ISA 240 – The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements

5 Assessing Risk of Fraud

5.1 Auditor and Professional skepticism

  • ISA 200 requires the auditor to conduct the audit with an attitude of professional skepticism, which involves staying vigilant towards indicators and possibilities that may lead to fraud or can potentially result in fraud.
  • Being skeptical does not mean that the auditor is required to assess the correctness of each and every record by management. The auditor will only suspect if there are reasons to suspect, in which case the auditor will probe further.
  • The auditor’s experience and knowledge regarding management’s honesty shall not reduce the auditor’s skeptical approach to the point of ignoring the reasons why financial information is misstated and generalizing it as error. If an inconsistency is found, the auditor shall investigate the matter.

5.2 Discussions among team members

Discussions among team members increase the effectiveness of the audit. Engagement partners shall decide what matters need to be discussed with team members not present in the discussion. The purpose of the discussions is to reinforce the areas where fraud is suspected and the expectation of its occurrence.

5.3 Risk assessment procedures


Inquiring of management, employees, internal auditors and others helps the auditor identify the conditions and events that indicate fraud. It also helps the auditor learn whether management and those charged with governance are performing their duties to prevent and detect fraud.

Inquiries of management

Inquire of management about:

  1. Any assessment of fraud conducted by management
  2. The system management has in place to prevent, detect and respond to identified or suspected fraud
  3. Communication between management and those charged with governance regarding the system in place to assess and respond to fraud risks
  4. Management’s instructions to employees, such as best practices or a code of conduct

The auditor shall also inquire of management or relevant individuals whether they have any knowledge of suspected or identified fraud. The auditor shall likewise inquire of those responsible for the internal audit function whether they know of any actual or suspected fraud and whether there are conditions indicative of potential fraud.

Unless those charged with governance are part of management, the auditor shall inquire of those charged with governance:

  1. About how they supervise management and its functions, including the internal control system to eradicate fraud and associated risks
  2. About suspected or actual fraud, if any, in their knowledge. This helps the auditor to corroborate inquiries of management.

Analytical procedures help the auditor identify information that is not consistent with expectations. The auditor can use these procedures as part of the assessment of the risk of fraud. If such inconsistencies are found, the auditor shall evaluate the information.

If the auditor obtains any other information, in addition to that from the entity’s reporting system, that is inconsistent with the information the auditor already holds, the auditor shall investigate the matter.

While performing risk assessment procedures, the auditor often obtains information regarding the existence of fraud risk factors. Fraud risk factors are simply the conditions that provide an indication of fraud committed under motivation or pressure. The existence of such factors does not automatically mean that fraud also exists, but most often, where such conditions exist, it is found that fraud also exists, and thus material misstatements in the financial statements.

The auditor shall treat the assessed risks related to fraud as significant risks, and the auditor is required to gain an understanding of the relevant controls expected to control such fraud occurrences.