What you'll learn

  • You'll be able to evaluate the 30-plus fraud risk factors from ISA 240 Appendix 1 using a structured approach that covers fraudulent financial reporting and misappropriation of assets across all fraud triangle dimensions
  • You'll understand the gating mechanism that prevents marking a factor as "not present" without entity-specific evidence (and why controls come after, not before, the presence evaluation)
  • You'll know how evaluated factors flow into the fraud risk register
  • You'll be able to document the evaluation in a way that passes regulatory inspection, with the required minimum of two sentences for any "not present" conclusion

The AFM found it in 2023. The FRC found it the year before. The same deficiency, different regulator: fraud risk factor evaluation that amounts to a column of "No" selections with no entity-specific reasoning behind them. The standard gives you 30-plus factors to consider. Most teams treat them as a checklist to clear, not as a diagnostic tool that feeds the risk register.

To evaluate ISA 240 fraud risk factors properly, assess each factor against all three fraud triangle dimensions (incentive or pressure, opportunity, and rationalisation or attitude) for both fraudulent financial reporting and misappropriation of assets, documenting entity-specific evidence for every evaluation before considering internal controls.

What the fraud triangle dimensions mean in practice

ISA 240.A1 (Appendix 1) organises fraud risk factors into the three conditions that are generally present when fraud occurs. These are not theoretical categories. They are diagnostic lenses, and each one asks a different question about the entity you are auditing.

Incentive or pressure asks: who at this entity has a reason to commit fraud? This includes management under pressure to meet debt covenants, employees with personal financial obligations, directors with share-based compensation tied to earnings targets, and owners facing earn-out thresholds. The inquiry is specific. You are looking for named individuals with identifiable pressures, not a generic "management may have incentive." If the CFO has a bonus tied to EBITDA and EBITDA is 5% above the threshold, that is a specific, documented pressure. If nobody at the entity has a documented reason to commit fraud, you can conclude the factor is not present, but that conclusion itself requires evidence.

Opportunity asks: does the entity's structure, operations, or control environment make fraud possible? This covers related-party transaction complexity, significant estimates with subjective inputs, weak IT general controls, inadequate segregation of duties, and management's ability to override the control system. Opportunity factors exist at almost every entity. The question is not whether opportunity exists in the abstract but which specific opportunities are present at this entity. A manufacturing company with EUR 3M of portable high-value inventory has a different opportunity profile from a professional services firm with no physical assets.

Rationalisation or attitude asks: is there something about the entity's culture, management's behaviour, or the ethical environment that would allow someone to justify committing fraud? This is the hardest dimension to evaluate because it relies on behavioural indicators rather than quantitative data. History of regulatory violations, management's dismissive attitude toward the audit process, failure to correct known control deficiencies, aggressive accounting positions, and a strained relationship between management and the auditor are all indicators. You will not find a number to document here. You will find patterns of behaviour.

All three dimensions must be evaluated separately for each factor. A factor can be present on one dimension but absent on another. The engagement team's job is to map each pre-populated factor to its dimension and evaluate it against entity-specific facts.

The structure of a fraud risk factor evaluation

A structured factor evaluation uses thirteen columns across four blocks. Understanding what each column does (and why it is positioned where it is) matters more than knowing the column count.

The first block identifies the factor: a reference number, the factor description (pre-populated from Appendix 1), the fraud triangle element it falls under (incentive/pressure, opportunity, or rationalisation/attitude), the fraud type it relates to (fraudulent financial reporting or misappropriation of assets), and the source of information (how the factor was identified: through inquiry, prior-year knowledge, industry research, or the team discussion).

The second block is the presence evaluation. This is the core of the working paper, and it contains two columns. The first asks: is this factor present at this entity? The answer is Yes or No. The second column requires an entity-specific explanation. If the answer is Yes, the explanation documents what evidence supports that conclusion, with enough detail for a reviewer to understand why the team concluded the factor is present. If the answer is No, the explanation must contain at least two sentences of entity-specific reasoning. "Not applicable" is not acceptable. "No indication of this factor based on our understanding of the entity" is also not acceptable. The explanation must reference specific facts about this entity that support the conclusion.

Why two sentences minimum for a "No" answer? Because regulators have observed that the default setting on most engagements is to mark factors as not present. The two-sentence requirement forces the team to engage with the factor rather than defaulting to "No." If you cannot write two entity-specific sentences explaining why a factor is not present, you may not have thought about it carefully enough.

The third block is the controls gate. This is a single column positioned deliberately after the presence evaluation. It asks: were controls assessed before completing the factor evaluation? The purpose of this column is explained in the next section.

The fourth block covers downstream flow: whether a whistleblower or reporting programme exists (completed for at least one row per engagement, and if no programme exists, that absence is itself a fraud risk factor under the opportunity dimension), whether the factor is carried forward to the risk register, and cross-reference columns linking to the risk register row where the factor is reflected.

The gating mechanism: why controls come after presence evaluation

This is the single most important structural feature of the factor evaluation, and it addresses the most common reason auditors under-identify fraud risk factors.

When the controls column sits before or alongside the presence evaluation, a predictable pattern emerges. The auditor sees a factor (say, "excessive pressure on management to meet third-party expectations"). The auditor thinks about the client's budgeting controls and bonus-approval process. The auditor marks the factor as "not present" because the controls mitigate the pressure. But the pressure exists regardless of controls. The CEO still has a covenant to meet. The CFO still has an earn-out target. Controls reduce the risk of fraud occurring, but they do not eliminate the incentive that creates the pressure in the first place.

This is not a theoretical problem. The AFM has specifically noted that firms conflate the presence of a fraud risk factor with the existence of a mitigating control. The factor evaluation is about inherent conditions. The risk assessment (performed in the risk register, after the factor evaluation) is about the risk of material misstatement after considering controls.

By positioning the controls column after the presence evaluation, the structure forces a two-stage process. First, evaluate whether the inherent condition exists based on entity-specific facts. Second, and only second, consider what controls the entity has in place. Factors that are present (regardless of controls) flow to the risk register, where the auditor then assesses the risk of material misstatement after considering the control environment.

This sequence matches ISA 315 (Revised 2019), which requires auditors to assess inherent risk before considering controls when identifying risks of material misstatement. ISA 240 applies the same logic to fraud risk factors. The factor evaluation is the inherent assessment. The risk register is where controls enter the picture.

If you find yourself wanting to reference a control to justify marking a factor as "not present," stop. Re-evaluate whether the factor is present as an inherent condition regardless of controls. If the condition exists (the pressure, the opportunity, the attitude indicator), the factor is present, and it flows to the risk register for further assessment.

Fraudulent financial reporting factors by dimension

Appendix 1 provides factors organised by dimension. For fraudulent financial reporting, the pre-populated factors cover the following areas.

Under incentive and pressure: financial stability or profitability threatened by economic or operating conditions, excessive pressure to meet third-party expectations (debt covenants, analyst forecasts, listing requirements), management's personal financial interest in entity performance (bonuses, share options, earn-outs), and excessive pressure to meet internally-set financial targets. These are the factors where you need specific financial data. What are the covenants? What is the headroom? What is the bonus structure? What are the targets?

Under opportunity: the nature of the industry or operations providing opportunities for fraudulent reporting (related-party transactions, significant estimates, complex financial instruments), ineffective board or management oversight of the financial reporting process, complex or unstable organisational structure (unusual legal entities, management turnover, understaffing), and deficient internal control components (inadequate monitoring, IT general controls, segregation of duties). Opportunity factors are often the easiest to evaluate because they relate to observable structural features of the entity.

Under rationalisation and attitude: inappropriate values or ethical standards communicated by management, history of violations of securities or other laws, management's excessive interest in maintaining share price or earnings trend, aggressive or unrealistic forecasts committed to third parties, failure to correct known significant control deficiencies on a timely basis, interest in minimising reported earnings for tax-motivated reasons, and a strained relationship between management and the current or predecessor auditor. These factors require judgment and are often the ones teams under-document.

Each factor needs entity-specific evaluation. "No indication" is not enough. "Dijkstra Logistics B.V. has no external debt covenants, no listing requirements, and management compensation is fixed salary with no performance component (confirmed via employment contracts reviewed)" is enough.

Misappropriation of assets factors

Misappropriation factors follow the same triangle structure but apply to physical assets and cash rather than financial statements.

Under incentive and pressure: personal financial obligations creating pressure on employees with access to susceptible assets, and adverse relationships between the entity and employees with asset access (known layoffs, compensation changes, missed promotions).

Under opportunity: large amounts of cash on hand or processed, inventory items that are small or high-value or in high demand, easily convertible assets (bearer bonds, precious metals, computer chips), fixed assets that are small or marketable or lack ownership identification, and inadequate internal control over assets (segregation of duties, authorisation, reconciliation, physical security, record-keeping, background checks). These opportunity factors require you to know what the entity has and who has access to it.

Under rationalisation and attitude: disregard for monitoring or reducing misappropriation risks, disregard for internal control by overriding existing controls or failing to correct known deficiencies, and behaviour indicating displeasure or dissatisfaction with the entity.

For entities with significant physical assets, portable inventory, or large cash volumes, the misappropriation section is at least as important as the fraudulent financial reporting section. Firms that devote extensive documentation to financial reporting factors but skip through the misappropriation section with a column of "No" entries are creating an inspection risk.

Third-party fraud factors (new in the revised standard)

The revised ISA 240 adds factors that were not explicitly covered in the current standard. These address the reality that fraud perpetrators are not always employees or management of the entity.

Two new pre-populated factors cover this area. First, whether third parties with access to entity assets or systems could perpetrate misappropriation. This includes outsourced service providers, IT contractors, temporary staff with system access, and delivery partners with warehouse access. Second, technology-enabled fraud pathways: cyber fraud, electronic fund transfer manipulation, and exploitation of IT system access. These factors reflect the increasing prevalence of fraud committed through technological means rather than traditional paper-based manipulation.

Blank rows at the end of the pre-populated list allow the team to add entity-specific and industry-specific factors that are not covered by Appendix 1. Use these rows. The pre-populated factors are a starting point, not an exhaustive list. Every entity has circumstances that go beyond the generic factors in the standard.

Worked example: Bakker Industrial B.V.

Scenario: Bakker Industrial B.V. manufactures precision metal components in the Netherlands. Revenue is EUR 47M. The company has a EUR 12M term loan with a 2.5x interest coverage covenant, tested quarterly. The CFO receives a bonus of 15% of salary if EBITDA exceeds EUR 6M. The factory holds EUR 3.2M of specialty steel inventory (high-value, portable in cut form). One production supervisor was dismissed last quarter after a dispute over overtime pay.

  1. Evaluate incentive/pressure for fraudulent financial reporting. Factor: "Excessive pressure on management to meet third-party expectations." Present? Yes. Entity-specific explanation: Bakker has a EUR 12M term loan with a quarterly-tested interest coverage covenant at 2.5x. Current-year interest coverage is projected at 2.7x, giving limited headroom of 0.2x. The CFO's bonus (15% of salary) is tied to EBITDA exceeding EUR 6M. Both conditions create financial reporting pressure that did not exist before the term loan was drawn in 2024. Documentation note: "Factor present. Covenant headroom of 0.2x documented per Q3 management accounts. CFO bonus confirmed per employment contract reviewed 14 March 2026. Both create incentive for revenue overstatement or cost deferral. Carried forward to risk register."

  2. Evaluate opportunity for misappropriation of assets. Factor: "Inventory items that are small, high value, or in high demand." Present? Yes. Entity-specific explanation: Bakker holds EUR 3.2M of specialty steel, including cut blanks that are individually worth EUR 500 to EUR 2,000 and are portable by hand. The factory operates two shifts; inventory counts occur quarterly. Between counts, physical access is controlled by shift supervisors, but no reconciliation of steel movements occurs between count dates. The steel type (precision-grade stainless) is in high market demand and easily resaleable. Documentation note: "Factor present. Steel blanks are high-value, portable, and in market demand. Quarterly count frequency means 3-month exposure window between physical verification. No between-count movement reconciliation. Carried forward to risk register."

  3. Evaluate rationalisation/attitude for misappropriation. Factor: "Behaviour indicating displeasure or dissatisfaction with the entity." Present? Yes. Entity-specific explanation: one production supervisor was dismissed in Q4 following a dispute over overtime pay. The supervisor had physical access to inventory and key-card access to the warehouse during the period of employment. The dismissal occurred after the most recent inventory count, creating a 6-week window between the dismissal and the next scheduled count. Documentation note: "Factor present. Dismissed employee had warehouse access through [date]. Post-dismissal access revocation confirmed via HR records. Period between dismissal and next inventory count: 6 weeks. Carried forward to risk register for evaluation of misappropriation risk during the exposure window."

  4. Evaluate opportunity for fraudulent financial reporting. Factor: "Deficient internal control components." Present? No. Entity-specific explanation: Bakker implemented a new ERP system (SAP Business One) in 2024 with segregated access roles mapped to job functions. Monthly management accounts are reviewed by the CFO and an independent non-executive director who chairs the audit committee. IT general controls were tested by the predecessor auditor with no significant findings, and we obtained and reviewed the predecessor's IT controls working paper. Segregation of duties is enforced through the ERP access matrix, which we tested during our planning procedures. Documentation note: "Factor not present. ERP access segregation confirmed via user access report (47 users, all mapped to approved role profiles). Monthly review by independent NED confirmed via board minutes (sampled 4 of 12 months). Predecessor IT controls working paper reviewed, no findings. Not carried forward."

  5. Controls gate completed after all presence evaluations. The controls column confirms that no factor evaluation was influenced by the existence of a mitigating control. All "present" factors are carried to the risk register for risk assessment. The whistleblower programme column is completed: Bakker has no formal whistleblower reporting programme. This absence is itself documented as an opportunity-dimension factor (added as an entity-specific factor in the blank rows).

Practical checklist

  1. Evaluate every pre-populated factor against this specific entity. Do not delete rows for factors you consider irrelevant. Mark them as "not present" with entity-specific reasoning (ISA 240.A1).
  2. Complete the presence evaluation for every factor before looking at the controls column. If you reference a control in your "not present" explanation, reconsider whether you are conflating factor presence with risk mitigation.
  3. Every "not present" conclusion requires at least two sentences of entity-specific evidence. "No indication" is not a conclusion. Name the facts.
  4. Complete the whistleblower programme column for at least one row per engagement. If no programme exists, document that absence as an entity-specific fraud risk factor under the opportunity dimension.
  5. After completing all factor evaluations, confirm that every "present" factor has been carried forward to the risk register with a cross-reference.

Common mistakes

  • Marking factors as "not present" because a compensating control exists. The factor evaluation assesses inherent conditions. Controls are assessed in the risk register, not in the factor evaluation. The AFM has flagged this pattern specifically in multiple inspection cycles.
  • Using identical explanations across multiple entities. If the explanation for "excessive pressure to meet third-party expectations" reads the same on a logistics company and a property developer, the evaluation is generic rather than entity-specific. An inspector can tell.
  • Ignoring the misappropriation of assets section. Fraudulent financial reporting gets most of the attention, but misappropriation factors (particularly for entities with portable high-value inventory or large cash volumes) are equally required by ISA 240.A1 and equally inspected.
  • Not updating the factor evaluation when new information emerges during fieldwork. If substantive testing reveals a control deficiency or a management behaviour pattern that constitutes a fraud risk factor, the factor evaluation should be updated before the risk register is finalised.
