Fraud and cybercrime account for a large portion of all crime in England and Wales, according to the UK’s Office for National Statistics, and few sectors are as exposed to the risk — and as responsible for reporting it — as financial management. Action Fraud, the UK’s national fraud reporting centre, reports that nearly 750,000 cases of fraud were reported in the year ending March 2019, 65% of them from businesses and with the victims suffering total losses of £2.2 billion.
The process of reporting suspected fraud is not straightforward: Investigation and conviction rates are low, making some businesses doubt the value of filing a report, particularly given the reputational implications of doing so. However, reporting fraud is of the utmost importance, ethically, financially and often legally.
Several sector experts explained why to FM magazine.
It may be a regulatory requirement. “In the UK, professional accountants are obliged to report suspicious activities under money laundering regulations. While fraud is suspicious and needs to be reported to the National Crime Agency, there is no legal obligation to report suspected fraud to the police,” said Brendan Weekes, senior manager for forensic services at Smith & Williamson, a UK-based investment management, accountancy, and tax advisory firm. “However, complying with the ethical principles for professional accountants would suggest that there are strong arguments for accountants to report suspected fraud to the police.”
Rules may apply to specific cases of fraud and certain sectors. For example, in the UK, the Charity Commission requires charities to report serious incidents, including financial crimes — fraud, theft, cybercrime, and money laundering. The Information Commissioner requires notification of data loss where there is a risk to individuals. The Financial Conduct Authority may require notification where “any matter which could have a significant adverse impact on the firm’s reputation” has occurred or may occur. CIMA byelaws require members to report other members for misconduct.
Similar standards apply in the US and other jurisdictions. Management accountants in more junior positions may be the first individuals to suspect fraud, as they are closer to the more detailed financial information in a company. You can feel isolated and powerless in such a situation. “Accountants and professionals in finance departments should promptly report suspected fraud to management,” said Jennifer Abelaj, Esq., CPA, senior counsel at US law firm Davidoff Hutcher & Citron. “If management does not adequately respond, the professional may be required by state or federal law to report the fraud to the proper authorities, while not violating the client’s confidentiality.”
It may fall under fiduciary responsibilities. “If the professional is in the company’s management, the professional has a fiduciary duty to the shareholders. In some cases, failure to report fraud may result in personal liability to the professional,” said Abelaj.
As Weekes noted, companies may have insurance to cover suspected fraud losses, and a failure to report fraud to the police could result in a claim for those losses being denied. Under the UK’s Companies Act, directors have a duty to exercise reasonable care, skill, and diligence, and failure to appropriately respond to an allegation of fraud could constitute a breach of the directors’ duties and expose the company to a risk of further loss.
Ignoring or concealing fraud losses can have an impact on financial reports, including potential misstatements. This can affect relationships with auditors and, more importantly, with shareholders, who reasonably expect companies to take action to address losses and manage fraud risk.
“Today’s digital tools keep records of all interactions, recommendations, and alerts,” said Sean Byrnes, the CEO at Outlier AI, a California-based automated business analysis company. “If a company is found to have missed, ignored, or intentionally buried information that exposed critical company, employee, or customer data, the fallout from that action will certainly be more damaging than the possibility of reporting a false positive.”
Protecting the company’s reputation. Cases of fraud can have a serious impact on companies’ reputations, particularly if it emerges that there has been a cover-up. This can have a direct impact on financial performance in the longer term.
“Unreported instances of fraud damage the organisation’s reputation in the form of negative media coverage, which can translate to financial impact for publicly listed companies, creating a tangible impact on the organisation’s market capitalisation as well,” said Subhashis Nath, service line leader for enterprise risk and compliance at Genpact, a New York-based global professional services firm.
Fraud threatens the existence of any company or institution where it occurs because it undermines a company’s reputation as a trusted partner. The company may lose business opportunities if it has a reputation of not dealing in good faith.
“Company brand perception and customer loyalty are dependent on how quickly, and how well, organisations respond to fraud,” Byrnes said.
It is not just individual companies’ reputations at stake, but the accounting profession’s as well. Weekes noted that recent UK fraud scandals at supermarket giant Tesco and café chain Patisserie Valerie have prompted increased scrutiny of the financial industry. “These are examples of where perceived failures by accounting and audit professionals have resulted in an increased scepticism and growing criticism of the finance profession.”
It is part of good risk-management procedure. As we have seen, fraud has major implications for financial, reputational, and commercial risk. Monitoring and reporting malpractice is thus an essential part of risk management.
“Protecting an organisation from risks that keep them away from their stated objectives is a fundamental expectation from its leadership and, more importantly, the audit committee,” said Nath. “Many organisations do this through corporate audit and enterprise risk teams. Setting up a risk identification and mitigation environment powered by smart analytics, fraud indicators, risk assessments, and even behavioural science patterning — then conducting internal audits — is the first step to identifying and self-disclosing gaps in an organisation’s risk-management framework.”
Reporting fraud to official bodies helps those organisations build up a better understanding of the dynamics of fraudulent practices. This can help shape the regulatory and reporting infrastructure, and risk-management practices, benefiting all legitimate parties. This is particularly true given the rapid development of different forms of cybercrime.
“Systems that can quickly and automatically detect initial data outliers offer financial institutions a head start on averting loss, damage to the customer experience, and potentially millions of dollars in lost revenue, fines, and future business,” said Byrnes.
It is an important part of having a healthy corporate culture. An underappreciated effect of fraud can be the corrosive effect on staff morale and the internal health of a company. Unreported fraud is a sign of deficiencies in corporate culture that have a broader impact than the merely financial.
“Organisations and their leaders ought to do and be seen to do what is considered right by their staff, business partners, and stakeholders,” said Weekes.
Turning a blind eye to fraud can encourage further graft. But a zero-tolerance policy from management, with full internal investigations and the pursuit of criminal sanctions, sends a clear message.
“CIMA members and registered students can have a powerful influencing effect in a company, so use your professional membership to your own and your company’s advantage,” said Peter Steel, vice-president–Professional Standards and Ethics at the Association of International Certified Professional Accountants. “You have an ethical duty to report, and you should start by reporting up the management hierarchy. You never know who may be involved or complicit in fraudulent activity, so keep records of conversations and put all your advice in writing.” You may be in a good position to recommend the tightening up of procedures.
“An organisation’s leadership is mandated to run it in an ethical manner, which should be ingrained in the organisation’s culture and shouldn’t really require a regulation to enforce it,” concluded Nath. “If they choose to hide it instead of taking remediation measures, they’re already compromising their organisation’s integrity and contributing to — instead of mitigating — organisational risk.”
If you are concerned about fraud in your workplace, CIMA has some helpful resources to help you decide whom to talk to and what to do. Start with the Ethics Checklist to work through the issue in a methodical way. Check the company’s internal policies and procedures to ensure that you are acting within the terms of your employment. Make sure you have evidence to support your suspicion if possible. Consider what you might do if your concerns are ignored, such as communicating with those charged with governance (Section 100.25 of the Code of Ethics). Whistle-blowing may be your last resort.
— Andrew MacDowall is a freelance writer and risk consultant based in France. To comment on this article or to suggest an idea for another article, contact Drew Adamek, an FM magazine senior editor, at Andrew.Adamek@aicpa-cima.com.