The primary role of auditors is to provide an opinion on the truth and fairness of the financial statements. Given their access to financial information and sensitive records, auditors are often best placed to detect discrepancies and potential fraud that might otherwise go unnoticed.
According to ISA 240, auditors must obtain reasonable assurance that financial statements are free from material misstatements, whether caused by fraud or by error. This responsibility extends to a legal duty to report suspicions of fraud to regulators.
Substantial fines serve as a stark reminder of the severe consequences that can arise when auditors do not adequately discharge their responsibilities. Such penalties highlight the risks of failing to identify and report significant issues in a timely manner.
Auditing regulated entities
Under the Financial Services and Markets Act 2000 (FSMA), auditors of regulated entities are required to disclose information or opinions relevant to the regulator's functions, as stated in sections 342(5) and 343(5) of the Act.
This includes any suspicions of fraud that could impact the Financial Conduct Authority’s (FCA) Principles for Business and/or the Threshold Conditions for authorisation set by both the FCA and the Prudential Regulation Authority (PRA).
To enable information-sharing and to protect auditors, FSMA permits auditors to communicate confidential or sensitive information to the regulator if they reasonably believe it is relevant to the regulator's functions.
In instances where an auditor reasonably believes that fraud or other serious irregularities have occurred, especially involving individuals in governance, they are legally obliged to report these suspicions to the appropriate regulator without delay. While FSMA provides the legal framework, the professional standard ISA 250B (Revised) further elaborates on the auditor's duty to report.
According to ISA 250B, para 12, when an apparent breach of statutory or regulatory requirements comes to the auditor’s attention, including instances of suspected fraud, the auditor must:
- Obtain available evidence to assess the implications for their reporting responsibilities.
- Determine whether there is reasonable cause to believe that the breach is of material significance to the regulator.
- Consider whether the breach constitutes criminal conduct that should be reported to the appropriate authorities.
Should a suspicion be reported?
When considering whether to report a suspicion of fraud, auditors might reflect on a range of important questions, including:
- Is there missing or incomplete documentation that raises concerns?
- Are there significant discrepancies between financial records and supporting evidence?
- Do any transactions lack a legitimate business purpose?
- Is management being defensive or obstructive in response to my enquiries?
- Have I noticed any pressure to approve financial statements despite unresolved issues?
- Would I be comfortable justifying my decision not to report these suspicions if scrutinised later?
When auditors encounter a suspected fraud or breach, they might typically seek evidence to understand its implications before reporting it to the regulator. However, Article 28 of ISA 250B explains that their responsibility to report does not require a complete assessment of the breach's full impact beforehand.
Instead, auditors will need to exercise professional judgement to determine whether there is reasonable cause to believe the matter is or could be materially significant to the regulator.
To make this judgement, auditors might conduct appropriate investigations, including:
- reviewing relevant audit evidence;
- speaking with relevant staff and those charged with governance (where appropriate to do so); and
- reviewing correspondence and documents related to the transaction or event concerned.
It is worth noting that an apparent breach of statutory or regulatory requirements does not automatically trigger a statutory duty to report to a regulator.
For example, as per Article 27 of ISA 250B, a minor breach that has been corrected and reported by the regulated entity and appears isolated may not warrant reporting.
When deciding whether a breach requires a statutory report to a regulator, auditors might consider factors such as:
- whether the breach suggests a broader compliance issue;
- whether it has been rectified and reported by the entity;
- whether ongoing issues or a lack of corrective action persist; and
- whether immediate reporting is necessary to protect stakeholders.
The determination as to whether to report is also explored in para 44 of ISA 240. The standard recognises that decisions around reporting involve complex considerations and professional judgements, prompting the auditor in some cases to seek internal consultation within their firm.
Furthermore, the auditor may consider obtaining legal advice to fully understand their options and the professional or legal implications of any potential actions.
Prompt action is required
The FSMA and ISA 250B emphasise the need for timely reporting. When suspicions of fraud arise, auditors must act quickly, as delaying a report can allow fraudulent activities to continue, potentially worsening financial damage.
Failing to meet these obligations can have severe consequences. The substantial penalties recently imposed on audit firms underscore the seriousness of these duties and serve as a cautionary reminder to the auditing profession of the dangers of inaction.