SA 240 — Auditor's Responsibilities Relating to Fraud — CA Inter Microlesson

Think of SA 240 as the standard that answers one big exam question before it's even asked: "If fraud happens in a company, is it the auditor's fault?" The short answer is — not automatically. But the auditor does have clear, specific responsibilities, and this standard defines exactly what they are.

Fraud vs. Error — the intent test. Both result in a misstatement in the financial statements, but fraud is intentional while an error is not. If Ms. Iyer, the accountant, accidentally posts ₹1,00,000 to the wrong account, that's an error. If she deliberately inflates sales by ₹5 crores to hit bonus targets, that's fraud. SA 240 deals with two types of fraud: Fraudulent Financial Reporting (FFR) — manipulating the books to mislead users — and Misappropriation of Assets (MOA) — stealing cash, inventory, or other assets. FFR is usually management-driven; MOA is often employee-level.

Primary responsibility lies with Management, not the auditor. This is a favourite exam trap. The board of directors and management are primarily responsible for preventing and detecting fraud through internal controls. The auditor's job is to obtain reasonable assurance (not absolute assurance) that the financial statements are free from material misstatement — whether due to fraud or error. Reasonable assurance means the auditor can still miss a well-concealed fraud and not be negligent, as long as proper procedures were followed.

The Fraud Triangle — your risk-assessment compass. SA 240 uses the fraud triangle to identify why fraud occurs: (1) Incentive/Pressure (management under pressure to meet earnings targets), (2) Opportunity (weak internal controls), and (3) Rationalization/Attitude (the person justifies it to themselves). The auditor uses these risk factors during risk assessment procedures to identify where fraud risk is higher. Two fraud risks are presumed always present: (a) revenue recognition risk (FFR) and (b) management override of controls (FFR). The auditor must always address these, no exceptions. Professional skepticism — maintaining a questioning mind and critically assessing audit evidence — is the key attitude SA 240 demands throughout the engagement.

📊 Worked example

Example 1 — Identifying Fraud vs. Error

During the audit of Rajesh & Co. Pvt. Ltd., you find two issues:

The storekeeper forgot to update inventory records after a ₹2,50,000 goods return — the system shows excess stock.
The CFO has been recording fictitious sales invoices worth ₹18,00,000 to meet the quarterly revenue target set by the board.

Working:

| Item | Intentional? | Classification |

|---|---|---|

| Storekeeper's omission | No — oversight | Error |

| CFO's fictitious invoices | Yes — deliberate | Fraud (FFR) |

The ₹2,50,000 error may not be material depending on turnover. The ₹18,00,000 fraudulent invoices are almost certainly material and must be reported to Those Charged with Governance (TCWG) — i.e., the Audit Committee or Board.

Final Answer: The CFO's action = Fraudulent Financial Reporting. Auditor must communicate to TCWG promptly and consider impact on audit report.

---

Example 2 — Presumed Fraud Risks (4-mark type question)

You are the auditor of Mehta Traders Ltd. During planning, you assess fraud risks. The engagement partner asks: "Which fraud risks must we always treat as significant, regardless of the company?"

Working:

SA 240 mandates two presumed significant fraud risks:

1. Revenue Recognition — Management may inflate/deflate revenue. Always treat as a fraud risk unless rebutted with strong evidence and documented reasoning.

2. Management Override of Controls — Because management sets and can bypass controls, this risk always exists.

Response to these risks:

For revenue: apply unpredictability in testing, scrutinise journal entries, verify cut-off.
For management override: test journal entries (especially year-end), review accounting estimates for bias, evaluate unusual transactions.

Final Answer: Both risks are always presumed present. Document responses to each in the audit file.

⚠️ Common exam mistakes

Students say management and auditor share equal responsibility for fraud detection — Wrong. Management bears primary responsibility. The auditor provides reasonable, not absolute, assurance. If asked in an exam, always lead with this distinction.
Confusing FFR with MOA — Don't blur these. FFR = manipulating reported numbers (journal entries, estimates). MOA = physically stealing assets (cash, inventory). Both are fraud, but the perpetrator and method differ.
Forgetting the two presumed fraud risks — Many students list fraud risks generically. SA 240 specifically presumes revenue recognition and management override of controls as significant risks in every audit. If the exam asks you to "identify fraud risks," these two must appear.
Thinking professional skepticism is a one-time step — Students often mention it only in the planning phase. SA 240 requires skepticism to be maintained throughout the entire audit, not just at the start.
Missing the reporting chain — When fraud is found or suspected, students forget to whom it's reported. Rule: report to TCWG (Audit Committee/Board). If management or TCWG is itself implicated, consider reporting to a regulatory authority. Don't just say "report to management" — that may be the fraudster.

📖 Reference: SA 240 — Institute of Chartered Accountants of India

← Previous

SA 230

SA 250

Test yourself

Practice questions on this section, AI-graded with citations.

⚡ Practice now →