Fraud Risk, the Failure to Prevent Fraud and the Consequences of What Auditors Find
Recent enforcement signals from UK regulators have made one thing clear: fraud risk, and how organisations identify, assess, and respond to it, is firmly back in the spotlight. Public statements from the Serious Fraud Office (SFO) throughout 2025 confirm that the Economic Crime and Corporate Transparency Act (ECCTA) and the new Failure to Prevent Fraud (FTPF) offence are active enforcement priorities. Prosecutors are increasingly focused on whether companies can demonstrate they have taken reasonable steps to understand and mitigate fraud risk, including across complex third-party relationships.
Against that backdrop, statutory audits are emerging as a critical and often underestimated pressure point. Auditors are required to assess fraud risk and internal controls as part of their audit opinion. Where issues are identified, the audit process can quickly escalate into deeper scrutiny, formal investigations, and disclosures that may attract the attention of regulators, lenders, and litigants alike.
This two-part series explores the growing intersection between statutory audit, fraud risk, and ECCTA/FTPF exposure. Part one examined how audit findings and auditor reporting can create visibility and risk under the FTPF, often before misconduct is fully understood. If you missed this article, you can access it here. Part two looks through the auditor’s lens, explaining how fraud risk is evaluated in practice, why audit-triggered investigations arise, and how their outcomes can materially affect audit opinions, timelines, and regulatory exposure.
Part 2: Fraud Risk and FTPF Through the Auditor’s Lens
When fraud risk surfaces during a statutory audit, the consequences are rarely confined to a single audit procedure or reporting period. Auditor concerns about fraud, management integrity, or control effectiveness directly shape the scope, depth, and duration of the audit, and can trigger formal investigations, the outcomes of which determine not only the audit opinion but also the company’s broader regulatory and litigation risk. Understanding how auditors evaluate fraud risk in practice, and why “reasonable assurance” can expand rapidly in high-risk situations, is critical for boards and management navigating audit scrutiny.
The Basics
Contrary to popular belief, the purpose of an audit is not to identify fraud. The purpose of an audit is to obtain reasonable assurance that the financial statements are free from material misstatement, whether due to fraud or error.
Importantly, auditors must also consider whether the financial statements, taken as a whole, could present a fraudulent misrepresentation; that is, whether the overall portrayal of the company’s performance or position is misleading, even if no single line item is materially misstated.
Reasonable assurance
When supporting companies through investigations under audit scrutiny, we often get questions like: “Is it reasonable for the auditor to ask for this information?” or “How much more testing do they need to do to get comfortable?” The answer depends on the circumstances but is always tied to the fact that reasonableness is a subjective measure determined by the auditor.
Auditing standards define reasonable assurance as high, but not absolute, assurance that the financial statements as a whole are free from material misstatement.[1] In practice, this means that audits are designed to reduce the overall audit risk (i.e. the risk that the audit fails to detect material misstatements) to an acceptably low level based on the auditor’s own risk tolerance, but not to eliminate it entirely. There are inherent limitations in an audit, such as the auditor’s use of judgement, sampling techniques or the concealment of fraud, which mean it is not possible to mitigate audit risk to zero, hence the assurance being reasonable and not absolute.
In situations in which the auditor is concerned about fraud, management integrity, or both, one can expect the bar for what is reasonable to be significantly elevated.
Materiality
Materiality is another subjective measure. It is a financial reporting concept that considers an assertion or omission to be material if it can be reasonably expected to influence the economic decisions of the users of the financial statements. When planning and performing the audit, and when considering whether a misstatement is material, the International Standards on Auditing (ISA) 320 defers to the professional judgement of the auditor who should consider how users of the financial statements would rely on the information.[2]
There are scenarios in which the nature and scale of fraudulent activity would not meet the definition of “material” in this context. Even if the fraud is financially significant to a particular business unit, the auditor might consider the control environment and the likelihood of the risk being pervasive, and conclude that, so long as the financial impacts have been rectified in the books and records, it is not material to the overall organisation’s financial reporting. An example of this might be a conflict of interest that develops into an isolated procurement fraud with a particular individual.
However, it is important to note that materiality is also qualitative in nature. If audit procedures identify fraud concerns in which there is suspected involvement from management, even if the value is financially immaterial at a global level, it is likely the auditor will have additional questions, want to perform additional procedures, or even trigger an investigation. This is because the auditor relies on various assertions by management, both implicit and explicit, in the preparation and presentation of the financial statements. If the reliability of management is called into question, there are significant impacts on how the auditor approaches the remainder of the audit.
How Does the Audit Address Fraud Risk?
This is a perennial challenge and consistent expectation gap between the public and the audit profession. It is important to recognise the limitations of a statutory audit in this regard. Fraud involving collusion, sophisticated concealments, or management override can be difficult to detect.
ISA 240, “The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements,” requires auditors to design and perform procedures to identify and assess the risk of material misstatement due to fraud. This includes assessing relevant control frameworks and whether the auditor can rely on those controls in designing their audit testing.[3]
As discussed above, the auditor manages the risk that they fail to identify misstatement — whether due to fraud or error — referred to as “audit risk,” through a simple equation. The interplay of the equation components is important to understanding how fraud risk impacts the overall audit.

The only factor within the audit risk equation that is in the auditor’s control is their detection risk. The discovery of fraud or material weaknesses/gaps in fraud controls or issues with management integrity during routine audit procedures will cause the risk of material misstatement to increase. To account for this, the auditor will enhance their testing to bring detection risk lower and reduce overall audit risk to an acceptable level based on what they will determine to be reasonable under the reasonable assurance definition discussed above.
Notably, these enhanced procedures can include requesting that the company commission an investigation and conducting their own “shadow” investigation.
How Investigations Impact the Audit Process
When potential misconduct or irregularities surface during the audit, the auditor’s work in that area typically pauses until the matter is investigated and the facts are established. In such circumstances, the auditor will often request that management commission an investigation — either internally or with external legal and forensic support — to determine the nature, extent, and financial reporting impact of the issue.
Shadow Investigations
At the same time, auditors will frequently conduct their own parallel review, often referred to as a shadow investigation, using their internal forensic specialists. The purpose of this shadow investigation is not to replicate the company’s inquiry, but to evaluate its independence, scope, methodology, and evidential quality, ensuring the findings can be relied upon as audit evidence. Auditors must be satisfied that the investigation was conducted objectively and that its conclusions are consistent with the financial statements.
Extended Audit Timetable
While the investigation is underway, the auditor’s testing in the affected areas is generally suspended. Once the investigation concludes or reaches a stage where its findings are sufficiently clear, the auditor will resume testing, typically performing expanded audit procedures to obtain additional assurance and bring the overall audit risk back to an acceptable level. This may include reperforming certain tests, corroborating findings with independent evidence, or extending the scope of substantive procedures.
These dynamics almost invariably extend the audit timetable. The additional investigative steps, verification procedures, and internal consultations required to reach a supportable opinion can significantly delay the issuance of the audit report. This often becomes a point of tension between management, the board, and the auditors, particularly where reporting deadlines, market expectations, or regulatory filing obligations are approaching.
How Outcomes from Investigations Impact the Audit Opinion
Once the investigation concludes and additional procedures have been performed, the auditor determines how the findings affect the audit opinion. The impact depends on the severity, pervasiveness, and evidential support of the findings:
- Unmodified Opinion With Emphasis of Matter: The issue is resolved but significant enough to warrant highlighting to users of the financial statements.
- Qualified Opinion: Misstatement or limitation of scope exists but is confined to specific elements or areas.
- Adverse Opinion: Misstatements are material and pervasive, meaning the financial statements, as a whole, are misleading.
- Disclaimer of Opinion: The auditor is unable to obtain sufficient evidence to form an opinion; this is typically where management restricts access or investigations remain incomplete.
A more extreme outcome is auditor resignation, typically when the auditor no longer has confidence in management integrity or access to information. Such events are rare but carry significant reputational and regulatory consequences.
Even where the final opinion is not modified, investigation outcomes may drive new management letter points, control recommendations, or required disclosures under ISA 265: “Communicating Deficiencies in Internal Control.”
Navigating the Risks
Where audits and investigations run concurrently, the stakes are high. Modified opinions, delayed filings, and auditor resignations carry immediate market, financing, and reputational consequences. Audit disclosures can also draw regulatory attention to potential FTPF or broader ECCTA exposure, even in the absence of self-reporting, and may act as a catalyst for follow-on litigation or shareholder action.
Although boards and management commonly feel held hostage by the audit process, there are ways for them to regain control. Auditors are required to communicate significant findings from the audit, including throughout the audit process and before the audit report is issued. This provides an opportunity for the board to commission its own review of concerning conduct, enabling it to interact with the auditors from a place of confidence and understanding of the issues. It also gives the board a head start in remediating control issues that create ECCTA/FTPF risks before the audit report makes those issues public to prosecuting authorities.
In this environment, boards and audit committees benefit from experienced, independent support that understands both the audit process and investigative expectations. Ankura’s forensic accounting and investigations specialists regularly assist organisations and their advisers in responding to audit-driven fraud concerns, conducting defensible investigations under intense scrutiny, and managing the interaction between auditors, regulators, and other stakeholders. Our experience advising corporates, audit firms, and audit regulators allows us to anticipate how audit and investigation findings will be tested, challenged, and ultimately reflected in the audit opinion — helping clients maintain control of the process at moments when it matters most.
[1] https://www.frc.org.uk/library/standards-codes-policy/audit-assurance-and-ethics/auditors-responsibilities-for-the-audit/
[2] https://www.frc.org.uk/library/standards-codes-policy/audit-assurance-and-ethics/auditing-standards/isa-uk-320/
[3] https://media.frc.org.uk/documents/ISA_UK_240_Revised_May_2021_Updated_September_2025.pdf
© Copyright 2026. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
