Evaluating fraud risks related to revenue recognition
Gain industry-specific and general insights for auditors related to identifying and assessing risks of material misstatement.

Identifying and assessing the risks of material misstatement due to fraud are among the most challenging aspects of auditing in recent years, according to outreach conducted by the AICPA Auditing Standards Board (ASB) (see the sidebar, “Peer Review Survey Findings” at the end of this article).
Potential reasons include difficult economic and industry conditions during the post-pandemic era; changes in the workforce, including labor shortages (i.e., fewer employees doing more work); challenges associated with extensive remote-work arrangements for employees at organizations, including less oversight of employees; and disruptions to global supply chains and associated inflationary pressures.
The auditor’s overall work on risk identification and assessment is guided by AU-C Section 315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, while fraud-specific audit requirements are included in AU-C Section 240, Consideration of Fraud in a Financial Statement Audit. For example, AU-C Section 240.25 directs auditors to identify and assess the risk of material misstatement due to fraud in accordance with AU-C Section 315 and reminds auditors that “risk assessment should be ongoing throughout the audit,” recognizing that the auditor’s knowledge and understanding of an entity and its environment are not static but evolve.
Auditing standards, including AU-C Section 315 and AU-C Section 240, are principles-based and allow auditors to exercise professional judgment in applying them. That said, because revenue may be particularly susceptible to fraud and a number of past financial reporting frauds have centered on improper revenue recognition, AU-C Section 240.26 includes a requirement that “When identifying and assessing the risks of material misstatement due to fraud, the auditor should, based on a presumption that risks of fraud exist in revenue recognition, evaluate which types of revenue, revenue transactions, or assertions give rise to such risks.”
Notwithstanding this requirement, auditors may not identify a risk of fraud due to improper revenue recognition based on their understanding of the entity’s circumstances and their risk assessment. In such instances, auditors may rebut the presumed risk (see AU-C Section 240.A35). Importantly, in the case of such a rebuttal, an auditor should include the reasons for their determination in the engagement’s audit documentation.
The following sections offer industry-specific revenue recognition insights for not-for-profit (NFP) entities and employee benefit plans (EBPs) as well as observations related to revenue more broadly that auditors may find helpful when identifying and assessing risks of material misstatement due to fraud related to revenue recognition.
NOT-FOR-PROFIT ENTITIES
NFP entities have diverse operating and governance structures and business models, ranging from small local chambers of commerce to nationally recognized organizations that provide disaster relief. This diversity has implications for the auditor’s evaluation of the types of revenue, revenue-related transactions, and financial statement assertions that can lead to risks of fraud in revenue recognition.
Depending on the NFP’s purposes and operations, revenues may stem from either nonexchange transactions or exchange transactions. As the name implies, nonexchange transactions involve the receipt of something of value by the NFP without giving the other party something of equal value in return. Common examples of nonexchange revenues for NFPs include private donations and grants. On the other hand, in exchange transactions the NFP receives something of value and provides the other party goods and/or services. Examples of exchange revenue within NFPs vary greatly and may include revenues such as tuition payments for child care, pet adoption fees, conference registration fees, and patient services fees for health care.
Understanding the nature of an NFP’s operations and its revenues is critical to appropriately assessing the potential risks of fraud in revenue recognition. It is important for auditors to remain aware of potential motivations or incentives that management and other personnel may have to intentionally misstate nonexchange revenues. For example, the executive director of an NFP that specializes in affordable housing may want to inflate nonexchange revenues to enhance their apparent financial health to increase the likelihood that a city government with available funding for affordable housing developments will provide a grant to the organization.
Also, auditors may consider whether members of management or development personnel feel pressured to achieve certain donation targets or whether a significant portion of their compensation is dependent on achieving targeted donation levels, either the amounts received or pledged.
The type of NFP is also important to keep in mind. For example, social service organizations are more likely to rely on nonexchange revenue than on exchange revenue because they often assist individuals facing significant life challenges of some sort. This type of NFP may include organizations such as food banks, mental health clinics, health care clinics, and homeless shelters. Although such organizations receive a substantial portion of their support through donations and grants, they may still earn some level of exchange revenues through voluntary or encouraged means (i.e., pay what you can) rather than based on true contractual terms.
It is also important for auditors to be alert to how oversight by boards of directors varies across types of NFPs. Take as an example the board of directors for a local chamber of commerce. Such a board is likely to function much like the board of a for-profit organization with a focus on business and controls and be made up of individuals with considerable professional experience who are business owners in the community. On the other hand, the board of a day care center that provides care for children from lower-income households may consist of individuals who are “drawn to the cause” with a greater emphasis on the organization’s mission than on business and control considerations.
These examples are meant to illustrate the substantial variation in board oversight and are not intended to imply that one board is superior to another. The key is for auditors to recognize the scope and depth of oversight activities of an organization’s board.
EMPLOYEE BENEFIT PLANS
EBPs generally have cash inflows that are not subject to FASB Accounting Standards Codification Topic 606, Revenue From Contracts With Customers. Common cash inflows for plans include investment income (e.g., dividends, interest, unrealized/realized gains/losses, securities lending income, and interest income on notes receivable from plan participants) and contributions (e.g., discretionary contributions from employees, nondiscretionary contributions from employers, and reciprocal contributions from multiemployer plans). Other less common inflows include those from revenue sharing, grants, lease income/rental income, and pharmacy rebates.
The AICPA Financial Reporting Executive Committee has determined that such inflows are not subject to the guidance in Topic 606 and should not be treated as revenue by an EBP. Considering this guidance, there would not be a risk of fraud due to improper revenue recognition if a plan had no inflows other than those described above. Nonetheless, it is important for auditors to still consider fraud risks associated with any cash inflows a plan does have.
EBPs may have other inflows that are potentially subject to Topic 606 and that could have risks of fraud associated with them. Examples may include tuition payments or inflows for books and supplies. As mentioned previously, auditors need to understand the EBP’s underlying nature and the inflows it receives to determine whether they are subject to Topic 606. For example, if a health and welfare plan only serves as a passthrough for tuition payments to another entity on behalf of the plan’s participants, then such payments are not revenue to the plan and would not give rise to risks of fraud in revenue recognition. On the other hand, if tuition payments are not passed through to another entity, then they would be treated as revenues of the plan and would give rise to potential risks of fraud due to improper revenue recognition.
GENERAL CONSIDERATIONS
Besides the above industry-specific observations, understanding and discussing the following matters may be helpful when assessing the risk of fraud due to improper revenue recognition more broadly:
Entity background
Obtain a clear understanding of the entity’s business objectives and associated business risks, strategies used to achieve those objectives, and performance measures used by the entity that involve revenues. An additional consideration that may be relevant is whether the entity has received private-equity investments. If so, management may be under pressure to inflate revenues so that the company appears to provide an acceptable return on investment to the private-equity firm. Finally, consider whether an entity’s revenues may be susceptible to manipulation to achieve a particular result for the owners’ personal income taxes. For example, revenues may be accelerated or deferred from one reporting period to another if the resulting effect on income taxes is advantageous to the entity’s owners.
Disaggregated revenue streams
The types of revenue vary considerably across industries, so it is important to understand the following aspects of the entity’s revenue streams: the nature of the revenue, amounts, volume of activity, complexity, levels of subjectivity and estimation, whether company specialists are used, key accounting policies, and the existence of related-party transactions.
Results of risk assessment procedures
Results from risk assessment procedures that are specific to revenue may provide insights that are useful in assessing fraud risks related to revenue. For example, consider your understanding of the client’s processes related to each revenue stream including how revenue transactions are initiated, authorized, processed, recorded, and reported. Other helpful information may come from considering the potential impact of changing or unique industry conditions, results from preliminary analytical procedures, and your understanding of compensation arrangements for management and other employees when they include incentives tied to revenue targets.
Influence of information technology
Obtain an understanding of changes in the entity’s information technology environment related to revenues. Organizations of all types and sizes may have artificial intelligence or bots embedded in their accounting systems. Auditors need to understand how these emerging technologies can mitigate risks or potentially present new risks of misstatement.
Fraud triangle
Consider each of the three legs of the fraud triangle (i.e., incentives or pressures to perpetrate fraud, opportunities to commit fraud, and attitudes or rationalizations to justify fraud) for each material revenue stream. Also keep in mind the “could factor” as it relates to revenue. For example, consider the following questions from the perspective of “if management were to commit fraud”: What could go wrong in the revenue process? How could fraud be perpetrated and concealed? What points in the revenue process are susceptible to manipulation? What is the likelihood and magnitude of a potential misstatement in revenues based on your understanding?
FINAL THOUGHTS
Addressing the presumed risks of fraud due to improper revenue recognition requires professional judgment and a sound understanding of a client’s business. Begin by challenging your understanding of the entity and carefully consider how changes, or the lack thereof, in the entity or its industry affect your risk assessment.
Ask yourself and others on the engagement team fundamental questions such as “How does the company make money?”, “Who are the company’s customers?”, and “How could revenue be misstated?”
Finally, maintain your professional skepticism and be open to challenging what you know about a client. Change is constant — remaining aware of those changes affecting clients is essential if auditors are to respond effectively to risks of fraud.
Peer review survey findings
The AICPA Auditing Standards Board polled a total of 500 peer reviewers in 2022, 2023, and 2024 to gather insights that included auditors’ considerations of fraud, quality management, and audit documentation.
Identifying and assessing fraud risks ranked as the top fraud-related challenge in 2024, up from fourth place the previous two years.
The surveys also asked whether the audit documentation reviewed as part of their most recently completed system review indicated that the engagement team had rebutted the presumption that risks of fraud exist in revenue recognition.
The proportion of peer reviewers responding affirmatively was higher than expected in 2024 and 2023.
The 2024 survey findings also revealed that rebuttals occurred more frequently on audits involving not-for-profit organizations and employee benefit plans than in other industries or types of entities. Peer reviewers believed audit teams had sufficient basis for the rebuttal in all but one case.
About the author
J. Gregory Jenkins, CPA, Ph.D., is the Ingwersen Professor of Accounting in the Harbert College of Business at Auburn University in Auburn, Ala., and is a member of the AICPA Auditing Standards Board. To comment on this article or to suggest an idea for another article, contact Jeff Drew at Jeff.Drew@aicpa-cima.com.