Key Points
- Every journal entry must balance: total debits equal total credits, with no exceptions.
- ISA 240.32 requires auditors to test journal entries as a mandatory procedure on every audit engagement to address management override of controls.
- Non-standard or manual journal entries posted outside the normal transaction cycle carry elevated fraud risk.
- Most mid-market audits involve populations of 5,000 to 50,000 journal entries per year, requiring a risk-based selection strategy rather than full-population testing.
What is Journal Entry?
A journal entry records the debit and credit legs of a transaction, along with a posting date, a description, and (in most ERP systems) the user who posted it. Standard journal entries flow automatically from sub-ledgers: a sales invoice generates a debit to receivables and a credit to revenue without manual intervention. Manual journal entries, by contrast, are posted directly to the general ledger by accounting staff. These manual entries are where audit risk concentrates.
ISA 240.32(a) requires the auditor to design and perform procedures to test the appropriateness of journal entries recorded in the general ledger and other adjustments made in preparing the financial statements. The standard treats journal entry testing as a non-negotiable response to the presumed risk of management override. ISA 240.A43 explains the rationale: because management is in a position to override controls, fraudulent financial reporting often involves manipulation through journal entries that are recorded directly in the general ledger. The auditor selects entries based on characteristics such as entries made at unusual times, entries to seldom-used accounts, entries posted by senior personnel who do not normally make journal entries, and entries with round-number amounts or no description. Substantive procedures on the selected entries include vouching to supporting documentation and verifying that the entry has a legitimate business rationale.
Worked example: Henriksen Shipping A/S
Client: Danish maritime logistics company, FY2025, revenue EUR 140M, IFRS reporter. The engagement team is performing journal entry testing under ISA 240.32 as part of the audit of the FY2025 financial statements.
Step 1 — Obtain the complete population
The team extracts the full journal entry listing from Henriksen's SAP system for the period 1 January to 31 December 2025. The population contains 28,400 journal entries. The team reconciles the extracted total to the general ledger trial balance to confirm completeness. The net movement per the journal entry listing ties to the opening-to-closing movement per the trial balance within EUR 12 (a rounding difference).
Step 2 — Define risk-based selection criteria
The team identifies four risk characteristics. Entries posted on weekends or public holidays. Entries posted by the CFO or CEO (users who do not normally post entries). Entries to revenue accounts with an offsetting debit to a balance sheet account other than receivables. Entries with no description field or a description containing only generic text such as "adjustment" or "correction." These criteria target the fraud risk indicators listed in ISA 240.A44.
Step 3 — Select and test entries
The criteria flag 94 entries totalling EUR 6.2M in gross debits. The team selects all 94 for testing (the population of flagged entries is small enough for full testing). For each entry, the team inspects the supporting documentation, verifies the business rationale, confirms the account coding is appropriate, and checks authorisation. Of the 94 entries, 91 are supported. Three entries (totalling EUR 185,000) were posted by the CFO on 28 December 2025, debiting a prepaid charter cost account and crediting an operating expense account, with the description "year-end reclassification." The team investigates further.
Step 4 — Resolve the three flagged entries
The team obtains the underlying charter contracts and confirms that the reclassification relates to a prepayment for Q1 2026 charter hire that was initially recorded as a 2025 expense. The reclassification is appropriate under IAS 1.35 (current asset classification). The CFO posted the entries because the financial controller was on leave. The team confirms this with the financial controller upon their return and verifies the posted amounts against the charter invoices.
Conclusion: the journal entry testing covered the full population, applied risk-based criteria aligned to ISA 240.A44, and resolved all flagged items with supporting evidence, producing a defensible file that demonstrates the mandatory fraud-response procedure was performed with appropriate rigour.
Why it matters in practice
- The FRC's 2022/23 Audit Quality Inspection report identified journal entry testing as one of the most frequent areas of deficiency, finding that audit teams applied selection criteria that were too narrow to capture the relevant fraud risks on the specific engagement. ISA 240.A44 provides a list of characteristics to consider, but the list is not exhaustive. Teams that apply only one or two generic filters (such as "entries over EUR 100,000") without tailoring the criteria to the entity's fraud risk profile miss the point of the procedure.
- Teams often exclude automated or system-generated entries from the population on the assumption that automated entries cannot be manipulated. ISA 240.A43 makes no such distinction. Management can override automated controls by altering system parameters, creating manual override entries that reverse automated postings, or modifying master data that feeds the automated entry. The full population must be obtained before risk-based filtering begins.
Journal entry vs adjusting entry
| Dimension | Journal entry | Adjusting entry |
|---|---|---|
| Scope | Any transaction recorded in the accounting system, whether automated or manual | A subset of journal entries made at period-end to update account balances for accruals, deferrals, estimates, and reclassifications |
| Timing | Posted throughout the reporting period as transactions occur | Posted at or after period-end, before the financial statements are finalised |
| Audit risk profile | Risk depends on the nature of the entry; automated entries carry lower inherent risk than manual entries | Higher inherent risk because adjusting entries are manual, judgmental, and directly affect the reported figures |
| ISA 240 relevance | Full population subject to journal entry testing procedures under ISA 240.32 | Included in the journal entry testing population, but also subject to additional scrutiny as "other adjustments" under ISA 240.32(a) |
The practical distinction matters for audit planning. Adjusting entries are a subset of journal entries, but they carry disproportionate risk because they occur at the point in the reporting cycle where management has the strongest incentive and opportunity to manipulate results. The engagement team tests the full journal entry population under ISA 240.32 and then applies additional scrutiny to the adjusting entry subset as part of year-end procedures.
Related terms
Frequently asked questions
How do I select journal entries for testing on a small audit?
On a small entity audit, the journal entry population may contain fewer than 2,000 entries. ISA 240.32 still applies. Extract the full population, apply risk-based criteria (unusual timing, unusual accounts, entries by senior management, entries without descriptions), and test all flagged entries. If the flagged population is small enough, test every entry rather than sampling. ISA 240.A45 permits the auditor to consider the size of the population when designing the extent of testing.
Can I use data analytics for journal entry testing?
Yes, and ISA 240.A44 encourages the auditor to use computer-assisted audit techniques to identify entries with specific risk characteristics across the full population. Data analytics allows the auditor to test 100% of the journal entry population against multiple criteria simultaneously, which is more effective than manual filtering of a spreadsheet extract. The key requirement remains that the criteria are tailored to the entity's fraud risk profile, not generic.
Does journal entry testing apply to interim periods?
ISA 240.32(a) requires testing of journal entries recorded in the general ledger and other adjustments made in the preparation of the financial statements. If the auditor performs interim procedures, journal entry testing at interim covers the interim period. The auditor must then extend the testing to cover the remaining period and year-end adjusting entries, because year-end entries are the highest-risk population for management override.