Over the centuries, society has developed what it considers to be acceptable standards of behaviour. Some of these have been codified into law, others are part of our moral code. Clearly, any deviation from these standards will result in “consequences”, as Sam Allardyce, the England Football manager, has recently found out to his cost.
However, when it comes to fraud, UK Prime Minister, Theresa May’s government appears to have decided that the combination of company law and society’s moral code isn’t up to scratch. The government is therefore proposing to introduce a new criminal finance bill, which could result in company directors being criminally responsible for the actions of their employees, even if the actions were expressly prohibited.
This has provoked some interesting discussion. Those in favour of the bill argue that company directors should be held accountable for what happens on their watch. Those against argue that the proposed bill would result in even more red tape that will reduce UK plc’s competitiveness, just at a time when the precise opposite is required in the post Brexit world.
However, those arguing against the bill are rather missing the point. One of the principle duties of a company director is to act in a way that is most likely to promote the success of the company for the benefit of its shareholders as a whole. Given that fraud would result in a financial loss to a company and therefore its shareholders, part of these responsibilities must include fraud prevention.
It is generally accepted that there are three key elements which must be present for a fraud to occur – opportunity, motivation and rationalisation. Opportunity refers to the fraudster’s ability to circumvent internal controls for their own benefit. Motivation is what drives the individual to commit the fraudulent act, which could result from domestic pressures or the need to achieve results at work. Rationalisation relates to the fraudster’s self-justification for their acts, even though they know them to be wrong.
The risk of opportunity can be addressed by ensuring that the internal control environment is robust and fit for purpose. Similarly, the motivation risk can be addressed by encouraging and rewarding behaviour that fits with the company’s long term goals, as well as monitoring employee wellbeing. If these two risks are properly controlled, the need for the potential fraudster to rationalise their acts is largely taken away, as they should be unable to commit the fraud.
On that basis, if companies have properly addressed their fraud risks, Theresa May’s proposed legislation should not generate any concerns for directors. However, if Tesco’s recent accounting issues are representative of UK plc, then it is clear that companies need to start getting their houses in order.
Current discussions indicate that the proposed legislation may allow companies to avoid prosecution by showing that they had taken the actions necessary to discourage such offending in the first place. Companies may refer to the existence of internal audit, or similar, functions as evidence of such actions. However, I remain to be convinced that this, on its own, will be enough.
I recently conducted an investigation for a large multinational after a whistleblower had raised concerns. The investigation established that internal audit visited each business unit once a year. However, the internal audit programme contained multiple modules, with each module only being considered at each business unit once every three years, largely for cost reasons. If the business unit was unaware of the internal control issue, it was therefore possible that a fraud could go undetected for three years. This assumes that internal audit then detected the actual fraud as part of their work!
I suspect that investors may find it unacceptable that a fraud could occur for up to three years without detection. If investors play an active role in the company, then this could result in awkward questions being asked of company directors. However, directors are likely to face a bigger problem if the Courts agree with investors.
It would therefore appear that a well-funded and active internal audit function is going to be critical to support and protect company directors if the proposed legislation is passed into law. However, the challenge that internal audit faces in any business is that it is a cost centre and is not revenue generative. Consequently, most companies, particularly in this age of austerity, will have cut out all fat from the profit and loss account and this may have included elements of internal audit.
It should now be clear that a strong internal audit function represents a core part of a company’s infrastructure, its skeleton if you will. And any surgeon will tell you that once you have cut away all of the fat, all that is left is bone and cutting into that generally tends to hurt.