CORAA
Book a live demoStart free trial
University · SA 240 (Revised)

Journal Entry Risk Scorer.

Score a single journal entry (or a sample) against SA 240 fraud red flags. Get the response routing — from analytical to NOCLAR / Sec 143(12) reporting.

Red-flag criteria (tick those that apply)
Manual journal entry (not system-generated)
SA 240 para 33(a)(ii) — manual JEs carry higher fraud risk than auto-generated ones.
+2
Posted at period-end (last 5 days of month/quarter/year)
Earnings management timing pattern.
+3
Posted after period close / back-dated
+3
Round-number amount (ends in 00,000 / 0,00,000 etc.)
Plug-figure indicator.
+2
No or generic narration ("adjustment", "correction", "to balance")
+2
Touches an account rarely used in normal operations
+2
Routed through suspense / control / "other" account
+3
Debit and credit accounts have no apparent business relationship
+3
Posted outside normal business hours (nights, weekends, holidays)
+2
Posted by senior management / unusual user (e.g. CFO, controller, owner)
+3
Reversed in next period (potential to manage period-end balances)
+2
Above performance materiality
+3
Touches a related party / inter-company account
+3
Affects revenue, deferred revenue or unbilled revenue accounts (SA 240 para 26 — presumed fraud risk in revenue recognition)
+3
Split into multiple JEs of similar timing/amount (structuring)
+2
JE number out of expected sequence
+1
Risk verdict
0 / 39
Low risk
No fraud risk red flags. Standard analytical procedures sufficient. Document selection rationale per SA 240 para 32.

SA 240 (Revised) — JE testing.

SA 240 (Revised) — “The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements” — requires the auditor to design and perform audit procedures to (a) test the appropriateness of journal entries recorded in the general ledger and other adjustments made in the preparation of the financial statements, (b) review accounting estimates for biases, and (c) for significant transactions outside the entity’s normal course of business, evaluate whether the business rationale suggests fraudulent financial reporting (SA 240 para 33).

Section 143(12) of the Companies Act 2013 requires the auditor to report fraud above ₹1 crore to the Central Government in Form ADT-4 within 60 days, and below ₹1 crore to the Audit Committee / Board.

On CORAA
CORAA’s Scrutiny module runs all 16 red-flag tests on every ledger line at engagement upload — flagged JEs include the criteria triggered, the user who posted, time of posting and a one-click drill to supporting evidence. See Scrutiny, read SA 240.
SA 240 pageGoing Concern Scorer

How SA 240 journal entry testing works

SA 240 (Revised) — "The Auditor's Responsibilities Relating to Fraud in an Audit of Financial Statements" — recognises that management is uniquely positioned to perpetrate fraud through manipulation of accounting records. Journal entries and other adjustments made directly in the general ledger, particularly at period-end and outside the normal operating workflow, are a primary vehicle for management override of controls.

Paragraph 33 of SA 240 requires the auditor to (a) obtain an understanding of the financial reporting process and controls over journal entries and other adjustments; (b) inquire of individuals involved in the financial reporting process about inappropriate or unusual activity; (c) consider the need to test journal entries throughout the period; and (d) select journal entries and other adjustments for testing — focusing on those made to non-routine, complex, or judgemental accounts, and those made at the end of the reporting period.

The 16 red flags scored here aggregate the indicators most commonly used by audit firms — manual posting, period-end timing, round amounts, generic narration, suspense routing, related-party touches, and revenue impact (a presumed fraud risk under SA 240 para 26). The score routes the response from analytical procedures (low risk) up to NOCLAR consideration and Section 143(12) reporting (critical risk).

Worked example — period-end revenue adjustment

During year-end testing you find a JE dated 31 March posted at 11:47 PM by the CFO, debiting "Unbilled Revenue" and crediting "Revenue from Operations" for ₹2.5 crore with the narration "year-end accrual".

Inputs
Manual / period-end / posted by CFO2 + 3 + 3 = 8
Posted outside business hours2
Revenue recognition entry3
Round number (₹2.5 cr)2
Generic narration2
Output
Total risk score19 / 38
VerdictCritical risk
ResponseSubstantive testing + TCWG + 143(12) consideration
A 19-point JE crosses the "critical" threshold. Required response: confirm the underlying contract and POC evidence, walk through the approval trail, inquire about the business rationale, communicate with TCWG under SA 260, and evaluate whether this constitutes a fraud requiring Form ADT-4 reporting under Section 143(12) (cash impact >₹1 crore would mandate Central Government reporting within 60 days).

Common mistakes

Testing only large value JEs
SA 240 risk is about characteristics, not just magnitude. A ₹50,000 entry posted by the CFO at midnight on 31 March to revenue is higher risk than a ₹5 crore routine inventory entry. Use risk-based sampling, not just monetary thresholds.
Ignoring system-generated entries
While SA 240 emphasises manual JEs, system-generated entries are not exempt. Calculate the population of automated entries, sample test the configuration / business rules behind them. Configuration changes by IT or finance can introduce systematic misstatement.
Missing the SA 240 para 26 revenue presumption
Revenue recognition is a presumed fraud risk. The auditor must specifically address how this risk has been responded to in the audit plan and document the procedures performed — even if the conclusion is that the risk is rebutted.
Treating Sec 143(12) reporting as optional
Section 143(12) is mandatory. Suspected fraud above ₹1 crore: Form ADT-4 to Central Government via MCA portal within 60 days of knowledge. Below ₹1 crore: report to Audit Committee / Board within 2 days, then Board's report disclosure. Non-reporting attracts auditor liability under Section 147.

Frequently asked questions

What is SA 240 journal entry testing?+
A required audit procedure under SA 240 (Revised) para 33 — testing the appropriateness of journal entries recorded in the general ledger and other adjustments made in the preparation of financial statements. The purpose is to address the risk of management override of controls, which is a significant risk in every audit.
What journal entries should be selected for testing?+
SA 240 para 33 identifies criteria: JEs to unrelated, unusual, or seldom-used accounts; JEs by individuals who typically don't make journal entries; JEs at period-end or post-closing with little/no explanation; JEs that don't go through normal processing; JEs to revenue accounts (presumed fraud risk under para 26).
What is management override of controls?+
The ability of management to make accounting estimates and prepare financial statements, including the authority to override controls that appear to be operating effectively. SA 240 identifies this as a significant risk requiring specific audit response in every engagement — irrespective of the auditor's assessment of the entity's ICOFR.
How does CARO 2020 clause (xi) interact with SA 240?+
CARO clause (xi)(a) requires the auditor to report whether any fraud by the company or any fraud on the company has been noticed or reported during the year. Clause (xi)(b) requires reporting whether the auditor has filed Form ADT-4 with the Central Government under Section 143(12). This is directly linked to SA 240 procedures.
What is the Section 143(12) reporting threshold?+
Fraud (or suspected fraud) involving an amount of ₹1 crore or more — report to Central Government via Form ADT-4 within 60 days from knowledge, after seeking management response within 45 days. Below ₹1 crore — report to Audit Committee or Board within 2 days; then disclosure in Board's Report.
Are journal entries with round amounts always suspicious?+
No — many legitimate entries (rent, salary accruals, depreciation) involve round amounts. But the combination of round amounts WITH other red flags (period-end timing, manual, generic narration, unusual account combination) significantly elevates the risk. The model evaluates the combination, not any single criterion.
Does SA 240 apply to limited reviews?+
SA 240 itself applies to audits. For limited reviews under SA 2410, the practitioner makes inquiries about fraud risks but does not perform the full SA 240 procedures. The presumption of management override still informs the review approach.
What if the auditor suspects but cannot prove fraud?+
Communicate the suspicion with TCWG under SA 260 (those charged with governance). If suspected fraud crosses the ₹1 crore threshold and management response within 45 days is unsatisfactory, file Form ADT-4. The SA 240 paragraph 41 also requires the auditor to consider whether the suspicion affects the auditor's assessment of the risk of material misstatement and the audit conclusions.

Authoritative sources

SA 240 (Revised) — Fraud in Financial Statements Audit (ICAI AASB)Read alongside Section 143(12) Companies Act 2013, Rule 13 of Companies (Audit and Auditors) Rules 2014, and CARO 2020 clause (xi).
Always confirm against the latest version of the source. Regulations evolve and amendments are common.
Related calculators
SA 240 pageSA 260 — Communication with TCWGCARO clause (xi) — Fraud ReportingGoing Concern Scorer
Last reviewed: 2026-05-28 · For informational purposes only — not professional advice.