Reacting to the fraud pandemic – being taken seriously, or just hot air?
Chris Phillips, Head of Investigations in our London office, shares some thoughts on the current battle against fraud.
In a time of a ‘fraud pandemic’, as commentated and reported on by a vast array of sources (single largest crime, £100bn in losses, one in five of us are victims), there is little if no mention of managing fraud risk/preventing fraud/detecting fraud/investigating fraud in the recently released Financial Reporting Council’s (FRC) draft minimum standard for Audit Committees.
This made me think, not about the FRC standard per se (very dry and not the standard’s primary purpose), but it made me ask the question – if we are in a fraud pandemic, are we responding as we should? Are we actually doing enough to protect the victims of fraud? And who is ‘we’?
It is generally accepted that we did a good job fighting the Covid pandemic, particularly in the UK – so what is different here in terms of fighting the explosion of fraud? Yes, fraud does not directly put pressure on the NHS to the same level as a global medical pandemic, but it is undisputed that it causes substantial grief and hardship to those affected and has wider implications for the economy – and for an extended period, often a lifetime (‘long Covid’ analogy).
Preventing fraud. Who’s responsible?
Back to the Audit Committee standard. So, the elephant in the room remains – who takes responsibility in reality, and who bears the most risk when fraud arises and losses ensue – both financial and non-financial? Whose feet should be held to the fire? Do we really know?
Reflecting on the recent narrative – following a series of high-profile fraud related audit disasters after the 2008/09 financial crisis, three substantial reports were produced by distinguished authors on governance and audit reform between April 2018 and December 2019 (by Sir John Kingman, the CMA and Sir Donald Brydon). Some actions have been taken and changes made – to address the conflict between audit and non-audit work for the Big Four and financial separation; more audit competition; and the creation of a new (and possibly more aggressive) regulator, the Audit, Reporting and Governance Authority (ARGA), replacing the FRC and due to start its work in April 2024.
We are now nearly halfway through 2023 and there is a strong feeling that recent economic turmoil already is and will further result in substantial fraud issues, as companies suffer and the temptation to ‘adjust’ reported figures becomes greater. Many ‘experts’ (including me) thought that the Covid lockdown and economic slow-down would result in a substantial increase in fraud, but the substantial government intervention combined with ultra-low interest rates and a package of other financial incentives reduced that threat significantly. Some of the Covid related government packages did result in fraud leakage as has been well documented.
Actually, it seems the fraud risk is greater now as we continue to see economic challenges, greater global uncertainty combined now with much higher levels of interest rates, mortgages and eye watering cost inflation. This is resulting in personal hardship for many, increasing the risk of employee related fraud. In addition, we are seeing unprecedented levels of push payment fraud, imitation and identity theft fraud, investor and sham email schemes, and crypto/cyber abuse. The list keeps growing. The nature of frauds is more varied, growing fast and having rapid impact – ‘multi-fraud variants’ if we stick with the Covid comparison. So, as with the Covid response, we need a combination of treatments, but centrally managed and implemented.
Are we in a position now to have greater confidence that those responsible for governance around corporate reporting have the necessary framework to meet stakeholder expectations? And is the remit broad enough to consider the different fraud variants – from accounting misstatement (where we have robust existing procedures) to technology enabled payment frauds, where the company paying the money to criminal gangs is the victim (and the transacting banks didn’t see the crime behind some cryptic corporate structure).
I understand that the FRC Audit Committee standard is a ‘minimum’ by definition, but given the current fraud crisis, and the urgent need to enhance confidence in corporate reporting and governance, and reduce loss and damage arising from fraud, this has to be confronted head-on and included in any standard, whether minimum or not. And surely enough time has passed since the three above-mentioned reports for those in charge to act with appropriate levels of force, guile and intent.
Consider this – if you are sitting as a Board member responsible for some or all of External Audit, Risk and Compliance, ESG, Remuneration, Code of Conduct and so on, has your thinking changed over the past five years so as to act differently in addressing the fraud pandemic?
If not, why is that? Either you think the risk is not actually real and so does not warrant specific attention, or you consider it is real but can be managed by management, or perhaps you don’t know and/or are waiting for something to happen? Are you feeling concerned or comfortable?
My assessment (not a scientific process but based on many conversations with senior executives) is that the Boardroom has not yet reacted as required. The issue is higher up the Board agenda than it was say 10 years ago, but it still remains embedded in broader conversations around risk and compliance, internal and external audit and now ESG, and is left mainly in the hands of ‘management’ to address (with some degree of external audit involvement). Is this sufficient when fighting a pandemic issue?
This approach is not in my view surprising as we see the Government (BEIS, Treasury), FRC, NCA, FCA and associated regulatory bodies throwing around well-intended economic crime and fraud discussion and consultation papers, strategic plans, corporate law/Companies House reform and associated placeholder legislation (delayed for years) whilst fraudsters make hay and society suffers.
I challenge anyone (especially senior management executives and Board members) to understand fully and connect all of the current initiatives in order to meaningfully engage in actions that actually reduce fraud and other related financial crimes. Even in the last couple of days, a new AI initiative has been announced. I fully support many of the steps being taken but the whole process, to make a difference, requires the very best organisation and clearer direction. What was the Covid message – ‘hands, face, space’. It seemed to work after some initial resistance – very simple and effective; 100% understood. I haven’t yet conjured up the fraud equivalent.….for another article.
Fraud prevention legislation due later this year but awaiting audit reform particulars
We wait to see the further particulars from the FRC (AGAR) and continue to hold our breath when it comes to the exact requirements and expectations around the imminent failure to prevent fraud legislation (similar to the 2010 Bribery Act), due at some point later this year and applicable (perhaps – if one is optimistic) in 2024. And we await further definition and certainty around corporate governance, ESG and audit reform subsequent to ARGA’s establishment. Ultimately, we will only see real change in behaviour when the consequences of failure are apparent, and meaningful – will we see more successful prosecution of fraudsters, and prosecution of companies and individuals under the failure to prevent laws?
Close to my heart as an ex-auditor, audit firms are changing structures via financial separation (and, as well reported, EY tried to go the full separation model but failed) and there is some movement around audit competition, but only marginal at this stage. The influence of the Big Four audit firms is clear to all and the direction of travel will enhance that strength through additional compliance requirements, such as implementing and reviewing the failure to prevent fraud requirements and the need for substantial digital based solutions (technology enabled risk-based audit).
The Government’s second Economic Crime plan (2023-2026) welcomed but is it sufficient?
Finally, the Government’s recently released Economic Crime plan 2 is far reaching and welcomed – but is it going to happen and meet the ambitious timelines? We shall see. The additional resources being committed are not insignificant – but is this sufficient in fighting such an enormous and industrial challenge and will this continue if there was to be a change in government? I applaud many of the ideas especially as regards crypto and anti-kleptocracy cells, major reform to Companies House and the overall UK supervisory regime and the enhanced use of technology/AI. I believe the ability for the Government to transfer some degree of responsibility to the corporate sector to act and respond will be critical.
Conclusion
Like many, I have been following with great interest the development of new initiatives to fight the fraud pandemic over the past six years. There have been some positive changes no doubt and the direction of travel is in my view promising – a real effort to combine private and public initiatives with greater transparency, more expert resources and accountability for failure. As to effectiveness and results, too early to comment.
A level of confusion (or lack of clear decision-making) as to who is responsible for preventing fraud, and in particular the expectation gap between the auditor and the company remains. The current legal system makes prosecution hard.
Back to the FRC minimum standard and what instigated this rambling summary – this was an opportunity for the FRC to set a robust standard that has to be met if not exceeded. An opportunity to make a clear and unambiguous statement. As fraud levels increase, now is the time to specify exact requirements, and to be granular as to the expectations of the Audit Committee and external auditor when it comes to addressing fraud and holding people accountable.
However, the issue is greater than just that – the plethora of fraud ‘variants’ need to be addressed as a whole, and we need to connect the dots in fighting the various perpetrators. Is now the time for an ‘anti-fraud czar’ to take control?
Addressing pandemics requires strong and impactful decisions, leadership and courage – combined with best available information and intelligence, outstanding innovation around treatment/care and executive level powers as to legislation and enforcement. I think we know this after the last few years fighting Covid. Much of the above exists, especially information, intelligence and innovation as to treatment. My concern, do we have sufficient leadership and courage (not just intention and words) to effect change quickly enough? And can the steps needed be taken across all elements of economic life?
What will not work is a disconnected, under-invested and politically driven process, which relies on year after year of consultation, independent reviews, widespread industry comment and windows of legislative time that open and close in the breeze.
We are not going to beat this pandemic and reduce the harmful impacts of fraud if we don’t get more serious, now.