What you'll learn

  • How to structure and run the ISA 240.29 engagement team discussion using an 11-item agenda that covers every required topic
  • What to document for each agenda item (substance of discussion, not just conclusions reached)
  • How to use a pre-meeting preparation technique to improve the quality of fraud scenarios identified
  • How to flow the discussion output directly into the fraud risk register

Two partners at the same firm. Same size clients. Same industry. One partner's fraud brainstorming fills six pages with entity-specific scenarios, named risks, documented dissenting views, and concrete audit responses. The other's fits on a single page: "The team discussed fraud. No specific risks identified beyond management override." Both technically say they held the discussion. Only one will survive an inspection.

The ISA 240.29 fraud risk brainstorming discussion requires the engagement team (with mandatory partner participation) to discuss the entity's susceptibility to material misstatement due to fraud. That means covering how fraud could be perpetrated and concealed, what factors create incentive or opportunity, and how procedures will be designed to remain unbiased. Too many teams treat this as SALY ("same as last year") with better narratives: last year's risks copied forward, the same generic revenue and override entries, a fresh date stamp. That is not what the standard requires.

What ISA 240.29 requires (and what most teams miss)

ISA 240.29 requires the engagement team to discuss the entity's susceptibility to material misstatement due to fraud. The engagement partner (EP) must participate. The discussion must cover specific topics, not just a general conversation about fraud. And the revised standard requires documentation of the matters discussed, not just the conclusions reached.

Most teams miss the last point. Your file shows a conclusion: "The team discussed fraud risks. Revenue recognition and management override were identified." But what did they actually discuss? Which revenue streams? What specific override scenarios? Did anyone disagree? Did anyone raise a risk that was later dismissed, and if so, why?

ISA 240.68(a) requires the auditor to document the matters discussed with the team. A conclusion is not a matter. "The CFO has personal pressure from the earn-out clause and could manipulate the percentage-of-completion estimates to inflate revenue" is a matter. "Revenue recognition risk discussed" is not. One demonstrates professional scepticism. The other merely claims it.

The revised standard (paragraph 29) also adds topics that were not explicitly required before. Unbiased procedure design (paragraph 42) must be discussed: how will the team avoid designing procedures that only confirm management's assertions? Specialist consideration (paragraph 23) must also be discussed: does this engagement need forensic or fraud specialist skills beyond what the team possesses? These are not optional additions. They are new agenda items that must be covered and documented.

Your engagement team includes everyone assigned to the engagement who will be involved in performing audit procedures. If you have team members who were not present for the discussion, ISA 240.29(c) requires you to communicate the relevant matters to them. Document who received the communication and when.

The 11-item brainstorming agenda

A structured agenda ensures every required topic is covered and documented. Here are the eleven items, each mapped to a paragraph reference in the revised standard.

Item 1. Entity culture, management integrity, ethical values, and TCWG oversight (paragraph 29(a)(i)). Open the discussion with what the team knows about the entity's ethical tone. How does management communicate values? Is there a code of conduct? How active is TCWG oversight of financial reporting? If this is a recurring engagement, what has the team observed about management's behaviour in prior years? This item sets the context for everything that follows.

Item 2. Incentives and pressures to commit fraud (paragraph 29(a)(ii)(a)). Who at this entity has a reason to commit fraud? Cover management, those charged with governance, employees, and third parties. Be specific: named individuals with specific pressures, not generic statements about "management pressure." If the CFO has a bonus tied to EBITDA, name the CFO and state the bonus structure, the current proximity to the target, and why that proximity matters.

Item 3. How management, TCWG, or employees could perpetrate and conceal fraudulent financial reporting (paragraph 29(a)(ii)(b)). This is the core brainstorming question. What specific schemes could work at this entity? Which accounts would be affected? What entries would be posted? How would the perpetrator hide it from the audit team? This item should produce the most discussion and the most entity-specific scenarios.

Item 4. How assets could be misappropriated (paragraph 29(a)(ii)(c)). Cover management, employees, third parties, and anyone with unsupervised physical access. The revised standard explicitly adds third parties as potential perpetrators. Which assets are vulnerable? Who has system access? What would the theft look like in the accounting records?

Item 5. Revenue recognition risks (paragraph 29(a)(iii)). Which types of revenue, which transaction classes, or which specific assertions give rise to fraud risk? This is not a blanket "revenue is presumed a fraud risk." It requires the team to identify which specific aspect of revenue at this entity creates the risk. For a construction company, it might be percentage-of-completion estimates. For a software company, it might be timing of licence revenue recognition.

Item 6. Management override of controls (paragraph 29(a)(iv)). How could management override controls at this entity? This risk is always present, but the discussion should be entity-specific. Does the CEO approve journal entries (JEs) without secondary approval? Can management override system controls in the ERP? What specific entries could management post to manipulate results?

Item 7. Prior-year fraud or suspected fraud (paragraph 29(b)). Has fraud been identified on this engagement before? Was suspected fraud investigated, and what happened? Are prior-year (PY) matters still relevant to the current audit? If this is a first-year engagement, what did the predecessor auditor communicate?

Item 8. External information indicating fraud risk factors (paragraphs 27, A50-A51). Information from sources outside the entity: media reports, regulatory actions, whistleblower tips, and industry fraud trends. If a competitor in the same industry was recently investigated for revenue manipulation, that is relevant to this discussion.

Item 9. Unbiased procedure design (paragraph 42). How will the team design procedures that are not biased toward confirming management's assertions? This is a new discussion topic in the revised standard. The team should specifically consider what contradictory evidence their procedures could reveal and how they will avoid the natural tendency to seek confirming evidence. This item should produce concrete commitments: "We will test WIP by obtaining independent cost estimates rather than relying solely on management's project managers."

Item 10. Specialist consideration (paragraph 23). Does this engagement require forensic or fraud specialist skills beyond the team's competence? If the fraud risks involve complex financial instruments or IT system manipulation, the team may need specialist input. Document the decision and, if a specialist is not engaged, the reasoning.

Item 11. Summary of fraud risks to carry to the risk register (paragraph 39). End with a clear list of fraud risks identified, each described in entity-specific terms, ready to be transferred to the risk register. Each risk should be stated as a specific scenario, not a generic category.

Running the discussion: pre-meeting preparation and facilitation

The quality of a fraud brainstorming session depends almost entirely on preparation. Research on group brainstorming consistently shows that unstructured discussions produce fewer unique ideas than structured ones because of anchoring bias: once the most senior person in the room names a risk, the team gravitates toward it rather than generating independent scenarios. In audit teams where hierarchical deference is common, this effect is even stronger.

A pre-meeting preparation approach addresses this directly. Before the discussion, each team member independently identifies fraud scenarios for the entity. They write these down (in a column on the working paper (WP) designated for pre-meeting input) before entering the room or joining the call. The facilitator (typically the manager or PM) collects all inputs before anyone speaks. This approach consistently produces more diverse fraud scenarios because junior team members are not anchored to the EP's initial framing. A second-year associate who has been ticking and bashing through accounts payable for four months may have noticed something that the partner, who spends two days on site, would never see.

During the session, the facilitator works through the 11-item agenda in order. For each item, pre-meeting inputs are shared first. Then the team discusses and develops the scenarios further. The facilitator documents the substance of the discussion in real time, not after the meeting from memory (which is another common deficiency).

Two facilitation rules matter. First, the EP speaks last on each agenda item. If the EP opens with their view, junior team members are less likely to voice contradictory scenarios. This is not about undermining the partner's authority. It is about producing better fraud risk identification. Second, "none identified" for any agenda item requires a documented explanation. If the team genuinely identifies no incentive or pressure to commit fraud at this entity, that is a conclusion worth explaining in detail. It should not be the default.

For small teams (two or three people), the pre-meeting technique is even more important. With only two voices in the room, one strong opinion can dominate. Having both people write down scenarios independently before discussing them ensures that the discussion starts from two perspectives rather than one.

Documenting substance, not just conclusions

Each agenda item needs a minimum of three sentences documenting the substance of what was discussed. This is not about volume for its own sake. It is about demonstrating that the team engaged with the topic rather than ticking a box.

For each agenda item, a structured WP captures the following in separate columns.

Discussion notes. What scenarios, factors, or considerations the team discussed. This is the substance. Record what was said and what alternative views were raised. If someone disagreed with the prevailing view, record the disagreement and the resolution. Three sentences minimum, and for the core items (items 3, 4, 5, 6), you should expect significantly more.

Pre-meeting input received. Whether team members provided independent input before the discussion. A yes/no indicator with a reference to the pre-meeting forms.

Risks or scenarios identified. The output of the discussion for this agenda item. Each risk should be described as an entity-specific scenario, not a generic category. "Revenue could be overstated through manipulation of percentage-of-completion estimates on contracts above EUR 500,000" is a scenario. "Revenue recognition risk" is a category.

Impact on audit strategy. How the identified risks affect the audit approach. Cross-references to the response matrix where applicable.

Specialist consideration. Whether this agenda item flagged a need for specialist input. For item 10, this column is mandatory.

Attendees present. Names and roles for each agenda item. If someone stepped out, the record should show who was present for which items. The EP's name should appear on every row.

How the discussion output flows to the risk register

The discussion is not an end in itself. Its purpose is to identify fraud risks that will be assessed and responded to through the rest of the audit. Every fraud scenario identified in the discussion must be evaluated for inclusion in the risk register. Item 11 captures this transition.

For each scenario that the team decides to carry forward, the risk register entry should trace back to the discussion. Your risk register should show which tab and which agenda item generated the risk. This creates the same bidirectional cross-referencing that the response matrix provides between risks and procedures: the discussion WP points forward to the risk register, and the risk register points back to the discussion.

Scenarios that the team discussed but did not carry forward should be documented with the reasoning. "Discussed potential for inventory misappropriation through falsified scrap reports. Team concluded this is not a fraud risk because scrap volumes are immaterial (EUR 12,000 per year, 0.03% of revenue) and are independently verified by the waste management contractor. Not carried to risk register" is defensible documentation of a scenario that was considered but dismissed.

Worked example: Muller Fertigung GmbH

Scenario. Muller Fertigung GmbH is a German precision engineering company. Revenue is EUR 34M, primarily from long-term manufacturing contracts with automotive OEMs. The company has 180 employees. The CFO joined 18 months ago from a competitor that was investigated for inflating work-in-progress valuations. The entity has a EUR 8M revolving credit facility with a net debt/EBITDA covenant of 3.0x (currently 2.6x, leaving 0.4x of headroom).

The engagement team consists of the EP, an audit manager (PM), a senior, and two associates. Pre-meeting forms were distributed five days before the discussion.

  1. Entity culture and management integrity (item 1). Pre-meeting input: the senior noted that the CFO's previous employer was investigated for WIP fraud. The PM noted that the entity has no formal code of conduct. Discussion substance: the team discussed the CFO's background, noting that no charges were brought and the CFO was not personally named in the investigation. The absence of a formal code of conduct was discussed at length. Management describes an informal "open door" culture, but no written ethical guidelines exist for employees. The EP observed that the previous CFO (who retired) had a similar informal approach and no fraud issues arose during that tenure. The team agreed that the lack of a formal framework is an attitude indicator in its own right, and that it carries more weight when considered together with the CFO's background. Documentation note: "Discussed CFO's prior employment at [name]. No personal involvement in investigation confirmed per management inquiry. Entity has no formal code of conduct; management describes 'open door' culture. Lack of formal ethical framework noted as an attitude indicator. Two team members flagged this independently in pre-meeting input."

  2. Incentives and pressures (item 2). Pre-meeting input: the EP identified covenant pressure (headroom 0.4x). One associate identified the CFO's probationary bonus (EUR 40,000 if net profit exceeds EUR 2.8M in the first two full years). The other associate noted that the production manager receives a bonus based on scrap rates. Discussion substance: the team discussed all three financial pressures. Covenant headroom is tighter than PY (was 0.8x). The CFO's bonus creates direct personal incentive to overstate profit or defer costs. The production manager's scrap-rate bonus creates incentive to understate scrap, which could overstate inventory. Documentation note: "Covenant headroom reduced from 0.8x to 0.4x year on year. CFO probationary bonus of EUR 40,000 conditional on net profit exceeding EUR 2.8M (confirmed per employment contract). Production manager scrap bonus creates secondary incentive to understate scrap costs. All three pressures carried to risk register as incentive factors."

  3. How could fraudulent financial reporting be perpetrated? (item 3). Discussion substance: the team identified two specific scenarios. First, overstatement of percentage-of-completion on long-term contracts by manipulating estimated costs to complete (the same method investigated at the CFO's prior employer). The PM noted that WIP is the largest balance sheet item (EUR 7.4M) and the percentage-of-completion estimate relies heavily on project manager assessments that are not independently verified. Second, capitalisation of development costs for projects that do not meet IAS 38 criteria, given that the entity has three active R&D projects (total capitalised: EUR 1.8M). The senior noted that two of these projects have been in development for over 30 months without generating revenue. Documentation note: "Scenario 1: WIP overstatement via manipulated costs-to-complete. Scenario 2: inappropriate capitalisation of development costs. WIP balance of EUR 7.4M (8% of total assets). Project manager assessments not independently verified. Two R&D projects in development 30+ months without revenue. Both scenarios carried to register."

  4. Asset misappropriation (item 4). Portable CNC tooling (EUR 1.1M, individual items EUR 15,000 to EUR 30,000) discussed. Two associates flagged that tooling is stored in an open workshop area with no individual tracking. Third-party risk: external contractors have unsupervised workshop access during night shifts. Documentation note: "CNC tooling is high-value and portable. Open workshop storage. External contractors have night-shift access without dedicated supervision. Risk carried to register."

  5. Revenue recognition (item 5). The presumed risk was narrowed to percentage-of-completion adjustments on contracts above EUR 500,000 (12 active contracts, EUR 22M total). Short-cycle orders (paid on delivery) do not present significant fraud risk. Documentation note: "Revenue fraud risk narrowed to PoC contracts above EUR 500K. 12 contracts, EUR 22M total. Short-cycle orders (EUR 12M) assessed as low fraud risk."

  6. Management override (item 6). The CFO can post manual JEs in the ERP without secondary approval for amounts below EUR 75,000. The monthly close process includes approximately 40 manual entries per month posted by the CFO. Documentation note: "CFO posts ~40 manual entries per month without secondary approval (threshold EUR 75K). ERP does not enforce dual authorisation below this level. Override risk specific to period-end accrual entries and WIP adjustments."

  7-8. Prior-year fraud and external information (items 7 and 8). PY fraud: none identified. External information: no media reports or regulatory actions related to Muller or its industry peers.

  9. Unbiased procedure design (item 9). The team agreed to test WIP by obtaining independent cost estimates from a quantity surveyor rather than relying solely on management's project managers. This commitment was documented. Documentation note: "Team committed to independent verification of cost-to-complete estimates via quantity surveyor for the 5 largest contracts. Procedure designed to avoid reliance on management's project team assessments."

  10. Specialist consideration (item 10). The EP decided a forensic data analytics specialist is not needed this year but will revisit if JE testing reveals unusual patterns. The quantity surveyor for WIP is classified as an auditor's expert under ISA 620. Documentation note: "Forensic specialist not engaged. Quantity surveyor engaged as auditor's expert for WIP verification. Decision documented."

  11. Summary (item 11). Five entity-specific fraud risks carried to the register: WIP overstatement through PoC manipulation, inappropriate capitalisation of development costs, misappropriation of CNC tooling, management override through uncontrolled JEs, and production manager scrap understatement. Each has a cross-reference to the discussion item that generated it.
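The documentation rules set out above (three sentences minimum per item and more for the core items, the EP on every row, a documented reason wherever "none identified" appears, a mandatory specialist decision on item 10, and bidirectional cross-referencing between the discussion WP and the risk register) are mechanical enough to check before the file goes to review. The script below is an added example written for this article, not the article's own tool or any firm's methodology. It models the WP columns as a small data structure, runs those rules over a constructed working paper that loosely mirrors the Muller Fertigung example, and reports what a reviewer would flag. The team member names, the "FR-nn" risk IDs and the five-sentence threshold for core items are assumptions; the standard itself sets no sentence count.

```python
from dataclasses import dataclass, field
import re

# Added example: a consistency check over the ISA 240.29 discussion WP and the
# risk register. Not the article's or any firm's tool; names, risk IDs and the
# five-sentence threshold for core items are assumptions made for illustration.

@dataclass
class AgendaItem:
    number: int                        # 1..11, as in the agenda above
    discussion_notes: str              # substance of what was discussed
    attendees: list[str]               # who was present for THIS item
    pre_meeting_input: bool            # independent input collected beforehand
    risks_identified: list[str] = field(default_factory=list)  # register IDs
    dismissed: dict[str, str] = field(default_factory=dict)    # scenario -> why dropped
    none_identified_reason: str = ""   # required when nothing is carried forward
    specialist_consideration: str = "" # mandatory on item 10

@dataclass
class RiskRegisterEntry:
    risk_id: str
    description: str
    source_item: int                   # agenda item that generated the risk

CORE_ITEMS = {3, 4, 5, 6}
MIN_SENTENCES = 3
MIN_SENTENCES_CORE = 5   # assumption: the article only says "significantly more"

def count_sentences(text: str) -> int:
    return len([s for s in re.split(r"(?<=[.!?])\s+", text.strip()) if s])

def validate_discussion(items, register, engagement_partner):
    """Return documentation deficiencies; an empty list means the WP is consistent."""
    findings = []
    present = sorted(i.number for i in items)
    if present != list(range(1, 12)):
        findings.append(f"agenda incomplete: items documented {present}")
    register_ids = {r.risk_id for r in register}
    for item in items:
        tag = f"item {item.number}"
        needed = MIN_SENTENCES_CORE if item.number in CORE_ITEMS else MIN_SENTENCES
        n = count_sentences(item.discussion_notes)
        if n < needed:
            findings.append(f"{tag}: {n} sentence(s) of discussion notes, minimum {needed}")
        if engagement_partner not in item.attendees:
            findings.append(f"{tag}: engagement partner not recorded as present")
        if not item.risks_identified and not item.none_identified_reason.strip():
            findings.append(f"{tag}: 'none identified' without documented reasoning")
        for scenario, reason in item.dismissed.items():
            if not reason.strip():
                findings.append(f"{tag}: dismissed scenario '{scenario}' lacks reasoning")
        if item.number == 10 and not item.specialist_consideration.strip():
            findings.append(f"{tag}: specialist consideration column is mandatory")
        for rid in item.risks_identified:
            if rid not in register_ids:
                findings.append(f"{tag}: {rid} carried forward but missing from register")
    by_number = {i.number: i for i in items}
    for entry in register:   # the register must point back to the item that generated it
        src = by_number.get(entry.source_item)
        if src is None or entry.risk_id not in src.risks_identified:
            findings.append(f"register {entry.risk_id}: no back-reference from item {entry.source_item}")
    return findings

# Constructed sample data (hypothetical names), loosely mirroring the worked example.
EP, PM, SENIOR = "EP Weber", "PM Schmidt", "Senior Bauer"
TEAM = [EP, PM, SENIOR]
GENERIC = ("Pre-meeting inputs were shared first. The team developed each scenario. "
           "Alternative views were recorded. The EP spoke last. Resolution was documented.")

def build_sample_wp():
    """Mostly compliant WP with two deliberate defects, on items 7 and 8."""
    items = [AgendaItem(n, GENERIC, TEAM, True,
                        none_identified_reason="Considered; no factor beyond those carried on other items.")
             for n in (1, 2, 5, 6, 9, 11)]
    items.append(AgendaItem(3, "WIP is the largest balance sheet item at EUR 7.4M. Costs to complete "
                               "rely on project manager assessments that are not independently verified. "
                               "The CFO's prior employer was investigated for the same method. Two R&D "
                               "projects have run 30+ months without revenue. Both scenarios carried forward.",
                            TEAM, True, risks_identified=["FR-01", "FR-02"]))
    items.append(AgendaItem(4, "Portable CNC tooling of EUR 1.1M is stored in an open workshop. Items are "
                               "EUR 15K to 30K each. No individual tracking exists. Contractors have "
                               "unsupervised night-shift access. Tooling risk carried forward.",
                            TEAM, True, risks_identified=["FR-03"],
                            dismissed={"Falsified scrap reports": "Scrap immaterial (EUR 12K/yr); verified by waste contractor."}))
    items.append(AgendaItem(7, "No prior-year fraud. None suspected. Predecessor not applicable.", TEAM, True))  # defect: bare 'none'
    items.append(AgendaItem(8, "No media reports. No regulatory actions. Peers reviewed.", [PM, SENIOR], True,  # defect: EP absent
                            none_identified_reason="No external fraud risk factors found."))
    items.append(AgendaItem(10, "Forensic specialist not engaged. Revisit if JE testing shows patterns. "
                                "Quantity surveyor engaged as auditor's expert.", TEAM, True,
                            none_identified_reason="Specialist decision documented.",
                            specialist_consideration="Quantity surveyor as ISA 620 expert"))
    register = [RiskRegisterEntry("FR-01", "WIP overstatement via costs-to-complete", 3),
                RiskRegisterEntry("FR-02", "Inappropriate capitalisation of development costs", 3),
                RiskRegisterEntry("FR-03", "Misappropriation of CNC tooling", 4)]
    return items, register

if __name__ == "__main__":
    for finding in validate_discussion(*build_sample_wp(), EP):
        print(finding)
```

Run as a script, the check reports exactly the two planted defects: item 7's bare "none identified" and the EP missing from item 8's attendee row. The back-reference loop is what enforces the bidirectional cross-referencing described above: a register entry whose source item does not list that risk ID is reported, so a risk that was written into the register before the discussion (the ratification pattern criticised under common mistakes) cannot pass the check unless the discussion WP actually generated it.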

Practical checklist

Common mistakes

  • Documenting conclusions without substance. "Revenue recognition discussed. Risk identified." tells a reviewer nothing about what the team actually considered. The AFM's inspection findings repeatedly cite files where the discussion documentation is indistinguishable from a completed checklist.
  • Holding the discussion without the EP present for the full session. ISA 240.29 is explicit. If the partner dials in for the last five minutes to hear the summary, the requirement is not met for the ten agenda items the partner missed.
  • Treating management override as the only fraud risk identified. Management override is always present, but the discussion should identify entity-specific risks beyond it. If the only output is "management override," the team either did not engage with the other ten agenda items or the entity genuinely has no other risk factors (which is a conclusion that itself requires detailed documentation).
  • Holding the brainstorming discussion after the risk register is already populated. If risks are already written before the team meets, the discussion is a ratification exercise rather than genuine brainstorming. I have sat through sessions where the PM had already drafted the risk register and the "discussion" was just the team nodding through it. That is the opposite of what ISA 240.29 intends.

Frequently asked questions

Who must attend the ISA 240 fraud risk brainstorming discussion?

ISA 240.29 requires the engagement partner and other key members of the engagement team to participate in the discussion. The partner must be present for the full session, not just for a summary at the end. Key members include those with significant decision-making responsibility on the engagement and those whose experience or knowledge is relevant to understanding fraud risk. For group audits, component team leaders should participate where their component carries fraud-relevant risks.

What topics must the ISA 240.29 discussion cover?

The discussion must cover how and where the entity's financial statements may be susceptible to material misstatement due to fraud, including how fraud might occur. This includes known external and internal factors that create incentives, pressures, or opportunities for fraud, any known allegations of fraud or suspected fraud, the risk of management override of controls, how the team should maintain professional scepticism, and which accounts or disclosures may be susceptible to misstatement through fraudulent financial reporting. The discussion should also cover the presumed risk of fraud in revenue recognition under ISA 240.26.

How should the ISA 240 fraud brainstorming discussion be documented?

Documentation should capture the substance of the discussion, not just its occurrence. Record the date, location, attendees and their roles, each topic covered with the specific points raised, the fraud risks identified and their rationale, any specific entity knowledge shared by experienced team members, the conclusions reached including whether the revenue recognition fraud presumption is rebutted, and the agreed-upon audit responses. A one-line entry stating 'fraud brainstorming held' is insufficient. Inspectors look for evidence that the team engaged substantively with entity-specific fraud risk factors.

When should the fraud risk brainstorming discussion be held during the audit?

The discussion should take place during the planning phase, before the risk register is finalised and before detailed audit procedures are designed. Holding it after risks are already documented turns the discussion into a ratification exercise rather than genuine brainstorming. ISA 240.29 does not prescribe a specific timing, but the requirement that it inform the assessment of risks of material misstatement due to fraud means it must occur early enough to influence audit strategy.

Is management override of controls always a fraud risk?

Yes. ISA 240.31 states that the auditor shall treat the risk of management override of controls as a significant risk regardless of the assessment of other fraud risks. This risk cannot be rebutted or eliminated. The required responses include testing the appropriateness of journal entries, reviewing accounting estimates for bias, and evaluating the business rationale for significant unusual transactions. The brainstorming discussion should address entity-specific ways management override could occur beyond the generic risk.
