5502 Fraud Risk Factors
Sep-2022

Risk factor definitions

OAG Guidance

Risk factors are characteristics, circumstances or events which are indicative that (a) there is an increased risk that a fraud could take place; or (b) a fraud may actually have taken place or be in the process of taking place. There are essentially two kinds of risk factors:

  • Risk factors: Conditions that give rise to incentives, opportunities or rationalization that may lead to the misappropriation of assets or fraudulent financial reporting. For examples of risk factors, refer to CAS 240 Appendix 1.

  • Evidential risk factors: Evidence that a fraud may actually have taken place or is in contemplation is more direct and is more likely to emerge during the conduct of the audit than at the client Acceptance & Continuance or planning stage, as it generally relates to inconsistencies or deficiencies in audit evidence. Evidential risk factors may include:

    • discrepancies in the accounting records,
    • conflicting or missing evidential matter,
    • problematic or unusual relationships between us and the entity.

Risk factors are not in themselves evidence that a fraud has in fact occurred and their existence in relation to a particular client may not in any way be connected to fraud. Generally, the more risk factors that are identified in relation to a client, the greater the overall risk of fraud. However, there is no simple formula for estimating the degree of fraud risk, and even a few risk factors in key areas may be grounds for concern.

While we consider fraud risk factors relating to incentives/pressures and rationalization in identifying and assessing fraud risk, it is the second of the three conditions—opportunities—where we can best identify risk of fraud by responding to risk effectively and thereby increasing the opportunity for detection.

Risk factors relating to misstatements arising from fraudulent financial reporting

CAS Guidance

The fraud risk factors identified below are examples of such factors that may be faced by auditors in a broad range of situations. Separately presented are examples relating to the two types of fraud relevant to the auditor’s consideration - that is, fraudulent financial reporting and misappropriation of assets. For each of these types of fraud, the risk factors are further classified based on the three conditions generally present when material misstatements due to fraud occur: (a) incentives/pressures, (b) opportunities, and (c) attitudes/rationalizations. Although the risk factors cover a broad range of situations, they are only examples and, accordingly, the auditor may identify additional or different risk factors. Not all of these examples are relevant in all circumstances, and some may be of greater or lesser significance in entities of different size or with different ownership characteristics or circumstances. Also, the order of the examples of risk factors provided is not intended to reflect their relative importance or frequency of occurrence. (CAS 240 Appendix 1)

Fraud risk factors may relate to incentives or pressures, or opportunities that arise from conditions that create susceptibility to misstatement before consideration of controls (i.e., the inherent risk). Such factors are inherent risk factors, insofar as they affect inherent risk, and may be due to management bias. Fraud risk factors related to opportunities may also arise from other identified inherent risk factors (for example, complexity or uncertainty may create opportunities that result in susceptibility to misstatement due to fraud). Fraud risk factors related to opportunities may also relate to conditions within the entity’s system of internal control, such as limitations or deficiencies in the entity’s internal control that create such opportunities. Fraud risk factors related to attitudes or rationalizations may arise, in particular, from limitations or deficiencies in the entity’s control environment.

Risk Factors Relating to Misstatements Arising from Fraudulent Financial Reporting

The following are examples of risk factors relating to misstatements arising from fraudulent financial reporting.

Incentives/Pressures

Financial stability or profitability is threatened by economic, industry, or entity operating conditions, such as (or as indicated by):

  • High degree of competition or market saturation, accompanied by declining margins.

  • High vulnerability to rapid changes, such as changes in technology, product obsolescence, or interest rates.

  • Significant declines in customer demand and increasing business failures in either the industry or overall economy.

  • Operating losses making the threat of bankruptcy, foreclosure, or hostile takeover imminent.

  • Recurring negative cash flows from operations or an inability to generate cash flows from operations while reporting earnings and earnings growth.

  • Rapid growth or unusual profitability especially compared to that of other companies in the same industry.

  • New accounting, statutory, or regulatory requirements.

Excessive pressure exists for management to meet the requirements or expectations of third parties due to the following:

  • Profitability or trend level expectations of investment analysts, institutional investors, significant creditors, or other external parties (particularly expectations that are unduly aggressive or unrealistic), including expectations created by management in, for example, overly optimistic press releases or annual report messages.

  • Need to obtain additional debt or equity financing to stay competitive—including financing of major research and development or capital expenditures.

  • Marginal ability to meet exchange listing requirements or debt repayment or other debt covenant requirements.

  • Perceived or real adverse effects of reporting poor financial results on significant pending transactions, such as business combinations or contract awards.

Information available indicates that the personal financial situation of management or those charged with governance is threatened by the entity’s financial performance arising from the following:

  • Significant financial interests in the entity.

  • Significant portions of their compensation (for example, bonuses, stock options, and earn‑out arrangements) being contingent upon achieving aggressive targets for stock price, operating results, financial position, or cash flow.

  • Personal guarantees of debts of the entity.

There is excessive pressure on management or operating personnel to meet financial targets established by those charged with governance, including sales or profitability incentive goals.

Opportunities

The nature of the industry or the entity’s operations provides opportunities to engage in fraudulent financial reporting that can arise from the following:

  • Significant related‑party transactions not in the ordinary course of business or with related entities not audited or audited by another firm.

  • A strong financial presence or ability to dominate a certain industry sector that allows the entity to dictate terms or conditions to suppliers or customers that may result in inappropriate or non‑arm’s‑length transactions.

  • Assets, liabilities, revenues, or expenses based on significant estimates that involve subjective judgments or uncertainties that are difficult to corroborate.

  • Significant, unusual, or highly complex transactions, especially those close to period end that pose difficult “substance over form” questions.

  • Significant operations located or conducted across international borders in jurisdictions where differing business environments and cultures exist.

  • Use of business intermediaries for which there appears to be no clear business justification.

  • Significant bank accounts or subsidiary or branch operations in tax‑haven jurisdictions for which there appears to be no clear business justification.

The monitoring of management is not effective as a result of the following:

  • Domination of management by a single person or small group (in a non‑owner‑managed business) without compensating controls.

  • Oversight by those charged with governance over the financial reporting process and internal control is not effective.

There is a complex or unstable organizational structure, as evidenced by the following:

  • Difficulty in determining the organization or individuals that have controlling interest in the entity.
  • Overly complex organizational structure involving unusual legal entities or managerial lines of authority.
  • High turnover of senior management, legal counsel, or those charged with governance.

Deficiencies in internal control as a result of the following:

  • Inadequate process to monitor the entity’s system of internal control, including automated controls and controls over interim financial reporting (where external reporting is required).

  • High turnover rates or employment of staff in accounting, information technology, or the internal audit function that are not effective.

  • Accounting and information systems that are not effective, including situations involving significant deficiencies in internal control.

Attitudes/Rationalizations

  • Communication, implementation, support, or enforcement of the entity’s values or ethical standards by management, or the communication of inappropriate values or ethical standards, that are not effective.

  • Nonfinancial management’s excessive participation in or preoccupation with the selection of accounting policies or the determination of significant estimates.

  • Known history of violations of securities laws or other laws and regulations, or claims against the entity, its senior management, or those charged with governance alleging fraud or violations of laws and regulations.

  • Excessive interest by management in maintaining or increasing the entity’s stock price or earnings trend.

  • The practice by management of committing to analysts, creditors, and other third parties to achieve aggressive or unrealistic forecasts.

  • Management failing to remedy known significant deficiencies in internal control on a timely basis.

  • An interest by management in employing inappropriate means to minimize reported earnings for tax‑motivated reasons.

  • Low morale among senior management.

  • The owner-manager makes no distinction between personal and business transactions.

  • Dispute between shareholders in a closely held entity.

  • Recurring attempts by management to justify marginal or inappropriate accounting on the basis of materiality.

  • The relationship between management and the current or predecessor auditor is strained, as exhibited by the following:

    • Frequent disputes with the current or predecessor auditor on accounting, auditing, or reporting matters.

    • Unreasonable demands on the auditor, such as unrealistic time constraints regarding the completion of the audit or the issuance of the auditor’s report.

    • Restrictions on the auditor that inappropriately limit access to people or information or the ability to communicate effectively with those charged with governance.

    • Domineering management behavior in dealing with the auditor, especially involving attempts to influence the scope of the auditor’s work or the selection or continuance of personnel assigned to or consulted on the audit engagement.

OAG Guidance

Engagement team members may use the Fraud Risk Factors Checklist to help document their assessment of the above fraud risk factors related to fraudulent financial reporting and their conclusion as to whether or not there is a risk of a material misstatement due to fraud in those areas.

Risk factors relating to misstatements arising from misappropriation of assets

CAS Guidance

Risk factors that relate to misstatements arising from misappropriation of assets are also classified according to the three conditions generally present when fraud exists: incentives/pressures, opportunities, and attitudes/rationalization. Some of the risk factors related to misstatements arising from fraudulent financial reporting also may be present when misstatements arising from misappropriation of assets occur. For example, ineffective monitoring of management and other deficiencies in internal control may be present when misstatements due to either fraudulent financial reporting or misappropriation of assets exist. The following are examples of risk factors related to misstatements arising from misappropriation of assets (CAS 240 Appendix 1).

Incentives/Pressures

Personal financial obligations may create pressure on management or employees with access to cash or other assets susceptible to theft to misappropriate those assets.

Adverse relationships between the entity and employees with access to cash or other assets susceptible to theft may motivate those employees to misappropriate those assets. For example, adverse relationships may be created by the following:

  • Known or anticipated future employee layoffs.
  • Recent or anticipated changes to employee compensation or benefit plans.
  • Promotions, compensation, or other rewards inconsistent with expectations.

Opportunities

Certain characteristics or circumstances may increase the susceptibility of assets to misappropriation. For example, opportunities to misappropriate assets increase when there are the following:

  • Large amounts of cash on hand or processed.
  • Inventory items that are small in size, of high value, or in high demand.
  • Easily convertible assets, such as bearer bonds, diamonds, or computer chips.
  • Fixed assets which are small in size, marketable, or lacking observable identification of ownership.

Inadequate controls over assets may increase the susceptibility of misappropriation of those assets. For example, misappropriation of assets may occur because there is the following:

  • Inadequate segregation of duties or independent checks.

  • Inadequate oversight of senior management expenditures, such as travel and other reimbursements.

  • Inadequate management oversight of employees responsible for assets, for example, inadequate supervision or monitoring of remote locations.

  • Inadequate job applicant screening of employees with access to assets.

  • Inadequate record keeping with respect to assets.

  • Inadequate system of authorization and approval of transactions (for example, in purchasing).

  • Inadequate physical safeguards over cash, investments, inventory, or fixed assets.

  • Lack of complete and timely reconciliations of assets.

  • Lack of timely and appropriate documentation of transactions, for example, credits for merchandise returns.

  • Lack of mandatory vacations for employees performing key control functions.

  • Inadequate management understanding of information technology, which enables information technology employees to perpetrate a misappropriation.

  • Inadequate access controls over automated records, including controls over and review of computer systems event logs.

Attitudes/Rationalizations

  • Disregard for the need for monitoring or reducing risks related to misappropriations of assets.

  • Disregard for controls over misappropriation of assets by overriding existing controls or by failing to take appropriate remedial action on known deficiencies in internal control.

  • Behavior indicating displeasure or dissatisfaction with the entity or its treatment of the employee.

  • Changes in behavior or lifestyle that may indicate assets have been misappropriated.

  • Tolerance of petty theft.

OAG Guidance

Engagement team members may use the Fraud Risk Factors Checklist to help document their assessment of the above fraud risk factors related to misappropriation of assets and their conclusion as to whether or not there is a risk of a material misstatement due to fraud in those areas.

Evidential risk factors

OAG Guidance

Evidential Risk Factors

Evidential risk factors and other indicators of fraud relate to deficiencies, discrepancies and/or inconsistencies in the audit evidence obtained in the course of the audit. These may include:

  1. Discrepancies in the accounting records, including:

    • Transactions that are not recorded in a complete or timely manner or are improperly recorded as to amount, accounting period, classification, or entity policy.

    • Unsupported or unauthorised balances or transactions.

    • Last-minute adjustments that significantly affect financial results.

    • Evidence of employees’ access to systems and records inconsistent with that necessary to perform their authorised duties.

    • Significant unreconciled differences between control accounts and subsidiary records or between physical count and the related account balance which were not appropriately investigated and corrected on a timely basis.

    • Unusual transactions, by virtue of their nature, volume or complexity, particularly if such transactions occurred close to the year end.

    • Transactions not recorded in accordance with management’s general or specific authorisation.

    • Identification of important matters not previously disclosed by management.

    • Long outstanding accounts receivable balances.

    • High volume of sales reimbursements / returns post year end.

    • Suppliers’ accounts with a high volume of debit and credit entries.

  2. Conflicting or missing evidence, including:

    • Missing documents.

    • Unavailability of other than photocopied or electronically transmitted documents when documents in original form are expected to exist.

    • Significant unexplained items on reconciliations.

    • Unusual documentary evidence such as handwritten alterations to documentation, or handwritten documentation which is ordinarily electronically printed.

    • Inconsistent, vague, or implausible responses from management or employees arising from inquiries or analytical procedures.

    • Unusual discrepancies between the entity’s records and confirmation replies.

    • Missing inventory or physical assets of significant magnitude.

    • Unavailable or missing electronic evidence, inconsistent with the entity’s record retention practices or policies.

    • Inability to produce evidence of key systems development and program change testing and implementation activities for current‑year system changes and deployments.

    • Significantly incomplete or inadequate accounting records.

    • Contractual arrangements without apparent business purpose.

    • Unusual transactions with related parties.

    • Payments for services that appear excessive in relation to the services provided.

  3. Problematic or unusual relationships between us and the entity, including:

    • Denial of access to records, facilities, certain employees, customers, vendors, or others from whom audit evidence might be sought.

    • Undue time pressures imposed by management to resolve complex or contentious issues.

    • Complaints by management about the conduct of the audit or management intimidation of engagement team members, particularly in connection with our critical assessment of audit evidence or in the resolution of potential disagreements with management.

    • Unusual delays by the entity in providing requested information.

    • Tips or complaints to the auditor about alleged fraud.

    • Unwillingness to facilitate auditor access to key electronic files for testing through the use of computer‑assisted audit techniques.

    • Denial of access to key IT operations staff and facilities, including security, operations, and systems development personnel.

Indicators of the existence of fraud

OAG Guidance

Identifying fraud risk factors

The following are some examples of risk factors and other indicators that, individually or collectively, may provide an indication of fraud and are therefore worth considering when performing a fraud risk assessment. This is not an all‑inclusive list nor is the existence of one or more of these risk factors necessarily indicative of a risk of material misstatement due to fraud.

  • No or untimely preparation of account reconciliations

  • Significant short seller position held in entity’s stock

  • High staff turnover

  • Lack of segregation of duties

  • Inexperienced finance team

  • Tone at the top/Overbearing CEO/non‑finance executives with excessive involvement in accounting and reporting decisions

  • Lack of regular board meetings

  • Significant inconsistencies between results and industry benchmarks

  • Significant inconsistencies between current and historical results

  • Lack of acknowledgement of impacts from global circumstances on the business, such as global pandemics or climate change

  • No internal audit function in a large, complex entity

  • Lack of entity fraud risk assessment

  • Lack of a robust payment approval process

Indicators of fraud risks

The following table provides examples of fraud risk indicators; however, it is not meant to be a comprehensive list of all potential risk factors. Be alert to the indicators listed below and consult senior members of the engagement team if one or more of them are present on your engagement to consider whether an update to the fraud risk assessment and related audit response is warranted:

| Risk factors and other indicators of fraud | Example |
| --- | --- |
| Unbalanced view of results | Rather than giving a balanced view about financial results, the entity’s Finance Controller (FC) focuses on one or two favorable elements of the entity’s performance and fails to answer our questions about other less favorable financial indicators. |
| Lack of readily available data | The FC says it will take time to collate sales volume data. We would expect the FC to have that data readily available. Unusual delays in providing information that would be expected to be readily available may be indicative of an attempt to conceal fraudulent activity. |
| Unreasonable management explanations | We are surprised to find that sales for the quarter are consistent with the level of sales in the prior quarter even though several warehouses were closed due to health and safety measures. The FC says that sales quickly returned to normal almost immediately after the warehouses reopened. There are questions regarding the length of the closure and the period over which sales volumes could return to normal. The explanation for the lack of decrease in revenue does not align to our expectations. |
| Management referring the engagement team to specific individuals | The FC refers us to a specific individual in the sales organization and resists requests to provide an organizational chart for the sales department which was requested by us as a means of independently selecting other sales department employees to speak with. This FC resistance may be indicative of an attempt to control the message so that fraudulent activity does not come to light. |
| Aggressive questioning | Our request for basic information (e.g., a supporting vendor invoice) is continually met with aggressive questioning from the FC as to the need to see the information. |
| Evidence suddenly available late in the process | Late in the audit, the FC suddenly provides documentation that appears to mitigate an audit finding we communicated or were proposing to communicate to the executive management and the Audit Committee. |
| Changes in an individual’s body language | While responding to probing questions the FC appears uncomfortable and shows signs such as fidgeting, looking away or down, or changes in voice patterns. |

Fraud Schemes

While we consider fraud risk factors relating to incentives/pressures and rationalization in identifying and assessing fraud risk, it is the consideration of opportunity (refer to the three elements of the ‘fraud risk triangle’ (OAG Audit 5501)) where we can best identify risks of material misstatements due to fraud and begin to identify the ways in which fraud may manifest (fraud schemes). Identifying these potential fraud schemes facilitates our design of an effective audit response.

Some fraud schemes can be simple. For example, adding an unsupported reconciling item in a bank reconciliation to conceal a misappropriation of cash and hoping its fictitious nature is not detected. Other schemes can involve a much higher level of sophistication. For example, creating falsified documents and emails that are intended to conceal that reported revenues are overstated.

Some examples of fraud schemes include:

  • A financial controller manipulating an email to make it appear as if a third party had confirmed a customer accounts receivable balance;

  • Intentionally misstated cash balances concealed by fictitious documents created to make the bank account balance appear accurate;

  • Unsupported and fictitious items included amongst a large number of legitimate reconciling items in an attempt to hide them from detection;

  • Funds borrowed but inappropriately kept off the entity’s records and not reported;

  • Cash advances that are secured by an employee with forged documented approvals and then not recorded on the entity’s books;

  • Fictitious inventory items being added to the summary of inventory after the inventory observation date;

  • Renting undisclosed warehouses and recording revenues when inventory is shipped to those addresses;

  • Fictitious fixed asset additions recorded based upon falsified vendor invoices, processing of falsified invoices and receiving documents to facilitate cash payment to the perpetrating employee; and

  • Vendor invoices being left "in the drawer" and not accrued for at the year end.

The schemes listed above often originate from someone relatively senior in the finance team, for example to avoid a covenant breach, and often involve applying pressure to influence actions of someone more junior in the organization.

Indicators that may suggest the existence of fraud

In addition to identifying fraud risk factors or other indicators of fraud risks, and considering fraud schemes, we need to remain alert throughout the audit to indications that fraud may have occurred. The following list provides examples of such indicators that may suggest the existence of fraud. These examples are not meant to be a comprehensive list of all such indicators, and it is important to remain alert to other indications where fraud may exist.

  • Anonymous allegations of fraud, whether by letter, email, whistleblower hot line or anonymous call.

  • Allegations of fraud in the media, whether print, broadcast or internet (e.g., short seller blogs, social media posts).

  • Discovery of unauthorized third‑party access to the IT environment.

  • Discovery that a high‑ranking official resigned due to known or possible illegal activities.

  • Information is discovered that the entity is the target of an investigation by a law enforcement agency.

  • Information is discovered that the entity has received a subpoena from a law enforcement agency or a regulatory agency, which indicates the entity may be a target of an investigation.

  • We have a perception that:

    • Intentionally misleading verbal information has been provided by the entity.
    • Requested documents have been altered.
    • Documents are being intentionally withheld.

  • Discovery that the entity has suffered embezzlement even for a small amount and even if the employee is no longer employed by the entity.

  • Indication that a vendor may be fictitious.

  • Indications discovered of improper accounting for revenue or expenses:

    • Sales recorded before completed and final (earned).

    • Goods shipped before customer has committed to the purchase.

    • Revenue recorded for backordered goods that have not been shipped.

    • Fictitious revenue recorded.

    • Supplier refunds recorded as revenue.

    • Unbilled revenues or other accounts receivable being re‑aged.

    • Revenue recorded as a result of bill and hold arrangements without meeting recognition criteria.

    • Period end revenue transactions utilizing non‑standard shipping and/or payment terms.

    • Revenue recorded from self‑dealing or asset exchanges.

    • Changes to sales price without customer agreement.

    • Revenue recorded on consignment sales before control of the product has transferred to the consumer.

    • Current expenses shifted into later periods.

    • Expenses improperly capitalised.

    • Liabilities concealed and not accrued.

    • Delayed asset write‑offs or impairments.

    • Management bias in estimates, including asset/liability valuations, impairment assessments and allowances/provisions.

  • Inappropriate classification of impairment charges and other adjustments as "exceptional items" (where applicable to the financial reporting framework).