What are fraud risk factors?

Fraud risk factors are the observable conditions that make fraud more likely. They are organised around the fraud triangle — three elements that are typically present when fraud occurs:

  • Incentive or pressure. A reason to commit fraud, such as aggressive earnings targets, personal financial difficulties, or compensation structures tied to financial performance.
  • Opportunity. Circumstances that allow fraud to be committed, such as weak internal controls, complex transactions, significant related party dealings, or dominant management without effective oversight.
  • Attitude or rationalisation. A mindset that permits the individual to justify fraudulent behaviour, such as a culture of "bending the rules," management's disregard for controls, or a history of aggressive accounting positions.

ISA 240 requires the auditor to identify fraud risk factors through inquiries, analytical procedures, and consideration of other information obtained during the audit. The presence of fraud risk factors does not mean fraud has occurred — it means the conditions that make fraud possible are present, and the auditor must assess whether they give rise to a risk of material misstatement due to fraud.

Key Points

  • Fraud risk factors are conditions, not conclusions. Their presence signals elevated risk but does not prove fraud has occurred. The auditor uses them to identify and assess risks of material misstatement due to fraud.
  • ISA 240 provides extensive examples. Appendix 1 (ISA 240.A25–A28) lists fraud risk factors for fraudulent financial reporting and misappropriation of assets, organised by incentive, opportunity, and rationalisation.
  • Revenue recognition is presumed to be a fraud risk. ISA 240.26 requires the auditor to treat revenue recognition as a risk of material misstatement due to fraud unless the presumption is specifically rebutted.
  • Management override is always a fraud risk. ISA 240.31 establishes that the risk of management override of controls cannot be rebutted, regardless of the entity's control environment.

Why it matters in practice

Worked example: Janssen Pharma

Janssen Pharma NV is a pharmaceutical distributor. During the planning phase, the audit team identifies the following fraud risk factors:

  • Incentive: The CFO's bonus is 40% of base salary and entirely dependent on meeting an EBITDA target. The entity is EUR 800,000 below the target with two months remaining in the financial year.
  • Opportunity: Revenue is recognised on a bill-and-hold basis for a significant customer, with manual journal entries used to record the transactions. No automated controls exist over the timing of revenue recognition for these arrangements.
  • Rationalisation: During team discussion, a senior team member notes that the CFO has previously described year-end adjustments as "smoothing out timing differences" and has pushed back on proposed audit adjustments in prior years.

Based on these factors, the team identifies a fraud risk of premature revenue recognition for bill-and-hold transactions. The response includes: testing all bill-and-hold transactions in the final quarter against the specific recognition criteria (IFRS 15.B79–B82), examining manual journal entries that increase revenue in the final month, and performing cut-off testing with an extended sample around the year end.

Fraud risk factors vs fraud risks

Fraud risk factors are the conditions — the raw ingredients. A bonus tied to revenue targets is a fraud risk factor (incentive). Weak controls over manual journal entries are a fraud risk factor (opportunity). A dismissive attitude toward internal audit findings is a fraud risk factor (rationalisation).

Fraud risks are the auditor's assessed risks of material misstatement due to fraud — the conclusions drawn from evaluating the factors. "Risk of fictitious revenue through manual journal entries in Q4" is a fraud risk. It combines the identified factors into a specific risk that drives the audit response.

The distinction matters because the auditor must document both: the factors identified (ISA 240.44) and the resulting fraud risks assessed (ISA 240.25–27), along with the audit procedures designed to address each fraud risk.

What reviewers catch

Fraud risk assessment is among the most frequently cited deficiency areas in regulatory inspections:

  • Generic risk assessments. The file listed fraud risk factors copied from the standard's appendix without linking them to the specific entity's circumstances or explaining why each was relevant.
  • No documented link between factors and responses. Fraud risk factors were identified but the file did not show how they translated into specific fraud risks or how audit procedures were designed to address those risks.
  • Revenue recognition presumption rebutted without sufficient basis. The auditor rebutted the presumption that revenue recognition is a fraud risk but the documentation did not explain why the presumption was not applicable to the entity's specific circumstances.
  • Engagement team discussion not evidenced. ISA 240.15 requires a discussion among the engagement team about the susceptibility of the entity's financial statements to material misstatement due to fraud. The file contained no evidence this discussion took place.

Key standard references

  • ISA 240.15: Discussion among the engagement team regarding the susceptibility of the entity's financial statements to material misstatement due to fraud.
  • ISA 240.16–24: Identifying and assessing the risks of material misstatement due to fraud through inquiries, analytical procedures, and other information.
  • ISA 240.25–27: Identifying fraud risks, including the presumptions regarding revenue recognition and management override.
  • ISA 240.A25–A28: Appendix 1 — examples of fraud risk factors relating to fraudulent financial reporting and misappropriation of assets.
  • ISA 240.44: Documentation requirements, including the identified fraud risk factors and the auditor's responses to the assessed risks of material misstatement due to fraud.

Frequently asked questions

What is the difference between fraud risk factors and fraud risks?

Fraud risk factors are the underlying conditions — the incentive, opportunity, or rationalisation that make fraud more likely. Fraud risks are the specific risks of material misstatement due to fraud that the auditor identifies based on those factors. For example, management compensation tied to revenue targets (fraud risk factor — incentive) combined with complex revenue arrangements with side agreements (fraud risk factor — opportunity) may lead the auditor to identify a fraud risk of fictitious revenue recognition. The factors are inputs; the fraud risks are the auditor's conclusions about where fraud could occur.

Are fraud risk factors the same as the fraud triangle?

The fraud triangle (incentive/pressure, opportunity, rationalisation) is the conceptual framework. Fraud risk factors are the specific, observable conditions that map to each leg of the triangle. ISA 240 uses the fraud triangle framework and provides extensive examples of fraud risk factors in its appendices (ISA 240.A25–A28), organised by whether they relate to fraudulent financial reporting or misappropriation of assets, and by which leg of the triangle they address.

Must the auditor identify fraud risk factors on every audit?

Yes. ISA 240.16–24 requires the auditor to make inquiries, perform analytical procedures, consider other information, and hold engagement team discussions specifically to identify fraud risk factors. This is not optional and applies to every audit engagement regardless of the entity's size, industry, or perceived risk level. The auditor must also presume that revenue recognition is a fraud risk unless the presumption is rebutted with documented reasons.