Company directors are responsible for keeping proper accounting records which enable them to ensure that financial statements comply with the Companies Act 2006. They are also responsible for safeguarding company assets and taking reasonable steps for the prevention and detection of fraud and other irregularity.
The Financial Conduct Authority ('FCA') expects senior management in firms it regulates to consider the full implications and breadth of fraud risk, which can affect profitability, reputation, customers and the markets in which firms operate.
Risk assessment, analysis of fraud losses and management information on the effectiveness of the control environment can inform a risk-based approach. The level of resource required is influenced by senior management's risk appetite and whether existing controls are considered sufficiently robust to mitigate significant fraud risk.
Source of risk
Fraud risk is encountered from a range of internal and external sources; examples include:
Customers, suppliers or agents using fraud to obtain money or assets from, or to conceal financial loss to, a firm
Insider fraud involving employees who steal cash or other assets belonging to the firm, or who defraud customers by improper use (or diversion) of their funds or assets; often involving systems override or using knowledge of an internal control weakness
Collusive fraud, where an employee conspires with a third party to cause financial loss to the firm, its customers or business counterparties
A fraud response framework includes:
Prevention - A combination of an anti-fraud policy statement (i.e. tone from the top), a fraud risk assessment (i.e. to identify operational fraud risk), documented guidance and procedure (i.e. setting out minimum standards and controls), and awareness training for staff (i.e. to promote an anti-fraud culture)
Detection - Monitoring business activity and transaction flow for red flags or indicators of fraud risk. Procedures can blend manual review with automated scripts run against data hosted on IT systems. The effectiveness of these approaches relies on staff awareness of fraud risk (i.e. type and methodology), the quality of the rules used in automated scripts and the availability of relevant data to scan for unusual or anomalous activity
Response - A Fraud Response Plan ('FRP') outlines policy and procedure to follow should an organisation identify suspected fraud, allegations of theft or dishonesty or other impropriety. The FRP should provide transparency, integrity and fairness in responding to alleged or suspected fraud
Review and refresh - Fraud risk is dynamic, evolving and shifting as change occurs to business systems, internal processes and the operating environment. Maintaining an effective risk-based fraud strategy requires periodic challenge and validation of the status quo, designed to: (i) assess potential gaps or weaknesses in controls; (ii) identify learning from issues and risks encountered since the previous refresh; and (iii) assess the impact of any organisational change on fraud risk in the operating environment
Quality assurance - Senior management should ensure clarity of responsibility for fraud risk across the three lines of defence, with regular reporting by risk owners on anti-fraud policy compliance, along with timely escalation of new/emerging significant fraud risk or incident data.
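The Detection element above refers to automated scripts run against transaction data to surface red flags. The following Python script is an added illustration of that idea, not FCRM's own tooling or anything drawn from the FCA Handbook: it runs a small set of rule-based indicators (repeat payments, amounts just below an approval limit, sub-limit payments that together breach the limit, and entries outside business hours) over a constructed payment feed. The payee names, user IDs, amounts, the 5000 approval threshold and the business-hours window are all assumptions made for the example.

```python
"""Rule-based red-flag scan over a constructed transaction feed.

Added illustration only: the transactions, threshold values and rule set
are assumptions chosen for the demo, not data or controls from the page.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed: (txn_id, timestamp, payee, amount, entered_by)
SAMPLE_TXNS = [
    ("T001", "2024-03-04 10:15", "Acme Supplies Ltd", 4800.00, "u.patel"),
    ("T002", "2024-03-04 10:17", "Acme Supplies Ltd", 4800.00, "u.patel"),  # repeat of T001
    ("T003", "2024-03-05 14:02", "Northwind Ltd", 4990.00, "j.doe"),       # just under limit
    ("T004", "2024-03-05 14:05", "Northwind Ltd", 4995.00, "j.doe"),       # just under limit
    ("T005", "2024-03-06 02:41", "Globex Corp", 1200.00, "u.patel"),       # entered at night
    ("T006", "2024-03-06 11:30", "Globex Corp", 300.00, "s.lee"),          # unremarkable
]

APPROVAL_THRESHOLD = 5000.00     # assumed single-approver payment limit
NEAR_THRESHOLD_BAND = 0.02       # flag amounts within 2% below the limit
DUPLICATE_WINDOW = timedelta(days=3)
BUSINESS_HOURS = (8, 19)         # 08:00-19:00 treated as normal entry time


def parse(rows):
    """Turn raw tuples into dicts with real datetimes, sorted by time."""
    txns = [
        {"id": tid, "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M"),
         "payee": payee, "amount": float(amt), "user": user}
        for tid, ts, payee, amt, user in rows
    ]
    return sorted(txns, key=lambda t: t["ts"])


def flag_duplicates(txns):
    """Same payee and amount paid again within DUPLICATE_WINDOW."""
    hits = set()
    by_key = defaultdict(list)
    for t in txns:                      # txns is time-ordered, so groups are too
        by_key[(t["payee"], t["amount"])].append(t)
    for group in by_key.values():
        for earlier, later in zip(group, group[1:]):
            if later["ts"] - earlier["ts"] <= DUPLICATE_WINDOW:
                hits.update((earlier["id"], later["id"]))
    return hits


def flag_near_threshold(txns):
    """Amounts sitting just below the approval limit."""
    lower = APPROVAL_THRESHOLD * (1 - NEAR_THRESHOLD_BAND)
    return {t["id"] for t in txns if lower <= t["amount"] < APPROVAL_THRESHOLD}


def flag_split_payments(txns):
    """Several sub-limit payments by one user to one payee on one day whose
    total reaches the limit a single payment would have needed approval for."""
    hits = set()
    by_key = defaultdict(list)
    for t in txns:
        if t["amount"] < APPROVAL_THRESHOLD:
            by_key[(t["user"], t["payee"], t["ts"].date())].append(t)
    for group in by_key.values():
        if len(group) > 1 and sum(t["amount"] for t in group) >= APPROVAL_THRESHOLD:
            hits.update(t["id"] for t in group)
    return hits


def flag_off_hours(txns):
    """Entries recorded outside the assumed business-hours window."""
    start, end = BUSINESS_HOURS
    return {t["id"] for t in txns if not (start <= t["ts"].hour < end)}


RULES = {
    "duplicate_payment": flag_duplicates,
    "near_approval_limit": flag_near_threshold,
    "split_payment": flag_split_payments,
    "off_hours_entry": flag_off_hours,
}


def scan(rows):
    """Run every rule; return {txn_id: sorted rule names} for flagged items only."""
    txns = parse(rows)
    findings = defaultdict(list)
    for name, rule in RULES.items():
        for tid in rule(txns):
            findings[tid].append(name)
    return {tid: sorted(names) for tid, names in sorted(findings.items())}


if __name__ == "__main__":
    for tid, names in scan(SAMPLE_TXNS).items():
        print(f"{tid}: {', '.join(names)}")
```

Each rule returns a set of transaction IDs, so adding an indicator means adding one function to RULES; the scan reports which rules fired per transaction, which is the shape reviewers need when deciding what to escalate under the Fraud Response Plan. A transaction hitting several rules at once (here T001 and T002, which are both a repeat payment and part of a sub-limit pair) is a stronger signal than any single hit, and the thresholds themselves should be tuned against the firm's own loss data during the review-and-refresh cycle.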
How we can help you
FCRM assists clients to identify and assess fraud risk in internal business processes and the operating environment. We also investigate loss events and trace assets misappropriated through fraud or other impropriety. We provide independence, objectivity and experience when responding to fraud issues.
We are accustomed to assisting clients with managing and responding to questions/concerns posed by a regulator, relating to fraud, error or other irregularity in the control environment (e.g. per FCA Handbook - SUP 15.3.17).