Fraud Risk
Fraud is one of the most significant threats to the reliability of financial reporting and to the assets of an organization. While the primary responsibility for preventing and detecting fraud lies with management and those charged with governance, the auditor has an important responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free from material misstatement, whether caused by fraud or error.
This section covers the two types of fraud, the fraud triangle, the auditor's responsibilities related to fraud, common fraud risk factors and red flags, and the presumption of fraud risk in revenue recognition.
The auditor's responsibilities regarding fraud are governed by AU-C 240 (AICPA) for nonissuers and AS 2401 (PCAOB) for issuers. Both standards require the auditor to specifically consider fraud risks when planning and performing the audit.
Two Types of Fraud
Auditing standards distinguish between two principal categories of fraud relevant to the audit of financial statements:
1. Fraudulent Financial Reporting
Fraudulent financial reporting involves intentional misstatements or omissions in the financial statements designed to deceive financial statement users. This type of fraud is typically perpetrated by management and may involve:
- Manipulating, falsifying, or altering accounting records or supporting documents
- Misrepresenting or intentionally omitting events, transactions, or other significant information
- Intentionally misapplying accounting principles related to amounts, classification, manner of presentation, or disclosure
Example: The CFO of MAS Inc. instructs the accounting staff to record fictitious revenue transactions at year-end to inflate earnings and meet analyst expectations. This is fraudulent financial reporting—management is deliberately misstating the financial statements.
2. Misappropriation of Assets
Misappropriation of assets involves the theft or misuse of an entity's assets. Unlike fraudulent financial reporting, which typically involves management, misappropriation of assets can be perpetrated by employees at any level of the organization. Examples include:
- Embezzling cash receipts
- Stealing physical assets (inventory, equipment, supplies)
- Causing the entity to pay for goods or services not received (fictitious vendors)
- Using the entity's assets for personal purposes
Example: A warehouse supervisor at Kingfisher Industries diverts shipments of finished goods to a personal storage unit and sells them to third parties. The theft is concealed by manipulating inventory records to hide the shortages. This is misappropriation of assets.
Fraudulent financial reporting typically involves management and affects the financial statements directly (overstating assets/revenue or understating liabilities/expenses). Misappropriation of assets typically involves employees stealing resources and may or may not result in materially misstated financial statements.
The Fraud Triangle
The fraud triangle is a widely used model for understanding why fraud occurs. It identifies three conditions that are generally present when fraud takes place:
                 Opportunity
                     /\
                    /  \
                   /    \
                  / FRAUD\
                 /  RISK  \
                /__________\
    Incentive/Pressure     Rationalization
1. Opportunity
Opportunity exists when the entity's internal controls are weak, absent, or can be overridden, creating the circumstances that allow fraud to be committed. Without opportunity, even a motivated individual with a ready rationalization cannot commit fraud.
Factors creating opportunity:
- Weak or nonexistent segregation of duties
- Inadequate oversight by those charged with governance
- Overly complex organizational structures
- Dominant management with little accountability
- Lack of monitoring controls
2. Incentive / Pressure
Incentive (also called pressure) is the motivation to commit fraud. Individuals commit fraud because they face pressure—real or perceived—that drives them to act dishonestly.
Common sources of pressure:
- Financial pressure — Personal debts, lifestyle beyond means, gambling problems
- Performance pressure — Unrealistic earnings targets, compensation tied to financial results
- External pressure — Debt covenants, analyst expectations, regulatory requirements
- Organizational pressure — Threats of layoffs, fear of missing budgets
3. Rationalization
Rationalization is the mental justification that allows the person to reconcile their fraudulent behavior with their self-image. Common rationalizations include:
- "I'm only borrowing it—I'll pay it back"
- "I deserve this; the company doesn't pay me enough"
- "Everyone does it"
- "Nobody gets hurt"
- "The company can afford it"
Example: A billing clerk at Illini Security creates a fictitious vendor and submits invoices for payment. The opportunity exists because the same person can create vendor accounts and approve payments (no segregation of duties). The incentive is mounting personal credit card debt. The rationalization is "I've been underpaid for years—this is just what the company owes me."
Of the three fraud triangle conditions, opportunity is the element most directly addressable through internal controls. Strong controls reduce opportunity—but they cannot eliminate incentive or rationalization. This is why management override of controls is considered a fraud risk in every audit.
Auditor Responsibilities for Fraud
The auditor's responsibility is to obtain reasonable assurance that the financial statements are free from material misstatement, whether caused by fraud or error. The auditor is not a guarantor and cannot be expected to detect all fraud, but the auditor must:
Required Actions
- Maintain professional skepticism — The auditor must approach the engagement with a questioning mind and be alert to conditions that may indicate fraud, regardless of the auditor's past experience with the entity's honesty.
- Discuss fraud risks with the engagement team — The audit team must hold a brainstorming session to discuss the susceptibility of the entity's financial statements to material misstatement due to fraud. This discussion should include the engagement partner and should consider how and where fraud could occur.
- Obtain information to identify fraud risks — The auditor performs risk assessment procedures specifically designed to identify fraud risks, including:
  - Making inquiries of management about their assessment of fraud risk and any known or suspected fraud
  - Making inquiries of those charged with governance about their oversight of management's fraud risk processes
  - Considering unusual or unexpected relationships identified during analytical procedures
  - Considering other information, including fraud risk factors
- Identify and assess fraud risks — Based on the information gathered, the auditor identifies specific fraud risks and assesses their likelihood and potential magnitude.
- Respond to assessed fraud risks — The auditor designs audit procedures that specifically address the identified fraud risks. Responses may include:
  - Assigning more experienced personnel to high-risk areas
  - Increasing the unpredictability of audit procedures
  - Modifying the nature, timing, and extent of procedures
- Evaluate audit evidence — The auditor evaluates whether identified misstatements may be indicative of fraud and considers the implications for the audit.
- Communicate identified fraud — The auditor must communicate identified or suspected fraud to the appropriate level of management and, in certain cases, to those charged with governance, regulatory authorities, or law enforcement.
Even if no specific fraud risk factors are present, the auditor must always presume that risks of fraud exist in revenue recognition and must consider the risk of management override of controls. These are default fraud risks in every audit.
Fraud Risk Factors and Red Flags
Fraud risk factors are events or conditions that indicate an incentive or pressure to commit fraud, provide an opportunity to commit fraud, or indicate an attitude or rationalization to justify a fraudulent action. While the presence of a risk factor does not mean fraud has occurred, the auditor must be alert to their presence.
Common Red Flags
| Category | Red Flag Examples |
|---|---|
| Financial pressure | Entity is in financial distress; management compensation is heavily tied to aggressive financial targets |
| Operational complexity | Unusually complex transactions near year-end; significant related-party transactions outside the ordinary course of business |
| Governance weaknesses | Dominated by a single individual with no effective oversight; inadequate audit committee |
| Accounting anomalies | Significant journal entries made at or near year-end; recurring significant adjustments; accounts that are difficult to audit |
| Culture and attitude | Excessive interest in maintaining or increasing stock price; management displaying disregard for controls or regulatory requirements |
| Employee behavior | Employees living beyond their means; employees who refuse to take vacation; employees who are overly protective of their duties |
| Documentation issues | Missing or altered documents; unexplained reconciling items; excessive voids or credits |
Example: During the audit of Gies Co., the auditor notices that the CEO personally approves all journal entries over $10,000 but has no effective check on his authority. The auditor also observes that several significant non-routine entries were made in the last week of the fiscal year. These red flags—concentration of authority and unusual year-end entries—increase the assessed risk of fraudulent financial reporting.
Revenue Recognition as a Presumed Fraud Risk
Auditing standards include a rebuttable presumption that revenue recognition is a fraud risk in every audit. Revenue is presumed to be a fraud risk because:
- Revenue is often the largest and most significant line item in the financial statements
- Revenue recognition can involve complex judgments about timing, measurement, and classification
- Management frequently faces pressure to meet revenue targets
- Revenue is relatively easy to manipulate through techniques such as:
  - Recording fictitious sales
  - Premature revenue recognition (before delivery or performance)
  - Channel stuffing (pressuring customers to accept shipments early)
  - Improper cutoff (recording next period's revenue in the current period)
  - Bill-and-hold arrangements without substance
The Auditor's Response
Because revenue recognition is a presumed fraud risk, the auditor must:
- Specifically assess how and where revenue could be misstated due to fraud
- Design and perform audit procedures that directly address the risk of fraudulent revenue recognition
- Document the rationale if the auditor concludes the presumption does not apply to a particular engagement (the presumption is rebuttable, but overcoming it requires strong justification and documentation)
Example: Illini Entertainment earns revenue from film licensing, theatrical distribution, and merchandise sales—each with different recognition criteria. Given the complexity and the multiple revenue streams, the auditor identifies a significant risk of fraudulent revenue recognition and designs targeted procedures, including testing license agreements for proper timing of revenue recognition, examining sales near year-end for cutoff, and performing analytics to compare revenue trends by category to industry benchmarks.
Management override of controls is also a presumed fraud risk that cannot be rebutted. Unlike the revenue recognition presumption—which can be overcome with documentation—the presumption of management override risk always applies. The auditor must always test journal entries, review accounting estimates for bias, and evaluate the business rationale for significant unusual transactions.
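To make the red flags in the table above and the journal entry testing that management override requires concrete, here is an added example (not part of this page, and not any firm's methodology) that screens a constructed set of journal entries for the indicators the page describes: posting in the final week of the fiscal year, amounts at or just under the $10,000 approval threshold from the Gies Co. example, round amounts, executives posting entries themselves, and entries with no recorded business rationale. The record fields, the fiscal year, the senior-poster list and the sample entries are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Minimal journal-entry record; field names are assumptions, not a real GL export format.
@dataclass(frozen=True)
class JournalEntry:
    entry_id: str
    posted: date
    amount: float
    posted_by: str
    description: str

FISCAL_YEAR_END = date(2023, 12, 31)   # constructed fiscal year
THRESHOLD = 10_000                     # approval threshold taken from the Gies Co. example
SENIOR_POSTERS = ("ceo", "cfo")        # assumed: executives who should rarely post entries themselves

def red_flags(je, year_end=FISCAL_YEAR_END, threshold=THRESHOLD, senior=SENIOR_POSTERS):
    """Return the list of red-flag labels an entry exhibits (empty list if none)."""
    flags = []
    if year_end - timedelta(days=7) <= je.posted <= year_end:
        flags.append("year_end_week")          # posted in the final week of the fiscal year
    if je.amount >= threshold:
        flags.append("over_threshold")         # large enough to require executive approval
    elif threshold * 0.95 <= je.amount:
        flags.append("just_under_threshold")   # possible avoidance of the approval threshold
    if je.amount % 1000 == 0:
        flags.append("round_amount")           # round amounts are atypical for real transactions
    if je.posted_by.lower() in senior:
        flags.append("senior_poster")          # management posting directly: override indicator
    if len(je.description.split()) < 3:
        flags.append("thin_description")       # no business rationale recorded
    if je.posted.weekday() >= 5:
        flags.append("weekend_posting")        # posted outside normal processing days
    return flags

def screen(entries, min_flags=2):
    """Map entry_id -> flags for every entry carrying at least min_flags red flags."""
    selected = {}
    for je in entries:
        flags = red_flags(je)
        if len(flags) >= min_flags:
            selected[je.entry_id] = flags
    return selected

# Constructed sample population (not real data).
SAMPLE_ENTRIES = [
    JournalEntry("JE-001", date(2023, 12, 29), 250_000.0, "ceo", "Year-end adjustment"),
    JournalEntry("JE-002", date(2023, 6, 14), 4_350.25, "clerk1", "Office supplies invoice 4471 from vendor"),
    JournalEntry("JE-003", date(2023, 12, 30), 12_000.0, "controller", "Reclass accrued bonus to payable per memo"),
    JournalEntry("JE-004", date(2023, 11, 2), 9_999.0, "clerk2", "Split payment to vendor invoice 5520 part 2"),
]
```

Running `screen(SAMPLE_ENTRIES)` selects JE-001 and JE-003 for follow-up; JE-004 carries only the just-under-threshold flag, so it surfaces only when `min_flags` is lowered to 1.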
Summary
| Topic | Key Takeaway |
|---|---|
| Fraudulent financial reporting | Intentional misstatements by management to deceive users |
| Misappropriation of assets | Theft or misuse of entity assets by employees at any level |
| Fraud triangle | Opportunity + Incentive/Pressure + Rationalization |
| Auditor responsibility | Obtain reasonable (not absolute) assurance; maintain professional skepticism; brainstorm with team |
| Revenue recognition | Presumed fraud risk in every audit (rebuttable with documentation) |
| Management override | Presumed fraud risk that is not rebuttable—always applies |
| Red flags | Unusual journal entries, governance weaknesses, financial pressure, operational complexity |