Every time an audit fails publicly, it fails in one of two places. Either a fraud the auditor did not detect comes to light and the audit is criticised for missing it, or an entity that received a clean audit opinion collapses shortly afterward and the audit is criticised for not warning. Across the Caribbean, the Atlantic, and around the world, the cases are different in detail but the structural failure is the same: the audit’s social licence is renewed or revoked on these two questions.

This article addresses both. It explains what International Standards on Auditing 240 and 570 (Revised) actually require the auditor to do about fraud and going concern, where the limits of the auditor’s responsibility properly lie, and where audit committees and boards must be more demanding than they typically are. It is the most uncomfortable article in this series — fraud and going concern are not subjects for euphemism — but it is also the most consequential. Get these two questions right with your auditor, and the rest of the audit takes care of itself.

Part One  |  Fraud

What the Auditor Is — and Is Not — Responsible For

ISA 240 — The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements — is unambiguous on the principal point. The auditor is responsible for obtaining reasonable assurance that the financial statements, taken as a whole, are free from material misstatement, whether caused by fraud or error. The auditor is not responsible for guaranteeing the absence of fraud. The standard recognises explicitly that even a properly planned and performed audit may not detect a material misstatement resulting from fraud, particularly where fraud involves collusion, sophisticated concealment, or management override of controls.

This is not an evasion. It is a statement of what an audit, as a discipline, can and cannot accomplish. An audit is a sampling and analytical exercise designed to provide reasonable, not absolute, assurance. A determined fraudster with knowledge of how audits work, the time to construct false documentation, and the willingness to involve others can defeat any audit. What the standard does require — and increasingly polices through inspection and root-cause analysis — is that the auditor approach the engagement with appropriate professional scepticism, design procedures responsive to fraud risk, and exercise judgment about the indicators that surface during the work.

“The auditor cannot guarantee the absence of fraud. The auditor can — and must — design an audit that takes fraud seriously from the first day of planning to the last day of fieldwork.”

What ISA 240 Requires in Practice

Four obligations under ISA 240 are worth understanding at a board level because they are visible in the audit plan and the audit working papers, and the audit committee can ask about them.

• A required attitude of professional scepticism. The auditor must approach the engagement with a recognition that material misstatement due to fraud is possible — not as a default assumption of management dishonesty, but as a default refusal to accept evidence at face value without testing it. In practice, this means audit procedures designed to confirm rather than merely corroborate.
• A presumed risk in two specific areas. ISA 240 establishes that revenue recognition is a presumed fraud risk in every audit, and that management override of controls is a presumed risk in every audit. The auditor must either accept those presumptions and design procedures responsive to them, or — rarely — rebut them in writing with documented justification.
• Mandatory journal entry analytics. The auditor must design and perform procedures to test the appropriateness of journal entries recorded in the general ledger and other adjustments made in the preparation of the financial statements. In a digitised entity, this is typically a population-level analytic exercise: unusual posting users, weekend or out-of-hours postings, round-sum entries, entries that bypass approval workflow, and combinations of accounts that should not normally be paired.
• A discussion among the engagement team about fraud risk. The standard requires the engagement team to hold a documented discussion about how and where the financial statements might be susceptible to material misstatement due to fraud, including how management could perpetrate and conceal fraudulent financial reporting. The discussion is not a formality. It is the moment at which the engagement team’s collective judgment is brought to bear on the entity’s specific fraud risk.

Where Caribbean Fraud Patterns Live in 2026

The fraud landscape in the Caribbean has moved decisively. Five fraud patterns now account for the largest share of material loss events across the region, and the auditor’s fraud risk assessment must engage with each:

• Business email compromise leading to fraudulent vendor payments — the single most common material fraud vector in the region, typically executed by impersonating a known supplier and redirecting payments to a fraudster-controlled account.
• Insider manipulation of payment files between approval and bank submission — a pattern that defeats traditional segregation-of-duties controls when the manipulation occurs after the approval step.
• Revenue recognition fraud at period end — channel-stuffing, holding the books open, bill-and-hold arrangements without genuine substance, side letters that reverse the apparent terms of sales.
• Expense and procurement fraud through fictitious vendors and ghost employees — patterns the audit’s population analytics on purchases, payroll, and master data can surface, but only if the auditor runs them.
• Management override through journal entries posted to bypass the standard accounting cycle — ISA 240’s presumed risk, and the principal target of the auditor’s mandatory journal entry analytics.

A competent auditor in 2026 understands which of these patterns is most relevant to the entity being audited and designs procedures responsive to them. An auditor whose fraud risk assessment looks the same regardless of the entity has not done the work the standard requires.

Part Two  |  Going Concern

The Standard Has Been Sharpened

ISA 570 (Revised) — Going Concern — has been progressively strengthened over recent revisions, with the most consequential changes effective for audits of financial statements for periods beginning on or after 15 December 2024. The revised standard responds to a long-running criticism: that auditors have, on occasion, issued clean opinions on entities that failed shortly afterward, and that the going-concern enquiry has too often been treated as a procedural rather than a substantive matter.

Three changes in the revised standard are particularly important for the audit committee to understand.

• Sharper risk assessment. The auditor must now conduct a more rigorous risk assessment of management’s going-concern evaluation, including assessing the reasonableness of the underlying assumptions and the appropriateness of the method used.
• Expanded evaluation of management’s assessment. Where management’s assessment uses a period of less than twelve months from the date of the financial statements, the auditor must ask management to extend the period to at least twelve months. The auditor must also evaluate whether management has considered all available information, including subsequent events.
• Enhanced transparency in the auditor’s report. The revised standard expands the circumstances in which going concern matters must be communicated in the auditor’s report, particularly where a material uncertainty exists and where management’s use of the going-concern basis is appropriate but a close-call judgment is involved.

“Going concern is no longer a procedural enquiry conducted at year-end. It is a substantive assessment conducted throughout the audit, with the auditor required to evidence the work and disclose the conclusion.”

What Going Concern Actually Looks Like in a Caribbean Audit

Five elements define a substantive going-concern enquiry under ISA 570 (Revised), and each is something the audit committee should expect to see in the audit communication.

• A documented assessment of the entity’s liquidity position over at least the next twelve months, including the cash-flow forecast, the assumptions underlying the forecast, and the sensitivity of the forecast to plausible adverse scenarios.
• An assessment of the entity’s financing arrangements — the maturity profile of debt, the headroom under covenants, the availability and reliability of refinancing options, and the existence and terms of any committed credit lines.
• Consideration of the entity’s strategic and operational risks — dependence on key customers, suppliers, or digital channels; regulatory risk; foreign exchange exposure; cyber-resilience as a going-concern factor for digitally dependent entities.
• Evaluation of subsequent events between the period end and the date of the auditor’s report — the period during which a going-concern situation may crystallise even if the period-end position appeared adequate.
• A written conclusion from the engagement partner on going concern, supported by the documented evidence, and where material uncertainty exists, an appropriate communication in the auditor’s report.

The Audit Committee’s Legitimate Role

Fraud and going concern are the two areas where the audit committee’s role is properly the most active. On both questions, the audit committee chair and the audit committee as a whole have legitimate and expected responsibilities that go beyond passive receipt of the auditor’s communication.

On fraud, the audit committee should:

• Receive and discuss the auditor’s fraud risk assessment annually, before the audit fieldwork begins. The discussion should be substantive, not ceremonial.
• Receive the results of the auditor’s journal entry analytics in a form the committee can interpret — not raw exception listings, but a synthesised report of what was tested, what was surfaced, and how the auditor evaluated the findings.
• Maintain a direct line of communication with the lead audit partner outside of management’s presence, used at least once during the audit cycle. ISA 260 (Revised) contemplates this; the audit committee should insist on it in practice.
• Receive, and act on, the auditor’s communications about deficiencies in internal control — particularly those relating to authorisation, segregation of duties, and access controls, which are the structural enablers of most internal fraud.

On going concern, the audit committee should:

• Read management’s going-concern assessment carefully — the cash-flow forecast, the assumptions, the sensitivity analysis — and not simply accept that management has prepared one.
• Ask the auditor specifically what its going-concern conclusion is, what the close-call judgments were, and what would have changed the conclusion if circumstances had been somewhat different.
• Pay particular attention to subsequent events and to the period between the financial statement date and the audit report date, where many going-concern situations actually crystallise.

Five Questions to Ask Your Auditor

• What is your fraud risk assessment for our entity this year, what specific fraud patterns are you most concerned about, and what audit procedures are responsive to those concerns? A generic answer means a generic audit.
• How did you perform journal entry analytics this year, what populations did you cover, and what exceptions did you investigate? The answer should be specific and grounded in the entity’s actual data.
• What is your conclusion on going concern, what were the close-call judgments, and what subsequent events did you evaluate? An auditor who cannot articulate close-call judgments has not engaged substantively with going concern.
• What deficiencies in our internal control environment, if any, materially affect our exposure to fraud or to going-concern risk? This is the question that translates audit findings into board action.
• If we asked you tomorrow to extend our going-concern assessment period to 18 or 24 months, what would change in your conclusion? This question reveals how robust the assessment really is.

How Dawgen Global Approaches Fraud and Going Concern

Within D·ASSURE™, fraud and going concern live primarily in the S pillar — Strategic Risk Mapping — with substantive procedures and journal entry analytics drawn from the second S pillar — Substantive Intelligence. The CARISK™ risk taxonomy provides the framework within which fraud risk is mapped to financial statement assertions, ensuring the audit’s fraud risk assessment is entity-specific rather than templated.

Every Dawgen Global audit includes a documented fraud risk discussion among the full engagement team — partner, manager, senior, IT audit specialist, and where relevant, forensic specialist — held early in planning and revisited as evidence accumulates. Journal entry analytics are run on the complete general ledger population for the period, with exception triage flowing into the engagement risk register rather than into a separate workstream. Going-concern evaluation is treated as a substantive engagement matter from planning through to sign-off, with the engagement partner required to write a formal going-concern memorandum supported by management’s forecast, the audit team’s sensitivity testing, and the partner’s evaluation of subsequent events.

Where the audit committee or the board requires more than the audit provides — a forensic investigation, an independent going-concern second opinion, a financial restructuring advisory engagement — Dawgen Global delivers these through the firm’s integrated disciplines, with clear scoping and clear deliverables. The position is, as on cybersecurity, one of intellectual honesty about what the audit does, combined with seriousness about what the audit must do.

What’s Next in the Series

Article 7 takes up the audit of regulated entities — credit unions, insurers, securities dealers, and other entities supervised by the BOJ, FSC Jamaica, ECCB, CIMA, FSRC, and their regional counterparts. Where the previous six articles built the foundation, Article 7 examines how that foundation is tested when the audit is also a regulatory document.

If you are an audit committee chair, CFO, or director and would like a confidential briefing on what a substantive fraud risk assessment or going-concern evaluation should look like for your entity — or a diagnostic review of your current auditor’s approach — the Dawgen Global Audit & Assurance team welcomes the conversation. Write to [email protected] or visit dawgen.global.

About the Author

Dr. Dawkins Brown is the Executive Chairman and Founder of Dawgen Global, an independent, integrated multidisciplinary professional services firm headquartered in New Kingston, Jamaica, with operations across more than fifteen Caribbean territories. He writes weekly on Caribbean governance, audit, and assurance matters through Caribbean Boardroom Perspectives and The Caribbean Advisory Brief.

The Caribbean Audit Imperative

A twelve-article series from Dawgen Global  |  dawgen.global

 

About Dawgen Global