What are fraud risk factors?
ISA 240.25 requires the engagement team to discuss the susceptibility of the entity's financial statements to material misstatement due to fraud. That discussion must cover where and how fraud could occur, meaning the team needs to identify the fraud risk factors present on this specific engagement.
The standard does not require the auditor to prove fraud exists. It requires the auditor to recognise conditions that make fraud more likely. ISA 240 Appendix 1 lists examples across two fraud types (fraudulent financial reporting and misappropriation of assets) and across the three fraud triangle categories. The auditor evaluates which factors are present and considers them alongside other information obtained during the audit (including from ISA 315 (Revised 2019) risk assessment procedures).
Where practitioners often stop too early: they note the presence of a fraud risk factor but do not document how that factor, combined with others, leads to an assessed fraud risk on a specific assertion. ISA 240.27 requires the auditor to identify and assess the risks of material misstatement due to fraud at the financial statement level and at the assertion level. A fraud risk factor is an input to that assessment, not the assessment itself.
Key Points
- Fraud risk factors are conditions, not evidence of fraud itself. Their presence signals elevated risk but does not prove fraud has occurred.
- ISA 240 Appendix 1 provides examples organised by the fraud triangle categories: incentive/pressure, opportunity, and rationalisation/attitude.
- The auditor must consider these factors for both fraudulent financial reporting and misappropriation of assets.
- ISA 240 (Revised 2024) strengthens the requirements around fraud risk factor identification, effective December 2026.
Why it matters in practice
Worked example: Castellón Construcciones S.L.
Spanish construction company, FY2024, revenue €67M, Spanish GAAP (PGC). Three ongoing infrastructure projects for municipal governments, milestone-based revenue recognition.
Step 1: Identify fraud risk factors for fraudulent financial reporting. Incentive/pressure: bank covenant requires minimum EBITDA of €5.5M, projected EBITDA is €5.8M (thin margin). Opportunity: milestone revenue recognition involves significant management judgment about percentage of completion; project managers who report completion percentages are not independent of bidding teams. Attitude: prior year audit adjustments included €320K reversal of prematurely recognised revenue, management disputed the adjustment.
Documentation note
"Fraud risk factors identified for fraudulent financial reporting: (1) EBITDA covenant pressure (projected €5.8M vs required €5.5M), (2) judgment in milestone completion assessments with no segregation between project management and bidding, (3) prior year revenue reversal of €320K disputed by management."
Step 2: Identify fraud risk factors for misappropriation of assets. Construction sites hold significant physical materials. Site-level inventory controls rely on the same individuals for purchasing authorisation and physical counts, so there is no segregation between those who order materials and those who count them.
Step 3: Assess the resulting fraud risks. Combination of covenant pressure and judgment-heavy revenue recognition, reinforced by prior year disputed adjustments, creates risk of material misstatement due to fraud on revenue recognition (milestone revenue, assertion: occurrence and accuracy).
What reviewers get wrong
PCAOB inspection findings consistently note teams identify fraud risk factors but fail to link them to assessed risks at the assertion level. Factors appear in the planning file as a checklist; the fraud risk assessment in the risk section does not reference them. ISA 240.27 requires this linkage.
Teams default to the presumed fraud risk on revenue recognition (ISA 240.26) without evaluating whether specific fraud risk factors point to a different assertion or account balance. Additional fraud risks beyond revenue recognition are often warranted but not assessed.
Key standard references
- ISA 240.25–27: Identifying and assessing the risks of material misstatement due to fraud, including the engagement team discussion and fraud risk factor evaluation.
- ISA 240 Appendix 1: Examples of fraud risk factors for fraudulent financial reporting and misappropriation of assets, organised by incentive, opportunity, and rationalisation.
- ISA 240.26: Presumption that revenue recognition involves fraud risk.
- ISA 240 (Revised 2024): Strengthened requirements around fraud risk factor identification, effective December 2026.
Jurisdiction notes
ISA 240 addresses the auditor's responsibilities relating to fraud. In the United Kingdom, ISA (UK) 240 requires the engagement team discussion to include how and where the entity's financial statements may be susceptible to material misstatement due to fraud, with the FRC noting deficiencies in the specificity of fraud risk discussions during inspections. In the Netherlands, NV COS 240 applies the same fraud risk assessment requirements; the AFM has identified insufficient scepticism in evaluating management override of controls as a recurring finding. In Australia, ASA 240 mirrors the IAASB base standard; ASIC has highlighted that auditors should maintain heightened scepticism around revenue recognition fraud risk (ISA 240.26) and journal entry testing (ISA 240.32).
In the United States, fraud responsibilities are addressed by AU-C 240 for non-public entity audits and PCAOB AS 2401, Consideration of Fraud in a Financial Statement Audit, for SEC registrant audits. AS 2401 requires the auditor to conduct a brainstorming session among the engagement team to discuss how and where the financial statements might be susceptible to material misstatement due to fraud. The PCAOB places particular emphasis on the presumed fraud risk in revenue recognition, management override of controls (including journal entry testing), and significant unusual transactions. PCAOB inspection reports have frequently cited deficiencies in the specificity of fraud risk assessments and insufficient scepticism when evaluating management explanations for unusual transactions. AS 2110 requires auditors to identify and assess fraud risks as part of the overall risk assessment process.
Frequently asked questions
What is the difference between fraud risk factors and fraud risks?
Fraud risk factors are the underlying conditions — incentive, opportunity, or rationalisation — that make fraud more likely. Fraud risks are the specific risks of material misstatement due to fraud that the auditor identifies based on evaluating those factors. The factors are inputs; the fraud risks are the auditor's conclusions about where fraud could occur on specific assertions.
Must the auditor consider fraud risk factors for misappropriation of assets?
Yes. ISA 240 Appendix 1 provides separate fraud risk factor examples for misappropriation, organised by the same three fraud triangle categories. On engagements with significant physical assets, cash handling, or procurement activity, the assessment should cover misappropriation as a distinct fraud type.