Published: 7 May 2021

In our latest dilemma, find out what to do when an auditor observes possible fraudulent behaviour unrelated to the audit.


An auditor for a construction group is conducting a second party audit of an engineering services company.  

He is in the sales and estimating department where he is checking the contract documents for the installation of electrical and mechanical services for a new hotel project.  

The auditor notices that an estimator is working on the bid for a new hospital project for the local Health Trust at an adjacent desk. Alongside the company’s bid documents is a bid folder from another services company. From his knowledge of the sector, he recognises the name of the main competitor for the contract.  

The audit of the sales and estimating department is satisfactory and no major issues are found. However, the auditor is uncomfortable with the possibility that he has observed the involvement of the services company in a cartel operation to defraud the public sector through bid rigging. 

What should he do? 


The objectives, scope and criteria of the second party audit need to be adhered to (reference: ISO 19011:2018 clauses 5.2 and 5.4.3). The audit is intended to verify that planned contractual requirements (including related documents) for the installation of electrical and mechanical services for a new hotel project are being met.  

The auditor is not certain he has witnessed a criminal and reportable offence. His presence in the auditee’s office may also have been accompanied with an information security and confidentiality agreement (reference: ISO 19011:2018 clause 5.1). It appears that his remit in this audit does not entitle him to enquire about or investigate the matter with the auditee, as per the agreed audit objectives, scope and criteria. 

The auditor, however, is entitled to discuss his observation with his supervisor if he believes it may have an adverse impact on the contractual requirements of the new hotel project. This issue and the risk it poses to the contract could be considered in the planning of subsequent audits of the company (reference: ISO 19011:2018 clause 5.3). 

If you have a dilemma you think we should include in our new Auditor Dilemmas series, please email [email protected] 

With thanks to Ian Dunlop, CQP FCQI, for providing the scenario, and Roland Tan, IRCA Certificated Lead/Principal Auditor, for providing the response.