Fraud and the role of supervisory board members

On 30 January 2025, the Financieele Dagblad ran the headline: ‘AFM: Not only auditors, but also supervisory board members must pay more attention to fraud’ ('AFM: niet alleen accountant, ook commissaris moet beter op fraude letten’). This headline stemmed from the AFM report released the same day, titled ‘Insufficient audit procedures in response to fraud risks’ (‘Controlewerkzaamheden bij frauderisico's schieten tekort’) in which the AFM stated that the findings of its investigation (focused on auditors) are also applicable to audit committees.

In March 2024, it emerged that former executives and supervisory board members had settled with the trustee of the bankrupt company Imtech. They were accused of mismanagement and inadequate supervision in the five years leading up to the bankruptcy. During this period, fraud was uncovered in Imtech’s operations across Poland, Germany and Switzerland.

These instances underscore the clear expectation that supervisory boards play an important role in fraud prevention. Yet, the specifics of this responsibility and how it should be executed remain unclear.

This article delves into the concept of fraud, outlines the legal and governance framework for supervisory board members, shares insights from the Imtech case, and provides practical advice to enhance oversight of the fraud risk management.  

Fraud is a deliberate act of deception aimed at gaining an unlawful advantage. It manifests in various forms, including swindle, embezzlement and forgery. In the Netherlands, fraud is addressed through multiple legal frameworks, such as the Criminal Code, the Economic Offenses Act (‘Wet op de economische delicten’, WED), the General Administrative Law Act (‘Algemene wet bestuursrecht’, Awb) and tax legislation. To determine if a situation constitutes fraud, it's essential to examine the relevant laws alongside the specific facts and circumstances.

The impact of fraud on society is profound: it can erode economic trust. For businesses, fraud can result in financial losses and tarnish reputations, threatening their continuity. Individuals within these organisations, including executives and supervisory board members, may also face personal reputational harm. 

Legal duties

While there are no specific laws on fraud for supervisory board members, their responsibilities are clear from various legal articles:

• General oversight duties: According to articles 2:140/250 of the Dutch Civil Code (DCC), supervisory board members are tasked with overseeing the management board and risk management, which includes keeping an eye on fraud risk management. They ensure that the management board has robust internal controls to help prevent fraud.
• Approval of financial statements: As per articles 2:101/210 paragraph 2 DCC, the supervisory board approves the financial statements. This means they must critically assess whether the financial statements provide a true and fair view. Since fraud can skew this view, the supervisory board needs to be vigilant for any signs of fraud.
• Personal liability: Supervisory board members can be held personally liable if they fail in their supervisory role (articles 2:138/150 DCC).
  

These legal provisions suggest that if supervisory board members don't fulfill their duties properly, leading to damage—such as poor supervision of fraud risk management—they could be held personally liable. This liability hinges on serious culpable conduct. These articles are also relevant in the context of the Imtech case discussed later. In other instances, the Enterprise Chamber has identified mismanagement due to failed supervision by the supervisory board, often leading to civil proceedings and settlements, though not final judgments against supervisory board members.

Dutch Corporate Governance Code

The Dutch Corporate Governance Code (the Code), while not legally binding, is a key guideline for supervisory board members. It highlights 'fraud risks' in Principle 1.2.1 and also mentions ‘malpractices' and ‘irregularities’ in Principle 2.6. Principle 2.5 focuses on ‘culture,’ emphasising that a company’s culture should foster integrity in business operations and prevent fraud.

Supervisory board members play a crucial role in overseeing risk management and control systems, including conducting a thorough fraud risk analysis. To evaluate if management has implemented an effective fraud policy or fraud risk analysis, supervisory board members need a deep understanding of the organisation, its sector, and potential fraud schemes. They also need to know how to conduct a fraud risk analysis. The ‘Fraud Risk Management Guide’ by COSO and ACFE is a widely recognised framework. More information about this framework is available on our website.

Today, there's a growing focus on culture and creating a safe work environment, as these are seen as vital to ethical business conduct. This focus has led to more reports of undesirable and/or inappropriate behaviour. If management is implicated in this type of behaviour, the supervisory board may need to manage and take action on these reports. These situations can be complex and often draw significant media attention.

Finally, supervisory board members must oversee reporting procedures and, if needed, start independent investigations into malpractices. Leading such investigations isn't a regular task for board members, but objectivity and diligence are essential to protect the interests of all parties involved, including the company.

Perspective of the auditor and regulator (AFM)

Auditors conduct audit procedures that focus on fraud risks. However, a recent AFM study highlights that these procedures often fall short. As a result, the AFM is calling on audit committees to engage in critical discussions about the auditor's approach to fraud risk and thereby enhance their oversight.

In addition to the AFM's recommendations, there's a growing trend where auditors are inquiring about the fraud policies and fraud risk assessment of the companies they audit. Research indicates that not all companies have formalised fraud policies or a fraud risk assessment in place.

Furthermore, fraud is becoming a more prominent topic in discussions between auditors and supervisory boards. These conversations are evolving beyond merely identifying whether fraud occurred during the reporting period. Auditors are seeking meaningful dialogues with board members about the quality of fraud policies, the thoroughness of the fraud risk assessment, and the follow-up on any misconduct reports.

Royal Imtech N.V. was a large technical services provider that went bankrupt in 2015 following revelations of fraud in major projects, particularly in Poland and Germany. This led to significant write-downs, financing difficulties, and ultimately the company’s bankruptcy.

The following text is excerpted from a press release dated March 2024:

The trustees of Royal Imtech N.V. and investors' association VEB have reached settlements with the directors and supervisory board members of Royal Imtech, their insurers and with KPMG, Imtech's accountant. Insurers and KPMG together pay 40 million euros to the trustees. These settlements prevent further legal proceedings against the former directors, supervisory board members and the accounting firm. The demise of Royal Imtech in 2015 is considered one of the largest post-war bankruptcies. Shortly after the bankruptcy, the trustees and the VEB decided to act together on any claims against those involved in the bankruptcy of Imtech.

The settlements now reached are the result of years of research by the trustees into the course of events prior to the bankruptcy. Subsequently, the trustees held directors and supervisory board members liable for improper management and inadequate supervision in the five years prior to the bankruptcy. In addition, the trustees conducted disciplinary proceedings against various accountants at KPMG regarding the formally issued statements in annual reports.

The directors, supervisory directors and KPMG have not acknowledged any liability or guilt in the settlements.

The collapse of Imtech and subsequent settlements with former directors and supervisory board members highlight the potential accountability and liability of supervisory board members for failing to provide adequate oversight. Since the summons was never officially served and there was no public trial due to early settlement, it remains unclear whether the summons specifically cited frauds in Poland, Germany and elsewhere as reasons for the failed oversight and bankruptcy. However, the trustees have expressed in their twenty-seventh report that Royal Imtech’s administration failed to meet expected standards.

Although the supervisory board members did not admit liability or fault, the case resulted in financial losses and negative media attention, with potential reputational impact on the involved supervisory board members. It's worth noting that it took over eight years from the bankruptcy date to reach settlement—undoubtedly stressful years for the directors and supervisory board members facing potential liability and legal proceedings.

Supervisory board members play a role in overseeing fraud prevention. The key question is how they can effectively fulfill this responsibility. It begins with understanding their role and responsibilities. It's essential for board members to stay curious, ask questions, and maintain a critical perspective when things aren't clear.

Below are some questions that supervisory board members can ask themselves, their fellow board members and management to better understand how their organisation handles fraud. These questions can spark meaningful conversations between the board and management, helping to address fraud risks and meet the expectations of society, shareholders, and regulators.

Key topics and questions for supervisory board members:

• Is there a documented fraud policy? Is there an up-to-date fraud risk assessment that takes into account potential fraud schemes? How are external developments factored in?
• Does leadership promote a culture of integrity and transparency?
• Are management targets and bonuses realistic? Are there any earn-out arrangements?
• Is there an effective internal control system, and how is the risk of management override of controls assessed?
• What is the audit commission’s composition and expertise regarding fraud?
• Is there a robust whistleblowing procedure for suspected fraud and irregularities?
• Are agreements in place with external specialists for swift independent investigations?
• Are incidents thoroughly investigated, are root cause analyses performed, and do these lead to structural improvements in internal control?
• How is the dialogue with the auditor regarding fraud risks structured?