Fraud Risk, the Failure to Prevent Fraud and the Consequences of What Auditors Find
Recent enforcement signals from UK regulators have made one thing clear: fraud risk, and how organisations identify, assess and respond to it, is firmly back in the spotlight. Public statements from the Serious Fraud Office throughout 2025 confirm that the Economic Crime and Corporate Transparency Act (ECCTA) and the new Failure to Prevent Fraud (FTPF) offence are active enforcement priorities. Prosecutors are increasingly focused on whether companies can demonstrate they have taken reasonable steps to understand and mitigate fraud risk, including across complex third-party relationships.
Against that backdrop, statutory audits are emerging as a critical and often underestimated pressure point. Auditors are required to assess fraud risk and internal controls as part of their audit opinion. Where issues are identified, the audit process can quickly escalate into deeper scrutiny, formal investigations, and disclosures that may attract the attention of regulators, lenders, and litigants alike.
This two-part series explores the growing intersection between statutory audit, fraud risk, and ECCTA/FTPF exposure. Part one examines how audit findings and auditor reporting can create visibility and risk under the FTPF, often before misconduct is fully understood. Part two looks through the auditor’s lens, explaining how fraud risk is evaluated in practice, why audit-triggered investigations arise, and how their outcomes can materially affect audit opinions, timelines, and regulatory exposure.
Part 1: How Statutory Audits Can Surface ECCTA and FTPF Risk Before Regulators Do
The 2026 audit cycle stands to present interesting developments for UK companies, creating exposure to risks under ECCTA and the new FTPF offence. Small to mid-cap companies, which have grown into the scope of the FTPF without having historically invested in sufficient governance and fraud risk management, are particularly exposed to the risk that their auditor surfaces FTPF issues. Routine audit procedures can expand into enhanced testing, formal reviews, or investigations that generate audit evidence and public disclosures with regulatory consequences.
Why?
Auditors assess fraud risk and the sufficiency of internal controls within the audit as described in the International Standard on Auditing (ISA) 240: “The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements.” The standard obliges auditors to design and perform procedures to identify and assess the risk of material misstatement due to fraud.[1] This includes assessing relevant control frameworks and whether the auditor can rely on those controls in designing their audit testing. This would naturally include controls relevant to the FTPF.
Auditors are also obliged to consider the appropriateness of reporting fraud concerns under the same ISA and to consider compliance with laws and regulations under ISA 250A: “Consideration of Laws and Regulations in an Audit of Financial Statements.”[2] It would follow that if the audit uncovers fraud, or indeed a company’s failure to prevent fraud, the auditor would need to consider compliance with ECCTA and the FTPF. In addition to the ISA, the Institute of Chartered Accountants in England and Wales (ICAEW) Code of Ethics explicitly discusses Non-Compliance with Laws and Regulations (NOCLAR), which covers a range of offences from fraud, corruption, and money laundering through to environmental protection and public health.[3] ICAEW expectations of auditors are specifically called out, requiring the auditor to consider management’s response and whether it is appropriate and sufficient in order to determine whether there are reporting obligations and to which agency the conduct should be reported.
For an auditor to reach an opinion within this context, it is likely that they will require management to have conducted a formal review or, potentially, an investigation. Crucially, the findings of the review/investigation may trigger the auditor to disclose the conduct. Even if the auditor does not report the conduct, any material outcomes of the investigations may be referred to, even if indirectly, within the auditor’s report. The auditor’s report is a publicly available document that could still trigger enquiries by the Serious Fraud Office (SFO), Financial Conduct Authority, and other agencies seeking to enforce ECCTA and the FTPF, even where the auditor does not disclose the conduct.
How Might ECCTA/FTPF Risk Be Exposed Within the External Audit Report?
In reviewing audit reports for corporates where fraud has occurred — or cannot be ruled out — it is notable that auditors rarely use the word “fraud” in how they describe the issues they have identified. The report will, however, leave a clear footprint, sometimes in the year preceding the fraud being made public. Below are the common signals within financial statements and audit reports that indicate that underlying issues could be fraud related, or that fraud controls may not be sufficiently evolved to prevent a fraud in the future. Interpreting these signals is important for boards, management, and their legal advisors to stay ahead of regulators who could see the auditor’s report as a roadmap for enforcement under the FTPF.
1. Restatements Explicitly Attributed to Error or Misconduct
One of the clearest indicators that fraud or serious misstatement has occurred is a prior-period restatement, particularly where the restatement is attributed to error rather than a change in accounting policy. Where misconduct is involved, the notes to the accounts often refer to “irregularities,” “inappropriate recognition,” or “intentional misapplication of accounting standards,” sometimes alongside references to internal investigations.
Auditor reports accompanying restated accounts may include emphasis of matter (EOM) paragraphs drawing attention to the restatement and the underlying circumstances. In some cases, the auditor will also describe expanded audit procedures performed in response to identified risks, signalling that trust in management representations has been impaired.
2. Qualifications and Scope Limitations Linked to Information Access
Where fraud is suspected but cannot be conclusively proven, this often manifests as a qualified audit opinion or a qualification relating to a scope limitation. Typical language includes the auditor being “unable to obtain sufficient appropriate audit evidence” in respect of specific balances or transactions.
This scenario commonly arises where records are incomplete, management explanations are inconsistent, or third-party confirmations cannot be obtained. While the auditor will not allege fraud, the inability to rule out material misstatement, whether due to error or fraud, is made explicit through the modified opinion.
3. Material Weaknesses Arising From Management Override or Control Failures
Fraud that has been identified internally frequently results in disclosures around material weaknesses in internal control, particularly involving management override, journal entry controls, or segregation of duties. These disclosures may appear in the governance or risk sections of the annual report, with the auditor cross-referencing them in their report.
Auditors may explicitly state that control deficiencies “created a reasonable possibility that a material misstatement could occur and not be prevented or detected.” While carefully worded, this language indicates that the environment in which fraud occurred — or could still occur — has not yet been fully remediated.
4. KAMs Describing Identified Irregularities
Although key audit matters (KAMs) are not designed to disclose wrongdoing, they may reference identified misstatements, “non-standard adjustments,” or transactions that required forensic-style testing. Where fraud has been identified, KAMs often describe extensive substantive procedures, the use of specialists, or testing beyond normal audit scope.
Phrases such as “due to identified control failures,” “following the discovery of inappropriate accounting,” or “as a result of matters identified during the year” are strong indicators that the auditor uncovered issues rather than merely theoretical risks.
5. Going Concern Disclosures Linked to Misconduct or Investigations
Where fraud has occurred, especially involving revenue inflation or asset misstatement, it can quickly evolve into a going concern issue. Auditor reports may include material uncertainty related to going concern, cross-referencing disclosures about investigations, covenant breaches, or financing withdrawals triggered by the misconduct.
Even where no material uncertainty conclusion is reached, the financial statements may disclose dependence on waivers, renegotiations, or equity injections following the identification of misstatements, an indirect but strong indicator that fraud may have caused the uncertain financial outlook.
6. References to Investigations, Regulatory Engagement or Whistleblowing
Audited financial statements sometimes disclose ongoing or completed internal investigations, whistleblower complaints, or regulatory enquiries. Where fraud has been substantiated, disclosures may include provisions for fines, legal costs, or remediation programmes.
Auditors typically reference these disclosures through EOM paragraphs or within KAMs, highlighting the uncertainty around outcomes and the potential for further financial impact.
7. Auditor Resignation or Report Re-Issuance
Finally, where fraud is identified late or cooperation breaks down, the most severe signal may be an auditor resignation or the withdrawal and re-issuance of an audit report. While rare, these events are often accompanied by public statements referring to concerns over management integrity or information reliability.
Staying 1 Step Ahead
Fraud risk and internal controls have long been a feature of statutory audits. What has changed is the enforcement context in which audit findings now sit. Recent Financial Conduct Authority (FCA) action against audit firms for failures to respond appropriately to fraud identified during audits, alongside ongoing Financial Reporting Council (FRC) enforcement relating to corporate collapses, has materially raised the bar for auditors. In response, auditors are increasingly cautious, more intrusive, and quicker to escalate concerns.
ECCTA and the FTPF will only intensify this dynamic. Audit-triggered enquiries ranging from enhanced procedures to formal investigations are becoming more common, particularly where there are questions around management integrity, third-party risk, or the maturity of fraud controls. For boards, audit committees, and their legal advisers, the auditor’s report is no longer just an accounting output; it can be a visible signal to regulators and other stakeholders that fraud risk has not been adequately addressed.
Ankura regularly supports boards, audit committees, and management teams in navigating fraud-related auditor enquiries, audit-triggered investigations, and the interaction between audit findings and regulatory exposure. We also advise audit firms facing audit quality reviews and conduct inspections on behalf of audit regulators, giving us a detailed understanding of how fraud risk is assessed and challenged in practice. In part two of this series, we draw on that experience to explain how auditors approach fraud risk, why investigations are triggered, and what organisations should expect once an audit moves into escalation mode.
© Copyright 2026. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
[1] https://media.frc.org.uk/documents/ISA_UK_240_Revised_May_2021_Updated_September_2025.pdf
[2] https://media.frc.org.uk/documents/ISA_UK_250A_Revised_November_2019_Updated_September_2025.pdf
[3] https://www.icaew.com/technical/trust-and-ethics/ethics/code-of-ethics/guidance-on-noclar
