Out-Law Analysis 3 min. read

ECCTA: The journey and alignment of organisation initiatives


The introduction of the Economic Crime and Corporate Transparency Act 2023 (ECCTA) provides an opportune moment for organisations to align organisation-wide compliance initiatives.

While organisations across the UK may have already started to work on reviewing and assessing their internal controls following reforms to the UK Corporate Governance Code (2024), it is important for organisations to start preparing for the new failure to prevent fraud offence introduced by ECCTA (376 pages / 3.7 MB) to ensure compliance.

This preparation will require organisations’ fraud processes and prevention frameworks to go further than their existing measures due to the extended scope and broader nature of ECCTA.

Under the new offence, a large organisation will be liable for economic crimes committed by an ‘associated person’. This includes directors, employees and agents of the organisation, acting for the benefit of the business or for the benefit of another associated person of the organisation. For the purposes of ECCTA, a ‘large organisation’ is defined by meeting two of the three following criteria: turnover of more than £36 million; balance sheet total of more than £18 million; and more than 250 employees.

It is therefore essential for organisations to conduct a ‘current state’ assessment which will help them understand the maturity and readiness of their existing fraud risk management framework by affirming what is already in place. This will provide the building blocks to facilitate an informed fraud risk assessment, taking into account the extended scope under ECCTA, and to identify and assess new fraud risks, align current anti-fraud initiatives and identify any potential gaps.

What was the preventing fraud element in UK Corporate Governance Code reform?

Initially, the reforms to the UK Corporate Governance Code were intended to include measures organisations would need to take to assess their ‘material’ fraud risk, and would have required directors to attest that their organisation had reviewed this risk. This would have affected organisations caught by the ‘750 rule’ – only those with more than 750 employees and an annual turnover in excess of £750 million would have been in scope and required to publish the attestation.

However, this measure is no longer included in the reforms to the UK Corporate Governance Code; instead the reforms focus more on strengthening organisations’ internal controls. These reforms have been characterised as ‘UK SOX’, reflecting similarities with the provisions of the US Sarbanes-Oxley Act (US SOX). The reforms are intended to drive organisations to enhance their internal controls and to increase accountability for senior figures within organisations. The requirements will include a public declaration by the board on the effectiveness of internal controls, covering operational, compliance and financial controls. This will take effect for accounting periods beginning on or after January 2026.

‘Failure to prevent fraud’ requires addressing non-financial fraud risks

Interestingly, even if an organisation was compliant with US SOX, subject to an external audit and preparing for the reforms implemented under the UK Corporate Governance Code, there remains a real risk that the organisation will not be ready to meet the requirements of the failure to prevent fraud offence under ECCTA. There are two main reasons for this. Firstly, US SOX, external audits and the reforms to the UK Corporate Governance Code primarily focus on material financial statement fraud. ECCTA, however, is far broader: it covers both financial and non-financial fraud, and it is not limited to material financial fraud.

Organisations will now need to think about the non-financial information they publish, whether the claims they make can be substantiated and whether there is an audit trail to support them. This applies, for example, to environmental, social and governance (ESG) statements, such as claims about measures taken to lower emissions, in line with wider anti-greenwashing rules.

Additionally, ECCTA shines a different spotlight on fraud: organisations need to consider scenarios in which they are the beneficiary of fraud and what controls they have in place to mitigate that risk. Traditionally, organisations have designed and implemented controls to mitigate the risk of being a victim of fraud. They will now need to think about implementing additional controls to mitigate the risk of being the beneficiary of fraud, which will require a shift in mindset and attitude towards fraud. ECCTA will likely result in a transformational corporate shift in how fraud is viewed.

The role of auditors and ‘failure to prevent fraud’

External auditors are asking more questions about their clients’ management of fraud risk, reviewing fraud risk assessments in far more detail and asking more granular questions about the organisation’s fraud risk management framework. This allows external auditors to be more aware of, and more comfortable with, their clients’ preparations for ECCTA and UK SOX. Furthermore, it will help external auditors enhance their audits, as they will be able to address any additional or weakly controlled material fraud risks identified by the organisation.

Co-written by Hannah Bragg of Pinsent Masons.
