For Rio Tinto Audit Committee Chair and Non-Executive Director Simon Henry, the current effectiveness – or otherwise – of corporates’ assessment and management of fraud risk all comes down to culture.

“That’s my direct experience, and also what regulators would tell you,” he says. “In any corporate fraud investigation, when you really start to drill down and ask, ‘Why did this happen?’, you invariably end up looking at the company’s culture.”

Henry points out that, almost two decades ago, cultural challenges struck at Shell – an episode that resulted in the business paying a $120m fine, following a US-UK probe into the fraudulent overstatement of hydrocarbon reserves. More recently, Henry says, he has seen cultural issues within Rio Tinto itself – alluding to controversy over the destruction of sacred cave sites at Juukan Gorge, Western Australia, in May 2020.

While not an act of fraud, the move sparked an inquiry at the Australian Parliament, culminating in a scathing report that marred the company’s reputation and raised serious concerns over governance. The incident’s remoteness from Rio Tinto’s London HQ helps to illustrate Henry’s thoughts about the relationship between culture and oversight: “If fraud is going to happen, it often won’t be at head office, but somewhere in a company’s global operations,” he says. “For example, recent auditing irregularities at BT occurred in Italy.”

With that in mind, the role of boards is clear. “We’re independent,” Henry says, “but we should be very aware of the potential problems within the cultures we work in and require the correct checks and balances to be in place.”

In Henry’s judgement, that would include direct assessments of the integrity, objectivity and professional competence of key people in the system – from the CEO to financial controller, chief accountant, head of internal audit and even their reports. “And if, as a board member, you have any concerns about key aspects of global operations, go out there and see. Part of independent assurance depends upon personal observation.”

Fresh thinking

In the view of Jock Lennox – Audit Committee Chair at Barratt Developments and Chair of the Audit Committee Chairs’ Independent Forum – any corporate discussion around the assessment and management of fraud risk typically stems from change: large or small shifts in what a business does, how it does it and the broader context in which it operates. Without appropriate scrutiny, fraud vulnerabilities could open up as a result of those shifts.

“If you pare back any of the frauds I’ve come across in my career, there has typically been a breakdown in some basic controls, which has enabled someone to do something nefarious and go unnoticed,” he says. “Once that individual feels they can get away with it, they will build on it.” 

That tends to mean that some form of laxity has crept into the business as it’s developed, Lennox explains, whether around segregation of duties, for example, or the application of certain regulatory requirements. Perhaps the business has experienced cultural changes through management shifts, restructuring and/or new ownership that have undermined rigour in those areas.

“What that says to me is that you have to continually seek ways of refreshing your thinking about your business model, so you remain alive to the possibility of fraud risks emerging and apply appropriate controls,” he says. “In tandem, you need a framework of independent assurance to check that those controls are in situ and operating effectively. Plus, you have to ask yourself as an organisation whether the tone from the top is in the right place.”

Turning to specific types of fraud risks that audit committees deem particularly concerning at the moment, Lennox and Henry agree that the digital challenge leads the field by a considerable margin.

“I would be very surprised if any audit professional you spoke to didn’t include cyber as a major hurdle,” Lennox says. “We’ve probably all got experiences of being on the receiving end of a cyber issue – whether that’s data loss, for example, or a malware attack – and that risk area is clearly not going away.”

“It’s the one thing that worries us all because it’s so dynamic,” Henry says. “ The bad guys are smart and well resourced – increasingly through funding and/or technologies provided by state actors – thereby bolstering existing criminal elements.”

Advanced approach

What sort of role should audit committees play in tackling that threat area?

“Using frameworks to assess the effectiveness of the company’s defences is an important step,” Lennox says. “Whether you’re examining third-party penetration attacks, or assessing whether those attacks are active, dynamic or one-off, we’re learning all the time. So, I would expect this subject area to be a big part of an audit committee’s annual discussion, to make sure the company is on top of its game in this arena. And whether we have evidence that the controls we believe to be in place really are in place.”

When Henry considers the five corporates and one government department that he is most familiar with from his career, he credits them for having an advanced approach to cyberthreats. “In all cases,” he says, “the board has been through an awareness-raising process and has moved to, say, focusing 80% of the resource on the highest-priority 20% of threats. Indeed, most boards now have subcommittees on tech and cyber risks. Over the past 10 years, the way organisations address this issue has improved by orders of magnitude.”

In terms of other, pressing risk factors that are on audit committees’ agendas, Lennox cites issues of misrepresentation around sustainability and social responsibility. How far back can you trace your supply chain, he asks, to ensure that you are doing what you believe you are doing in relation to commitments around sourcing sustainable raw materials and avoiding modern slavery? “Those are broader topics than fraud per se,” he says, “but still go to the heart of honesty and integrity.”

Cascade of controls

Going forward, then, what should audit committees do to boost their effectiveness in the assessment and management of fraud risks?

“Organisations often find out whether or not they have the correct controls in place when something goes wrong,” Lennox says. “However, rather than relying on investigations and lessons-learned exercises, audit committee chairs and other directors should take a step back at key points in the year and ask themselves how confident they can be that their controls are operating properly and providing all the required coverage. Annual fraud workshops, perhaps involving external experts, could help to formalise that process – particularly at times when the company is influenced by internal or external changes.”

Henry highlights the value of audit committees ensuring that organisations implement a ‘cascade’ of fraud-risk management, starting at head office level and running down through individual departments and frontline staff. In addition, he advocates a common form of first-principles risk assessment. 

“Out of the 10 main things that could go wrong,” he says, “identify three existential risks, three you must manage, and other risks that are simply out of your hands because they’re external to the business. Setting those priorities in itself makes for better leadership, risk management and allocation of often strained resources.”