
Economic and Corporate Crime and Transparency Act (ECCTA) 2024

Published: 07 Jan 2025

While significant attention has been focused on the UK Corporate Governance Code 2024, the emergence of ECCTA has received less focus. And yet it applies to a much broader spectrum of organisations and carries consequences that are more specific and potentially more wide reaching.

The starting pistol has been fired

A “Failure to Prevent Fraud” criminal offence will come into force from August 2025, bringing with it the potential for unlimited fines. It applies to “large companies”, meaning those that meet two out of three of:

  • More than 250 employees
  • More than £36m in turnover
  • More than £18m in total assets

While the enactment date is August next year, fraudulent activity occurring much earlier could be prosecuted.

The critical challenge is that the organisation could be prosecuted in respect of a “fraudulent offence” committed by any “associated person”. The person committing the fraud may still be separately prosecuted.

A criminal liability can arise for the organisation even if the directors or senior management did not know about the offence in advance. Following the model of the existing anti-money laundering legislation, this is a “strict liability offence”.

It’s also important to note that the definition of a fraudulent offence is broad and includes:

  • Fraud by false representation, including “greenwashing”
  • Fraud by failing to disclose information
  • Fraud by abuse of position
  • Participation in fraudulent business
  • Obtaining services dishonestly
  • Cheating the public revenue
  • False accounting
  • False statements by company directors
  • Fraudulent trading

What can directors do to protect themselves and the company?

Companies can evidence they have addressed these issues through the defence of demonstrating that there are “adequate procedures” in place. These are wide reaching and must be considered through the lens of both design and operating effectiveness. In this context, the government guidance explicitly says that “It will rarely be considered reasonable not to have undertaken a risk assessment and it should be periodically reviewed”.

What then are adequate procedures?

The guidance talks to six flexible and outcome-based principles:

  1. Top level commitment
  2. Risk assessment
  3. Proportionate risk-based prevention procedures
  4. Due diligence over third parties
  5. Communication and training for all associated persons
  6. Monitoring and review

The guidance also makes clear that controls and responses to existing regulatory obligations, including the UK Corporate Governance Code, are likely to need to be expanded and developed in greater granularity.

How should internal audit respond?

ECCTA should be considered in preparing and scoping all internal audit plans for 2025. It needs to be one of the factors shaping the audit universe.

However, beyond this we know that in many organisations internal audit is the centre of excellence of risk and control activities. Directors and senior management are going to require expert support to conduct the risk review and ensure it meets expectations. Many organisations will have a fraud risk assessment, certainly if they are caught by the UK Corporate Governance Code 2024. However, this needs to be refreshed and expanded to capture all the potential fraudulent offences.

In this context, we envisage the need for internal audit to think about a range of interventions. ECCTA is likely to require a significant programme of improvement in the control environment for many organisations. If we see it as a transformation programme and approach it as such, it is likely that continuous assurance with regular interventions is appropriate.

If the organisation has invested in an integrated assurance mapping exercise, this will form a strong foundation. An assurance map should include an inventory of commitments and risks that are addressed through both second and third-line assurance. It will indicate where risks are being adequately addressed and where there is room for improvement.

Internal audit is also likely to be required to support communication and training on this topic. There is a broad range of individuals who need to understand their obligations in embedding the appropriate controls and remaining abreast of monitoring activities. The inclusion of non-financial elements represents a significant shift and expansion of focus. This is not something that will be automatically understood by all parties.

A significant risk but also an opportunity

ECCTA represents a further opportunity for internal auditors to evidence their relevance and insight to senior managers across the organisation. It also creates a need for conversation about the adequacy of second and third-line functions. For readers who are not currently in internal audit but have oversight responsibilities, it's essential to understand how the company is going to monitor, review and report on these risks.