Forensic accountant David Lister of Pinsent Masons was commenting as the final stage of the UK’s expanded corporate criminal liability regime took effect on 29 June, as many firms prepare for the upcoming autumn audit cycles and December year-end.
ECCTA marks the UK’s most significant reform of corporate criminal law since the Bribery Act 2010. The three-stage reform began on 1 September 2025, when failure to prevent fraud by ‘associated persons’ was introduced as a new corporate criminal offence. This new offence places the onus on businesses themselves to demonstrate that they have “reasonable procedures” in place to prevent employees, agents and subsidiary companies from committing fraud.
The legislation is aimed at driving behavioural change by encouraging organisations to improve prevention frameworks and embed fraud risk management into their core governance processes.
Lister commented that ECCTA is a “helpful” tool for auditors: “When issues arise the outcry is often ’where were the auditors, how did they not spot this?’”, he said, “but now with ECCTA audit firms can place the onus and burden of fraud back on their clients”.
He said the resulting changes to risk exposure for corporates are material. Although the phased approach has allowed many businesses time to prepare, he warned that auditors will be paying particularly close attention to organisations’ fraud risk management programmes, in particular where clients may have live financial crime investigations ongoing during the audit cycle.
For public companies, he said the potential reputational risks of fraud threaten to impact share prices and even result in litigation further down the line. Going into the next audit cycle, he warned this could lead to increasingly challenging conversations between boards and auditors. “Many organisations are already grappling with some difficult conversations with their auditors, and the quality of investigation work is increasingly under scrutiny,” he said. “When investigations around fraud surface, auditors will also be very interested to understand and ‘shadow’ those investigations.”
Now that the new corporate criminal liability regime is in full effect, Lister said it is vital for company boards and their audit committees to re-examine their processes and the ways they do business.
He said it would be important for firms to seek legal and accounting advice to ensure any potential issues are identified early on in the audit process. “Boards often misstep in the early stages of the discussion with their auditors and it is very difficult to recover once this happens,” he said. “However, the interaction with auditors is essential: auditors are required to assess fraud risk and internal controls as part of their responsibilities and audit findings may surface weaknesses in fraud prevention frameworks that carry potential legal consequences.”
A further often overlooked but no less significant change introduced by ECCTA is the enhanced role of Companies House in scrutinising corporate information. Historically, Companies House largely accepted filings at face value, with limited powers to verify or challenge the information submitted. ECCTA substantially changes this position by giving the registrar new powers to query information, require supporting evidence and reject filings where inconsistencies or concerns arise.
This shift will have important implications for both companies and their auditors, said Hinesh Shah, a forensic accountant at Pinsent Masons. “As Companies House undertakes greater scrutiny of filings, inconsistencies between information submitted to the registrar and information contained within audited financial statements, annual reports or governance disclosures may become more visible,” he said. “While responsibility for the accuracy of filings remains with company directors, auditor attention is likely to focus increasingly on the processes and controls that support information reported publicly, particularly where regulatory queries or anomalies emerge.”
The enhanced powers granted to the registrar reinforce the need for robust governance, accurate record keeping and effective verification processes. They also align closely with auditors' responsibilities to understand the control environment, assess risks of misstatement and consider compliance with laws and regulations. “In practice, organisations should expect greater scrutiny of the evidence underpinning their public disclosures and increased focus on the consistency of information reported across regulatory and financial reporting channels,” added Shah.