What are fraud risk factors?

ISA 240.25 requires the engagement team to discuss the susceptibility of the entity's financial statements to material misstatement due to fraud. That discussion must cover where and how fraud could occur, meaning the team needs to identify the fraud risk factors present on this specific engagement.

The standard does not require the auditor to prove fraud exists. It requires the auditor to recognise conditions that make fraud more likely. ISA 240 Appendix 1 lists examples across two fraud types (fraudulent financial reporting and misappropriation of assets) and across the three fraud triangle categories. The auditor evaluates which factors are present and considers them alongside other information obtained during the audit (including from ISA 315 (Revised 2019) risk assessment procedures).

Where practitioners often stop too early: they note the presence of a fraud risk factor but do not document how that factor, combined with others, leads to an assessed fraud risk on a specific assertion. ISA 240.27 requires the auditor to identify and assess the risks of material misstatement due to fraud at the financial statement level and at the assertion level. A fraud risk factor is an input to that assessment, not the assessment itself.

Key Points

  • Fraud risk factors are conditions, not evidence of fraud itself. Their presence signals elevated risk but does not prove fraud has occurred.
  • ISA 240 Appendix 1 provides examples organised by the fraud triangle categories: incentive/pressure, opportunity, and rationalisation/attitude.
  • The auditor must consider these factors for both fraudulent financial reporting and misappropriation of assets.
  • ISA 240 (Revised 2024) strengthens the requirements around fraud risk factor identification, effective December 2026.

Why it matters in practice

Worked example: Castellón Construcciones S.L.

Spanish construction company, FY2024, revenue €67M, Spanish GAAP (PGC). Three ongoing infrastructure projects for municipal governments, milestone-based revenue recognition.

Step 1: Identify fraud risk factors for fraudulent financial reporting. Incentive/pressure: a bank covenant requires minimum EBITDA of €5.5M, and projected EBITDA is €5.8M (thin margin). Opportunity: milestone revenue recognition involves significant management judgment about percentage of completion, and the project managers who report completion percentages are not independent of the bidding teams. Rationalisation/attitude: prior year audit adjustments included a €320K reversal of prematurely recognised revenue, which management disputed.

Documentation note: "Fraud risk factors identified for fraudulent financial reporting: (1) EBITDA covenant pressure (projected €5.8M vs required €5.5M), (2) judgment in milestone completion assessments with no segregation between project management and bidding, (3) prior year revenue reversal of €320K disputed by management."

Step 2: Identify fraud risk factors for misappropriation of assets. Construction sites hold significant physical materials. Site-level inventory controls rely on the same individuals for purchasing authorisation and physical counts, so there is no segregation of duties over materials.

Step 3: Assess the resulting fraud risks. The combination of covenant pressure and judgment-heavy revenue recognition, reinforced by the disputed prior year adjustment, creates a risk of material misstatement due to fraud on revenue recognition (milestone revenue; assertions: occurrence and accuracy).

What reviewers get wrong

PCAOB inspection findings consistently note that teams identify fraud risk factors but fail to link them to assessed risks at the assertion level. The factors appear in the planning file as a checklist, while the fraud risk assessment in the risk section does not reference them. ISA 240.27 requires this linkage.

Teams default to the presumed fraud risk on revenue recognition (ISA 240.26) without evaluating whether specific fraud risk factors point to a different assertion or account balance. Additional fraud risks beyond revenue recognition are often warranted but not assessed.

Key standard references

  • ISA 240.25–27: Identifying and assessing the risks of material misstatement due to fraud, including the engagement team discussion and fraud risk factor evaluation.
  • ISA 240 Appendix 1: Examples of fraud risk factors for fraudulent financial reporting and misappropriation of assets, organised by incentive, opportunity, and rationalisation.
  • ISA 240.26: Presumption that revenue recognition involves fraud risk.
  • ISA 240 (Revised 2024): Strengthened requirements around fraud risk factor identification, effective December 2026.

Frequently asked questions

What is the difference between fraud risk factors and fraud risks?

Fraud risk factors are the underlying conditions — incentive, opportunity, or rationalisation — that make fraud more likely. Fraud risks are the specific risks of material misstatement due to fraud that the auditor identifies based on evaluating those factors. The factors are inputs; the fraud risks are the auditor's conclusions about where fraud could occur on specific assertions.

Must the auditor consider fraud risk factors for misappropriation of assets?

Yes. ISA 240 Appendix 1 provides separate fraud risk factor examples for misappropriation, organised by the same three fraud triangle categories. On engagements with significant physical assets, cash handling, or procurement activity, the assessment should cover misappropriation as a distinct fraud type.