New failure to prevent fraud offence – update for Heads of Internal Audit

The Economic Crime and Corporate Transparency Act (the “Act”) received Royal Assent on 26 October 2023. This follows on from the Economic Crime (Transparency and Enforcement) Act which passed into law in March 2022, bringing in increased powers to address money laundering and other illegal activity.

Many of the measures look to reform Companies House. Specifically, the Registrar of Companies House will have extended powers to verify, delete or refuse information submitted to the register of companies and information that is already recorded in the register. All new and existing registered company directors, people with significant control and those filing on behalf of companies will be required to verify their identity. The Registrar will also be provided with enhanced investigation and enforcement powers. Some of these measures cannot be introduced immediately since they require secondary legislation and system enhancements.

Failure to prevent fraud offence

The most noteworthy measure for Heads of Internal Audit included in the Act is the new “failure to prevent fraud” offence. Under the proposed offence, an organisation will be liable where a specified fraud offence is committed by an associated person for the organisation’s benefit, and the organisation did not have reasonable fraud prevention procedures in place. The Act defines fraud as comprising the following offences:

  • fraud by false representation, by failing to disclose information, or by abuse of position (sections 2-4 Fraud Act 2006)
  • obtaining services dishonestly (section 11, Fraud Act 2006)
  • participation in a fraudulent business (section 9, Fraud Act 2006)
  • false accounting (section 17, Theft Act 1968)
  • false statements by company directors (section 19, Theft Act 1968)
  • fraudulent trading (section 993, Companies Act 2006)
  • cheating the public revenue (common law).

“Associated persons” include employees, agents or subsidiaries of the relevant organisation, an employee of a subsidiary or a person who otherwise performs services for or on behalf of the organisation.

Only large organisations are caught by this legislation and are defined as meeting two of the following criteria in the financial year preceding the year when the alleged fraud took place:

  • average number of employees more than 250
  • turnover above £36m
  • total balance sheet assets above £18m.

Subsidiaries of large organisations will be in scope, although they will only be responsible for their employees conduct and not that of associated persons.

The UK Government is committed to publishing guidance on reasonable fraud prevention measures in 2024. There is no commencement date for the new offence but this is expected to be shortly after the guidance has been issued.

Required action for organisations

Organisations will have a defence under the Act if they have put into place reasonable fraud prevention measures. Although the Government guidance has yet to be published, steps can begin to be taken now to develop the organisations arrangements, since the defence is similar to those available under the UK Bribery Act 2010 and Criminal Finances Act 2017. It is expected that the Government is likely to adopt the same principles that are set out in the guidance for this established legislation when defining “reasonable” measures under the new Act.

FRAUD PREVENTION - REASONABLE MEASURES

1. Proportionate procedures

The organisation’s procedures to prevent fraud by persons associated with it are proportionate to the fraud risks it faces and to the nature, scale and complexity of the organisation’s activities. They are also clear, practical, accessible, effectively implemented and enforced.

2. Top level commitment

The top-level management of a commercial organisation (be it a board of directors, the owners or any other equivalent body or person) are committed to preventing fraud by persons associated with it. They foster a culture within the organisation in which fraud is never acceptable.

3. Risk assessment

The commercial organisation assesses the nature and extent of its exposure to potential external and internal risks of fraud for the organisation’s benefit by persons associated with it. The assessment is periodic, informed and documented.

4. Due diligence

The organisation applies due diligence procedures, taking a proportionate and risk based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified fraud risks.

5. Communication (including training)

The organisation seeks to ensure that its fraud prevention policies and procedures are embedded and understood throughout the organisation through internal and external communication, including training that is proportionate to the risks it faces.

6. Monitoring and review

The organisation monitors and reviews procedures designed to prevent fraud by persons associated with it and makes improvements where necessary.

Top level management commitment can best be demonstrated by the communication of the organisation’s anti-fraud stance through a policy or statement approved by the Board, together with the ongoing involvement of senior management in the development and monitoring of fraud prevention procedures.

The procedures do not need to be excessive, but they must be proportionate to the risk of fraud and the nature, scale of the organisation’s activities. Fraud risk assessment is therefore an essential building block in devising these procedures.

Due diligence over employees or agents working on behalf of the organisation may need to be strengthened if current procedures for checking employees or supplier take-on arrangements do not address the risk of fraud sufficiently.

For the procedures to work well, employees and agents need to be made aware of them. Internal communications including training should include the top-level commitment from senior management as well as focusing on the implementation of the procedures. External communications should include rules over recruitment, procurement and tendering which are designed to deter fraudulent activity.

Finally, organisation’s need to establish a mechanism to monitor the operation of fraud prevention procedures and ensure that the results of this are presented to senior management and acted upon when required.

What this means for Heads of Internal Audit

Heads of Internal Audit of organisations that are defined as “large” by the Act need to make sure that this matter is high on the agenda of the Audit Committee and management. The Government plans to issue its guidance on reasonable procedures in early 2024, so there is not long to prepare.

Fraud is not a new risk consideration for Heads of Internal Audit. IIA Standard 2120 requires that “internal audit activity must evaluate the potential for the occurrence of fraud and how the organisation manages fraud risk.” They should already have a clear view of their organisation’s exposure to fraud and how this is being managed.

This knowledge – together with their experience of helping the organisation establish procedures to address legislation such as the Bribery Act in the past – means that they are well placed to support management in establishing the policy, procedures, fraud risk assessment and monitoring arrangements necessary to meet the requirements of the new Act.

Heads of Internal Audit Newsletter

Every quarter, experts from our Risk and Advisory Services team write on issues affecting internal audit professionals. The articles provide Heads of Internal Audit as well as Internal Auditors with relevant insight covering topics such as risk management, internal controls and governance.

Subscribe

References:

Subscribe