Risky business – when organisational fraud may carry personal liability for directors and officers

Organisational fraud can take many forms, ranging from wage theft to cyber security breaches, to employee and tax fraud. The cost to Australian businesses can be significant. Fraud schemes can also range from the simple to the complex in terms of how these are perpetrated. This then turns the spotlight on the duties and obligations that fall on directors and other officers to minimise the risk of organisational fraud occurring. In the aftermath of dealing with a fraud event, the questions that are inevitably asked are:

  • can the directors and other officers be held personally liable for what has occurred?

  • can those directors and other officers demonstrate that they have adequately discharged their duties when the organisation falls victim to fraud?

The duty of care and diligence

Directors and other officers of companies have a number of duties imposed on them which are derived from common law, equity and statute. The duty to act with care and diligence is one such duty that comes to mind. 

No matter the source of the duty the basic principles are fundamentally the same. We see the duty codified today in section 180(1) of the Corporations Act 2001 (Cth) (Act). This section requires directors and other officers to exercise their powers and discharge their duties with the degree of care and diligence that a reasonable person would exercise if they were a director or officer of a company in the company’s position and if they had the same responsibilities in the company as that director or officer. It is an objective standard and will depend on the type, size and risks of the particular company.

Section 180(1) of the Act imposes a positive obligation on directors and officers, meaning that it is not just what they do but also what they fail to do that matters. The standard takes into account the director or officer’s experience and personal background; however, a lack of experience does not excuse a director or officer from exercising prudent, commonsense consideration of the issues.

What does that mean in practice?

In a practical sense, the duty to act with care and diligence means that directors and officers should:

  • stay up to date with the company’s activities and assess whether practices implemented by management are adequate and secure

  • have a functional knowledge of the operations of the company

  • have the ability to read and understand the financial records and accounts of the company and regularly review these to understand the financial position

  • provide guidance to management and assess whether management is carrying out its obligations and functions

  • supervise the policies of the company

  • have oversight of risks (and emerging risks) to the business of the company, and the steps being taken to mitigate such risks.

Who is a director or officer?

So, who is captured as a ‘director’ or ‘officer’? A director is someone who is appointed to that position or who is appointed as an alternate director. However, it can also include someone who is not formally appointed as a director but who acts in that position, or someone in accordance with whose instructions or wishes the directors of the company are accustomed to act.[1] The definition is wider than some anticipate and captures shadow or de facto directors.

Officers are directors or secretaries of the company, but can also include someone who makes or participates in making decisions that affect the whole or a substantial part of the business of the company, who has the capacity to significantly affect the company’s financial standing, or in accordance with whose instructions or wishes the directors are accustomed to act (e.g., the CEO). It can also include certain insolvency practitioners appointed to the company.[2]

Am I doing enough as a director or officer?

Not all risk to a company’s business can be eliminated. This is a fact of doing business. However, the question will be whether, having regard to the type, size and nature of the business, the directors and officers are taking reasonably sufficient steps to mitigate the risks of organisational fraud. A board of directors should be aware of the risk, assess the risk and then make an informed decision about whether it will do something about the risk.

Examples of possible steps are:

1. Employee fraud:

  • identify the risk and understand its likelihood of occurrence in a risk matrix

  • ensure policies are in place that create a culture of compliance and honesty without recrimination, such as a whistleblower policy

  • ensure management adequately vet potential employees before they are hired.

2. Cyber breaches:

  • have in place a data breach policy and ensure staff are being trained on what to do if a data breach occurs

  • assess the likelihood of a cyber breach and whether the company’s systems are sufficiently robust

  • include ongoing cyber security assessment in the governance framework of the company

  • have the company follow the advice of the Australian Cyber Security Centre

  • invest in strengthening security software.

3. Tax fraud:

  • engage in regular pay audits to ensure that employees are being correctly paid and the correct tax is remitted

  • ensure that you have properly qualified persons to undertake the accounting roles within your business and independent accountants to review financial accounts

  • train your directors on how to read financial statements and to critically assess the information contained in such statements, including noting any anomalies or unexplained expenses.

Enquiry and critical assessment are essential qualities for directors and officers. They set the tone from the top and must understand the risks to the business. It is important that directors and officers ensure there are policies, procedures and training in place to minimise risks to the business, especially those arising from fraud. The Sydney Morning Herald quoted the Chairman of the Australian Securities and Investments Commission (ASIC) from his speech to the Australian Financial Review Cyber Summit in 2023 on the question of cyber security, which is both timely and relevant:

“If boards do not give cybersecurity and cyber resilience sufficient priority, this creates a foreseeable risk of harm to the company and thereby exposes the directors to potential enforcement action by ASIC based on the directors not acting with reasonable care and diligence”[3]

Author: Rebecca Hegarty


[1] Section 9AC, Corporations Act 2001 (Cth).

[2] Section 9AD, Corporations Act 2001 (Cth).