Fraud accounts for approximately 40% of crime across England and Wales and the annual cost of fraud in the UK is estimated to be £219 billion. Ahead of the implementation of the ‘Failure to Prevent Fraud’ offence on the 1 September 2025.
Background
The Economic Crime and Corporate Transparency Act 2023 (“the Act”) plays a crucial role in the UK’s efforts against economic crime. Key areas of the Act include enhanced Companies House powers, improved transparency and most notably, the introduction of the ‘Failure to Prevent Fraud’ offence, which comes into force in September 2025.
The latter’s aim is to hold organisations accountable for fraudulent activities committed by employees, agents or subsidiaries (“associated persons”) intending to benefit organisations and where reasonable measures to prevent fraud were not in place. This offence is intended to promote a culture of transparency and integrity within corporate entities, reduce fraud and protect victims including businesses. The UK government published guidance on 6 November 2024 which sets out how firms can take action to prevent corporate fraud.
Key provisions
What is the scope of the Offence?
The offence applies across the UK and is applicable to large organisations across all sectors, which are defined as those meeting two out of three of the following criteria:
- a turnover of more than £36 million,
- a balance sheet total of more than £18 million, or
- more than 250 employees.
While the offence itself is only applicable to organisations who meet the above definition, smaller organisations may still benefit from consulting the principles of the guidance to follow good practice.
The Failure to Prevent Fraud offence covers common law and statutory fraud offences across the UK, including cheating the public revenue, embezzlement, uttering, false accounting, false statements by company directors, fraudulent trading, participating in fraudulent business, obtaining services dishonestly, fraud by false representation, fraud by failing to disclose information and fraud by abuse of position.
Who is classed as Associated Persons?
The offence refers to fraud perpetrated by “associated persons”, which include employees, agents, subsidiaries, and other individuals or entities performing services for or on behalf of the organisation. This ensures organisations’ accountability for the actions of a range of individuals connected to their operations. Corporate liability will only arise if the individual or entity commits the base fraud while acting in their capacity as an associated person. It should be noted that those providing services to an organisation (e.g., external accountants, lawyers and valuers) are not associated persons for the purposes of this offence.
Intending to benefit
The application of the offence requires that the organisation “was intended to be the beneficiary”; there does not need to be actual receipt of any benefit. The benefit can be financial or non-financial in nature. No liability will arise where the organisation is a victim or intended victim of a fraud that was intended to benefit its clients, i.e., the loss caused or intended would be suffered by the organisation itself, or the intention of the perpetrated fraud was to harm the organisation itself.
How can you demonstrate Reasonable Procedures?
Organisations can avoid criminal liability if they are able to demonstrate that they had "reasonable fraud prevention procedures" in place. The design and implementation of fraud prevention measures should have due consideration of the organisation’s structure and the geographical scope of the offence. The guidance provides that reasonable fraud prevention measures should be informed by six principles: top-level commitment, risk assessment, proportionality, due diligence, communication including training, and monitoring and review.
What does this mean and what does best practice look like for Organisations?
Top-level Commitment
Organisations must demonstrate a strong commitment to fraud prevention. Senior management needs to lead by example through visible and active engagement in fraud prevention. Key components of successful fraud prevention efforts are fostering a transparent culture where fraud is unacceptable and the allocation of sufficient resources (including training and technology) to anti-fraud measures. It is essential that the organisation's stance on fraud is communicated, such as through codification in a code of ethics, and that there are clear and enforced consequences for policy breaches. As liability does not depend on whether organisations have knowledge of or instructed the fraud, there is additional pressure to ensure an appropriate fraud prevention framework is in place.
Risk Assessment
A detailed risk assessment is crucial for identifying areas susceptible to fraud. The process should include the evaluation of internal and external risks, the nature and operations of the business (including use of agents or contractors) and the potential impact of fraud. The risk assessment should be well-documented and subject to regular review and updates.
Proportionate, Risk-Based Procedures
Anti-fraud measures should be tailored to the specific organisation. This involves the design and implementation of procedures that are proportionate to the organisation’s size, nature and complexity of its activities, and the associated fraud risks identified through the risk assessment process. To be effective, an organisation should ensure that its procedures are ‘clear, practical, accessible, effectively implemented and enforced’.
Due Diligence
Organisations need to put in place robust due diligence measures to assess and monitor relationships with third parties who perform services for or on behalf of the organisation. Measures can include the use of technology to conduct screening/vetting checks and reviewing contracts with service providers to include compliance and termination clauses. Another important aspect of due diligence is monitoring staff wellbeing, as the likelihood of fraud increases where there are stressors such as workload concerns and unrealistic targets.
Communication and Training
In addition to ensuring that the stance on fraud is clearly communicated at all levels, organisations must implement training and awareness programmes to ensure that associated persons understand their fraud prevention responsibilities. Training should cover internal policies, legal implications of fraud, ethical behaviour and how to raise, investigate and respond to concerns.
Monitoring and Review
Internal controls include segregation of duties, regular audits and real-time monitoring of transactions to identify suspicious activity. Once procedures and controls are implemented, they should be subject to regular monitoring and review to ensure their operational effectiveness in preventing and detecting fraud, identify any areas for improvement and respond to emerging risks and lessons learned from any investigations.
Reporting and Whistleblowing
Staff should feel empowered to speak up when they witness any wrongdoing. Whistleblowing is “one of the most effective ways to uncover fraud”. To enable this, organisations need to make sure that employees are aware of whistleblowing policies and procedures, establish clear, independent and confidential reporting channels, and provide whistleblowers with protection from retaliation.
What are the implications for Auditors?
The introduction of the ‘Failure to Prevent Fraud’ offence has several implications for auditors. Most immediately, it is a new law which, if not complied with, could have material effects on the financial statements of audited entities. The responsibilities of the auditor in relation to such laws are set out in ISA 250A, and auditors will need to consider how the introduction of this new offence could affect the procedures they need to undertake in accordance with this standard. For example, the current application guidance to ISA 250A states that auditors may need to make inquiries of management regarding the policies and procedures it has established to ensure compliance with the new legislation.
In addition, ISA 240 details the auditor’s responsibilities relating to fraud in financial statement audits. While the responsibility for prevention and detection of fraud sits with management and those charged with governance, auditors need to obtain reasonable assurance that financial statements are free from material misstatement due to fraud. Auditors need to identify and assess the risks of material misstatement due to fraud and perform appropriate procedures and evaluate audit evidence in response to those risks.
The increased focus on prevention of fraud provided by the new offence has implications on how auditors might identify and assess the fraud risks at the audited entity. For example, the robustness (or otherwise) of an entity’s policies and procedures established in response to the new legislation may be relevant to the auditor’s assessment of the risk of material misstatement due to fraud.
As the legal environment changes, and the nature and methods of frauds evolve, so too must the auditor’s responses to these risks. Several recommendations have been put forward on how auditors might effectively respond to this developing landscape:
- Maintaining professional scepticism and adopting a forensic-like mindset.
- Awareness that fraud perpetrators may be anyone regardless of their position in an organisation.
- Involvement of forensic accountants and/or fraud subject matter experts throughout the audit engagement.
- Undertaking continuing professional education on how to prevent, detect and respond to fraud.
- Ongoing fraud brainstorming as to how internal fraud could be committed and concealed.
- Use of artificial intelligence and data analytics tools to gather detailed client insights to help assess risks and identify material misstatements.
- Automating where possible to increase efficiency and time available for more complex audit areas.
- Performing robust testing in areas with inadequate segregation of duties.
- Ongoing face-to-face inquiries into fraud-related matters throughout the audit, extending to non-accounting personnel and external parties.
- Understanding of the client’s whistleblowing process including nature/pattern of complaints, and the investigation and resolution process.
Conclusion
The introduction of the “Failure to Prevent Fraud” offence is a pivotal step forward in the UK’s battle against corporate fraud. Large organisations should proactively review their existing fraud prevention measures to ensure their alignment with the guidance before the 1 September 2025 implementation date.
To ensure compliance with ISA 250A and ISA 240, auditors should also consider how the new offence and government guidance will affect their audit procedures, in particular inquiries of management as to their fraud prevention procedures, and the identification, assessment of and response to risks of material misstatement due to fraud. These actions will help to minimise the risk of internal fraud and contribute to a more transparent and ethical business environment.