Audit Standards and the Auditor's Responsibility for Fraud Detection

ISA 240 is built on a core architectural choice: the auditor obtains reasonable assurance, not absolute assurance. Reasonable assurance is a high level of assurance, but it accepts that some fraud may not be detected. Three factors explain why absolute assurance is impossible in practice: fraud often involves deliberate concealment; collusion between employees can overcome segregation of duties; and management fraud can involve override of the very controls the auditor relies on. ISA 240 acknowledges all three explicitly.

Within that framework, ISA 240 imposes specific duties. First, the engagement team must discuss the susceptibility of the entity's financial statements to material misstatement due to fraud, a requirement that forces fraud thinking into team planning rather than treating fraud as an afterthought. Second, the auditor must apply risk assessment procedures specifically designed to identify fraud risks, including inquiries of management and others, analytical procedures with a fraud lens, and evaluation of unusual journal entries or period-end adjustments. Third, when fraud risks are identified, the auditor must design substantive procedures that respond to those specific risks. Fourth, when fraud is suspected or identified, the auditor must communicate with those charged with governance and, in some circumstances, with regulators.

ISA 240 recognises two categories of fraud relevant to a financial statement audit. Understanding the mechanics of each matters because the risk factors, detection techniques, and materiality implications differ significantly between them.

Fraudulent financial reporting involves intentional misstatements or omissions designed to deceive financial statement users. Common schemes include recording fictitious revenues, prematurely recognising revenue before performance obligations are met, understating liabilities or expenses, and manipulating disclosures to obscure financial deterioration. Because these schemes typically involve large amounts, they carry a higher likelihood of rising to the material misstatement threshold that triggers ISA 240 obligations. The Enron revenue scheme in the US and the Wirecard balance-sheet fabrication in Germany are both examples of fraudulent financial reporting that passed multiple external audit cycles before detection.

Misappropriation of assets covers theft or misuse of an entity's property by employees, management, or third parties. Individual instances, a single falsified expense claim or a skimmed cash payment, are usually immaterial to the financial statements. The audit risk arises when schemes are systemic or long-running, when they accumulate to material amounts, or when they indicate a control environment so weak that larger misstatements may exist. An auditor who finds one false invoice in an accounts payable sample must consider whether it represents a single event or a pattern. The ACFE's Occupational Fraud report consistently shows that asset misappropriation is the most common fraud category by number of cases, but median losses per case are far lower than financial statement fraud.

The audit expectation gap has been studied by academic researchers, regulators, and audit standard-setters in the UK, US, Australia, Canada, and the European Union since at least the 1970s. In its fraud dimension, the gap takes a specific form: many investors and board members believe that receiving a clean audit opinion means the entity's financial statements are free from fraud. Audit standards have never made this claim.

The debate about whether to close the gap by expanding auditor responsibility has three main positions. The first position holds that the current standard is appropriate: the audit is a financial statement assurance engagement, not an investigative one, and expanding the mandate without expanding audit scope, fee, and access would produce false comfort rather than better detection. The second position holds that auditors should be required to report proactively to regulators when fraud indicators are found, not just to those charged with governance, creating a regulatory tripwire that does not currently exist consistently across jurisdictions. The third position holds that fraud detection should be separated entirely from financial statement audit, with forensic procedures conducted by specialist firms on a systematic basis.

In practice, standard-setters have moved incrementally toward the second position. The UK's Financial Reporting Council revised ISA (UK) 240 in 2021 to strengthen requirements around fraud risk assessment and communication. The US PCAOB issued AS 2401 with specific guidance on auditor responses to fraud risk in public company audits. The EU's 2023 audit reform discussions included proposals for more direct auditor reporting to the European Securities and Markets Authority. None of these changes transformed the audit into a forensic investigation, but each tightened the procedural requirements within the existing framework.

The fraud triangle, developed by criminologist Donald Cressey from his interviews with convicted embezzlers, identifies three conditions present in most occupational fraud cases: pressure, opportunity, and rationalization. Auditors are not required to use the fraud triangle as a formal tool, but ISA 240's requirement to consider fraud risk factors maps directly onto its three components.

Pressure refers to a financial or personal motive: an executive facing personal debt, a division manager under pressure to meet analyst targets, or a company facing covenant breach. Auditors look for pressure indicators in compensation structures tied heavily to reported earnings, insider selling patterns, or management representations that seem inconsistent with the entity's financial position. Opportunity refers to conditions that allow fraud to occur and be concealed: weak segregation of duties, inadequate supervision of cash-handling staff, override-friendly accounting systems, or complex structures that obscure related-party transactions. Rationalization refers to the mental process by which the perpetrator justifies the act: "I'm underpaid", "I'll pay it back", "Everyone does this". Auditors cannot directly observe rationalization, but they can look for cultural signals in the control environment, tone at the top, and management's attitude toward internal controls.

When all three conditions are present, ISA 240 requires the auditor to treat fraud risk as elevated and to design procedures that directly address the specific risks identified. This might mean expanding journal entry testing, increasing the unpredictability of audit procedures (so that management cannot anticipate which accounts will be scrutinised), or performing additional substantive testing of revenue recognition around period-end.

An audit is not designed to gather evidence for litigation, attribute fraud to specific individuals, or reconstruct the full history of a scheme. When fraud indicators become significant enough that these objectives matter, a different engagement is required. The transition from statutory audit to forensic investigation can be triggered by several distinct events.

The most common trigger is an internal discovery: a whistleblower tip, an anomaly identified during the audit that cannot be explained by management, or a pattern in data analytics that indicates systematic irregularity. When the external auditor encounters such indicators and cannot resolve them through standard audit procedures, they are obliged to communicate with those charged with governance. The governance body then decides whether to commission a forensic investigation, typically by engaging a specialist firm separately from the statutory auditors to preserve independence.

A second trigger is regulatory or law enforcement contact. When a regulator such as the Securities and Exchange Commission in the US, the Financial Conduct Authority in the UK, the Securities and Exchange Board of India, or a prosecutorial agency initiates contact with the entity or the auditor, a formal forensic investigation typically follows, with its own chain of custody requirements and legal privilege considerations. A third trigger is the auditor's withdrawal: if the auditor concludes they can no longer rely on management representations or the control environment, they may withdraw from the engagement altogether, which in itself signals to the market and potentially to regulators that significant concerns exist.

ISA 240 prescribes a structured communication hierarchy for fraud-related findings. When the auditor identifies or suspects fraud involving management, they must communicate with those charged with governance, typically the audit committee or equivalent. When the fraud involves employees below management level, the auditor ordinarily communicates with management unless management is implicated. In both cases the communication must be timely, so that governance can act before additional damage occurs.

Reporting to external parties is more restricted. In most jurisdictions the auditor has no automatic obligation to report suspected fraud to regulators or law enforcement, because audit client information is confidential. However, specific statutory exceptions exist in many jurisdictions. In the UK, the Companies Act 2006 (section 520) and the Proceeds of Crime Act 2002 create specific reporting obligations. In India, the Companies Act 2013 (section 143(12)) requires auditors to report fraud above a specified threshold to the Central Government via the Ministry of Corporate Affairs. In the US, PCAOB AS 2405 (related to illegal acts) and SEC rules on auditor reporting of material weaknesses create analogous obligations. In all cases, auditors should seek legal advice before making a report to an external body.

When forensic investigations proceed to litigation or regulatory hearings, auditors may be called as witnesses. Their role is to speak to what their audit procedures were and what they found, not to offer opinions on whether a crime occurred or who is responsible. The distinction between fact witness and expert witness matters here: an auditor testifying to their own work is a fact witness; a forensic accountant retained to analyse the fraud and offer conclusions is an expert witness, operating under different procedural rules. In India, evidence from both categories is now governed by the Bharatiya Sakshya Adhiniyam 2023. Equivalent rules apply in UK courts under the Civil Procedure Rules and Criminal Procedure Rules, and in US federal proceedings under the Federal Rules of Evidence.