How compliant are small businesses?

By Victor Rudebeck – Associate Director, Compliance, Forensics and Intelligence department, Control Risks

 

 

Compliance is continuously rising on the corporate agenda. The past few years have seen a myriad of new legislation introduced in areas such as anti-corruption, data protection and trade sanctions. Moreover, the threats facing companies remain in constant flux, thereby further raising the need for robust internal controls. CEO fraud and cybercrime are the latest catchphrases making the rounds at compliance seminars.

The perception of compliance among smaller and mid-sized companies or enterprises (SMEs) is a different matter though. Unlike at listed companies, compliance is rarely top of the agenda at SMEs. This stems in part from the assumption that compliance inevitably comes with excessive costs and bureaucracy and therefore remains incompatible with commercial success. Increased regulatory scrutiny has also focussed on larger organisations and triggered a relatively relaxed response from many SMEs, which either consider themselves exempt from the scope of new legislation or already sufficiently compliant to avoid further efforts in that regard.

Take corruption as an example. The list of countries implementing more stringent anti-corruption legislation includes not only the UK but also France, Peru, South Korea and India. A feature of many of these legislative frameworks is a corporate liability associated with failing to adequately prevent corruption inside the organisation. For instance, the UK Bribery Act includes the requirement for companies to maintain ‘adequate’ anti-corruption procedures. However, a survey by the UK government of 500 SMEs found that only 17 per cent had any knowledge of the adequate procedures provision and the guidelines published by the Ministry of Justice to comply with that requirement.[1]

Another important piece of legislation for SMEs is the EU’s new General Data Protection Regulation (GDPR). The GDPR, due to come into force on 25 May 2018, will impose a number of new requirements to ensure companies process and store personal data securely. Although the legislation was first announced in 2016, SMEs seem ill-prepared for its imminent implementation. A survey in November 2017 of mainly mid-sized European companies noted that only eight per cent were on course for complying with the legislation.[2] A similar study of SMEs in the UK from September 2017 found that 66 per cent had never heard of the GDPR, let alone what it is expected to cover.[3]

SMEs play an important role in the economy by driving new innovation and research and contributing to gains in productivity. Encouraging SMEs to engage with compliance requires refreshed thinking around the scope of compliance, the value it brings to an organisation and how it can be effectively adapted to the modus operandi of an SME. As this article will show, a number of compliance solutions are readily available to SMEs that do not inflict high costs and burdensome administration. Four of them are discussed here below.

Defining programme ownership

The success of a compliance programme relies in large part on adequate support and resources being provided by management. Clear, unequivocal support for compliance, backed up by leadership by example, does not cost much but likely constitutes the most significant contribution senior management can make to the success of a compliance programme. The moral influence of the owner and their closest management team in an SME further multiplies the importance of having a strong tone from the top.

On the other hand, a weak or contradictory message from management risks undermining the substance of the compliance programme. When directors look the other way or even directly participate in fraudulent activities, other employees will be quick to follow suit. One of our clients suffered large scale fraud in the procurement department that had gone on for a number of years, including rigged tender bids, supplier kickbacks and procurement of false goods and services. The fraud scheme was allowed to prosper in spite of the client having a strict procurement policy in place that clearly set out the procedure for selecting and monitoring suppliers. An investigation into the scheme revealed that members of senior management directly supported the scheme in exchange for receiving a portion of the kickbacks.

Defining what constitutes adequate support for compliance can often be difficult for SMEs. The compliance programmes of listed companies are typically maintained by one or several compliance teams, which are led by a chief compliance officer, reporting directly to senior management. By contrast, many SMEs refrain entirely from making any recruitments specifically to support compliance-related activities. Ownership of the compliance programme is either added to the business owner’s long list of responsibilities or shared across other existing departments, such as legal and finance. However, such an approach is problematic for several reasons.

First, it muddles transparency and accountability. The fact that an SME owner often decides for everyone and answers to no one leaves him or her ill-suited to also perform the checks and controls required to preserve the integrity of the business. On the other hand, where several departments are involved, there is a risk of compliance falling between different chairs, thereby complicating the task of allocating responsibility for a specific compliance breach or deficiency incurred.

Second, it raises the risk of a conflict of interest in the delivery of the programme where the team or individual investigating a compliance breach is also directly implicated in the reported wrongdoing.

In our experience, the majority of SMEs in the current regulatory environment will struggle to run an effective compliance programme solely as an add-on to existing back-office operations. Appointing a designated compliance officer is a more advisable option in that regard.

Designing internal controls

A flat organisational structure coupled with flexible decision-making and a culture of trust between management and the employees is often seen as instrumental to the success of SMEs. Many SME owners would also consider such a model incompatible with the layers of rules and procedures normally underpinning a compliance programme.

The cost of inadequate governance can, however, be significant. A client in the mining industry suffered a six-digit fraud loss at the hands of its external trustees that had been given full control of the books and records without any meaningful supervision from anyone within the company.

A lack of internal controls also complicates the task of proving responsibility after the fraudulent activities have been detected. An SME in the shipping industry became subject to a claim for unfair dismissal brought by a former employee as a result of a €0.5 million loss from a failed shipment. The company claimed the employee had acted of his own accord in making the shipment without seeking management approval in an attempt to cover up losses elsewhere. However, the company lacked any formal controls for reviewing proposed shipments, with approval often given verbally by management. The employee also maintained that he had received verbal approval from the CEO before proceeding with the shipment.

At the same time, SMEs should also be wary of not overstretching the scope of their compliance programmes. Several studies have found that smaller companies often try to benchmark their compliance programmes against those of larger, listed companies. This will not only prove costly and cumbersome to implement but also likely unsuccessful in addressing the risks the companies face.

A more effective approach begins instead with documenting the internal controls already in place to identify best practice across the organisation and modify or reinforce procedures where needed. Where gaps are identified, additional controls, carefully tailored to the company’s risk profile, should be considered. Less is often better under such circumstances. For instance, a code of conduct that clearly states the company’s expectations, outlines acceptable behaviour and presents viable options for asking questions and raising concerns can go a long way towards bringing lasting improvements in compliance.

Addressing third-party risk

Compliance is not exclusively an internal matter. The US Foreign Corrupt Practices Act and other anti-corruption legislation include corporate liability for corrupt activities undertaken by business partners, such as sales agents, distributors and consultants. Verifying that third parties engaged by the company maintain satisfactory compliance standards also reduces the risk of inadvertently being implicated in fraud schemes originating from outside of the organisation. For instance, a pharmaceutical client became victim of a CEO fraud after the fraudster had hacked into a supplier’s email account and issued the company with false invoices.

Third-party compliance risk is most effectively addressed through a due diligence or screening programme that examines the activities and background of each third party. The reference to due diligence often draws comparisons to extensive legal teams required to coordinate the reviews of third parties. However, this does not have to be the case.

First, the company should ensure as much information as possible is provided by the third party itself through the completion of a compliance questionnaire, backed up by relevant supporting documentation. The questionnaire should cover areas such as beneficial ownership, financial information, compliance policies, etc.

Second, subsequent internal reviews should prioritise third parties with the highest perceived risk based on, for example, their country of residence, level of interaction with government officials and type of industry. While no compliance programme is ever 100 per cent secure, risk-based due diligence ensures the available resources are focussed where most needed.

Using technology effectively

The role of technology in delivering compliance is often misunderstood. Although IT provides the platform through which a large part of the programme can be delivered, having the right tone from the top and a strong compliance culture are more essential to laying the foundation for its success.

Nevertheless, technology can provide vital support in ensuring the programme is successfully implemented and adhered to. The key is to identify the parts of the business most in need of a technological solution to help drive stronger compliance practices. Investment in advanced, programmatic solutions is not a prerequisite. For instance, data analytics is an important tool to proactively monitor the compliance programme’s performance, for example, by analysing transactional data in real-time as it is entered into the accounting system. In this way, the company can detect and address suspicious activity before the fraudulent transaction is completed.

Companies processing large quantities of data from multiple sources will likely require a bespoke database system, integrated into the existing IT infrastructure, through which to run the analysis. Companies with smaller data volumes have the option of more cost-efficient solutions that involve refining the systems already in place. This includes refining the accounting system to automatically highlight certain changes to supplier data or transactions that meet high-risk criteria (e.g. high, round amounts) that will be processed for further review.
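An added example (not from the original article or any accounting product) of the kind of rule described above: it holds a payment for review when the amount is high and round, or when selected supplier fields changed shortly before the payment date. The thresholds, field names and sample records are assumptions constructed for illustration.

```python
from datetime import date, timedelta
from decimal import Decimal

# Assumed review criteria; tune to the company's own risk profile.
HIGH_AMOUNT = Decimal("10000")               # "high" threshold
ROUND_UNIT = Decimal("1000")                 # "round" = exact multiple of this
CHANGE_WINDOW = timedelta(days=30)           # change shortly before payment
WATCHED_FIELDS = {"bank_account", "payee_name"}  # only "certain changes" count

def review_reasons(payment, supplier_changes):
    """Return the list of reasons a payment should be held for review."""
    reasons = []
    amount = payment["amount"]
    if amount >= HIGH_AMOUNT and amount % ROUND_UNIT == 0:
        reasons.append("high_round_amount")
    for change in supplier_changes:
        if change["supplier"] != payment["supplier"] or change["field"] not in WATCHED_FIELDS:
            continue
        age = payment["date"] - change["date"]
        if timedelta(0) <= age <= CHANGE_WINDOW:
            reasons.append(f"recent_change:{change['field']}")
    return reasons

def flag_for_review(payments, supplier_changes):
    """Map payment id -> reasons, for payments meeting at least one criterion."""
    flagged = {}
    for p in payments:
        reasons = review_reasons(p, supplier_changes)
        if reasons:
            flagged[p["id"]] = reasons
    return flagged

# Constructed sample data (not real records)
SAMPLE_CHANGES = [
    {"supplier": "S-002", "field": "bank_account", "date": date(2018, 3, 1)},
    {"supplier": "S-003", "field": "address", "date": date(2018, 3, 2)},
]
SAMPLE_PAYMENTS = [
    {"id": "P-1", "supplier": "S-001", "amount": Decimal("4312.57"), "date": date(2018, 3, 5)},
    {"id": "P-2", "supplier": "S-001", "amount": Decimal("25000.00"), "date": date(2018, 3, 6)},
    {"id": "P-3", "supplier": "S-002", "amount": Decimal("8740.10"), "date": date(2018, 3, 9)},
    {"id": "P-4", "supplier": "S-003", "amount": Decimal("9000.00"), "date": date(2018, 3, 9)},
]

if __name__ == "__main__":
    for pid, reasons in flag_for_review(SAMPLE_PAYMENTS, SAMPLE_CHANGES).items():
        print(pid, reasons)
```

A payment that follows a change of supplier bank details is the pattern behind the false-invoice case mentioned earlier, so that reason is worth routing to someone who confirms the change with the supplier through a separate channel.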

Similarly, employee expenses are a high-risk area for bribery and corruption at most companies. Many SMEs still use rather rudimentary tools, such as Excel spreadsheets, to process and monitor employee expenses. This raises the risk of fraudulent or illegal expenses being reimbursed as a result of false expense claims, circumvention of approval controls or an inability to monitor expenses centrally within the organisation. Expense report software is available at relatively minor costs to SMEs and helps to address such risks far more effectively.

SMEs are often distinguished by a number of unique features that help to explain their success, including a flat organisational structure and flexible decision-making. However, the same characteristics also leave SMEs more exposed to the risk of fraud and other regulatory missteps taking place, especially in light of the heightened scrutiny by regulators worldwide.

Further efforts are therefore required to improve compliance standards within SMEs. Contrary to popular perception, this does not need to involve high costs or excessive bureaucracy. Simply having a clear message of support from management of compliance-related activities goes a long way towards establishing a successful compliance programme. Other cost-efficient solutions can further strengthen the internal control environment, including the screening of third-party business partners and the use of technology to monitor suspicious transactions in real-time.

As compliance is becoming an increasingly important success factor, the onus is on SMEs to adopt compliance as an integral part of their business model.

 

About the Author:

Victor Rudebeck is an Associate Director in the Investigations and Forensic Services practice area of the Compliance, Forensics and Intelligence department. Victor specialises in providing anti-corruption compliance assessments and investigations for clients across a wide range of jurisdictions and sectors. He also has experience of delivering structured data analytics on a number of different accounting systems, including SAP, Oracle and Microsoft Access. Prior to joining Control Risks, Victor spent 6 years working for a forensic accounting firm in Paris and London, specialising in the provision of damage assessments in the context of international arbitration and commercial litigation.

Victor has a BSc in Information Management from the University of Sheffield, is a member of the Institute of Chartered Accountants in England and Wales (ICAEW), the Canadian Institute of Chartered Business Valuators (CICBV) and is a Certified Fraud Examiner (CFE). Victor is Swedish and fluent in English, French and German.

Footnotes

1. HM Government, Insight Into Awareness And Impact Of The Bribery Act 2010, 2015.

2. European Business Awards, 92% of European Business Are Unprepared For GDPR, 17 November 2017.

3. Employeebenefits.co.uk, 66% Have Not Heard About GDPR Legislation, 25 September 2017.