\nstatutory audit, fraud risk, and ECCTA\/FTPF exposure. Part one
\nexamined how audit findings and auditor reporting can create
\nvisibility and risk under the FTPF, often before misconduct is
\nfully understood. If you missed this article, you can\u00a0access it here<\/a>. Part two looks through the
\nauditor’s lens, explaining how fraud risk is evaluated in
\npractice, why audit-triggered investigations arise, and how their
\noutcomes can materially affect audit opinions, timelines, and
\nregulatory exposure.<\/p>\n
Part 2: Fraud Risk and FTPF Through the Auditor’s Lens<\/p>\n
When fraud risk surfaces during a statutory audit, the
\nconsequences are rarely confined to a single audit procedure or
\nreporting period. Auditor concerns about fraud, management
\nintegrity, or control effectiveness directly shape the scope,
\ndepth, and duration of the audit; and can trigger formal
\ninvestigations, the outcomes of which determine not only the audit
\nopinion, but the company’s broader regulatory and litigation
\nrisk. Understanding how auditors evaluate fraud risk in practice,
\nand why “reasonable assurance” can expand rapidly in
\nhigh-risk situations, is critical for boards and management
\nnavigating audit scrutiny.<\/p>\n
The Basics<\/p>\n
Contrary to popular belief, the purpose of an audit is not to
\nidentify fraud. The purpose of an audit is to obtain reasonable
\nassurance that the financial statements are free from material
\nmisstatement, whether due to fraud or error.<\/p>\n
Importantly, auditors must also consider whether the financial
\nstatements, taken as a whole, could present a fraudulent
\nmisrepresentation; that is, whether the overall portrayal of the
\ncompany’s performance or position is misleading, even if no
\nsingle line item is materially misstated.<\/p>\n
Reasonable assurance<\/p>\n
When supporting companies through investigations under audit
\nscrutiny, we often get questions like: “Is it reasonable for
\nthe auditor to ask for this information?” or “How much
\nmore testing do they need to do to get comfortable?” The
\nanswer depends on the circumstances but is always tied to the fact
\nthat reasonableness is a subjective measure determined by the
\nauditor.<\/p>\n
Auditing standards define reasonable assurance as high, but not
\nabsolute assurance that the financial statements as a whole are
\nfree from material misstatement.1\u00a0In practice, this
\nmeans that audits are designed to reduce the overall audit risk
\n\u2014 i.e. risk the audit fails to detect material misstatements
\n\u2014 to an acceptably low level based on the auditor’s own
\nrisk tolerance, but not to eliminate it entirely. There are
\ninherent limitations in an audit, such as the auditor’s use of
\njudgement, sampling techniques or the concealment of fraud, which
\nmean it is not possible to mitigate audit risk to zero, hence the
\nassurance being reasonable and not absolute.<\/p>\n
Situations in which the auditor is concerned about fraud,
\nmanagement integrity, or both, one can expect the bar for what is
\nreasonable to be significantly elevated.<\/p>\n
Materiality<\/p>\n
Materiality is another subjective measure. It is a financial
\nreporting concept that considers an assertion or omission to be
\nmaterial if it can be reasonably expected to influence the economic
\ndecisions of the users of the financial statements. When planning
\nand performing the audit, and when considering whether a
\nmisstatement is material, the International Standards on Auditing
\n(ISA) 320 defers to the professional judgement of the auditor who
\nshould consider how users of the financial statements would rely on
\nthe information.2<\/p>\n
There are scenarios in which the nature and scale of fraudulent
\nactivity would not meet the definition of “material” in
\nthis context. Even if financially significant to a particular
\nbusiness unit, the auditor might consider the control environment,
\nlikelihood of the risk being pervasive, and rule that so long as
\nthe financial impacts have been rectified in the books and records,
\nthat it is not material to the overall organisation’s financial
\nreporting. An example of this might be a conflict of interest that
\ntranspires into an isolated procurement fraud with a particular
\nindividual.<\/p>\n
However, it is important to note that materiality is also
\nqualitative in nature. If audit procedures identify fraud concerns
\nin which there is suspected involvement from management; even if
\nthe value is financially immaterial at a global level; it is likely
\nthe auditor will have additional questions, want to perform
\nadditional procedures, or even trigger an investigation. This is
\nbecause the auditor relies on various assertions by management,
\nboth implicit and explicit, in the preparation and presentation of
\nthe financial statements. If reliability in management is called
\ninto question, there are significant impacts to how the auditor
\napproaches the remainder of the audit.<\/p>\n
How Does the Audit Address Fraud Risk?<\/p>\n
This is a perennial challenge and consistent expectation gap
\nbetween the public and the audit profession. It is important to
\nrecognise the limitations of a statutory audit in this regard.
\nFraud involving collusion, sophisticated concealments, or
\nmanagement override can be difficult to detect.<\/p>\n
ISA 240,”The Auditor’s Responsibilities Relating to
\nFraud in an Audit of Financial Statements,” requires auditors
\nto design and perform procedures to identify and assess the risk of
\nmaterial misstatement due to fraud. This includes assessing
\nrelevant control frameworks and whether the auditor can rely on
\nthose controls in designing their audit testing.3<\/p>\n
As discussed above, the auditor manages the risk that they fail
\nto identify misstatement\u00a0\u2014 whether due to fraud or error
\n\u2014 referred to as “audit risk,” through a simple
\nequation. The interplay of the equation components is important to
\nunderstanding how fraud risk impacts the overall audit.<\/p>\n
![\"1746952a.jpg\"\/](\"https:\/\/www.newsbeep.com\/us\/wp-content\/uploads\/2026\/02\/1746952a.jpg\")
<\/p>\n
The only factor within the audit risk equation that is in the
\nauditor’s control is their detection risk. The discovery of
\nfraud or material weaknesses\/gaps in fraud controls or issues with
\nmanagement integrity during routine audit procedures will cause the
\nrisk of material misstatement to increase. To account for this, the
\nauditor will enhance their testing to bring detection risk lower
\nand reduce overall audit risk to an acceptable level based on what
\nthey will determine to be reasonable under the reasonable assurance
\ndefinition discussed above.\u00a0<\/p>\n
Notably, these enhanced procedures can include requesting that
\nthe company commission an investigation and conducting their own
\n“shadow” investigation.<\/p>\n
How Investigations Impact the Audit Process<\/p>\n
When potential misconduct or irregularities surface during the
\naudit, the auditor’s work in that area typically pauses until
\nthe matter is investigated and the facts are established. In such
\ncircumstances, the auditor will often request that management
\ncommission an investigation \u2014 either internally or with
\nexternal legal and forensic support \u2014 to determine the
\nnature, extent, and financial reporting impact of the issue.<\/p>\n
Shadow Investigations<\/p>\n
At the same time, auditors will frequently conduct their own
\nparallel review, often referred to as a shadow investigation, using
\ntheir internal forensic specialists. The purpose of this shadow
\ninvestigation is not to replicate the company’s inquiry, but to
\nevaluate its independence, scope, methodology, and evidential
\nquality, ensuring the findings can be relied upon as audit
\nevidence. Auditors must be satisfied that the investigation was
\nconducted objectively and that its conclusions are consistent with
\nthe financial statements.<\/p>\n
Extended Audit Timetable<\/p>\n
While the investigation is underway, the auditor’s testing
\nin the affected areas is generally suspended. Once the
\ninvestigation concludes or reaches a stage where its findings are
\nsufficiently clear, the auditor will resume testing, typically
\nperforming expanded audit procedures to obtain additional assurance
\nand bring the overall audit risk back to an acceptable level. This
\nmay include reperforming certain tests, corroborating findings with
\nindependent evidence, or extending the scope of substantive
\nprocedures.<\/p>\n
These dynamics almost invariably extend the audit timetable. The
\nadditional investigative steps, verification procedures, and
\ninternal consultations required to reach a supportable opinion can
\nsignificantly delay the issuance of the audit report. This often
\nbecomes a point of tension between management, the board, and the
\nauditors, particularly where reporting deadlines, market
\nexpectations, or regulatory filing obligations are approaching.<\/p>\n
How Outcomes from Investigations Impact the Audit Opinion<\/p>\n
Once the investigation concludes and additional procedures were
\nperformed, the auditor determines how the findings affect the audit
\nopinion. The impact depends on the severity, pervasiveness, and
\nevidential support of the findings:<\/p>\n
\nUnmodified Opinion With Emphasis of Matter: The issue is
\nresolved but significant enough to warrant highlighting to users of
\nthe financial statements.
\n
\nQualified Opinion: Misstatement or limitation of scope exists
\nbut is confined to specific elements or areas.
\n
\nAdverse Opinion: Misstatements are material and pervasive,
\nmeaning the financial statements, as a whole, are misleading.
\n
\nDisclaimer of Opinion: The auditor is unable to obtain
\nsufficient evidence to form an opinion; this is typically where
\nmanagement restricts access or investigations remain
\nincomplete.
<\/p>\n
A more extreme outcome is auditor resignation, typically when
\nthe auditor no longer has confidence in management integrity or
\naccess to information. Such events are rare but carry significant
\nreputational and regulatory consequences.<\/p>\n
Even where the final opinion is not modified, investigation
\noutcomes may drive new management letter points, control
\nrecommendations, or required disclosures under ISA 265:
\n“Communicating Deficiencies in Internal Control.”<\/p>\n
Navigating the Risks<\/p>\n
Where audits and investigations run concurrently, the stakes are
\nhigh. Modified opinions, delayed filings, and auditor resignations
\ncarry immediate market, financing, and reputational consequences.
\nAudit disclosures can also draw regulatory attention to potential
\nFTPF or broader ECCTA exposure, even in the absence of
\nself-reporting, and may act as a catalyst for follow-on litigation
\nor shareholder action.<\/p>\n
Despite commonly feeling held hostage by the audit process,
\nthere are ways for the board and management to regain control.
\nAuditors are required to communicate significant findings from the
\naudit, including throughout the audit process and before the audit
\nreport is issued. This provides an opportunity for the board to
\ncommission its own review of concerning conduct and enable them to
\ninteract with the auditors from a place of confidence and
\nunderstanding of the issues. It also provides the board a headstart
\nin remediating control issues that create ECCTA\/FTPF risks before
\nthe audit report makes those issues public to prosecuting
\nauthorities.<\/p>\n
In this environment, boards and audit committees benefit from
\nexperienced, independent support that understands both the audit
\nprocess and investigative expectations. Ankura’s forensic
\naccounting and investigations specialists regularly assist
\norganisations and their advisers in responding to audit-driven
\nfraud concerns, conducting defensible investigations under intense
\nscrutiny, and managing the interaction between auditors,
\nregulators, and other stakeholders. Our experience advising
\ncorporates, audit firms, and audit regulators allows us to
\nanticipate how audit and investigation findings will be tested,
\nchallenged, and ultimately reflected in the audit opinion \u2014
\nhelping clients maintain control of the process at moments when it
\nmatters most.<\/p>\n
Footnotes<\/p>\n
1.\u00a0https:\/\/www.frc.org.uk\/library\/standards-codes-policy\/audit-assurance-and-ethics\/auditors-responsibilities-for-the-audit\/<\/a><\/p>\n 2.\u00a0https:\/\/www.frc.org.uk\/library\/standards-codes-policy\/audit-assurance-and-ethics\/auditing-standards\/isa-uk-320\/<\/a><\/p>\n