Rising risks of fraud and financial misstatement: key changes for boards and legal teams

March 13, 2025

Reporting fraud and the misstatement of financial accounts – these are not events that audit committees, general counsels or boards go looking for, but they happen. Recent developments are raising the stakes, and consequences are becoming more severe.  

Key changes include the way that individual employees, businesses and other “associated persons” can be held responsible for fraud (including accounting and reporting fraud) under a new regime introduced by the UK’s 2023 Economic Crime and Corporate Transparency Act (ECCTA). At the same time, in the wake of several significant financial fraud cases and corporate collapses, external auditors are tightening their approach to identifying and responding to reporting fraud. Both factors are likely to make the work of boards, committees and general counsels more difficult, as we outline below.

Failure to prevent fraud offence: extraterritorial reach

Under the ECCTA Failure to Prevent Fraud (FTPF) offence, an organization can be held criminally liable if (i) an employee, agent, subsidiary, or other associated person who provides services on behalf of the organization commits fraud with the intent to benefit the organization or its clients, and (ii) the organization failed to implement reasonable fraud prevention procedures. The offence is strict liability, meaning the prosecution does not need to prove that the person had any criminal intent or acted recklessly, only that the offence occurred.

The offence extends to cover large incorporated bodies and partnerships formed in the UK and those formed outside of the UK where a UK nexus is present, such as where an overseas-based organisation commits fraud in the UK or targets victims in the UK.

Reporting and accounting are among the underlying fraud offences

The underlying fraud offences notably include false accounting, false statements by company directors and fraud by failing to disclose information. This creates additional risk for management and the company if reporting fraud or misstatement arises, as it will put a spotlight on the company’s procedures and controls for preventing fraud and error.

Boards, general counsels and audit committees therefore need to be able to show that reasonable procedures have been designed and implemented, and that resources have been allocated and used to meet identified risks. Those risks ought to include higher-risk accounting and reporting elements of the business, e.g., joint ventures, unique business units, M&A acquisitions, accounting processes requiring management judgement, external financial reporting outside of statutory reporting.  

They should also include factors such as reporting issues raised in internal audit/assurance processes, remediation and testing steps, and control weaknesses notified by external audit review. This third-party element creates additional risk for companies as they cannot control the external auditor’s opinion and reporting.

Proposed changes to fraud auditing standards and why they matter

The International Auditing and Assurance Standards Board (IAASB) is shortly to publish revisions to the fraud auditing standard, the International Standard on Auditing or ISA 240, to clarify and enhance the role of the auditors and bring about change in auditor behaviour.  

IAASB is proposing seven key changes to the audit standard, including reinforcement of the exercise of professional scepticism and enhancements to the risk identification and assessment process. As part of the enhancements, IAASB seems intent on introducing a requirement for auditors to understand a company’s whistleblowing or other fraud reporting programs as part of the company’s internal control environment – regardless of whether fraud is present or suspected. This will include understanding how management addresses allegations made through these programs and the review of whistleblower program files.  

This requirement could lead to auditors assessing and reporting deficiencies in a company’s whistleblowing and remediation processes. The auditors’ opinion on what makes an effective program may differ from management’s. The revised standard is also expected to clarify that a lack of a process to investigate or remediate fraud or suspected fraud may be regarded by the auditor as an indicator of a significant internal control deficiency, depending on the circumstances.  

If auditors identify fraud or suspected fraud in their audits, there will be a new requirement for the auditors to obtain an understanding of the matter. Another key change will be requiring the engagement partner to determine whether there is a need for additional risk assessment or audit procedures.  

How should companies act on reporting risk today?  

While the ECCTA and audit standards unfold, companies can proactively strengthen their fraud risk management processes to stay ahead of evolving regulatory expectations and enforcement trends.

In the coming years, auditors will intensify scrutiny over fraud-related matters, driven by regulatory changes and heightened scepticism, making it standard to request more evidence of fraud prevention, investigations, and remediation. Companies must be ready to engage with auditors and audit committees while balancing transparency and legal privilege. Management representations will also face greater scepticism, with auditors rigorously challenging assumptions. To stay ahead, companies should ensure fraud risk management measures are well-documented and defensible.  

Additionally, the audit trail is increasingly significant. The documentation of investigations, remediation efforts, and audit committee presentations (both internal and from external auditors) memorialises issues that may later require examination in the event of an FTPF case. Careful documentation and management of risk and privilege are needed to avoid inadvertently strengthening a case against the company.

In summary, to mitigate these risks, companies should:

  • “Tidy the table” to ensure that fraud and reporting control weaknesses identified have been effectively remediated.
  • Integrate “outbound” fraud risk considerations into risk assessments, accounting policies, and internal controls.
  • Allocate sufficient resources to controls which mitigate risk, accounting and reporting teams and systems, and whistleblower management and remediation.
  • Stress-test higher-risk areas of accounting and external reporting to identify vulnerabilities and enhance fraud detection mechanisms.
  • Ensure that fraud prevention measures are well-documented and regularly updated to reflect evolving risks and regulatory expectations.

By taking these proactive steps, companies can reduce their exposure to fraud-related enforcement actions, strengthen their defence against regulatory scrutiny, and reinforce their commitment to financial integrity.

To learn more about mitigating fraud and misstatement risk arising from accounting judgments, watch our on-demand webinar here.