On 18 March 2021 the Government published the greatly anticipated "Restoring trust in the audit and corporate governance" white paper. Its purpose is to improve the UK's audit, internal controls, corporate reporting and corporate governance systems. The 232-page document includes proposed obligations for:
- Directors to report on the steps taken to prevent and detect material fraud; and
- Auditors to (1) report on the steps they have taken to detect material fraud and assess the effectiveness of relevant controls, and (2) report on the work they have performed as part of the statutory audit to conclude whether the aforementioned directors' statement is factually accurate.
With the proposed obligation to strengthen the UK’s internal control framework placing potential sanctions on Directors and/or Auditors in relation to the above, now is the time to consider whether your fraud risk management framework is robust enough to withstand the new focus and scrutiny.
How do you consider whether your fraud risk management framework is ready?
In this blog we pose four key questions in respect of understanding and being able to demonstrate your fraud prevention and detection activities. The components should form part of your broader risk management discussions about being SOx ready.
1. Do you understand and know where fraud risks are in your organisation?
Our experience is that many organisations have not conducted a specific fraud risk assessment and do not have a dedicated fraud risk register. Being able to identify and understand your current fraud risk profile is paramount to being able to demonstrate you have actively tried to prevent and detect fraud. It will also provide an opportunity to identify control weaknesses or gaps that require strengthening.
2. How have you documented the maturity of your fraud risk management framework?
Historically, we have not seen clearly documented evidence of management reviewing fraud prevention and detection activities that would enable them to make the proposed attestations. To demonstrate this, you should establish a clear programme for understanding and reviewing the activities your organisation is performing across the full spectrum of prevention, detection and response. This might include reviewing preventive activities such as fraud risk assessments, fraud awareness training, assessment and implementation of internal controls, supplier due diligence and/or pre-employment screening, as well as reviewing detection and response activities such as whistleblowing hotlines, data analytics / mining, investigations, and remediation of control failures after an investigation. The programme should be clearly documented and should include the frequency and methodology of review.
3. Do your whistleblowing arrangements encourage reporting and protect whistleblowers?
In recent years we have seen an increase in media coverage and EU legislation surrounding whistleblowing, and the view that organisations are not doing enough to protect whistleblowers and create a culture that encourages reporting. Whistleblowing or internal mechanisms for reporting fraud continue to be a primary way to uncover fraud. Ensure you have a programme for reporting fraud that is well communicated to staff (and external/third parties if relevant), and one that offers multiple channels for reporting, including the ability to report anonymously. If you aren’t receiving reports, it is usually an indicator that the programme is not communicated well, or employees do not trust that they will be protected – not that fraud isn’t present.
4. Do you have an opportunity to leverage data to create insight?
We are seeing a growing demand for the development and use of fraud data analytics programmes as a mechanism to detect fraud. The most basic form of analytics can be routine data sweeps over your accounts payable file for duplicate or sequential invoice numbers, sweeps over your credit card expenditure for unusual transactions, or comparing where bookings have been made through corporate travel providers and then self-reimbursements processed for the same item / receipt. Advanced data analytics can include predictive assessment based on behavioural actions, targeted to your key risk areas and business. The use of data is continuing to gain momentum and is a clear way to demonstrate an organisation's commitment to detecting material fraud.
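To make the "basic sweeps" concrete, here is an added example (not code from the blog or its authors) that runs two of the routine checks described above over a small constructed accounts payable extract and a constructed travel-versus-expenses extract: duplicate invoice numbers per supplier, runs of sequential invoice numbers from one supplier, and expense claims that match a centrally booked travel item. The field names, sample suppliers and employee ids are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample accounts payable extract (assumed column names; not real data).
AP_INVOICES = [
    {"supplier": "Acme Ltd", "invoice_no": "INV-1001", "amount": 1200.00, "date": date(2021, 1, 5)},
    {"supplier": "Acme Ltd", "invoice_no": "INV-1002", "amount": 980.50, "date": date(2021, 1, 19)},
    {"supplier": "Acme Ltd", "invoice_no": "INV-1003", "amount": 1310.00, "date": date(2021, 2, 2)},
    {"supplier": "Acme Ltd", "invoice_no": "INV-1004", "amount": 1150.00, "date": date(2021, 2, 16)},
    {"supplier": "Beta Supplies", "invoice_no": "B-7781", "amount": 450.00, "date": date(2021, 1, 8)},
    {"supplier": "Beta Supplies", "invoice_no": "B-7781", "amount": 450.00, "date": date(2021, 1, 22)},
    {"supplier": "Gamma plc", "invoice_no": "G/2021/0033", "amount": 3000.00, "date": date(2021, 1, 11)},
    {"supplier": "Gamma plc", "invoice_no": "G/2021/0187", "amount": 2750.00, "date": date(2021, 2, 3)},
]

# Constructed corporate travel bookings and employee expense claims (assumed fields).
TRAVEL_BOOKINGS = [
    {"employee": "E102", "date": date(2021, 2, 10), "amount": 215.00, "desc": "rail, booked centrally"},
    {"employee": "E117", "date": date(2021, 2, 12), "amount": 89.00, "desc": "hotel, booked centrally"},
]
EXPENSE_CLAIMS = [
    {"employee": "E102", "date": date(2021, 2, 10), "amount": 215.00, "desc": "train ticket"},
    {"employee": "E117", "date": date(2021, 2, 12), "amount": 42.50, "desc": "taxi"},
]


def find_duplicate_invoices(invoices):
    """Return {(supplier, invoice_no): [rows]} for invoice numbers seen more than
    once from the same supplier, a common sign of a double payment."""
    seen = defaultdict(list)
    for inv in invoices:
        seen[(inv["supplier"], inv["invoice_no"])].append(inv)
    return {key: rows for key, rows in seen.items() if len(rows) > 1}


def invoice_sequence(invoice_no):
    """Extract the trailing numeric part of an invoice reference, or None."""
    match = re.search(r"(\d+)$", invoice_no)
    return int(match.group(1)) if match else None


def find_sequential_suppliers(invoices, min_run=3):
    """Return {supplier: longest_run} for suppliers whose invoice numbers form a run
    of consecutive integers of at least min_run. A supplier whose invoices to you
    are consecutive may have no other customers, which warrants due diligence."""
    numbers_by_supplier = defaultdict(set)
    for inv in invoices:
        seq = invoice_sequence(inv["invoice_no"])
        if seq is not None:
            numbers_by_supplier[inv["supplier"]].add(seq)
    flagged = {}
    for supplier, nums in numbers_by_supplier.items():
        ordered = sorted(nums)
        run = best = 1
        for prev, curr in zip(ordered, ordered[1:]):
            run = run + 1 if curr == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[supplier] = best
    return flagged


def find_double_reimbursements(bookings, claims, tolerance=0.01):
    """Return (booking, claim) pairs where an expense claim matches a centrally booked
    travel item on employee, date and amount (within a rounding tolerance)."""
    hits = []
    for booking in bookings:
        for claim in claims:
            same_person_day = (booking["employee"] == claim["employee"]
                               and booking["date"] == claim["date"])
            if same_person_day and abs(booking["amount"] - claim["amount"]) <= tolerance:
                hits.append((booking, claim))
    return hits


if __name__ == "__main__":
    for key, rows in find_duplicate_invoices(AP_INVOICES).items():
        print("duplicate invoice", key, "seen", len(rows), "times")
    for supplier, run in find_sequential_suppliers(AP_INVOICES).items():
        print("sequential invoices from", supplier, "(run of", run, ")")
    for booking, claim in find_double_reimbursements(TRAVEL_BOOKINGS, EXPENSE_CLAIMS):
        print("possible double reimbursement:", claim["employee"], claim["date"], claim["amount"])
```

Each function returns the flagged rows rather than a verdict: the output is a review list for the finance or internal audit team, and the thresholds (the minimum run length, the amount tolerance) are the parameters you would tune to your own supplier base and expense policy. On a real extract the same sweeps would be run on the full ledger export rather than on the embedded sample.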
Fraud is something that almost all organisations will face at some size or scale in their lifetime – and it is expensive. Not only is the direct loss from fraud typically straight off the bottom line, but the indirect costs associated with investigating frauds, or the reputational damage to the business that may occur, mean that spending a little time and effort now on prevention will likely save you in the long run even without potential reporting obligations.
Although the current white paper proposal is focussed on Public Interest Entities (PIEs), we are seeing our clients, regardless of size and status, take this opportunity to explore and discuss how they can align their fraud risk management framework with one that would meet this more transparent style of reporting and best practice. After all, a reduction in fraudulent activity will lead to a decrease in costs in the long run, with the potential to identify process efficiencies, and if these aren’t requirements for you now – there likely will be some in the future!
If you would like to discuss the implications of the white paper or any of the questions posed in this blog, please don’t hesitate to get in contact.