Key Takeaways

  • A fraud indicator is a condition that suggests fraud may exist — you don’t need certainty, only enough of a signal to trigger a specific audit response under ISA 240.
  • ISA 240 provides a four-level response hierarchy: overall responses at the engagement level (ISA 240.28–29), procedures at the assertion level (ISA 240.30), mandatory procedures addressing management override of controls (ISA 240.31–33), and evaluation of and response to identified or suspected fraud (ISA 240.35–43).
  • The most common audit deficiency is the gap between risk assessment and procedure — the file says “significant fraud risk in revenue” but the programme contains no procedures different from a normal-risk engagement.
  • Journal entry testing under ISA 240.32(a) is mandatory on every engagement and must use risk-based selection criteria, not random sampling from the population.
  • When fraud involves management, ISA 240.41 requires communication to those charged with governance; the managers who appear to be involved are not the “appropriate level of management” for the ISA 240.40 communication, which ordinarily sits at least one level above them.
  • Top-side adjustments, consolidation entries, and manual entries outside the accounting system fall within the scope of ISA 240.32(a) — these are often the highest-risk entries because they bypass normal posting controls.

You’re testing journal entries on a manufacturing client. One entry stands out: a €380,000 credit to cost of goods sold with a debit to an intercompany receivable, posted at 23:47 on 30 December by the CFO. No description. No supporting document attached. The prior year file has a similar entry on 29 December for €295,000. You flag it to the engagement manager. The response: “It’s probably a reclass. Ask the client for the backup.”

That’s not what ISA 240 requires. Before you ask the client anything, the entry already shows several fraud risk indicators: posted out of hours, posted by the CFO personally, no description, no supporting document, a period-end P&L effect, and a prior-year pattern. The audit response needs to match.

To respond to fraud indicators during an audit, the auditor must maintain professional scepticism throughout the engagement (ISA 240.12), discuss the susceptibility of the financial statements to fraud with the engagement team (ISA 240.15), design and perform procedures specifically to address the assessed fraud risks (ISA 240.28–33), and evaluate whether analytical procedures performed near the end of the audit indicate a previously unrecognised risk of material misstatement due to fraud (ISA 240.34).

What counts as a fraud indicator under ISA 240

ISA 240 doesn’t require you to find fraud. It requires you to design the audit so that you have a reasonable prospect of detecting material misstatement caused by fraud. That distinction matters because it sets the bar at response, not at proof. A fraud indicator is a condition that suggests fraud may exist. You don’t need certainty. You need enough of a signal to trigger a specific audit response.

ISA 240.A25 through A30 catalogues fraud risk factors across two categories: misstatements arising from fraudulent financial reporting and misstatements arising from misappropriation of assets. The Appendix to ISA 240 provides an extended list. But the standard’s list is organised by the fraud triangle (incentive/pressure, opportunity, attitude/rationalisation), which is useful for theory and less useful for recognising indicators in practice.

Here’s what you’re more likely to encounter on a mid-tier engagement, organised by where you find it.

In journal entries

  • Entries without supporting documentation
  • Entries posted outside normal business hours
  • Entries posted by individuals who don’t normally post journals
  • Round-sum entries with no description
  • Entries that increase revenue or decrease expenses near the period end
  • Manual entries to accounts that are normally only system-generated

In estimates

  • Estimates that consistently sit at the optimistic end of the acceptable range (ISA 540.A129)
  • Estimates that haven’t changed despite changes in the underlying risk drivers
  • Estimates where management can’t explain the methodology or key assumptions when asked

In revenue patterns

  • Transactions with counterparties that share addresses or directors with the client
  • Revenue recorded in the last few days of the period without corresponding delivery evidence
  • Credit notes issued in the first week of the new period that reverse prior-period revenue
  • Side agreements or amendments to contracts that management didn’t disclose during your contract review

In management behaviour

  • Reluctance to provide access to records or personnel
  • Inconsistent answers to audit queries
  • Last-minute adjustments to the financial statements after the audit team has completed fieldwork
  • Pressure on the audit team to complete work faster or to accept explanations without corroboration

ISA 240.31 is explicit that the risk of management override of controls is present in all entities, whatever the control environment, which is why the ISA 240.32 procedures apply on every engagement.

The ISA 240 response hierarchy

When you encounter a fraud indicator, ISA 240 provides a structured response. It’s not “investigate the fraud” and it’s not “ignore it and move on.” The hierarchy has four levels, and the appropriate response depends on the severity of the indicator.

Level 1: Overall responses (ISA 240.28–29)

This is the engagement-level response. ISA 240.28 requires you to determine overall responses to the assessed risks of material misstatement due to fraud, and ISA 240.29 spells out what they include: assigning and supervising personnel with the knowledge and skill the risk demands, evaluating whether management’s selection and application of accounting policies (particularly for subjective measurements and complex transactions) may indicate fraudulent financial reporting, and incorporating unpredictability into the nature, timing and extent of procedures. This isn’t a reaction to a specific indicator. It’s the baseline posture of the engagement.

Level 2: Assertion-level procedures (ISA 240.30)

When you’ve assessed a fraud risk at a specific assertion (say, occurrence of revenue, or valuation of a provision), ISA 240.30 requires you to design and perform procedures whose nature, timing and extent are responsive to that specific risk. Changing the timing of a test from interim to year-end, extending the sample size, or performing a procedure that management doesn’t expect are all examples; the application material on this paragraph (ISA 240.A37 onwards) walks through each dimension.

Level 3: Management override procedures (ISA 240.31–33)

Regardless of the fraud risk assessment, ISA 240.32 requires three specific procedures on every engagement. Test the appropriateness of journal entries and other adjustments, which under ISA 240.32(a) means inquiring of the people who process journals about inappropriate or unusual activity, selecting entries made at the end of the reporting period, and considering whether entries throughout the period need testing too. Review accounting estimates for bias. Evaluate the business rationale of significant transactions that are outside the normal course of business or otherwise appear unusual. ISA 240.33 then asks whether other procedures are needed to respond to the override risk. These are mandatory. They don’t depend on finding a specific indicator. And they can’t be delegated to a junior who doesn’t know what to look for.

Level 4: Response to identified or suspected fraud (ISA 240.35–43)

If you identify a misstatement, ISA 240.35 requires you to evaluate whether it is indicative of fraud and, if so, its implications for the rest of the audit, in particular the reliability of management’s representations. Where management may be involved, ISA 240.36 requires you to re-evaluate the fraud risk assessment and the procedures that responded to it, and ISA 240.38 deals with the exceptional case where your ability to continue the engagement is in question. ISA 240.40 requires communication to the appropriate level of management; where the fraud involves management, ISA 240.41 requires communication to those charged with governance, and ISA 240.43 requires you to determine whether there is a responsibility to report outside the entity.

Designing procedures that actually respond to the fraud risk

The most common audit deficiency in fraud response is the gap between the risk assessment and the procedure. The file says “risk of material misstatement due to fraud in revenue recognition: significant.” But the procedure says “select a sample of 25 invoices and vouch to delivery notes.” That procedure would be identical whether the fraud risk was assessed as significant or not. Nothing changed in response to the risk.

ISA 240.A37–A44 provides guidance on how to modify procedures to respond to fraud risks. The modifications need to affect what you do, when you do it, or how much you do — and ideally more than one of these dimensions.

Changing the nature

Perform a different type of procedure. Instead of vouching invoices to delivery notes (which the client prepares), confirm sales directly with customers under ISA 505. Rather than recalculating management’s provision, develop your own independent estimate. Where you’d normally review management’s bank reconciliation, obtain the bank statement independently and prepare your own reconciliation.

Changing the timing

Perform the procedure at a point management doesn’t expect. If your standard programme tests revenue at interim, move the cut-off testing to year-end. If the client knows you test Q3 journal entries, test Q4 entries this year. ISA 240.A38 specifically mentions unpredictability as a response to fraud risks.

Changing the extent

Test more items. But extent alone is rarely sufficient. Testing 40 invoices instead of 25 doesn’t help if the procedure itself wouldn’t detect the fraud. A larger sample of an ineffective test produces more ineffective results.

Combining all three dimensions

The strongest fraud response combines all dimensions. For revenue fraud risk on a client with a history of period-end revenue manipulation: confirm the five largest Q4 transactions directly with counterparties (nature change), perform the cut-off test at year-end rather than interim (timing change), extend the cut-off window from one week to four weeks each side of year-end (extent change), and test whether any credit notes issued in January relate to December revenue (additional procedure).
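As an added example, not taken from the article, here is what the combined revenue response looks like as a screen over the sales ledger: the cut-off test with a configurable window either side of year end, and the credit note test for reversals of prior-period revenue. The Invoice and CreditNote records, the customer names and every number in the sample data are constructed for the illustration; real extracts would come from the client’s billing system, and delivery evidence would be inspected, not merely dated.

```python
"""Period-end revenue cut-off screen: two procedures from the fraud response above.

(a) Invoices in the weeks before period end with no delivery evidence, or with
    delivery evidence dated after period end (occurrence/cut-off exceptions).
(b) Credit notes issued in the weeks after period end that reverse an invoice
    dated in the weeks before (revenue that did not survive the year end).
All customers, numbers and amounts are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Invoice:
    number: str
    customer: str
    invoice_date: date
    delivered_on: Optional[date]     # date on the delivery evidence; None = nothing on file
    amount: float


@dataclass(frozen=True)
class CreditNote:
    number: str
    customer: str
    issued_on: date
    reverses: str                    # invoice number the credit note references
    amount: float


def cutoff_exceptions(invoices, credit_notes, period_end: date, window_days: int = 28) -> dict:
    """Return both exception lists plus the revenue they put at risk.

    window_days is applied on both sides of period_end; the text extends it
    from one week to four when the fraud risk in revenue is assessed as high.
    """
    start = period_end - timedelta(days=window_days)
    stop = period_end + timedelta(days=window_days)
    by_number = {inv.number: inv for inv in invoices}

    def in_window(d: date) -> bool:
        return start < d <= period_end

    # (a) pre-year-end invoices lacking delivery evidence dated on or before period end
    delivery = sorted(
        (inv for inv in invoices
         if in_window(inv.invoice_date)
         and (inv.delivered_on is None or inv.delivered_on > period_end)),
        key=lambda inv: inv.invoice_date)

    # (b) post-year-end credit notes reversing a pre-year-end invoice inside the window
    reversals = sorted(
        ((cn, by_number[cn.reverses]) for cn in credit_notes
         if cn.reverses in by_number
         and period_end < cn.issued_on <= stop
         and in_window(by_number[cn.reverses].invoice_date)),
        key=lambda pair: pair[0].issued_on)

    at_risk = sum(inv.amount for inv in delivery) + sum(cn.amount for cn, _ in reversals)
    return {"delivery": delivery, "reversals": reversals, "revenue_at_risk": round(at_risk, 2)}


PERIOD_END = date(2024, 12, 31)
SAMPLE_INVOICES = [  # constructed sample
    Invoice("INV-2350", "Oost Cargo B.V.", date(2024, 11, 15), date(2024, 11, 16), 9800.00),
    Invoice("INV-2395", "West Freight N.V.", date(2024, 12, 20), None, 22750.00),
    Invoice("INV-2398", "Zuid Logistiek B.V.", date(2024, 12, 27), date(2024, 12, 27), 15500.00),
    Invoice("INV-2399", "Zuid Logistiek B.V.", date(2024, 12, 28), date(2024, 12, 28), 31000.00),
    Invoice("INV-2401", "Noord Transport B.V.", date(2024, 12, 30), date(2025, 1, 8), 48000.00),
]
SAMPLE_CREDIT_NOTES = [  # constructed sample
    CreditNote("CN-0099", "West Freight N.V.", date(2024, 12, 15), "INV-2380", 4100.00),     # invoice not in extract
    CreditNote("CN-0102", "Zuid Logistiek B.V.", date(2025, 1, 6), "INV-2399", 31000.00),    # reversal to flag
    CreditNote("CN-0103", "Oost Cargo B.V.", date(2025, 1, 10), "INV-2350", 9800.00),        # invoice predates window
    CreditNote("CN-0110", "Noord Transport B.V.", date(2025, 2, 14), "INV-2401", 48000.00),  # after post-year-end window
]

if __name__ == "__main__":
    result = cutoff_exceptions(SAMPLE_INVOICES, SAMPLE_CREDIT_NOTES, PERIOD_END)
    for inv in result["delivery"]:
        print(f"delivery exception  {inv.number} {inv.invoice_date} EUR {inv.amount:,.2f} "
              f"delivered: {inv.delivered_on or 'no evidence'}")
    for cn, inv in result["reversals"]:
        print(f"reversal            {cn.number} {cn.issued_on} reverses {inv.number} "
              f"({inv.invoice_date}) EUR {cn.amount:,.2f}")
    print(f"revenue at risk     EUR {result['revenue_at_risk']:,.2f}")
```

Widening window_days from 7 to 28 is the extent change from the text: on the sample data the one-week window misses the 20 December invoice that has no delivery evidence, while the four-week window catches it and still catches the January credit note. Confirming the largest items with counterparties (the nature change) is a separate ISA 505 procedure that no script replaces.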

Journal entry testing as a fraud detection procedure

ISA 240.32(a) requires the auditor to test the appropriateness of journal entries recorded in the general ledger and other adjustments made in preparing the financial statements. This is a mandatory procedure, not an optional one.

The standard doesn’t prescribe a specific method, but ISA 240.A45–A48 provides direction. You select journal entries based on risk criteria, not at random. The risk criteria should target entries with characteristics associated with fraudulent entries: entries made near the period end, entries recorded by unusual individuals, entries affecting unusual account combinations, and entries with no description or supporting documentation.

A practical approach for mid-tier engagements

  1. Extract the full journal entry population for the period.
  2. Filter for entries matching at least one risk criterion.
  3. From the filtered population, select entries for testing.
  4. For each selected entry, obtain and inspect the supporting documentation, evaluate whether the entry has a valid business purpose, and verify that the entry was authorised in accordance with the client’s processes.

Filter criteria that produce the most useful results

  • Entries posted after business hours (after 19:00 or on weekends)
  • Entries posted by the CFO or financial controller directly (rather than by accounts payable or accounts receivable staff who normally post)
  • Entries with a debit or credit to revenue or cost of sales that are manual rather than system-generated
  • Round-sum entries above a threshold (say, €10,000) with no description
  • Entries posted in the last five business days of the reporting period

When you find an entry that meets multiple risk criteria, the documentation requirement increases. Record the entry details, the risk criteria it triggered, the supporting documentation obtained (or the absence of it), management’s explanation, and your evaluation of whether the explanation is consistent with the supporting evidence.
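The four-step approach and the filter criteria above amount to a screen that can be run over the journal extract before anyone talks to the client. The following is an added example (not part of the original article and not any firm’s tool) that applies those criteria to a constructed extract; the account-code convention (4xxx revenue, 5xxx cost of sales), the role names, the 07:00–19:00 business-hours window, the public-holiday simplification and every entry in SAMPLE_ENTRIES are assumptions made for the illustration. The last sample entry mirrors the Groot Logistics entry in the worked example further down, so the same screen shows which criteria it triggers and produces the workpaper line the documentation paragraph asks for.

```python
"""Risk-based journal entry screen for ISA 240.32(a) testing.

Each criterion is one of the selection filters discussed above. A hit selects an
entry for testing; it is not evidence of fraud. All names, account codes and
entries below are constructed for illustration (hypothetical client data).
"""
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import Optional

PL_PREFIXES = ("4", "5")              # assumed chart: 4xxx revenue, 5xxx cost of sales
SENIOR_ROLES = {"cfo", "financial_controller"}
ROUND_SUM_THRESHOLD = 10_000.0        # round-sum screen applies at or above this amount
PERIOD_END_WINDOW = 5                 # last N business days of the period
BUSINESS_HOURS = (7, 19)              # postings outside 07:00-19:00 count as out of hours


@dataclass
class JournalEntry:
    entry_id: str
    posted_at: datetime
    user: str
    role: str
    source: str                       # "system" (interface/sub-ledger) or "manual"
    description: str
    doc_ref: Optional[str]            # reference to attached support, None if absent
    lines: list = field(default_factory=list)   # (account, debit, credit) tuples

    @property
    def amount(self) -> float:
        return round(sum(debit for _, debit, _ in self.lines), 2)


def last_business_days(period_end: date, n: int) -> set:
    """Last n weekdays up to and including period_end (public holidays ignored: assumption)."""
    days, cursor = set(), period_end
    while len(days) < n:
        if cursor.weekday() < 5:
            days.add(cursor)
        cursor -= timedelta(days=1)
    return days


def risk_criteria(je: JournalEntry, period_end: date) -> list:
    """Names of every selection criterion the entry triggers, in a fixed order."""
    hits = []
    t = je.posted_at
    if t.weekday() >= 5 or not (BUSINESS_HOURS[0] <= t.hour < BUSINESS_HOURS[1]):
        hits.append("out_of_hours")
    if je.role in SENIOR_ROLES:
        hits.append("senior_poster")
    if je.source == "manual" and any(acct.startswith(PL_PREFIXES) for acct, _, _ in je.lines):
        hits.append("manual_pl_entry")
    if je.amount >= ROUND_SUM_THRESHOLD and je.amount % 1_000 == 0 and not je.description.strip():
        hits.append("round_sum_no_description")
    window_start = min(last_business_days(period_end, PERIOD_END_WINDOW))
    if window_start <= t.date() <= period_end:
        hits.append("period_end")
    if je.doc_ref is None:
        hits.append("no_supporting_document")
    return hits


def screen(entries, period_end: date) -> dict:
    """Filtered population: entry id -> criteria, most criteria first, then largest amount."""
    scored = [(je, risk_criteria(je, period_end)) for je in entries]
    scored = [(je, hits) for je, hits in scored if hits]
    scored.sort(key=lambda pair: (-len(pair[1]), -pair[0].amount))
    return {je.entry_id: hits for je, hits in scored}


def workpaper_record(je: JournalEntry, hits) -> str:
    """One workpaper line: what was selected and why, recorded before management is asked anything."""
    return (f"{je.entry_id} | {je.posted_at:%Y-%m-%d %H:%M} | {je.user} ({je.role}) | "
            f"EUR {je.amount:,.2f} | criteria: {', '.join(hits)} | support: {je.doc_ref or 'NONE'}")


PERIOD_END = date(2024, 12, 31)
SAMPLE_ENTRIES = [  # constructed sample; the last entry mirrors the Groot Logistics case below
    JournalEntry("JE-0931", datetime(2024, 11, 14, 10, 12), "m.devries", "ap_clerk", "system",
                 "Supplier invoice 2024-11-0931", "INV-0931",
                 [("5100", 12340.50, 0.0), ("2000", 0.0, 12340.50)]),
    JournalEntry("JE-1188", datetime(2024, 12, 7, 11, 5), "m.devries", "ap_clerk", "system",
                 "Supplier invoice 2024-12-0044", "INV-0044",
                 [("5100", 3180.00, 0.0), ("2000", 0.0, 3180.00)]),
    JournalEntry("JE-1207", datetime(2024, 12, 31, 17, 30), "a.bakker", "financial_controller", "manual",
                 "December payroll accrual", "PAY-2024-12",
                 [("6000", 84250.00, 0.0), ("2100", 0.0, 84250.00)]),
    JournalEntry("JE-1213", datetime(2024, 12, 28, 22, 15), "j.groot", "cfo", "manual",
                 "", None,
                 [("1350", 410000.00, 0.0), ("5100", 0.0, 410000.00)]),
]

if __name__ == "__main__":
    for entry_id, hits in screen(SAMPLE_ENTRIES, PERIOD_END).items():
        je = next(e for e in SAMPLE_ENTRIES if e.entry_id == entry_id)
        print(workpaper_record(je, hits))
```

Run with python and it prints one workpaper line per selected entry, most criteria first. Two things the output shows that the list alone does not: a routine December payroll accrual posted by the financial controller is still selected (senior poster, period end), because the screen selects for testing and draws no conclusion; and a Saturday posting by an AP clerk surfaces on the weekend rule even though every other attribute is ordinary. Whatever simplifications you make (here, public holidays are ignored when computing the last five business days) belong in the workpaper alongside the criteria.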

Don’t forget top-side adjustments

ISA 240.32(a) applies to “other adjustments made in preparing the financial statements,” not just journal entries in the general ledger. Top-side adjustments, consolidation entries, and manual entries made outside the accounting system (in Excel workbooks used to prepare the financial statements, for instance) fall within scope. These are often the highest-risk entries because they bypass the normal posting controls.

What to do when you find something

The moment shifts from “testing” to “evaluating” when you identify a misstatement that may result from fraud. ISA 240.35 sets the trigger: if you identify a misstatement, you evaluate whether it is indicative of fraud. You don’t need certainty. You need a reasonable basis for the belief, and the standard’s own reminder is that an instance of fraud is unlikely to be an isolated occurrence.

Evaluate the implications (ISA 240.35–37)

A fraudulent journal entry affecting revenue doesn’t just create a revenue misstatement. It calls into question the reliability of the journal entry population, the integrity of management’s representations, and potentially the control environment as a whole. You reassess the fraud risk, and you determine whether additional procedures are needed in other areas.

Communicate to the appropriate level (ISA 240.40–41)

ISA 240.40 requires communication to the appropriate level of management, which is ordinarily at least one level above the persons who appear to be involved. For fraud involving an employee without a significant role in internal control, that means management, with those charged with governance also informed where the fraud results in a material misstatement (ISA 240.41(c)). For fraud involving management, or employees with significant roles in internal control, ISA 240.41 requires communication to those charged with governance; in practice you go to them directly rather than through the management under suspicion. This is not a conversation you want to improvise. Plan the communication, consider the legal implications, and document what you communicated, to whom, and when.

Consider reporting outside the entity (ISA 240.43)

If fraud is identified or suspected, ISA 240.43 requires you to determine whether a responsibility exists to report the occurrence or suspicion to a party outside the entity; the duty of confidentiality may be overridden by statute, regulation or a court. In the Netherlands, the Wwft (Wet ter voorkoming van witwassen en financieren van terrorisme) requires a report to FIU-Nederland if the facts constitute an unusual transaction under the Act. The engagement partner should take legal advice before making or declining to make such a report, and should document the consideration either way.

Consider withdrawal from the engagement (ISA 240.38)

ISA 240.38 applies where fraud or suspected fraud brings into question your ability to continue the audit: determine your professional and legal responsibilities (38(a)), consider whether withdrawal is appropriate and possible under applicable law (38(b)), and if you do withdraw, discuss the reasons with management and those charged with governance (38(c)(i)) and determine whether the withdrawal must be reported to those who appointed you or to a regulator (38(c)(ii)). In the Netherlands, withdrawal from a statutory audit triggers notification obligations to the AFM under the Wta (Wet toezicht accountantsorganisaties). Document the consideration and the conclusion, regardless of whether you withdraw.

Worked example: Groot Logistics B.V.

Groot Logistics B.V. is a Dutch freight forwarding company. Revenue for 2024: €32M. During journal entry testing, the audit team identified the following entry: a €410,000 credit to transportation costs (cost of sales) with a corresponding debit to “intercompany receivable – Groot Management B.V.”, posted on 28 December 2024 at 22:15 by the CFO. Groot Management B.V. is not on the related party list management provided to the audit team. The prior year file contains a similar entry on 30 December 2023 for €295,000.

1. Identify the fraud indicators

The entry triggers five risk criteria: posted outside business hours (22:15), posted by the CFO directly, affects cost of sales (a P&L account normally fed by purchase invoices), debits a receivable from an entity not on the related party list, and matches a pattern from the prior year. Under ISA 240.A25, the combination of indicators justifies treating this as a potential fraud matter, not a routine query.

Documentation note

Record each risk criterion the entry triggered. Cross-reference to the prior year entry. Do not accept a verbal explanation from management before documenting the indicators. Reference ISA 240.32(a) and ISA 240.A45.

2. Evaluate the entry

Request the supporting documentation from the client. The CFO provides an email from Groot Management B.V. (signed by J. Groot, who is also the sole director of Groot Logistics B.V.) asserting that Groot Management B.V. provided “operational consulting services” during 2024. No invoice is attached, and no service agreement exists. Time records supporting the €410,000 amount are absent.

Run a KVK search on Groot Management B.V. J. Groot is the sole director and UBO. This is an undisclosed related party under ISA 550. The transaction is a €410,000 cost reduction to Groot Logistics B.V. with no documentary support, booked to a related party receivable that exists only because of this entry.

Documentation note

File the KVK search, the email from J. Groot, and the absence of an invoice or service agreement. Note the undisclosed related party. Record that the effect of the entry is to reduce cost of sales by €410,000, directly increasing reported profit. Reference ISA 240.35 and ISA 550.22.

3. Reassess the fraud risk (ISA 240.36)

The discovery changes the risk assessment. Cost of sales and the intercompany and related party balances are now subject to potential management override, and the prior year entry suggests a recurring pattern rather than a one-off. Reassess the risk of material misstatement due to fraud as high for the cost of sales and related party assertions. Expand journal entry testing to cover all entries to intercompany accounts. Request a full GL extract for all transactions with Groot Management B.V. across both years.

Documentation note

Record the revised risk assessment. Document the additional procedures designed in response. Cross-reference to ISA 240.36 and ISA 240.38.

4. Communication (ISA 240.40–41)

Because the suspected fraud involves the CFO (who is also the sole director), ISA 240.41 applies. Communicate directly to those charged with governance. In a single-director B.V. where the director is the suspected party, governance communication becomes complex. Consider whether a supervisory board or a shareholder independent of J. Groot exists. ISA 240.41 applies “unless all of those charged with governance are involved in managing the entity”: if J. Groot is also the only shareholder, there is nobody within the entity to escalate to, and the response moves to ISA 240.38 (ability to continue the engagement) and ISA 240.43 (reporting outside the entity).

Documentation note

Record the communication (who, when, what was communicated). If no governance body exists independent of J. Groot, record the limitation and the engagement partner’s consideration of withdrawal. Reference ISA 240.41, ISA 240.38(b) and ISA 240.43.

Conclusion. The file now documents a suspected fraud involving management override of controls. The journal entry, the prior year pattern, the undisclosed related party, the absence of supporting documentation, and the CFO’s dual role are all recorded with cross-references to the relevant ISA paragraphs. The reviewer sees the risk indicators, the evaluation, the expanded procedures, and the governance communication plan.

Your engagement checklist

  1. During the ISA 315 planning discussion, discuss fraud risk factors specific to this client using the categories in ISA 240.A25–A30. Record the discussion and the conclusions reached (ISA 240.15).
  2. Design journal entry testing criteria that target entries associated with fraud: period-end timing, unusual posters, P&L entries without system support, round sums, missing descriptions. Document the criteria before testing (ISA 240.32(a)).
  3. For each assessed fraud risk at the assertion level, design a procedure that changes what you test or when you test it compared to the standard programme. Document how the procedure addresses the specific fraud risk (ISA 240.30–31).
  4. Include top-side adjustments and consolidation entries in the scope of journal entry testing. These bypass normal posting controls and are often the highest-risk entries (ISA 240.32(a)).
  5. If you identify a misstatement that may result from fraud, document the indicators before requesting management’s explanation. Evaluate the implications for the rest of the audit and reassess the fraud risk (ISA 240.35–36).
  6. Know the communication hierarchy before you need it: management (at least one level above those involved) for employee-level fraud, those charged with governance for fraud involving management or staff with significant roles in internal control, external parties (FIU-Nederland, AFM) where legal obligations apply. Document every communication (ISA 240.40–43).

Common mistakes regulators flag

  • No link between risk assessment and procedure. The FRC’s thematic review of fraud-related audit procedures found that engagement teams frequently failed to design procedures specifically responsive to assessed fraud risks. The risk assessment identified revenue fraud as significant, but the audit programme contained no procedures different from what would have been performed if the risk were assessed at a normal level. ISA 240.30 requires a demonstrable link between the assessed risk and the designed response.
  • Random journal entry selection. The AFM has noted that journal entry testing on many engagements was performed on a random basis rather than using risk-based selection criteria. ISA 240.A45 is explicit: the auditor selects journal entries based on the characteristics of fraudulent entries. Random selection of 25 entries from a population of 15,000 has a negligible probability of detecting a fraudulent entry that was designed to avoid detection.


Frequently asked questions

What is a fraud indicator under ISA 240?

A fraud indicator is a condition that suggests fraud may exist. ISA 240.A25 through A30 catalogues fraud risk factors across two categories: misstatements arising from fraudulent financial reporting and misstatements arising from misappropriation of assets. The auditor does not need certainty that fraud has occurred. A fraud indicator is sufficient to trigger a specific audit response under ISA 240.28–33.

What are the four levels of the ISA 240 response hierarchy?

The ISA 240 response hierarchy has four levels: (1) overall responses to assessed fraud risks at the engagement level (ISA 240.28–29), including assigning experienced staff and increasing unpredictability; (2) procedures responsive to assessed risks at the assertion level (ISA 240.30); (3) mandatory procedures to address management override (ISA 240.31–33), including journal entry testing, estimate bias review, and evaluation of significant unusual transactions; and (4) evaluation of and response to identified or suspected fraud (ISA 240.35–43), including communication to management, to those charged with governance and, where required, outside the entity.

Can the auditor delegate journal entry testing to junior staff?

ISA 240.32 requires three specific procedures on every engagement: testing journal entries, reviewing estimates for bias, and evaluating significant unusual transactions. These are mandatory procedures addressing management override and should not be delegated to junior staff who lack the experience to identify fraud indicators. The engagement team members performing these procedures need sufficient understanding of the entity and its fraud risks to recognise anomalies.

What should the auditor do when fraud involves senior management?

If the suspected fraud involves management, ISA 240.41 requires the auditor to communicate to those charged with governance rather than to the management involved. If no governance body exists independent of the suspected party, the auditor records the limitation, considers withdrawal from the engagement under ISA 240.38(b), and determines under ISA 240.43 whether there is a responsibility to report outside the entity. In certain jurisdictions, external reporting obligations may also apply.

What is the most common audit deficiency regulators find in fraud response?

The most common deficiency is the gap between the risk assessment and the procedure. The file identifies revenue fraud as a significant risk, but the audit programme contains no procedures different from what would have been performed at a normal risk level. ISA 240.30 requires a demonstrable link between the assessed fraud risk and the designed response. Random journal entry selection rather than risk-based criteria is another frequently flagged issue.

Further reading and source references

  • IAASB Handbook 2024: the authoritative source for the complete ISA 240 text, including all application material on fraud risk factors (ISA 240.A25–A30) and journal entry testing (ISA 240.A45–A48).
  • ISA 240, The Auditor’s Responsibilities Relating to Fraud: the parent standard governing fraud risk identification, management override, and the response hierarchy.
  • ISA 315 (Revised 2019), Identifying and Assessing Risks of Material Misstatement: the risk assessment that drives the fraud response procedures.
  • ISA 550, Related Parties: the standard governing undisclosed related party identification, directly relevant to fraud indicator evaluation.
  • ISA 505, External Confirmations: the standard governing direct confirmation as an alternative to client-prepared evidence.