Key takeaways

  • Why the same ISA 240 failures appear in enforcement case after enforcement case, and what specific paragraphs the regulators keep citing
  • How to design fraud risk responses that go beyond the standard journal entry testing under ISA 240.32
  • What the FRC’s 2023/24 enforcement themes tell you about where your current file is most exposed
  • How ISA 240 (Revised), effective December 2026, changes what regulators expect from your fraud work

What regulators actually flag on fraud

The FRC’s 2023/24 Annual Enforcement Review identified five recurring themes from concluded cases. Professional scepticism appeared in every single one. Failure to understand the entity appeared alongside it. The FRC’s enforcement director stated that the past year was notable for the conclusion of several high-profile cases, most significantly the LCF and Carillion investigations.

But the pattern is older than those cases. The FRC opened 40 new cases in 2023/24, with 85% relating to audit. Among the recurring themes across current investigations, the approach to the risk of fraud sits alongside audit planning and revenue recognition, as well as objectivity and evidence documentation. These are not isolated incidents. They are structural failures that repeat because the root causes go unaddressed.

The FCA added a new dimension in 2024 when it fined PwC £15 million for failing to report suspected fraud at London Capital & Finance. This was the FCA’s first-ever fine against an audit firm. The message was direct: auditors who suspect fraud and don’t report it to the regulator face consequences separate from and in addition to whatever the FRC does about the audit quality itself. Under section 342(6) of the Financial Services and Markets Act 2000, auditors of FCA-regulated firms have a statutory duty to report suspicions of fraud promptly. PwC suspected fraud at LCF but didn’t report it to the FCA before resigning. That single omission cost £15 million.

The European picture tells the same story with different names. EY audited Wirecard for over a decade and did not verify €1.9 billion in bank balances that turned out not to exist. KPMG audited Carillion and did not adequately challenge management’s going concern assumptions before the company collapsed owing £7 billion. In each case, the post-mortem identified failures that mapped directly to existing ISA requirements. The standards were there. The application was not.

The business model gap: why ISA 315 failures cause ISA 240 failures

ISA 240.16 requires the engagement team to discuss how and where the financial statements might be susceptible to material misstatement due to fraud. That discussion is supposed to set aside the assumption that management is honest (ISA 240.A11). In practice, most team discussions treat this as a planning-day formality. Someone reads last year’s fraud risk factors. Everyone nods. The file gets updated.

The problem starts earlier. ISA 315.19 requires auditors to understand the entity’s business model, including how it generates revenue. Without that understanding, you can’t identify where fraud hides.

The FRC flagged this in its 2023/24 enforcement themes: failing to understand the entity resulted in failures to identify and assess risks of material misstatement.

In the LCF case, all three audit firms failed to understand that LCF’s business was fundamentally a bond issuance operation whose loan book was concentrated in connected parties. PwC admitted eight breaches covering risk identification, professional scepticism (particularly regarding fraud risk), and the auditing of loan debtors, revenue, related party transactions, and going concern. The FRC’s finding was blunt: PwC failed to obtain an adequate understanding of the nature of LCF’s business.

That failure cascaded. The audit procedures were designed for a business that didn’t exist. Revenue procedures tested the wrong assertions. Work on loan debtors didn’t test recoverability. Related party procedures didn’t trace where the money went.

The Wirecard parallel

EY did not verify €1.9 billion in bank balances held (supposedly) in escrow accounts in the Philippines. EY accepted certificates from intermediaries instead of confirming directly with the banks — a failure against ISA 505’s requirements on external confirmations. But the deeper failure was not understanding Wirecard’s third-party payment processor model well enough to identify that the escrow accounts were where the fraud risk was concentrated. The audit procedures were aimed at the wrong target because the risk assessment was built on an incomplete picture of how the business operated.

Professional scepticism is not a mindset problem

Regulators cite professional scepticism in virtually every enforcement action. It sounds like an attitude problem. It isn’t.

ISA 200 defines professional scepticism (paragraph 13(l)) as an attitude that includes a questioning mind, being alert to conditions that may indicate possible misstatement due to fraud or error, and a critical assessment of audit evidence. ISA 240.13 then allows the auditor to accept records and documents as genuine unless the auditor has reason to believe the contrary. That second provision is the trapdoor. It creates a default of trust that a management committed to fraud can exploit.

ISA 240 (Revised), effective for periods beginning on or after 15 December 2026, removes this assumption entirely. The IAASB deleted the principle that auditors may accept records as genuine unless they identify reasons to believe otherwise. This is the single most significant change in the revised standard. It shifts the default from trust to verification.

But even under the current standard, the LCF case shows what the absence of scepticism looks like in practice. LCF was, according to the FCA, highly uncooperative during the 2016 audit. A senior individual acted aggressively towards the PwC audit team. The company provided inaccurate and misleading information. PwC’s own internal legal team was consulted on whether a draft email to LCF might inadvertently tip off the client about their fraud suspicions. Despite all of this, PwC signed an unqualified opinion and resigned without reporting to the FCA.

The failure wasn’t that the team lacked a sceptical attitude. The red flags were seen. Internal lawyers were consulted.

The issue was that the firm’s response to those red flags stopped short of the actions ISA 240.38 and ISA 240.40 require: evaluating the implications for the audit, communicating with those charged with governance, considering whether to report to regulatory authorities, and reassessing the risk of material misstatement. Scepticism without action is not scepticism. It is documentation of suspicions that went nowhere.

At Wirecard, the pattern was different in form but identical in structure. Financial Times journalists published detailed allegations of fraud from 2015 onwards. Short sellers flagged the escrow accounts. A whistleblower inside EY raised concerns about potentially fraudulent practices in 2016. EY’s response was to continue auditing under the assumption that the records were genuine. Confirmation bias played a documented role: the German market viewed Wirecard as a flagship success story, and that cultural context influenced how the audit team weighted contradictory evidence.

ISA 240 requires the engagement team discussion (the same requirement cited above) to occur “setting aside beliefs that the engagement team members may have that management and those charged with governance are honest and have integrity.” In Wirecard’s case, that belief was reinforced by the market, by the regulator BaFin (which filed a criminal complaint against the Financial Times journalists rather than investigating the company), and by a decade of clean audit opinions. Setting aside that accumulated belief required more than a box-ticking discussion at planning. It required someone on the team to say: what if the escrow accounts don’t exist?

When audit procedures cannot catch what they were not designed to find

ISA 240.28 requires the auditor’s responses to assessed fraud risks to be clearly linked to those risks at the assertion level. This sounds obvious. In practice, most fraud responses default to journal entry testing (ISA 240.32) and a retrospective review of accounting estimates (ISA 240.A46), plus the revenue recognition presumption. These are the minimum. They are not a fraud response plan.

The LCF audits illustrate why the minimum is insufficient. LCF’s fraud did not sit in journal entries or accounting estimates. It sat in the loan book. Bondholders’ money was lent to connected parties who could not repay it, and a portion flowed through to LCF’s directors and associates for personal use (luxury properties, Rolex watches, a Porsche 911, gold bullion). Detecting this required procedures designed for connected-party lending fraud: tracing loan proceeds to ultimate use, testing whether borrowers had the capacity to repay, verifying the independence of borrowers from LCF management. Standard journal entry testing would never have caught this. The procedures needed to match the risk.

Wirecard’s fraud required different procedures entirely. ISA 505 sets out clear requirements for external confirmations. Direct confirmation with the banks was the procedure the risk demanded. EY accepted intermediary certificates instead. That failure over multiple audit cycles was not a gap in the standards. It was a gap in execution.

Enforcement themes from the FRC confirm this pattern. Failed audits don’t fail because the standards are inadequate. They fail because the procedures in the file were designed for a version of the entity that doesn’t account for where the fraud risk actually sits. If the risk assessment is wrong (because the auditor doesn’t understand the business model), the procedures are wrong by inheritance.

ISA 240 (Revised) stand-back requirement

ISA 240 (Revised) introduces a new stand-back requirement that directly addresses this gap. Before concluding the engagement, auditors must evaluate whether their fraud risk assessments and audit responses remain appropriate in light of the evidence obtained. This is designed to catch the situation where new information emerged during fieldwork but the fraud response plan was never updated. Under the current standards, the closest equivalent is the general ISA 330 requirement to evaluate, before concluding, whether the assessed risks at the assertion level remain appropriate; there is no fraud-specific checkpoint. After December 2026, there will be.

Worked example: Kramer Vermögensverwaltung GmbH

Kramer Vermögensverwaltung GmbH is a German asset management company with €38 million in assets under management. It raises capital through fixed-interest bonds sold to retail investors and lends the proceeds to property development SPVs. Your firm is appointed as auditor for the year ended 31 December 2025. During planning, you identify that four of the six borrowing SPVs share a director with Kramer’s CEO.

1. Understand the business model before designing fraud procedures (ISA 315.19, ISA 240.16)

Map how money flows: bonds issued to investors, proceeds lent to SPVs, interest income from SPV loans used to pay bond interest. Identify that the four connected SPVs account for 67% of the loan book by value.

Documentation note

Record the business model diagram in the planning file. Note the connected-party concentration as a factor requiring specific fraud risk consideration under ISA 240.A26.

2. Assess fraud risk at the assertion level (ISA 240.28)

The key fraud risks are: existence and valuation of the loan book (are the SPV loans real and recoverable?) and completeness of related party disclosures (are all connections disclosed?). Revenue recognition is a presumed risk, but the higher risk sits in whether bond proceeds are being used for their stated purpose.

3. Design procedures that match the assessed risks

For loan existence: confirm loan balances directly with each SPV. For the four connected SPVs, obtain independent evidence of the SPV’s ability to repay (bank statements, property valuations from an independent valuer, development progress reports). Do not accept confirmations or valuations provided by SPV management where that management overlaps with Kramer’s CEO.

For use of proceeds: trace a sample of bond proceeds from the Kramer bank account to the lending SPV bank account to the ultimate use of funds. If proceeds were used for purposes other than property development (personal purchases, transfers to non-SPV accounts), this is a fraud indicator.

Documentation note

Record the rationale for each procedure’s design. State explicitly why standard journal entry testing alone would be insufficient for this engagement (ISA 240.A34).

4. Apply the stand-back evaluation

At completion, review whether any evidence obtained during fieldwork changes the fraud risk assessment. If an SPV failed to provide bank statements, or if the independent property valuation came in significantly below the loan balance, re-evaluate whether the assessed fraud risks and your responses were sufficient.

What a reviewer sees

A fraud response plan built from the business model, not from a prior-year template. Each procedure traces to a specific assessed risk. The stand-back evaluation shows the team re-assessed its conclusions at completion. That is the difference between a file that survives inspection and one that generates an enforcement referral.

Your file checklist for fraud risk procedures

  1. Confirm that the engagement team discussion (ISA 240.16) specifically addressed how the entity’s business model creates fraud opportunities, not just the standard journal entry and revenue recognition risks.
  2. Verify that every assessed fraud risk at the assertion level has a corresponding procedure designed for that specific risk (ISA 240.28), not a generic procedure from a prior-year file.
  3. Check that the fraud risk assessment documents the link between the business model, the fraud risk factor, and the procedure response.
  4. For any related party lending or connected-party transactions, confirm that the audit obtained evidence independent of management regarding the counterparty’s existence and capacity to repay, plus the actual use of funds (ISA 505, ISA 550.A30).
  5. Document whether any red flags emerged during fieldwork that should have triggered a revision of the fraud risk assessment, and record the conclusion (apply the ISA 240 Revised stand-back principle now, before it becomes mandatory).
  6. If you suspect fraud, verify that your firm’s reporting obligation under national law has been considered and actioned. Under the UK’s FSMA section 342(6), the duty to report to the FCA applies as soon as reasonable suspicion forms, not after the suspicion is conclusively proven.

Common mistakes regulators keep finding

  • The FRC’s 2023/24 enforcement review found that auditors repeatedly failed to obtain an adequate understanding of the entity before assessing fraud risk, resulting in procedures designed for a business model that didn’t match reality. The fix is cheap relative to the exposure: at planning, draw the cash flow diagram, identify where the money concentrates, and ask where fraud could hide in that specific structure.
  • The FCA’s 2024 fine against PwC established that suspecting fraud and then resigning without reporting to the regulator is itself a sanctionable failure, separate from any audit quality findings. If your firm audits FCA-regulated entities, your escalation process for suspected fraud must include a reporting-to-regulator step, not just an internal consultation.
  • The FRC’s Carillion and LCF cases both involved auditors who relied on management representations without obtaining corroborating evidence from independent sources (ISA 500.A31). When management is the source of both the assertion and the evidence, the evidence has little incremental value for fraud detection purposes.


Frequently asked questions

Why do the same ISA 240 failures appear in enforcement cases repeatedly?

The root cause is typically a failure to understand the entity’s business model under ISA 315.19, which cascades into fraud risk assessments that miss where fraud actually hides. Audit procedures are then designed for a version of the entity that doesn’t account for the real risk. The LCF and Wirecard cases both followed this pattern.

What was the FCA’s first fine against an audit firm?

In 2024, the FCA fined PwC £15 million for failing to report suspected fraud at London Capital & Finance. Under section 342(6) of the Financial Services and Markets Act 2000, auditors of FCA-regulated firms have a statutory duty to report suspicions of fraud promptly. PwC suspected fraud at LCF but resigned without reporting to the FCA.

What does ISA 240 (Revised) change about fraud audit procedures?

ISA 240 (Revised), effective December 2026, removes the assumption that auditors may accept records as genuine unless they identify reasons to believe otherwise. It also introduces a mandatory stand-back requirement: before concluding the engagement, auditors must evaluate whether their fraud risk assessments and audit responses remain appropriate in light of evidence obtained.

How did the Wirecard fraud go undetected for so long?

EY did not verify €1.9 billion in bank balances held in escrow accounts in the Philippines. Instead of confirming directly with the banks (as ISA 505 requires), EY accepted certificates from intermediaries. The deeper failure was not understanding Wirecard’s third-party payment processor model well enough to identify that escrow accounts were where the fraud risk was concentrated.

What is the difference between professional scepticism as attitude versus action?

In the LCF case, PwC’s team saw the red flags and even consulted internal lawyers about suspected fraud. But the firm’s response stopped short of the actions ISA 240.38 and 240.40 require: evaluating implications for the audit, communicating with those charged with governance, considering whether to report to regulatory authorities. Scepticism without action is not scepticism.

Source references

  • FRC, 2023/24 Annual Enforcement Review
  • FCA, Final Notice — PwC (London Capital & Finance), 2024
  • FRC, Carillion enforcement action (KPMG)
  • Parliamentary inquiry and regulatory findings on Wirecard AG / EY
  • ISA 240, The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements
  • ISA 240 (Revised), effective 15 December 2026
  • ISA 315 (Revised 2019), Identifying and Assessing the Risks of Material Misstatement
  • ISA 505, External Confirmations