Key Takeaways

  • ISA 240 deals with the auditor's responsibilities for identifying and responding to risks of material misstatement due to fraud in an audit of financial statements. The auditor is not responsible for preventing fraud — but must obtain reasonable assurance that the financial statements are free from material misstatement, whether caused by fraud or error.
  • The standard distinguishes between fraud (intentional act involving deception for an unjust advantage) and error (unintentional mistake). The auditor's response to fraud risk must be fundamentally different from the response to error risk because fraud involves deliberate concealment.
  • Two types of fraud are relevant to the auditor: fraudulent financial reporting (manipulation of the financial statements) and misappropriation of assets (theft of entity assets).
  • The auditor must hold a team discussion about the susceptibility of the entity's financial statements to material misstatement due to fraud, including how and where fraud might occur.
  • ISA 240 establishes a presumption that revenue recognition involves fraud risk — this presumption can be rebutted, but only with documented justification.
  • The risk of management override of controls is always present and cannot be rebutted. ISA 240 requires three specific procedures in every audit: testing journal entries, reviewing accounting estimates for bias, and evaluating the business rationale of significant unusual transactions.
  • A revised ISA 240 was approved in 2025 (effective for periods beginning on or after 15 December 2026), introducing a "fraud lens" approach, stand-back requirements, and enhanced reporting for listed entities.

What is ISA 240?

ISA 240, titled "The Auditor's Responsibilities Relating to Fraud in an Audit of Financial Statements," is one of the most scrutinised standards in the ISA framework. It addresses the fundamental tension at the heart of audit: the public expects auditors to find fraud, yet the auditor's primary objective is to provide reasonable assurance on the financial statements — not to serve as a fraud investigator.

ISA 240 navigates this tension by requiring the auditor to:

  1. Maintain professional skepticism throughout the audit, recognising that fraud may exist regardless of the auditor's prior experience with the entity.
  2. Identify and assess the risks of material misstatement due to fraud.
  3. Obtain sufficient appropriate audit evidence regarding those assessed risks through designing and implementing appropriate responses.
  4. Respond appropriately when fraud or suspected fraud is identified.

The standard should be read alongside ISA 200 (professional skepticism), ISA 315 (risk assessment), ISA 330 (responses to assessed risks), and ISA 250 (laws and regulations). Together, these standards create the framework for the auditor's fraud-related responsibilities.

Fraud vs. Error: Why the Distinction Matters

ISA 240.2 makes a critical distinction:

Fraud is an intentional act by one or more individuals among management, those charged with governance, employees, or third parties, involving the use of deception to obtain an unjust or illegal advantage.

Error refers to an unintentional misstatement in financial statements, including the omission of an amount or a disclosure.

This distinction is not academic — it fundamentally changes the auditor's approach. Error is accidental and typically follows predictable patterns. Fraud is deliberate and specifically designed to evade detection. An auditor who applies the same level of skepticism and the same procedures to fraud risk as to error risk will miss fraud. ISA 240 exists precisely because fraud requires a heightened and different response.

The Two Types of Fraud

ISA 240 focuses on two types of fraud relevant to the auditor:

Fraudulent financial reporting

Intentional misstatements or omissions in the financial statements designed to deceive users. Examples include: manipulating or falsifying accounting records or supporting documents, misrepresenting or intentionally omitting events, transactions, or other significant information, and deliberately misapplying accounting principles relating to amounts, classification, presentation, or disclosure.

Fraudulent financial reporting often involves management override of controls and can include recording fictitious journal entries (particularly near period end), inappropriately adjusting assumptions used in accounting estimates, omitting or advancing/delaying recognition of events that have occurred during the reporting period, concealing facts that could affect amounts recorded, and engaging in complex transactions designed to misrepresent financial position or performance.

Misappropriation of assets

Theft of an entity's assets, which may be accomplished by embezzling receipts, stealing physical assets or intellectual property, causing the entity to pay for goods or services not received, or using the entity's assets for personal purposes. Misappropriation is often accompanied by false or misleading records to conceal the theft.

The Fraud Triangle

While ISA 240 does not use the term "fraud triangle" explicitly, its framework for identifying fraud risk factors (Appendix 1) is built around three conditions that are generally present when fraud occurs:

Incentive/Pressure. Management or employees have a reason to commit fraud — financial targets that must be met, personal financial difficulties, compensation structures tied to unrealistic performance metrics, or pressure from external stakeholders.

Opportunity. Circumstances allow fraud to occur — weak internal controls, inadequate oversight by those charged with governance, complex organisational structures, dominant management personalities without effective checks, or the nature of the industry or transactions.

Rationalisation/Attitude. Those involved in the fraud are able to justify their actions — "I'm only borrowing the money," "the company owes me," "everyone does it," or a culture that tolerates aggressive accounting.

Using the fraud triangle in practice

The fraud triangle is not just a theoretical framework — it is a practical risk assessment tool. During the team discussion required by ISA 240.15, work through each element for the specific entity: What pressures does management face? Where are the opportunities for override or concealment? What is the tone at the top? Entities where all three conditions are strongly present represent high fraud risk, regardless of the auditor's prior positive experience. Prior years without fraud findings do not reduce the risk — they may simply mean the fraud has not yet been detected.

Required Procedures

The team discussion

ISA 240.15 requires the engagement team to discuss the susceptibility of the entity's financial statements to material misstatement due to fraud. This discussion must include:

  • How and where the financial statements might be susceptible to fraud, including how fraud could occur.
  • Known external and internal fraud risk factors.
  • How an element of unpredictability can be incorporated into the audit procedures.
  • Which audit procedures might be used to respond to the fraud risks.

The discussion must involve the engagement partner and should include key members of the engagement team. For entities with multiple locations or business components, discussions may be needed at different levels. The discussion should occur during planning but must be revisited as the audit progresses and new information emerges.

Risk assessment procedures

ISA 240.16–24 requires specific risk assessment procedures:

Inquiries of management regarding their assessment of fraud risk, their processes for identifying and responding to fraud risks, their communications with those charged with governance about fraud, and their communications with employees about ethical conduct and business practices.

Inquiries of those charged with governance about their oversight of management's fraud risk identification and response processes, and whether they are aware of any actual, suspected, or alleged fraud.

Inquiries of others within the entity where appropriate — including operating personnel, in-house legal counsel, the chief ethics officer, and internal audit.

Consideration of unusual or unexpected relationships identified through analytical procedures performed during planning.

Consideration of other information — including fraud risk factors, the results of engagement acceptance procedures, and information from the entity's interim financial statements.

The presumed risks

ISA 240 establishes two critical presumptions:

Revenue recognition involves fraud risk. ISA 240.26 requires the auditor to presume that there are risks of material misstatement due to fraud relating to revenue recognition. This presumption can be rebutted — but only if the auditor documents the specific reasons why revenue recognition is not a fraud risk for the particular engagement. In practice, rebuttal is relatively rare and must be well-justified.

Management override of controls is always a risk. ISA 240.31 states that regardless of the auditor's assessment of the risks of management override, the auditor must design and perform procedures to test for it. This risk cannot be rebutted — management, by definition, has the ability to override the controls it has established.

Mandatory procedures for management override

ISA 240.32–34 requires three specific procedures on every audit:

Procedure 1: Testing journal entries and adjustments
  What it involves: Selecting journal entries and other adjustments made at the end of the reporting period, and testing the appropriateness of those entries. Must include entries posted directly to the financial statements (e.g., consolidation adjustments).
  Why it matters: Fictitious journal entries are the most common mechanism for fraudulent financial reporting. End-of-period entries are particularly susceptible.

Procedure 2: Reviewing accounting estimates for bias
  What it involves: Reviewing management's judgments and assumptions in significant accounting estimates for indications of management bias. Must include a retrospective review of prior-year estimates.
  Why it matters: Biased estimates (consistently aggressive or conservative) can indicate systematic manipulation of reported results.

Procedure 3: Evaluating the business rationale of significant unusual transactions
  What it involves: For significant transactions outside the normal course of business, or that otherwise appear unusual, evaluating whether the business rationale suggests they may have been entered into to engage in fraudulent reporting or to conceal misappropriation.
  Why it matters: Complex or unusual transactions with no clear business purpose may be designed to create a misleading financial picture.
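As an added illustration, not taken from ISA 240 or from the page's author, the following Python sketch applies the first two management-override procedures to a constructed ledger and a constructed set of prior-year estimates: it selects period-end, post-closing and top-side entries for appropriateness testing, and performs a retrospective comparison of prior-year estimates with their actual outcomes to flag differences that all run in the same direction. The seven-day window, the source labels, the entry identifiers and every amount are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class JournalEntry:
    entry_id: str
    posted: date
    source: str        # assumed labels: "subledger", "manual" or "topside"
    description: str
    amount: float


@dataclass(frozen=True)
class EstimateOutcome:
    name: str
    prior_year_estimate: float   # amount provided for at the prior year end
    actual_outcome: float        # amount actually realised in the current year


# Assumed reporting date for the constructed sample.
PERIOD_END = date(2024, 12, 31)

# Constructed sample ledger (invented for illustration, not real data).
SAMPLE_ENTRIES = [
    JournalEntry("JE-001", date(2024, 11, 3), "subledger", "Sales invoice batch", 48200.00),
    JournalEntry("JE-002", date(2024, 12, 29), "manual", "Revenue accrual", 150000.00),
    JournalEntry("JE-003", date(2024, 12, 31), "manual", "Inventory reserve release", 75000.00),
    JournalEntry("JE-004", date(2025, 1, 6), "topside", "Consolidation elimination", 220000.00),
    JournalEntry("JE-005", date(2024, 10, 15), "subledger", "Payroll", 91000.00),
    JournalEntry("JE-006", date(2024, 12, 30), "subledger", "Purchase invoice batch", 12400.00),
]

# Constructed prior-year estimates and how they turned out (invented values).
SAMPLE_ESTIMATES = [
    EstimateOutcome("Warranty provision", 120000.0, 95000.0),
    EstimateOutcome("Bad debt allowance", 80000.0, 60000.0),
    EstimateOutcome("Inventory obsolescence reserve", 50000.0, 38000.0),
]


def select_journal_entries(entries, period_end, window_days=7):
    """Return {entry_id: [reasons]} for entries the auditor should test.

    Two selection criteria, both drawn from the procedure described above:
    entries made at (or shortly after) the end of the reporting period, and
    entries posted directly to the financial statements (top-side entries).
    The window length is an assumption, not something ISA 240 prescribes.
    """
    window_start = period_end - timedelta(days=window_days)
    selected = {}
    for entry in entries:
        reasons = []
        if window_start <= entry.posted <= period_end:
            reasons.append("period-end")
        elif entry.posted > period_end:
            reasons.append("post-closing")      # adjustments booked after the date
        if entry.source == "topside":
            reasons.append("top-side")          # posted outside the subledgers
        if reasons:
            selected[entry.entry_id] = reasons
    return selected


def retrospective_review(estimates):
    """Compare each prior-year estimate with its actual outcome.

    Individual differences are expected; estimates are judgments. What the
    review looks for is a pattern: every estimate missing in the same
    direction is an indicator of possible management bias that warrants
    follow-up, not proof of manipulation on its own.
    """
    differences = {e.name: e.prior_year_estimate - e.actual_outcome for e in estimates}
    signs = {(d > 0) - (d < 0) for d in differences.values() if d != 0}
    one_directional = len(differences) > 1 and len(signs) == 1
    direction = None
    if one_directional:
        direction = "over-estimated" if signs == {1} else "under-estimated"
    return {
        "differences": differences,
        "one_directional": one_directional,
        "direction": direction,
    }


if __name__ == "__main__":
    for entry_id, reasons in select_journal_entries(SAMPLE_ENTRIES, PERIOD_END).items():
        print(f"{entry_id}: selected for testing ({', '.join(reasons)})")
    review = retrospective_review(SAMPLE_ESTIMATES)
    for name, delta in review["differences"].items():
        print(f"{name}: estimate minus outcome = {delta:,.0f}")
    if review["one_directional"]:
        print(f"All estimates {review['direction']}: consider management bias")
```

On the constructed data the selection picks up the two manual entries in the last days of December, the subledger batch posted on 30 December, and the January consolidation entry, while the October and early-November entries fall outside both criteria. The retrospective review finds every provision over-estimated, which is the kind of consistently conservative pattern the second procedure is meant to surface for further inquiry.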

Responding to Identified Fraud Risks

Overall responses

ISA 240.28–30 requires the auditor to determine overall responses to address the assessed risks of material misstatement due to fraud at the financial statement level. These may include:

  • Assigning more experienced or specialised personnel to the engagement.
  • Evaluating whether the entity's selection of accounting policies may indicate fraudulent financial reporting.
  • Incorporating an element of unpredictability in the selection of audit procedures — performing procedures that the entity does not expect, varying the timing of procedures, using different sampling methods, or performing procedures at different locations.

Specific responses

At the assertion level, ISA 240.30 requires the auditor to design and perform further audit procedures whose nature, timing, and extent are responsive to the assessed fraud risks. This may involve changing the nature of procedures (performing more physical observation, requesting external confirmations), performing procedures at the period end rather than at an interim date, or increasing sample sizes.

When Fraud Is Identified or Suspected

Communication requirements

ISA 240.40–43 establishes communication obligations when the auditor identifies or suspects fraud:

To management — on a timely basis, unless the fraud involves management, in which case communication should be directed to those charged with governance.

To those charged with governance — the auditor must communicate any fraud involving management, fraud involving employees with significant roles in internal control, and any other fraud that results in a material misstatement. The auditor should also consider communicating any other fraud that comes to their attention.

To regulatory authorities — the auditor must determine whether there is an obligation to report fraud to parties outside the entity. In many European jurisdictions, specific reporting obligations exist: in the Netherlands under the Wwft (anti-money laundering), in Germany through WPO provisions, and in the UK under the Proceeds of Crime Act 2002 and the Money Laundering Regulations.

Documentation requirements

ISA 240.44–47 requires documentation of:

  • The team discussion about fraud susceptibility.
  • The identified and assessed risks of material misstatement due to fraud at both the financial statement and assertion level.
  • The overall responses to fraud risks.
  • The results of procedures performed to address management override.
  • Communications about fraud to management, those charged with governance, and regulators.
  • The reasons for any rebuttal of the presumed revenue recognition fraud risk.

The Revised ISA 240 (2025)

The IAASB approved ISA 240 (Revised) in 2025, effective for audits of financial statements for periods beginning on or after 15 December 2026. Key enhancements include:

The "fraud lens" approach. The revised standard is designed to be applied in an integrated manner with other ISAs, applying a fraud perspective across the entire audit rather than treating fraud as a standalone consideration.

Stand-back requirement. Before concluding the engagement, auditors must perform a holistic evaluation of whether their fraud risk assessments and responses remain appropriate in light of all evidence obtained during the audit.

Enhanced reporting for listed entities. The revised standard strengthens requirements for communicating fraud-related matters as Key Audit Matters (KAMs) under ISA 701.

Technology guidance. New application material addresses how entities may use technology to facilitate fraud and how auditors can use automated tools for fraud risk assessment and testing.

Alignment with ISA 570 (Revised 2024). Recognising that fraud and financial distress often co-occur, the revised standard explicitly connects fraud risk assessment with going concern evaluation.

Firms should begin implementation planning now, as the changes require updates to audit methodologies, team training, and documentation templates.

ISA 240 in Your Jurisdiction

Netherlands. COS 240 follows ISA 240 closely. Dutch auditors face additional fraud-related obligations under the Wwft (Wet ter voorkoming van witwassen en financieren van terrorisme), which requires reporting of unusual transactions to the FIU-Nederland. The AFM's inspection focus consistently includes fraud risk assessment quality — particularly whether the team discussion was substantive, whether the revenue recognition presumption was properly evaluated, and whether journal entry testing was sufficiently rigorous.

Germany. IDW PS 210 adapts ISA 240 for the German context. German Wirtschaftsprüfer must also consider fraud-related reporting obligations under the GwG (Geldwäschegesetz — anti-money laundering law) and specific provisions of the HGB. The WPK's inspections examine whether fraud risk assessment is integrated into the overall risk assessment process rather than treated as a separate checklist exercise.

United Kingdom. ISA (UK) 240 was revised in 2021 ahead of the international standard, with the FRC introducing UK-specific enhancements including more explicit requirements for fraud risk identification and assessment. UK auditors also have obligations under the Proceeds of Crime Act 2002 and the Money Laundering Regulations 2017. The FRC's inspection findings have consistently highlighted fraud as a priority area — particularly the quality of the team discussion, the rigour of journal entry testing, and the adequacy of responses to identified fraud risks.

France. NEP 240 implements ISA 240 within the French statutory audit framework. French commissaires aux comptes have specific legal obligations regarding fraud detection under the Code de commerce, including the requirement to report criminal offences (révélation des faits délictueux) to the Procureur de la République. This is a significantly stronger reporting obligation than exists in many other European jurisdictions.

Frequently Asked Questions

Is the auditor responsible for detecting fraud?

The auditor is responsible for obtaining reasonable assurance that the financial statements are free from material misstatement, whether caused by fraud or error. This means the auditor must design and perform procedures to identify material fraud — but the standard acknowledges that fraud involves deliberate concealment and that even a properly conducted audit may not detect all material fraud. The responsibility for preventing and detecting fraud rests primarily with management and those charged with governance.

Can the auditor rebut the presumption that revenue recognition is a fraud risk?

Yes, but only with documented justification. The auditor must identify specific facts that support the conclusion that revenue recognition is not a fraud risk for the particular engagement. In practice, rebuttal is relatively uncommon and is most defensible for entities with very simple, predictable revenue streams (for example, a single-product entity with long-term fixed-price contracts).

Can the auditor rebut the risk of management override of controls?

No. The risk of management override is always present and cannot be rebutted. The three required procedures (journal entry testing, estimate bias review, and evaluation of significant unusual transactions) must be performed on every audit engagement.

What should the auditor do if they suspect fraud but cannot confirm it?

The auditor should discuss the matter with an appropriate level of management (unless management is suspected of involvement), consult with others within the firm, consider the implications for the audit, obtain additional evidence where possible, and consider whether to communicate the matter to those charged with governance and to regulatory authorities. The auditor must also consider whether the suspected fraud affects the auditor's ability to continue the engagement.

How does ISA 240 relate to anti-money laundering obligations?

ISA 240 addresses fraud in the context of the financial statement audit. Anti-money laundering obligations (such as the EU's Anti-Money Laundering Directives, the Netherlands' Wwft, or the UK's Proceeds of Crime Act) impose separate legal obligations on auditors to report suspicious transactions to financial intelligence units. These obligations operate independently of ISA 240 but may overlap — fraud identified during the audit may trigger AML reporting obligations.

Further Reading and Source References

  • IAASB Handbook 2024 — The authoritative source for the complete ISA 240 text, including all application material and appendices (fraud risk factors, examples of circumstances indicating possible fraud, examples of responses).
  • ISA 240 (Revised) — Approved July 2025, effective 15 December 2026 — introduces the fraud lens, stand-back requirement, and enhanced reporting.
  • ISA 315 (Revised 2019) — Identifying and Assessing the Risks of Material Misstatement — the standard that governs the risk assessment process ISA 240 builds upon.
  • ISA 330 — The Auditor's Responses to Assessed Risks — governs how the auditor designs procedures to respond to identified risks, including fraud risks.
  • ISA 701 — Communicating Key Audit Matters — relevant to fraud-related reporting in audits of listed entities.
  • IESBA Code of Ethics — Ethical requirements relating to fraud, including the NOCLAR provisions.