Auditor Responsibilities AU-C Section 240
AU-C Section 240, issued by the American Institute of Certified Public Accountants (AICPA), outlines the specific responsibilities of auditors when considering fraud in audits of financial statements for non-issuers (private companies and other entities not subject to PCAOB standards). For US CPAs conducting audits under Generally Accepted Auditing Standards (GAAS), understanding AU-C Section 240 is essential to meet professional requirements, reduce audit risk, and provide reasonable assurance that financial statements are free from material misstatement due to fraud or error.
This article breaks down the key provisions of AU-C Section 240, which is effective for audits of financial statements for periods ending on or after December 15, 2012, and remains the current standard as of 2026. It is designed for US auditors, accounting professionals, and business owners seeking clear, actionable insights into fraud risk assessment and response.
What Is AU-C Section 240 and Why It Matters for US Auditors?
AU-C Section 240, titled Consideration of Fraud in a Financial Statement Audit, addresses the auditor’s responsibilities relating to fraud. It expands on AU-C Section 315 (Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement) and AU-C Section 330 (Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained) specifically for fraud risks.
In the United States, this standard applies to audits of nonpublic entities under AICPA GAAS. It differs from PCAOB AS 2401, which governs public company audits, but shares core principles like professional skepticism and fraud risk assessment. Compliance with AU-C 240 helps auditors avoid regulatory scrutiny, maintain audit quality, and fulfill their role in protecting stakeholders.
Scope and Objectives of AU-C Section 240
The scope of AU-C Section 240 covers the auditor’s duties to identify and respond to risks of material misstatement due to fraud in financial statement audits. It clarifies that the auditor is not responsible for preventing fraud—that duty belongs to management and those charged with governance—but must obtain reasonable assurance that the financial statements are free from material misstatement caused by fraud or error.
The objectives are clear:
- Identify and assess the risks of material misstatement due to fraud.
- Obtain sufficient appropriate audit evidence regarding those risks by designing and implementing responses.
- Respond appropriately to fraud or suspected fraud identified during the audit.
This framework integrates fraud consideration throughout the entire audit process, not as a separate checklist.
Primary Responsibility for Fraud: Management vs. Auditor
AU-C Section 240 explicitly states that the primary responsibility for the prevention and detection of fraud rests with management and those charged with governance. Management must establish a culture of honesty and ethical behavior, while governance provides oversight, including monitoring for management override of controls.
The auditor’s role is secondary but critical: to plan and perform the audit to obtain reasonable assurance that the financial statements as a whole are free from material misstatement, whether caused by fraud or error. Due to the inherent limitations of an audit, absolute assurance is not possible, especially with sophisticated fraud schemes involving collusion or forgery.
Maintaining Professional Skepticism Throughout the Audit
Professional skepticism is a cornerstone of AU-C Section 240. Auditors must maintain an attitude that includes a questioning mind and critical assessment of audit evidence, recognizing the possibility of material misstatement due to fraud despite past experience with honest management.
Key requirements include:
- Accepting records and documents as genuine unless conditions suggest otherwise, then investigating further.
- Investigating inconsistent or unsatisfactory responses to inquiries.
This mindset must persist from planning through completion of the audit.
Engagement Team Discussion on Fraud Risks
AU-C Section 240 requires a discussion among key engagement team members, including the engagement partner, about how and where the entity’s financial statements might be susceptible to material misstatement due to fraud. This brainstorming session must address:
- External and internal factors creating incentives, pressures, opportunities, or rationalizations for fraud.
- The risk of management override of controls.
- Potential earnings management or manipulation.
- The importance of maintaining professional skepticism.
Discussions should continue throughout the audit as new information arises, ensuring the entire team remains vigilant.
Risk Assessment Procedures for Identifying Fraud Risks
To identify fraud risks, auditors must perform specific inquiries and procedures under AU-C Section 240, integrated with AU-C 315:
- Inquire of management about their fraud risk assessment, processes for identifying and monitoring fraud, and communications to governance.
- Inquire about known or suspected fraud.
- For entities with an internal audit function, inquire about fraud-related work.
- Understand oversight by those charged with governance.
- Perform analytical procedures, paying particular attention to revenue accounts.
- Consider other information that may indicate fraud risks.
- Evaluate fraud risk factors (incentives/pressures, opportunities, and attitudes/rationalizations).
Identifying and Assessing Risks of Material Misstatement Due to Fraud
Auditors must identify and assess fraud risks at both the financial statement level and assertion level. A key presumption is that there is a risk of material misstatement due to fraud related to revenue recognition. This presumption can be rebutted only with specific documentation if revenue recognition is not applicable.
All identified fraud risks are treated as significant risks, requiring an understanding of related controls. Management override of controls is always treated as a significant risk.
Designing Responses to Assessed Fraud Risks
AU-C Section 240 requires tailored responses:
- Overall responses at the financial statement level: Assign more experienced personnel, evaluate accounting policies for bias, and incorporate unpredictability in audit procedures.
- Assertion-level procedures: Modify the nature, timing, and extent of procedures (e.g., larger samples, year-end testing, use of computer-assisted audit techniques).
- Specific procedures for management override: Test journal entries and adjustments (including period-end and throughout the period), review accounting estimates for bias (including retrospective review), and evaluate business rationale for unusual or significant transactions.
Additional procedures may be needed if circumstances warrant.
Evaluating Audit Evidence and Responding to Identified Fraud
Near the end of the audit, auditors must evaluate whether analytical procedures or other evidence indicate previously unrecognized fraud risks. If a misstatement is identified, assess whether it could be indicative of fraud. If fraud involving management is suspected, reevaluate the reliability of previously obtained evidence and consider withdrawing from the engagement if necessary.
Communication and Documentation Requirements
AU-C Section 240 mandates timely communication:
- Communicate identified or suspected fraud to management at an appropriate level.
- Communicate to those charged with governance if it involves management, significant employees with control responsibilities, or results in material misstatement.
- Report to regulators when legally required.
Documentation must include:
- The engagement team discussion.
- Identified and assessed fraud risks.
- Overall and specific responses.
- Results of procedures performed.
- Communications about fraud.
- Conclusions on the revenue recognition presumption (if rebutted).
Common Fraud Risk Factors (Appendix A Examples)
Appendix A of AU-C Section 240 provides illustrative fraud risk factors categorized by:
- Fraudulent financial reporting: Incentives (e.g., pressure to meet analyst expectations), opportunities (e.g., weak internal controls or complex estimates), and attitudes (e.g., excessive interest in stock price).
- Misappropriation of assets: Incentives (e.g., financial pressures on employees), opportunities (e.g., easy access to cash or inventory), and attitudes (e.g., disregard for internal controls).
US auditors should tailor these examples to the client’s industry, size, and environment.
Best Practices for US CPAs Complying with AU-C Section 240
- Integrate fraud procedures seamlessly into risk assessment and response.
- Use data analytics for unusual revenue patterns or journal entries.
- Document all judgments thoroughly, especially rebuttals of the revenue presumption.
- Stay informed on AICPA resources and peer review expectations.
- Consider forensic specialists when fraud risks are elevated.
Recent Developments and Future Outlook for AU-C 240
As of April 2026, AU-C Section 240 remains fully effective. The AICPA Auditing Standards Board issued an exposure draft in 2025 for a proposed SAS that would supersede it and align more closely with revised international standards, but no final standard has replaced the current version. US auditors should monitor AICPA updates for any changes effective in future periods.
Conclusion: Strengthening Audit Quality with AU-C Section 240
AU-C Section 240 equips US auditors with a robust framework to fulfill their responsibilities regarding fraud while maintaining professional skepticism and tailoring procedures to each engagement. By diligently applying these requirements, auditors protect the integrity of financial reporting and uphold public trust in the profession.
For tailored guidance on implementing AU-C Section 240 in your audits, consult your firm’s quality control policies or reach out to AICPA resources. Proper application not only ensures compliance but also enhances the value of the audit to clients and stakeholders across the United States.