[Analysis] Common Audit Failures in Addressing Fraud Risk | SA 240 Compliance
- By Taxmann
- Last Updated on 7 July, 2025
Fraud risk in audits refers to the risk that material misstatements in a company’s financial statements may arise due to intentional acts of fraud. These misstatements can stem from either fraudulent financial reporting—such as manipulation of accounting records, intentional omissions, or misleading disclosures—or misappropriation of assets, such as theft or misuse of company resources. Recognizing the severity of such risks, auditing standards like SA 240 (The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements) require auditors to maintain a high level of professional skepticism throughout the engagement.
Table of Contents
- Inadequate Documentation and Incomplete Management Representation
- Failure to Identify and Assess Risks of Material Misstatement Due to Fraud
- Absence of Engagement Team Discussions on Fraud Risk
- No Testing for Management Override of Controls
- Inadequate Procedures Over Revenue Recognition
- Audit Plan Lacked Fraud Focus
- Conclusion
In today’s complex financial reporting environment, detecting fraud remains a persistent challenge, even for experienced auditors. The recent Rs. 2,600 crore derivatives misstatement at IndusInd Bank, where internal trades were not marked to market and profits were artificially inflated, serves as a stark reminder of how fraud risks can go undetected when audit procedures fail to address management override and misstatements effectively. Such incidents underline the importance of SA 240, The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements, which outlines the auditor’s duty to identify, assess, and respond to fraud risks with diligence and professional scepticism. Drawing on recent inspection findings and implementation guidance from the Auditing and Assurance Standards Board (AASB), this article highlights common pitfalls in fraud risk audits. It provides actionable insights to strengthen audit quality and compliance.
1. Inadequate Documentation and Incomplete Management Representation
1.1 Observation
One of the most frequently noted deficiencies in audit files is the lack of documentation that evidences fraud risk procedures, particularly regarding management representations. Several audit firms failed to obtain or include explicit representations from management that they had disclosed their assessment of fraud risk and any actual, suspected, or alleged frauds known to them. Despite issuing standard unqualified audit opinions, these critical disclosures were neither confirmed nor recorded.
1.2 Relevant Provisions of SA 240
As per paragraph 39 of SA 240, auditors are required to obtain specific written representations from management and, where appropriate, those charged with governance. These representations must confirm their responsibility for designing, implementing, and maintaining internal controls to prevent and detect fraud. They must also confirm that they have disclosed both the results of management’s own fraud risk assessments and any knowledge of fraud or suspected fraud involving management, employees with key control responsibilities, or other individuals whose actions may materially impact the financial statements.
1.3 AASB Guidance and Recommendations
The AASB emphasises that these representations are not optional or perfunctory. They serve as vital corroborative evidence in audits. When omitted or vaguely drafted, the reliability of the audit opinion is significantly compromised. Auditors must therefore revise their standard representation letter formats to ensure full compliance with SA 240. Additionally, management responses must be properly documented, and the absence of disclosures should be supported with specific reasoning and signed confirmations.
2. Failure to Identify and Assess Risks of Material Misstatement Due to Fraud
2.1 Observation
Another serious concern highlighted was that auditors did not properly identify or assess the risks of material misstatement due to fraud, especially at the assertion level. There were instances where auditors either skipped this assessment entirely or mentioned fraud risk only generically without applying it to specific accounts, disclosures, or transactions.
2.2 Relevant Provisions of SA 240
Paragraph 25 of SA 240 mandates that the auditor shall identify and assess the risks of material misstatement due to fraud both at the financial statement level and at the assertion level. These assessments must consider various fraud risk factors and be informed by the auditor’s understanding of the entity, its internal control environment, and any red flags that emerge during planning. Furthermore, paragraph 27 requires these identified risks to be treated as significant, which necessitates an understanding of the entity’s related controls.
2.3 AASB Guidance and Recommendations
AASB guidance underscores that this process must be documented and tailored to the specific entity. For example, if the auditor concludes that revenue recognition does not pose a fraud risk, this conclusion must be well-supported and documented, as paragraph 26 presumes that such a risk exists. Auditors are expected to proactively examine high-risk areas such as complex estimates, management judgments, and significant adjustments.
To address this, firms should enhance their audit planning documentation to include specific fraud risks, their impact at the assertion level, and the rationale behind the risk classification. A clear linkage between assessed fraud risks and responsive audit procedures must be evident in the audit file.
3. Absence of Engagement Team Discussions on Fraud Risk
3.1 Observation
In several cases, the audit files did not reflect any meaningful engagement team discussions relating to the susceptibility of the financial statements to fraud. This omission weakens the foundation of fraud-focused audit planning and execution.
3.2 Relevant Provisions of SA 240
As per paragraph 15 of SA 240, there must be documented discussions among the engagement team regarding how and where fraud could occur in the financial statements. This includes considering the ways fraud might be perpetrated and concealed and encouraging a mindset of professional skepticism. Such discussions help challenge assumptions and bring multiple perspectives into the risk assessment process, particularly when team members may have different levels of experience with the entity or industry.
3.3 AASB Guidance and Recommendations
The AASB highlights that engagement teams must go beyond a routine discussion. They should consider aspects such as management’s influence over financial reporting, internal control limitations, industry pressures, and the fraud triangle—comprising incentive or pressure, opportunity, and rationalisation. Team members should reflect on past audit findings, whistleblower reports, and changes in the control environment.
It is recommended that firms schedule dedicated brainstorming sessions during audit planning, capture key points of discussion, and ensure documentation includes the names of participants, significant risks identified, and the resulting audit strategy adjustments.
4. No Testing for Management Override of Controls
4.1 Observation
One of the most critical and universally applicable fraud risks, management override of controls, was overlooked in several audits. In some instances, there was no documentation of journal entry testing or review of significant accounting estimates, even though the audit report was clean.
A recent example is the ₹2,600 crore derivatives misstatement by IndusInd Bank in 2025. The accounting discrepancies arose from internal trades not being marked to market, inflating profits over multiple quarters. This misreporting points to potential management override of controls—a significant fraud risk under SA 240. The auditors’ failure to detect such overrides despite the scale of transactions highlights the critical need for robust journal entry testing and analytical scrutiny of management decisions.
4.2 Relevant Provisions of SA 240
According to paragraphs 31 through 33 of SA 240, management override is inherently a significant fraud risk in every audit engagement. The auditor is required to design and perform procedures specifically targeted at identifying and testing this risk. This includes testing the appropriateness of journal entries and other adjustments, reviewing accounting estimates for management bias, and evaluating the rationale behind significant or unusual transactions that fall outside the normal course of business.
4.3 AASB Guidance and Recommendations
The AASB stresses that failure to perform journal entry testing is a serious deficiency. Journal entries must be tested throughout the period, not just at year-end, and the auditor should use tools such as data analytics to identify anomalous entries. Similarly, when evaluating accounting estimates, auditors must not only verify their accuracy but also examine management’s underlying assumptions to assess potential bias or manipulation.
To comply with SA 240, firms must institute a standard procedure for journal entry selection and testing. Documentation should clearly show the basis for selection (e.g., unusual timing, related party involvement), the inquiries made of finance personnel, and the conclusions drawn from the audit evidence.
5. Inadequate Procedures Over Revenue Recognition
5.1 Observation
The AASB also noted that in some audits, revenue was tested using only basic vouching, without analytical procedures, external reconciliations, or consideration of the risk of premature revenue recognition. Furthermore, key information such as product-wise sales, reconciliation with tax returns, or cut-off testing was missing.
5.2 Relevant Provisions of SA 240
This is particularly problematic given that paragraph 26 of SA 240 presumes revenue recognition to be a fraud risk. Appendix 2 of SA 240 provides examples of specific audit procedures that can address this risk. These include performing analytical procedures on disaggregated revenue data, confirming key contract terms with customers, examining unusual terms or sales close to period-end, and reconciling sales with VAT/GST returns.
5.3 AASB Guidance and Recommendations
The AASB recommends that auditors move beyond traditional vouching and adopt a more analytical and evidence-driven approach. Audit files must include sales trend analyses, confirmation of dispatch and delivery terms, and details of any rebates or discounts that could affect revenue recognition timing.
Auditors should also incorporate unpredictability into their revenue audit procedures. For instance, selecting random days for detailed testing, performing unannounced checks, or reviewing credit notes issued post-year-end can help detect manipulation or backdating of sales.
6. Audit Plan Lacked Fraud Focus
6.1 Observation
In several reviews, it was observed that the overall audit strategy lacked a specific focus on fraud risk. There was a reliance on prior experience with the client rather than a fresh assessment based on current-year developments, and documentation of fraud responses was either absent or vague.
6.2 Relevant Provisions of SA 240
Paragraphs 28 and 29 of SA 240 emphasise that auditors must design overall responses to address the assessed risks of fraud. These responses may include assigning experienced personnel, involving forensic or IT experts, modifying the nature and timing of audit procedures, and introducing elements of unpredictability.
6.3 AASB Guidance and Recommendations
The AASB advises that fraud considerations should be built into the audit strategy from the outset. For example, if a company has recently undergone a change in management, is under financial pressure, or is dealing with complex revenue arrangements, these should all trigger heightened fraud risk considerations in the strategy document.
Firms must ensure that their audit plans are tailored to each engagement. Standardised planning templates should be revised annually to accommodate entity-specific risks and evolving fraud indicators.
7. Conclusion
Fraud risk is a critical component of audit planning and execution. The AASB’s observations serve as a timely reminder that compliance with SA 240 requires diligence, documentation, and a proactive, skeptical mindset. Auditors must move beyond standard procedures and engage deeply with the complexities of fraud, starting from the planning stage through to audit reporting.
SA 240 provides a clear structure. However, it is the auditor’s execution, professional skepticism, and attention to detail that determine whether fraud risks are appropriately addressed. By aligning audit practices with the requirements of SA 240 and the practical insights offered by the AASB, auditors can significantly enhance the reliability of financial reporting and strengthen stakeholder trust.
Source – Guidance on Non-Compliances Observed by Quality Review Board During Quality Reviews (Volume 3)