Suspected fraud: Knowing when to escalate

February 18, 2026

For most audit and tax partners, fraud does not appear as a formal engagement. It usually emerges in two ways.

First, through direct communication from the client. A CFO, CEO or board member expresses a concern, mentions irregularities, internal conflicts, missing information, or simply states that something does not seem right.

Second, through red flags identified during assurance or tax work. These typically include financial pressure on management to meet profitability targets or debt covenants; complex or highly subjective accounting estimates; weak governance or ineffective audit committee oversight; high turnover in finance or IT roles; inadequate segregation of duties; large volumes of cash or easily convertible assets; aggressive earnings forecasts; a culture that prioritizes results over controls; and management override signals such as unusual journal entries near period-end, inappropriate changes in estimates, fictitious vendors or employees, or unexplained transaction patterns.

In both cases, the partner is faced with the same situation: there is no proven fraud yet, but there are sufficient indicators to consider the risk seriously.

What ISA 240 says

ISA 240 defines the auditor’s responsibilities in relation to fraud in financial statement audits. Under the standard, auditors are required to identify and assess the risks of material misstatement due to fraud, design appropriate responses, and obtain reasonable assurance that the financial statements are free from material fraud-related misstatements. This includes procedures such as inquiries, evaluation of internal controls, analytical procedures and testing journal entries for fraud indicators.

However, ISA 240 also makes an important distinction. While auditors may identify or suspect fraud through these risk-based procedures, their objective is not to perform a forensic investigation or make a legal determination of fraud. Their role remains focused on obtaining sufficient and appropriate audit evidence for financial reporting purposes.

The revised ISA 240 (effective 2025) reinforces this approach by strengthening professional skepticism and the use of a “fraud lens” in risk assessment and audit responses, while maintaining the boundary between audit responsibilities and forensic or legal investigations.

Why fraud requires a different type of expertise

At that point, consulting a specialist is not a sign of weakness. It is a sign of professional judgment.
Certified Fraud Examiners (CFEs) are trained in areas that are not part of traditional accounting education, such as fraud schemes and behavioral patterns, evidence handling and preservation, interview techniques, digital forensics, legal and regulatory implications, and litigation support.

Most audit and tax partners are highly competent in financial and tax matters. Very few are trained to conduct forensic investigations. And that is perfectly normal. Fraud is a specialized discipline. Trying to handle a suspected fraud case without the appropriate expertise exposes both the client and the firm to unnecessary professional, legal and reputational risk.

Why forensic audits are different

A forensic investigation is fundamentally different from a financial or internal audit. A traditional audit focuses on whether financial information is fairly presented. A forensic audit focuses on whether misconduct occurred, how it happened, who was involved, what evidence exists, and what the legal consequences may be.

This requires different competencies, including investigation methodologies, digital forensic tools, interview and interrogation skills, chain of custody procedures, coordination with legal counsel, and documentation suitable for litigation or regulatory processes.

In other words, a forensic engagement is not an extension of audit procedures. It is a different type of professional service with its own standards, risks and technical requirements.

The priority in any fraud case: evidence preservation

Regardless of who leads the investigation, one principle always comes first: preserve the evidence. This includes both physical and digital evidence, such as accounting systems and databases, emails and files, servers and backups, access logs, and physical documentation.

Evidence must be secured before interviews, internal reviews or management actions take place. Once evidence is altered or destroyed, the case may become impossible to prove, regardless of how strong the initial suspicion was.

From a professional risk perspective, this is the most critical step in the entire process.

What to do in practice: the Kreston network

In many cases, audit and tax partners will identify fraud indicators but will not have the internal capabilities to conduct a full forensic investigation. This is where the Kreston network becomes a strategic advantage.

Through the global forensic expert network, Kreston firms can access Certified Fraud Examiners, forensic accountants, digital forensic specialists, cross-border investigation teams, and legal and regulatory coordination support.

The local firm remains the relationship owner. The forensic team provides the technical expertise. The network enables a coordinated, professional and defensible response.

Final message to partners

Fraud situations are unavoidable in professional practice. What makes the difference is not whether you encounter them, but how you respond when they arise. Knowing when to escalate, when to involve specialists, and how to protect evidence is not just good practice. It is part of your professional responsibility.

And when in doubt, the most valuable asset you have is the network.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by the GDPR Cookie Consent plugin. It is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	This cookie is set by the GDPR Cookie Consent plugin to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by the GDPR Cookie Consent plugin. It is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by the GDPR Cookie Consent plugin. It is used to store the user consent for the cookies in the category "Other".
cookielawinfo-checkbox-performance	11 months	This cookie is set by the GDPR Cookie Consent plugin. It is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
device_id	10 years	Cookie used to maintain a local copy of the user's unique identifier.
viewed_cookie_policy	11 months	This cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not a user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
currency	1 year	This cookie is used to store the currency preference of the user.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
li_gc	6 months	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Cookie	Duration	Description
ac_enable_tracking	1 month	This cookie is set by Active Campaign to denote that traffic is enabled for the website.
device_view	1 month	This cookie is used for storing the visitor device display inorder to serve them with most suitable layout.

Cookie	Duration	Description
__kla_id	2 years	Cookie set to track when someone clicks through a Klaviyo email to a website.
_ga	2 years	This cookie is installed by Google Analytics. It is used to calculate visitor, session and campaign data and it also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to identify unique visitors.
_ga_M0XVMQMRZ1	2 years	This cookie is installed by Google Analytics.
_gat_gtag_UA_188891991_1	1 minute	This cookie is set by Google and is used to distinguish users.
_gat_gtag_UA_7661078_5	1 minute	This cookie is set by Google and is used to distinguish users.
_gid	1 day	This cookie is installed by Google Analytics. It is used to store information on how visitors use a website and helps to create an analytics report on how the website is performing. The data collected includes the number of visitors, the source of visitors and the pages visited in an anonymous form.
AnalyticsSyncHistory	1 month	Linkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.
CONSENT	16 years 5 months 19 days 16 hours 12 minutes	These cookies are set via embedded YouTube videos. They register anonymous statistical data e.g. how many times the video is displayed and what settings are used for playback. No sensitive data is collected unless you log in to your Google account, in that case your choices are linked with your account, for example if you click “like” on a video.

Cookie	Duration	Description
hl	1 year	No description available.
ln_or	1 day	No description
prism_800686921	1 month	No description
SFSESSIDPROD	2 days	No description
SFSESSIDPROD_SH	session	No description

Knowledge

Ricardo Gameroff

Managing Partner at Kreston BA Argentina