Risk assessment
Fraud risk assessment evidence for ECCTA readiness.
A practical guide for compliance, financial-crime, legal, risk, governance, and adviser teams documenting the risk-assessment principle without turning workflow records into legal conclusions.
Risk assessment is the organising layer
The Home Office guidance names risk assessment as one of the six fraud-prevention principles. For evidence teams, it should be the map that connects fraud scenarios, associated persons, controls, gaps, and reviewer decisions.
A useful risk assessment file records the assessment date, owner, methodology, business units, geographies, associated-person populations, fraud scenarios considered, and the source version of the guidance used.
Record the scenario-to-control chain
Each material fraud scenario should link to the prevention procedures relied on, the evidence supporting those procedures, and any unresolved gaps. Without that chain, the file becomes a risk register that lists risks but cannot show what evidence was actually reviewed for each one.
Evidence items include due-diligence records, training records, approval controls, monitoring outputs, remediation actions, whistleblowing or investigation trends, and reviewer notes.
Set a refresh cadence and preserve versions
The monitoring and review principle means the file should show when the risk assessment was last reviewed, what changed, and what triggered the update.
Version history matters. A board pack should distinguish current evidence from stale, rejected, superseded, or pending items, and the replacement lineage should explain why the current version changed.
Map to gap and risk-register workflows carefully
DefenceFile can help turn risk assessment work into gap-map and risk-register views: scenario, control, evidence item, owner, status, review decision, and board-pack blocker.
Those views are workflow support only. They do not decide whether procedures are reasonable, and they do not show that the organisation has discharged its s.199(4) burden of proving it had reasonable prevention procedures in place.
Prepare for evidence-in-operation questions
The SFO compliance-programme evaluation guidance says that policies and controls on paper do not, by themselves, show that a compliance programme is effective. Risk assessment evidence should therefore show the assessment in operation: who reviewed it, what evidence was sampled, what issue was found, and what action followed.
The strongest workpaper is candid about what is incomplete. A visible unresolved gap is better than a polished pack that hides uncertainty from reviewers.