December 2026 ISA Deadline: What Your Firm Needs to Prepare Now

Key Takeaways

ISA 240 (Revised) and ISA 570 (Revised 2024) both become effective for audits of financial statements for periods beginning on or after 15 December 2026. For calendar year-end clients, the first affected period is 1 January 2027.
The two standards were aligned deliberately because fraud and financial distress are interrelated risks. Firms must implement them together, not sequentially.
Templates, working papers, and report formats need updating: the going concern working paper requires a two-stage structure (gross-basis identification then evaluation), and journal entry testing must respond to specific assessed fraud risks.
Engagement teams need training on the gross-basis going concern identification and risk-driven journal entry selection before live engagements begin – changed behaviour, not just changed templates.

What converges on 15 December 2026

Two revised standards share the 15 December 2026 effective date.

ISA 240 (Revised), approved by the IAASB in March 2025 and released July 2025, rewrites the auditor's responsibilities relating to fraud. The key changes: risk-driven journal entry testing (not generic), a requirement to understand the entity's whistleblower programme, explicit coverage of third-party fraud, a stand-back assessment at completion, a "clearly inconsequential" threshold for fraud allegations, and new Key Audit Matter requirements for listed entity audits.

ISA 570 (Revised 2024), released April 2025, restructures the going concern framework. The key changes: gross-basis identification of events and conditions before considering management's mitigating plans, mandatory evaluation of management's assessment on every engagement, an extended assessment period (twelve months from approval date rather than financial statement date), and new mandatory going concern content in every auditor's report.

In addition, narrow-scope amendments to the ISQMs, ISAs, and ISRE 2400 (Revised) resulting from the IESBA's revisions to the definitions of listed entity and public interest entity were published in September 2025 and also take effect for periods beginning on or after 15 December 2026. These are less operationally demanding but affect engagement acceptance and continuance decisions for entities that fall within the revised PIE definition.

ISA 600 (Revised) is not part of this convergence. It took effect for periods beginning on or after 15 December 2023 and should already be embedded in your group audit methodology.

Why these standards were aligned deliberately

The IAASB did not accidentally give ISA 240 and ISA 570 the same effective date. Fraud and financial distress are interrelated risks. An entity under financial pressure is more likely to have management override of controls. An entity committing fraud is more likely to face going concern issues when the fraud is discovered. The standards were designed to work as a package.

This has practical consequences for how you structure your files. The ISA 240 fraud risk assessment should cross-reference to the ISA 570 going concern working paper. If the going concern assessment identifies financial distress (a gross-basis event like a declining current ratio or a maturing loan facility), that's a fraud risk factor under ISA 240. If the fraud risk assessment identifies revenue manipulation, that may indicate going concern issues under ISA 570. The revised standards create this linkage explicitly. A firm that implements one standard without connecting it to the other misses the structural change the IAASB intended.

The IAASB has also encouraged jurisdictions to adopt both standards together with the forthcoming narrow-scope amendments for listed entities and public interest entities as a single package. The FRC in the UK has already issued consultation proposals for ISA (UK) 240 and ISA (UK) 570 reflecting the same December 2026 target date.

What changes in your audit files: a standard-by-standard summary

ISA 240 (Revised) changes to the engagement file

Journal entry testing working papers must show selection criteria that respond to specific assessed fraud risk factors, not a generic template applied identically to every client. If the risk assessment identifies revenue manipulation, the population and criteria must target revenue-affecting entries specifically.

The planning file needs a whistleblower programme section documenting whether the entity has a programme, how it operates, who administers it, what reports were received, and how the entity responded to them. For Dutch clients subject to the Wet bescherming klokkenluiders, the absence of a programme in an entity with 50 or more employees is a non-compliance issue under ISA 250.

Accounting estimate reviews must include a directional bias analysis. For each significant prior-year estimate, record the estimate, the outturn, and the direction of difference. If the pattern is consistently optimistic or pessimistic, document whether this represents a fraud risk factor. This is a management override procedure under ISA 240, distinct from the ISA 540 retrospective review even though the underlying data overlaps.

At completion, a fraud stand-back memo must document whether the ROMM due to fraud assessments made at planning remain appropriate in light of evidence obtained during fieldwork. If new information emerged (a late adjustment, a related party transaction not disclosed at planning, or a whistleblower allegation), the memo must address whether the original risk assessment was updated.

ISA 570 (Revised 2024) changes to the engagement file

The going concern working paper must split into two stages: gross-basis identification of events and conditions (before any mitigation) and evaluation of management's plans for each identified event or condition. A single-column template that merges both stages does not comply.

Planning templates must calculate the revised assessment period: twelve months from the expected approval date, not the year-end date. For a Dutch entity approving accounts in April, this adds several months to the assessment window. Add the calculation to every planning memo.

Every engagement must document evaluation of management's going concern assessment, even when no indicators exist. The file must show what method and assumptions management used, what data supported the assessment, and that you considered potential management bias.

Audit report templates need a new going concern section containing two explicit conclusions: whether the going concern basis is appropriate and whether a material uncertainty exists. Every report must include this section, not just those with material uncertainties.

Preparation timeline: what to do and when

Now through June 2026: methodology and template updates

Start with the templates. The going concern working paper redesign (two-stage structure) and the fraud risk assessment updates (whistleblower section, directional bias analysis, stand-back memo) are the highest-priority items because they affect every engagement. Update the audit report template to include the new going concern section. These changes can be drafted, reviewed by the technical partner, and piloted on a test file in this window.

Review your journal entry testing approach. If your firm uses a standardised population and selection criteria across all engagements, that methodology must change. Each engagement's journal entry testing must now respond to its specific fraud risk assessment. This may require a redesign of how the team documents the link between assessed fraud risks and selected journal entry criteria.

July through December 2026: training and pilot

Run training sessions for all engagement teams. The training should cover the gross-basis going concern identification (with worked examples showing the difference between the old merged approach and the new two-stage approach), the fraud risk assessment changes (whistleblower programme understanding, directional bias in estimates, the stand-back requirement), and the new audit report wording.

Pilot the updated templates on two or four dry-run files. Use a mix of entity types: one straightforward entity with no going concern indicators (to test whether the "every engagement" evaluation requirement is documented properly) and one entity with genuine financial stress (to test the gross-basis identification).

January 2027 onward: live implementation

Calendar year-end engagements under the revised standards will be 31 December 2027 audits (periods beginning 1 January 2027). Planning for these starts in Q3–Q4 2027. By that point, your methodology and templates should be final, and training should be complete.

For early-adopting clients or entities with non-calendar year-ends beginning on or after 15 December 2026, the timeline is tighter. A client with a 31 March 2027 year-end (period beginning 1 April 2026) would not fall under the revised standards. But a client with a year-end of 31 December 2027 (period beginning 1 January 2027) would. Check your non-December year-end portfolio carefully.

Post-implementation review

Build in a post-implementation review. After the first five completed files under the revised standards, the quality director or technical partner should review them specifically for compliance with the new requirements. Focus on two areas: does the going concern working paper genuinely separate gross-basis identification from management plan evaluation, and does the journal entry selection criteria link explicitly to the assessed fraud risk? These are the two structural changes most likely to be done poorly on the first attempt.

Worked example: SRA member firm readiness plan

Firm profile: Kuiper & Vos Accountants, a fictional SRA member firm in Utrecht with 28 professionals, 12 engagement partners, approximately 180 statutory audit clients. Mix of owner-managed SMEs, mid-market manufacturing, and a few PIE-adjacent entities.

Phase 1: assessment (now through March 2026)

The firm's quality director reviews the current methodology against both revised standards. Gaps identified:

Gap 1: The going concern working paper is a single-page template with a combined identification and evaluation column. Must be redesigned as a two-stage document per ISA 570 (Revised 2024).
Gap 2: Journal entry testing uses a firm-wide standard population (period-end entries above €10K posted by senior management). Must be redesigned to require engagement-specific criteria linked to assessed fraud risks per ISA 240 (Revised).
Gap 3: No whistleblower programme section exists in the planning template. Must be added per ISA 240 (Revised) paragraph 32(a).
Gap 4: The audit report template contains no going concern section for reports without material uncertainty. Must be updated per ISA 570 (Revised 2024).
Gap 5: No fraud stand-back memo template exists. Must be created per ISA 240 (Revised).

Phase 2: template development (April through September 2026)

The quality director and two senior managers draft updated templates. Each template is reviewed against the relevant standard paragraph by paragraph. The firm runs two test files using the prior year's completed engagements: one clean entity (Bakker Consultancy B.V., €8M revenue, no going concern issues) and one entity with financial stress (De Graaf Bouw B.V., €22M revenue, covenant breach in prior year).

The test reveals that the going concern two-stage template works but is too long for clean entities. A short-form version is created for entities where stage one identifies zero events or conditions. The fraud stand-back memo template works but needs a prompt for cross-referencing to ISA 570.

Phase 3: training (October through December 2026)

Two half-day sessions run for all audit staff. Session one covers ISA 570 (Revised 2024): the gross-basis concept with a before-and-after comparison showing how the same going concern facts would be documented under the old and new standards, the extended assessment period calculation, and the new report wording. Session two covers ISA 240 (Revised): whistleblower programme understanding, risk-driven journal entry testing, directional bias analysis, and the stand-back.

Each session uses a worked example based on a fictional client where participants complete the updated templates. The firm distributes a one-page reference card summarising the five template changes for engagement teams to keep in their planning files.

Behavioural change

Do not underestimate the behavioural change required. The gross-basis going concern identification asks teams to do something counterintuitive: identify a problem without immediately reaching for the solution. Most audit professionals are trained to evaluate and conclude. Separating identification from evaluation requires practice before it feels natural.

Phase 4: live (January 2027 onward)

First engagements under the revised standards use the updated templates. The quality director reviews the first five completed files for compliance with both standards, specifically checking whether the going concern two-stage structure is genuinely followed (not just reformatted) and whether journal entry selection criteria link to specific fraud risks. Findings are fed back before the main busy season starts.

A firm in this position would be ready by the time 2027 year-end planning begins. One that starts this process in 2027 will not.

Practical checklist

Map the effective date to your client base. For each client, identify the first period beginning on or after 15 December 2026. For calendar year-end clients, this is 1 January 2027 (audited in early 2028). ISA 240 (Revised) and ISA 570 (Revised 2024) both apply from that date.
Run a gap analysis comparing your current methodology to both revised standards. Focus on templates first: going concern working paper, journal entry testing, planning questionnaire, fraud risk assessment, audit report, and completion memo.
Redesign the going concern working paper as a two-stage document before anything else. This is the highest-risk template because the gross-basis requirement is a fundamental structural change, not an incremental addition.
Add a whistleblower programme section to your planning template. For Dutch clients, include a compliance check against the Wet bescherming klokkenluiders.
Update the audit report template to include the new mandatory going concern section with two explicit conclusions. Pilot the updated wording with your technical partner.
Schedule training no later than Q4 2026. Both standards require changed behaviour, not just changed templates. Engagement teams need to practise the gross-basis going concern identification and the risk-driven journal entry selection before live engagements begin.

Common mistakes

Firms that focus exclusively on ISA 570 and neglect ISA 240 (or vice versa) will produce files where the fraud and going concern assessments are disconnected. The IAASB aligned both standards deliberately. Implement them together.

The PCAOB's 2024 inspection spotlight found that consideration of fraud was among the most common Part I.B deficiency areas across all firm types. The ISA 240 changes were designed to address exactly these recurring findings. Firms that treat the revised standard as a minor update rather than a methodological change will continue to produce the same deficiencies under a stricter framework.

Related working papers

ISA 240 Fraud Risk Assessment Toolkit

Brainstorming agenda, risk matrix, journal entry testing, and management override procedures.

View the toolkit →

Get practical audit insights, weekly.

No exam theory. Just what makes audits run faster.

No spam — we're auditors, not marketers.

Frequently asked questions

When do ISA 240 (Revised) and ISA 570 (Revised 2024) take effect?

Both standards are effective for audits of financial statements for periods beginning on or after 15 December 2026. For calendar year-end clients, the first affected period is 1 January 2027, meaning 2027 year-end audits (performed in early 2028) must comply with both revised standards.

Why do ISA 240 and ISA 570 share the same effective date?

The IAASB aligned both standards deliberately because fraud and financial distress are interrelated risks. An entity under financial pressure is more likely to have management override of controls, and an entity committing fraud is more likely to face going concern issues when the fraud is discovered. The standards are designed to work as a package.

What is the most important template change for ISA 570 (Revised 2024)?

The going concern working paper must be restructured into two distinct stages: gross-basis identification of events and conditions (before any mitigation) and evaluation of management's plans for each identified event or condition. A single-column template that merges both stages does not comply with the revised standard.

What changes does ISA 240 (Revised) make to journal entry testing?

Journal entry testing must now respond to specific assessed fraud risks rather than using a generic template applied identically to every client. If the risk assessment identifies revenue manipulation, the population and selection criteria must target revenue-affecting entries specifically.

When should firms start preparing for the December 2026 deadline?

Firms should start now. Methodology and template updates should be completed by mid-2026, training should run in the second half of 2026, and pilot testing on dry-run files should be completed before the first live engagement under the revised standards. A firm that starts this process in 2027 will not be ready in time.