Key Takeaways

  • ISA 240.32(a) requires the auditor to test journal entries for appropriateness, but does not prescribe sample sizes or define “appropriate” for your client. Selection criteria must respond to the specific fraud risks identified during planning.
  • Generic criteria like “large and unusual” are insufficient. Effective criteria combine timing, user, account, and amount filters linked to identified fraud risks.
  • Population completeness is a common inspection finding. ISA 240.A45 requires the auditor to consider entries from the GL, consolidation systems, spreadsheet adjustments, and post-trial-balance entries.
  • Every tested entry needs documentation that states what the supporting document was, what it showed, and why the business rationale is consistent with other audit evidence. “Tested to support, no issues” is not sufficient.

You’re reviewing a mid-size manufacturer’s general ledger. 14,000 journal entries posted in the year. The audit program says “test journal entries for fraud risk.” Your senior handed you the working paper template and said “pick some entries.” That instruction is how ISA 240 deficiencies start.

To test journal entries for fraud under ISA 240, identify entries with characteristics that match the client’s specific fraud risks (ISA 240.32(a)), apply criteria-based selection rather than random sampling, test entries back to original supporting documentation, and evaluate whether the business rationale is consistent with the client’s operations.

What ISA 240.32(a) requires and why most files fall short

ISA 240.32(a) requires the auditor to test the appropriateness of journal entries recorded in the general ledger and other adjustments made in the preparation of the financial statements. That sentence is broad on purpose. The standard does not prescribe a sample size, does not require testing every entry, and does not define what “appropriateness” means for your specific client. Your job is to make those decisions and document why.

The requirement sits under the broader fraud response section of ISA 240.28 through 240.33, which means journal entry testing isn’t a standalone procedure. It responds to the fraud risks you identified during planning. If your planning identified revenue recognition as the presumed fraud risk (ISA 240.26), your journal entry criteria should target entries that could inflate revenue. If your team discussion under ISA 240.15 identified management override through cost capitalisation, your criteria should target entries to fixed assets that bypass the normal purchase order workflow. The selection criteria follow the risks. Not the other way around.

ISA 240.A45 addresses one of the hardest parts: obtaining a complete population. The standard acknowledges that journal entries may exist in the formal general ledger, in consolidation systems, in spreadsheet-based adjustments, and in entries made directly to the financial statements after the trial balance was extracted. If you only tested entries from the GL export, you tested part of the population. The application material at ISA 240.A46 specifically notes that the auditor should consider entries made at unusual times (year-end, post-closing) and entries made by individuals who don’t normally post journal entries.

This is where most files get flagged. Auditors don’t skip journal entry testing entirely. What goes wrong is that selection criteria are generic (“large and unusual”), populations are incomplete (GL entries only, no consolidation adjustments), and documentation doesn’t link criteria back to identified fraud risks.

Reconcile before you select

Take the opening trial balance, add all journal entries, and confirm the result matches the closing trial balance. If it doesn’t, entries are missing from your population or you’ve received duplicate data. This reconciliation takes 15 minutes in Excel and prevents the most common population completeness failure.

How to define fraud-specific selection criteria

The default criterion most teams use is “entries above materiality” or “entries that look unusual.” Both are inadequate under ISA 240.32(a) because they don’t respond to specific fraud risks. A €500,000 entry to cost of goods sold might be entirely routine for a wholesaler. A €12,000 entry to consulting expenses posted on 30 December by the CFO’s login might be the one that matters.

Start with the fraud risks identified during planning. ISA 240.A44 provides guidance on characteristics that may indicate fraudulent entries, and four categories work for most engagements.

Timing-based criteria

Target entries posted outside normal business processes. Year-end adjustments, entries posted on weekends or public holidays, entries made after the reporting date but before the financial statements were authorised. For clients with monthly close processes, entries posted after the soft close deadline for any given month also qualify.

Quick win for timing analysis

Pull a list of all entries posted on non-business days from the client’s ERP system. That list is usually short and often revealing.

User-based criteria

Target entries posted by individuals with unusual posting authority. The CFO posting directly to the GL, a sales director posting to revenue accounts, any user posting entries outside their normal account range. ISA 240.A46(b) flags this explicitly. Request the client’s user access log alongside the journal entry data. Map each posting user to their job function. Entries posted by users whose primary role isn’t bookkeeping deserve scrutiny.

Account-based criteria

Target entries to accounts associated with the specific fraud risk. If your risk is revenue inflation, filter for manual entries to revenue, deferred revenue, trade receivables, and contract asset accounts. If your risk is expense manipulation, filter for entries between expense accounts and balance sheet accounts that could represent improper capitalisation. Use the analytical review tool to identify accounts with unexpected movements first, then trace those movements to specific journal entries.

Amount-based criteria

The weakest of the four but still relevant. Round-number entries (exactly €100,000, €250,000), entries just below approval thresholds, entries that net to zero across two accounts. These work as a secondary filter layered on top of the other categories. On their own, they select too many false positives to be efficient.

Document criteria before running the selection

The file should show what you were looking for, why you were looking for it (linked to the fraud risk), what population you searched, and what you found. If the criteria produce nothing, that result is documented too.

Testing the entries: what to check and how far to go

Selecting entries is half the work. Testing them is where the evidence lives.

For each selected entry, ISA 240.32(a) requires you to test appropriateness. In practice, that means four things. Obtain the original supporting documentation (invoice, contract, board minute, management calculation). Compare the entry description and amount to the supporting document. Evaluate whether the entry has a legitimate business rationale. Check whether the entry was authorised through the normal approval process or bypassed it.

The depth of testing scales with the fraud risk indicator. An entry flagged only because it’s a round number posted at year-end needs basic vouching to supporting documentation. An entry flagged because it was posted by the CFO directly to revenue on 28 December, bypassing the normal sales processing workflow, needs original source documentation, an explanation from the CFO recorded in the working paper, and consideration of whether additional entries with similar characteristics exist.

ISA 240.A47 notes that the nature and extent of testing is a matter of professional judgment, but your judgment must be documented. A working paper that says “tested to supporting documentation, no issues noted” for an entry with four fraud indicators won’t survive a quality review. State what the supporting documentation was, what it showed, and why it satisfies you.

IT considerations for journal entry populations

ISA 240.A45 and A48 touch on an area that non-Big 4 firms often underweight: the IT environment’s effect on your journal entry population. If the client runs SAP, Oracle, or another enterprise ERP, the system logs every posting with a user ID, timestamp, and posting key. Request the full audit trail export, not just the summarised journal listing the finance team normally provides. The summarised listing may exclude system-generated entries, recurring entries, or entries reversed and reposted within the same period.

For clients on smaller systems (Exact Online, AFAS, Twinfield), ask the finance team whether any entries were posted outside the primary system. Excel-based consolidation adjustments are the most common source of entries that sit outside the ERP. If the client uses intercompany elimination spreadsheets, those adjustments are part of your population. Ask for them explicitly. The client won’t volunteer them unless you do.

Don’t forget reversed entries

A journal entry posted and reversed the same day doesn’t show up in a period-end balance, but it may have been visible during an interim period. If your fraud risk relates to window-dressing, reversed entries matter. ISA 240.A48 addresses adjustments made in the course of preparing financial statements, and reversals fall within that scope.

For entries to accounts outside the normal transaction cycle, request a written explanation from the preparer. Record the explanation in the working paper and state whether you find it consistent with the client’s operations. “Consistent” means the explanation matches what you know about the business from other audit evidence. An entry reclassifying €400,000 from operating expenses to intangible assets needs more than a journal voucher. It needs evidence that the expenditure meets the recognition criteria under IAS 38.57.

How to document results that withstand review

Your journal entry testing working paper needs to tell a coherent story. A reviewer (whether your engagement partner or an AFM inspector) will look for four things in order: the complete population and how you confirmed completeness, the selection criteria and the fraud risk each criterion responds to, the entries selected and the rationale for selection boundaries, and the results of testing with specific evidence references.

Structure the working paper with a population summary at the top (source, record count, reconciliation to TB), a criteria table (each criterion mapped to the fraud risk it addresses), a selection summary (entries meeting each criterion, entries selected for testing, rationale for any entries not tested), and a detailed testing schedule below. Each row of the testing schedule should show the entry number, amount, posting date, posting user, account, the criterion it triggered, the supporting document obtained, and your conclusion.

Avoid conclusions that could apply to any entry. “Tested to supporting documentation, no issues noted” tells a reviewer nothing. “Tested to signed purchase order #PO-2024-0847 dated 15 November 2024, delivery note signed by warehouse manager, amount per invoice matches PO within €12 rounding. Entry is consistent with normal procurement cycle. No fraud indicator.” tells a reviewer everything they need.

Worked example: Kroon Metaal B.V.

Client: Kroon Metaal B.V., a Dutch industrial parts manufacturer. Revenue €38M, 340 employees. Year-end 31 December 2024. Non-Big 4 audit, second year of the engagement.

Identified fraud risks (from planning): Revenue recognition (ISA 240.26 presumption): risk of fictitious sales or premature revenue recognition on long-lead-time orders. Management override (ISA 240.31): CFO has direct GL posting access, approval of journal entries is informal.

Step 1. Obtain the complete population

Request the full journal entry listing from the client’s ERP system (SAP Business One) for the period 1 January 2024 to the date the financial statements were authorised for issue. Also request any consolidation adjustments and spreadsheet-based entries not processed through the ERP. Reconcile the total of all entries to the movement in the trial balance.

Documentation note: “Obtained journal entry population from SAP Business One export dated [date]. Population includes 14,237 entries. Consolidation adjustments obtained separately from finance manager’s consolidation workbook (47 entries). Total reconciled to TB movement. No entries identified outside these two sources.”

Step 2. Apply fraud-specific criteria

Based on the two identified fraud risks, apply four filters:

  • Revenue entries posted in the last five business days of December 2024 or in January 2025 with a December posting date (targets revenue cut-off manipulation)
  • All entries posted by the CFO’s user ID to any account (targets management override)
  • Manual entries to revenue accounts (accounts 8000–8999) that bypassed the automated sales order process (targets fictitious revenue)
  • Entries posted on weekends or public holidays throughout the year (targets override through off-cycle posting)

Documentation note: “Selection criteria designed to respond to revenue recognition fraud risk (ISA 240.26) and management override risk (ISA 240.31). Criteria applied to complete population of 14,284 entries across both sources.”
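The Step 1 reconciliation and the four Step 2 filters, sketched in Python as an added example (not from the original article or from any client system). The field names, the CFO user ID `cfo01`, the holiday calendar and the sample journal lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta
from decimal import Decimal

# Assumptions for illustration: CFO user ID, holiday calendar, field names.
CFO_USER = "cfo01"
HOLIDAYS = {date(2024, 12, 25), date(2024, 12, 26), date(2025, 1, 1)}
REVENUE = range(8000, 9000)  # revenue accounts 8000-8999

def is_business_day(d):
    return d.weekday() < 5 and d not in HOLIDAYS

def last_business_days(year, month, n):
    """Last n business days of the given month."""
    d = date(year + month // 12, month % 12 + 1, 1) - timedelta(days=1)
    days = set()
    while len(days) < n:
        if is_business_day(d):
            days.add(d)
        d -= timedelta(days=1)
    return days

CUTOFF_DAYS = last_business_days(2024, 12, 5)

def late_december_revenue(e):
    # System entry time and ledger posting date are compared separately,
    # so a January entry carrying a December posting date is caught.
    entered, posting = e["entered_at"].date(), e["posting_date"]
    backdated = ((entered.year, entered.month) == (2025, 1)
                 and (posting.year, posting.month) == (2024, 12))
    return e["account"] in REVENUE and (entered in CUTOFF_DAYS or backdated)

# Criterion -> (fraud risk it responds to, test applied to one journal line)
CRITERIA = {
    "1 late-December revenue": ("revenue cut-off manipulation", late_december_revenue),
    "2 CFO posting": ("management override", lambda e: e["user"] == CFO_USER),
    "3 manual revenue": ("fictitious revenue",
                         lambda e: e["account"] in REVENUE and e["origin"] == "manual"),
    "4 non-business day": ("override through off-cycle posting",
                           lambda e: not is_business_day(e["entered_at"].date())),
}

def flag(entries):
    """Return {entry id: [criteria met]}; listing every hit allows de-duplication."""
    hits = {}
    for e in entries:
        met = [name for name, (_, test) in CRITERIA.items() if test(e)]
        if met:
            hits[e["id"]] = met
    return hits

def reconcile(opening, entries, closing):
    """Return {account: difference} where opening TB + entries != closing TB."""
    movement = defaultdict(Decimal)
    for e in entries:
        movement[e["account"]] += e["amount"]
    diffs = {}
    for acct in set(opening) | set(closing) | set(movement):
        diff = opening.get(acct, Decimal(0)) + movement[acct] - closing.get(acct, Decimal(0))
        if diff:
            diffs[acct] = diff
    return diffs

def line(id, entered, posting, user, account, amount, origin):
    return {"id": id, "entered_at": datetime.fromisoformat(entered),
            "posting_date": date.fromisoformat(posting), "user": user,
            "account": account, "amount": Decimal(amount), "origin": origin}

# Constructed sample lines (credits negative), not client data.
ENTRIES = [
    line("JE-1001", "2024-06-12T10:00", "2024-06-12", "ar02", 8000, "-50000", "sales_order"),
    line("JE-1002", "2024-12-30T15:00", "2024-12-30", "ar02", 8000, "-120000", "sales_order"),
    line("JE-1003", "2025-01-08T09:00", "2024-12-31", "ar02", 8100, "-30000", "manual"),
    line("JE-1004", "2024-09-14T11:00", "2024-09-14", "cfo01", 6400, "12000", "manual"),
]
CLOSING_TB = {8000: Decimal("-170000"), 8100: Decimal("-30000"), 6400: Decimal("12000")}
```

Running `reconcile` first matters: dropping a line from the population leaves a non-zero difference on its account, which signals that the filters would be running over an incomplete data set.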

Step 3. Review the output and select entries for testing

The filters produce 89 entries. 62 are late-December revenue entries (filter 1). 14 are CFO-posted entries (filter 2). 8 are manual revenue entries (filter 3). 5 are weekend postings (filter 4, after removing duplicates already captured by other filters).

From the 62 late-December revenue entries, select all entries above performance materiality (€190,000) and a sample of entries below it, targeting entries where the delivery date per the sales order falls in January. Test all 14 CFO entries. The 8 manual revenue entries and 5 weekend entries are also tested in full.

Total entries selected for detailed testing: 41.

Documentation note: “89 entries met at least one criterion. 41 selected for detailed testing. All CFO entries, all manual revenue entries, and all weekend entries tested in full. Late-December revenue entries sampled based on amount and delivery date proximity to year-end. Rationale for selection documented per ISA 240.A44.”

Step 4. Test each selected entry

For each entry, obtain the supporting documentation. Revenue entries require the sales order, delivery note, and customer confirmation of receipt where available. CFO entries need the underlying calculation or business purpose, approved by the financial controller. Weekend entries require an explanation from the preparer plus screen evidence of the posting timestamp.

One CFO entry stands out. A €215,000 reclassification from operating expenses to development costs, posted on 29 December. The supporting document is a memo prepared by the CFO. No independent evidence that the expenditure meets IAS 38.57 criteria. This entry requires further investigation: request the project documentation, evaluate whether capitalisation criteria are met, and consider whether the entry was designed to improve operating profit at year-end.

Documentation note: “Entry #12847 (€215,000 reclassification to development costs, posted 29/12/2024 by CFO) flagged for further investigation. Supporting documentation limited to CFO memo. No project feasibility study or IAS 38.57 assessment on file. Discussed with engagement partner [date]. Additional procedures: request project file, assess capitalisation criteria, evaluate impact on operating profit.”

Conclusion

The journal entry testing identified one entry requiring further investigation and produced documented evidence that the remaining 40 tested entries were appropriately supported and consistent with the client’s operations. The file shows the complete population, the criteria (linked to fraud risks), the selection rationale, and the results of testing. A reviewer can trace the logic from fraud risk to criteria to entries tested to conclusion.

Practical checklist for journal entry testing

  1. Confirm the journal entry population is complete. GL entries alone are insufficient. Request consolidation adjustments, spreadsheet entries, post-trial-balance adjustments, and any manual top-side entries separately. Reconcile the total to the TB movement (ISA 240.A45).
  2. Write your selection criteria before you run the selection. Link each criterion to a specific fraud risk identified during planning. Document the criteria in the working paper (ISA 240.32(a)).
  3. Include at least one timing-based criterion (year-end, post-closing, weekends) and one user-based criterion (entries by unusual users or with unusual approval patterns) in every engagement (ISA 240.A46).
  4. Test every entry posted by C-suite or senior management directly to the GL, regardless of amount. These entries are where management override lives (ISA 240.31).
  5. For each tested entry, state what the supporting document was, what it showed, and whether the business rationale is consistent with other audit evidence. “Agreed to supporting documentation, no issues” is not sufficient documentation under ISA 240.
  6. Document entries that met your criteria but were not selected for detailed testing, and state why. An inspector who sees 89 flagged entries and 41 tested will ask about the other 48.

Common mistakes reviewers flag

  • Using “large and unusual” as the only selection criterion without linking criteria to identified fraud risks. The AFM’s thematic review on fraud procedures identified this as the most frequent deficiency in journal entry testing files. ISA 240.32(a) requires a response to specific fraud risks, not a generic filter.
  • Testing only GL entries and missing consolidation adjustments, post-closing entries, and spreadsheet-based adjustments. ISA 240.A45 explicitly addresses population completeness, and incomplete populations are flagged by the FRC in its Annual Inspection results as a recurring finding.

Frequently asked questions

What does ISA 240.32(a) require for journal entry testing?

ISA 240.32(a) requires the auditor to test the appropriateness of journal entries recorded in the general ledger and other adjustments made in the preparation of the financial statements. The standard does not prescribe a sample size or define appropriateness for a specific client. The auditor must design criteria-based selection that responds to the fraud risks identified during planning, obtain complete populations including consolidation adjustments, and document the rationale for entries selected and excluded.

What selection criteria should be used for journal entry testing under ISA 240?

ISA 240.A44 provides guidance on characteristics that may indicate fraudulent entries. Effective criteria fall into four categories: timing-based (entries posted at year-end, on weekends, or after the reporting date), user-based (entries posted by individuals with unusual posting authority such as the CFO), account-based (manual entries to accounts associated with specific fraud risks like revenue), and amount-based (round numbers, entries just below approval thresholds). Criteria should be linked to the specific fraud risks identified during planning, not applied generically.

How do you ensure the journal entry population is complete under ISA 240?

ISA 240.A45 requires the auditor to consider entries from multiple sources: the formal general ledger, consolidation systems, spreadsheet-based adjustments, and entries made directly to the financial statements after the trial balance was extracted. To verify completeness, reconcile the total of all entries to the movement in the trial balance (opening TB plus all entries should equal closing TB). Request consolidation adjustments and post-trial-balance entries separately from the standard GL export.

Should all C-suite journal entries be tested regardless of amount?

Yes. Entries posted by C-suite or senior management directly to the general ledger should be tested regardless of amount because these entries are where management override risk under ISA 240.31 is most likely to materialise. Management override is a presumed fraud risk that cannot be rebutted, and journal entries posted by senior management bypassing normal approval workflows are the primary mechanism for override.

What documentation does ISA 240 require for journal entry testing?

The working paper should document: the complete population and how completeness was confirmed (source, record count, reconciliation to trial balance), the selection criteria and the fraud risk each criterion responds to, the entries selected and rationale for selection boundaries, and the results of testing with specific evidence references. For each tested entry, state what the supporting document was, what it showed, and whether the business rationale is consistent with other audit evidence. Generic conclusions like “tested to supporting documentation, no issues noted” are insufficient.

Further reading and source references

  • IAASB Handbook 2024: the authoritative source for the complete ISA 240 text, including all application material on journal entry testing (ISA 240.A44–A48).
  • ISA 240, The Auditor’s Responsibilities Relating to Fraud: the parent standard governing journal entry testing, management override, and the revenue recognition presumption.
  • ISA 315 (Revised 2019), Identifying and Assessing Risks of Material Misstatement: the risk assessment that drives the selection criteria for journal entry testing.
  • ISA 330, The Auditor’s Responses to Assessed Risks: the link between fraud risks assessed during planning and the journal entry testing procedures designed in response.
  • ISA 500, Audit Evidence: the evidence standard that defines “sufficient appropriate” for journal entry testing documentation.