Principle 6: monitoring and review  - ECCTA countdown to compliance

Economic Crime & Corporate Transparency Act 2023 (ECCTA) - Countdown to September 2025

As a reminder, organisations have until 1 September 2025 to ensure that reasonable procedures are in place and can be demonstrated for compliance with ECCTA. This article focuses on principle six, ‘monitoring and review.’

The fraud prevention framework put in place by relevant organisations should be informed by the following six guiding principles:

  • top level commitment
  • risk assessment
  • proportionate risk-based prevention procedures
  • due diligence
  • communication (including training)
  • monitoring and review

The principles are intended to be flexible and outcome-focussed, allowing for the huge variety of circumstances that relevant bodies find themselves in. Procedures to prevent fraud should be proportionate to the risk.

To assist with preparations and as part of our commitment to clients and organisations, we will be reaffirming the Government’s guidance on each of the six guiding principles in the lead up to the September deadline.

Monitoring and review

The organisation monitors and reviews its fraud detection and prevention procedures and makes improvements where necessary.
This includes learning from investigations and whistleblowing incidents and reviewing information from its own sector.

Monitoring

Monitoring includes three elements: detection of fraud and attempted fraud, investigations and monitoring the effectiveness of fraud prevention measures.

Detection of attempted fraud

Organisations have an interest in ensuring that they are using a range of measures to detect fraud and attempts at fraud. Relevant organisations are likely to have measures in place for detecting frauds against the organisation but may need to consider how these can be extended to frauds that might be intended to benefit the organisation or its clients. Relevant organisations may wish to consider the following questions:

  • what analysis is carried out (for example on procurement/payments/invoicing)? How quickly are discrepancies flagged and to whom?
  • what processes are in place for detecting unauthorised access to data?
  • what data analytics tools are used? Is there scope for use of AI to identify potential frauds?
  • what encouragement is there for staff to speak up about fraud-related concerns? Speaking up early prevents small ethical problems from snowballing into criminality
  • what are the organisation’s whistleblowing procedures?
  • are they clearly communicated to staff and other associated persons?
  • what action is taken after whistleblowing?
  • are staff or other associated persons signposted to external whistleblowing sites?
  • is there a nominated member of staff with responsibility for collating and verifying management information on suspected fraud and flagging to the board?

Investigation of suspected fraud

Relevant organisations are likely to have in place arrangements for investigating attempted frauds against the organisation but may need to extend them to cover frauds that are intended to benefit the organisation or its clients. Relevant organisations may wish to consider the following questions:

  • what factors would trigger an investigation?
  • who authorises the investigations?
  • are decisions to investigate documented?
  • what factors determine whether the investigation is internal or whether an external investigator is appointed?
  • what arrangements are in place to ensure that internal investigations are independent?
  • what are the arrangements for reporting the results of investigations to the board?
  • how are the results of any investigations communicated through the organisation?
  • what arrangements are in place for learning from investigations?

Investigations should be independent, clear about their internal client and purpose, appropriately resourced, empowered, and scoped (including through legal advice), and legally compliant. Investigations should strive to be fair to all parties. Useful sources of information include the Global Practitioners’ Guide to Investigations.

Monitoring of fraud prevention measures

Monitoring fraud prevention measures might include:

  • monitoring of financial controls
  • collecting data on how many staff have attended fraud prevention training courses and any test results, if applicable
  • monitoring updates to procedures (for example, due diligence procedures)
  • monitoring updates to contractual clauses for associated persons

Review

The nature of the risks faced by an organisation will change and evolve over time. This may be as a natural result of external developments, the failure to prevent a fraud by an associated person, or as a result of changes in the organisation’s activities. The organisation will therefore need to adapt its fraud detection and prevention procedures in response to the changes in the risks that it faces. The frequency of review is a matter for the relevant organisation, but risk assessments are typically conducted at consistent intervals (annually or bi-annually). Relevant organisations should also consider whether various external factors should trigger an earlier review or a partial review.

An organisation may wish to have its review conducted by an external party or may choose to conduct its review internally.
Relevant organisations can review their fraud detection and prevention procedures by:

  • seeking internal feedback from staff members
  • reviewing fraud detection analysis
  • examining any investigations or relevant whistleblowing cases and the subsequent action taken
  • examining other financial crime prevention procedures
  • conducting formalised periodic review with documented findings
  • working with other organisations, such as trade bodies or other organisations facing similar risks
  • following advice from professional organisations (for example, accountancy or legal bodies)
  • examining any relevant prosecutions or deferred prosecution agreements
  • collating and verifying management information on the effectiveness of the fraud prevention measures and flagging to the board

This is not an exhaustive list, and it is expected that organisations will choose the approach most suited to their needs. Relevant organisations may change their review process in light of developments. For example, an organisation may need to take a more formalised and detailed approach to reviewing its fraud detection and prevention procedures following criminal activity by persons associated with it.

As mentioned, relevant organisations may put specific procedures in place during emergency scenarios. Once business as normal has resumed, the organisation should review the effectiveness of the fraud prevention measures during the emergency period.

Speak to an expert

Should you have any queries regarding this or any future publications, please do not hesitate to contact us via email at ECCTA@weightmans.com

Written by:

Mike Brown

Head of Fraud

Mike is a collaborative, decisive and innovative fraud and financial crimes expert with an extensive background in intelligence, investigations, risk and compliance, having worked in law enforcement and the regulatory and financial sectors.
