Key Takeaways
- ISA 240 (Revised) was approved by the IAASB in March 2025 and takes effect for periods beginning on or after 15 December 2026. For calendar year-end audits, the first engagements under the revised standard will be 2027 audits.
- The revised standard restructures how auditors think about fraud by integrating a “fraud lens” across the entire ISA 315 (Revised 2019) risk identification and assessment process.
- The engagement team discussion under ISA 240 (Revised).29 must now explicitly cover how fraud might be concealed, known fraud risk factors, and how the team will maintain professional scepticism.
- A new fraud-specific stand-back requirement at completion requires the auditor to evaluate whether the fraud risk assessment remains appropriate given cumulative audit evidence.
Why the IAASB rewrote ISA 240
Corporate failures from Wirecard to Steinhoff exposed a gap between what investors expected auditors to do about fraud and what the extant standard required. The IAASB initiated research in early 2020, published an exposure draft (ED-240) in February 2024, and approved the final standard with a unanimous 16–0 vote in March 2025. The PIOB certified the standard on 8 July 2025.
The revised standard aligns with ISA 570 (Revised 2024) on going concern, and the IAASB encourages jurisdictions to adopt both as a package. For calendar year-end audits, the first engagements under the revised standard will be 2027 audits. Early adoption is permitted and encouraged.
The “accept records as genuine” deletion
Under extant ISA 240.A8 (and ISA 200.A47), auditors could accept records and documents as genuine unless they had reason to believe otherwise. ISA 240 (Revised) removes this principle entirely from the fraud context. The principle remains in ISA 200 for general audit purposes, but stripping it from ISA 240 sends a clear message: in a fraud context, the starting point is not trust.
This doesn’t mean you treat every document as fraudulent. The IAASB was explicit on that point. But it does mean you can no longer rely on the absence of a red flag as sufficient justification for accepting a record at face value when fraud risk factors are present. If conditions suggest a record may not be authentic or may have been altered, the revised standard requires investigation. Previously, you only investigated when you believed the record was not genuine. The threshold has shifted from belief to conditions.
For files where you’ve been documenting “no conditions identified to suggest records are not genuine” as your standard fraud response, that language will need to change. Your fraud risk assessment working papers will need to explain what conditions you considered and why you concluded authenticity was not in question, not simply state that no red flag appeared.
Professional scepticism without the safety net
The extant standard included a qualifier that allowed auditors to maintain professional scepticism while still recognising “the auditor’s past experience of the honesty and integrity of the entity’s management and those charged with governance.” ISA 240 (Revised) deletes this qualifier.
The IAASB concluded that referencing past experience of management’s honesty directly undermined the exercise of professional scepticism. The revised standard now requires auditors to approach each audit with what the IAASB called a “fresh pair of eyes.” A continuing engagement with a long-standing client doesn’t reduce the scepticism requirement. If anything, familiarity creates its own bias risk, and the application material now acknowledges this explicitly.
ISA 240 (Revised) also introduces a new ongoing alertness requirement. The auditor must remain alert throughout the audit for information that is indicative of fraud or suspected fraud. The application material emphasises that this includes the final stages of the engagement, when time pressure to complete the audit is highest. The AFM’s 2025 inspection report concentrated on exactly that stage: the AFM observed findings in the execution of fraud-response procedures in 17 of 20 statutory audits at regular audit firms and 6 of 12 at PIE firms.
The fraud lens on risk assessment
The single largest structural change is the integration of a “fraud lens” across the entire risk identification and assessment process, anchored to ISA 315 (Revised 2019). Under the extant standard, fraud risk assessment ran in parallel with the general risk assessment. The revised standard weaves fraud considerations directly into the ISA 315 framework.
Specifically, ISA 240 (Revised) requires auditors to:
- Obtain an understanding of matters related to the entity and its environment that may lead to increased susceptibility to management bias or other fraud risk factors (a new requirement with no equivalent in the extant standard)
- Understand aspects of the entity’s internal control system relevant to the prevention and detection of fraud, including the entity’s whistleblower programme or other mechanisms for reporting fraud
- Determine whether deficiencies identified in internal control are relevant to fraud prevention or detection
- Take fraud risk factors into account when identifying and assessing risks of material misstatement due to fraud and when determining whether those risks exist at the financial statement level or the assertion level
Engagement team discussions
ISA 240 (Revised).29 expands the engagement team discussion. The discussion must now explicitly cover how and where the financial statements may be susceptible to material misstatement due to fraud (including how fraud might be concealed), known fraud risk factors, how assets of the entity may be misappropriated by management or others, and how the engagement team will maintain professional scepticism. Under the extant standard, the discussion was required but the specific content was less prescribed.
Management override and revenue recognition
Management override of controls is now explicitly required to be assessed as a significant risk at the financial statement level. The extant standard did not specify at which level this risk was assessed, leaving room for inconsistency. The auditor must also determine whether management override gives rise to additional risks at the assertion level.
The revenue recognition presumption remains. But ISA 240 (Revised) strengthens it by requiring the auditor to determine (taking fraud risk factors into account) which specific types of revenue, revenue transactions, or assertions give rise to the presumed risk. The application material now includes expanded examples of conditions that make rebuttal inappropriate, including situations where the entity operates in emerging industries, where revenue involves estimation uncertainty, or where contradictory evidence exists from risk assessment procedures.
The AFM’s 2023 review of 32 statutory audits specifically flagged that firms frequently failed to recognise the presumed risk of fraud in revenue recognition. The revised standard addresses this directly by making the presumption harder to rebut and by requiring more specific documentation when the presumption is retained.
Responding to fraud or suspected fraud
ISA 240 (Revised) adds a new section on the auditor’s response to identified or suspected fraud. When the auditor identifies fraud or suspected fraud (whether directly through audit procedures or indirectly through information from external sources, management, or TCWG), the revised standard requires the auditor to obtain an understanding of the matter and evaluate how the entity has responded.
The “clearly inconsequential” threshold is new. For instances of fraud or suspected fraud that the auditor determines to be clearly inconsequential (after obtaining a sufficient understanding of the matter), the auditor may exclude them from further consideration. This is a scalability provision. For a mid-tier firm auditing an entity with a minor instance of expense fraud by a junior employee, the response doesn’t need to be the same as for a revenue manipulation scheme by the CFO.
For anything above clearly inconsequential, the engagement partner must determine whether to perform additional risk assessment procedures or further audit procedures. And the qualitative materiality assessment matters here: fraud committed by senior management is ordinarily considered qualitatively material regardless of the amount, and intentional manipulation of KPIs to influence market expectations may render a quantitatively immaterial misstatement qualitatively material.
Third-party fraud is now explicitly covered. The definition of fraud hasn’t changed (it still includes third parties), but the revised standard adds application material and examples of what constitutes third-party fraud. This includes related parties who may collude with management, suppliers or customers who create fictitious transactions, service providers who may exploit their access to the entity’s systems, and unknown third parties who gain unauthorised access to the entity’s IT environment.
The stand-back requirement
ISA 240 (Revised) introduces a fraud-specific stand-back requirement, separate from the general stand-back in ISA 330. Near the end of the audit, the auditor must evaluate whether the assessment of the risks of material misstatement due to fraud remains appropriate, and whether sufficient appropriate audit evidence has been obtained in response to the assessed fraud risks.
This is not a formality. The IFIAR comment letter on ED-240 specifically argued that the stand-back should use stronger language, suggesting terms like “challenge, question and reconsider” to describe what auditors should do during this evaluation. The final standard requires the auditor to consider the cumulative effect of audit evidence obtained throughout the engagement. Audit evidence that wasn’t initially recognised as relevant to fraud (a pattern in journal entries, an inconsistency in management’s explanations, a change in accounting estimates) must be reconsidered in light of the completed picture.
Transparency in the auditor’s report
Where ISA 701 applies (listed entities and PIEs, unless local regulation extends this), ISA 240 (Revised) introduces new requirements for fraud-related key audit matters. The auditor must determine which matters related to fraud required significant auditor attention and, of those, which were of most significance in the audit.
The application material is clear: fraud-related matters often require significant auditor attention, and because investors have specifically highlighted their interest in fraud-related matters, these are ordinarily of most significance. The practical effect is that where ISA 701 applies, most auditor’s reports will now include a fraud-related KAM unless the auditor can justify its absence.
The auditor’s report for all audits also gets updated language describing the auditor’s responsibilities and procedures related to fraud, though the changes here are more limited than the KAM requirements.
Documentation and written representations
The revised standard expands documentation requirements in four areas: the auditor’s risk assessment procedures (including the fraud lens applied), the rationale for significant judgements when identifying and assessing fraud risks, the fraud or suspected fraud identified and the results of related procedures (including significant professional judgements and conclusions), and communications with TCWG.
Written representations have changed in two ways. First, management must now represent that they have “appropriately fulfilled” their responsibilities for the design, implementation, and maintenance of internal control to prevent or detect fraud. The extant standard required only an acknowledgement of those responsibilities. Second, the threshold for written representations about fraud involving “others” (employees, third parties) has been lowered from matters that are material to “any matters that could have an effect on the financial statements.”
Worked example: before and after on a real file
Client scenario: Van Leeuwen Bouw B.V., a Dutch construction company with €78M revenue, long-term construction contracts recognised under IFRS 15 using the input method, 14 active projects, and a new CFO who joined six months before year-end.
How the file looks under extant ISA 240
- The engagement team discussion notes that “fraud risk was discussed including the risk of management override of controls and the presumption of fraud in revenue recognition.”
Documentation note
Generic reference to the discussion. No specifics on how fraud might be concealed or which revenue streams are at risk.
- The fraud risk assessment identifies management override and revenue recognition as risks. The risk assessment states: “No conditions identified to suggest records are not genuine.”
Documentation note
Revenue recognition risk not linked to specific assertions or contract types. Genuineness of records addressed by absence of red flag.
- Journal entry testing performed on year-end entries only. 25 entries selected based on amount.
Documentation note
No documented rationale for why entries throughout the period were not tested. No consideration of automated selection criteria.
- Engagement partner signs off. No fraud-specific stand-back documented.
How the file must look under ISA 240 (Revised)
- The engagement team discussion (ISA 240 (Revised).29) covers how Van Leeuwen’s financial statements are susceptible to misstatement due to fraud in four specific areas: percentage-of-completion estimates on fixed-price contracts, the timing of cost recognition on the two largest projects (Rijkswaterstaat infrastructure contract at €22M and Schiphol terminal renovation at €18M), the new CFO’s incentive structure tied to EBITDA targets, and the opportunity created by the decentralised project accounting system.
Documentation note
Each susceptibility area linked to a specific fraud risk factor. Discussion participants listed. Documented how fraud could be concealed (premature cost deferral across project stages).
- The fraud risk assessment applies the fraud lens to ISA 315 (Revised 2019) requirements. Management bias susceptibility assessed in the context of the new CFO’s first full-year results. Whistleblower programme status documented (Van Leeuwen has no formal programme; this is noted as a control environment weakness). Revenue recognition presumption retained with specific identification that the input method on fixed-price contracts creates assertion-level risk in accuracy and cut-off. Management override assessed as a significant risk at the financial statement level with additional assertion-level risks identified in construction contract estimates.
Documentation note
Fraud risk factors mapped to specific inherent risk and control risk assessments. Absence of whistleblower programme noted and linked to opportunity factor.
- Journal entry testing uses automated extraction of the full population. Entries selected using risk-based criteria: manual entries above €50K, entries posted by the CFO or financial controller, entries to revenue or WIP accounts outside normal posting patterns, and weekend or holiday postings. Testing covers both year-end and interim periods. The rationale for selection criteria is documented.
Documentation note
Full population extracted. Selection criteria linked to identified fraud risk factors. Automated tools used and documented per the revised standard’s guidance.
- Fraud-specific stand-back (ISA 240 (Revised)) performed at completion. The engagement partner evaluates whether the fraud risk assessment remains appropriate given: the €1.2M positive variance between budgeted and actual margin on the Rijkswaterstaat contract, and the three manual journal entries to WIP that were posted in the final week. Conclusion documented that additional procedures were performed on the WIP adjustment and the risk assessment remains appropriate.
Documentation note
Stand-back explicitly references cumulative audit evidence. Specific items reconsidered. Conclusion includes reasoning.
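The risk-based journal entry selection described in the revised file can be expressed as a filter over the full population that records why each entry was picked. This is an added example, not part of the original article or any firm's tooling. The field names, role labels, holiday calendar, sample ledger, and the reading of "outside normal posting patterns" as "not from the automated project feed" are all assumptions.

```python
from datetime import date

# Threshold and roles follow the criteria listed in the worked example.
MANUAL_THRESHOLD_EUR = 50_000
SENIOR_POSTERS = {"cfo", "financial_controller"}  # hypothetical role labels
SENSITIVE_ACCOUNTS = {"revenue", "wip"}
# Assumption: the normal pattern for revenue/WIP is an automated feed from the
# project accounting system; any other source on those accounts is flagged.
NORMAL_SOURCE = "project_interface"
# Assumption: holiday calendar supplied by the engagement team (constructed).
HOLIDAYS = {date(2027, 4, 27)}


def flag_entry(e):
    """Return the criteria an entry meets; an empty list means not selected."""
    reasons = []
    if e["source"] == "manual" and abs(e["amount"]) > MANUAL_THRESHOLD_EUR:
        reasons.append("manual_above_50k")
    if e["posted_by"] in SENIOR_POSTERS:
        reasons.append("senior_poster")
    if e["account"] in SENSITIVE_ACCOUNTS and e["source"] != NORMAL_SOURCE:
        reasons.append("unusual_revenue_wip_posting")
    if e["posted_on"].weekday() >= 5 or e["posted_on"] in HOLIDAYS:
        reasons.append("weekend_or_holiday")
    return reasons


def select_entries(population):
    """Apply every criterion to the full population, interim and year-end alike,
    and keep each hit with the reasons that document why it was selected."""
    return {e["id"]: r for e in population if (r := flag_entry(e))}


def je(id_, posted_on, source, posted_by, account, amount):
    """Build one journal entry record for the constructed sample ledger."""
    return {"id": id_, "posted_on": posted_on, "source": source,
            "posted_by": posted_by, "account": account, "amount": amount}


# Constructed sample ledger (not real client data).
POPULATION = [
    je("JE-001", date(2027, 3, 15), "project_interface", "system", "revenue", 120_000),
    je("JE-002", date(2027, 6, 10), "manual", "ap_clerk", "expense", 62_000),
    je("JE-003", date(2027, 4, 27), "manual", "ap_clerk", "expense", 1_200),
    je("JE-004", date(2027, 12, 29), "manual", "cfo", "wip", 410_000),
    je("JE-005", date(2027, 9, 18), "manual", "ap_clerk", "expense", 300),
    je("JE-006", date(2027, 6, 10), "manual", "ap_clerk", "expense", 900),
]

if __name__ == "__main__":
    for entry_id, reasons in select_entries(POPULATION).items():
        print(entry_id, ", ".join(reasons))
```

Keeping the reason codes alongside each selected entry gives the working paper the documented link between selection criteria and fraud risk factors that the documentation note calls for.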
Implementation checklist
- Update your engagement team discussion template to include the four ISA 240 (Revised).29 topics (susceptibility to fraud, fraud risk factors, asset misappropriation, maintaining professional scepticism). Do this before the standard takes effect so the template is ready.
- Remove any standard wording that references “accepting records as genuine” or “past experience of management’s honesty and integrity” from your fraud risk assessment templates and methodology.
- Add a fraud lens column or section to your ISA 315 risk assessment working paper that maps fraud risk factors to each significant account and assertion, not just management override and revenue recognition.
- Build a fraud-specific stand-back step into your completion checklist. Include a prompt to reconsider cumulative audit evidence and document the conclusion with specific references to matters considered.
- Update your written representation letter to require management to confirm they have “appropriately fulfilled” (not just “acknowledge”) their internal control responsibilities, and lower the reporting threshold for fraud involving others from “material” to “any matters that could have an effect on the financial statements.”
- If your audit engagements fall under ISA 701, prepare a fraud-related KAM template. Draft example KAM language for management override and revenue recognition as starting points.
Common mistakes to avoid during transition
- The AFM’s 2023 review of 32 statutory audits found that firms frequently failed to specify the presumed risk of fraud in revenue recognition at the assertion level. Under the revised standard, retaining the presumption without linking it to specific revenue types or assertions won’t pass review.
- The AFM’s 2025 inspection report observed findings in fraud-response procedures in 17 of 20 statutory audits at regular firms. The most common gap was insufficient depth in the execution of procedures, not their design. Updating templates is necessary but not sufficient if the team doesn’t change how it executes.
- Firms that currently use a single-paragraph fraud risk discussion note will need to restructure entirely. The revised standard’s engagement team discussion requirements are specific enough that a generic note will be flagged as non-compliant.
Frequently asked questions
When does ISA 240 Revised take effect?
ISA 240 (Revised) is effective for audits of financial statements for periods beginning on or after 15 December 2026. For calendar year-end audits, this means the first engagements under the revised standard will be 2027 audits. Early adoption is permitted and encouraged by the IAASB.
What is the fraud stand-back requirement?
The fraud stand-back is a new requirement in ISA 240 (Revised) that requires the auditor to evaluate, near the end of the audit, whether the assessment of the risks of material misstatement due to fraud remains appropriate and whether sufficient appropriate audit evidence has been obtained in response to the assessed fraud risks. This is separate from the general stand-back in ISA 330.
Can firms adopt ISA 240 Revised early?
Yes. Early adoption is permitted and encouraged by the IAASB. The IAASB also encourages jurisdictions to adopt ISA 240 (Revised) alongside ISA 570 (Revised 2024) as a package, given the deliberate alignment between the two standards.
What happened to the “accept records as genuine” principle?
ISA 240 (Revised) removes the principle that auditors may accept records and documents as genuine from the fraud context. The principle remains in ISA 200 for general audit purposes, but stripping it from ISA 240 means that in a fraud context, the starting point is no longer trust. If conditions suggest a record may not be authentic or may have been altered, the revised standard requires investigation.
How does ISA 240 Revised change the engagement team discussion?
ISA 240 (Revised) paragraph 29 expands the engagement team discussion to explicitly cover how and where the financial statements may be susceptible to material misstatement due to fraud (including how fraud might be concealed), known fraud risk factors, how assets may be misappropriated by management or others, and how the engagement team will maintain professional scepticism.
Further reading and source references
- IAASB: ISA 240 (Revised), The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements, approved March 2025, PIOB-certified July 2025.
- ISA 315 (Revised 2019), Identifying and Assessing the Risks of Material Misstatement: the risk assessment framework that the fraud lens integrates with.
- ISA 570 (Revised 2024), Going Concern: the parallel revision aligned with ISA 240 (Revised) and effective on the same date.
- AFM: Fraud Risk Analysis Review 2023 – review of 32 statutory audits examining fraud risk assessment quality.
- Fraud risk factors: Ciferi glossary entry covering the ISA 240 Appendix 1 framework with examples for different entity types.