Auditing revenue – dealing with the risks

Inadequate challenge of management assumptions on revenue, blanket rebuttal of fraud risk for all aspects of revenue and insufficient audit work in relation to material revenue streams. These are just some of the areas where auditors are commonly criticised for their audit work when regulators review audit quality.

None of this should come as news to members of the audit profession. Yet as auditors we can still, sometimes, have a blind spot when identifying risks surrounding the revenue figure and designing appropriate audit procedures to gain an appropriate level of assurance over the disclosed figure.

A good audit should always be focused on the relevant audit assertions in the financial statement area. For revenue, it is usually easy to focus on confirming the accuracy of the reported figure, but completeness and cut-off could well be the areas where there is a higher risk of material misstatement and where additional audit focus is required. 

There are various things that should be considered as part of the risk assessment and in designing the risk response for revenue. 

Revenue streams

Understanding what revenue streams the audited entity has may seem obvious, but it is not unusual for a new business activity to start in an accounting period, or for one to cease. As soon as the auditor identifies that this is happening, they need to be considering what that revenue stream is, how the revenue is recognised, how the system of internal control is dealing with that revenue and how that is reported.

There will then need to be appropriate tests of the design and implementation of the systems around this revenue stream and substantive evidence to support the numbers disclosed.

In an entity with multiple revenue streams not all of these may individually have the same risk profile. Disaggregation of revenue into distinct streams will help focus the risk assessment and allow appropriate testing to be designed.

As well as considering any differing risk profiles across revenue streams, auditors also need to remember, when disaggregating revenue, not to ignore the streams which may be smaller but still material or, if immaterial individually, still material in aggregate.

Revenue recognition criteria

It is always important to understand the revenue recognition criteria being used by the audited entity. Are they following UK GAAP or IFRS? Does the auditor need to factor in any unusual features in the entity’s arrangements with customers? Are there any estimates involved that will need specialist knowledge or external expertise?

2025 is a good time to start conversations with management around the changes to revenue recognition in FRS 102 for periods commencing 1 January 2026. While not affecting the upcoming audit season directly, any changes to accounting policy that may arise in 2026 will need to be audited, so gathering appropriate information and understanding in the coming audit cycle will smooth the process for the following year. It may even make the prior year adjustment calculation easier.

Fraud risk

The auditing standard for fraud, ISA 240, presumes that there are risks of fraud in revenue recognition and requires the auditor to consider “which types of revenue, revenue transactions or assertions give rise to such risks”. Those risks of material misstatement are treated as significant risks, thereby requiring substantive procedures specifically responsive to that risk.

There are several potential pitfalls here that auditors will want to avoid. 

• Recording the whole of revenue as a significant risk.
  Is this correct? Classifying the whole of revenue as a significant risk – as opposed to just the completeness assertion or management’s ability to influence the estimation of revenue recognition, for example – will remove focus from the riskier items and increase audit effort across the area.
• Rebutting fraud risk across the whole of revenue.
  Again, can this really be true? Is there really no risk of management manipulating cut-off or hiding transactions (completeness)?
• Recording a significant risk, but failing to design appropriate procedures to address it.
  Simply linking a significant risk to a pre-existing ‘standard audit procedure’ feels like the auditor taking the line of least resistance. Procedures need to be clearly tailored to address the significant risk identified and show the linkage from understanding, through risk assessment to audit response.
• Not considering the experience of the team members who are carrying out the audit procedures.
  ISA 240 notes that one of the possible responses to fraud risk is to assign more experienced auditors to that audit area. Where a fraud risk is considered present, enhanced professional scepticism and an eye for what may look unusual are required – and they usually come with experience.

Choosing the appropriate type of audit procedures

Traditionally, with revenue being seen as a riskier audit area, the default audit response has tended to be substantive tests of detail. But is this always the correct approach?

With almost all audited entities using some sort of system for enterprise resource planning (ERP) or bookkeeping/accounting, probably with links to inventory and/or resource management systems and/or feeder systems such as platforms for e-commerce, discounting a controls-based audit approach feels sub-optimal. 

Auditors are required by ISA 315 to understand the systems of internal control, so why not leverage that understanding by testing some of those controls for operating effectiveness? Also, consider the provision in ISA 330 to test controls on a cyclical basis, while remembering that for significant risks, if a controls approach is being adopted, the control should be tested in the current period.

Do not completely rule out substantive analytical procedures. When these follow the ISA 520 approach of commencing by forming an expectation based on reliable inputs, they can give strong evidence particularly towards the completeness assertion.

Remember though that ISA 330 does state that if the risk is assessed as significant and a wholly substantive audit approach is being used, then the substantive response shall include tests of detail.

Use of automated tools and techniques

Revenue testing should be an area where automated techniques and data analysis are deployed with great effectiveness. 

The document matching tools that allow ledgers, inventory movement documentation and sales invoices to be uploaded and then interrogated and matched to the selected sample to test accuracy, are becoming commonplace in modern audit assignments.

Tools to assist with completeness of revenue may need more consideration, but data analysis of purchases and inventory will assist in prediction of income, while analysis of sales data will assist the identification of unusual patterns and adjustments, facilitating a more focused audit approach.

Documentation

Audit and Beyond recently featured Write it right, write it once – the key to efficient audit documentation. This is a great article from Graham Gardner, so I will not repeat those points again here, other than to note that revenue is one of those areas where there are often a lot of ‘assumptions’ and comments such as “Well, isn’t that obvious?” – which are always the enemy of good documentation. 

Do not leave to ‘assumption’ the auditor’s thought process on why a revenue stream is or is not risky, or which assertions are more or less important. Document the thought process clearly as part of the risk assessment documentation.

I recently had a discussion with an auditor when I challenged the omission of an assertion in a revenue risk assessment. The response was that there was no specific requirement to explain why an assertion had been deselected from the risk assessment. My counter to this will always be that as an experienced auditor, I was not able to understand the nature, timing and extent of the audit procedures being performed and hence the file did not meet the documentation requirements of ISA 230.

In the case of revenue, it is so important to take the reader of the file on the journey with you to understand the risk assessment and response thought process.