Fraud Red Flags Auditors Look For: 9 Critical Self-Audit Checks

What Fraud Red Flags Auditors Look For Can Teach Your Firm

Fraud rarely announces itself. It hides in a reconciliation that never quite balances, a vendor nobody recognizes, or a journal entry posted at 11 p.m. on the last day of the quarter. The fraud red flags auditors look for are the same patterns your firm can catch months earlier, if you know where to point the flashlight.

At BusAcTa Advisors, we provide audit support and bookkeeping for US CPA firms, so we see these patterns across hundreds of client files every year. The good news? Most red flags show up in the books long before an auditor arrives. Your clients can spot many of them with a simple self-audit routine.

This guide breaks down nine red flags, explains what each one signals, and gives your clients a checklist they can run every month. This is general information, not audit or tax advice. Consult a qualified professional about any specific situation. Last reviewed: June 2026.

Why These Red Flags Matter for Your Clients' Books

Most fraud isn't a dramatic heist. It's small, repeated, and quiet. Research from the Association of Certified Fraud Examiners shows that tips catch more occupational fraud than any other single method, which tells you something useful: the numbers alone don't catch it, people do.

Small businesses carry the most risk. They rarely have enough staff to separate who handles cash, who records it, and who reviews it. That missing segregation of duties is exactly what a fraudster needs. When one person controls a whole process, opportunity opens up.

Tips catch more occupational fraud than any other single method. The lesson for your firm: build a culture where people feel safe to speak up.

Auditors think in terms of the fraud triangle: pressure, opportunity, and rationalization. You can't see someone's pressure or rationalization in a general ledger. But you can see opportunity, and opportunity leaves tracks. That's where audit red flags come from.

Why does this matter to your firm specifically? Because your name is on the work. When you handle a client's books or support their audit, the controls you put in place are the difference between catching a problem early and explaining later why nobody saw it. Clients remember which firm protected them.

The 9 Fraud Red Flags Auditors Look For

Here are the nine patterns that make an auditor slow down and start asking questions. Each one is something your clients can watch for too.

1. Missing or altered source documents. An invoice that can't be produced, a receipt that looks edited, a contract with no signature. If the paper trail has gaps, auditors assume the worst until the gap is explained.

2. Bank reconciliations that never quite balance. Stale reconciling items that roll forward month after month often hide a shortfall someone is papering over.

3. One person controls the entire cash cycle. When the same employee receives payments, records them, and reconciles the account, nothing checks their work. This broken segregation of duties is the single most common opening for fraud.

4. Vendor anomalies. Duplicate vendors, a vendor address that matches an employee's home, or round-dollar payments just under an approval limit. These vendor fraud red flags point to fake or inflated billing.

5. Revenue with no support. Sales booked at period end with no shipping record or signed contract, then quietly reversed the next month, can signal someone propping up the numbers to hit a target. Watch for revenue that appears late in a period and vanishes early in the next.

6. Catch-all expense accounts that keep growing. A miscellaneous or other account that absorbs large amounts is a handy place to hide things. Auditors always open that drawer.

7. Payroll irregularities. A ghost employee who never takes leave, overtime that spikes without matching output, or two staff who share one bank account. Payroll is a soft target in small firms because one person often runs the whole cycle.

8. Manual journal entries from management. Top-side entries posted by an owner near the close, with vague descriptions, are a classic management-override flag.

9. Behavior that doesn't match the paycheck. An employee living well beyond their salary, or one who refuses to take a vacation, can be guarding a scheme only they can run.

Notice a theme? Every one of these is an opportunity created by weak controls. Fix the controls and most of these flags never get raised.

How Your Clients Can Self-Audit

Here's the encouraging part. Your clients don't need a full audit to catch most of these. A short, repeatable self-audit checklist run every month does most of the work. What would it cost a client to find a problem nine months late instead of next week?

Walk them through these checks, or have your offshore bookkeeping team run them as part of the monthly close:

• Reconcile every bank and credit card account monthly, and have someone who doesn't handle cash review the reconciliation.

• Pull a duplicate-payment and duplicate-vendor report from the accounting software before each payment run.

• Match three documents before paying any invoice: the purchase order, the receiving record, and the invoice itself.

• Review every manual journal entry over a set dollar threshold, and ask for the support behind it.

• Scan the miscellaneous and other expense accounts line by line.

• Require mandatory vacations and rotate duties, so no single person owns a process forever.

• Compare actual results to budget and chase any variance you can't explain in one sentence.

None of this is complicated. It's discipline, repeated monthly. That's the whole secret behind fraud detection for CPA firms and the clients they serve.

Who should run these checks? Ideally someone outside the day-to-day cash flow: a partner, an outside bookkeeper, or your offshore review team. The reviewer doesn't have to be senior. They have to be independent. That independence is what turns a checklist into a real control.

A self-audit doesn't need to be perfect. It needs to be regular. A modest check done every month beats a thorough one done once a year.

What to Do When You Spot a Red Flag

A red flag is a question, not a verdict. The moment your team finds one, the goal is to confirm or clear it quickly, without tipping off anyone who might be involved. Move calmly and write down each step you take.

Start by preserving the evidence. Pull the source documents, export the relevant journal entries, and save the reports before anything can be edited or deleted. Then widen the lens. Is this a one-off, or a pattern across several months? A single odd entry is noise. The same odd entry every month is a signal.

Keep the circle small. Loop in the business owner or partner, not the wider team, and never confront a suspected person on a hunch. If the numbers point to real loss, that's the moment to bring in a forensic specialist or legal counsel. Your job at this stage is to gather facts, not to prosecute.

A red flag is a reason to look closer, not proof of guilt. Confirm quietly, document everything, and escalate only when the facts support it.

Red Flag to Self-Audit: A Quick Reference

Use this table as a starting point for a monthly review. Your firm can hand it to clients or build it into the workpapers your team already prepares. Keep the version you actually use short enough that someone will run it every single month.

What Auditors Are Actually Required to Do

This isn't optional for auditors. Under AICPA standards, auditors must specifically consider the risk of fraud on every financial statement audit, not just honest error. For audits of public companies, the PCAOB sets a similar requirement.

So when an auditor asks pointed questions about a journal entry or a vendor, they're following the rules, not picking on your client. The SEC, for its part, pursues financial reporting fraud at public companies, which keeps the wider system honest. Want the deeper background? The AICPA audit and attestation resources set out the fraud-consideration standards in full.

For your firm, the takeaway is simple. If you understand what auditors look for, you can build those same checks into your bookkeeping services, accounts payable and receivable workflows, and audit support work, and catch issues before they ever reach an auditor's desk. Strong internal controls for small business clients protect them and protect your firm's name.

The Bottom Line for Your Firm

The fraud red flags auditors look for aren't mysteries. They're the visible tracks that opportunity leaves in the books: missing documents, lopsided duties, vendors that don't add up, and entries that appear in the dark. Teach your clients to run a simple monthly self-audit, and you turn a once-a-year scramble into a quiet, steady habit.

Firms that get ahead of fraud don't rely on luck. They rely on controls, routine reviews, and a second set of eyes. If you'd like a second set of eyes on your clients' books, contact BusAcTa Advisors to scope an audit-support or bookkeeping engagement, and we'll show you the exact checks we run before anything reaches an auditor.