Large capital projects—particularly in construction, infrastructure, energy and public-sector development—carry inherent financial, operational and compliance risks. When these projects experience significant cost overruns, delays, or allegations of fraud, waste or abuse, scrutiny quickly shifts from project execution to governance and oversight.

For CPAs providing audit and attestation services to project owners or general contractors, these situations often trigger a familiar and uncomfortable question from boards, regulators and litigators alike: “Where were the auditors?”

Understanding how fraud and compliance risks manifest in large capital projects—and how those risks intersect with audit responsibilities—is critical for CPAs charged with providing assurance over financial statements that include significant project-related balances, estimates and disclosures.

Why capital projects create elevated audit risk

Capital projects differ meaningfully from routine business operations. They are temporary, complex and frequently managed by project-specific teams operating under intense schedule and budget pressure. Decision-making authority is often decentralized, with significant judgment exercised by project managers, engineers and procurement personnel outside the finance function.

From an audit perspective, these conditions heighten the risk of:

• Material misstatement related to capitalized costs

• Improper cost allocation or unsupported estimates

• Inappropriate revenue recognition on long-term contracts

• Management bias in forecasting project outcomes

• Weak internal controls over project-level transactions

These risks are amplified when projects involve joint ventures, extensive subcontracting, significant change orders or government funding—common characteristics of large projects, particularly in California.

In such environments, traditional audit risk models may not fully capture the behavioral and governance dynamics present in capital projects. While auditors are trained to assess pressure, opportunity and rationalization, capital projects often elevate additional risk factors—such as authority concentration, confidence-driven decision-making and informal control overrides—that can materially affect fraud risk and the risk of material misstatement.

Fraud, waste and abuse: Why auditors are drawn into the narrative

Not every troubled project involves fraud. However, allegations of fraud, waste or abuse frequently arise once projects go sideways. According to the Association of Certified Fraud Examiners’ Report to the Nations, most occupational fraud is detected through tips rather than audits or internal controls.

From an auditor’s standpoint, this reality presents a challenge: fraud may exist even when audit procedures have been properly designed and executed.

Despite this, auditors are often scrutinized in hindsight when fraud impacts material balances or disclosures. Questions arise about whether risks were appropriately identified, whether professional skepticism was applied and whether audit responses were sufficient given what later comes to light.

This disconnect between how fraud is typically detected and how audit performance is evaluated underscores the importance of robust, well-documented fraud risk assessments, particularly in complex project environments.

Common project-related fraud risks with audit implications

Certain fraud and abuse schemes appear repeatedly in large capital projects and have direct relevance to audit risk.

Procurement and vendor-related misconduct may include bid rigging, undisclosed related-party transactions or vendor favoritism. These practices can result in inflated contract values and project costs that flow directly into capitalized balances or cost of revenue.

Change order manipulation. While change orders are often legitimate, they can also be used to conceal inflated pricing, duplicate billings or costs that should have been included in the original contract. Weak documentation or inconsistent approval processes increase the risk that unsupported costs are recorded without sufficient audit evidence.

Overbilling and cost misclassification by subcontractors or consultants can lead to inappropriate capitalization, misstated margins or impairment issues. Auditors often rely heavily on management representations and project documentation when evaluating these costs.

Conflicts of interest, particularly undisclosed relationships between project personnel and vendors, can undermine procurement integrity and raise questions about fraud risk assessment and related-party considerations.

These risks are often exacerbated by behavioral and governance dynamics within project leadership. One way auditors can sharpen professional skepticism in these situations is by supplementing traditional fraud risk thinking with additional behavioral risk lenses, such as those discussed below, "Using the Seduction of Fraud Diamond in Capital Project Audits."

Whistleblower allegations and audit response

Tips and whistleblower complaints are often the initial trigger for investigations involving capital projects. While auditors may not receive these tips directly, they frequently become aware of allegations through management, audit committees or legal counsel.

In capital project environments, whistleblower allegations frequently arise when individuals observe conduct that reflects excessive confidence, entitlement or disregard for controls by project leadership. While auditors are not responsible for evaluating intent or personality traits, awareness of these behavioral signals can help auditors better assess the credibility of allegations and determine whether underlying fraud risk factors may be present.

For auditors, the existence of whistleblower allegations—substantiated or not—should prompt careful consideration of whether fraud risk assessments need to be revisited, audit procedures modified or disclosures evaluated, particularly when allegations relate to areas of significant judgment or material balances.

Compliance and legal risk as audit risk

Many large capital projects are subject to regulatory and legal requirements beyond standard commercial obligations. Projects involving government funding, public procurement rules, grants or public-private partnerships introduce additional compliance risks that can have financial statement implications.

Failures to comply with procurement rules, funding conditions, labor requirements or contractual obligations may result in disallowed costs, penalties, contract termination or litigation. When such outcomes are reasonably possible or probable, auditors must consider their impact on recognition, measurement, and disclosure.

As a result, compliance failures in capital projects often evolve into audit risk, even when they originate outside the finance function.

When projects turn into disputes

When significant issues arise, capital projects frequently end in disputes involving cost overruns, delays or allegations of improper conduct. In these situations, auditors may find their work examined alongside analyses prepared by forensic accountants, project controls experts and damages specialists engaged in litigation or arbitration.

In hindsight, disputes often highlight weaknesses such as inadequate documentation, poorly supported estimates, weak segregation of duties or informal approval processes. While auditors are not responsible for preventing disputes, their judgments are often evaluated against the information ultimately uncovered during these proceedings.

What auditors can do to manage professional risk

CPAs providing audit services for organizations involved in large capital projects can take several practical steps to manage professional and reputational risk, including:

• Develop a clear understanding of how major projects are governed and controlled

• Identify areas of heightened judgment, estimation and management bias

• Consider whether project-related risks warrant specialized audit procedures

• Maintain heightened professional skepticism when red flags or allegations arise

• Consider behavioral and governance risk factors when documenting fraud risk assessments

• Coordinate appropriately with audit committees, legal counsel, and internal audit

These steps do not eliminate risk, but they help demonstrate a thoughtful, risk-based audit approach grounded in the realities of complex projects.

Using the Seduction of Fraud Diamond in capital project audits

Auditors have long relied on the Fraud Triangle—pressure, opportunity and rationalization—to assess fraud risk. While foundational, prior research published in California CPA has shown that many modern, large-scale frauds do not always fit neatly within this model.

The Seduction of Fraud (SoF) Diamond expands traditional fraud thinking by introducing four behavioral and environmental risk factors often present in significant frauds: opportunity, temptation, entitlement and boldness. For auditors involved in engagements with large capital projects, this framework can serve as a useful supplemental lens when exercising professional skepticism.

Applying the SoF Diamond to capital projects:

• Opportunity: Decentralized authority, compressed timelines, weak segregation of duties and heavy reliance on project-level estimates can create expanded opportunities for misstatement or fraud.

• Temptation: Schedule pressure, financial incentives tied to milestones and fear of project failure can encourage control overrides or delayed recognition of unfavorable information.

• Entitlement: Project leaders may rationalize exceptions to controls under a “project success at all costs” mindset, particularly when projects are considered critical or high-profile.

• Boldness: Strong personalities willing to override controls, resist challenge, or dismiss concerns can materially increase management override risk.

Why does this matters to auditors? Auditors are not expected to diagnose intent or personality traits. However, awareness of these dynamics can help auditors identify areas requiring heightened skepticism, better evaluate whistleblower allegations and more clearly document fraud risk considerations in complex project environments.

When capital projects later become the subject of investigations, disputes or litigation, audit judgments are often evaluated in hindsight. Using a structured lens such as the SoF Diamond can help auditors demonstrate that fraud risk assessments considered not only transactional risks, but also the behavioral and governance realities of large projects.

Final thoughts

Large capital projects present unavoidable risk, and not every project failure reflects an audit deficiency. However, when projects experience significant fraud, waste or abuse, auditors are often pulled into the narrative—fairly or not.

By understanding how project risks, behavioral dynamics, compliance failures and disputes intersect, CPAs can better position themselves to answer the inevitable question—“Where were the auditors?”—with confidence, clarity and defensible professional judgment.