Patisserie Valerie: What Went Wrong in a Small Company Audit

The fraud and its scale

Patisserie Holdings Plc, the AIM-listed holding company for the Patisserie Valerie café chain, announced in October 2018 that its board had been notified of potentially fraudulent accounting irregularities. At the time, the company operated approximately 200 stores with annual sales of around £100 million. Within four months of the announcement, it entered administration. Seventy stores closed. More than 900 jobs were lost.

In September 2023, the Serious Fraud Office charged four individuals, including former CFO Chris Marsh and the financial controller. Charges covered conspiring to inflate cash in balance sheets from 2015 to 2018. Fake invoices and falsified bank statements had been created to conceal hidden debts.

The forensic accountants hired after the discovery found that the business had overstated its financial position by £94 million. Cash was overstated by £54 million. Tangible and intangible assets were overstated by £23 million. Prepayments and debtors were overstated by £7 million. Creditors were understated by £10 million. The reported cash position of £28 million was in reality a net debt position of approximately £9.8 million, once hidden overdrafts were included.

Grant Thornton had been Patisserie Valerie’s statutory auditor for over ten years. The firm signed unqualified opinions for every year from 2007 through the 2017 financial year. The FRC opened its investigation in November 2018. In September 2021, the FRC issued its Final Decision Notice.

Where Grant Thornton’s audit failed

The FRC’s Final Decision Notice is unusually specific. It identifies failures across four audit areas. These failures were repeated in each of the three years under investigation and across several legal entities in the group. The FRC stated that these were not isolated shortcomings. The failures concerned matters fundamental to the proper conduct of an audit.

Revenue: the single payment nobody questioned

In the 2016 audit, Patisserie Valerie’s figures showed that a single voucher payment from a third-party company (referred to as “Company A” in the FRC report) received on 28 September 2016 represented 73% of the entire group’s annual revenue from that source. This was 11 times the average monthly receipts in preceding months. ISA 240.32 requires the auditor to evaluate whether the business rationale of significant unusual transactions suggests fraudulent financial reporting.

The audit team did not investigate it. No inquiry was made into why almost three-quarters of annual voucher revenue arrived in a single transaction on the penultimate day of the financial year. ISA 330.18 requires the auditor to perform audit procedures responsive to assessed risks. When a transaction of this nature appears in the data, the assessed risk of misstatement should increase. The response should include testing the transaction to independent source documents and making inquiries of management about its nature and timing.

Revenue testing across all three years also suffered from a related problem. The audit team tested revenue by agreeing transactions to invoices and bank receipts. But those invoices and bank receipts were the fabricated documents the fraudsters had created. ISA 505.7 requires the auditor to consider whether external confirmations are necessary. For a retail business reporting that the majority of its voucher revenue came from a single counterparty, confirming that revenue directly with the counterparty (rather than relying on documentation provided by management) was the obvious procedure. The team did not perform it.

Cash: missing overdrafts and a misread bank letter

The audit of cash was where the failures were most visible. Patisserie Valerie had two unauthorised and unreported overdrafts worth almost £10 million. These appeared in bank accounts that the audit team either did not identify or did not confirm.

ISA 500.6 requires the auditor to obtain sufficient appropriate audit evidence. For cash, this starts with bank confirmations sent directly from the bank to the auditor. The FRC found that Grant Thornton’s bank confirmation procedures were deficient. In one instance, a bank letter stating that Patisserie Valerie had a £4 million overdraft facility was misread as meaning the account was £4 million overdrawn. The distinction between a facility and an actual balance is elementary, and the misreading had consequences: it masked the true nature of the company’s banking arrangements.

ISA 505.7 and ISA 505.10 require the auditor to design the confirmation request, send it directly to the responding party (not through the client), and evaluate the response. If the client handles any part of the process, the evidence is unreliable. The FRC report suggests the audit team’s procedures for cash confirmation did not meet ISA 505’s requirements.

Hidden bank accounts and unreported overdrafts are detectable if the auditor requests confirmations for all accounts held by the entity, not only the accounts management discloses. ISA 505.A7 notes that the auditor may need to identify all bank accounts by requesting a confirmation of all accounts held with a financial institution, including those that may have been closed during the period. Grant Thornton’s team did not do this.

Journals: the entries nobody understood

The FRC identified severe failures in the testing of journal entries. ISA 240.32(a) specifically requires the auditor to test the appropriateness of journal entries recorded in the general ledger and other adjustments made in preparing the financial statements. This is a mandatory procedure under ISA 240, not optional. The standard exists because management override of controls most commonly occurs through journal entries.

At Patisserie Valerie, thousands of false entries had been recorded in the accounts. The FRC found that Grant Thornton’s journal entry testing was compromised by errors that went unexplained. The audit team selected journal entries for testing but did not adequately follow through on inconsistencies they encountered.

Richard Murphy, a chartered accountant who reviewed the FRC report in detail, observed that journal entries are frequently misunderstood by audit staff who have never prepared a set of accounts. For a retail café chain, large manual journal entries adjusting revenue or cash near year-end should raise questions. At Patisserie Valerie, they did not.

Fixed assets: a smaller but persistent failure

The FRC found that Grant Thornton misstated fixed asset balances across the accounts, including property and motor vehicles. Approximately £2 million of fixed asset additions was wrongly categorised in the relevant years. This failure was smaller in magnitude than the revenue and cash issues, but the FRC included it because it demonstrated a pattern: the audit team was not verifying the basic assertions (existence, accuracy, classification) required by ISA 315.A190 for fixed assets. When an audit team fails to catch a £2 million misclassification in fixed assets while simultaneously missing a £54 million cash overstatement, the problem is systemic, not isolated.

Why the FRC sanctioned regardless of fraud

The FRC’s Final Decision Notice makes an important point that is easy to miss. The Notice states explicitly that it is not a finding of fraud and does not depend on any finding of fraud. The audit failings would still deserve sanction whether or not a fraud had been committed at Patisserie Holdings.

This matters for your practice. The FRC is saying that even if Grant Thornton had been given misleading information, the quality of the audit work itself was so poor that the firm should have been sanctioned regardless. Misleading information from management is not a defence against an audit that fails to meet ISA requirements. ISA 200.15 establishes that the auditor must plan and perform the audit with professional scepticism. Professional scepticism means recognising the possibility that a material misstatement due to fraud could exist, notwithstanding the auditor’s past experience of management’s honesty.

Grant Thornton’s then-CEO David Dunckley told MPs in 2019 that it was not the auditor’s role to identify fraud. He said the firm was not looking for fraud. ISA 240.5 directly contradicts this position. The standard requires the auditor to obtain reasonable assurance about whether the financial statements are free from material misstatement, whether caused by fraud or error. The auditor may not be able to detect a perfectly concealed fraud, but the auditor must design procedures that respond to assessed fraud risks. At Patisserie Valerie, the procedures either did not exist or were performed without adequate competence or scepticism.

Worked example: testing cash and revenue at a small retail client

Client: De Groot Bakkerij B.V., a Dutch bakery chain with 18 locations in Zuid-Holland. Annual revenue: €11.2M. Year-end: 31 December 2024. De Groot sells through a mix of in-store retail (74% of revenue), online orders (12%), and voucher partnerships with two corporate clients (14%).

Step 1. Identify fraud risk indicators in the revenue and cash cycle

The audit team reviews De Groot’s trial balance at planning. Voucher revenue from the two corporate partners totals €1.57M, but €980K of that amount (62%) was recognised in December 2024. The prior year showed voucher revenue distributed roughly evenly across months.

Step 2. Test revenue against external sources

The audit team sends confirmation requests directly to both corporate voucher partners under ISA 505.7. Partner A confirms €410K for the full year. De Groot’s ledger shows €420K from Partner A, with the €10K difference attributable to a December credit note not yet processed. This is reasonable.

Partner B confirms €590K for the full year. De Groot’s ledger shows €1.15M from Partner B. The €560K difference has no supporting documentation from Partner B.

Step 3. Test cash completeness

The audit team requests bank confirmations for all accounts held by De Groot at every financial institution the entity has dealt with in the past two years (not only the accounts in the trial balance). One bank confirms an account with a €95K overdraft that does not appear in De Groot’s records.

Step 4. Evaluate journal entries near year-end

The audit team selects all manual journal entries posted in the final two weeks of December that affect revenue or cash accounts, per ISA 240.32(a). One entry debits cash €560K and credits voucher revenue €560K. The description reads “Partner B Q4 settlement.” No invoice exists. The entry was posted by the financial controller on 29 December.

Your file checklist for small entity audit quality

1. Send bank confirmation requests for all accounts held by the entity at all financial institutions, including closed accounts. Use the ISA 505.7 procedures: design the request yourself, send it directly to the bank, evaluate the response. Never allow the client to handle any part of this process.
2. For any revenue line where more than 30% of annual revenue from a single source is recognised in the final month, classify revenue timing as a significant risk under ISA 240.27. Test the transactions to external confirmations from the counterparty, not to client-provided documents.
3. Test journal entries under ISA 240.32(a) by selecting entries that affect revenue or cash in the final two weeks before year-end. For each entry, trace to independent supporting documentation. A manual entry debiting cash and crediting revenue with no external support is exactly what ISA 240 requires you to find.
4. Compare the entity’s reported margins to industry peers. Patisserie Valerie reported margins higher than Starbucks while operating a sit-down café model with higher overheads. If your client’s profitability is inconsistent with the business model, ISA 520.5 requires you to investigate the anomaly.
5. After completing fieldwork, perform a stand-back review: does the overall financial position make sense given what you observed during the audit? ISA 520.6 requires analytical procedures at or near the end of the audit. An entity reporting £28 million cash while its competitors struggle should prompt further inquiry, not comfort.

Common mistakes in small entity audits

• The FRC’s Patisserie Valerie Decision Notice found that audit work on cash (including bank confirmations) was delegated to junior staff and not adequately reviewed. If the most junior member of your team is responsible for cash and bank, the engagement partner must still review the work. ISA 220.16 requires the engagement partner to determine that sufficient appropriate review has been performed.
• The FRC found that Grant Thornton did not identify inauthentic documents, including invoices with missing company logos, typing errors, and incorrect addresses. ISA 240.A44 lists characteristics of fraudulent documents. If your team accepts client-provided documents at face value without comparing them to independently obtained originals, you are replicating Grant Thornton’s failure.

Related tools and reading

Put audit concepts into practice with these free tools:

Related reading

Frequently asked questions

Source references

• FRC Final Decision Notice – Grant Thornton UK LLP / Patisserie Holdings Plc, September 2021
• FRC fine – £2.34 million (reduced from £4 million) for failures in the 2015–2017 audits
• Serious Fraud Office charges – September 2023, four individuals including former CFO Chris Marsh
• ISA 240 – The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements, IAASB
• ISA 505 – External Confirmations, IAASB
• ISA 500 – Audit Evidence, IAASB