To print this article, all you need is to be registered or login on Mondaq.com.
Article Insights
Ankura Consulting Group LLC are most popular:
within Antitrust/Competition Law, Insolvency/Bankruptcy/Re-Structuring and Compliance topic(s)
Fraud Risk, the Failure to Prevent Fraud and the
Consequences of What Auditors Find
Recent enforcement signals from UK regulators have made one
thing clear: Fraud risk, and how organisations identify, assess,
and respond to it, is firmly back in the spotlight. Public
statements from the Serious Fraud Office (SFO) throughout 2025
confirm that the Economic Crime and Corporate Transparency Act
(ECCTA) and the new Failure to Prevent Fraud (FTPF) offence are
active enforcement priorities. Prosecutors are increasingly focused
on whether companies can demonstrate they have taken reasonable
steps to understand and mitigate fraud risk, including across
complex third-party relationships.
Against that backdrop, statutory audits are emerging as a
critical and often underestimated pressure point. Auditors are
required to assess fraud risk and internal controls as part of
their audit opinion. Where issues are identified, the audit process
can quickly escalate into deeper scrutiny, formal investigations,
and disclosures that may attract the attention of regulators,
lenders, and litigants alike.
This two-part series explores the growing intersection between
statutory audit, fraud risk, and ECCTA/FTPF exposure. Part one
examined how audit findings and auditor reporting can create
visibility and risk under the FTPF, often before misconduct is
fully understood. If you missed this article, you can access it here. Part two looks through the
auditor’s lens, explaining how fraud risk is evaluated in
practice, why audit-triggered investigations arise, and how their
outcomes can materially affect audit opinions, timelines, and
regulatory exposure.
Part 2: Fraud Risk and FTPF Through the Auditor’s Lens
When fraud risk surfaces during a statutory audit, the
consequences are rarely confined to a single audit procedure or
reporting period. Auditor concerns about fraud, management
integrity, or control effectiveness directly shape the scope,
depth, and duration of the audit; and can trigger formal
investigations, the outcomes of which determine not only the audit
opinion, but the company’s broader regulatory and litigation
risk. Understanding how auditors evaluate fraud risk in practice,
and why “reasonable assurance” can expand rapidly in
high-risk situations, is critical for boards and management
navigating audit scrutiny.
The Basics
Contrary to popular belief, the purpose of an audit is not to
identify fraud. The purpose of an audit is to obtain reasonable
assurance that the financial statements are free from material
misstatement, whether due to fraud or error.
Importantly, auditors must also consider whether the financial
statements, taken as a whole, could present a fraudulent
misrepresentation; that is, whether the overall portrayal of the
company’s performance or position is misleading, even if no
single line item is materially misstated.
Reasonable assurance
When supporting companies through investigations under audit
scrutiny, we often get questions like: “Is it reasonable for
the auditor to ask for this information?” or “How much
more testing do they need to do to get comfortable?” The
answer depends on the circumstances but is always tied to the fact
that reasonableness is a subjective measure determined by the
auditor.
Auditing standards define reasonable assurance as high, but not
absolute assurance that the financial statements as a whole are
free from material misstatement.1Â In practice, this
means that audits are designed to reduce the overall audit risk
— i.e. risk the audit fails to detect material misstatements
— to an acceptably low level based on the auditor’s own
risk tolerance, but not to eliminate it entirely. There are
inherent limitations in an audit, such as the auditor’s use of
judgement, sampling techniques or the concealment of fraud, which
mean it is not possible to mitigate audit risk to zero, hence the
assurance being reasonable and not absolute.
Situations in which the auditor is concerned about fraud,
management integrity, or both, one can expect the bar for what is
reasonable to be significantly elevated.
Materiality
Materiality is another subjective measure. It is a financial
reporting concept that considers an assertion or omission to be
material if it can be reasonably expected to influence the economic
decisions of the users of the financial statements. When planning
and performing the audit, and when considering whether a
misstatement is material, the International Standards on Auditing
(ISA) 320 defers to the professional judgement of the auditor who
should consider how users of the financial statements would rely on
the information.2
There are scenarios in which the nature and scale of fraudulent
activity would not meet the definition of “material” in
this context. Even if financially significant to a particular
business unit, the auditor might consider the control environment,
likelihood of the risk being pervasive, and rule that so long as
the financial impacts have been rectified in the books and records,
that it is not material to the overall organisation’s financial
reporting. An example of this might be a conflict of interest that
transpires into an isolated procurement fraud with a particular
individual.
However, it is important to note that materiality is also
qualitative in nature. If audit procedures identify fraud concerns
in which there is suspected involvement from management; even if
the value is financially immaterial at a global level; it is likely
the auditor will have additional questions, want to perform
additional procedures, or even trigger an investigation. This is
because the auditor relies on various assertions by management,
both implicit and explicit, in the preparation and presentation of
the financial statements. If reliability in management is called
into question, there are significant impacts to how the auditor
approaches the remainder of the audit.
How Does the Audit Address Fraud Risk?
This is a perennial challenge and consistent expectation gap
between the public and the audit profession. It is important to
recognise the limitations of a statutory audit in this regard.
Fraud involving collusion, sophisticated concealments, or
management override can be difficult to detect.
ISA 240,”The Auditor’s Responsibilities Relating to
Fraud in an Audit of Financial Statements,” requires auditors
to design and perform procedures to identify and assess the risk of
material misstatement due to fraud. This includes assessing
relevant control frameworks and whether the auditor can rely on
those controls in designing their audit testing.3
As discussed above, the auditor manages the risk that they fail
to identify misstatement — whether due to fraud or error
— referred to as “audit risk,” through a simple
equation. The interplay of the equation components is important to
understanding how fraud risk impacts the overall audit.
The only factor within the audit risk equation that is in the
auditor’s control is their detection risk. The discovery of
fraud or material weaknesses/gaps in fraud controls or issues with
management integrity during routine audit procedures will cause the
risk of material misstatement to increase. To account for this, the
auditor will enhance their testing to bring detection risk lower
and reduce overall audit risk to an acceptable level based on what
they will determine to be reasonable under the reasonable assurance
definition discussed above.Â
Notably, these enhanced procedures can include requesting that
the company commission an investigation and conducting their own
“shadow” investigation.
How Investigations Impact the Audit Process
When potential misconduct or irregularities surface during the
audit, the auditor’s work in that area typically pauses until
the matter is investigated and the facts are established. In such
circumstances, the auditor will often request that management
commission an investigation — either internally or with
external legal and forensic support — to determine the
nature, extent, and financial reporting impact of the issue.
Shadow Investigations
At the same time, auditors will frequently conduct their own
parallel review, often referred to as a shadow investigation, using
their internal forensic specialists. The purpose of this shadow
investigation is not to replicate the company’s inquiry, but to
evaluate its independence, scope, methodology, and evidential
quality, ensuring the findings can be relied upon as audit
evidence. Auditors must be satisfied that the investigation was
conducted objectively and that its conclusions are consistent with
the financial statements.
Extended Audit Timetable
While the investigation is underway, the auditor’s testing
in the affected areas is generally suspended. Once the
investigation concludes or reaches a stage where its findings are
sufficiently clear, the auditor will resume testing, typically
performing expanded audit procedures to obtain additional assurance
and bring the overall audit risk back to an acceptable level. This
may include reperforming certain tests, corroborating findings with
independent evidence, or extending the scope of substantive
procedures.
These dynamics almost invariably extend the audit timetable. The
additional investigative steps, verification procedures, and
internal consultations required to reach a supportable opinion can
significantly delay the issuance of the audit report. This often
becomes a point of tension between management, the board, and the
auditors, particularly where reporting deadlines, market
expectations, or regulatory filing obligations are approaching.
How Outcomes from Investigations Impact the Audit Opinion
Once the investigation concludes and additional procedures were
performed, the auditor determines how the findings affect the audit
opinion. The impact depends on the severity, pervasiveness, and
evidential support of the findings:
Unmodified Opinion With Emphasis of Matter: The issue is
resolved but significant enough to warrant highlighting to users of
the financial statements.
Qualified Opinion: Misstatement or limitation of scope exists
but is confined to specific elements or areas.
Adverse Opinion: Misstatements are material and pervasive,
meaning the financial statements, as a whole, are misleading.
Disclaimer of Opinion: The auditor is unable to obtain
sufficient evidence to form an opinion; this is typically where
management restricts access or investigations remain
incomplete.
A more extreme outcome is auditor resignation, typically when
the auditor no longer has confidence in management integrity or
access to information. Such events are rare but carry significant
reputational and regulatory consequences.
Even where the final opinion is not modified, investigation
outcomes may drive new management letter points, control
recommendations, or required disclosures under ISA 265:
“Communicating Deficiencies in Internal Control.”
Navigating the Risks
Where audits and investigations run concurrently, the stakes are
high. Modified opinions, delayed filings, and auditor resignations
carry immediate market, financing, and reputational consequences.
Audit disclosures can also draw regulatory attention to potential
FTPF or broader ECCTA exposure, even in the absence of
self-reporting, and may act as a catalyst for follow-on litigation
or shareholder action.
Despite commonly feeling held hostage by the audit process,
there are ways for the board and management to regain control.
Auditors are required to communicate significant findings from the
audit, including throughout the audit process and before the audit
report is issued. This provides an opportunity for the board to
commission its own review of concerning conduct and enable them to
interact with the auditors from a place of confidence and
understanding of the issues. It also provides the board a headstart
in remediating control issues that create ECCTA/FTPF risks before
the audit report makes those issues public to prosecuting
authorities.
In this environment, boards and audit committees benefit from
experienced, independent support that understands both the audit
process and investigative expectations. Ankura’s forensic
accounting and investigations specialists regularly assist
organisations and their advisers in responding to audit-driven
fraud concerns, conducting defensible investigations under intense
scrutiny, and managing the interaction between auditors,
regulators, and other stakeholders. Our experience advising
corporates, audit firms, and audit regulators allows us to
anticipate how audit and investigation findings will be tested,
challenged, and ultimately reflected in the audit opinion —
helping clients maintain control of the process at moments when it
matters most.
Footnotes
3. https://media.frc.org.uk/documents/ISA_UK_240_Revised_May_2021_Updated_September_2025.pdf
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.