In a fast-paced business environment rocked by technological, social and economic disruptions, the old approach to fraud risk management – through set-in-stone controls and awareness policies – can no longer offer adequate protection for companies. As the nature of fraud complexifies, companies’ resilience also becomes inextricably tied to the roles, responsibilities and even liabilities of their directors. The board is thus called beyond its original fiduciary duty to ensure that fraud management protocols remain clear, well-resourced and strategically effective. To do this, directors must shun complacency, questioning process owners and sceptically challenging the box-ticking procedures of senior management.
Fraud is a vast category spanning embezzlement, accounting misstatement, cyber intrusion, malpractice, money laundering, bribery and now even greenwashing, with the emergence of ESG “failure” in the context of disclosures. And yet fraud management, from assessment to incident response, is often assumed to be the sole purview of internal audit or compliance departments. This must change: under sharpening scrutiny by stakeholders and society at large, it becomes unacceptable for boards and senior management to be unaware of current fraud risks and weaknesses, or to fail to investigate them appropriately. In many countries board members’ accountability, and even their personal liability, are enshrined in law – a trend likely to continue.
And still directors and executives continue to over-rely on internal audit to deal with fraud risk, even as studies indicate that these departments detect less than 3% of fraud (which is instead revealed by whistleblowers or IT tools like data analytics). In a 2021 global survey by the Association of Certified Fraud Examiners, 14% of companies listed “board member” as the role least likely to receive fraud awareness training, and 54% did not plan to increase their fraud awareness budget. This is despite the fact that corporate fraud rates rise in times of economic difficulty and competitive tension, despite the increase in fraud in line with the explosion of technology and data, and despite recent events that cast serious doubt on the adequacy of conventional corporate governance (the cases of Enron, Xerox, the Volkswagen emissions scandal, Wirecard, etc.).
While no company will be blamed for not achieving a zero-risk environment, a corporation will suffer financial, legal and reputational losses if its risk protocols prove ineffectual. Deficiencies (e.g. in due diligence) breed confusion and hinder corrective action, leading to a loss of stakeholder trust – including that of employees. In the event of serious allegations or regulator audit, high stakes can trigger crisis mode, at which point it is well past time to search for the right legal advisors, forensic experts and cyber analysts. The panic of unpreparedness can even lead to ill-timed communication or miscommunication, or to the destruction of critical data. No policy can map every risk, but a botched fraud case will still upset stakeholders.
That is why boards must challenge senior management on the resources in place for investigations and enhanced due diligence (internal and external, human and technological), keeping clear records of their questions, requests and positions. Beyond the matters found in any white paper – tone at the top, controls and policies, disconnect between discourse and pressure, training, whistleblowing mechanism, etc. – there are three particular areas in which expertise, and thus awareness and efficiency, are critically lacking: investigations, third-party due diligence and data analytics. Today’s board should focus on these, and should not wait until something goes wrong to invest in them.
The board must ensure that management, internal audit, legal and compliance all have forensic technologies and enhanced due diligence tools, adequate fraud management skills, and access to external experts as needed. While most organisations will have a code of conduct, an ethics policy and certain controls in place, those with good fraud detection and suspicion protocols are all too rare. Among other things, these should list internal and external resources, including a crisis management team with roles allocated for communication, liaising with regulators and law enforcement, managing employees, and coordinating with external forensic and legal advisors.
But what is needed to shape effective fraud protocols? One factor is an active board: studies show a strong negative correlation between board meeting frequency and corporate fraud rates. But while more meetings can maintain better awareness of operations, the discussion of fraud risk among and between directors, senior management and external advisors will be less productive without an understanding of fraud drivers and an appreciation of its cross-departmental nature. This means the board must ask the right questions, deepening its own knowledge by leveraging that of staff and external experts (legal counsels, forensic experts, data analysts, cyber specialists, etc.).
How often do board members and senior management sit down to discuss potential drivers of fraud – strategy, people, technology, economic conditions, competition – or internal fraud triggers – corruption, manipulation of accounting reports, misleading investors, and others? How often do they take a holistic view of fraud risks? (What questions did the board ask in the Theranos or Abraaj cases? Did it demand to see the due diligence performed? What activities did the board monitor in the case of Danske and Nordea, Airbus, Novartis, Credit Suisse or Volkswagen? Did it challenge the auditors at Wirecard or Wells Fargo?)
The cross-departmental nature of fraud makes a holistic approach the only effective one; a perfect illustration is the use of sales team travel expenses to pay bribes. To identify this risk, assess it, mitigate it and prevent it requires an understanding of the commercial pressure and targets of the sales team, their incentive scheme, the accounting process for submitting and approving expenses, the vendor management process and the compliance approach (particularly if the company is in a regulated sector or subject to specific bribery and corruption legislation).
Finally, directors must also create clarity about their purpose, closing any gap between others’ expectations and their own understanding of their role. While stakeholders like regulators, lawmakers, the press, civil society, activists and governance experts see boards as primarily in charge of holding senior management accountable, most directors see their first task as helping executives increase profit. This can partly explain the lack of healthy discussion around fraud protocol, the lightness of due diligence on complex transactions, and the dangerous inadequacy and amateurism of investigations.
Profits can no longer come at the expense of ethics; the cost is simply too high. In 2001, Enron went bankrupt after years of fraudulent accounting (the biggest listed US company ever to do so at the time); in 2021, Theranos CEO Elizabeth Holmes received a criminal conviction for defrauding investors when building her blood testing startup. In the 20 years in between, scandals involving corruption, money laundering, embezzlement, data manipulation and greenwashing have continued to occur, most often with directors blamed for allowing them to happen. Beyond the scorn of civil society, board members in many countries have drawn scrutiny from regulators in matters of anti-bribery and corruption; health and safety; pollution; environment, social factors and governance itself (ESG); data protection; antitrust; etc. And as with corporate insolvency, fraud litigation can be brought years after the incident occurs. It is thus not just the board’s duty, but also squarely in its own interests, to establish an anti-fraud mindset down the management chain and across departments.
By Stéphanie Lhomme, Director and head of Forensic Investigations and Anti-Bribery Services at Arendt Regulatory & Consulting.
Association of Certified Fraud Examiners (ACFE), Global Fraud Study, 2021.
ACFE, “Fraud Awareness Training – Benchmarking Report”, 2021.