Often the topic of fraud is addressed poorly on audit files.
Frequently, audit files include only a simple statement that ‘risk is low’ (because the Directors say there has not been any fraud) and that there is no knowledge of any fraud in the past year. Audit teams need to take a more professional and appropriately sceptical approach by justifying in writing how this low risk assessment has been arrived at. The file must show how the risks were discussed and the results of those discussions:
- with the client and
- within the audit team (known as the ‘engagement team discussion’ or ‘brainstorming session’).
Consideration must be given to specific areas susceptible to fraud through theft such as:
- cash based businesses,
- high value stocks,
- fake suppliers (posing as real creditors) who allege they have just recently changed their banking details; and
- fixed assets etc.
Another good question to ask is what security measures are in place over tangible assets, and whether all tangible assets are adequately insured. Sometimes a comparison between the fixed assets register and the list of insured items could throw up some interesting anomalies.
I often recommend to clients that they read the ISAs, and the one on fraud (ISA (Ireland) 240) makes very interesting reading, especially the Appendices, which have the titles:
- Appendix 1 – Examples of fraud risk factors.
- Appendix 2 – Examples of possible audit procedures to address the assessed risks of material misstatement due to fraud.
- Appendix 3 – Examples of circumstances that indicate the possibility of fraud.
In terms of fraudulent reporting, the audit file needs to show how the auditor has considered what risk management policies and procedures management has in place to mitigate the fraud threat. Also carefully document the result of the risk assessment and assess whether it has any impact on the audit work and/or on the audit opinion.
Fraud risk can change from one year to the next and therefore should be reassessed on an annual basis. Opening balances, especially in relation to matters like fixed assets, are often ignored, the excuse being ‘we audited them last year or in a prior year’. What if those assets are destroyed, sold or not in use and potentially impaired?
Identification of revenue recognition and management override risks (ISA (Ireland) 240)
Following on from fraud risk, ISA 240 assumes that there are at least two significant risks present on practically all audit assignments:
- those arising from revenue recognition criteria and
- management override of controls.
While most firms are adequately highlighting revenue recognition as a significant risk, there continues to be no clear statement of the specific audit procedures planned to address this. There is often no sufficient record of the client’s revenue recognition criteria and the accounting policy for revenue recognition contained in the financial statements is often poorly phrased or not appropriately worded.
For example, an accounting policy for an apartment management company stating that ‘turnover represents goods sold net of VAT’!! The accounting policy for revenue recognition/turnover/income is often the most significant accounting policy of them all and auditors need to pay more attention to this topic.
Management override is a risk area that a lot of firms often overlook, concluding that the risk is low due to strong internal controls or because the management is ‘honest’. Where there is potential for management override of controls, this must be identified as a significant risk and appropriate audit procedures performed. This is likely to be the case for most owner-managed SME businesses.
ISA 240 gives details of three areas which need to be tested when considering the risks associated with management override of controls. These are:
- the appropriateness of journals;
- accounting estimates, the appropriateness of which needs to be challenged; and
- gaining an understanding of significant transactions which appear to be outside the normal course of business.
More often than not, some or all of the above procedures will have been performed during the course of the fieldwork, but these need to be properly documented and clearly linked back to management override risk.
It’s important to note that, with the advent of ISA (Ireland) 315 (Identifying and Assessing the Risks of Material Misstatement) for accounting periods commencing on/after 15 December 2021, control risk is measured more appropriately on a 5-point scale as follows:
- Very Low
- Low
- Medium
- High
- Very High
The assessment of control risk is extremely important as it is designed to help identify areas where there may be a risk of misstatement due to:
- error or
- fraud
The results of this assessment will influence the choice of sample sizes and better focus the tailoring of the audit programme. A common feature of files that fail inspection reviews is the lack of appropriate tailoring, especially for fraud risk. The results of substantive tests cannot therefore be used, as the scope and extent of those tests cannot be determined until the risk assessment process is complete. It’s like putting the cart before the horse.
It is important to remember that where a risk is deemed ‘significant’, audit procedures must include an appropriate element of substantive testing.
We will look at more audit file weaknesses next week.




