Key takeaways
- The four specific deficiency categories the AFM identified across 32 inspected audits, with the counts for each
- Why your journal entry testing probably isn’t meeting NV COS 240.32 requirements based on what the AFM found
- How to fix the most common finding (standard procedures applied to specific fraud risks) with concrete file changes
- What the AFM considers good practice for fraud expert involvement, data analytics, and the unpredictability element
What the AFM inspected and what it found
The AFM’s January 2025 report, “Insufficient audit procedures in response to fraud risks,” examined 32 statutory audits for financial years 2022 and 2023 at 13 audit firms. Twelve of these audits were at PIE audit firms; the remaining 20 were at regular (non-PIE) firms. For each audit, the AFM selected at least two fraud risks: the mandatory management override of controls risk, plus at least one client-specific fraud risk.
The headline finding: 23 of 32 audits contained one or more findings where the auditor did not obtain sufficient and appropriate audit evidence to address the identified fraud risks. Fifteen of those 32 had more than two findings. Only nine audits had zero findings.
At non-PIE firms the picture was worse. Seventeen of 20 inspected audits had findings. At the PIE firms, six of 12 had findings, though the AFM noted that the number varied between the three PIE firms inspected.
This report follows the AFM’s June 2023 publication “More attention for fraud risks!” which focused on the quality of the fraud risk analysis itself. The 2025 report targets the next step: whether the audit procedures performed actually respond to the risks identified. The AFM’s conclusion is that they often don’t.
Client-specific fraud risks: standard procedures applied to non-standard risks
The AFM’s central finding is that auditors plan and perform standard audit procedures to address identified fraud risks without adapting the nature, timing, or extent of those procedures to the specific risk. NV COS 240.31 (equivalent to ISA 240.30) requires the auditor’s further procedures to be responsive to the assessed fraud risks at the assertion level. When the response is a generic procedure rolled forward from the prior-year file, that link does not exist.
The AFM found this pattern across multiple fraud risk categories.
Corruption risks
One auditor obtained a list of agent commission invoices but performed no further procedures on it. Contracts with agents weren’t assessed. No consideration was documented. Another auditor analysed outgoing payments to countries with low Transparency International CPI scores, which was appropriate, but then failed to verify the business rationale against source documentation for several of the flagged transactions. The AFM’s point is specific: selecting transactions for further verification because of fraud risk and then not completing the verification defeats the purpose of the selection.
Revenue recognition fraud risks
Auditors in several cases performed only standard audit procedures (the same procedures they would perform regardless of risk assessment). The AFM found that in some audits no specific procedures were conducted on the particular assertion to which the auditor had linked the fraud risk.
Payment organisation risks
Auditors didn’t perform planned procedures, limited testing to the largest suppliers or a single bank account, or didn’t establish that the supplier existed and that the service on the invoice was actually delivered. A recurring finding: auditors did not obtain source documentation when performing tests. The AFM emphasized that for fraud risks specifically, testing in sufficient depth means going back to the source document, not stopping at management’s summary.
Group audits
Group auditors in some cases did not follow up on peculiarities reported by component auditors. In other cases, the group auditor’s instructions to component auditors made no mention of fraud risks or the procedures needed to address them. Some group auditors conducted inadequate reviews of fraud-related procedures performed by component auditors, particularly around journal entries and revenue recognition.
Journal entry testing and management override: where most files fall short
Management override of internal controls is a mandatory fraud risk under NV COS 240.33 (ISA 240.32). Every statutory audit must include journal entry testing. The AFM found that this area, which should be the most standardised part of fraud documentation, still generates significant findings.
The AFM report makes a distinction that most audit files miss. Selecting journal entries for testing based on fraud risk criteria is step one. Testing them is step two. The AFM found that auditors select entries using appropriate criteria (unusual amounts, weekend postings, round numbers, manual entries bypassing controls) but then fail to obtain sufficient audit evidence about whether the entries are appropriate.
AFM guidance on journal entry testing
Performing inquiries alone is not sufficient to obtain adequate assurance over the appropriateness of journal entries. The auditor has already selected these entries because of heightened fraud risk. Management is in a unique position to perpetrate fraud through journal entries. Accepting management’s explanation of the entry without verifying it against source documentation is the opposite of professional scepticism.
The AFM also found that it was insufficient to conclude solely on the basis of the journal entry’s description that there was no heightened risk and that the entry was acceptable. If a journal entry was selected for testing because its characteristics matched fraud risk criteria, the auditor needs to go beyond the description field.
For the retrospective review of accounting estimates (NV COS 240.33b, equivalent to ISA 240.32(b)), the AFM observed that auditors sometimes performed the review mechanically without evaluating whether the results indicated possible management bias. The review is supposed to identify tendencies in estimates that could signal fraudulent financial reporting. If every provision is consistently under- or over-estimated in the same direction across multiple periods, that pattern requires investigation, not just documentation, even when each individual estimate fell within an acceptable range.
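The directional test described above, as an added example that is not part of the AFM report or the original page: it takes prior-period estimates and their eventual outcomes and reports whether the errors all point one way, separately from whether each error sits inside a tolerance. The provision names, amounts (in thousands of euros) and the 10% tolerance are constructed assumptions for a hypothetical entity.

```python
"""Retrospective review of accounting estimates as a directional-bias signal.

Added example with constructed figures for a hypothetical entity; not from the
AFM report. Amounts are in thousands of euros and purely illustrative.
"""

# (estimate recognised at year-end, amount eventually settled), oldest first.
ESTIMATE_HISTORY = {
    "warranty provision": [(500, 470), (550, 520), (600, 560)],      # small but always over
    "bad debt allowance": [(200, 260), (210, 280), (250, 320)],      # always under
    "restructuring provision": [(1000, 1050), (900, 860), (1100, 1080)],
}


def directional_bias(history, min_periods=3):
    """Return ('over' | 'under' | 'mixed' | 'insufficient', mean signed error).

    Signed error is (estimate - actual) / actual, so a positive value means the
    provision was overstated. 'over' or 'under' is reported only when every
    period errs the same way, which is the pattern that needs investigation.
    """
    if len(history) < min_periods:
        return "insufficient", None
    errors = [(est - act) / act for est, act in history]
    mean_err = sum(errors) / len(errors)
    if all(e > 0 for e in errors):
        return "over", mean_err
    if all(e < 0 for e in errors):
        return "under", mean_err
    return "mixed", mean_err


def review(histories, tolerance=0.10):
    """Map each estimate to its bias verdict and whether follow-up is required.

    Follow-up is required for any one-directional pattern, and separately for
    any single period whose error exceeds `tolerance` (assumed 10%), so a
    consistent small bias is not masked by a within-range check.
    """
    out = {}
    for name, hist in histories.items():
        direction, mean_err = directional_bias(hist)
        in_range = all(abs(est - act) / act <= tolerance for est, act in hist)
        out[name] = {
            "direction": direction,
            "mean_error": None if mean_err is None else round(mean_err, 3),
            "all_within_tolerance": in_range,
            "follow_up": direction in ("over", "under") or not in_range,
        }
    return out


if __name__ == "__main__":
    for name, verdict in review(ESTIMATE_HISTORY).items():
        print(f"{name:25s} {verdict}")
```

The warranty provision is the case the AFM describes: every period is within tolerance, so a range check passes it, but the errors are all in the same direction and the function still requires follow-up.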
One firm’s approach stood out as good practice: it used audit software to analyse transaction flows and ledger accounts (including journals) before designing fraud procedures. Data analysis helped the auditor focus the audit on specific items and periods with higher fraud risk. In the AFM’s view, data analytics, used properly, can increase both the depth and the targeting of fraud procedures. Used improperly (without validating the reliability of the data, or without following up on identified anomalies), it adds nothing.
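The two-step distinction above (select on fraud-risk criteria, then test to a source document) and the data-reliability caveat, as an added example that is not from the AFM report or any inspected audit. The script selects journal entries on the criteria the text lists, then reports which selected entries the file closed on inquiry or on the description field alone, and exposes a control total for tying the extract to the general ledger before relying on it. The ledger, user names, account codes, year-end and thresholds are all constructed assumptions.

```python
"""Journal-entry selection on fraud-risk criteria, plus the second step the AFM
says files skip: checking that every selected entry was tested to a source
document rather than closed on inquiry or on its description field.

Added example; ledger, users, accounts and thresholds are constructed and
hypothetical, not taken from the AFM report or any inspected audit.
"""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

PERIOD_END = date(2023, 12, 31)                 # assumed financial year-end
PRIVILEGED_USERS = {"cfo", "controller"}        # assumed: can post outside normal controls
REVENUE_ACCOUNTS = {"4000"}                     # assumed chart of accounts
SUSPENSE_ACCOUNTS = {"2900", "2950"}            # suspense / general provision, assumed
LARGE = Decimal("50000")
# Evidence types that count as source documentation for a selected entry.
SOURCE_EVIDENCE = {"invoice", "contract", "bank_statement", "delivery_note", "board_minute"}


@dataclass(frozen=True)
class JournalEntry:
    je_id: str
    posted: date
    amount: Decimal
    user: str
    source: str          # "manual" or "system"
    debit: str           # debit account
    credit: str          # credit account
    description: str


# Constructed sample population for a hypothetical entity.
SAMPLE_ENTRIES = [
    JournalEntry("JE-001", date(2023, 3, 14), Decimal("12340.55"), "ap_clerk", "system", "6100", "2000", "Supplier invoice 4471"),
    JournalEntry("JE-002", date(2023, 12, 31), Decimal("250000.00"), "cfo", "manual", "2900", "4000", "Year-end revenue true-up"),
    JournalEntry("JE-003", date(2024, 1, 9), Decimal("75000.00"), "controller", "manual", "1200", "4000", "Late December billing"),
    JournalEntry("JE-004", date(2023, 11, 18), Decimal("3212.19"), "payroll_sys", "system", "6300", "2100", "Payroll accrual"),
    JournalEntry("JE-005", date(2023, 6, 30), Decimal("1000000.00"), "controller", "manual", "6500", "2950", "Provision top-up"),
]

# Constructed evidence log: what the file actually holds for each selected entry.
SAMPLE_EVIDENCE = {
    "JE-002": ["description_review", "inquiry"],
    "JE-003": ["invoice", "delivery_note"],
    "JE-004": ["inquiry"],
    "JE-005": [],
}


def risk_flags(e: JournalEntry) -> list[str]:
    """Return the fraud-risk criteria an entry matches (empty list = not selected)."""
    flags = []
    if e.posted.weekday() >= 5:                       # Saturday or Sunday posting
        flags.append("weekend")
    if e.posted > PERIOD_END:                         # posted after period end
        flags.append("post-close")
    if e.amount >= LARGE and e.amount % Decimal("1000") == 0:
        flags.append("large-round")
    if e.source == "manual" and e.user in PRIVILEGED_USERS:
        flags.append("manual-privileged")
    if e.credit in REVENUE_ACCOUNTS and e.debit in SUSPENSE_ACCOUNTS:
        flags.append("suspense-to-revenue")
    return flags


def select_entries(entries) -> dict[str, list[str]]:
    """Step one: map each selected entry id to the criteria that selected it."""
    return {e.je_id: f for e in entries if (f := risk_flags(e))}


def evidence_gaps(selected, evidence) -> dict[str, list[str]]:
    """Step two: selected entries with no source-document evidence on file.
    Inquiry and a review of the description field do not count."""
    gaps = {}
    for je_id in selected:
        held = set(evidence.get(je_id, []))
        if not held & SOURCE_EVIDENCE:
            gaps[je_id] = sorted(held) or ["none"]
    return gaps


def population_total(entries) -> Decimal:
    """Control total to tie the extract to the general ledger before relying on it."""
    return sum((e.amount for e in entries), Decimal("0"))


if __name__ == "__main__":
    selected = select_entries(SAMPLE_ENTRIES)
    print("selected:", selected)
    print("not tested to source:", evidence_gaps(selected, SAMPLE_EVIDENCE))
    print("extract total:", population_total(SAMPLE_ENTRIES))
```

Usage: run `population_total` against the ledger movement per the trial balance before anything else; if the extract does not tie, the selection is built on unreliable data and the AFM's point about validating the data applies. JE-003 is the only selected entry that passes step two, because the file holds an invoice and a delivery note; JE-002 was closed on inquiry and the description, which is exactly the pattern the AFM rejected.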
The unpredictability requirement most firms ignore
NV COS 240.31c (ISA 240.29(c)) requires the auditor to incorporate an element of unpredictability in the nature, timing, and extent of audit procedures. The AFM found that 13 of the 32 inspected audits included no appropriate element of unpredictability.
The requirement exists because individuals within the entity who are familiar with normal audit procedures are better positioned to conceal fraudulent financial reporting if the audit follows the same pattern every year. Performing the same sampling approach each year is not unpredictable. Announcing stock count locations in advance eliminates the element of surprise. Repeating the same procedures at the same time in the same areas tells the client exactly what is and isn’t being tested.
AFM good practice example
An auditor visited project sites without prior notice, covering both large and small projects, including projects at varying stages of completion. The auditor verified that the existence of the projects and their reported progress matched the visible status on-site. This type of procedure is impossible to anticipate and creates genuine detection risk for fraudulent project reporting.
For your own file, unpredictability doesn’t require expensive or time-consuming procedures. It requires procedures the client can’t predict. Shifting the ISA 530 sample selection to a different period than prior year, requesting bank confirmations for an account that wasn’t confirmed last year, or testing a revenue stream that falls outside the normal scope of substantive procedures all create unpredictability without significant additional cost.
Worked example: Hoekstra Bouw B.V.
Hoekstra Bouw B.V. is a Dutch construction company with €28 million in revenue. It reports four projects in progress valued at €6.2 million on the balance sheet. The company pays agent commissions to two intermediaries who source subcontractors. Your fraud risk assessment identifies two client-specific fraud risks: revenue cut-off on percentage-of-completion projects (the presumed revenue recognition fraud risk, ISA 240.26) and corruption risk on agent commissions.
1. Link each fraud risk to a specific assertion and design a specific response (NV COS 240.31)
Revenue cut-off: the assertion is occurrence and accuracy of revenue recognised on in-progress projects. Standard year-end cut-off testing does not address this. The procedure must test whether the percentage of completion reported by management matches independently verifiable project status.
Agent commissions: the assertion is occurrence (did the agent actually perform a service?) and valuation (is the commission rate commercially reasonable?). Standard accounts payable testing will never flag this because the invoices exist and are paid. The procedure must verify the business substance behind the commission arrangement.
Documentation note
Record each fraud risk with the specific assertion. State explicitly why the standard audit procedure for this balance is insufficient for the fraud risk. This is the gap the AFM identified in multiple inspected audits.
2. Perform the revenue procedures with fraud-specific depth
Select two of the four projects. For each: obtain the project progress report from the project manager, compare it to independently observable evidence (site visit photographs, subcontractor delivery confirmations, architect sign-off on milestones). If the client’s reported completion percentage is 65% but the architect’s most recent milestone sign-off covers only 48%, that discrepancy is a fraud indicator requiring further investigation. Do not accept management’s explanation without corroborating evidence.
3. Perform the corruption procedures to source-document depth
Obtain the agency contracts for both intermediaries. Verify that the contract specifies what service the agent provides and what the commission rate is. For a sample of commission payments, trace the payment to the bank statement, match it to a specific subcontractor engagement, and verify that the subcontractor actually performed work on a Hoekstra project. If the agent’s commission is 12% of the subcontractor cost but the contract specifies 5%, that discrepancy requires explanation and source-document verification, not just an inquiry of management.
4. Include an unpredictability element
Visit one project site unannounced to verify that the project exists and that its visible progress aligns with the reported completion percentage. Request bank confirmations for an account not confirmed in the prior year. Test commission payments from Q2 rather than the Q4 sample window used previously.
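Steps 2 and 3 of the worked example, as an added script that is not part of the original page: a three-way match of each commission payment against the bank statement, the subcontractor engagement it is said to relate to, independent evidence that the subcontractor worked on a Hoekstra project, and the contracted rate; followed by a comparison of reported percentage of completion against the architect's evidenced milestones. Every record is constructed for the hypothetical entity in the text; the agent names, project ids, 5% contract rate, engagement costs and the 5% completion tolerance are assumptions.

```python
"""Worked checks for the Hoekstra Bouw B.V. example: a three-way match of agent
commission payments and a comparison of reported against evidenced completion.

Added example; all records are constructed for the hypothetical entity in the
text, and agent names, project ids, rates and tolerances are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CommissionPayment:
    ref: str
    agent: str
    amount: float
    engagement: str      # subcontractor engagement the commission is said to relate to


# Commission rate per agent as read from the signed agency agreement (assumed 5%).
CONTRACT_RATE = {"Agent A": 0.05, "Agent B": 0.05}

# Bank statement lines keyed by payment reference (constructed).
BANK_LINES = {"C-101": 6000.0, "C-102": 14400.0, "C-103": 4000.0}

# Subcontractor engagements (constructed): who, on which project, at what cost.
ENGAGEMENTS = {
    "E-1": {"subcontractor": "Bakker Beton", "project": "PRJ-1", "cost": 120000.0},
    "E-2": {"subcontractor": "Vos Staal", "project": "PRJ-2", "cost": 120000.0},
    "E-3": {"subcontractor": "De Wit Installaties", "project": "PRJ-3", "cost": 80000.0},
}

# Independent evidence that a subcontractor worked on a project: delivery
# confirmations and site-visit observations (constructed).
WORK_EVIDENCE = {("Bakker Beton", "PRJ-1"), ("Vos Staal", "PRJ-2")}

PAYMENTS = [
    CommissionPayment("C-101", "Agent A", 6000.0, "E-1"),    # clean
    CommissionPayment("C-102", "Agent A", 14400.0, "E-2"),   # 12% paid against a 5% contract
    CommissionPayment("C-103", "Agent B", 4000.0, "E-3"),    # no evidence the subcontractor worked
    CommissionPayment("C-104", "Agent B", 2500.0, "E-9"),    # not in bank, engagement unknown
]

# Reported completion vs latest architect milestone sign-off (constructed).
COMPLETION = {"PRJ-1": (0.65, 0.48), "PRJ-2": (0.30, 0.30), "PRJ-3": (0.90, 0.88), "PRJ-4": (0.10, 0.12)}


def verify_commission(p: CommissionPayment, rate_tolerance=0.005) -> list[str]:
    """Source-document checks for one commission payment; empty list means it passed."""
    issues = []
    if BANK_LINES.get(p.ref) != p.amount:
        issues.append("payment not traced to bank statement")
    eng = ENGAGEMENTS.get(p.engagement)
    if eng is None:
        issues.append("no subcontractor engagement on file")
        return issues
    if (eng["subcontractor"], eng["project"]) not in WORK_EVIDENCE:
        issues.append("no independent evidence subcontractor performed the work")
    implied = p.amount / eng["cost"]
    contracted = CONTRACT_RATE[p.agent]
    if abs(implied - contracted) > rate_tolerance:
        issues.append(f"implied rate {implied:.1%} differs from contract rate {contracted:.0%}")
    return issues


def commission_exceptions(payments) -> dict[str, list[str]]:
    """Payments that failed at least one check, with the reasons."""
    return {p.ref: iss for p in payments if (iss := verify_commission(p))}


def completion_exceptions(completion, tolerance=0.05) -> dict[str, float]:
    """Projects whose reported completion exceeds evidenced completion by more than
    `tolerance`. Only overstatement is flagged, since that is the direction that
    inflates percentage-of-completion revenue."""
    return {pid: round(rep - evid, 2) for pid, (rep, evid) in completion.items() if rep - evid > tolerance}


if __name__ == "__main__":
    for ref, reasons in commission_exceptions(PAYMENTS).items():
        print(ref, "->", "; ".join(reasons))
    print("completion overstated:", completion_exceptions(COMPLETION))
```

Each exception is a question for source documents, not for management: the 12% rate on C-102 is answered by the agency contract and the payment instruction, and the 17-point gap on PRJ-1 by the site visit and the architect's sign-off. A reasons list that stays empty only because a check was never run is itself a finding, which is why the bank and engagement lookups fail closed when a record is missing.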
What a reviewer sees
Procedures designed for the specific fraud risk, not recycled from prior year. Source documentation obtained for every test, not just management inquiry. An unpredictability element that the client could not have prepared for.
Your file checklist for AFM-ready fraud documentation
- For every client-specific fraud risk in the file, verify that a specific procedure has been designed for that risk at the assertion level (NV COS 240.31). If the procedure is identical to what you would perform without the fraud risk, the response is insufficient.
- For journal entry testing, confirm that selected entries were tested against source documentation, not just evaluated based on their description or management’s verbal explanation (per AFM January 2025 guidance).
- Verify that the retrospective review of accounting estimates explicitly assesses whether results indicate directional bias, not just whether individual estimates fell within an acceptable range.
- Confirm that the file documents at least one element of unpredictability (NV COS 240.31c) that goes beyond standard sampling variation. The AFM found no unpredictability in 13 of 32 inspected audits.
- For group audits, verify that the group auditor’s instructions to component auditors include specific fraud risk procedures and that the group auditor reviewed the component’s fraud-related work (ISA 600.40).
- Where data analytics were used in fraud procedures, verify that the reliability of the underlying data was tested and that anomalies identified were followed up to source-document level.
Common mistakes from the AFM’s 2025 fraud review
- The AFM found that in 10 of 32 inspected audits, the fraud section of the auditor’s report was incorrect or incomplete, presenting an overly positive picture of the procedures actually performed. If your auditor’s report describes fraud procedures that weren’t performed (or were performed at a depth insufficient to support the reported conclusion), the report itself becomes a finding.
- In six of 32 audits, the AFM identified insufficient professional scepticism, defined as cases where there were both multiple findings on fraud procedures and no sufficient follow-up of contraindications or peculiarities. The AFM’s criterion is worth noting: it wasn’t a mindset assessment but a factual test of whether anomalies encountered during testing were investigated or ignored.
- The AFM found that only 11% of statutory audits at non-PIE firms identified at least one fraud risk (compared to 30% at PIE firms). Since 2022, there has been a positive trend toward identifying more fraud risks at non-PIE firms, but the gap remains large. If your non-PIE audit file identifies zero client-specific fraud risks beyond management override, the AFM’s data suggests your risk assessment is likely incomplete.
Frequently asked questions
What did the AFM find in its January 2025 ISA 240 fraud inspection?
The AFM examined 32 statutory audits and found deficiencies in 23 of them. At non-PIE firms, 17 out of 20 audits had at least one finding. The main issue was auditors applying standard procedures to specific fraud risks without adapting the nature, timing, or extent of those procedures.
Why is journal entry testing a common area of ISA 240 findings?
The AFM found that auditors select journal entries using appropriate fraud risk criteria but then fail to obtain sufficient audit evidence about whether the entries are appropriate. Performing inquiries alone or concluding solely based on the journal entry description is insufficient when entries were selected due to heightened fraud risk.
What is the unpredictability requirement under ISA 240?
NV COS 240.31c (ISA 240.29(c)) requires the auditor to incorporate an element of unpredictability in audit procedures. The AFM found that 13 of 32 inspected audits included no appropriate element of unpredictability. Examples include unannounced site visits, shifting sample selection periods, or testing revenue streams outside the normal scope.
How should auditors document fraud risk responses to satisfy AFM expectations?
For every client-specific fraud risk, design a specific procedure at the assertion level (NV COS 240.31). The procedure should differ from what you would perform without the fraud risk. Test journal entries against source documentation, not just management explanations. Document the unpredictability element separately in the fraud section of the file.
What percentage of non-PIE audits identified at least one client-specific fraud risk?
Only 11% of statutory audits at non-PIE firms identified at least one fraud risk, compared to 30% at PIE firms. The AFM notes a positive trend since 2022 but the gap remains large, suggesting many non-PIE audit risk assessments are incomplete.
Source references
- AFM, “Insufficient audit procedures in response to fraud risks,” January 2025
- AFM, “More attention for fraud risks!” June 2023
- ISA 240 (NV COS 240), The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements
- ISA 600, Special Considerations — Audits of Group Financial Statements