It makes significant business sense for directors and managements to implement policies, procedures and controls that help their companies mitigate the impact of fraud.
Of late, there seems to be a spurt in instances of fraud in the corporate world. The recent Ernst & Young 9th Global Fraud Survey shows that the levels of fraud have risen significantly over the last two years. This increase in fraud across industries has raised certain questions over the preparedness of organisations in the prevention, detection and handling of frauds. At the same time, another pertinent question that has emerged is: What is a director's responsibility in prevention and detection of fraud?
Legislation/guidelines, such as Section 286 of the Companies Act, 1956, the Companies (Auditor's Report) Order 2003 (CARO), the Auditing and Assurance Standard 4 (AAS-4) and Clause 49 of Listing Agreement, have put the onus of prevention and detection of fraud on the management, directors and audit committees. While the management of the company is primarily responsible for implementing policies, procedures and controls for prevention and detection of fraud, the onus of governance is also placed on the board of directors/audit committees for prevention and detection of fraud.
In the past, managements paid little attention to incidents of fraud and treated them as if they posed no particular risk to their organisation. They did not even have specific policies, procedures or controls to prevent or detect fraud. However, the recent surge in incidents of fraud has put the issue in focus.
No longer discretionary
Further, with the introduction of new corporate governance requirements in the form of Clause 49, AAS-4, CARO, etc., which make the directors responsible for the prevention and detection of fraud, exercising adequate oversight of how the management handles fraud risk is no longer discretionary. Non-compliance with these regulations/guidelines can have serious repercussions, including loss of reputation, as can be seen from the regulator's actions against corporate players in the recent past.
For directors of companies with operations spread across multiple countries, the risk of non-compliance increases significantly as they need to comply with global legislation as well.
When confronted with this, directors raise the question: Is this only a regulatory requirement or does it add any value to the business? Various surveys conducted around the world (including India) have revealed that, on an average, companies lose 5-6 per cent of their annual revenues on account of fraud. This amount affects the bottom-line directly. Therefore, it makes significant business sense for directors and managements to implement policies, procedures and controls that help their companies mitigate the impact of fraud on their bottom-lines.
While the management will need to identify, stamp out and prevent fraud, company directors, who can be held personally liable for the corporate governance of a company, also need to sit up and take notice of what this business need and the regulatory requirements imply for themselves, the board and their company. As a first step, the directors may ask the following questions:
Does the company have a framework for managing fraud risk?
Has the company documented a formal anti-fraud policy and a code of conduct/ethics policy?
Have the policies been adequately and appropriately communicated? Is everyone in the organisation aware of the responsibility to prevent and detect fraud?
Are these policies and procedures tested periodically to reaffirm their effectiveness?
Does the company have a formal and robust fraud risk assessment process or, at least, does the risk assessment process specifically cover the risk of fraud?
Has the management team been trained for effective prevention and detection of fraud? Do they undertake fraud vulnerability assessment of high-risk areas on a periodic basis?
Has the management deployed adequate tools and procedures for proactive detection of suspicious or fraudulent transactions?
Is there an element of surprise in the internal audit process to deter fraud?
Is the internal audit team adequately equipped to cover fraud risk?
How does the management react to weaknesses in internal control systems identified by internal audit or during a prior period audit?
Does the company have an effective whistleblower mechanism to enable reporting of instances of observed/suspected frauds?
Have adequate protocols been designed and implemented for reporting detected instances of fraud to the directors/audit committee?
Does the company have a defined response mechanism and the necessary skill sets to investigate whistleblower complaints and fraudulent/dishonest acts?
Directors have collective responsibility for prevention and detection of fraud. Undertaking a quick health check by finding answers to these questions would, on the one hand, assist them in taking stock of the organisation's current state of preparedness in tackling fraud and, on the other, enhance the organisation's ability to tackle the situation when fraud actually happens.
Directors, through their proactiveness and foresight, can add significant value to the business (besides meeting their fiduciary responsibility) by ensuring that the management takes adequate steps to prevent and detect fraud in their organisations.
Sandeep Baldava (The author is Senior Manager, Ernst & Young, Risk Advisory Services.)