Reference points

Various sources indicate fraud is a serious issue, such as:

1. The UK Government’s Economic Crime Plan for 2023 to 2026 identifies: The volume of fraud has increased in recent years and even though it has fallen following the highs seen during the Covid pandemic, it still accounted for an estimated 41% of all crime experienced by adults in England and Wales in the year ending September 2022. This reflects an estimated 1 in 15 adults who were victims of fraud in the same year. Combatting fraud is therefore critical in the overall fight against crime. Victims can suffer both serious financial and emotional harm as a result of fraud, and we know that the money fraudsters make can go on to fund other serious and organised crimes. We also know from the 2020 Economic Crime Survey that around one in five businesses in the surveyed sectors had been a victim of fraud in the three years prior to the survey (18%).
2. Information published by the Office for National Statistics (‘ONS’) from a Crime Survey for England and Wales (CSEW) produced in partnership with the Home Office, indicates for the year ending September 2022:
• 3.7 million fraud offences.
• Bank and credit account fraud significantly decreased (14%) to 2.1 million offences.
• Advance fee fraud increased by nine times to 546,000 offences compared with the year ending March 2020 (60,000 offences) - This may indicate fraudsters taking advantage of behavioural changes during the coronavirus (COVID-19) pandemic, such as increased online shopping (e.g., includes scams where victims transfer funds to fraudsters for postal deliveries).
• CSEW estimates for the year ending September 2022 have shown that fraud has now returned to pre-coronavirus pandemic levels.
• Fraud offences reported to the police are recorded and collected by the National Fraud Intelligence Bureau (‘NFIB’) from Action Fraud and two industry bodies, Cifas and UK Finance.
• Police recorded fraud increased by 22% in the year ending September 2022 compared with the year ending September 2021. The increase was mainly driven by a rise in offences recorded by UK Finance, who reported a 157% increase (to 399,966 offences) compared with the year ending September 2021. This was a result of an increase in reporting from their existing members because of engagement from UK Finance, as well as reports coming in from new members who joined towards the end of 2021. Cifas also reported a 14% increase (to 364,835 offences) compared with the year ending September 2021.
• Action Fraud (the public-facing national fraud and cybercrime reporting centre) reported a 23% decrease in fraud offences (to 316,597 offences) compared with the year ending September 2021 (413,417 offences). This was driven by a 38% decrease in "Other fraud" (to 92,187 offences) and a 24% decrease in consumer and retail fraud (to 114,020 offences), and may be related to changes in behaviour as restrictions to social contact were lifted.
3. Since the 1980’s KPMG has maintained a Fraud Barometer, measuring cases of alleged fraud with losses of £100,000 or more reaching the UK courts. The Fraud Barometer identifies trends and patterns affecting the UK economy for businesses to be alert to. The Fraud Barometer: Analysis of UK Fraud Cases in 2022, indicate:
   • The total value of alleged fraud over £100k reaching UK Courts in 2022 was £1.12bn, an increase of 151% compared to £444.7m in 2021.
   • The figure for 2022 is similar to pre-pandemic values which saw a total value of £1.1bn for alleged fraud cases heard in 2019.
   • The volume of cases has fallen by 27% from 298 in 2021 to 219 in 2022.
4. The findings of PWC’s Global Economic Crime and Fraud Survey 2022 (GECS) indicate:
   • Overall, fraud, corruption and economic crime rates show no increase since 2018, despite supply chain issues, environmental and geopolitical instability, an uncertain economy, a talent shortage and many emerging risks.
   • Just under half of organisations (46%) reported experiencing some form of fraud or other economic crime within the last 24 months.
   • The tech industry is a notable exception. The growing maturity of the sector helped it identify a significant increase in fraud activity since 2020. Nearly two thirds of technology, media and telecommunications companies experienced some form of fraud, the highest incidence of all industries.
   • Across organisations of all sizes, cybercrime poses the biggest threat, followed by customer fraud and asset misappropriation.
5. EY’s Global Integrity Survey 2022, conducted with board members, managers and employees in 21 emerging market countries, revealed: "Approximately one-third (32%) of respondents from emerging markets say that bribery and corrupt practices present the greatest risk to the long-term success of their businesses, and just over one-quarter (27%) point to fraud. In addition, nearly one-third (30%) believe that the risk of a cyber and ransomware attack is a significant threat."
6. UK Finance is the collective voice for the banking and finance industry. Representing around 300 firms across the industry. In May 2023 UK Finance published its ‘Annual Fraud Report’’, detailing the amount of money stolen by criminals through financial fraud in 2022:
   • Over £1.2 billion was stolen by criminals through authorised and unauthorised fraud in 2022, equivalent to over £2,300 every minute.
   • 78 per cent of Authorised Push Payment (APP) fraud cases start online and 18 per cent start via telecommunications.
   • The banking and finance industry prevented a further £1.2 billion of unauthorised fraud from getting into the hands of criminals.

House of Commons - Committee of Public Accounts

The House of Commons report ‘Progress combatting fraud’ (March 2023) identifies:

Fraud against businesses and individuals is a significant and growing problem. Since we last looked at this issue in 2017, fraud appears to have been everyone’s problem but no-one’s priority. Combatting fraud is ultimately the responsibility of the Home Office. Fraud now accounts for 41% of all crimes committed in England and Wales, with 3.8 million incidents of actual or attempted fraud in the year to June 2022. We are deeply disappointed in the slow progress made by government in the last five years. Many of the same issues remain and there is still no sign that government has a grip on fraud or an adequate strategy to address it. Meanwhile, victims of fraud are left to pay the price. The Home Office’s most recent estimate of the cost of fraud to individuals is £4.7 billion, and it still cannot quantify the potential cost of fraud to businesses. Becoming a victim of fraud can be deeply distressing for many people and in some cases can cause lasting psychological damage. We are concerned that victims feel lost in the system, with poor communication leading to missed opportunities to prevent further harm and potentially undermining public trust in law enforcement.

Law enforcement is not set up to tackle the challenges presented by fraud. The volume and complexity of fraud currently overwhelms the capacity of both Action Fraud and local police forces, who lack the training and resources they need to pursue the hundreds of thousands of cases reported every year. We are also concerned that police morale is being undermined by the time it takes to investigate and prosecute fraud and the relatively short sentences handed out when prosecutions are successful.

The Home Office is not doing enough to influence those who are instrumental in combatting fraud. The Department is dependent on the banking, technology, telecoms and retail sectors to fight fraud, but its approach will continue to be sluggish and outmanoeuvred if it relies on purely voluntary charters with these sectors. The majority of frauds are also suspected to have an international element, but relationships with overseas criminal justice agencies are immature and threatened by the UK’s lack of domestic capacity.

We are disappointed given the pervasive and damaging effects of fraud on business, individuals, and society that the Government is still not able to fully grasp its extent let alone reduce its prevalence or harms. We will therefore continue to monitor both good and poor practice across government in this area.

The Police response to fraud

A 2019 report produced by Her Majesty’s Inspectorate of Constabulary and Fire & Rescue Services (‘HMICFRS’), on effectiveness and efficiency of the police response to fraud, does not provide encouraging reading for victims of fraud. A key finding is ”The law enforcement response to fraud is disjointed and ineffective”. The report ’Fraud: Time to Choose’ includes:

• Sadly, we have found too many examples of processes that are inefficient and organisations that are not being properly held to account for their performance. As a result, many victims of fraud are not receiving the level of service they deserve.
• 7 of the 11 forces we inspected were unable to tell us how many of the reports of fraud that they received directly, resulted in attendance or other police activity.
• Some forces seeking reasons not to investigate allegations of fraud – one force filed, with no further action, 96 percent of the cases it received from the National Fraud Intelligence Bureau; some of these cases had a good degree of evidence, including identified suspects. Staff performing this role were clear that their function was to reduce demand.

In August 2021, HMICFRS issued an update having revisited its previous inspection to see how the police service had responded to recommendations and AFIs made in the 2019 report. Under the heading ‘Changes since our 2019 report’, the August 2021 report noted:

• Since the publication of our 2019 report, not enough has changed. Too many victims still receive a poor service and are denied justice. The investigation and prevention of fraud offences, by police forces, remain under-resourced and are not given enough priority. Also, there are too few fraudsters held to account.
• In our 2019 report, we concluded that a lack of capacity and capability in tackling fraud had an adverse effect on the quality of service provided to victims of fraud.
• In 2020, Sir Craig Mackey reported that the capacity and capability of forces to investigate fraud were outweighed by the scale of fraud offences.
• These conclusions remain the case today.
• The effect of fraud on the UK is still huge, and the chance of becoming a victim of it is still far too high. It causes misery to victims, individuals and businesses, and damages the national economy. It is estimated to be the type of crime that has the highest number of incidents committed in England and Wales. Adults are still more likely to be a victim of fraud than any other crime.

In March 2022, HMICFRS published ‘State of Policing: The Annual Assessment of Policing in England and Wales 2021’. The report draws on findings from inspections of police forces in England and Wales, to provide an overall view of the state of policing. The report includes:

• online crime is now by far the most prevalent type of crime; fraud has exploded, eclipsing all other crimes in volume (page 41);
• the need for forces and politicians to take fraud far more seriously (pages 49-50);
• For too long, police forces have placed an unjustifiable reliance on Action Fraud, the national fraud reporting centre, to solve the problem. But Action Fraud exists mainly to record fraud allegations, not investigate them. Many police forces aren’t taking their responsibilities to prevent and investigate fraud anywhere near seriously enough.

UK Government Fraud Strategy 2023 - 2025

In May 2023, UK Government published a Fraud Strategy which describes - "Fraud poses a significant threat to the people, prosperity, and security of the UK. It is by far the most common crime and now accounts for over 40% of all offences in England and Wales. This strategy will tackle fraudsters head on and cut fraud by 10%, protecting the British people’s hard-earned cash from criminals and putting more fraudsters behind bars."

To deliver a 10% cut in fraud on 2019 levels by December 2024, the government intends to:

• establish a new national fraud squad with over 400 new posts and make fraud a priority for the police
• deploy the UK intelligence community and lead a new global partnership to relentlessly pursue fraudsters wherever they are in the world
• put more fraudsters behind bars through better investigation and prosecution processes for fraud and digital offences
• ban SIM farms which are used by criminals to send thousands of scam texts at once
• stop fraudsters from being able to send mass text messages by requiring mass texting services to be registered, subject to a rapid review
• Replace Action Fraud with a state-of-the-art system for victims to report fraud and cyber crimes to the police
• ban cold calls on financial products so fraudsters cannot dupe people into buying fake investments
• stop people from hiding behind fake companies and create new powers to take down fraudulent websites
• work with industry to make sure that intelligence is shared quickly with each other and law enforcement
• change the law so that more victims of fraud will get their money back
• overhaul and streamline fraud communications so that people know how to protect themselves from fraud and how to report it
• make the tech sector put in place extra protections for their customers and introduce tough penalties for those who do not
• shine a light on which platforms are the safest, making sure that companies are properly incentivised to combat fraud

Corporate Liability

In April 2023 UK government announced its intention to create a new failure to prevent fraud offence, to hold organisations to account if they profit from fraud committed by their employees. A Factsheet issued on Gov.uk explains organisations will be liable where a specified fraud offence is committed by an employee or agent, for the organisation’s benefit, and the organisation did not have reasonable fraud prevention procedures in place. It does not need to be demonstrated that company bosses ordered or knew about the fraud. The offence applies to all large bodies corporate and partnerships.

The offence will apply to all large bodies corporate and partnerships. This means that in addition to businesses, large not-for-profit organisations such as charities are also in scope, as well as incorporated public bodies.

Organisations will be able to avoid prosecution if they have reasonable procedures in place to prevent fraud. There may also be circumstances where it is reasonable to have no fraud prevention procedures in place (for example, organisations where the risk is extremely low). The government will publish guidance providing organisations with more information about reasonable procedures before the new offence comes into force.

The failure to prevent fraud offence will capture the fraud and false accounting offences most likely to be relevant to corporations:

• fraud by false representation (section 2 Fraud Act 2006)
• fraud by failing to disclose information (section 3 Fraud Act 2006)
• fraud by abuse of position (section 4 Fraud Act 2006)
• obtaining services dishonestly (section 11 Fraud Act 2006)
• participation in a fraudulent business (section 9, Fraud Act 2006)
• false statements by company directors (Section 19, Theft Act 1968)
• false accounting (section 17 Theft Act 1968)
• fraudulent trading (section 993 Companies Act 2006)
• cheating the public revenue (common law)

Once the Economic Crime and Corporate Transparency Bill has been approved by Parliament (received Royal Assent), the government will need to publish guidance on reasonable fraud prevention procedures. Only then will the failure to prevent fraud offence come into force.

The Factsheet includes - ”Individuals within companies can already be prosecuted for committing, encouraging or assisting fraud but we will not be introducing individual liability for failure to prevent. Government does not see it as proportionate to prosecute an individual where they did not consent or know of the offence happening.”

Personal Liability

Examples of where a director might be deemed personally liable (i.e. if he or she):

• False statements by company directors - Intentionally deceives shareholders or creditors of a company by making a false statement as to the company’s affairs (Sec. 19 of the Theft Act 1968).
• Fraud by false representation - Makes a false representation (express or implied) knowing that it is, or might be, untrue or misleading, intending to make a gain for himself or another, or to cause loss to another or to expose another to a risk of loss (Sec. 2 of the Fraud Act 2006).
• Fraud by failing to disclose information - By dishonestly failing to disclose to another person information which he is under a legal duty to disclose, with intent to make a gain for himself or another, or to cause loss to another or to expose another to a risk of loss (Sec. 3 of the Fraud Act 2006).
• Fraudulent trading - Is knowingly party to the company carrying on its business with intent to defraud creditors of the company or of another person or for any fraudulent purpose (Sec. 213 of the Insolvency Act 1986). Example - continuing in business and accepting credit from suppliers, or taking payment from customers knowing that orders will not be filled (i.e. to maximise the amount of money coming in prior to liquidation).
• Wrongful trading - Where a company continues to trade whilst insolvent and unable to pay its debts as they fall due (Sec. 214 of the Insolvency Act 1986). There may be no dishonest intent to defraud creditors but directors may have failed to carry out their responsibilities (i.e. before commencement of winding up of the company, the director(s) knew or ought to have concluded that there was no reasonable prospect that the company would avoid going into insolvent liquidation).

Please note: SYSC326 does not provide legal advice. Nothing on this web site should be considered a legal opinion on interpretation of law or regulation.

For firms supervised by the Financial Conduct Authority (‘FCA’), fraud is:

• Captured in the FCA's financial crime objective.
• Relevant to the FCA’s consumer protection objectives.

Whilst the FCA prioritises consumer protection (as potential victims of fraud) more than to the protection of firms (as potential victims), the regulator does expect firms to be responsive to fraud risk in their systems and controls framework. The FCA Handbook (SUP 15.3.17) includes: A firm must notify the FCA immediately if one of the following events arises and the event is significant:

• it becomes aware that an employee may have committed a fraud against one of its customers; or
• it becomes aware that a person, whether or not employed by it, may have committed a fraud against it; or
• it considers that any person, whether or not employed by it, is acting with intent to commit a fraud against it; or
• it identifies irregularities in its accounting or other records, whether or not there is evidence of fraud; or
• it suspects that one of its employees may be guilty of serious misconduct concerning his honesty or integrity and which is connected with the firm's regulated activities or ancillary activities.

FCA Guidance

FCA guidance includes examples of good and poor practice on firms preventing losses from fraud, including:

Further guidance

Additional regulatory guidance can be found in Financial Crime Thematic Reviews (‘FCTRs’):

High-level management of fraud risk

FCTR 2 summarises the FSA’s thematic review Firms’ high-level management of fraud risk.

Small firms

FCTR 10 summarises findings of the Small Firms Financial Crime Review, with guidance for small firms on:

• Monitoring activity (FCTR 10.3.3G)
• Responsibilities and risk assessments (FCTR 10.3.7G)
• General fraud (FCTR 10.3.13G)
• Insurance fraud (FCTR 10.3.14G)
• Investment fraud (FCTR 10.3.15G)
• Mortgage fraud (FCTR 10.3.16G)
• Staff/Internal fraud (FCTR 10.3.17G

Mortgage fraud

FCTR 11 summarises findings of the FSA’s thematic review Mortgage fraud against lenders, containing guidance on:

• Governance, culture and information sharing (FCTR 11.3.1G)
• Applications processing and underwriting (FCTR 11.3.2G)
• Mortgage fraud prevention, investigations, and recoveries (FCTR 11.3.3G)
• Managing relationships with conveyancers, brokers and valuers (FCTR 11.3.4G)
• Compliance and internal audit (FCTR 11.3.5G)
• Staff recruitment and vetting (FCTR 11.3.6G)
• Remuneration structures (FCTR 11.3.7G)
• Staff training and awareness (FCTR 11.3.8G)

Investment fraud

FSA thematic review of Banks’ defences against investment fraud. Contains guidance for deposit-takers with retail customers on:

• Governance (FCTR 14.3.2G)
• Risk assessment (FCTR 14.3.3G)
• Detecting perpetrators (FCTR 14.3.4G)
• Automated monitoring (FCTR 14.3.5G)
• Protecting victims (FCTR 14.3.6G)
• Management reporting and escalation of suspicions (FCTR 14.3.7G)
• Staff awareness (FCTR 14.3.8G)
• Use of industry intelligence (FCTR 14.3.9G)

This may be fraud:

• Conducted by a company – Such as deliberate falsification of financial accounting records to present a false gain (e.g. over-stating sales/turnover) or to conceal a loss (e.g. under-stating liabilities, asset misappropriation by an employee, or for other reason); or
• Committed against a company (e.g. false invoices submitted to the company by a bogus supplier or third-party, resulting in payment being made where no goods or services have been provided).

Some companies or their employees seek to avoid paying tax due to HM Revenue & Customs (‘HMRC’), by deploying dishonest evasion measures designed to falsely inflate expenses and/or reduce profitability (and hence Corporation Tax liability).

Other examples

• Long Firm Fraud - An apparently legitimate business is established. As time passes and having developed a good credit history, the company starts to defraud suppliers and customers. Reneging on sales, having received all or partial payment and also, failing to pay suppliers that have credit exposure to the company.
• Payment Fraud - Creating false payments (e.g. an employee making fraudulent payments to himself, whilst indicating a different beneficiary in the company’s books and records – a false accounting entry) or by diverting/re-routing legitimate funds received from other parties (e.g. customers, supplier refunds, HMRC repayments, etc.), meant for the company but which do not make it to the balance sheet.
• Procurement Fraud - The typical procurement to payment cycle be susceptible to fraud risk, such as:
• Supplier selection – The improper disclosure of confidential information by an employee of the purchasing company to a particular (or favoured) supplier, for personal benefit.
• Ordering goods or services – An employee of the purchasing company colluding with a supplier and agreeing to pay above the market rate for supplies, despite equivalent quality material being available in the market, at a more competitive price.
• Receipt of goods or services – Sub-standard goods or services are delivered, or not delivered at all.
• Receipt and booking of supplier invoices – False or duplicate supplier invoices may not be verified by Accounts Payable against the actual goods or services received. Or a different blend of pricing and quantity appears on the invoice, as to what was actually agreed to be received.
• Invoice payment - Payments might be re-routed or settlement arrangements changed at short notice. Employee fraud is relatively easy where internal controls do not validate the receipt of goods or services, or where payments or payment systems can be manipulated without appropriate 4-eyes check or challenge.

If you have a Fraud Response Plan this should outline the procedure to follow for suspected (or alleged) fraud, to ensure the response is consistent with senior management expectation and risk-appetite.

In companies’ which do not have a Fraud Response Plan, fraud is sometimes considered a cost of doing business. Whilst this should not be the case, some companies also recognise the police response to fraud is generally weak. Also, when balanced against the combined factors of value lost or at risk, the time it takes to compile a case in support of a civil or criminal fraud allegation, along with the potential impact on business-as-usual activity and the diversion of senior management time, it is not surprising that cost-benefit is a consideration for many corporates.

However, cost-benefit should not be the sole consideration. Other drivers may take precedence, such as:

• Company directors are responsible for keeping proper accounting records which enable them to ensure that financial statements comply with the Companies Act 2006. They are also responsible for safeguarding company assets and taking reasonable steps for the prevention and detection of fraud and other irregularity.
• The Financial Conduct Authority ('FCA') expects senior management in firms it regulates, to consider the full implications and breadth of fraud risk, which can affect profitability, reputation, customers and the markets in which firms operate.
• Where collusion is suspected, the value lost or at risk may not be high. But, the potential for an employee conspiring with third parties to cause financial loss to the company, its customers or its business counterparties, or a repeat event leading to further loss or increased reputation risk, must be taken seriously and appropriate response taken – sometimes regardless of financial value.
• Senior Management, Audit Committees and Regulators often expect, if not require, fact-based and objective reporting on investigation findings, particularly where a system or control override or weakness, may have contributed to a fraud loss event.

The Fraud Response Plan (‘FRP’) should clearly set out the minimum steps to be taken in response to the discovery of alleged or suspected fraud, including: overall responsibility for initiating and supervising investigations, as well as key requirements for loss mitigation and evidence preservation

FRP benefits include:

• Promote organisational readiness to respond in a timely and effective manner
• Set out how internal investigations should be conducted and who to involve
• Forms part of an integrated anti-fraud strategy, covering fraud prevention, detection and investigation
• A framework to manage financial and reputation risk

FRP covers tactical and strategic considerations (relevant to the nature, size and operations of the business). Example areas for FRP coverage include:

• Internal arrangements for reporting, assessment and where necessary, escalation of material fraud risk to a designated person, a governance forum/committee or to senior management
• Provide guidance for managers, employees and stakeholders on the company’s fraud-risk appetite and how they are expected to respond to suspected fraud
• Who should be involved in fraud response (e.g. senior manager, legal department, internal audit, fraud team, etc.)
• External fraud committed against the company or its staff by third parties (e.g. customers, suppliers or other parties), as well as the risk of internal fraud or collusion involving employees and third parties (e.g. leveraging weakness in internal systems or controls)
• When external support may be required from professional investigators/specialists to make progress
• Guidance on how to minimise loss, preserve evidence and maintain confidentiality
• Considering whether remedial action is needed to prevent recurrence

Management and employees are often the first to identify possible cases of fraud or other impropriety. The FRP should therefore be clear on action to take when a case of suspected fraud is encountered. If staff do not know what is expected of them, any action or inaction on their behalf could inadvertently lead to further loss, or loss of evidence to identify person(s) involved.

No. Not in all cases. But, shareholders, regulators, investment partners, etc., might expect reasonable steps to be taken in response, to identify persons responsible and how to mitigate any on-going fraud risk. Where an investigation is initiated this will be influenced by a range of factors, including (amongst other):

• Assessment of the source / substance of an allegation or grounds for concern - A fraud, misunderstanding, or something else?
• Complexity of the fraud involved - Simple or complex, wholly internal or involving external parties?
• Value lost or at risk - An important consideration, but not the only one
• Risk-appetite - How acceptable is the risk/loss event, could other loss have been suffered but not identified, could fraud have been prevented, is there a material control weakness, etc.?
• Organisational culture - What does senior management expect to be undertaken, as a minimum, when responding to fraud allegation or suspicion (i.e. tone from the top)?
• Availability of fraud resource - Internal versus cost, competency and response capability of external support, etc.
• Following the trail – What is the potential for financial recovery or asset tracing in serious cases and whether this is wholly local, or involving cross-border activity
• Compliance with the Companies Act 2006 – Directors are responsible for safeguarding company assets and taking reasonable steps to prevent and detect fraud
• Regulatory risk - Particularly for firms supervised by the FCA:
  • Fraud, errors and other irregularities must be notified to the FSA immediately (i.e. if fraud events arise and an event is assessed to be significant, notification to the FCA under SUP 15.3.17 R is required, with all relevant and significant details of the incident or suspected incident of which the firm is aware)
  • The annual Financial Crime Return (REP-CRIM) includes data points on fraud, including types of fraud encountered, number of resource with fraud responsibility and case volumes.
• Other…

Regulators, industry bodies and fraud specialists recognise the importance of completing a fraud risk assessment (‘FRA’), to inform development (or maintenance) of an effective fraud risk management framework. Completed on a stand-alone basis or as part of a broader enterprise risk assessment programme using scenarios relevant to the organisation, FRA typically considers:

• Whether the organisation’s ability to prevent fraud is adversely impacted by a gap or weakness in internal controls
• How a fraudster (working alone or colluding with a member of staff) might be able to override or circumvent an internal control
• How fraud could be concealed

Inputs to scenario assessment could include:

• Details of known fraud events from within the organisation, including how these were undertaken and their consequential impact, along with assessment of any systems or controls failings previously identified;
• Consideration of internal and external audit findings / recommendations linked to strengthening internal controls to reduce fraud risk;
• Assessing industry fraud typologies or related risk identified in press or media reporting, linked to illegal / unethical practices;
• Considering law enforcement or regulatory publications on fraud for relevance to the operating environment;
• Consideration of any significant organisational change, such as, a merger or acquisition or change in reporting lines or management structure and whether this impacted (or increased) fraud risk to the business;
• Determining whether existing fraud related training is suitable or fit for purpose, or whether new/emerging risk identified might require an uplift in staff training and awareness;
• Analysis of loss/shrinkage suffered and whether this might involve fraud in any way, such as, the booking of bad debt provisions, manipulating stock or work-in-progress quantities, or unexplained increase in the level of write-offs or other accounting entries, which serve to balance the books, but where underlying causes may not have been assessed for fraud risk;
• Materiality of risk associated with employee expense fraud, manipulation of supplier invoicing (or vendor rebates), or other types of corporate fraud risk, relevant to the organisation’s operations;
• Other ……

FRA output

As noted above, FRA scenarios should be relevant to the organisation, to:

1. Help identify real risk facing the organisation, with an emphasis on the actual rather than perceived or generic fraud risks.
2. Inform senior management on risk facing the business, so that, senior management can direct resource utilisation towards addressing real fraud risk, to make a difference where it matters.
3. Ensure appropriate action is taken to any new/emerging material risk identified in the policy, procedure or internal control framework – consistent with senior management risk-appetite.

Anti-fraud framework arrangements should include:

• Governance - Senior management risk-appetite, risk ownership and accountability (e.g. by Board member or other individual with authority, expertise and resource), with supporting activity endorsed by the Board or equivalent senior management body:
• An informed awareness – Document an assessment of how your business is exposed to fraud risk.
• Policies & procedures - Reflecting due consideration of legal and regulatory risk relevant to the organisation’s countries of operations. Anti-fraud measures might be covered in a range of policies, some fraud specific and some having a nexus to other policies in the wider control framework (e.g. Fraud policy, Whistle-blowing policy, Supplier procurement/RFP policies, Risk/incident reporting procedure, Human Resource policy, Internal disciplinary arrangements, etc.).
• Risk-based control environment - Design and implement a suitable control framework, reflecting assessed risk and appropriately resourced to promote compliance with policy and supporting procedure(s)
• Training and Awareness - Develop appropriate training content and ensure coverage of key risk in the operating environment. Content should, as a minimum cover:
1. Policy, procedure and supporting guidance
2. Risk-based training of appropriate employees (i.e. generic for all staff, with additional focused content for staff in higher-risk roles’)
• Compliance monitoring - Controls testing and assurance must be included, to provide assurance or insight for senior management on compliance with policy and procedure
• Reporting - An internal mechanism accessible to all staff, so as to be able to report any concern identified to an appropriate person (e.g. a Senior manager, Internal-audit function, Compliance function, a dedicated Whistle-blowing line or another designated contact/reporting point).