CSSF ¦ Report on the CSSF’s 2025 Thematic Inspection: “The Risk of Fraud in Revenue Recognition in the Context of an Audit of Financial Statements”

CSSF Raises the Bar on Revenue Fraud in Audits

The Commission de Surveillance du Secteur Financier (CSSF) has placed fresh attention on one of the most sensitive areas in financial reporting: revenue recognition. Its 2025 thematic inspection, published in May 2026, shows that fraud risks in this area are still not being assessed with enough depth by auditors, even though revenue remains one of the most exposed lines in the financial statements.

Revenue is not just another audit area. It is often tied to performance targets, management compensation, market expectations, and investor pressure. That makes it especially vulnerable to manipulation. The CSSF’s review focused on whether auditors properly identified and responded to the risk of material misstatement due to fraud, with special attention to the presumption under ISA 240 that revenue recognition carries a fraud risk.

What the CSSF Inspected

The review covered 46 statutory audit files from Big 4 firms, including 17 public-interest entity audits. The sample spanned commercial and industrial entities as well as financial institutions, insurers, professional financial sector entities, and private equity.

Across these audits, the CSSF looked at whether auditors had properly evaluated fraud risk factors, identified the products or transactions that could give rise to fraud, justified any rebuttal of the presumption of fraud risk in revenue recognition, and designed controls and procedures that actually responded to the risk.

The results show a recurring issue: too often, auditors approached revenue fraud risk too broadly, too mechanically, or with insufficient documentation.

Bastian Schwind-Wagner

"The CSSF’s 2025 thematic inspection shows that revenue recognition remains a critical fraud risk area in statutory audits. Auditors are expected to move beyond generic checks and document a clear, specific, and well-supported assessment of fraud risks tied to the facts of each engagement.

The report also sends a wider message to the market: strong controls and automated processes do not remove the need for professional skepticism. Where revenue is tied to targets, performance pressure, or complex transaction flows, auditors must test the risk with real precision and not rely on routine rebuttals."

Why ISA 240 Matters Here

ISA 240 requires auditors to plan and perform audits with the goal of obtaining reasonable assurance that financial statements are free from material misstatement due to fraud or error. But fraud is different from error. Fraud can involve concealment, collusion, and deliberate override of controls. That means the usual procedures that work for errors may not be enough.

For revenue, the standard goes further. It creates a presumption that there are fraud risks in revenue recognition. Auditors must then evaluate which types of revenue, transactions, or assertions are exposed. This is not a formality. It is a required analytical step that should be grounded in the facts and circumstances of the engagement.

The CSSF’s report makes plain that auditors must not treat this presumption as a box-ticking exercise or dismiss it because the client appears well controlled.

Weak Risk Assessment Was a Common Problem

One of the most frequent findings was that auditors did not explain fraud risk factors with enough precision. In several files, pre-populated risk factors were accepted or rejected with little documented reasoning. In other cases, the audit file did not show why a known pressure, such as a revenue target embedded in a shareholder agreement, was not treated as relevant to fraud risk.

A meaningful fraud assessment starts with the specific incentives, pressures, opportunities, and rationalizations present in the engagement. It also includes control-related factors, such as weak oversight or deficiencies in accounting systems. The CSSF stressed that auditors should look at both inherent risk factors and control risk factors, but should not confuse the presence of controls with the absence of fraud risk.

The report also warns against a common misunderstanding: a strong control environment does not eliminate the need to identify fraud risk. Fraudsters can override controls, and some schemes are built precisely to bypass them.

Too Much Reliance on Generic Rationales

The CSSF found that auditors sometimes rebutted the presumption of fraud risk in revenue recognition using rationales that were too broad. In the financial sector, common justifications included simple calculations, robust internal controls, or highly automated processes. In the commercial and industrial sector, auditors often pointed to non-complex transactions, invoicing based on contracts, or the absence of management estimates.

The CSSF did not accept these reasons as sufficient on their own. Even where transactions are straightforward, fraud risk can still exist if there are many revenue streams, large volumes of transactions, material judgment points, or management pressure linked to turnover or KPI performance.

This is a key lesson from the review: simplicity in the mechanics of revenue does not automatically mean low fraud risk. A high-volume, low-value business can still be exposed if the conditions are right for manipulation.

The Rebuttal Problem

A notable finding was the high rate at which auditors rebutted the presumption of fraud risk in revenue recognition in the financial sector. The CSSF questioned whether that pattern was consistent with the actual risk profile of the entities inspected.

The report aligns with the direction of the revised ISA 240, which narrows the circumstances in which rebuttal is appropriate. The revised standard points to only very limited examples, such as simple leasehold revenue from a single tenant or straightforward ancillary income based on fixed or externally published rates that are not key performance indicators for management.

The overall message is that rebuttal should be rare, well supported, and carefully documented. It should not become a default outcome.

Internal Controls Must Be Specific, Not Generic

Where the presumption of fraud risk was not rebutted, auditors were expected to identify controls that specifically address those risks and assess whether they were properly designed and implemented. The CSSF found that this was often done too generically.

Controls described in the audit files were sometimes too broad to show how they would actually detect or prevent fraudulent revenue recognition. In other cases, the auditor did not show how the tested controls linked to the identified fraud risks.

That matters because fraud-focused controls must be connected to the actual manipulation scenarios the audit team has identified. A standard control over revenue posting is not enough if the real risk involves side agreements, premature recognition, fictitious sales, or cut-off manipulation.

Audit Responses Were Often Too Similar to Error Responses

The CSSF also observed that audit responses to fraud risk were often not clearly different from the procedures used to address error. The changes in nature, timing, and extent were sometimes limited to a slightly larger sample or some unpredictability in selection. That is not always enough.

Where fraud risk is significant, the auditor should consider more persuasive evidence, more reliable sources, and procedures tailored to the suspected risk. That may mean earlier testing, more third-party evidence, direct confirmations of contract terms, or interviews with staff outside finance. It may also mean reviewing customer correspondence, checking for side agreements, and changing the audit approach from year to year.

The point is not to do more work for its own sake. The point is to do different work when fraud risk demands it.

What Good Practice Looked Like

The CSSF did identify some positive examples. In one case, the audit team prepared a detailed memorandum that broke down the revenue cycle, documented the different revenue categories, and performed a more thorough preliminary analytical review using both monetary and non-monetary information. In another case, the auditor reviewed the entity’s own fraud risk matrix to understand how management had identified and addressed revenue-related risks.

These are useful examples because they show a more disciplined approach. Good fraud assessment is not just about ticking a checklist. It is about understanding the business, the revenue model, the pressures on management, and the points where misstatement could happen.

What Auditors Should Take Away

The CSSF’s report is a reminder that revenue fraud risk cannot be handled with generic language or routine procedures. Auditors need to be more exact about which revenue streams are exposed, why the risk exists, whether rebuttal is really justified, and how the audit response addresses the specific threat.

The revised ISA 240 reinforces this direction. It places more weight on robust identification and assessment of fraud risk and less on routine rebuttal arguments. It also makes clear that revenue recognition is usually a serious fraud area, not one to be treated casually.

A Clear Signal for the Market

The CSSF’s thematic inspection is not just an audit quality review. It is a signal to the wider market that revenue recognition remains a central pressure point for financial crime and financial reporting abuse. Auditors are expected to be skeptical, specific, and well documented. Anything less leaves room for fraud to go unnoticed.

For companies, the report is equally relevant. Weak revenue governance, aggressive targets, vague controls, and poor documentation can all create conditions where fraud becomes easier to commit and harder to detect.

The conclusion is simple. Revenue recognition demands more than standard audit comfort. It demands disciplined fraud thinking, careful evidence, and a willingness to challenge narratives that seem too neat.

The information in this article is of a general nature and is provided for informational purposes only. If you need legal advice for your individual situation, you should seek the advice of a qualified lawyer.
Dive deeper
  • CSSF ¦ Report on the CSSF’s 2025 thematic inspection: “The risk of fraud in revenue recognition in the context of an audit of financial statements” ¦ Link
Bastian Schwind-Wagner
Bastian is a recognized expert in anti-money laundering (AML), countering the financing of terrorism (CFT), compliance, data protection, risk management, and whistleblowing. He has worked for fund management companies for more than 24 years, where he has held senior positions in these areas.