Q&A: You asked us - May/June 2022

Q Are there any resources on assessing reasonable actions to comply with corporate criminal offence, controls and red flags?

A We do not have specific guidance on complying with Corporate Criminal Offence (CCO) rules under the Criminal Finances Act 2017. However many financial services firms have published articles reviewing lessons learnt from the early years of the legislation.

Common themes on expected controls and reasonable steps are:

• A robust and regular risk-assessment process across all business areas potentially affected, which considers the risk of CCO as a specific fraud offence.

• A policy framework with specific reference where appropriate, which considers related processes such as Whistleblowing.

• Effective internal communications and training.

• Consideration of suppliers.

These are closely aligned to HMRC’s six guiding principles:

• Risk assessment.

• Proportionality of procedures.

• Top level commitment.

• Due diligence.

• Communication and training.

• Monitoring and review.

From an internal audit perspective, a good starting point might be to ask the business what actions it has implemented against each of these principles.


Q What is the new EU directive relating to human rights and how should internal audit address this?

A The European Commission published a proposal for a directive on corporate sustainability due diligence on 23 February. This would establish a duty for companies to undertake due diligence pertaining to sustainability and/or actual or potential adverse human rights and environmental impacts in their own operations, their subsidiaries and in “established business relationships”.

The directive would apply to very large EU and non-EU companies that operate in the single market and to large companies in three higher risk sectors. It would require companies to establish transition plans to address their climate change risks and would clarify that directors’ duties should include considering sustainability impacts in their decisions.

It also includes provisions on access to public support, guidance and resources.

The directive could be enforced via civil remedies – ie, for people who are harmed by a breach – or by administrative oversight of compliance (whether or not harm occurs).

It is likely to be a while before the directive becomes law, however some EU and non-EU states already legislate in this area and existing rules therefore offer broad outline areas to consider when completing an assurance or consultancy engagement. Areas that internal audit should think about will include:

• Integrating due diligence into policies.

• Establishing and maintaining a complaints procedure.

• Identifying actual or potential adverse impacts.

• Monitoring the effectiveness of the due diligence policy and measures.

• Preventing and mitigating potential adverse impacts, and ending and minimising actual adverse impacts.

• Publicly reporting on due diligence.

Even if your organisation will not be required to comply with the directive, these areas are all worth considering as part of the internal audit approach to auditing ESG and may link into your organisation’s corporate social responsibility approach.

We recently held a session with Swift on the directive for audit leaders. Swift has produced an analysis on the proposed directive that may offer further information.


Q I am hearing a lot about supply chain disruption and associated risks, particularly following the pandemic and in the wake of the conflict in Ukraine. Do you have any guidance about what should be considered as part of an audit of this area?

A The technical guidance on our website includes an introduction to supply chains, which provides an overview of the key issues, an explanation of how supply chains work and a glossary of terms.

There is also advice about how to approach an audit, including example risks and controls. It is imperative that audit scope is sufficiently clear and focused to avoid the risk of offering false assurance – a danger because the topic is so broad.

When looking at current supply chain risks, you should consider how the conflict in Ukraine and the situation in different countries around the world as they learn to live with the risks of Covid-19 and potential variants are likely to exacerbate supply chain issues. A European war and a further lockdown in Shanghai have highlighted the interconnectivity between supply chain and geopolitical risks. Richard Chambers, former president and CEO of IIA Global, captured in his blog of 27 February 2022 the importance of proactively monitoring geopolitical risks and how this can help companies.

Ukraine and Russia are net exporters of wheat, corn and sunflower oil, so the war will inevitably affect food supply chains. Oil, gas and petrol/diesel prices have already risen sharply, exacerbated by deteriorating relationships with Russia, and this is contributing to rising inflation. Such rapid shifts are why it is important to use all the tools at your disposal and to think laterally when you consider supply chain risks to get an accurate picture of how effectively your organisation is managing them.


Q How can internal audit support an organisation to deal with the increasing and evolving risk of fraud?

A The uncertainty and level of change created by the Covid-19 pandemic put organisations under financial and operational pressure. This has created an ideal environment for fraudulent activity. According to an ONS survey, fraud and computer misuse offences have risen by over a third in England and Wales, driven largely by the Covid-19 pandemic.

As fraudsters are becoming more sophisticated, organisations should check that their anti-fraud control framework remains effective at preventing, detecting and responding to fraud risk.

The IIA Standards define fraud as any illegal act characterised by deceit, concealment or violation of trust perpetrated by parties and organisations to obtain money, property or services; to avoid payment or loss of services; or to secure personal or business advantage.

Internal audit’s role in relation to fraud is detailed in the IIA Standards:

• IIA Standard 1200: Proficiency and Due Professional Care 1210.A2 – Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organisation, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

• IIA Standard 2120: Risk Management 2120.A2 – The internal audit activity must evaluate the potential for the occurrence of fraud and how the organisation manages fraud risk.

• IIA Standard 2210: Engagement Objectives 2210.A2 – Internal auditors must consider the probability of significant errors, fraud, non-compliance and other exposures when developing the engagement objectives.

Internal audit teams are increasingly coming under pressure and scrutiny, within organisations and from external stakeholders, to be clearer about, and more accountable for, their role in fraud risk management. The institute is undertaking a piece of thought leadership research that will explore internal audit’s role in relation to fraud risk – the report will be published this summer.

GOT A QUESTION? Contact the Chartered IIA technical helpline on 0845 883 4739 or email technical@iia.org.uk

This article was first published in May 2022.