The failure to prevent fraud duty under Part 4 of the Economic Crime, Transparency and Accountability Act came into force on 1 September 2025. For most internal audit functions, the question is no longer whether ECCTA belongs in the audit plan (it does) but how to cover it credibly.
What the duty actually requires
The duty is straightforward in principle: large organisations must have reasonable procedures in place to prevent fraud being committed for their benefit by associated persons. If fraud occurs and a prosecution arises, the only defence available is demonstrating that those reasonable procedures existed.
The Home Office guidance sets out six principles: proportionate procedures, top-level commitment, risk assessment, due diligence, communication and training, and monitoring and review. These are deliberately non-prescriptive. What counts as reasonable depends on the size, sector, and risk profile of the organisation. That judgement belongs to the board. Internal audit's job is to assess whether the judgement the board has made is grounded in evidence.
Where internal audit fits
The starting point is understanding what management has done. Most organisations that fall within scope (large companies meeting two of the three Companies Act size thresholds) will have at minimum acknowledged the duty and begun some form of gap analysis. What internal audit needs to assess is whether that work is substantive or superficial.
There are three distinct audit roles here, and they are worth keeping separate in your planning:
Assurance over the gap analysis itself. If management has commissioned an external or internal gap analysis against the six principles, internal audit can assess whether the methodology was sound, whether the right fraud risks were considered, and whether the conclusions are supportable. This is different from re-doing the gap analysis; it is reviewing the quality of the work already done.
Assurance over the procedures. Once an organisation has established what its fraud prevention procedures are, internal audit can assess whether those procedures are operating effectively. Are the controls described in policy actually operating in practice? Are the relevant people trained? Is the monitoring and review process functioning?
Advisory input during implementation. Some audit functions will be asked to contribute to the design of procedures, particularly where the internal audit team has financial crime expertise. This needs to be managed carefully: providing advisory input creates a self-review risk if internal audit subsequently audits the same procedures. Where this happens, the impairment should be documented and disclosed to the audit committee.
Scoping the audit
The scope of an ECCTA audit will depend on where the organisation is in its compliance journey. For firms that are still completing their gap analysis, it is probably too early to audit the procedures themselves; there may be little to audit. In that case, the more useful contribution is assurance over the risk assessment process: has the organisation identified the right fraud risks, considered the right associated persons, and assessed its existing controls honestly?
For firms that are further along, the audit scope should cover at minimum: the adequacy of the risk assessment against the Home Office guidance; the completeness of the procedures documentation; the evidence that top-level commitment is genuine rather than nominal; and the operation of the monitoring and review process.
The question of materiality is worth thinking through carefully. ECCTA is not an area where internal audit should apply its standard risk-based filter and conclude that the exposure is low. The reputational and legal consequences of a successful prosecution under the duty are significant regardless of the financial value of the underlying fraud. Scope accordingly.
Reporting considerations
Audit reports on ECCTA coverage should be specific about what was assessed and what was not. A report that says "we reviewed the organisation's ECCTA compliance" without specifying whether that covered the risk assessment, the procedures, or their operation will not give the audit committee what it needs. Be precise.
Where gaps are identified, the report should distinguish between gaps in the procedures themselves and gaps in the evidence that those procedures are operating. Both are significant, but they require different management responses. A procedure that exists on paper but is not operating is a more immediate risk than a procedure that is operating but not well documented.
Finally, the audit committee should understand the status of the organisation's ECCTA compliance independently of any audit work. Internal audit's job is to provide assurance, not to be the primary source of information about the duty. If board members are hearing about ECCTA for the first time through an internal audit report, something has gone wrong earlier in the governance process.
Getting specialist support
ECCTA is a new duty and most internal audit functions do not have deep expertise in corporate criminal liability or the specific fraud risks it is designed to address. Subject matter expert input, whether from an external adviser or a specialist within the firm, is worth considering for the scoping and fieldwork stages. The duty interacts with existing AML, anti-bribery, and fraud risk frameworks in ways that are not always straightforward, and getting that analysis wrong has consequences.