
How to demonstrate the effectiveness of your internal controls for fraud prevention
From September 2025, the UK’s new failure to prevent fraud (FTPF) offence will put the onus on organisations[1] to be proactive in their fraud risk management activities, or face potential fines should a breach occur. Any organisation that is registered in the UK, or any overseas company that has a UK nexus, will be potentially liable for fraud offences that occur in the UK.
In our first article on preparing for the Failure to Prevent Fraud Offence, we explored the introduction of the UK’s failure to prevent fraud (FTPF) offence from 1 September 2025, followed by a second article on what makes a robust risk assessment.
Continuing our series, we now look at how to ensure appropriate controls are in place to effectively mitigate the risks identified, as part of the “reasonable fraud prevention measures” defence if the organisation is investigated for failure to prevent fraud.
Hear from Deliveroo’s Head of Compliance Daniel Jarman in conversation with FRA fraud risk experts in our live webinar on 26 June, where we explored the practicalities of preparing international businesses for the FTPF offence. Watch here.
How do you evaluate effectiveness?
Demonstrating that your internal controls are effective typically involves a mix of documentation, testing, monitoring and reporting.
Effective internal controls are essential for ensuring the integrity, reliability and accuracy of financial reporting, safeguarding assets, preventing fraud and ensuring regulatory compliance. Without strong internal controls, companies face an increased risk of error, fraud and penalties, reputational damage and operational disruption. Implementing and maintaining effective controls promotes a stable environment that supports sustainable growth and accountability.
When seeking to implement effective controls, the focus should be on ensuring there are:
- Clear policies and procedures outlining the control requirements;
- Regular internal control testing at both First and Second Lines of Defence;
- Monitoring of KPIs and red flags;
- Independent assessments; and
- Communication and oversight by management.
Alignment with existing frameworks
The principles stated in the Bribery Act 2010 and the Economic Crime and Corporate Transparency Act 2023 share significant commonalities. Both call for "adequate" or "reasonable" measures to prevent misconduct, both emphasise the importance of implementing effective policies and procedures to prevent misconduct, and both advocate regular monitoring and review to ensure controls remain effective and relevant.
While control actions may differ across organisations, key elements are common to bribery, corruption, and fraud, meaning an organisation can leverage existing controls within its internal control framework. Examples of existing controls include:
- Segregation of duties: Ensuring no single individual has control over all aspects of a financial transaction.
- Regular audits: Conducting periodic reviews to detect and prevent irregularities.
- Accurate record-keeping: Maintaining detailed, up-to-date and precise financial records.
- Approval processes: Implementing multi-level approval for significant transactions.
- Whistleblower policies: Establishing channels for anonymous reporting of suspicious activities.
Providing an effective defence
The sole defence to the new “failure to prevent fraud” offence is to demonstrate that the organisation had reasonable fraud prevention measures in place at the time of the alleged breach. It is also good practice for an organisation to understand and mitigate its risk exposure more generally – including, but not limited to, the risk of fraud.
Helpful evidence of an organisation’s fraud prevention measures would seek to demonstrate:
- Mapping and documenting a gap analysis comparing the organisation’s fraud risk exposure to its preventative policies, procedures and controls. Gaps are identified where a fraud risk exposure is not mitigated by a control action and new enhancements are required.
- Creation and implementation of fraud prevention controls, including evidence of pan-organisation communication, training and guidance.
- Organisational culture demonstrative of staff awareness and sensitivity to potentially fraudulent activity and the channels for reporting concerns. The “tone from the top” and organisational action to remediate potential compliance breaches are demonstrative of an effective control environment.
- Regular monitoring and testing of the effectiveness of the controls in place.
Many organisations have already adapted their internal controls following the introduction of a similar “failure to prevent” offence in the Bribery Act 2010. The substantial penalties imposed on those that did not do so show the UK regulatory authorities’ commitment to using their powers as a deterrent against poor compliance. The upshot is that we can draw lessons on what the authorities have viewed as adequate procedures and apply those lessons to addressing the expectations for reasonable measures in the context of the FTPF offence.
If an organisation cannot successfully claim that it has implemented reasonable fraud prevention measures, strong post-offending cooperation and timely compliance remediation can mitigate penalties. Airbus received significant penalty discounts in the UK, France, and US for its exemplary cooperation and remediation efforts, including a 16.7% discount in the UK and a 50% discount in France, with no independent compliance monitor required in the US.
Next Step: Investigations
With robust risk assessments and effective internal controls in place, the next area to assess is the company’s response to incidents and allegations. Our series continues with a focus on designing investigations programmes that adequately address the root cause of issues that arise, including when to escalate matters to the authorities.