What happened
The Financial Reporting Council has fined BDO and a former senior audit partner over “significant and serious” breaches linked to the 2019 audit of NMCN, the UK construction and infrastructure contractor that later collapsed into administration. Reports say the fine against BDO was £2 million before settlement discount, reduced to about £1.33 million, with a separate reduced fine for the audit partner.
NMCN was not a small or simple business. It worked across construction, engineering and infrastructure, including complex long-term contracts. The FRC’s concerns reportedly included insufficient audit evidence, inadequate professional scepticism and weaknesses around assessing revenue, profit, contract performance and going concern.
This story is not only about external audit. For boards, contractors, public sector buyers and supply-chain partners, it is a live reminder that long-term contract risk can build quietly until the damage is already serious.
Why it matters
Long-term contracts are difficult to manage because financial, operational and commercial risk often move at different speeds.
A project may look healthy on paper while margins are shrinking. A contract may be operationally busy but commercially loss-making. A supplier may appear stable because invoices are being paid, while the underlying cash position is deteriorating. A management report may show progress, but without strong challenge, evidence and assurance, it can hide weak assumptions.
That matters for several TPMG service areas, especially Internal Audit & Risk Assurance, Contractor Advisory, Public Sector Advisory and Client Advisory.
For contractors, the lesson is clear: contract performance cannot be treated as a spreadsheet exercise. It needs proper governance, early-warning controls, margin scrutiny, claims visibility and evidence-backed reporting.
For clients and public sector bodies, the issue is equally important. A contractor’s financial stress can become a delivery risk, service continuity risk, resident risk, patient risk or political risk. When a key supplier fails, the client often inherits the operational problem.
For boards, the question is not “Did we have reports?” The better question is: “Did we have enough independent challenge to trust the reports?”
What good looks like
Good contract risk assurance is practical, evidence-led and regular. It does not wait until year-end. It looks at the live indicators that show whether contracts are genuinely healthy.
First, contract governance should be clear. Every major contract should have named ownership, defined escalation routes, agreed reporting cycles and a documented risk register.
Second, financial assumptions should be challenged. Forecast margins, variations, claims, penalties, inflation pressures, subcontractor costs and labour assumptions should all be tested. Where figures rely on judgement, the judgement should be documented.
Third, operational evidence should match commercial reporting. Progress reports, site records, resource plans, client correspondence and programme updates should support the numbers.
Fourth, early-warning indicators should be monitored. These may include repeated cash requests, payment delays, rising disputes, high staff churn, increasing subcontractor complaints, missed milestones or repeated “temporary” fixes.
Fifth, boards and senior teams need independent assurance. Internal audit or an external assurance partner should periodically test whether the governance framework is working in practice, not just whether it exists on paper.
What to do now by audience size and sector
Small contractors and SMEs should start with the basics. Review your top five contracts. Check whether each has a current margin forecast, a live risk log, written variation evidence and clear ownership. Do not rely on informal updates or memory.
Mid-sized contractors should strengthen monthly contract review meetings. Finance, operations and commercial teams should review the same data together. Any major assumption should be evidenced and challenged.
Large contractors and multi-site providers should run independent contract assurance reviews across high-value or high-risk work. Focus on long-term contracts, low-margin work, heavy subcontractor dependency and projects with unresolved claims.
Public sector clients should review supplier resilience and contract management arrangements. This is not just procurement due diligence at award stage. It should continue through mobilisation, delivery, variation and renewal.
Housing, healthcare, education and infrastructure clients should identify critical suppliers where failure would disrupt services. For those suppliers, review financial resilience, contingency plans and early-warning triggers.
Professional services and advisory firms should also take note. The FRC action underlines the importance of scepticism, evidence and challenge. Those principles apply beyond statutory audit. They apply to any assurance, due diligence, governance or advisory work.
How TPMG helps
TPMG helps organisations strengthen contract risk, governance and assurance before problems become crises.
Through Internal Audit & Risk Assurance, TPMG can review contract controls, board reporting, risk registers, escalation routes and evidence trails. Through Contractor Advisory, TPMG can support contractors with practical governance, margin visibility and commercial control. Through Public Sector Advisory and Client Advisory, TPMG can help buyers understand supplier risk, contract resilience and delivery assurance.
The aim is simple: better visibility, earlier challenge and stronger evidence for decisions that matter.
