The Fraud Cast: Insights on BEIS and perspectives on fraud risk management
Transcript
Fran Marwood:
So, good afternoon everyone, and thank you all for joining us. My name is Fran Marwood, I'm a partner in our restructuring and forensics practise. And I lead our investigations team across the UK. A very warm welcome to the second webcast in our new fraudcast series. For those of you that couldn't join the first broadcast back in May, where we focused on our 2022 global economic crime survey, or GECS, as we call it, you can see the recording of that through our broadcast web hub. I'm delighted that on today's fraudcast, I'm joined by a panel of experts who are going to be talking about the recent BEIS consultation, and the impact of that consultation on the UK's audit and corporate governance regime. Specifically, in relation to fraud. Now, just as a bit of background, earlier this year, BEIS published it's response statement, and this followed a consultation on reforms that were aimed at restoring trust in audit and corporate governance. It was a big exercise, there were 98 questions, and they covered the recommendations from the Kingman Review, CMA, and Brydon reviews. And BEIS received over 600 responses from all parts of the financial sector and beyond. The statement summarises the themes from those responses, and it outlines the proposals that BEIS intends to take forward. And, one area where company directors are going to see a big difference, we think, is in responsibilities around fraud risk management reporting. Soi, that's an area that we're going to be discussing today. We'll be using a polling system, for those of you that were on last time, you'll be familiar with it. So you can share your thoughts as we go through the session. We'd also love to hear any questions you might have for the panel, and you can ask these by typing them in the box on the screen. The fraudcast today is going to be recorded, so please do share it when that comes out with your colleagues. And so, with that, I'm delighted to introduce our panel members today. I'm joined by Jayne, Jonathan, and Stewart, and I'll let the panel introduce themselves. So, over to you, Jayne.
Jayne Kerr:
Thanks, Fran. So, I'm Jayne Kerr I'm a director in our audit public policy team, and for the last three, four years, I've been primarily focused on responding to all of those reviews you just mentioned, culminating in the BEIS consultation. I work with a lot of companies, a lot of audit committees, boards, finance execs, to help them think through these different proposals and developed a number of materials and practical guides, again, to help companies think how they might be implemented.
Fran:
Thank you.
Jonathan Holmes:
Hi Fran, I'm Jonathan Holmes, as you know, but I'm also a partner in our restructuring and forensics practise, and I lead our fraud protection work, which obviously we are going to come onto in some detail. The one thing I would mention at the outset, is we actually do quite a lot of work, obviously, with clients, but we also work with our audit teams a lot. So, Jayne and I spend a lot of time talking, as it is.
Stuart McMeechan:
Thanks, Jonathan. I'm Stuart McMeechan. I'm a director in a restructuring and forensics practise, and I specialise in analytics and technology for investigations and proactive fraud protection.
Fran:
Thank you Stuart, and thank you all for those introductions. The first topic that we're going to cover is an overview of the BEIS proposals as they relate to fraud. So, let's get things started. We're going to go straight to one of our poll questions, which we'd like to get your thoughts on, and you should be seeing the question on screen now. We've got about 20 seconds to answer the question, so make sure you're quick with that. But the poll question is, has your organisation been formally considering the implications of the BEIS consultation? So, if you can pop your answers in there, we'll move onto you, Jayne. Whilst we're waiting for those poll answers to come through, I just wondered if you could tell us a bit more about what the response statement includes in relation to fraud, and our interpretation of what it says?
Jayne:
Yes. So, as you mentioned, there will be a requirement, and it will be a statutory requirement, so it will be written into company law, that directors make a statement in the annual report, the front half, most likely, about the steps they've taken to prevent and detect fraud. And this is new, there's nothing quite like that at the moment that directors have to do. In terms of what will be in that statement, we don't yet have many details, but from our experience and our discussions with the government and with BEIS who are developing this proposal, I think it's fair to assume that, in making that statement, there will need to be some discussion for the basis of the statement. So, what sort of risk assessment process have you been through, what were the main risks of fraud that were identified for the company, what are controls in place to mitigate those risks, what does the monitoring and oversight look like? And, I think there will be a fairly explicit statement that the directors are comfortable that those are the appropriate steps to take to prevent and detect material fraud. And I would highlight the word 'material' there, which is important, and also that the fraud that they're talking about is beyond just the financial statements. It's going to into, much broader, all types of fraud which could impact the company. So, quite a big statement to make that's different to today. In terms of the auditor's responsibilities, they won't necessarily change from today, because they were recently enhanced anyway, but your auditor will look at that statement that you make, like they do anything that's in your annual report, and make sure it's consistent with their knowledge from the audit. If it's not, they would have to make some comment on that. In terms of who this will apply to, it's going to apply to the largest companies, so those with over 750 employees, and 750 million in annual turnover,. Which is part of the governments expansion of the public interest entity definition that currently exists just for listed companies. This will also bring a number of private companies into that fold. SO, if you're a company that has over 750 employees, and over 750 million in annual turnover, this will become requirement for you. That said, even if you don't have that, we do think this will move the dial on how companies approach fraud, and how they disclose the risk of fraud in the financial statements, sorry, the annual report, regardless of any actual requirement.
Fran:
Now, thank you for that, Jayne. It will be interesting to see, from the results of our survey, how many businesses are considering the implications, and I'm pleased to say, that we've got a high proportion of our audience today who are obviously on top of things, with 53% of our audience having formally considered the implications. 17% haven't, and obviously, based on your detailed response, there, there are some businesses that it's more relevant to than others. And then, we have 30% who are don't knows, so I think for those people, there's probably an action there to go back to the organisations and talk to the relevant stakeholders, I think. But, any reflections on those statistics?
Jonathan:
I'll go, Jayne, because I think that's really positive. You know, over half, that's great. I think it might be thanks to the likes of yourself and your team, Jane, we were talking about it just before, and I think we've got, probably at about 500 to 600 companies you've not spoken to about this.
Fran:
Yes.
Jonathan:
So, I think, you know, a lot of noise is being made in the press about it, a lot of noise is being made by businesses such as ourselves, because obviously it's critically important to an audit, so I think that's a really positive result. (talking over each other 07.31)
Fran:
I think, that's higher than I was expecting it to be, so that's a really good answer. So, Jonathan, let's stay with you, then. We're just going to move on to get your perspective of how much you think these proposals are going to, the effect they're going to have on companies when they're tackling fraud.
Jonathan:
Yes, so, maybe this is unsurprising, but any attestation process that this is fundamentally going to become, I think will require, you know, considerable thought by companies, particularly given the level that it's entering in, at that director level, and front half of the financial statements we're expecting it to end up in. If I reflect on our global economic crime survey, I know we talked a lot about that last time, but only a third of businesses have actually got an active compliance monitoring fraud assessment program in place, or rather, actually, it's the other way around, a third of them really don't. And that just demonstrates that there is work to be done here, I think. And a lot of this, sort of, frankly, this fraud risk management, is getting ahead of it, and thinking about it before it happens, as opposed to just reacting to it the whole time, and we can talk a bit more about that. But I think, as a result, I think companies do have work to do, I think the statistics that you quoted just a minute ago, there, are really, really reassuring, really positive. But I think the areas that companies need to start to think about, here, are around the governance, are around fraud risk assessment, particularly around fraud risk assessment. Actually, I think that's a real linchpin to this entire process. But also, starting to think about not just investigation, but detection and prevention, as well.
Fran:
Yes. And, I was going to move on and ask about the key next steps that we are bringing up when we're talking to companies, but why don't we touch on those and perhaps build in the importance of a readiness assessment?
Jonathan:
Sure. Well, so, I think there is that. You know, we had the conversation this morning, myself and another one of the colleagues with us, and the question was, what do we do next? We want to get ahead of this, what does getting ahead of this even look like? Because, you're telling us that these rules don't actually exist quite yet. And that really does come down to the need to, the opportunity to run yourself a fraud and risk maturity, do something that makes you feel, where am I now, what building blocks do I have in place, where are my existing governance frameworks, what do I already do, where do I think (TC 00:10:00) I want to be? And albeit we don't have rules, it's quite easy to start to pick out the areas where we'd expect things to start to happen. And, you know, the fraud risk assessment is a great example. It's an area where, we absolutely expect companies to have one. They're already asked, as part of an audit, can I have your fraud risk assessment. The wrong time to start doing your fraud risk assessment is when you've been asked for it by your auditor. Statement of the obvious. So, I think there are things that companies can do in order to prepare themselves. And, actually, one of the really useful things to do is just to educate themselves. And, equally, you know, fraud's also a topic where you can talk to your peers, you can talk to other businesses about it, you can join a lot of different forums that allow you to actually see what other people are doing in this space. Because, you know, fraud is a topic that is one that everybody's trying to eliminate.
Fran:
Yes, and that's where a lot of the best ideas come from, and in our experience as well. So, no, thanks for that, Jonathan. We're going to move on now to the role of technology, and how that plays into preventing and detecting fraud. You should be seeing on your screens now another two poll questions, so the first of those is, 'Is your organisation using a technology based fraud detection or monitoring tool as part of their regular processes?' And the second part of the question is, 'If not, do you have any plans to deploy technology for fraud detection?'. You'll have gathered as viewers there's a little lag between the answers coming through, so whilst we're waiting for those results to come through, Stuart, I think, if we can turn to you, a key focus on the requirement, as I've just sort of alluded to, is prevention and detection. It's a two part question, so what are you seeing companies doing in the space currently from a tech perspective, and how do you think that's going to change in the future?
Stuart:
So for companies who are really clear on what their fraud risks actually are, their next kind of considerations are, firstly, what preventative controls do we need to have in place to mitigate the fraud risks that we know we have? And that could be things like segregation of duties, automatic payment clocking, for example, in systems, and really thinking about, you know, 'Where are the gaps we have in the preventative side?' Secondly, and I think this is where companies have the biggest gap, is more on the fraud detection side, which is really around, you know, 'Are we monitoring our transactions, our suppliers, our customers to try and identify whether we see any suspicious activity that could be fraud?' For example. For companies that are kind of starting from zero with fraud detection, they're typically going through three key steps. One is defining which fraud risks are significant enough to justify detection over, and then for that, building the business case, securing the investment to set up a detection programme, and then ultimately picking the best technology for the organisation, getting that up and running, and then the operating model set up around it. So having people, for example, to, you know, review, investigate, and close out transactions, for example. In terms of the technology itself, I'm seeing companies take a few different approaches. One example would be internal audit functions in the third line, taking an approach of extracting data, say, once a month or once a quarter, running some key fraud tests, for example, looking for potentially hijacked suppliers, looking for unusual accounting entries, etc, and then escalating where required if exceptions are found. The other approach, and I see this as becoming the more popular approach, is actually procuring dedicated fraud protection platforms and technologies. And the real benefit of this approach is that this will offer you more advanced techniques, like machine learning, entity resolution, which ultimately gets you to the higher risk activity with less false positives that you'll be spending time reviewing.
In terms of where I'm seeing companies kind of point detection at, I'd say for B to C companies it's quite common that they will already have some preventative and detective controls over customer, so trying to reduce losing customers and losing revenue due to fraud. But, otherwise, I'd say supply chain and procurement is commonly sort of a first port of call for fraud protection, partly because, you know, there's a lot of fraud that tends to happen in procurement, and we see that in investigations a lot. But also because there's real opportunity for recoveries in this area, which in some cases can actually pay for the detection programme that's being setup. And then just on your last question, just to summarise, and in terms of kind of what's next, I'm seeing lots more technology that's coming on the market that's very specific for fraud protection, and in parallel I'm seeing more access to analytics and data science specialists, both in-house and with firms like (inaudible 15.10). And I think that will mean that companies will be able to get up and running with fraud protection much quicker over time.
Fran:
And I think, I mean, that supply chain point that you made, we're sort of seeing that come in in practice, certainly after the summer a lot of the cases that we're having as a team seem to have a supply chain element. It kind of resonates with the findings from the Global Economic Crime survey as well where that was one of the biggest increases in types of fraud that we saw. We've got the results through from our questions, as if by magic. So the first one was, 'Is your organisation using any technology based fraud detection or monitoring tools?' And, again, these are reassuring answers. So yes is 46.8%, quite a high bunch of no's at 40%, and then we've got, again, 12% of don't knows, so if we can hold that thought and I'll do the second question and then we'll get some reflections. And then it says, 'If not, do you have plans to deploy technology?' And, I suppose, the important bit there is if, 'If not,' and we've got 34% of the audience in that category who were yes's, and 12% of no's, and then there's a 30% which is, 'Not applicable.' So some interesting stuff coming through there, Stuart, quite a lot to bite off, but I wouldn't if you could give us a few of your thoughts on those answers.
Stuart:
Yes, I think it's reassuring, it's nearly 50% have technology already in place to do some sort of detection. I'd say that, you know, as Jayne touched on, there's lots of different types of fraud that can happen in an organisation, and so in a way I'm not surprised that there is some element of fraud detection set up in nearly half of organisations. Yes, in terms of, kind of, plans to move forward, I think it's reassuring that a good percentage seem to be gearing up-, well, they're thinking about, 'What could we have in place? What should we have in place? And what might that look like for us?'
Fran:
Yes, and I think, you know, from experience, when you talk to clients in the legal and compliance teams, this particular topic seems to be one that a lot of people are interested in, so thank you for that, Stuart. So, just staying with the theme of poll questions, let's go back to you, the audience, with poll question four, 'Does your organisation have a fraud risk assessment, and when was it last updated?' The second part of that question is the killer. So we've got different categories on there, 'Yes, within the last 12 months. Yes, within the last two years. Yes, more than two years.' So we will go through those when the answers are through. But let's move onto that theme of fraud risk assessments, and I'll go to you, Jonathan. It's clearly a key process in any risk management programme, have you got any tips on what good looks like?
Jonathan:
Oh, yes. Well, thank you, Fran.
Fran:
I thought you might have.
Jonathan:
I certainly do. Yes, let me just list what I think are food for thought, if you like. Firstly, define fraud, so don't sit there and think, 'Well, what am I actually trying to address here?' You know, 'What to extent have I got financial fraud versus non-financial fraud?' So really get your answer around the definition of what you're trying to achieve here. Secondly, you see really useful ways of sort of-, there is an element of blank paper and brainstorming here, but, actually, it's about getting those right people in the room that represent all the corners of the business, that enable you to really surface some of the ways to think like a fraudster, etc, that will get you there. So there are roles for legal, and compliance, and procurement, and sales. Fraud touches all of those areas, right? So that's two, and I've got seven, so I better hurry up. I will say this, I say this a lot to clients, you know, you've got to think about the company as being both the victim, that's very natural for people to think like that, and the perpetrator. There are ways and means a company can end up being-, particularly when you're looking at bribery and solicitation of tax evasion, that, actually, not having adequate controls in place suddenly makes you a perpetrator of something as opposed to the victim. And also think about internal and external. And we see that in global economic crimes, so we see that a third of fraud are committed with some form of internal nexus, so you've really got to be alive to that. Let me just try and speed up a little bit. Again, if you don't already do a fraud risk assessment process, you already will have a risk assessment process sitting there, you know, so build on your building blocks, use the pre-existing systems of governance and things that you already have, and allow them to help you take on new and different types of fraud. Whether that be greenwashing, whether that be other areas of environmental, and things like that, that's much more topical today than it was sort of five years ago.
A couple more(TC 00:20:00). I think to your point, and I guess to the two points being made here, really have a think about how technology can help, because it can. Whether it's about detection, whether it's about (inaudible 20.10), I think, I mean I clocked those statistics there, but I do think that technology assisting fraud detection is going to be 100%, give it three years. I mean, that would be my protection. And then, finally, keep it alive. So you're absolutely right, I mean, it will be interesting to see what the survey comes back with, but a pandemic is a reason to redo your fraud risk assessment, you know, the rules of engagement just changed. I think it's the same in an energy crisis, I think it's the same with any kind of significant change in the business, and you should be doing it reasonably frequently anyway.
Fran:
No, thank you, Jonathan. So, let's go back to the questions, the answers are now up on screen. So this is for me very surprising, I think we've got a very well organised audience here. So 73% actually of our viewers today are saying that they've done a new fraud risk assessment within the last twelve months, 2% within the last two years, 10% more than two years ago, 6% with no, and 10% are don't know's. And I think, just to pick up on a point that you made earlier on, Jonathan, you know, with the pace of change that we've seen over the last two years, I can't ever remember a pace of change so rapid in terms of how business practice and global change affect how business is facing additional fraud risks. That came through, I think, in spades within the Global Economic Crime survey, just with the sort of differences in different types of fraud, and some were up and some were down. So that certainly resonates but, you know, I think the key thing there, and you made the point, is that by leaving the thing in a cupboard and not revisiting it, you're out of date very, very quickly in the modern world. So having an enhanced and a repeat view is certainly something we'd all (inaudible 22.10) by the sound, I don't know if Jonathan, or any of the other panellists, whether you've got any additional things to add on that?
Jonathan:
I'd be interested, Jayne, maybe this is great news, right? The idea, the number of times we've talked about fraud risk assessments now, and people are listening and reacting, and it makes sense. I don't know, do you see that a lot when you're talking about this to businesses?
Jayne:
I think it's sometimes by another name, I think that's what it is. I think people generally have a good process for assessing whether there are, perhaps, as you say, bribery and corruption, or money laundering, or things like that. And it might not necessarily be thought of as a fraud risk assessment. So I think some of the compliance, if you like, with this new requirement will be to bring a lot of things that are being done together in a more formal structure. But, yes, it does vary, but there are definitely elements of it being done in practice.
Fran:
Thank you. So before we head back into the Q and A session, I just thought I'd get some closing remarks from you guys in case we've sort of sped through this session. But in case there are things that you want to cover that perhaps we haven't touched on, we're trying to keep these sessions to half an hour. But any closing remarks?
Jayne:
I mean, I would say that I imagine when this requirement became known there was sort of a collective sigh of, you know, another disclosure, another piece of compliance. And I truly hope that people see it as something that is bigger than that, and more important than just a compliance exercise. For all the reasons that Jonathan and Stuart have given, it's a really important thing to do in a company. It's good for business, it's very good for governance, to have a robust fraud risk management framework. And so regardless of any requirement, I think having the mindset that this is a really important thing to do, and a really useful thing for the business to do, will set us off on a good path.
Fran:
And, certainly, I mean, if you go back two years, the sorts of stats we were getting on businesses that were even thinking about fraud risk was down in the 40's, so getting up to the high 70's is really quite a good development all around, really, I think. Jonathan, any closing remarks from you?
Jonathan:
I don't think I could put it better than you, Jayne. But, yes, I think that's right, I think it's doing the fraud risk assessment and realising that it's a positive event, it gets good people in rooms together talking about stuff that everybody's on the same page in terms of, you know, how they can combat it.
Fran:
Stuart?
Jonathan:
Yes, I mean, from a technology point of view, having worked with clients throughout from the start to implementation, there's lots of things to consider, you know? 'Do we want to build something in-house, do we want to buy something off the shelf? Who will use it, who will run it?' So I'd say the sooner you kind of start thinking about it, the sooner you start engaging your in-house IT team, etc, the better.
Fran:
Thank you, Stuart, and to all of you, for those comments, very helpful. Let's move on now to the Q and A, and I can see that you've all been very busy punching in the questions there, so I'll pick a few off the screen over here, and we can hopefully go through those questions. But, I mean, picking up the first one there, 'How are other companies structuring the governance around fraud, specifically responsibilities at the board and subcommittee level?' I mean, certainly, from conversations I've had, the creation of fraud subcommittees is something that's been a bit of a trend over the last couple of years, but I'll hand it over to you guys. Perhaps, Jayne, do you want to pick that one up first?
Jayne:
I mean, at this stage I think it's still, as we were mentioning in a slightly more informal way-, but I do think as part of the prequirement, I do hesitate to call it that, there will need to be more structure, definitely, around the governance. And as I said, I think it's all down to tone at the top, and the right messaging coming down from the board that this is something important for the company to do.
Fran:
Jonathan?
Jonathan:
Yes, I'd echo that. I mean, I'm seeing audit committees being more interested in it because they're reflecting the fact that the auditors are getting more interested in it. But in due course, yes, I suspect it will start to standardise as well as more and more companies start following the same way.
Fran:
Thank you. The next question here, we sort of touched on this at the start, but it talks about the (inaudible 26.53) recommendation on the board making a statement on the prevention and detection of material fraud. And there's a question, "What do we mean by material fraud. Is it financial materiality?" I wonder, Jayne, maybe if we just get your thoughts on that one.
Jayne:
It's a good question, and I think, at the moment, we don't have any guidance as to what the government, or in the end the regulator, will consider to be material, so I think one of the best things, or one of the most sensible things, to do is to use the auditing standards as a guide, because that is something that we have at the moment which talks about how you think about materiality when it comes to fraud. And the Auditing Standard would say that considering quantitative materiality's obviously important, but qualitative materiality's also really important when it comes to fraud. Because, an example they use in the standard, is if a senior person in the firm was to fix or falsify their expense claim, yes, that might not be quantitative material, it probably never would be, but it speaks to the integrity of that person, and what else might they be doing. So it certainly impacts your fraud risk assessment. And so I think there will be a need to look at quantitative and qualitative. It's hard, but as I say, the Auditing Standard is probably as good a guide as we've got at the moment for companies to think about how to do that.
Fran:
No, thank you. And I think you're probably going to get more of your fair share of these answers just looking at some of these questions. Just looking at time, I think we've got time for one more. So the question is, 'Is it likely that this statement on fraud mitigation can be linked to the external audit of financial statements, or will a distinct assessment and sign off process be required?' I don't know whether you've got any thoughts on that one?
Jayne:
So I'm wondering if that means will it be audited, or just as part of the audit would be covered, or will we be, perhaps, doing some separate assurance on it? I think that might be what we're asking. At the moment, there's no plans to change the auditors responsibility with regard to this statement. It could be something that the audit committee might request an auditor to do, or someone to provide more assurance on it, but at the moment it's not any additional work the auditor would do. However, as I mentioned earlier in the broadcast, that an audio has to look at any statement you make in the front half of the annual report, and if that statement needs to be consistent with what we know in our audit. So if we discovered in our audit that perhaps the controls that you're quoting around fraud are not operationally effective, then there'd be some obligation to report on that. So it would definitely be covered as part of the overall view from the audit, but at this stage there's no specific sign off from the auditor on the statement.
Fran:
No, thank you for that. There are some more questions up there. What we will try and do is just to collate some of the questions and the results from the polls as well, and circulate something after the call. But I'll use that, we're up to the half hour, so I'll bring things to a close. Firstly, a huge (TC 00:30:00) thank you to all our panellists for joining us today, and to all of you for your great input during the session, we've all really enjoyed that. I think it's really clear that we're all going to need to revisit how we manage fraud risk in a different way, and I think a key takeaway for me for today's session, particularly given the pace of change that we've talked about, is to keep an up to date fraud risk assessment, to think about the role that technology can play in helping manage the residual risk. And, please, do be sure to visit our Fraudcast web hub, we're using that as somewhere to, you know, keep our relevant materials, so there should be a lot of useful stuff on there for you. And don't forget to keep an eye out for our future broadcast sessions, and do let us know via the web hub if there are any topics that you're particularly interested in hearing about. Thank you, and we look forward to seeing you all again soon.
