What you'll learn
- You'll be able to structure and run the ISA 240.29 engagement team discussion using an 11-item agenda that covers every required topic
- You'll know what to document for each agenda item (substance of discussion, not just conclusions reached)
- You'll understand how to use a pre-meeting preparation technique to improve the quality of fraud scenarios identified
- You'll be able to flow the discussion output directly into the [fraud risk register](/isa-240-fraud-risk-assessment-pack)
Two partners at the same firm. Same size clients. Same industry. One partner's fraud brainstorming fills six pages with entity-specific scenarios, named risks, and documented dissenting views. The other's fits on a single page: "The team discussed fraud. No specific risks identified beyond management override." Both technically say they held the discussion. Only one will survive an inspection.
The ISA 240.29 fraud risk brainstorming discussion requires the engagement team (with mandatory partner participation) to discuss the entity's susceptibility to material misstatement due to fraud, covering how fraud could be perpetrated and concealed, what factors create incentive or opportunity, and how procedures will be designed to remain unbiased.
What ISA 240.29 requires (and what most teams miss)
ISA 240.29 requires the engagement team to discuss the entity's susceptibility to material misstatement due to fraud. The partner must participate. The discussion must cover specific topics (not just a general conversation about fraud). And the revised standard requires documentation of the matters discussed, not just the conclusions reached.
Most teams miss the last point. The file shows a conclusion: "The team discussed fraud risks. Revenue recognition and management override were identified." But what did they actually discuss? Which revenue streams? What specific override scenarios? Did anyone disagree? Did anyone raise a risk that was later dismissed, and if so, why?
ISA 240.68(a) requires the auditor to document the matters discussed with the team. A conclusion is not a matter. "The CFO has personal pressure from the earn-out clause and could manipulate the percentage-of-completion estimates to inflate revenue" is a matter. "Revenue recognition risk discussed" is not. The difference is the difference between a file that demonstrates professional scepticism and a file that merely claims it.
The revised standard (paragraph 29) also adds topics that were not explicitly required before. Unbiased procedure design (paragraph 42) must be discussed: how will the team avoid designing procedures that only confirm management's assertions? Specialist consideration (paragraph 23) must also be discussed: does this engagement need forensic or fraud specialist skills beyond what the team possesses? These are not optional additions. They are new agenda items that must be covered and documented.
The engagement team includes everyone assigned to the engagement who will be involved in performing audit procedures. If you have team members who were not present for the discussion, ISA 240.29(c) requires you to communicate the relevant matters to them. Document who received the communication and when.
The 11-item brainstorming agenda
A structured agenda ensures every required topic is covered and documented. Here are the eleven items, each mapped to a paragraph reference in the revised standard.
Item 1: Entity culture, management integrity, ethical values, and TCWG oversight (paragraph 29(a)(i)). Open the discussion with what the team knows about the entity's ethical tone. How does management communicate values? Is there a code of conduct? How active is TCWG oversight of financial reporting? If this is a recurring engagement, what has the team observed about management's behaviour in prior years? This item sets the context for everything that follows.
Item 2: Incentives and pressures to commit fraud (paragraph 29(a)(ii)(a)). Who at this entity has a reason to commit fraud? Cover management, those charged with governance, and employees. Be specific: named individuals with specific pressures, not generic statements about "management pressure." If the CFO has a bonus tied to EBITDA, name the CFO, state the bonus structure, and state the current proximity to the target.
Item 3: How management, TCWG, or employees could perpetrate and conceal fraudulent financial reporting (paragraph 29(a)(ii)(b)). This is the core brainstorming question. What specific schemes could work at this entity? Which accounts would be affected? What entries would be posted? How would the perpetrator hide it from the audit team? This item should produce the most discussion and the most entity-specific scenarios.
Item 4: How assets could be misappropriated (paragraph 29(a)(ii)(c)). Cover management, employees, and third parties. The revised standard explicitly adds third parties as potential perpetrators. Which assets are vulnerable? Who has physical access? Who has system access? What would the theft look like in the accounting records?
Item 5: Revenue recognition risks (paragraph 29(a)(iii)). Which types of revenue, which transaction classes, or which specific assertions give rise to fraud risk? This is not a blanket "revenue is presumed a fraud risk." It requires the team to identify which specific aspect of revenue at this entity creates the risk. For a construction company, it might be percentage-of-completion estimates. For a software company, it might be timing of licence revenue recognition. For a retailer, it might be fictitious sales near period-end.
Item 6: Management override of controls (paragraph 29(a)(iv)). How could management override controls at this entity? This risk is always present, but the discussion should be entity-specific. Does the CEO approve journal entries without secondary approval? Can management override system controls in the ERP? Are there manual adjustments outside the normal approval process? What specific entries could management post to manipulate results?
Item 7: Prior-year fraud or suspected fraud (paragraph 29(b)). Has fraud been identified on this engagement before? Was suspected fraud investigated? What happened? Are prior-year matters still relevant to the current audit? If this is a first-year engagement, what did the predecessor auditor communicate?
Item 8: External information indicating fraud risk factors (paragraphs 27, A50-A51). Information from sources outside the entity: media reports, regulatory actions, whistleblower tips, industry fraud trends, peer company enforcement actions, sector-specific fraud patterns. If a competitor in the same industry was recently investigated for revenue manipulation, that is relevant to this discussion.
Item 9: Unbiased procedure design (paragraph 42). How will the team design procedures that are not biased toward confirming management's assertions? This is a new discussion topic in the revised standard. The team should specifically consider what contradictory evidence their procedures could reveal and how they will avoid the natural tendency to seek confirming evidence. This item should produce concrete commitments: "We will test WIP by obtaining independent cost estimates rather than relying solely on management's project managers."
Item 10: Specialist consideration (paragraph 23). Does this engagement require forensic or fraud specialist skills beyond the team's competence? If the fraud risks involve complex financial instruments, IT system manipulation, or industry-specific fraud patterns, the team may need specialist input. Document the decision and, if a specialist is not engaged, the reasoning.
Item 11: Summary of fraud risks to carry to the risk register (paragraph 39). The discussion should end with a clear list of fraud risks identified, each described in entity-specific terms, ready to be transferred to the risk register. Each risk should be stated as a specific scenario, not a generic category.
Running the discussion: pre-meeting preparation and facilitation
The quality of a fraud brainstorming session depends almost entirely on preparation. Research on group brainstorming consistently shows that unstructured discussions produce fewer unique ideas than structured ones because of anchoring bias: once the most senior person in the room names a risk, the team gravitates toward it rather than generating independent scenarios. This is particularly problematic in audit teams where hierarchical deference is common.
A pre-meeting preparation approach addresses this directly. Before the discussion, each team member independently identifies fraud scenarios for the entity. They write these down (in a column on the working paper designated for pre-meeting input) before entering the room or joining the call. The facilitator (typically the manager) collects all inputs before anyone speaks. This approach consistently produces more diverse fraud scenarios because junior team members are not anchored to the partner's initial framing. A second-year associate who has been testing accounts payable for four months may have noticed something that the partner, who spends two days on site, would never see.
During the session, the facilitator works through the 11-item agenda in order. For each item, pre-meeting inputs are shared first. Then the team discusses, challenges, and develops the scenarios further. The facilitator documents the substance of the discussion in real time (not after the meeting from memory, which is another common deficiency).
Two facilitation rules matter. First, the partner speaks last on each agenda item. If the partner opens with their view, junior team members are less likely to voice contradictory scenarios. This is not about undermining the partner's authority. It is about producing better fraud risk identification. Second, "none identified" for any agenda item requires a documented explanation. If the team genuinely identifies no incentive or pressure to commit fraud at this entity, that is a conclusion worth explaining in detail. It should not be the default.
The partner must be present for the entire discussion, not just the summary. ISA 240.29 requires partner participation, and inspectors have flagged files where partner attendance was limited to the opening or closing minutes. If the partner leaves the room for 40 minutes while the team discusses perpetration methods, the partner has not participated in the discussion of perpetration methods.
For small teams (two or three people), the pre-meeting technique is even more important. With only two voices in the room, one strong opinion can dominate. Having both people write down scenarios independently before discussing them ensures that the discussion starts from two perspectives rather than one.
Documenting substance, not just conclusions
Each agenda item requires a minimum of three sentences documenting the substance of what was discussed. This is not about volume for its own sake. It is about demonstrating that the team engaged with the topic rather than ticking a box.
For each agenda item, a structured working paper captures the following in separate columns:
Discussion notes: what scenarios, factors, or considerations the team discussed. This is the substance. Record what was said, what was debated, what alternative views were raised. If someone disagreed with the prevailing view, record the disagreement and the resolution. Three sentences minimum, and for the core items (items 3, 4, 5, 6), you should expect significantly more.
Pre-meeting input received: whether team members provided independent input before the discussion. A yes/no indicator with a reference to the pre-meeting forms.
Risks or scenarios identified: the output of the discussion for this agenda item. Each risk should be described as an entity-specific scenario, not a generic category. "Revenue could be overstated through manipulation of percentage-of-completion estimates on contracts above EUR 500,000" is a scenario. "Revenue recognition risk" is a category.
Impact on audit strategy: how the identified risks affect the audit approach. Cross-references to the response matrix where applicable.
Specialist consideration: whether this agenda item flagged a need for specialist input. For item 10, this column is mandatory.
Attendees present: names and roles for each agenda item. If someone stepped out, the record should show who was present for which items. The partner's name should appear on every row.
How the discussion output flows to the risk register
The discussion is not an end in itself. Its purpose is to identify fraud risks that will be assessed and responded to through the rest of the audit. Every fraud scenario identified in the discussion must be evaluated for inclusion in the risk register. The summary row (item 11) captures this transition.
For each scenario that the team decides to carry forward, the risk register entry should trace back to the discussion. The risk register should show which tab and which agenda item generated the risk. This creates the same bidirectional cross-referencing that the response matrix provides between risks and procedures: the discussion working paper points forward to the risk register, and the risk register points back to the discussion.
Scenarios that the team discussed but did not carry forward should be documented with the reasoning. "Discussed potential for inventory misappropriation through falsified scrap reports. Team concluded this is not a fraud risk because scrap volumes are immaterial (EUR 12,000 per year, 0.03% of revenue) and are independently verified by the waste management contractor. Not carried to risk register" is defensible documentation of a scenario that was considered but dismissed.
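The working-paper rules above (three sentences of substance per item, the partner on every row, a documented reason whenever an item returns "none identified", a mandatory specialist column on item 10, scenarios rather than categories) and the forward/backward cross-referencing into the risk register can be checked mechanically. The script below is an added illustration, not part of the article or of any firm's methodology. The column names, the `none_identified_reason` field, the "FR-nn" risk identifiers and the word-count heuristic for spotting generic categories are assumptions made here; the sample rows are constructed from the Muller Fertigung figures in the worked example further down the page.

```python
"""Validate a fraud-discussion working paper and flow its scenarios into a
risk register with a back-reference to the originating agenda item.
Added example; field names and thresholds are assumptions, not ISA text."""
from dataclasses import dataclass, field
import re

AGENDA_ITEMS = 11         # the article's 11-item agenda
MIN_SENTENCES = 3         # minimum substance per agenda item
MIN_SCENARIO_WORDS = 8    # assumption: shorter risk text usually reads as a category
PARTNER = "Engagement Partner"   # constructed name


@dataclass
class AgendaRow:
    """One row of the discussion working paper (columns as in the article)."""
    item: int
    discussion_notes: str
    pre_meeting_input: bool
    risks_identified: list[str]
    attendees: list[str]
    impact_on_strategy: str = ""
    specialist_consideration: str = ""
    none_identified_reason: str = ""   # assumed column: why an item yielded no risk


def count_sentences(text: str) -> int:
    """Count sentence terminators followed by whitespace or end of text,
    so figures such as 'EUR 2.8M' or '0.4x' do not inflate the count."""
    return len(re.findall(r"[^.!?]+[.!?]+(?=\s|$)", text.strip()))


def validate_row(row: AgendaRow, partner: str) -> list[str]:
    """Apply the documentation rules to a single agenda item."""
    findings = []
    if count_sentences(row.discussion_notes) < MIN_SENTENCES:
        findings.append(f"item {row.item}: fewer than {MIN_SENTENCES} sentences of substance")
    if partner not in row.attendees:
        findings.append(f"item {row.item}: engagement partner not recorded as present")
    if not row.risks_identified and not row.none_identified_reason.strip():
        findings.append(f"item {row.item}: 'none identified' without a documented explanation")
    if row.item == 10 and not row.specialist_consideration.strip():
        findings.append("item 10: specialist consideration column is mandatory")
    for risk in row.risks_identified:
        if len(risk.split()) < MIN_SCENARIO_WORDS:
            findings.append(f"item {row.item}: '{risk}' reads as a category, not a scenario")
    return findings


def validate_working_paper(rows: list[AgendaRow], partner: str = PARTNER) -> list[str]:
    """Check that all eleven items are present, then validate each row."""
    findings = []
    present = {r.item for r in rows}
    for n in range(1, AGENDA_ITEMS + 1):
        if n not in present:
            findings.append(f"item {n}: missing from working paper")
    for row in rows:
        findings.extend(validate_row(row, partner))
    return findings


def build_register(rows: list[AgendaRow], working_paper_ref: str) -> list[dict]:
    """Transfer every identified scenario to a register entry that points back
    to the working paper tab and agenda item that generated it."""
    register = []
    for row in rows:
        for risk in row.risks_identified:
            register.append({
                "risk_id": f"FR-{len(register) + 1:02d}",
                "scenario": risk,
                "source": f"{working_paper_ref} item {row.item}",
                "response_ref": row.impact_on_strategy or "TBD",
            })
    return register


# Constructed sample: two compliant rows, three deficient ones, six items absent.
TEAM = [PARTNER, "Audit Manager", "Senior", "Associate 1", "Associate 2"]
SAMPLE_ROWS = [
    AgendaRow(2, "Covenant headroom reduced from 0.8x to 0.4x year on year. CFO probationary "
              "bonus of EUR 40,000 conditional on net profit exceeding EUR 2.8M (confirmed per "
              "employment contract). Production manager scrap bonus creates secondary incentive "
              "to understate scrap costs. All three pressures carried to risk register.",
              True, ["CFO probationary bonus of EUR 40,000 conditional on net profit exceeding EUR 2.8M",
                     "Production manager scrap-rate bonus creates incentive to understate scrap and overstate inventory"],
              TEAM, impact_on_strategy="Response matrix R-02, R-03"),
    AgendaRow(5, "Revenue recognition discussed.", False, ["Revenue recognition risk"], TEAM),
    AgendaRow(6, "CFO posts ~40 manual entries per month without secondary approval (threshold "
              "EUR 75K). ERP does not enforce dual authorisation below this level. Override risk "
              "specific to period-end accrual entries and WIP adjustments.",
              True, ["Management override through unapproved CFO journal entries below EUR 75,000 at period end"],
              TEAM[1:]),   # partner stepped out: deficiency
    AgendaRow(7, "No fraud identified on this engagement in prior years. No suspected fraud was "
              "investigated. Predecessor auditor communication not applicable as this is a "
              "recurring engagement.", True, [], TEAM,
              none_identified_reason="Recurring engagement with no prior fraud or suspected fraud."),
    AgendaRow(10, "Forensic specialist not engaged. Quantity surveyor engaged as auditor's expert "
              "for WIP verification. Decision documented.", True, [], TEAM,
              none_identified_reason="Specialist need addressed via auditor's expert."),  # column left blank
]

if __name__ == "__main__":
    for finding in validate_working_paper(SAMPLE_ROWS):
        print("DEFICIENCY:", finding)
    for entry in build_register(SAMPLE_ROWS, "WP-240"):
        print(entry["risk_id"], "<-", entry["source"], ":", entry["scenario"])
```

Running the script on the constructed rows reports the six absent agenda items, the one-sentence item 5 with its generic risk label, the missing partner on item 6 and the blank specialist column on item 10, and produces four register entries, each carrying a `source` such as `WP-240 item 6` so the register points back to the discussion as the article requires.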
Worked example: Muller Fertigung GmbH
Scenario: Muller Fertigung GmbH is a German precision engineering company. Revenue is EUR 34M, primarily from long-term manufacturing contracts with automotive OEMs. The company has 180 employees. The CFO joined 18 months ago from a competitor that was investigated for inflating work-in-progress valuations. The entity has a EUR 8M revolving credit facility with a net debt/EBITDA covenant of 3.0x (current ratio: 2.6x).
The engagement team consists of the partner, an audit manager, a senior, and two associates. Pre-meeting forms were distributed five days before the discussion.
Entity culture and management integrity (item 1). Pre-meeting input: the senior noted that the CFO's previous employer was investigated for WIP fraud. The manager noted that the entity has no formal code of conduct. Discussion substance: the team discussed the CFO's background, noting that no charges were brought and the CFO was not personally named in the investigation. The absence of a formal code of conduct was discussed at length. The entity relies on an informal "open door" culture according to management representations, but no written ethical guidelines exist for employees. The partner observed that the previous CFO (who retired) had a similar informal approach and no fraud issues arose during that tenure. The team agreed that the lack of a formal framework is an attitude indicator and noted it in combination with the CFO's background. Documentation note: "Discussed CFO's prior employment at [name]. No personal involvement in investigation confirmed per management inquiry. Entity has no formal code of conduct; management describes 'open door' culture. Lack of formal ethical framework noted as an attitude indicator. Two team members flagged this independently in pre-meeting input."
Incentives and pressures (item 2). Pre-meeting input: the partner identified covenant pressure (headroom 0.4x). One associate identified the CFO's probationary bonus (EUR 40,000 if net profit exceeds EUR 2.8M in the first two full years). The other associate noted that the production manager receives a bonus based on scrap rates. Discussion substance: the team discussed both financial pressures. The covenant headroom is tighter than prior year (was 0.8x). The CFO's bonus creates direct personal incentive to overstate profit or defer costs. The production manager's scrap-rate bonus creates incentive to understate scrap, which could overstate inventory. Documentation note: "Covenant headroom reduced from 0.8x to 0.4x year on year. CFO probationary bonus of EUR 40,000 conditional on net profit exceeding EUR 2.8M (confirmed per employment contract). Production manager scrap bonus creates secondary incentive to understate scrap costs. All three pressures carried to risk register as incentive factors."
How could fraudulent financial reporting be perpetrated? (item 3). Discussion substance: the team identified two specific scenarios. First, overstatement of percentage-of-completion on long-term contracts by manipulating estimated costs to complete (the same method investigated at the CFO's prior employer). The manager noted that WIP is the largest balance sheet item (EUR 7.4M) and the percentage-of-completion estimate relies heavily on project manager assessments that are not independently verified. Second, capitalisation of development costs for projects that do not meet IAS 38 criteria, given that the entity has three active R&D projects (total capitalised: EUR 1.8M). The senior noted that two of these projects have been in development for over 30 months without generating revenue. Documentation note: "Scenario 1: WIP overstatement via manipulated costs-to-complete. Scenario 2: inappropriate capitalisation of development costs. WIP balance of EUR 7.4M (8% of total assets). Project manager assessments not independently verified. Two R&D projects in development 30+ months without revenue. Both scenarios carried to register."
Asset misappropriation (item 4): the team discussed portable CNC tooling (EUR 1.1M in total; individual items EUR 15,000 to EUR 30,000). Two associates flagged that tooling is stored in an open workshop area with no individual tracking. Third-party risk: external contractors have unsupervised workshop access during night shifts. Documentation note: "CNC tooling is high-value and portable. Open workshop storage. External contractors have night-shift access without dedicated supervision. Risk carried to register."
Revenue recognition (item 5): the presumed risk was narrowed to percentage-of-completion adjustments on contracts above EUR 500,000 (12 active contracts, EUR 22M total). The team agreed that short-cycle orders (paid on delivery) do not present significant fraud risk. Documentation note: "Revenue fraud risk narrowed to PoC contracts above EUR 500K. 12 contracts, EUR 22M total. Short-cycle orders (EUR 12M) assessed as low fraud risk."
Management override (item 6): the CFO can post manual journal entries in the ERP without secondary approval for amounts below EUR 75,000. The team discussed that the monthly close process includes approximately 40 manual entries per month posted by the CFO. Documentation note: "CFO posts ~40 manual entries per month without secondary approval (threshold EUR 75K). ERP does not enforce dual authorisation below this level. Override risk specific to period-end accrual entries and WIP adjustments."
Prior-year fraud and external information (items 7 and 8): prior-year fraud: none identified. External information: no media reports or regulatory actions related to Muller or its industry peers.
Unbiased procedure design (item 9): the team agreed to test WIP by obtaining independent cost estimates from a quantity surveyor rather than relying solely on management's project managers. This commitment was documented. Documentation note: "Team committed to independent verification of cost-to-complete estimates via quantity surveyor for the 5 largest contracts. Procedure designed to avoid reliance on management's project team assessments."
Specialist consideration (item 10): the partner decided a forensic data analytics specialist is not needed this year but will revisit if journal entry testing reveals unusual patterns. The quantity surveyor for WIP is classified as an auditor's expert under ISA 620. Documentation note: "Forensic specialist not engaged. Quantity surveyor engaged as auditor's expert for WIP verification. Decision documented."
Summary: five entity-specific fraud risks carried to the register (WIP overstatement through PoC manipulation, inappropriate capitalisation of development costs, misappropriation of CNC tooling, management override through uncontrolled journal entries, production manager scrap understatement), each with a cross-reference to the discussion item that generated it.
Practical checklist
- Distribute a pre-meeting preparation form to every team member at least three business days before the discussion. Each member independently identifies fraud scenarios before the session (ISA 240.29).
- Use the 11-item agenda to ensure every required topic is covered. Do not skip items, even if the team considers them unlikely to produce findings.
- The engagement partner must attend the full discussion, not just review the output afterwards (ISA 240.29 requires partner participation).
- Document at least three sentences per agenda item capturing the substance of what was discussed, not just the conclusion reached.
- Transfer every fraud risk identified during the discussion to the risk register with a cross-reference back to the discussion working paper.
- For teams of two or three people, the pre-meeting technique is even more important. Small teams are more susceptible to anchoring bias from the most senior member.
Common mistakes
- Documenting conclusions without substance. "Revenue recognition discussed. Risk identified." tells a reviewer nothing about what the team actually considered. The AFM's inspection findings repeatedly cite files where the discussion documentation is indistinguishable from a completed checklist.
- Holding the discussion without the engagement partner present for the full session. ISA 240.29 is explicit. If the partner dials in for the last five minutes to hear the summary, the requirement is not met for the ten agenda items the partner missed.
- Treating management override as the only fraud risk identified. Management override is always present, but the discussion should identify entity-specific risks beyond it. If the only output is "management override," the team either did not engage with the other ten agenda items or the entity genuinely has no other risk factors (which is a conclusion that itself requires detailed documentation and justification).
- Holding the brainstorming discussion after the risk register is already populated. The discussion should inform the risk register, not ratify it. If risks are already written before the team meets, the discussion is a formality rather than a genuine brainstorming exercise.