Demonstrating Reasonable Procedures in Practice
If your organisation were investigated for fraud tomorrow, what evidence would you rely on to demonstrate that your approach to prevention was proportionate, coherent and actively maintained?
The introduction of the failure to prevent fraud offence under the Economic Crime and Corporate Transparency Act 2023 has sharpened attention on this question. But the real issue is not legislation alone (** see below). It is whether organisations can demonstrate, with credibility, that their fraud prevention mechanisms genuinely reflect how they operate in practice.
Reasonable procedures are not about producing more documentation. They are about being able to explain, clearly and confidently, how fraud risks are understood, owned and actively managed across the organisation.
For many boards, the risk is not inaction. It is false reassurance.

Fraud risk is not theoretical
Fraud remains one of the most prevalent crimes in the UK. Data from the Office for National Statistics continues to show that fraud accounts for a significant proportion of recorded crime. Industry reporting from UK Finance highlights that losses arise not only from external attacks, but also from insider activity and weaknesses in third-party relationships.
This matters because fraud exposure rarely sits neatly within one department. It emerges where financial pressure, opportunity, cultural tolerance, and weak oversight intersect.
If investigated, regulators will not be interested in whether a policy exists. They will look at whether prevention mechanisms are proportionate to the risks the organisation actually faces.
Why “reasonable procedures” is deliberately uncomfortable
The legislation deliberately avoids prescribing a checklist. Reasonableness is judged in context.
That means boards must be able to demonstrate:
- That fraud risks have been thoughtfully identified
- That controls reflect real operational pressures
- That oversight is active rather than symbolic
- That prevention mechanisms evolve as the organisation changes
As Paul Haley, Founder of Littlechild & Haley, observes:
“Organisations are rarely short of policies. What they are short of is confidence that those policies genuinely prevent the behaviour they are concerned about. Defensible procedures are those you can explain, with evidence, in the context of how your organisation actually works.”
The emphasis is not on perfection. It is on coherence and credibility.

The Six Pillars of *Defensible* Fraud Prevention
While there is no statutory checklist, six elements consistently underpin frameworks that stand up to scrutiny.
1. Visible top-level commitment
Fraud prevention must be owned at board and senior management level. This includes clear accountability, appropriate resourcing, and evidence of active oversight and challenge.
Investigators will look for board engagement, not simply board awareness.
2. A dynamic fraud risk assessment
Fraud risk assessments should reflect how the organisation operates now, not how it operated several years ago.
New services, digital transformation, outsourcing arrangements, financial pressure and organisational change all alter risk profiles. A static assessment quickly becomes misaligned with reality.
Defensible frameworks demonstrate that risk identification is ongoing.
3. Proportionate, risk-based controls
Controls must match exposure. Over-engineered controls in low-risk areas, combined with weak controls in high-risk areas, often indicate superficial design.
It is not the volume of controls that matters. It is whether they operate effectively in practice.
4. Due diligence beyond recruitment
Fraud exposure frequently arises through third parties, intermediaries, contractors and agents.
Reasonable procedures extend beyond pre-employment checks to ongoing scrutiny of relationships that create risk.
An organisation should be able to evidence how it assesses and monitors third-party exposure.
5. Communication, awareness and speak-up culture
Staff must understand expectations and recognise warning signs. Equally important is whether they trust that concerns will be addressed.
Evidence of training completion alone is insufficient. Investigators may look at whether speak-up channels are used, how concerns are handled, and whether lessons are learned.
Culture forms part of the defensibility narrative.
6. Ongoing monitoring and review
Fraud prevention mechanisms cannot remain static.
Continuous testing, internal audit challenge, review of near misses, and transparent reporting to boards and Audit and Risk Committees demonstrate that the framework is alive rather than installed and forgotten.
Monitoring provides evidence that prevention mechanisms evolve.
Assumption vs Evidence: What Must Be Demonstrated in Practice
In many investigations, the gap lies not in effort, but in evidence.
| Fraud prevention pillar | Common board assumption | What must be demonstrated in practice |
|---|---|---|
| Top-level commitment | A clear policy and statement of intent | Evidence of ownership, challenge, and active oversight |
| Fraud risk assessment | A documented risk register | A living assessment that reflects real operations and pressures |
| Controls | Formal approvals and segregation | Controls that work in practice, not just on paper |
| Due diligence | Pre-employment and onboarding checks | Ongoing scrutiny of third parties and relationships |
| Training and communication | Annual mandatory training | Practical awareness and trusted speak-up routes |
| Monitoring and review | Periodic reporting | Continuous testing, learning, and board visibility |
The ability to bridge this gap is central to defensibility.
The role of internal audit
Internal audit does not own fraud prevention. Responsibility sits with management and the board.
However, internal audit plays a critical role in assessing whether the framework is coherent, proportionate and demonstrably effective.
This includes:
- Testing whether controls operate as described
- Challenging optimism bias
- Assessing whether risk assessments reflect reality
- Providing assurance that oversight is active and evidenced
Increasingly, boards are asking not whether controls exist, but whether they would withstand scrutiny following an incident.
Donna Littlechild, Founder of Littlechild & Haley, reflects:
“Fraud prevention ultimately comes down to judgement. Judgement about risk, about behaviour, and about whether the organisation’s culture supports challenge. The most resilient organisations are those that understand their vulnerabilities and are prepared to test their own assumptions.”
Why acting early matters
Organisations that review their frameworks proactively are better placed to make proportionate improvements and embed learning calmly.
Those that delay often find themselves reacting under time pressure, focusing on documentation rather than substance.
Defensible fraud prevention is not about eliminating risk entirely. It is about being able to explain, clearly and honestly, how risk is understood, managed and challenged.
That clarity provides confidence long before any investigation occurs.
** Organisations should seek their own independent legal advice.

References
- Economic Crime and Corporate Transparency Act 2023
https://www.legislation.gov.uk/ukpga/2023/56/contents
- Office for National Statistics – Fraud and Crime Data
https://www.ons.gov.uk/peoplepopulationandcommunity/crimeandjustice
- UK Finance – Fraud The Facts
https://www.ukfinance.org.uk/policy-and-guidance/reports-and-publications/fraud-facts
- National Cyber Security Centre – Cyber Crime and Fraud Guidance
https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security