December 2026 ISA Deadline: 7 Standards Changing at Once

December 2026 is less than nine months away. For audits of financial statements for periods beginning on or after 15 December 2026, seven revised ISAs take effect simultaneously. That means every engagement file opened for a December 2027 year-end (or later) must comply with all seven. No firm can absorb that volume of methodology change in the final quarter before go-live.

The seven ISAs effective for periods beginning on or after 15 December 2026 are ISA 240 (Revised), ISA 500 (Revised), ISA 200 (Revised), ISA 220 (Revised 2024), ISA 230 (Revised), ISA 700 (Revised), and ISA 570 (Revised 2024), each introducing changes that affect audit planning, evidence gathering, documentation, quality management, and reporting.

The seven standards at a glance

The IAASB has not released this many revised standards with the same effective date since the Clarity Project completed in 2009. The coordination is intentional. Several of the revisions interact: the changes to ISA 200 on professional scepticism flow through to ISA 240's fraud requirements, ISA 500's evidence evaluation, and ISA 700's reporting obligations. Treating each standard as an isolated update will miss the connections.

All seven standards share the same effective date: periods beginning on or after 15 December 2026. Early adoption is permitted for each, subject to local jurisdictional rules. For a December 2027 year-end client, the new standards apply. For a September 2027 year-end client, they do not (because the period begins 1 October 2026, which is before 15 December 2026).

Here is the one-sentence summary for each, with detail in the sections that follow.

ISA 240 (Revised): fraud procedures after fieldwork

ISA 240 (Revised) introduces a mandatory stand-back evaluation at the end of the audit (paragraph 54) requiring the engagement partner to assess whether fraud risk assessments remain appropriate and whether sufficient appropriate audit evidence has been obtained regarding those risks.

The stand-back is new. It has no equivalent in the current ISA 240. Under the current standard, the engagement partner's fraud-related obligations concentrate on planning and response. The revised standard extends them to completion.

Paragraph 54(a) requires the partner to evaluate whether the initial fraud risk assessments remain appropriate in light of audit evidence obtained. Paragraph 54(b) asks whether the audit procedures performed actually addressed those risks. This is distinct from the ISA 330 stand-back (which covers all risk responses, not just fraud). The ISA 240 fraud risk assessment pack includes a dedicated completion tab that maps directly to these new requirements.

The revised standard also tightens requirements around the presumption of fraud risk in revenue recognition. Paragraph 28 describes rebutting the presumption as "ordinarily inappropriate," which is a stronger position than the current standard's framing. Revenue-stream-by-stream analysis becomes the expected approach rather than a blanket entity-level assessment.

Practical impact: firms need a completion-stage fraud evaluation form or working paper section that addresses paragraphs 54(a) and 54(b) separately. Templates built for the current ISA 240 do not have this section.

ISA 500 (Revised): evidence in a digital environment

ISA 500 (Revised) restructures how auditors evaluate the relevance and reliability of information used as audit evidence, with explicit requirements for technology-generated information and automated tools.

The current ISA 500 was written in an era when audit evidence was primarily paper or simple electronic records. The revised standard acknowledges that auditors now receive data extracts, use automated audit tools, and rely on system-generated reports. Paragraph 9 introduces requirements for the auditor to consider the source and nature of information, including whether it was generated by the entity's IT systems, by a third party, or by the auditor's own technology.

The most significant change is the requirement in paragraph 10 to evaluate whether technology-produced information is sufficiently reliable for the auditor's purposes. This applies to both the entity's system-generated data (for example, an aged receivables report from the ERP system) and to outputs from the auditor's own data analytics tools. If you use a data analytics tool to identify journal entries for testing, the revised ISA 500 requires you to consider the reliability of the data input and the tool's processing logic.

Practical impact: every audit file that relies on system-generated reports or data analytics needs documentation supporting the reliability assessment. A one-line note stating "data obtained from client ERP" is insufficient under the revised standard.

ISA 200 (Revised): professional scepticism reframed

ISA 200 (Revised) repositions professional scepticism from a general attitude to a set of specific behaviours that permeate the entire audit, with new application material on how scepticism applies to evidence evaluation, engagement team discussions, and the exercise of professional judgement.

The current ISA 200.15 defines professional scepticism but provides limited guidance on what it looks like in practice. The revised standard expands the application material to describe scepticism as an active, ongoing evaluation rather than a disposition. Paragraph A24 (revised) links scepticism directly to the auditor's assessment of evidence quality: the auditor considers whether information from the entity is consistent with other evidence obtained and whether indicators of management bias exist.

This revision is the conceptual backbone of the other six standards. ISA 240 (Revised) applies scepticism to fraud. ISA 500 (Revised) applies it to evidence reliability. ISA 570 (Revised 2024) applies it to going concern. The IAASB designed these revisions to create a consistent scepticism thread across the audit.

Practical impact: training programmes should address ISA 200 (Revised) first, because its concepts feed into every other standard in this package.

ISA 220 (Revised 2024): engagement-level quality management

ISA 220 (Revised 2024) builds on the 2022 revision by adding specific requirements for the engagement partner's involvement in quality management at the engagement level, including expanded direction, supervision, and review requirements and a stronger link to ISQM 1.

The key change in this iteration is the engagement partner's responsibility to determine that the engagement quality management responses (designed under ISQM 1) are being applied on the specific engagement. Paragraph 15 (revised) requires the partner to take responsibility for the nature, timing, and extent of direction, supervision, and review based on the assessed risks of the engagement. This replaces the more general "sufficient involvement" requirement.

Paragraph 30 (revised) adds a requirement for the engagement partner to stand back (before the auditor's report date) and determine whether the partner's involvement has been sufficient to conclude that significant judgements and conclusions are appropriate. This parallels the ISA 240 stand-back and the ISA 330 stand-back, creating a pattern: the IAASB wants partners to perform explicit completion-stage evaluations, not just sign off.

Practical impact: firms using a single quality checklist for all engagements will need to differentiate based on engagement risk. A listed entity audit and a small private company audit require different levels of direction, supervision, and review under the revised standard.

ISA 230 (Revised): documentation that tells the story

ISA 230 (Revised) introduces the concept that audit documentation should enable an experienced auditor with no previous connection to the engagement to understand not just what was done, but the reasoning behind significant professional judgements.

The current ISA 230.8 requires documentation sufficient to enable an experienced auditor to understand the work performed, evidence obtained, and conclusions reached. The revised standard adds explicit language about documenting the auditor's reasoning in reaching those conclusions. Paragraph 8(b) (revised) focuses on documenting how the auditor exercised professional scepticism and professional judgement on significant matters.

This connects directly to ISA 200 (Revised). If scepticism is now defined by specific behaviours, the documentation standard must require evidence of those behaviours. Inspectors at the FRC and AFM have flagged documentation of professional scepticism as a recurring deficiency. This revision makes the expectation explicit.

Practical impact: working paper templates need a "rationale" or "reasoning" field for significant judgements. A working paper that states the conclusion without explaining how the auditor reached it will not meet the revised ISA 230 requirements.

ISA 700 (Revised): the auditor's report changes

ISA 700 (Revised) introduces modifications to the standard auditor's report format, including updated descriptions of the auditor's responsibilities and new language on the exercise of professional scepticism, aligning the report with the ISA 200 (Revised) framework.

The revised report language in paragraph 38 (revised) expands the section describing the auditor's responsibilities to explicitly reference the exercise of professional scepticism throughout the audit. The change to the report wording itself is small, but it signals to readers (and regulators) that scepticism is embedded, not assumed.

Practical impact: firms must update their auditor's report templates. For any audit where the revised standards apply, using the old report template creates a non-compliance with ISA 700. This is the easiest change to implement but the most visible if missed.

ISA 570 (Revised 2024): going concern on a gross basis

ISA 570 (Revised 2024) requires auditors to identify events and conditions that may cast significant doubt on going concern on a gross basis (before considering management's mitigating plans) and then separately evaluate the feasibility and effectiveness of those plans.

This is the most significant operational change in the package. Under the current ISA 570, many auditors combine the identification of going concern events with management's response in a single assessment. The revised standard forces a two-step process. First, identify every event or condition that (taken alone) casts doubt. Second, evaluate what management intends to do about each one.

Paragraph 16 (revised) makes the gross-basis assessment explicit. The going concern checklist can be used to structure this identification step. Paragraph 19 (revised) then requires the auditor to evaluate management's plans and whether those plans are feasible given the entity's circumstances.

The practical difference is significant. Under the current approach, an entity with a current ratio below 1.0 but a signed refinancing agreement might never appear in the going concern working paper as a concern at all. Under the revised standard, the low current ratio is identified as a gross-basis indicator, and the refinancing agreement is evaluated separately as a mitigating plan. Both must be documented.

Practical impact: going concern working papers need structural redesign. The current single-step assessment (is there a problem, yes or no?) becomes a two-column analysis: gross-basis indicators in one column, management's mitigating plans in the other.

What firms should start doing now

Training is the first priority. ISA 200 (Revised) should anchor the training because its scepticism framework feeds into every other standard. Run it before the standard-specific sessions. A firm that trains on ISA 570 (Revised 2024) without first covering the ISA 200 changes will find teams confused about why the going concern approach changed.

Template updates come second. The changes to ISA 240 (stand-back evaluation), ISA 570 (gross-basis assessment), ISA 230 (reasoning documentation), and ISA 700 (report wording) all require new or modified working paper templates. Firms that use third-party methodology providers should confirm the provider's update timeline now, not in Q4 2027.

Dry runs matter. Pick two or four engagements with periods beginning before 15 December 2026 and apply the revised standards voluntarily. Early adoption is permitted. The dry run reveals template gaps, training deficiencies, and time budget pressures before they appear on a live engagement with a regulatory deadline.

Quality management system updates are also required. ISQM 1 responses should reflect the revised ISA 220 requirements for engagement-level quality management. The firm's monitoring and remediation process under ISQM 1.43 should include a check that the revised standards have been embedded in methodology and practice.

Worked example: mapping the changes to a single engagement

Scenario: Dijkstra Logistics B.V. is a Dutch transport and warehousing company with €62M revenue and a December 2027 year-end. The engagement team is planning the audit, which is the first engagement to fall under all seven revised standards.

1. The engagement partner reviews the firm's updated planning template, which now includes a section mapping applicable revised standards to the engagement. All seven revised ISAs are flagged as applicable because the period begins 1 January 2027 (after 15 December 2026).

Documentation note: "This engagement is subject to ISA 240 (Revised), ISA 500 (Revised), ISA 200 (Revised), ISA 220 (Revised 2024), ISA 230 (Revised), ISA 700 (Revised), and ISA 570 (Revised 2024). Templates updated to reflect all seven standards."

2. During the risk assessment, the team identifies that Dijkstra has a current ratio of 0.92 and a loan covenant that requires a minimum current ratio of 1.1 as at 31 December 2027. Under ISA 570 (Revised 2024), paragraph 16, these are gross-basis indicators. The team documents them in the left column of the new two-column going concern working paper before considering management's plans.

Documentation note: "Gross-basis going concern indicators identified: (1) current ratio of 0.92 at interim, below covenant threshold of 1.1; (2) loan covenant breach likely at year-end based on current trajectory. These indicators are documented before evaluating management's mitigating plans per ISA 570.16 (revised)."

3. The team uses data analytics to select journal entries for fraud testing under ISA 240. Under ISA 500 (Revised), paragraph 10, they document the reliability of the data extract: the ERP system version, the extraction method, completeness checks performed, and the logic applied by the analytics tool.

Documentation note: "Journal entry population extracted from SAP S/4HANA on 15 February 2028. Completeness verified by reconciling total debits and credits to trial balance. Analytics tool applied selection criteria [parameters listed]. Reliability of technology-produced information assessed per ISA 500.10 (revised)."

4. At completion, the engagement partner performs three separate stand-back evaluations: the ISA 330 stand-back on overall audit responses, the ISA 240 (Revised) paragraph 54 stand-back on fraud risk assessments and evidence, and the ISA 220 (Revised 2024) paragraph 30 stand-back on the partner's own involvement and the sufficiency of engagement quality management.

Documentation note: "ISA 240.54 stand-back completed. (a) Fraud risk assessments remain appropriate based on evidence obtained during fieldwork. (b) Audit procedures performed addressed all identified fraud risks. No additional procedures required. ISA 220.30 stand-back completed. Partner involvement sufficient for all significant judgements."

5. The auditor's report uses the updated ISA 700 (Revised) wording, including the expanded professional scepticism language in the auditor's responsibilities section.

Documentation note: "Auditor's report prepared using updated firm template reflecting ISA 700 (Revised) paragraph 38 wording. Report reviewed for compliance with revised report requirements."

A reviewer opening this file sees a clear trail: each revised standard is identified, each change is addressed in the relevant working paper, and the completion-stage evaluations are separate, documented, and cross-referenced.

Practical checklist for the transition

1. Map every engagement with a period beginning on or after 15 December 2026 and confirm it falls under the revised standards. For September year-ends, the 2027 year-end is not affected (period begins October 2026), but the 2028 year-end is.
2. Update the auditor's report template to reflect ISA 700 (Revised) paragraph 38 wording. This is the most visible change and the first thing a reviewer will notice.
3. Add a gross-basis going concern assessment section to the going concern working paper. Two columns: indicators (before mitigation) and management's plans (evaluated separately). Per ISA 570 (Revised 2024) paragraph 16.
4. Add a stand-back evaluation section to the fraud risk working paper for the engagement partner's ISA 240 (Revised) paragraph 54 assessment. This is separate from the ISA 330 stand-back.
5. Require documentation of reliability assessments for all technology-produced information per ISA 500 (Revised) paragraph 10. Include data source, extraction method, and completeness verification.
6. Run ISA 200 (Revised) training before any standard-specific sessions. The scepticism framework is the conceptual foundation for the other six revisions.

Common mistakes in standard transitions

• Updating report templates (ISA 700) but not updating working paper templates for the underlying procedural changes (ISA 240, ISA 570, ISA 500). The FRC's inspection approach looks at the substance of the file, not just the report. An updated report with unreconstructed working papers behind it is worse than a consistent pre-revision file.

• Applying the revised standards to engagements where the period began before 15 December 2026. The effective date is the beginning of the period, not the report date. A December 2026 year-end (period beginning 1 January 2026) falls under the current standards, not the revised ones.

Related content

• ISA 570 going concern checklist: Supports the gross-basis indicator identification required under ISA 570 (Revised 2024) paragraph 16.
• ISA 240 fraud risk assessment pack: Includes the stand-back evaluation tab that maps to ISA 240 (Revised) paragraph 54.
• FUTURE POST: ISA 700 forming an opinion: the completion checklist before you sign: Covers the updated auditor's report requirements and the quality management sign-offs before issuing the report.