In 2024, Dutch firms identified more fraud risks than the year before (47% of PIE audits flagged more than two). The AFM’s response was not congratulations. It was a finding that follow-up on those identified risks remains “insufficiently specific and in-depth.” We see this pattern constantly in our own reviews: engagement teams fill in the fraud risk factor templates with more ticks than last year, copy the same response paragraphs they used on the prior engagement, and call it done. That is SALY (same as last year) with better narratives. Identifying fraud risk is the easy part. ISA 240 is about what you do after you tick the box.
ISA 240 requires the auditor to identify and respond to risks of material misstatement (RMM) due to fraud. It creates a presumed fraud risk in revenue recognition and mandates specific procedures for management override of controls, including journal entry testing and review of accounting estimates for bias. But the standard was written for a world where fraud looks like fraud. In practice, fraud looks like normal business, and that gap between the standard’s assumptions and what auditors actually face on engagements is where most inspection findings land.
Key takeaways
- ISA 240 deals with the auditor’s responsibilities for identifying and responding to RMM due to fraud in a FS audit. The auditor is not responsible for preventing fraud but must obtain reasonable assurance that the FS are free from material misstatement, whether caused by fraud or error.
- Fraud is an intentional act involving deception for an unjust advantage. Error is an unintentional mistake. The auditor’s response to fraud risk must differ fundamentally from the response to error risk because fraud involves deliberate concealment.
- Two types of fraud matter for the auditor: fraudulent financial reporting (manipulation of the FS) and misappropriation of assets (theft of entity assets).
- The engagement team must hold a fraud discussion about how and where the entity’s FS might be susceptible to material misstatement due to fraud.
- ISA 240 presumes that revenue recognition involves fraud risk. This presumption can be rebutted, but only with documented justification.
- Management override of controls is always a risk and cannot be rebutted. ISA 240 requires three specific procedures in every audit: testing journal entries, reviewing accounting estimates for bias, and evaluating the business rationale of significant unusual transactions. The revised standard adds a stand-back evaluation on top of these.
- A revised ISA 240 was approved in 2025 (effective for periods beginning on or after 15 December 2026), introducing a “fraud lens” approach, stand-back requirements, technology guidance, and enhanced reporting for listed entities.
- What is ISA 240?
- Fraud vs. error: why the distinction matters
- The two types of fraud
- The fraud triangle
- Required procedures
- Responding to identified fraud risks
- When fraud is identified or suspected
- The revised ISA 240 (2025)
- ISA 240 in your jurisdiction
- Frequently asked questions
What is ISA 240?
Every major audit failure of the last twenty years has involved fraud that the auditors did not catch. Not errors. Not differences in judgment. Fraud. And in each post-mortem, the question was the same: did the auditor do what ISA 240 required?
ISA 240, titled “The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements,” sits at the centre of this tension. The public expects auditors to find fraud. The standard itself says the auditor’s objective is reasonable assurance on the FS, not fraud investigation. Both things are true at the same time, and that is what makes ISA 240 so difficult to apply well.
In practice, ISA 240 requires the auditor to do four things:
- Maintain professional skepticism throughout the audit, recognising that fraud may exist regardless of prior experience with the entity.
- Identify and assess RMM due to fraud.
- Obtain sufficient appropriate audit evidence regarding those assessed risks through designing and implementing appropriate responses.
- Respond appropriately when fraud or suspected fraud is identified.
Read ISA 240 alongside ISA 315 (risk assessment), ISA 330 (responses to assessed risks), ISA 200 (professional skepticism), and ISA 250 (laws and regulations). Together, these standards create the framework for the auditor’s fraud-related responsibilities.
Fraud vs. error: why the distinction matters
Most audit procedures are built around error. You expect a misstatement, you look for it, you find it (or you don’t). Error is accidental and typically follows predictable patterns. Fraud is the opposite. It is an intentional act by one or more individuals among management, those charged with governance (TCWG), employees, or third parties, involving deception for an unjust or illegal advantage (ISA 240.2). Someone designed the misstatement specifically so you would not find it.
Error, by contrast, is an unintentional misstatement in the FS, including the omission of an amount or a disclosure.
We think this is where many engagement teams trip up. They apply the same procedures and the same level of skepticism to fraud risk as to error risk, because the working papers (WPs) look the same either way. But an auditor who tests journal entries the same way they test a bank reconciliation will miss fraud. ISA 240 exists because fraud requires a fundamentally different response, and that difference has to show up in your actual procedures, not just in the risk assessment narrative you write at planning.
The two types of fraud
ISA 240 focuses on two types of fraud relevant to the auditor.
Fraudulent financial reporting
This is the category that keeps engagement partners awake. Intentional misstatements or omissions in the FS, designed to deceive users. In practice, it means manipulating or falsifying accounting records, misrepresenting or intentionally omitting transactions or significant information, deliberately misapplying accounting principles, or some combination of all of these at once.
Fraudulent financial reporting often involves management override of controls. What does that actually look like? Recording fictitious journal entries near period end, inappropriately adjusting assumptions in accounting estimates, advancing or delaying recognition of events during the reporting period, and engaging in complex transactions designed to misrepresent financial position. The difficulty is that each of these activities, taken individually, can also be a legitimate management action. That ambiguity is what makes fraud detection so hard.
Misappropriation of assets
Theft of an entity’s assets. This may involve embezzling receipts, stealing physical assets or intellectual property, causing the entity to pay for goods or services not received, or using entity assets for personal purposes. Misappropriation is typically accompanied by false records to conceal the theft. In our experience, misappropriation is easier to detect than financial reporting fraud because the amounts tend to be smaller and the concealment less sophisticated, but it can still be material, particularly for smaller entities where one person controls multiple functions.
The fraud triangle
ISA 240 does not use the term “fraud triangle” explicitly, but its framework for identifying fraud risk factors (Appendix 1) is built around three conditions that are generally present when fraud occurs.
The first is incentive or pressure. Management or employees have a reason to commit fraud: financial targets that must be met, personal financial difficulties, compensation tied to unrealistic performance metrics, or pressure from external stakeholders. In our experience, the pressure element is the one most often documented superficially. Teams write “management has incentive to meet budget” on every engagement. That is true of every company. The useful question is: what specific pressure exists this year that did not exist last year?
The second is opportunity. Circumstances allow fraud to occur. Weak internal controls, inadequate oversight by TCWG, complex organisational structures, or a dominant management personality without effective checks. Opportunity is usually the element auditors assess most accurately, because it overlaps with the internal control work they are already doing.
The third is rationalisation or attitude. Those involved in the fraud justify their actions to themselves. “I’m only borrowing the money.” “The company owes me.” Or simply a culture that tolerates aggressive accounting. Rationalisation is the hardest element to observe from outside, which is why tone-at-the-top assessment matters so much and why it is so rarely done well.
Using the fraud triangle in practice
During the team discussion required by ISA 240.15, work through each element for the specific entity. What pressures does management face this year specifically? Where are the opportunities for override or concealment? What is the tone at the top? Entities where all three conditions are strongly present represent high fraud risk, regardless of how many clean years you have behind you. Prior years without fraud findings do not reduce the risk. They may simply mean the fraud has not yet been detected.
Required procedures
The team discussion
ISA 240.15 requires the engagement team to discuss how the entity’s FS might be susceptible to material misstatement due to fraud. The standard says this discussion must cover how and where fraud could occur, known external and internal fraud risk factors, how unpredictability can be built into audit procedures, and which procedures might respond to those risks.
What actually happens is that the discussion often takes place in fifteen minutes at the end of a planning meeting, with the engagement partner (EP) reading from last year’s memo while juniors nod. We have seen inspection findings on this point from the AFM, FRC, and WPK. The discussion must involve the EP and key team members. For multi-location entities, discussions may be needed at different levels. And it has to be revisited as the audit progresses, not just done once at planning and forgotten.
Risk assessment procedures
ISA 240.16–24 requires specific risk assessment procedures. These look straightforward on paper. In practice, most of them are harder than they appear.
Start with inquiries of management regarding their own assessment of fraud risk and their processes for identifying and responding to fraud risks. Ask about their communications with TCWG and with employees about ethical conduct. Then make inquiries of TCWG about their oversight of management’s fraud risk processes and whether they are aware of any actual, suspected, or alleged fraud.
Where appropriate, make inquiries of others within the entity (operating personnel, in-house legal counsel, the chief ethics officer, internal audit). Consider unusual or unexpected relationships identified through analytical procedures during planning, and consider other information such as fraud risk factors and engagement acceptance results.
Here is the honest difficulty: asking management whether they are committing fraud is inherently awkward, and the answers are almost always the same. “No, we are not aware of any fraud.” The value is not in the answer itself. It is in watching how they react, and in creating a documented record if something surfaces later.
The presumed risks
ISA 240 establishes two presumptions that drive most of the standard’s practical impact.
First, revenue recognition involves fraud risk (ISA 240.26). The auditor must presume that RMM due to fraud exist relating to revenue recognition. This presumption can be rebutted, but only with documented reasons specific to the engagement. In practice, rebuttal is uncommon and is most defensible for entities with very simple revenue streams (a single-product entity with long-term fixed-price contracts, for example). At firms like ours, we rebut on perhaps one in twenty engagements.
Second, management override of controls is always a risk (ISA 240.31). Regardless of the auditor’s risk assessment, the auditor must design and perform procedures to test for override. This risk cannot be rebutted. Management, by definition, can override the controls it established.
Mandatory procedures for management override
ISA 240.32–34 requires three specific procedures on every audit.
| Procedure | What It Involves | Why It Matters |
|---|---|---|
| Testing journal entries and adjustments | Selecting journal entries and other adjustments made at the end of the reporting period, and testing the appropriateness of those entries. Must include entries posted directly to the financial statements (e.g., consolidation adjustments). | Fictitious journal entries are the most common mechanism for fraudulent financial reporting. End-of-period entries are particularly susceptible. |
| Reviewing accounting estimates for bias | Reviewing management’s judgments and assumptions in significant accounting estimates for indications of management bias. Must include a retrospective review of prior-year estimates. | Biased estimates (consistently aggressive or conservative) can indicate systematic manipulation of reported results. |
| Evaluating the business rationale of significant unusual transactions | For significant transactions outside the normal course of business, or that otherwise appear unusual, evaluating whether the business rationale suggests they may have been entered into to engage in fraudulent reporting or to conceal misappropriation. | Complex or unusual transactions with no clear business purpose may be designed to create a misleading financial picture. |
Those are the requirements. What actually happens on many engagements is something closer to ticking and bashing: the team pulls the same journal entry population as last year, applies the same selection criteria, tests the same number of entries, and documents the same conclusion. The estimate bias review consists of a paragraph noting that estimates fell within an acceptable range. The unusual transactions evaluation says “none identified.” The procedures are performed. Whether they would actually catch override is a different question.
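The retrospective review in the second row of the table is the part most often reduced to a sentence saying estimates “fell within an acceptable range.” Range alone does not test for bias; direction does. The following is an added illustration, not code from the article or from any firm’s methodology: it compares each prior-year estimate with the outcome observed in the current year, classifies the miss by its effect on profit, and flags the population when every miss outside a tolerance points the same way. The 5% tolerance, the minimum count of three, and the sample figures are constructed assumptions, not thresholds ISA 240 prescribes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class EstimateOutcome:
    name: str
    # "asset": a higher estimate raises profit (e.g. capitalised costs)
    # "provision": a higher estimate lowers profit (e.g. warranty, bad debt allowance, write-downs)
    kind: str
    prior_year_estimate: float
    actual_outcome: float  # what the item turned out to cost / be worth


# Constructed sample population; not client data
PRIOR_YEAR_ESTIMATES = [
    EstimateOutcome("Warranty provision", "provision", 420_000.0, 610_000.0),
    EstimateOutcome("Bad debt allowance", "provision", 150_000.0, 205_000.0),
    EstimateOutcome("Inventory NRV write-down", "provision", 80_000.0, 135_000.0),
    EstimateOutcome("Capitalised development costs", "asset", 900_000.0, 875_000.0),
]


def relative_error(e: EstimateOutcome) -> float:
    """Signed error of the estimate relative to the realised outcome (positive = overstated)."""
    return (e.prior_year_estimate - e.actual_outcome) / e.actual_outcome


def profit_direction(e: EstimateOutcome, tolerance: float = 0.05) -> int:
    """+1 if the miss inflated prior-year profit, -1 if it depressed it, 0 if within tolerance.

    An overstated asset or an understated provision both push profit up, so the
    sign of the error is read against the kind of estimate.
    """
    err = relative_error(e)
    if abs(err) <= tolerance:
        return 0
    overstated = err > 0
    return 1 if (e.kind == "asset") == overstated else -1


def retrospective_review(estimates, tolerance: float = 0.05, min_count: int = 3) -> dict:
    """Flag possible management bias when all misses outside tolerance share one direction.

    `min_count` (assumed) avoids flagging a single large miss as a pattern.
    """
    directions = {e.name: profit_direction(e, tolerance) for e in estimates}
    nonzero = [d for d in directions.values() if d != 0]
    net = sum(nonzero)
    consistent = len(nonzero) >= min_count and abs(net) == len(nonzero)
    toward = "profit-increasing" if net > 0 else "profit-decreasing" if net < 0 else "none"
    return {"directions": directions, "net": net, "possible_bias": consistent, "toward": toward}


if __name__ == "__main__":
    result = retrospective_review(PRIOR_YEAR_ESTIMATES)
    for name, direction in result["directions"].items():
        print(f"{name:35s} {direction:+d}")
    print("possible bias:", result["possible_bias"], "toward", result["toward"])
```

On the constructed sample three of four estimates turned out worse for the entity than management had estimated, each in the direction that flattered prior-year profit, so the review flags the population. The point of the output is the consistency of direction, which is exactly what a “within acceptable range” paragraph never records.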
Worked example: journal entry testing that goes wrong
You are auditing a mid-size manufacturing entity. You pull all manual journal entries posted in the final two weeks of the reporting period, entries posted by senior management, and entries with round-number amounts above performance materiality (PM). Your initial selection gives you 47 entries. You test 15 and find nothing unusual. Then during substantive testing, a team member notices that a year-end revenue accrual of €380,000 was posted as an automated entry rather than a manual one, meaning it fell outside your journal entry selection criteria entirely. The accrual reverses in January and has no supporting contract. Your selection methodology missed the highest-risk entry on the file because you only looked at manual entries. This is the kind of complication ISA 240 is designed for but does not explicitly tell you how to solve. You need to go back, widen your selection criteria, re-evaluate whether the automated/manual distinction is meaningful for this entity, and document why.
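The selection gap in the worked example is easy to reproduce once the criteria are written down as code rather than as a paragraph. The block below is an added illustration, not code from the article or from any firm’s journal entry tool: it encodes the original manual-only criteria, a widened version that lets automated entries through when they carry their own risk indicators (revenue postings in the final window, or round amounts above PM), and a function that lists what the widening picks up, which is the record you need when you document why the criteria changed. The entry population, the PM of 250,000, the senior user ids and the revenue account code are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class JournalEntry:
    entry_id: str
    posted: date
    posted_by: str
    source: str        # "manual" or "automated"
    account: str       # general ledger account code
    amount: float
    description: str


# Engagement parameters (assumed values for the example)
PERIOD_END = date(2024, 12, 31)
FINAL_WINDOW = timedelta(days=14)          # the "final two weeks" in the worked example
PERFORMANCE_MATERIALITY = 250_000.0        # PM, assumed
SENIOR_USERS = {"cfo", "controller"}       # user ids treated as senior management, assumed
REVENUE_ACCOUNTS = {"4000"}                # revenue account codes, assumed chart of accounts

# Constructed sample population; not client data. JE-003 is the automated
# year-end revenue accrual from the worked example.
ENTRIES = [
    JournalEntry("JE-001", date(2024, 12, 30), "controller", "manual", "6100", 12_500.00, "Bonus accrual"),
    JournalEntry("JE-002", date(2024, 11, 15), "cfo", "manual", "7200", 50_000.00, "Reclass of consulting fees"),
    JournalEntry("JE-003", date(2024, 12, 31), "system", "automated", "4000", 380_000.00, "Year-end revenue accrual"),
    JournalEntry("JE-004", date(2024, 10, 2), "ap_clerk", "manual", "2000", 300_000.00, "Supplier settlement"),
    JournalEntry("JE-005", date(2024, 12, 31), "system", "automated", "1200", 41_337.21, "Monthly depreciation"),
    JournalEntry("JE-006", date(2024, 6, 10), "ar_clerk", "manual", "4000", 8_750.00, "Credit note"),
]


def in_final_window(e: JournalEntry) -> bool:
    return e.posted > PERIOD_END - FINAL_WINDOW


def is_round_above_pm(e: JournalEntry) -> bool:
    """Round-number heuristic: whole thousands above performance materiality."""
    return abs(e.amount) % 1_000 == 0 and abs(e.amount) > PERFORMANCE_MATERIALITY


def original_criteria(e: JournalEntry) -> bool:
    """Selection as described in the worked example: manual entries only."""
    if e.source != "manual":
        return False
    return in_final_window(e) or e.posted_by in SENIOR_USERS or is_round_above_pm(e)


def widened_criteria(e: JournalEntry) -> bool:
    """Original tests, plus automated entries with their own risk indicators.

    Routine automated postings (depreciation, recurring allocations) are not
    swept in wholesale; an automated entry is selected when it hits a revenue
    account inside the final window or is a round amount above PM.
    """
    if original_criteria(e):
        return True
    if e.source == "automated":
        revenue_late = e.account in REVENUE_ACCOUNTS and in_final_window(e)
        return revenue_late or is_round_above_pm(e)
    return False


def select(entries, criteria):
    return [e for e in entries if criteria(e)]


def selection_gap(entries):
    """Entry ids the widened criteria pick up that the original criteria missed."""
    original_ids = {e.entry_id for e in select(entries, original_criteria)}
    return [e.entry_id for e in select(entries, widened_criteria) if e.entry_id not in original_ids]


if __name__ == "__main__":
    print("original selection:", [e.entry_id for e in select(ENTRIES, original_criteria)])
    print("widened selection: ", [e.entry_id for e in select(ENTRIES, widened_criteria)])
    print("missed by original:", selection_gap(ENTRIES))
```

Run against the sample, the original criteria select three manual entries and never see JE-003; the widened criteria add it while still leaving the routine depreciation posting out. The `selection_gap` output is what goes in the file next to the explanation of why the manual/automated distinction was not a safe filter for this entity.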
Responding to identified fraud risks
Overall responses
ISA 240.28–30 requires the auditor to determine overall responses to the assessed RMM due to fraud at the FS level. These may include assigning more experienced personnel to the engagement, evaluating whether the entity’s accounting policy choices may indicate fraudulent financial reporting, and incorporating unpredictability into procedure selection (performing procedures the entity does not expect, varying timing, using different sampling methods, performing procedures at different locations).
Unpredictability is the one element that genuinely changes behaviour, because it is the only element the client cannot prepare for. I think most firms underinvest in unpredictability because it is difficult to standardise in methodology templates. You cannot have a standard unpredictability procedure. That is a contradiction. But you can build unpredictability into your planning by deliberately choosing one or two procedures each year that differ from the prior year approach.
Specific responses
At the assertion level, ISA 240.30 requires the auditor to design further audit procedures whose nature, timing, and extent respond to the assessed fraud risks. This may involve changing the nature of procedures (performing more physical observation, requesting external confirmations) or performing procedures at period end rather than at interim.
There is a legitimate disagreement in practice about whether increasing sample sizes is an effective fraud response at all. One view holds that larger samples increase the probability of catching a fraudulent item. The other view, which we tend to agree with, is that fraud is usually concentrated in a small number of high-value entries that a targeted selection would catch regardless of sample size, while a random sample of 60 entries instead of 40 mostly adds cost without meaningfully improving the chance of detection. The better response is usually to change the nature or timing of the procedure, not the extent.
When fraud is identified or suspected
Communication requirements
ISA 240.40–43 establishes communication obligations when the auditor identifies or suspects fraud. Who you tell, and when, depends on who is involved.
Communicate to management on a timely basis, unless management itself is suspected of involvement. In that case, direct the communication to TCWG instead.
Communicate to TCWG any fraud involving management and any fraud involving employees with significant roles in internal control. Also communicate any other fraud resulting in a material misstatement. Consider communicating any other fraud that comes to your attention, even if immaterial.
Determine whether there is an obligation to report to regulatory authorities outside the entity. In many European jurisdictions, specific reporting obligations exist: in the Netherlands under the Wwft, in Germany through GwG provisions, and in the UK under the Proceeds of Crime Act 2002 and the Money Laundering Regulations. These obligations operate independently of ISA 240 and may have different materiality thresholds (often none at all).
Documentation requirements
ISA 240.44–47 requires documentation of the team discussion about fraud susceptibility, the identified and assessed RMM due to fraud at both the FS and assertion level, the overall responses to fraud risks, the results of procedures performed to address management override, communications about fraud made to management or TCWG or regulators, and the reasons for any rebuttal of the presumed revenue recognition fraud risk. That is a long list. In our experience, the documentation gap most often flagged by inspectors is the link between identified fraud risks and the specific procedures designed to respond to them. Teams document the risks. They document the procedures. They do not always document why procedure X responds to risk Y.
The revised ISA 240 (2025)
The IAASB approved ISA 240 (Revised) in 2025, effective for audits of FS for periods beginning on or after 15 December 2026. The revision responds to a decade of criticism that the original standard did not go far enough. Whether the revision actually fixes the problem is debatable, but it does raise the bar in several areas.
The “fraud lens” approach requires auditors to apply a fraud perspective across the entire audit rather than treating fraud as a standalone section of the audit file. In principle, this means fraud thinking should influence risk assessment, substantive testing, completion, and reporting. In practice, it will depend on whether firms build the fraud lens into their methodology or treat it as an additional overlay.
A new stand-back requirement asks auditors, before concluding the engagement, to perform an overall evaluation of whether their fraud risk assessments and responses remain appropriate in light of all evidence obtained. This is the revision’s most operationally significant change, because it forces a documented second look at a point in the audit when teams are under the most time pressure.
Enhanced reporting for listed entities strengthens requirements for communicating fraud-related matters as Key Audit Matters (KAMs) under ISA 701. New technology guidance addresses how entities may use technology to facilitate fraud and how auditors can use automated tools for fraud risk assessment. And the revision explicitly connects fraud risk assessment with going concern evaluation under ISA 570 (Revised 2024), recognising that fraud and financial distress often co-occur.
Firms should begin implementation planning now. The changes require updates to audit methodologies, team training, documentation templates, and quality review checklists. The second-order effect is that the stand-back requirement will generate more late-stage findings, which means more pressure on engagement timelines during the first year of adoption.
ISA 240 in your jurisdiction
In the Netherlands, COS 240 follows ISA 240 closely. Dutch auditors face additional fraud obligations under the Wwft (Wet ter voorkoming van witwassen en financieren van terrorisme), which requires reporting of unusual transactions to the FIU-Nederland. The AFM’s inspection focus consistently includes fraud risk assessment quality, particularly whether the team discussion was substantive, whether the revenue recognition presumption was properly evaluated, and whether journal entry testing was sufficiently rigorous.
In Germany, IDW PS 210 adapts ISA 240 for the German context. German Wirtschaftsprüfer must also consider fraud-related reporting obligations under the GwG (Geldwäschegesetz) and specific provisions of the HGB. The WPK’s inspections examine whether fraud risk assessment is integrated into the overall risk assessment process rather than treated as a separate checklist exercise.
In the United Kingdom, ISA (UK) 240 was revised in 2021 ahead of the international standard, with the FRC introducing UK-specific enhancements including more explicit requirements for fraud risk identification and assessment. UK auditors also have obligations under the Proceeds of Crime Act 2002 and the Money Laundering Regulations 2017. The FRC’s inspection findings consistently highlight fraud as a priority area, particularly the quality of the team discussion, the rigour of journal entry testing, and the adequacy of responses to identified fraud risks.
In France, NEP 240 implements ISA 240 within the French statutory audit framework. French commissaires aux comptes have specific legal obligations regarding fraud detection under the Code de commerce, including the requirement to report criminal offences (révélation des faits délictueux) to the Procureur de la République. This is a significantly stronger reporting obligation than exists in most other European jurisdictions.
Frequently asked questions
Is the auditor responsible for detecting fraud?
The auditor is responsible for obtaining reasonable assurance that the FS are free from material misstatement, whether caused by fraud or error. This means the auditor must design and perform procedures to identify material fraud. But the standard acknowledges that fraud involves deliberate concealment and that even a properly conducted audit may not detect all material fraud. The responsibility for preventing and detecting fraud rests primarily with management and TCWG.
Can the auditor rebut the presumption that revenue recognition is a fraud risk?
Yes, but only with documented justification. The auditor must identify specific facts supporting the conclusion that revenue recognition is not a fraud risk for this particular engagement. Rebuttal is uncommon in practice and is most defensible for entities with very simple, predictable revenue streams (a single-product entity with long-term fixed-price contracts, for example).
Can the auditor rebut the risk of management override of controls?
No. Never. Management override is always present and cannot be rebutted. The three required procedures (journal entry testing, estimate bias review, evaluation of significant unusual transactions) must be performed on every audit engagement regardless of your assessment of the entity.
What should the auditor do if they suspect fraud but cannot confirm it?
Discuss the matter with an appropriate level of management (unless management is suspected of involvement), consult with others within the firm, consider the implications for the audit, obtain additional evidence where possible, and consider whether to communicate the matter to TCWG and to regulatory authorities. The auditor must also consider whether the suspected fraud affects their ability to continue the engagement. This is one of the most stressful situations in audit, and the standard gives you a process but not a clear answer, because the answer depends on the facts.
How does ISA 240 relate to anti-money laundering obligations?
ISA 240 addresses fraud in the context of the FS audit. Anti-money laundering obligations (the EU’s Anti-Money Laundering Directives, the Netherlands’ Wwft, the UK’s Proceeds of Crime Act) impose separate legal obligations on auditors to report suspicious transactions to financial intelligence units. These obligations operate independently of ISA 240 but may overlap. Fraud identified during the audit may trigger AML reporting obligations.
Further reading and source references
- IAASB Handbook 2024, ISA 240 full text. The authoritative source including all application material and appendices (fraud risk factors, examples of circumstances indicating possible fraud, examples of responses).
- ISA 240 (Revised). Approved July 2025, effective 15 December 2026. Introduces the fraud lens, stand-back requirement, technology guidance, and enhanced reporting.
- ISA 315 (Revised 2019). Identifying and Assessing the Risks of Material Misstatement. The standard that governs the risk assessment process ISA 240 builds upon.
- ISA 330. The Auditor’s Responses to Assessed Risks. Governs how the auditor designs procedures to respond to identified risks, including fraud risks.
- ISA 701. Communicating Key Audit Matters. Relevant to fraud-related reporting in audits of listed entities.
- IESBA Code of Ethics. Ethical requirements relating to fraud, including the NOCLAR provisions.
This guide reflects the ISA 240 text as published in the IAASB 2024 Handbook, with reference to the approved ISA 240 (Revised) effective for periods beginning on or after 15 December 2026. National implementations may include additional requirements. Always consult the applicable national standard alongside the international text. This content is for educational purposes and does not constitute legal or professional advice.
If you’re building a fraud risk file from scratch, the ISA 240 Fraud Risk Assessment Pack gives you the full assessment structure in one workbook. Risk factors, response linkage, journal entry selection criteria, and management override procedures are cross-referenced to the specific ISA 240 paragraphs. Open the file, fill in the engagement details, and the cross-references are already built.