Uncategorized

PCAOB AS 2401: Consideration of Fraud in a Financial Statement Audit

PCAOB AS 2401 is the standard that requires auditors to consider the possibility of fraud throughout a financial statement audit. It treats fraud not as a side topic but as a risk the audit team must plan for, brainstorm about, and test directly. The standard carries two ideas that shape every public company audit: improper revenue recognition is presumed to be a fraud risk, and management can always override controls.

Key takeaways

  • PCAOB AS 2401 requires the auditor to consider fraud throughout the audit and to maintain professional skepticism regardless of past experience with the client (AS 2401.13).
  • There is a rebuttable presumption that improper revenue recognition is a fraud risk in every audit; the auditor must address it or document why it does not apply (AS 2401.41).
  • The auditor must test journal entries and other adjustments for evidence of possible material misstatement due to fraud (AS 2401.58).
  • Management override of controls is treated as a risk present in every audit, so the standard requires specific procedures even when no other fraud risk is identified (AS 2401.57).
  • Fraud-related findings, including insufficient response to fraud risks and weak journal entry testing, recur in PCAOB inspections, where the aggregate Big Four deficiency rate ran near 23 percent in FY2024 (PCAOB FY2024 inspection reports).

What is PCAOB AS 2401?

PCAOB AS 2401 is titled “Consideration of Fraud in a Financial Statement Audit.” It is the auditing standard that tells public company auditors how to address the risk that a company’s financial statements are materially misstated because of fraud. The standard originated as Statement on Auditing Standards No. 99 in the post-Enron era and was adopted into the PCAOB’s interim standards, then renumbered AS 2401 in the 2017 reorganization of the board’s standards.

The standard draws a line between two types of misstatement: those caused by error and those caused by fraud. An error is unintentional. Fraud is intentional. AS 2401 focuses on two kinds of fraud that matter to an audit: fraudulent financial reporting, which is the intentional misstatement of the financial statements, and misappropriation of assets, which is theft. The auditor’s job is not to find every fraud, but to plan and perform the audit to obtain reasonable assurance that the financial statements are free of material misstatement, whether caused by error or fraud.

Underlying the standard is the fraud triangle, a model describing three conditions usually present when fraud occurs: an incentive or pressure to commit fraud, an opportunity created by ineffective controls, and an attitude or rationalization that justifies the act. AS 2401 directs the audit team to consider these conditions when assessing where fraud is most likely.

Why PCAOB AS 2401 matters

AS 2401 matters because fraud is the failure mode that does the most damage to investor trust. An audit that misses an honest error is a problem; an audit that misses a deliberate scheme to inflate revenue can wipe out shareholder value and end careers. The standard exists because the ordinary audit response to error, more substantive testing, is not always enough against someone actively concealing a misstatement.

The standard also matters because it forces the audit team to confront its own biases. The default human tendency, especially with a long-standing client, is to assume management is honest. AS 2401.13 explicitly tells the auditor to set that assumption aside and maintain professional skepticism, recognizing that a material misstatement due to fraud could be present regardless of any past experience with the client’s honesty and integrity. This is a behavioral requirement, not just a procedural one.

For investors and forensic specialists, AS 2401 is the bridge between routine auditing and fraud investigation. When red flags surface, the standard governs how an audit team is supposed to respond. Readers tracing the warning signs that trigger that response can review our coverage of financial statement fraud red flags and the discipline of forensic accounting.

How PCAOB AS 2401 works (the requirements)

AS 2401 builds fraud consideration into the structure of the audit rather than bolting it on at the end. The requirements run from planning through evaluation, and several of them are mandatory in every audit regardless of what the risk assessment finds.

The brainstorming session

AS 2401.14 requires the audit team to discuss, before or during the gathering of information, how and where the financial statements might be susceptible to material misstatement due to fraud. This brainstorming session is meant to be a genuine exchange of ideas, set with an attitude that includes a questioning mind. Key engagement personnel must participate, and the discussion should emphasize how a fraud could be perpetrated and concealed.

Identifying fraud risk factors

The auditor gathers information to identify risks of material misstatement due to fraud, including by inquiring of management, the audit committee, internal audit, and others. AS 2401 lists fraud risk factors organized around the fraud triangle: incentives and pressures, opportunities, and attitudes and rationalizations. A risk factor is not proof of fraud, but its presence raises the likelihood that a fraud could occur and shapes the auditor’s response.

The revenue recognition presumption

AS 2401.41 establishes that the auditor should ordinarily presume there is a risk of material misstatement due to fraud relating to revenue recognition. This is a rebuttable presumption. The auditor may conclude it does not apply in a given engagement, but if so, the auditor must document the reasons supporting that conclusion. In practice the presumption is rarely rebutted, because revenue is the line item most often manipulated.

Management override of controls

Because management is uniquely able to override controls that otherwise appear to be operating effectively, AS 2401.57 treats management override as a risk in all audits. The standard requires specific procedures to address it even when no other fraud risk has been identified. These procedures include examining journal entries, reviewing accounting estimates for bias, and evaluating the business rationale for significant unusual transactions.

Journal entry testing

AS 2401.58 requires the auditor to design procedures to test the appropriateness of journal entries recorded in the general ledger and other adjustments made in preparing the financial statements. The auditor selects entries based on characteristics that suggest higher fraud risk, such as entries to unrelated or unusual accounts, entries posted at period-end or after the close, entries by people who do not normally make them, and round-dollar or just-below-threshold entries.

Responding and evaluating

The auditor’s response to identified fraud risks can be a change in the overall conduct of the audit, a change in the nature, timing, and extent of procedures, or procedures aimed specifically at management override. AS 2401 then requires the auditor to evaluate audit evidence at the end of the engagement to assess whether the accumulated results affect the earlier fraud risk assessment, and to consider whether identified misstatements may indicate fraud.

AS 2401 fraud risk factors by fraud triangle component

The standard organizes fraud risk factors around the three sides of the fraud triangle. The table below maps the components to examples drawn from the appendix to AS 2401 and shows the typical audit response.

Fraud triangle component What it represents Example risk factors (AS 2401 appendix) Typical auditor response
Incentives / pressures A reason to commit fraud Profitability threatened by economic conditions; pressure to meet analyst forecasts; significant portion of pay tied to stock price or earnings Heighten skepticism on revenue and earnings-sensitive accounts; expand substantive testing
Opportunities A way to commit fraud and conceal it Significant related-party transactions; weak internal control; complex or unstable organizational structure; domination of management by one person Test management override procedures; examine significant unusual transactions for business rationale (AS 2401.66)
Attitudes / rationalizations A mindset that justifies fraud Known history of securities law violations; management’s aggressive or unrealistic forecasts; strained relationship with the current or prior auditor Increase corroboration of management representations; reassess reliance on inquiry alone
Revenue (presumed) Presumed fraud risk in every audit Improper revenue recognition through timing, fictitious sales, or channel stuffing (AS 2401.41) Default fraud risk unless rebutted and documented; targeted revenue cutoff and existence testing

Worked example / application

Picture a public company that distributes industrial equipment and has narrowly beaten consensus earnings for eight straight quarters. During the brainstorming session required by AS 2401.14, the audit team flags the incentive side of the fraud triangle: senior executives hold large stock-based compensation that vests on hitting earnings targets, and the streak of just-beating estimates looks engineered rather than organic.

The team applies the revenue recognition presumption under AS 2401.41 and does not rebut it. It designs targeted procedures around cutoff, because timing manipulation is the easiest way to smooth earnings in a distribution business. The team also performs the mandatory management override procedures of AS 2401.57, starting with journal entry testing under AS 2401.58.

Using data analysis, the team extracts all manual journal entries posted in the last five business days of each quarter, then filters for entries to revenue and to a rarely used “deferred shipment” account, posted by a member of the finance leadership team rather than the usual staff accountants. Several entries are round-dollar amounts just large enough to close the gap to the analyst target. This combination of characteristics is exactly what AS 2401 tells the auditor to look for.

The team investigates and finds that shipments scheduled for early in the next quarter were recorded as current-quarter revenue through these manual entries, with the offsetting deferral reversed shortly after quarter-end. The business rationale offered by management does not hold up, and the pattern repeats across multiple quarters, which the team confirms through the retrospective review of estimates and accruals contemplated by AS 2401.63. That retrospective look is what converts a single suspicious entry into evidence of a sustained scheme, because it shows the manipulation was directional and deliberate rather than a one-time timing slip. The auditor evaluates the misstatements and concludes they indicate intentional manipulation, not error. Under AS 2401 the auditor communicates the matter to the audit committee, reconsiders the integrity of management representations across the audit, and evaluates the effect on the audit opinion and on the firm’s continuance with the client. Because the team can no longer rely on management inquiry as it did earlier in the engagement, it expands corroboration on other judgment-heavy accounts and revisits its overall fraud risk assessment under AS 2401.74. The case shows how the standard’s mandatory procedures, not a tip or a confession, are what surface the scheme, and how one confirmed fraud forces the auditor to re-evaluate the rest of the audit rather than treat the finding as contained.

Recent changes (PCAOB updates, effective dates)

The substantive requirements of AS 2401, including the brainstorming session, the revenue presumption, the management override procedures, and journal entry testing, have remained stable since the standard’s origin in the early 2000s and its 2017 renumbering. The board has not rewritten the fraud standard’s core mechanics. The changes that affect AS 2401 engagements come from the framework around it and from inspection emphasis.

The most consequential adjacent change is AS 1000, “General Responsibilities of the Auditor in Conducting an Audit,” adopted in PCAOB Release No. 2024-004 and effective for audits of fiscal years ending on or after December 15, 2024. AS 1000 reaffirmed and consolidated the duties of due professional care and professional skepticism that animate fraud consideration. Because skepticism is the behavioral core of AS 2401, the heightened framing in AS 1000 reinforces the expectation that auditors will not default to trusting management.

The PCAOB has also kept fraud and revenue testing high on its inspection agenda. In the FY2024 inspection cycle, the board continued to identify deficiencies in how firms responded to fraud risks and tested journal entries, and the aggregate deficiency rate across the largest firms was near 23 percent (PCAOB FY2024 inspection reports). Inspectors have pressed on whether journal entry testing was genuinely risk-targeted or applied as a mechanical extract, and on whether teams rebutted the revenue presumption without adequate support.

Common deficiencies under this standard

Frequently asked questions

What is the rebuttable presumption in PCAOB AS 2401?
AS 2401.41 states that the auditor should ordinarily presume there is a fraud risk relating to revenue recognition. The presumption can be overcome, but if the auditor concludes it does not apply, the standard requires documenting the specific reasons supporting that conclusion. In practice the presumption is rarely rebutted.
Why is management override of controls always a fraud risk?
Because management is in a unique position to manipulate accounting records and prepare fraudulent statements by overriding controls that otherwise appear effective. AS 2401.57 therefore requires specific procedures, including journal entry testing and estimate review, in every audit, even when no other fraud risk is identified.
What journal entries does AS 2401 require auditors to test?
AS 2401.58 directs auditors to select entries and adjustments using fraud-risk characteristics: entries to unusual or unrelated accounts, entries posted at or after period-end, entries by people who do not normally post them, round-dollar amounts, and entries lacking documentation. The selection should reflect the entity’s specific risks, not a generic filter.
What is the fraud triangle and how does AS 2401 use it?
The fraud triangle describes three conditions usually present when fraud occurs: incentives or pressures, opportunities, and attitudes or rationalizations. AS 2401 organizes its fraud risk factors around these three components so the audit team can assess where fraud is most likely and design a response.
How does AS 2401 differ from SAS 99?
They are essentially the same standard for different populations. SAS 99 was the AICPA fraud standard, later codified as AU-C 240 for non-issuer audits. The PCAOB adopted the same approach for public company audits and renumbered it AS 2401. The core concepts, including the brainstorming session and the revenue presumption, are shared.
Does AS 2401 require the auditor to find all fraud?
No. The objective is reasonable assurance that the financial statements are free of material misstatement, whether from error or fraud. Because fraud involves concealment, an audit performed in accordance with AS 2401 may not detect every fraud, particularly immaterial ones or those involving collusion and forged documents.
Who must attend the AS 2401 brainstorming session?
Key members of the engagement team, including the engagement partner. AS 2401.14 requires a discussion among the audit team about the susceptibility of the financial statements to fraud, with an emphasis on maintaining a questioning mind throughout the audit.
How does AS 2401 connect to internal control work?
Fraud often occurs where controls are weak, so the auditor’s understanding of internal control feeds the fraud risk assessment. Our guide to internal controls testing covers the control-side procedures, while AS 2401 governs the direct fraud response, including testing that targets the management override of those controls.

Bottom line

PCAOB AS 2401 makes fraud consideration a built-in part of every public company audit through mandatory steps that do not depend on the auditor sensing something is wrong. The revenue recognition presumption, the management override procedures, and risk-targeted journal entry testing are the load-bearing requirements, and they are also where PCAOB inspectors find the most failures.

Sources and methodology

This article draws on PCAOB Auditing Standard 2401, “Consideration of Fraud in a Financial Statement Audit,” including paragraphs .13, .14, .41, .57, .58, .63, .66, and .74, and its appendix listing fraud risk factors organized by the fraud triangle. Context on the auditor’s general responsibilities and professional skepticism is from PCAOB Release No. 2024-004 (AS 1000), effective for audits of fiscal years ending on or after December 15, 2024. Inspection context, including the aggregate Big Four deficiency rate near 23 percent and recurring fraud and journal entry findings, is drawn from the PCAOB’s FY2024 inspection reports. For related coverage see our regulatory section.