The AFM reviewed 32 statutory audits in 2024 and found deficient fraud-response procedures in 17 of 20 files at non-PIE firms. Not in template design. In execution. The teams had the right checklists. They didn’t change how they worked. The AFM wrote that the teams “did not specifically adapt procedures to the identified fraud risks.” In plain terms: SALY with better narratives. Same standard fraud procedures as every year, same template responses, new font on the cover. ISA 240 (Revised) is built to close exactly that gap, and when we first updated our own templates for it, the biggest surprise was not the new requirements. It was how much of the existing file structure had to change to carry the fraud lens the revised standard runs through every stage of the audit.
ISA 240 (Revised), approved by the IAASB in March 2025 and effective for periods beginning on or after 15 December 2026, removes the principle that auditors may accept records as genuine, introduces a fraud-specific stand-back, expands third-party fraud coverage, and requires fraud-related key audit matters (KAMs) where ISA 701 applies.
What you’ll learn
- What the seven headline changes actually mean for your files, with specific paragraph references and before/after comparisons
- How to restructure your fraud risk assessment to satisfy the “fraud lens” aligned with ISA 315 (Revised 2019)
- What the engagement team discussion now needs to cover under paragraph 29, and why the old single-paragraph note won’t pass
- How the fraud stand-back at completion affects your file sign-off process (and why it’s harder than it sounds)
The guide is organised as follows:
- The genuineness deletion: what it means in practice
- Professional scepticism without the safety net
- The fraud lens on risk assessment
- Responding to fraud or suspected fraud
- The fraud stand-back at completion
- Transparency in the auditor’s report
- Worked example: before and after
- Implementation checklist
- Common mistakes during transition
- Frequently asked questions
This guide covers what changed in ISA 240 (Revised) and what your files need to look like under the new standard. It does not cover forensic investigation techniques or the detailed ISA 315 risk assessment methodology. For the risk assessment side, see our ISA 315 guide.
The genuineness deletion: what it means in practice
Under extant ISA 240.A8 (and ISA 200.A47), auditors could accept records and documents as genuine unless they had reason to believe otherwise. ISA 240 (Revised) removes this principle entirely from the fraud context. The principle stays in ISA 200 for general audit purposes, but stripping it from ISA 240 sends a clear message: in a fraud context, the starting point is no longer trust.
This is the single biggest practical change. Not because it adds a new procedure. Because it changes the default.
This doesn’t mean you treat every document as fraudulent. It doesn’t mean you verify the ink on every invoice. It means the starting assumption flipped. Previously, you only investigated when you believed a record was not genuine. Now you investigate when conditions suggest a record may not be authentic or may have been altered. The threshold shifted from belief to conditions. That sounds subtle. In practice, it means your file needs to explain what conditions you considered and why you concluded authenticity was not in question, not simply state that no red flag appeared.
For files where you’ve been documenting “no conditions identified to suggest records are not genuine” as your standard fraud response, that language will need to change. Your fraud risk assessment WPs will need to show the conditions you evaluated. If you’re already using our ISA 240 fraud risk pack, the revised templates handle this. If you’re working from your own templates, build the conditions assessment into your fraud risk section now, not next year when you’re rolling forward the PY file under pressure.
Professional scepticism without the safety net
Here’s the problem the IAASB was trying to solve: the longer you audit a client, the more you trust them, and the less sceptical you become. The extant standard made this worse by framing the requirement as maintaining scepticism “notwithstanding the auditor’s past experience of the honesty and integrity of the entity’s management and those charged with governance (TCWG)”, a reference that in practice invited auditors to lean on that experience. ISA 240 (Revised) deletes the reference.
The IAASB concluded that referencing past experience of management’s honesty directly undermined professional scepticism. The revised standard requires what the IAASB called a “fresh pair of eyes” on every engagement. A continuing engagement with a long-standing client doesn’t reduce the requirement. If anything, familiarity creates its own bias risk, and the application material now acknowledges this explicitly.
In practice, this is the change that will feel most uncomfortable. We’ve seen it on 10-year engagements where the engagement partner (EP) genuinely trusts management. That trust isn’t wrong. But documenting it as the basis for your scepticism assessment is now explicitly prohibited. Your file needs to show scepticism applied through procedures, not satisfied through familiarity. Nobody enjoys being the one who has to push back on a CFO they’ve worked with for a decade, but that’s the moment the revised standard is built around.
ISA 240 (Revised) also introduces an ongoing alertness requirement: remain alert throughout the audit for information indicative of fraud or suspected fraud. The application material emphasises this includes the final stages, when time pressure to complete is highest. The AFM’s 2025 inspection report concentrated on exactly that stage: deficient fraud-response procedures in 17 of 20 files at non-PIE firms and 6 of 12 at PIE firms.
The fraud lens on risk assessment
The largest structural change is the integration of a “fraud lens” across the entire risk identification and assessment process, anchored to ISA 315 (Revised 2019). Under the extant standard, fraud risk assessment ran in parallel with the general risk assessment. The revised standard weaves fraud considerations directly into the ISA 315 framework.
Specifically, ISA 240 (Revised) requires auditors to:
- Obtain an understanding of matters related to the entity and its environment that may increase susceptibility to management bias or other fraud risk factors (new requirement, no equivalent in the extant standard)
- Understand the entity’s internal controls relevant to fraud prevention and detection, including any whistleblower programme or other reporting mechanisms
- Determine whether identified control deficiencies are relevant to fraud prevention or detection
- Take fraud risk factors into account when identifying and assessing risks of material misstatement due to fraud, and determine whether those risks exist at the financial statement level or the assertion level
That’s a lot of requirements. In practice, most firms will need to add a fraud column or section to their ISA 315 risk assessment working paper. The fraud assessment can no longer live in a separate memo that nobody connects to the main risk matrix.
What the engagement team discussion needs to cover now
Paragraph 29 expands the team discussion to explicitly cover: how and where the financial statements (FS) are susceptible to fraud (including how fraud might be concealed), known fraud risk factors, how assets may be misappropriated by management or others, and how the team will maintain professional scepticism.
Under the extant standard, the discussion was required but the content was less prescribed. From the files we’ve reviewed, most team discussions under the old standard lasted about 15 minutes at the end of a planning meeting and produced a single-paragraph note. That won’t pass under the revised standard. A 15-minute ticking and bashing session where someone reads the template aloud and the team nods along is not what paragraph 29 describes. The discussion needs to be substantive, and the documentation needs to reflect that substance.
Management override and revenue recognition
Management override is now explicitly required to be assessed as a significant risk at the FS level. The extant standard didn’t specify the level, leaving room for inconsistency. You must also determine whether override gives rise to additional risks at the assertion level.
The revenue recognition presumption remains. But ISA 240 (Revised) strengthens it by requiring you to determine (taking fraud risk factors into account) which specific types of revenue, revenue transactions, or assertions give rise to the presumed risk. The application material now includes expanded examples of conditions where rebuttal is inappropriate: emerging industries, estimation uncertainty in revenue, contradictory evidence from risk assessment, or incentive structures creating pressure on reported figures.
The AFM’s 2024 review specifically flagged that firms frequently failed to recognise the presumed risk at the assertion level, and more broadly that files “presented an overly positive picture of the audit procedures performed.” In practice: the file described what the team planned to do, not what it actually did. Retaining the presumption without linking it to specific revenue streams or assertions won’t pass under the revised standard. It barely passes under the current one.
Responding to fraud or suspected fraud
ISA 240 (Revised) adds a new section on the auditor’s response when fraud or suspected fraud is identified, whether through audit procedures, external sources, management, or TCWG. The auditor must obtain an understanding of the matter and evaluate the entity’s response.
The “clearly inconsequential” threshold is new. For instances the auditor determines to be clearly inconsequential (after obtaining sufficient understanding), further consideration is not required. This is a scalability provision. A minor expense fraud by a junior employee doesn’t need the same response as revenue manipulation by the CFO.
For anything above clearly inconsequential, the engagement partner determines whether to perform additional risk assessment or further audit procedures. Qualitative materiality matters here: fraud by senior management is ordinarily qualitatively material regardless of amount, and intentional manipulation of KPIs may render a quantitatively immaterial misstatement qualitatively material.
Third-party fraud is now explicitly covered with application material and examples: related parties colluding with management, suppliers or customers creating fictitious transactions, service providers exploiting system access, and unknown third parties gaining unauthorised IT access. The definition of fraud hasn’t changed (it always included third parties), but the guidance is now much more specific about what to look for.
The fraud stand-back at completion
ISA 240 (Revised) introduces a fraud-specific stand-back, separate from the general stand-back in ISA 330. Near the end of the audit, you must evaluate whether the fraud risk assessment remains appropriate and whether you obtained sufficient evidence in response.
This is harder than it sounds.
The IFIAR comment letter on ED-240 argued the stand-back should use stronger language, suggesting “challenge, question and reconsider.” The final standard requires you to consider the cumulative effect of audit evidence obtained throughout the engagement. Evidence that wasn’t initially recognised as fraud-relevant (a pattern in journal entries, an inconsistency in management’s explanations, a change in accounting estimates, an unusual trend in non-financial data) must be reconsidered in light of the completed picture.
The practical difficulty is timing. The stand-back happens at completion. It’s 9pm on a Thursday. The team has been clearing review notes (RNs) for three days. The partner wants to sign tomorrow morning. The client’s FD has already told the board the audit is done. And this is the moment when the standard asks you to step back and genuinely reconsider whether you missed fraud. I’d estimate this will be the requirement that generates the most findings in the first inspection cycle, because it requires genuine reflection at the exact moment when every incentive points toward “just finish it.”
Transparency in the auditor’s report
Where ISA 701 applies (listed entities, plus PIEs and any other entities where law or regulation extends it), ISA 240 (Revised) introduces new requirements for fraud-related KAMs. The auditor must determine which fraud-related matters required significant attention and which were of most significance in the audit.
The application material is direct: fraud-related matters often require significant auditor attention, and because investors have specifically highlighted their interest, these are ordinarily of most significance. The practical effect: most auditor’s reports under ISA 701 will now include a fraud-related KAM unless the auditor can justify its absence.
For non-PIE audits in the Netherlands, ISA 701 doesn’t currently apply, so the KAM requirement has no immediate effect. But the auditor’s report for all audits gets updated language describing the auditor’s fraud responsibilities and procedures. Update your report template before the effective date.
Worked example: before and after on a real file
Scenario
Van Leeuwen Bouw B.V., a Dutch construction company. EUR 78M revenue, long-term contracts recognised under IFRS 15 using the input method, 14 active projects, and a new CFO who joined six months before year-end. Two major projects: Rijkswaterstaat infrastructure (EUR 22M) and Schiphol terminal renovation (EUR 18M).
How the file looks under extant ISA 240
1. Engagement team discussion. The file notes that “fraud risk was discussed including management override and the presumption of fraud in revenue recognition.”
What’s missing: no specifics on how fraud might be concealed, which revenue streams are at risk, or what the new CFO’s incentive structure means for bias risk.
2. Fraud risk assessment. Identifies management override and revenue recognition as risks. States: “No conditions identified to suggest records are not genuine.”
What’s missing: revenue recognition risk not linked to specific assertions or contract types. Genuineness addressed by absence of red flag rather than evaluation of conditions.
3. Journal entry testing. 25 entries selected at year-end based on amount. Substantive testing follows the same template as PY.
What’s missing: no documented rationale for excluding interim periods. No risk-based selection criteria. No consideration of automated extraction. The WPs are essentially a roll-forward with updated numbers.
4. Completion. Partner signs off. No fraud-specific stand-back.
How the file must look under ISA 240 (Revised)
1. Engagement team discussion (paragraph 29). Covers four specific areas: percentage-of-completion estimates on fixed-price contracts, timing of cost recognition on the two largest projects, new CFO’s incentive structure tied to EBITDA targets, and the opportunity created by the decentralised project accounting system. Documents how fraud could be concealed (premature cost deferral across project stages). Participants listed.
Documentation note: each susceptibility area linked to a specific fraud risk factor. Discussion was substantive, not a 15-minute add-on to the planning meeting.
2. Fraud risk assessment with fraud lens. Management bias susceptibility assessed in the context of the new CFO’s first full-year results. Whistleblower programme status documented (Van Leeuwen has no formal programme; noted as a control environment weakness). Revenue recognition presumption retained with specific identification that the input method on fixed-price contracts creates assertion-level risk in accuracy and cut-off. Management override assessed as significant risk at the FS level with additional assertion-level risks in construction contract estimates.
Documentation note: fraud risk factors mapped to specific inherent risk and control risk assessments. Absence of whistleblower programme linked to opportunity factor. No genuineness presumption relied upon.
3. Journal entry testing. Full population extracted automatically. Entries selected using risk-based criteria: manual entries above EUR 50K, entries posted by the CFO or financial controller, entries to revenue or WIP accounts outside normal patterns, and weekend postings. Testing covers both year-end and interim periods. Rationale documented.
Documentation note: selection criteria linked to identified fraud risk factors. Automated tools used and documented.
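The selection criteria in item 3 are concrete enough to be mechanised, and in a file that relies on automated extraction the extraction itself should be checked before anything is selected from it. The block below is an added example, not a tool from the page or any firm’s methodology: it takes a constructed journal-entry population (labelled as such in the code), checks that the population balances and has no gaps in the entry sequence, then applies the four criteria from the worked example and records, per selected entry, which fraud risk factor drove its selection. The account codes, roles, the EUR 50K threshold and the final-week window are assumptions made for illustration, and “outside normal patterns” is operationalised here as an amount more than three median absolute deviations from the account’s median line amount, one defensible choice rather than anything ISA 240 (Revised) prescribes. It also adds a fifth criterion the stand-back in item 4 would have wanted earlier: manual WIP entries in the final week before year-end.

```python
"""Risk-based journal entry selection over a constructed population.

Added example; not the page's own tool or any firm's methodology. Account
codes, roles, thresholds and the outlier rule are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import median


@dataclass(frozen=True)
class JournalEntry:
    """One line of a journal entry; the lines of one entry share je_id."""
    je_id: int
    posted: date
    user: str      # poster's user id
    role: str      # poster's role at posting time
    account: str   # GL account code
    amount: float  # signed: positive debit, negative credit
    source: str    # 'manual' or 'auto'
    period: str    # 'interim' or 'year_end'


MANUAL_THRESHOLD = 50_000.0                              # assumption
SENIOR_ROLES = {"CFO", "financial_controller"}           # assumption
SENSITIVE_ACCOUNTS = {"4000": "revenue", "1300": "WIP"}  # assumption
FINAL_WEEK_DAYS = 7                                      # assumption


def completeness_check(entries):
    """Run before selecting anything: the extracted population must balance and
    the je_id sequence must be unbroken. A selection from an incomplete
    population documents nothing about the entries that were never extracted."""
    net = round(sum(e.amount for e in entries), 2)
    ids = sorted({e.je_id for e in entries})
    present = set(ids)
    gaps = [i for i in range(ids[0], ids[-1] + 1) if i not in present] if ids else []
    return {"balanced": net == 0.0, "net": net, "gaps": gaps}


def _amount_outliers(entries, k=3.0):
    """je_ids with a revenue or WIP line whose absolute amount lies more than
    k median absolute deviations from that account's median line amount."""
    by_account = defaultdict(list)
    for e in entries:
        if e.account in SENSITIVE_ACCOUNTS:
            by_account[e.account].append(e)
    flagged = set()
    for lines in by_account.values():
        amounts = [abs(e.amount) for e in lines]
        med = median(amounts)
        mad = median(abs(a - med) for a in amounts) or 1.0  # all-equal account: no spread
        flagged.update(e.je_id for e in lines if abs(abs(e.amount) - med) / mad > k)
    return flagged


def select_entries(entries, year_end):
    """Return {je_id: sorted reasons} for every entry meeting at least one
    criterion. Each reason is the documented link back to a fraud risk factor,
    which is what the revised file must show instead of 'selected by amount'."""
    outliers = _amount_outliers(entries)
    reasons = defaultdict(set)
    for e in entries:
        if e.source == "manual" and abs(e.amount) > MANUAL_THRESHOLD:
            reasons[e.je_id].add("manual entry above EUR 50K (override opportunity)")
        if e.role in SENIOR_ROLES:
            reasons[e.je_id].add(f"posted by {e.role} (management override)")
        if e.je_id in outliers and e.account in SENSITIVE_ACCOUNTS:
            reasons[e.je_id].add(f"{SENSITIVE_ACCOUNTS[e.account]} line outside account's normal amount range")
        if e.posted.weekday() >= 5:
            reasons[e.je_id].add("weekend posting (timing/concealment)")
        if (e.account == "1300" and e.source == "manual"
                and 0 <= (year_end - e.posted).days < FINAL_WEEK_DAYS):
            reasons[e.je_id].add("manual WIP entry in final week before year-end")
    return {je_id: sorted(r) for je_id, r in reasons.items()}


def period_coverage(entries, selected):
    """The revised file documents that testing covers interim and year-end
    periods; this reports which periods the selection actually reaches."""
    covered = {e.period for e in entries if e.je_id in selected}
    return {p: p in covered for p in ("interim", "year_end")}


# Constructed sample population (7 entries, 14 lines). Not real client data.
YEAR_END = date(2027, 12, 31)
SAMPLE = [
    JournalEntry(1001, date(2027, 3, 15), "u_ap", "ap_clerk", "5000", 12_400.0, "auto", "interim"),
    JournalEntry(1001, date(2027, 3, 15), "u_ap", "ap_clerk", "2000", -12_400.0, "auto", "interim"),
    JournalEntry(1002, date(2027, 6, 12), "u_fc", "financial_controller", "6100", 8_000.0, "manual", "interim"),  # Saturday
    JournalEntry(1002, date(2027, 6, 12), "u_fc", "financial_controller", "1200", -8_000.0, "manual", "interim"),
    JournalEntry(1003, date(2027, 12, 28), "u_ap", "ap_clerk", "1100", 75_000.0, "manual", "year_end"),
    JournalEntry(1003, date(2027, 12, 28), "u_ap", "ap_clerk", "4000", -75_000.0, "manual", "year_end"),
    JournalEntry(1004, date(2027, 12, 29), "u_fc", "financial_controller", "1300", 30_000.0, "manual", "year_end"),
    JournalEntry(1004, date(2027, 12, 29), "u_fc", "financial_controller", "5000", -30_000.0, "manual", "year_end"),
    JournalEntry(1005, date(2027, 12, 20), "sys", "system", "1100", 20_000.0, "auto", "year_end"),
    JournalEntry(1005, date(2027, 12, 20), "sys", "system", "4000", -20_000.0, "auto", "year_end"),
    JournalEntry(1006, date(2027, 9, 30), "sys", "system", "1100", 21_000.0, "auto", "interim"),
    JournalEntry(1006, date(2027, 9, 30), "sys", "system", "4000", -21_000.0, "auto", "interim"),
    JournalEntry(1007, date(2027, 8, 31), "sys", "system", "1100", 19_500.0, "auto", "interim"),
    JournalEntry(1007, date(2027, 8, 31), "sys", "system", "4000", -19_500.0, "auto", "interim"),
]

if __name__ == "__main__":
    print(completeness_check(SAMPLE))
    selection = select_entries(SAMPLE, YEAR_END)
    for je_id, why in selection.items():
        print(je_id, why)
    print(period_coverage(SAMPLE, selection))
```

On the sample population the selection picks three entries, each with its reasons attached: 1002 (controller, weekend), 1003 (manual above the threshold, revenue amount far outside the account’s normal range) and 1004 (controller, manual WIP in the final week). Two design points carry over to a real file: the completeness check is what turns “full population extracted automatically” from an assertion into evidence, and recording the reason per entry is what lets a reviewer trace each selected item back to the fraud risk factor it responds to.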
The complication
4. Fraud stand-back at completion. The engagement partner performs the stand-back and notices: the Rijkswaterstaat contract shows a EUR 1.2M positive variance between budgeted and actual margin, and three manual journal entries to WIP were posted in the final week by the financial controller. Neither fact was flagged during fieldwork because individually they looked routine. Together, at the stand-back stage, they raise a question. The partner requests additional procedures on the WIP adjustments. The team tests the three entries, confirms they relate to legitimate cost allocations between project phases, and documents the conclusion with specific reasoning.
Documentation note: stand-back explicitly references cumulative evidence. Specific items reconsidered. The fact that additional procedures were needed validates the stand-back, not undermines it. A stand-back that never identifies anything is probably not being done properly.
Implementation checklist
- Update your engagement team discussion template to include the four paragraph 29 topics: susceptibility to fraud, fraud risk factors, asset misappropriation, maintaining professional scepticism. Do this before the effective date so the template is ready.
- Remove any standard wording referencing “accepting records as genuine” or “past experience of management’s honesty” from your fraud risk assessment templates and methodology documents.
- Add a fraud lens section to your ISA 315 risk assessment working paper that maps fraud risk factors to each significant account and assertion. The fraud assessment can no longer live in a separate memo.
- Build a fraud-specific stand-back step into your completion checklist. Include prompts to reconsider cumulative evidence and document the conclusion with specific references to matters considered.
- Update your management representation letter to require confirmation they have “appropriately fulfilled” (not just “acknowledge”) their internal control responsibilities, and lower the reporting threshold for fraud involving others from “material” to “any matters that could affect the FS.”
- If you’re short on time, start with two things: remove the genuineness language and build the stand-back step. Those are the changes that will generate findings fastest if they’re missed.
Common mistakes during transition
- Updating templates without changing execution. The AFM’s 2025 inspection found deficient procedures in 17 of 20 files at non-PIE firms. The gap was in execution, not template design. If your team’s instinct is to SALY the fraud risk assessment and just roll it forward with new dates, a better template won’t save you. Partners need to allocate real time for the fraud discussion and the stand-back, not treat them as sign-off formalities.
- Keeping the single-paragraph fraud discussion note. The revised standard’s paragraph 29 requirements are specific enough that a generic note (“fraud risk was discussed”) will be flagged as non-compliant. The discussion documentation needs to address each of the four required topics with entity-specific content.
- Retaining the revenue recognition presumption without assertion-level detail. The AFM’s 2024 review flagged this specifically. Under the revised standard, you must identify which revenue types, transactions, or assertions give rise to the presumed risk. “Revenue recognition is a presumed fraud risk” without further specification is no longer acceptable.
- Treating the stand-back as a sign-off step. The stand-back requires genuine reflection on cumulative evidence at a moment when the team wants to go home and the EP wants to sign. “Fraud risk assessment considered appropriate” is not a stand-back. It’s a sign-off. Reference specific matters you reconsidered and why your assessment didn’t change (or did).
Related content
- Fraud risk factors (glossary) covers the fraud risk factor framework under both the extant and revised ISA 240, with examples for different entity types.
- ISA 520 Analytical Review Calculator produces documented analytical procedures that identify unusual patterns in revenue and cost accounts, supporting the fraud lens in your risk assessment.
- ISA 570 (Revised 2024): what changed covers the parallel revision that takes effect on the same date and shares implementation dependencies with ISA 240 (Revised).
Frequently asked questions
When does ISA 240 Revised take effect?
Effective for audits of FS for periods beginning on or after 15 December 2026. For calendar year-end audits, the first engagements under the revised standard will be 2027 audits. Early adoption is permitted and encouraged.
What is the fraud stand-back requirement?
A new completion-stage requirement. Near the end of the audit, you evaluate whether the fraud risk assessment remains appropriate and whether you obtained sufficient evidence in response. Separate from the general ISA 330 stand-back. Requires you to reconsider cumulative evidence through a fraud lens before signing.
Can firms adopt ISA 240 Revised early?
Yes. The IAASB encourages early adoption and recommends jurisdictions adopt ISA 240 (Revised) alongside ISA 570 (Revised 2024) as a package.
What happened to “accept records as genuine”?
Removed from the fraud context. The principle stays in ISA 200 for general purposes, but in a fraud context, the starting point is no longer trust. If conditions suggest a record may not be authentic, investigation is required. The threshold shifted from belief to conditions.
How does ISA 240 Revised change the engagement team discussion?
Paragraph 29 requires the discussion to explicitly cover: how and where the FS are susceptible to fraud (including concealment), known fraud risk factors, asset misappropriation, and maintaining professional scepticism. Under the extant standard, the discussion was required but the content was less prescribed. A single-paragraph note no longer passes.
Further reading and source references
- IAASB: ISA 240 (Revised), The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements, approved March 2025, PIOB-certified July 2025.
- ISA 315 (Revised 2019), Identifying and Assessing the Risks of Material Misstatement: the risk assessment framework the fraud lens integrates with.
- ISA 570 (Revised 2024), Going Concern: the parallel revision aligned with ISA 240 (Revised) and effective on the same date.
- AFM: Fraud Risk Analysis Review 2024, review of 32 statutory audits examining fraud risk assessment quality.
- Fraud risk factors: ciferi glossary entry covering the ISA 240 Appendix 1 framework.