Three firms audited London Capital & Finance. Three firms missed the same fraud. In 2024 the FRC sanctioned PwC, EY, and Oliver Clive & Co over their LCF work, and the findings in each case read like the same checklist: insufficient understanding of the business, absent professional scepticism, audit procedures that never stood a chance of detecting what sat in plain sight. Red flags were visible during fieldwork. Nobody acted.
That pattern is the point. When we read enforcement files, we see SALY (same as last year) with better narratives. The same prior-year fraud work gets rolled forward, reworded, and signed off, right up until the entity collapses and the regulator opens a file. Fraud goes undetected because auditors skip ISA 240’s real work: understanding the business model, keeping professional scepticism alive when management’s explanations don’t reconcile, designing procedures that respond to assessed fraud risks, and acting on red flags as they surface.
Key Takeaways
- Why the same ISA 240 failures appear in enforcement case after enforcement case, and what specific paragraphs the regulators keep citing
- How to design fraud risk responses that go beyond the standard journal entry testing under ISA 240.32
- What the FRC’s 2023/24 enforcement themes tell you about where your current file is most exposed, and what they don’t
- How ISA 240 (Revised), effective December 2026, changes what regulators expect from your fraud work
What regulators actually flag on fraud
The FRC’s 2023/24 Annual Enforcement Review identified five recurring themes from concluded cases. Professional scepticism appeared in every single one. Failure to understand the entity sat alongside it. The FRC’s enforcement director called the year notable for the conclusion of several high-profile cases, most significantly LCF and Carillion.
But the pattern is older than those two files. The FRC opened 40 new cases in 2023/24, with 85% relating to audit. Across current investigations, the approach to the risk of fraud sits alongside audit planning, revenue recognition, objectivity, and evidence documentation. These are not isolated incidents. They are structural failures that repeat because root causes go unaddressed.
The FCA added a new dimension in 2024 when it fined PwC £15 million for failing to report suspected fraud at London Capital & Finance. That was the FCA’s first-ever fine against an audit firm. The message was direct: auditors who suspect fraud and don’t report it to the regulator face consequences separate from whatever the FRC does about audit quality. Under section 342(6) of the Financial Services and Markets Act 2000, auditors of FCA-regulated firms have a statutory duty to report suspicions of fraud promptly. PwC suspected fraud at LCF but didn’t report it to the FCA before resigning. That single omission cost £15 million.
The European picture tells the same story under different names. EY audited Wirecard for over a decade and never verified €1.9 billion in bank balances that turned out not to exist. KPMG audited Carillion and did not adequately challenge management’s going concern assumptions before the company collapsed owing £7 billion. In each case the post-mortem identified failures that mapped directly to existing ISA requirements. The standards were there. The application was not.
The business model gap: why ISA 315 failures cause ISA 240 failures
ISA 240.16 requires the engagement team to discuss how and where the financial statements might be susceptible to material misstatement due to fraud. That discussion is supposed to set aside the assumption that management is honest (ISA 240.A11). In our experience, most team discussions treat this as a planning-day formality, a tick-box exercise. Someone reads last year’s fraud risk factors. Everyone nods. The working papers (WPs) get updated.
The problem starts earlier. ISA 315.19 requires auditors to understand the entity’s business model, including how it generates revenue. Without that understanding, you can’t identify where fraud hides.
The FRC flagged this in its 2023/24 enforcement themes: failing to understand the entity resulted in failures to identify and assess risks of material misstatement.
In the LCF case, all three audit firms missed that LCF was a bond issuance operation with a loan book concentrated in connected parties. PwC admitted eight breaches covering risk identification, professional scepticism (particularly regarding fraud risk), and the auditing of loan debtors, revenue, related party transactions, and going concern. The FRC’s finding was blunt: PwC failed to obtain an adequate understanding of the nature of LCF’s business.
That failure cascaded. Procedures were designed for a business that didn’t exist. Revenue procedures tested the wrong assertions. Work on loan debtors didn’t test recoverability. The related party procedures never traced where the money actually went.
This cascade is not unique to LCF. At Wirecard, EY did not verify €1.9 billion in bank balances held (supposedly) in escrow accounts in the Philippines. EY accepted certificates from intermediaries instead of confirming directly with the banks, a failure against ISA 505’s requirements on external confirmations. The deeper failure was not understanding Wirecard’s third-party payment processor model well enough to spot that the escrow accounts were where the fraud risk concentrated. Procedures aimed at the wrong target because the risk assessment was built on an incomplete picture of how the business operated.
Professional scepticism is not a mindset problem
Regulators cite professional scepticism in virtually every enforcement action. It sounds like an attitude problem. It isn’t.
ISA 200.15 defines professional scepticism as an attitude that includes a questioning mind, alertness to conditions that may indicate possible misstatement due to fraud or error, a critical assessment of audit evidence, and a willingness to challenge assumptions underlying management’s representations. ISA 240.A7 adds that the auditor may accept records and documents as genuine unless the auditor has reason to believe otherwise. That second sentence is the trapdoor. It creates a default of trust that management exploits.
ISA 240 (Revised), effective for periods beginning on or after 15 December 2026, removes that assumption entirely. The IAASB deleted the principle that auditors may accept records as genuine unless they identify reasons to believe otherwise. This is the single most significant change in the revised standard. It shifts the default from trust to verification.
Even under the current standard, the LCF case shows what the absence of scepticism looks like in practice. LCF was, according to the FCA, highly uncooperative during the 2016 audit. A senior individual acted aggressively towards the PwC audit team. The company provided inaccurate and misleading information. PwC’s own internal legal team was consulted on whether a draft email to LCF might inadvertently tip off the client about their fraud suspicions. Despite all of that, PwC signed an unqualified opinion and resigned without reporting to the FCA.
The failure wasn’t that the team lacked a sceptical attitude. The red flags were seen. Internal lawyers were consulted. This is the paragraph that makes partners uncomfortable at training, because every EP has had a client that matched this profile and the decision in the moment is never as clear as it looks on the enforcement page.
The issue was that the firm’s response to those red flags stopped short of the actions ISA 240.38 and ISA 240.40 require: evaluating the implications for the audit, communicating with those charged with governance, considering whether to report to regulatory authorities, and reassessing the risk of material misstatement. Scepticism without action is not scepticism. It is documentation of suspicions that went nowhere.
At Wirecard, the pattern was different in form but identical in structure. Financial Times journalists published detailed allegations of fraud from 2015 onwards. Short sellers flagged the escrow accounts. A whistleblower inside EY raised concerns about potentially fraudulent practices in 2016. EY’s response was to continue auditing under the assumption that the records were genuine. Confirmation bias played a documented role. The German market viewed Wirecard as a flagship success story, and that cultural context influenced how the audit team weighted contradictory evidence.
ISA 240.12 requires the engagement team discussion to occur “setting aside beliefs that the engagement team members may have that management and those charged with governance are honest and have integrity.” In Wirecard’s case, that belief was reinforced by the market, the regulator BaFin (which filed a complaint against the Financial Times journalists rather than investigating the company), and a decade of clean audit opinions. Setting aside that accumulated belief required more than a box-ticking discussion at planning. Someone on the team had to say: what if the escrow accounts don’t exist?
When audit procedures cannot catch what they were not designed to find
ISA 240.28 requires the auditor’s responses to assessed fraud risks to be clearly linked to those risks at the assertion level. This sounds obvious. In practice, most fraud responses default to ticking and bashing journal entries (ISA 240.32), a retrospective review of accounting estimates (ISA 240.A46), the revenue recognition presumption, and evaluation of the business rationale for significant unusual transactions. That is the minimum. It is not a fraud response plan.
The LCF audits illustrate why the minimum is insufficient. LCF’s fraud did not sit in journal entries or accounting estimates. It sat in the loan book. Bondholders’ money was lent to connected parties who could not repay it, and a portion flowed through to LCF’s directors and associates for personal use (luxury properties, Rolex watches, a Porsche 911, gold bullion). Detecting that required procedures designed for connected-party lending fraud: tracing loan proceeds to ultimate use, testing whether borrowers had the capacity to repay, verifying the independence of borrowers from LCF management, and examining whether loan terms were consistent with arm’s length lending. Standard journal entry testing would never have caught this. Procedures needed to match the risk.
Wirecard’s fraud required different procedures entirely. ISA 505 sets out clear requirements for external confirmations. Direct confirmation with the banks was the procedure the risk demanded. EY accepted intermediary certificates instead. That failure, repeated over multiple audit cycles, was not a gap in the standards. It was a gap in execution.
FRC enforcement themes confirm this pattern. Failed audits don’t fail because the standards are inadequate. They fail because the procedures in the file were designed for a version of the entity that doesn’t account for where fraud risk actually sits. If the risk assessment is wrong (because the auditor doesn’t understand the business model), the procedures are wrong by inheritance.
ISA 240 (Revised) introduces a new stand-back requirement that directly addresses this gap. Before concluding the engagement, auditors must evaluate whether their fraud risk assessments and audit responses remain appropriate in light of the evidence obtained. It is designed to catch the situation where new information emerged during fieldwork but the fraud response plan was never updated. Under the current standard, there is no formal checkpoint for this re-evaluation. After December 2026, there will be.
Worked example: Kramer Vermögensverwaltung GmbH
Scenario: Kramer Vermögensverwaltung GmbH is a German asset management company with €38 million in assets under management. It raises capital through fixed-interest bonds sold to retail investors and lends the proceeds to property development SPVs. Your firm is appointed as auditor for the year ended 31 December 2025. During planning, you identify that four of the six borrowing SPVs share a director with Kramer’s CEO.
Understand the business model before designing fraud procedures (ISA 315.19, ISA 240.16)
Map how money flows: bonds issued to investors, proceeds lent to SPVs, interest income from SPV loans used to pay bond interest. Identify that 67% of the loan book is concentrated in connected-party SPVs.
Documentation note: record the business model diagram in the planning file. Note the connected-party concentration as a factor requiring specific fraud risk consideration under ISA 240.A26.
Assess fraud risk at the assertion level (ISA 240.28)
The key fraud risks are existence and valuation of the loan book (are the SPV loans real and recoverable?) and completeness of related party disclosures (are all connections disclosed?). Revenue recognition is a presumed risk, but the higher risk sits in whether bond proceeds are being used for their stated purpose.
Documentation note: record each assessed fraud risk with the specific assertion affected. Link each risk to the business model feature that creates it. ISA 240.28 requires this link to be explicit, not inferred.
Design procedures that match the assessed risks
For loan existence, confirm loan balances directly with each SPV. For the four connected SPVs, obtain independent evidence of the SPV’s ability to repay (bank statements, property valuations from an independent valuer, development progress reports). Do not accept confirmations or valuations provided by SPV management where that management overlaps with Kramer’s CEO.
For use of proceeds, trace a sample of bond proceeds from the Kramer bank account to the lending SPV bank account and onward to the ultimate use of funds. If proceeds were used for purposes other than property development (personal purchases, transfers to non-SPV accounts), that is a fraud indicator.
Documentation note: record the rationale for each procedure’s design. State explicitly why standard journal entry testing alone would be insufficient for this engagement (ISA 240.A34). The file should tell a story about why these procedures, not last year’s.
Apply the stand-back evaluation
At completion, review whether any evidence obtained during fieldwork changes the fraud risk assessment. If an SPV failed to provide bank statements, or if the independent property valuation came in significantly below the loan balance, re-evaluate whether the assessed fraud risks and your responses were sufficient.
Documentation note: record the stand-back evaluation as a separate section in the completion file. It becomes mandatory under ISA 240 (Revised) but is good practice now.
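A script-form version of the four steps above, added here as an illustration and not part of the article: the loan book, director registers and bank transfers are constructed sample data, and every account and director identifier is hypothetical.

```python
from collections import namedtuple

# Loan fields: SPV id, carrying balance (EUR), director register (frozenset),
# independent property valuation (None if not obtained), bank statements supplied (bool).
Loan = namedtuple("Loan", "spv balance directors valuation bank_statements")

CEO = "CEO-K"  # hypothetical identifier for Kramer's CEO

# Constructed sample loan book: four of the six SPVs share a director with the CEO.
LOANS = [
    Loan("SPV-A", 5_000_000, frozenset({CEO, "D1"}), 5_200_000, True),
    Loan("SPV-B", 7_000_000, frozenset({CEO}), 4_100_000, True),    # valuation well below balance
    Loan("SPV-C", 6_000_000, frozenset({CEO, "D2"}), None, False),  # no statements, no valuation
    Loan("SPV-D", 4_000_000, frozenset({CEO}), 4_300_000, True),
    Loan("SPV-E", 6_000_000, frozenset({"D3"}), 6_100_000, True),
    Loan("SPV-F", 5_000_000, frozenset({"D4"}), 5_000_000, True),
]

# Constructed bank transfers (from_account, to_account, narrative) for the use-of-proceeds trace.
TRANSFERS = [
    ("KRAMER-BANK", "SPV-B-BANK", "loan advance"),
    ("SPV-B-BANK", "CONTRACTOR-X", "stage payment"),
    ("SPV-B-BANK", "PRIVATE-ACCT-1", "transfer"),  # onward to a non-SPV, non-contractor account
    ("KRAMER-BANK", "SPV-E-BANK", "loan advance"),
    ("SPV-E-BANK", "CONTRACTOR-Y", "stage payment"),
]

def connected_party_exposure(loans, ceo=CEO):
    """Step 1: SPVs whose register includes the CEO, and their share of the loan book (%)."""
    connected = [l for l in loans if ceo in l.directors]
    pct = round(100 * sum(l.balance for l in connected) / sum(l.balance for l in loans))
    return [l.spv for l in connected], pct

def non_development_uses(transfers, origin="KRAMER-BANK"):
    """Step 3: follow proceeds from the origin through each SPV account to where the money
    finally lands; return (spv_account, destination) pairs that are not contractor payments."""
    outgoing = {}
    for src, dst, _ in transfers:
        outgoing.setdefault(src, []).append(dst)
    flagged = []
    for hop in outgoing.get(origin, []):
        stack, seen = [hop], set()
        while stack:                      # depth-first walk to the leaf accounts
            acct = stack.pop()
            if acct in seen:
                continue
            seen.add(acct)
            if acct in outgoing:
                stack.extend(outgoing[acct])
            elif not acct.startswith("CONTRACTOR-"):
                flagged.append((hop, acct))
    return sorted(flagged)

def stand_back(loans, shortfall=0.9):
    """Step 4: evidence gaps and valuation shortfalls that should reopen the fraud risk assessment."""
    findings = []
    for l in loans:
        if not l.bank_statements:
            findings.append((l.spv, "no bank statements obtained"))
        if l.valuation is None:
            findings.append((l.spv, "no independent valuation obtained"))
        elif l.valuation < shortfall * l.balance:
            findings.append((l.spv, f"valuation below {shortfall:.0%} of loan balance"))
    return findings
```

An SPV account with no traced onward transfers is also reported by the use-of-proceeds walk, since money that cannot be followed to a development use is itself a gap to clear.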
Your file checklist for fraud risk procedures
- Confirm that the engagement team discussion (ISA 240.16) specifically addressed how the entity’s business model creates fraud opportunities, not just the standard journal entry and revenue recognition risks
- Verify that every assessed fraud risk at the assertion level has a corresponding procedure designed for that specific risk (ISA 240.28) and not a SALY procedure rolled forward from last year’s WPs
- Check that the fraud risk assessment documents the link between business model, fraud risk factor, and procedure response
- For any related party lending or connected-party transactions, confirm that the audit obtained evidence independent of management about the counterparty’s existence and capacity to repay, plus the actual use of funds (ISA 505, ISA 550.A30)
- Document whether any red flags emerged during fieldwork that should have triggered a revision of the fraud risk assessment, and record the conclusion (apply the ISA 240 Revised stand-back principle now, before it becomes mandatory)
- If you suspect fraud, verify that your firm’s reporting obligation under national law has been considered and actioned. Under the UK’s FSMA section 342(6), the duty to report to the FCA applies as soon as reasonable suspicion forms, not after the suspicion is conclusively proven.
Common mistakes regulators keep finding
- The FRC’s 2023/24 enforcement review found that auditors repeatedly failed to obtain an adequate understanding of the entity before assessing fraud risk, resulting in procedures designed for a business model that didn’t match reality. The fix takes 30 minutes at planning. Draw the cash flow diagram, identify where the money concentrates, and ask where fraud could hide in that specific structure.
- The FCA’s 2024 fine against PwC established that suspecting fraud and then resigning without reporting to the regulator is itself a sanctionable failure, separate from any audit quality findings. If your firm audits FCA-regulated entities, your escalation process for suspected fraud must include a reporting-to-regulator step, not just an internal consultation.
- The FRC’s Carillion and LCF cases both involved auditors who relied on management representations without obtaining corroborating evidence from independent sources (ISA 500.A31). When management is the source of both the assertion and the evidence, the evidence has zero incremental value for fraud detection.
- Defaulting to prior-year fraud risk responses without updating them for changes in the business model or new information obtained during the engagement. ISA 240.28 requires responses linked to the current year’s assessed fraud risks at the assertion level, not SALY with better narratives.
Frequently asked questions
Why do the same ISA 240 failures appear in enforcement cases repeatedly?
The root cause is typically a failure to understand the entity’s business model under ISA 315.19, which cascades into fraud risk assessments that miss where fraud actually hides. Audit procedures are then designed for a version of the entity that doesn’t account for the real risk. The LCF and Wirecard cases both followed this pattern.
What was the FCA’s first fine against an audit firm?
In 2024, the FCA fined PwC £15 million for failing to report suspected fraud at London Capital & Finance. Under section 342(6) of the Financial Services and Markets Act 2000, auditors of FCA-regulated firms have a statutory duty to report suspicions of fraud promptly. PwC suspected fraud at LCF but resigned without reporting to the FCA.
What does ISA 240 (Revised) change about fraud audit procedures?
ISA 240 (Revised), effective December 2026, removes the assumption that auditors may accept records as genuine unless they identify reasons to believe otherwise. It also introduces a mandatory stand-back requirement: before concluding the engagement, auditors must evaluate whether their fraud risk assessments and audit responses remain appropriate in light of evidence obtained.
How did the Wirecard fraud go undetected for so long?
EY did not verify €1.9 billion in bank balances held in escrow accounts in the Philippines. Instead of confirming directly with the banks (as ISA 505 requires), EY accepted certificates from intermediaries. The deeper failure was not understanding Wirecard’s third-party payment processor model well enough to identify that escrow accounts were where the fraud risk was concentrated.
What is the difference between professional scepticism as attitude versus action?
In the LCF case, PwC’s team saw the red flags and even consulted internal lawyers about suspected fraud. But the firm’s response stopped short of the actions ISA 240.38 and 240.40 require: evaluating implications for the audit, communicating with those charged with governance, considering whether to report to regulatory authorities. Scepticism without action is not scepticism.
Source references
- FRC, 2023/24 Annual Enforcement Review
- FCA, Final Notice — PwC (London Capital & Finance), 2024
- FRC, Carillion enforcement action (KPMG)
- Parliamentary inquiry and regulatory findings on Wirecard AG / EY
- ISA 240, The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements
- ISA 240 (Revised), effective 15 December 2026
- ISA 315 (Revised 2019), Identifying and Assessing the Risks of Material Misstatement
- ISA 505, External Confirmations