Key Takeaways

  • ISA 240 (Revised) replaces the requirement to document “significant decisions” with a requirement to document “matters discussed” during the engagement team fraud discussion – meaning the substance of the conversation, not just the conclusion.
  • Your engagement team discussion template must now capture fraudulent financial reporting, employee misappropriation, and third-party misappropriation as separate topics, with the reasoning behind each assessment.
  • A new fraud-specific stand-back at completion is separate from the ISA 330 overall stand-back and must be documented as a distinct evaluation of fraud risk assessments and responses.
  • When fraud or suspected fraud is identified, the revised standard requires a separate documentation section covering the understanding obtained, the entity’s response, and the engagement partner’s determination on further procedures.

What ISA 240 (Revised) changes in documentation requirements

The AFM’s January 2025 review found insufficient audit evidence to address fraud risks in 23 of 32 statutory audits. In 17 of those 20 files at regular audit firms, the procedures lacked specificity and depth. ISA 240 (Revised), effective 15 December 2026, adds documentation requirements that would have caught most of those deficiencies at the planning stage. Your current fraud working papers probably won’t survive the transition without changes.

The extant standard requires you to document the “significant decisions” reached during the engagement team discussion on fraud. ISA 240 (Revised) replaces this with a requirement to document the “matters discussed.” That’s not a cosmetic change. Under the current wording, many teams document the conclusion (we assessed revenue recognition as a fraud risk) without documenting the reasoning that got them there. The revised standard closes that gap.

ISA 240 (Revised) also introduces documentation requirements in four areas that the extant standard either leaves implicit or doesn’t address. You now need to document the key elements of your understanding of the entity obtained through the fraud lens (aligned to the ISA 315 (Revised 2019) structure), the sources of information used, the risk assessment procedures performed, and the rationale for significant professional judgements when identifying and assessing risks of material misstatement due to fraud. If you identify fraud or suspected fraud, you must document the results of related procedures performed and the significant professional judgements made. The conclusions reached and the basis for those conclusions must also go in the file. And you need to document your communications with those charged with governance on fraud matters throughout the engagement, not only at completion.

The stand-back requirement is new. Before concluding the audit, ISA 240 (Revised) requires you to evaluate whether your fraud risk assessments remain appropriate and whether you’ve obtained sufficient appropriate audit evidence in response. This evaluation needs documentation. It builds on the existing stand-back in ISA 330, but the fraud-specific stand-back is an additional, separate requirement.

Early adoption is permitted. The IAASB encourages jurisdictions to adopt ISA 240 (Revised) alongside ISA 570 (Revised 2024) as a package, given the deliberate alignment between the two standards on fraud and financial distress.

The engagement team discussion: from “significant decisions” to “matters discussed”

Under extant ISA 240.15, the engagement team discusses the susceptibility of the entity’s financial statements to material misstatement due to fraud. The documentation requirement under extant ISA 240.47 captures the “significant decisions” from that discussion. In practice, most templates reduce this to a single conclusion paragraph.

ISA 240 (Revised) paragraph 29 makes the discussion itself more prescriptive. The engagement team discussion must now explicitly include how the entity’s financial statements may be susceptible to material misstatement due to fraud. It must cover fraudulent financial reporting and misappropriation of assets by employees (both carried over from the extant standard) as well as misappropriation of assets by third parties (new), and it must address the fraud risk factors the team has identified. Under the extant standard, most fraud brainstorming sessions focus on management fraud and employee misappropriation. Paragraph 29(a)(ii)c. of ISA 240 (Revised) now requires the team to exchange ideas about how assets could be misappropriated by third parties.

For documentation purposes, the shift from “significant decisions” to “matters discussed” means your template needs to capture the substance of the conversation. A single summary paragraph no longer suffices. The working paper should record which fraud risk factors the team considered, why certain factors were assessed as giving rise (or not giving rise) to identified fraud risks, and the reasoning behind the team’s assessment of how fraud could occur in the specific context of this entity.

This aligns with what the AFM found in its 2023 fraud risk analysis review of 32 statutory audits. The regulator reported that the presumed fraud risk in revenue recognition was often not recognised, and that teams frequently failed to specify how management could commit fraud. The revised standard’s documentation requirement directly addresses both findings.

New documentation for fraud risk identification and assessment

ISA 240 (Revised) strengthens the linkage to ISA 315 (Revised 2019) by requiring the auditor to apply a “fraud lens” throughout the risk identification and assessment process. The structure of the risk assessment section in the revised standard mirrors the structure of ISA 315 (Revised 2019). In practice, this means your fraud documentation should track the same logical flow as your ISA 315 working papers.

You now need to document your understanding of the entity’s whistleblower programme (or other mechanisms the entity uses to report fraud). This is a new requirement. If the entity has no such programme, document that fact and consider what it tells you about the control environment.

The revised standard also changes how you document the presumption of fraud risk in revenue recognition. ISA 240 (Revised) includes new guidance stating that the significance of fraud risk factors related to revenue recognition ordinarily makes it inappropriate to rebut the presumption. Under the extant standard, many teams develop a rebuttal argument as a matter of course. The revised standard shifts the emphasis: if you rebut, the documentation burden for your rationale is higher, and the circumstances in which rebuttal is appropriate are narrower.

Management override of controls is now explicitly classified as a significant risk of material misstatement due to fraud at the financial statement level. The extant standard didn’t specify the level. Your risk register needs to reflect this classification, and your documentation of responses under ISA 330 needs to address it at the financial statement level (not only at the assertion level, though the revised standard also requires you to determine whether management override gives rise to additional risks at the assertion level).

The stand-back requirement: what goes in the completion file

ISA 240 (Revised) introduces a stand-back requirement that builds on the existing stand-back in ISA 330 but applies specifically to fraud. Before concluding the audit, you must evaluate whether your assessments of the risks of material misstatement due to fraud remain appropriate and whether you’ve obtained sufficient appropriate audit evidence to respond to those assessed risks.

This isn’t the same as the ISA 330 stand-back. The ISA 330 stand-back evaluates overall audit evidence. The ISA 240 fraud-specific stand-back requires you to look at your fraud risk assessments and fraud-specific responses as a distinct evaluation. If you’ve already integrated your fraud procedures into your general risk response documentation, you’ll need a separate section or working paper that pulls the fraud thread through from planning to completion.

What should this look like in the file? At minimum, it’s a completion-stage working paper (or a distinct section of your completion memo) that lists each fraud risk identified at planning, the responses designed, the evidence obtained, any new fraud risk factors identified during fieldwork, and your evaluation of whether the original risk assessment still holds given everything you’ve seen. If new fraud risk factors emerged during the audit that weren’t covered in the planning-stage discussion, this is where you document how you addressed them.

The analytical review tool can help flag unusual fluctuations at the completion stage that might indicate previously unidentified fraud risk factors.

Documenting identified or suspected fraud

ISA 240 (Revised) creates a separate section for procedures when fraud or suspected fraud is identified. Under the extant standard, the requirements for responding to identified fraud sit within the general response framework. The revised standard breaks them out, which means your documentation structure should do the same.

When fraud or suspected fraud is identified, the revised standard requires you to obtain an understanding of the matter and evaluate how the entity has responded. You must then determine the effect on the audit engagement. A new “clearly inconsequential” threshold provides proportionality. If the engagement partner determines the matter is clearly inconsequential, no further procedures are required (but the determination itself must be documented). For anything above that threshold, the engagement partner must determine whether to perform additional risk assessment or further audit procedures, and that determination goes in the file.

The revised standard also adds a requirement (paragraph 55(a) of ISA 240 (Revised)) to make inquiries about identified fraud or suspected fraud with a level of management at least one level above those involved. When appropriate, inquiries should also be made with those charged with governance. Both the inquiries and the responses must be documented.

Worked example: updating a fraud file for Bakker Industrial B.V.

Bakker Industrial B.V. is a mid-sized Dutch manufacturing company with €68M revenue, producing industrial components for the automotive sector. The engagement is in its fourth year. The team consists of the engagement partner, one senior, and two staff members. The previous year’s file documents a single fraud brainstorming conclusion: “Revenue recognition assessed as a fraud risk. Management override of controls addressed through journal entry testing.”

Before (extant ISA 240 documentation)

The fraud discussion working paper contains one paragraph: “The engagement team discussed the susceptibility of the financial statements to fraud on 15 September 2026. Revenue recognition was identified as a fraud risk due to performance-based incentive arrangements. Management override of controls will be addressed through testing of journal entries and review of accounting estimates. No other specific fraud risks were identified.”

Documentation note

This meets extant ISA 240.47 in the narrowest sense but would not survive the revised standard.

After (ISA 240 (Revised) documentation)

1. Engagement team discussion (ISA 240 (Revised) paragraph 29)

The working paper now has four sections. First, it lists participants and date (engagement partner R. Visser, senior J. de Groot, staff members K. Bakker and L. Janssen, 15 September 2027). Second, it records the fraud risk factors discussed, including: incentive pressure from parent company margin targets (incentive/pressure), the CFO’s dual role as financial controller with direct posting access to SAP (opportunity), high volume of manual journal entries in the last two weeks of each quarter (opportunity), and reliance on a single long-tenured IT administrator for system access management (opportunity).

Third, it records how the team assessed susceptibility to fraudulent financial reporting (revenue cut-off manipulation at quarter-end given the margin pressure and the pattern of late journal entries), misappropriation of assets by employees (low risk given strong inventory controls and reconciliation procedures), and misappropriation by third parties (the entity supplies automotive OEMs on consignment terms; goods held at customer premises are valued at €4.2M and verification relies on customer confirmations alone). Fourth, it records the fraud risks identified: revenue recognition (revenue cut-off, specifically the occurrence and cut-off assertions for Q4 revenue) and management override of controls (significant risk at the financial statement level, with additional assertion-level risk in manual journal entries and accounting estimates for warranty provisions).

Documentation note

Each fraud risk factor is linked to a specific risk. The third-party misappropriation assessment is new under ISA 240 (Revised) paragraph 29(a)(ii)c.

2. Whistleblower programme understanding

Bakker Industrial has no formal whistleblower programme. The entity relies on an informal open-door policy. The engagement team noted this as a deficiency in the control environment relevant to the prevention and detection of fraud.

Documentation note

New requirement under ISA 240 (Revised). The absence of a formal programme is itself a relevant finding for the fraud risk assessment.

3. Stand-back evaluation (completion stage)

At completion, the engagement team evaluated whether the fraud risk assessments from planning remained appropriate. During fieldwork, the team identified €180K in revenue recorded in December 2027 for goods not shipped until January 2028. The client corrected the misstatement. The team evaluated whether this constituted fraud or error and concluded it was an isolated cut-off error based on shipping documentation. The original fraud risk assessment for revenue cut-off was confirmed as appropriate. No new fraud risk factors were identified during the audit. The evidence obtained (detailed cut-off testing of the final two weeks, journal entry testing across all periods, estimate review for warranty provisions) was sufficient to respond to the assessed fraud risks.

Documentation note

New fraud-specific stand-back requirement. The evaluation explicitly addresses whether the original risk assessment still holds and whether the evidence obtained was sufficient.

Your update checklist

  1. Compare your current fraud discussion template against ISA 240 (Revised) paragraph 29. Add separate sections for fraudulent financial reporting, employee misappropriation, and third-party misappropriation. Each section should capture the fraud risk factors discussed and the team’s reasoning, not just the conclusion.
  2. Add a field for whistleblower programme understanding. If the entity has no programme, your template should prompt documentation of that gap and its implications for the control environment.
  3. Update your risk register so management override of controls is classified as a significant risk at the financial statement level. Add a prompt to determine whether additional assertion-level risks arise from it (ISA 240 (Revised)).
  4. Review your revenue recognition rebuttal documentation. If your template treats rebuttal as a standard option, update the wording to reflect the revised standard’s position that rebuttal is ordinarily inappropriate where fraud risk factors are present.
  5. Add a fraud-specific stand-back section to your completion working papers. This is separate from the ISA 330 overall stand-back. It should list each fraud risk identified at planning, the response performed, the evidence obtained, any new risk factors identified during fieldwork, and whether the original assessment still holds.
  6. If you don’t already have a separate working paper section for identified or suspected fraud, create one. It should capture the understanding obtained, the entity’s response, the engagement partner’s assessment of whether the matter is clearly inconsequential, and the determination on further procedures.

Common mistakes to watch for

  • The AFM’s January 2025 fraud review found that auditors perform “standard procedures” without adapting their nature, timing, and extent to the specific fraud risk. ISA 240 (Revised)’s enhanced documentation requirements are designed to force that specificity. Documenting the risk without documenting why your planned procedures address that specific risk is the most likely failure point.
  • In its 2023 fraud risk analysis review, the AFM found that teams frequently failed to recognise the presumed fraud risk in revenue recognition. Under the revised standard, the documentation bar for rebutting that presumption is higher. Rebuttal without a specific rationale tied to the entity’s circumstances will be a finding.

Frequently asked questions

What is the difference between documenting “significant decisions” and “matters discussed”?

Under extant ISA 240, you document the “significant decisions” reached during the engagement team discussion on fraud, which in practice often means just the conclusion. ISA 240 (Revised) requires you to document the “matters discussed,” which means capturing the substance of the conversation: which fraud risk factors the team considered, why certain factors were assessed as giving rise (or not) to identified fraud risks, and the reasoning behind the team’s assessment of how fraud could occur.

What new documentation does ISA 240 Revised require?

ISA 240 (Revised) adds documentation requirements in four areas: the key elements of your understanding of the entity obtained through the fraud lens, the sources of information and risk assessment procedures performed, the rationale for significant professional judgements when identifying and assessing fraud risks, and the results of procedures performed when fraud or suspected fraud is identified. It also adds a fraud-specific stand-back requirement that must be documented at completion.

How does the fraud-specific stand-back differ from the ISA 330 stand-back?

The ISA 330 stand-back evaluates overall audit evidence. The ISA 240 fraud-specific stand-back requires you to look at your fraud risk assessments and fraud-specific responses as a distinct evaluation. It must list each fraud risk identified at planning, the responses designed, the evidence obtained, any new fraud risk factors identified during fieldwork, and your evaluation of whether the original risk assessment still holds.

Do I need to document the entity’s whistleblower programme?

Yes. ISA 240 (Revised) requires you to document your understanding of the entity’s whistleblower programme or other mechanisms for reporting fraud. If the entity has no such programme, you must document that fact and consider what it tells you about the control environment. The absence of a whistleblower programme is itself a relevant finding.

What is the “clearly inconsequential” threshold for identified fraud?

When fraud or suspected fraud is identified, the engagement partner may determine the matter is “clearly inconsequential” after obtaining a sufficient understanding. If so, no further procedures are required, but the determination itself must be documented. For anything above that threshold, the engagement partner must determine whether to perform additional risk assessment or further audit procedures, and that determination goes in the file.

Further reading and source references

  • IAASB: ISA 240 (Revised), The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements, approved March 2025, PIOB-certified July 2025.
  • ISA 315 (Revised 2019), Identifying and Assessing the Risks of Material Misstatement: the risk assessment framework the fraud lens integrates with.
  • ISA 330, The Auditor’s Responses to Assessed Risks: contains the general stand-back requirement that the fraud-specific stand-back builds upon.
  • AFM: Fraud Risk Analysis Review 2023 and January 2025 inspection report on fraud procedures at regular and PIE audit firms.
  • Fraud risk factors: Ciferi glossary entry covering ISA 240 Appendix 1 fraud risk factors with worked examples.