Key Takeaways

  • ISA 240 (Revised) paragraph 29 expands the engagement team fraud discussion to require explicit consideration of four categories: fraudulent financial reporting, employee misappropriation, third-party misappropriation (new), and fraud risk factors identified through risk assessment procedures.
  • Documentation shifts from "significant decisions" to "matters discussed" – the file must capture the reasoning and fraud risk factors considered, not just the conclusions reached.
  • The revenue recognition presumption is harder to rebut: new guidance states that the presence of fraud risk factors ordinarily makes rebuttal inappropriate.
  • A worked example shows how a mid-tier firm runs a compliant fraud discussion under the revised standard, covering all four required categories with documented reasoning chains.

Your fraud brainstorming template probably has two sections: one for revenue recognition and one for management override of controls. The engagement team ticks the boxes and writes a paragraph of conclusions. Done. The AFM reviewed 32 statutory audits in 2023 and found that teams routinely failed to specify how management could actually commit fraud in the context of their specific client. ISA 240 (Revised) rewrites the rules for this discussion. If your template hasn't changed, your next file under the revised standard will have a gap.

ISA 240 (Revised), effective for periods beginning on or after 15 December 2026, expands the engagement team fraud discussion under paragraph 29 to require explicit consideration of third-party misappropriation and specific fraud risk factors, along with documentation of the "matters discussed" rather than just the "significant decisions" reached.

What changed in the engagement team discussion requirement

Extant ISA 240.15 requires the engagement partner and other key members of the engagement team to discuss the susceptibility of the entity's financial statements to material misstatement due to fraud, and how and where the entity's financial statements may be susceptible. Application material in extant ISA 240.A10–A11 suggests topics the discussion "may include," such as an exchange of ideas about how fraud might occur and the risk of management override of controls.

ISA 240 (Revised) paragraph 29 converts several of those suggestions into requirements. The discussion must now explicitly include how the entity's financial statements may be susceptible to material misstatement due to fraud, including through fraudulent financial reporting, misappropriation of assets by employees, and (this is new) misappropriation of assets by third parties. The team must also discuss fraud risk factors identified through the risk assessment procedures performed under both ISA 315 (Revised 2019) and ISA 240 (Revised).

The wording matters. Under the extant standard, most firms treat the fraud discussion as a planning checklist. The engagement partner raises revenue recognition and management override, possibly adds a client-specific risk. The team agrees. Someone writes it up. Under the revised standard, the discussion must cover specific categories of fraud, and the documentation must capture what was discussed, not just what was decided. That's the shift from "significant decisions" to "matters discussed."

The IAASB's Basis for Conclusions explains that this change was made to align the engagement team discussion requirement with ISA 315 (Revised 2019) paragraph 17, which uses the same "matters discussed" formulation for the broader risk assessment discussion. The alignment is deliberate. Fraud isn't a standalone planning step anymore. It's a lens applied to the entire ISA 315 risk assessment process.

Third-party misappropriation: the new category most teams will miss

ISA 240 (Revised) paragraph 29(a)(ii)c. requires the engagement team to exchange ideas about how assets could be misappropriated by third parties. This is entirely new. The extant standard doesn't mention third-party misappropriation as a required discussion topic.

Why does this matter? Think about what it covers. Inventory held at third-party warehouses or on consignment at customer premises. Cash collected by third-party agents. Digital assets or intellectual property accessible to contractors or external IT providers. Financial instruments held by custodians. For a manufacturing client with €30M of inventory across four third-party logistics providers, the risk that one of those providers misappropriates stock is real and auditable. Most current fraud brainstorming templates don't prompt the team to consider it.

The supporting application material (ISA 240 (Revised) paragraph A84) explains that the auditor's understanding of the entity's risk assessment process may include consideration of the entity's own assessment of its susceptibility to third-party fraud. If the entity has assessed this risk, you're documenting their assessment and your evaluation of it. If they haven't, that gap itself is a finding worth recording.

For firms working in sectors with significant third-party exposure (logistics, retail with franchise models, entities holding assets in custody), this requirement will add genuine substance to the fraud discussion. For entities with minimal third-party asset exposure, a brief documented assessment explaining why the risk is low will satisfy the requirement. Either way, the discussion must happen and the documentation must reflect it.

Fraud risk factors: from checklist to conversation

The extant standard requires you to consider fraud risk factors when identifying risks of material misstatement due to fraud. ISA 240 (Revised) strengthens this by requiring the engagement team discussion to explicitly include fraud risk factors identified through the risk assessment procedures performed.

The practical difference is this: under the extant standard, many teams treat the Appendix 1 fraud risk factor examples as a checklist. The partner runs down the list during planning, ticks which factors are present, and maps them to fraud risks. Under the revised standard, the fraud risk factors must be discussed in the engagement team discussion, not just assessed by the partner in isolation. The team needs to talk about which factors are present for this specific client and why. They also need to discuss what those factors mean for how fraud could occur and how the team plans to respond.

The revised standard also adds new guidance on the relationship between fraud risk factors on one hand and inherent risks and control risks on the other. Fraud risk factors are events or conditions that indicate an incentive or pressure to commit fraud, or that provide an opportunity to commit it. They're not fraud risks themselves. An incentive-type factor (the CFO has a bonus tied to reported EBITDA) combined with an opportunity-type factor (the CFO has the ability to post manual journal entries without review) gives rise to a fraud risk (management manipulation of EBITDA through manual entries). Your brainstorming should follow that logic: identify the incentive or pressure, identify the opportunity, then articulate the fraud risk that the two together create. That chain of reasoning is what "matters discussed" means in the documentation.

Practical tip

Structure your brainstorming template so each fraud risk has three fields: (1) the incentive or pressure (a fraud risk factor), (2) the opportunity (a control weakness or access, also a fraud risk factor), and (3) the articulated fraud risk (how fraud could occur, which account or assertion is affected). This logic chain is what ISA 240 (Revised) expects in the "matters discussed" documentation.

The revenue recognition presumption is harder to rebut

ISA 240 (Revised) retains the presumption that there are risks of material misstatement due to fraud in revenue recognition. But it changes the emphasis. New guidance states that the significance of fraud risk factors related to revenue recognition, individually or in combination, ordinarily makes it inappropriate to rebut the presumption.

Under the extant standard, some firms treat rebuttal as a routine exercise. The entity has simple revenue streams and limited management incentives tied to revenue, so the presumption is rebutted. Under the revised standard, the bar is higher. You need to demonstrate not only that the entity has simple revenue streams but also that no significant fraud risk factors related to revenue recognition are present, individually or in combination. The emphasis has shifted from developing a rebuttal argument to evaluating whether the specific circumstances genuinely support one.

For the fraud brainstorming session, this means the team should discuss fraud risk factors related to revenue before deciding whether rebuttal is appropriate. In most engagements, the team will conclude that at least one fraud risk factor exists (management incentives, pressure from investors, performance-based compensation). Where that's the case, the revised standard's guidance suggests rebuttal is ordinarily inappropriate.

This will affect a significant number of engagements. The AFM's 2023 fraud risk analysis review found that the presumed fraud risk in revenue recognition was "often not recognised" across the 32 audits reviewed. The revised standard directly responds to that finding.

Who needs to be in the room

The extant standard requires the engagement partner and "other key members of the engagement team" to participate in the discussion. ISA 240 (Revised) keeps this requirement but adds emphasis on two areas.

First, the revised standard highlights the importance of IT expertise in the fraud discussion. Application material notes the relevance of considering changes in the entity's IT environment during risk assessment and the potential to use automated tools to facilitate the discussion. For mid-tier firms without dedicated IT audit specialists, this means either including someone with relevant IT knowledge or documenting why IT risk isn't significant for the specific engagement.

Second, for group audits, the IAASB's Basis for Conclusions notes that the discussion should consider which component auditor engagement team members to include. ISA 240 (Revised) paragraph 29's requirement applies to the group engagement team's consideration of fraud, and the component auditor's knowledge of local conditions, industry-specific fraud risk factors, and management behaviour at the component level can be directly relevant. If your group audit fraud brainstorming doesn't include component teams (even by call or written input), the revised standard will make that omission more visible.

Worked example: running a fraud brainstorming for Van der Berg Holding N.V.

Van der Berg Holding N.V. is a Dutch holding company with four subsidiaries operating in food distribution. Consolidated revenue is €112M. The group employs 340 people across the Netherlands and Belgium. The engagement is in its second year. The previous year's fraud discussion working paper contains a single page with two risks identified: revenue recognition and management override.

Participants: Engagement partner M. ten Brink, senior auditor S. Vermeulen, staff auditors P. Hendriks and A. Claessens (the Belgian subsidiary lead). The session was held on 3 October 2027 and lasted 55 minutes.

Documentation note

Record participants, date, and the duration of the discussion. The "matters discussed" requirement means the file should show that a genuine discussion took place, not that a template was completed.

1. Fraudulent financial reporting

The team discussed the following fraud risk factors. The holding company's bank covenants require a minimum EBITDA of €8.5M. Consolidated EBITDA for the prior year was €9.1M, leaving a margin of €600K. This creates incentive pressure on management to maintain or overstate EBITDA. The CFO prepares the consolidation entries without a secondary review. Two of the four subsidiaries use different ERP systems, and consolidation adjustments are made in Excel. The team identified a fraud risk: manipulation of consolidation entries to inflate EBITDA, specifically in the areas of intercompany elimination adjustments and cost allocation between subsidiaries.

Documentation note

The fraud risk factor (covenant pressure) is linked to the opportunity (unreviewed consolidation entries) to articulate a specific fraud risk. This is the logic chain the revised standard expects.

2. Misappropriation of assets by employees

The team discussed cash handling at the two retail distribution centres. Daily cash receipts average €15K per centre. Cash is counted by the warehouse supervisor and deposited by the same person. No segregation of duties exists for amounts below €5K. The team identified this as a fraud risk for the assertion of completeness of cash receipts, though the potential misstatement amount (estimated at €50K annually even in a worst case) is below performance materiality of €220K. The team assessed this risk as present but not significant.

Documentation note

Document the assessment even where the risk is below materiality. The revised standard's "matters discussed" requirement means the team's reasoning should be visible.

3. Misappropriation of assets by third parties

The team discussed the group's use of third-party cold storage facilities for perishable inventory. Two facilities in Rotterdam hold approximately €6.8M of frozen goods at year-end. The entity receives monthly stock confirmations from the facility operators but conducts physical counts only annually, in March (three months after year-end). The team identified a fraud risk: overstatement of inventory held at third-party locations, particularly given the €6.8M balance and the reliance on management-obtained confirmations without independent verification between annual counts.

Documentation note

This is the new ISA 240 (Revised) paragraph 29(a)(ii)c. category. The team considered assets held by third parties and articulated a specific risk.

4. Fraud risk factors and revenue recognition

The team considered the revenue recognition presumption. Van der Berg's revenue consists of food product sales to supermarket chains under framework contracts. Pricing is set annually. Volume bonuses are calculated quarterly. The team discussed whether the presumption could be rebutted. Two fraud risk factors are present: the EBITDA covenant creates incentive to overstate revenue, and the volume bonus calculations involve estimates based on projected volumes. The team concluded that rebuttal is inappropriate given the presence of these fraud risk factors, consistent with the revised standard's guidance that fraud risk factors ordinarily make rebuttal inappropriate. Revenue recognition (specifically: cut-off and valuation of volume bonus accruals) remains an identified fraud risk.

Documentation note

Under the revised standard, the team should document the fraud risk factors considered before deciding on rebuttal, not after.

5. Whistleblower programme

Van der Berg has a whistleblower policy adopted in 2024 following the Wet bescherming klokkenluiders (Dutch Whistleblower Protection Act). One report was received in the prior year concerning employee expense claims. Management investigated and found the claim substantiated (€3.2K). The team documented their understanding of the programme and considered whether the one report indicated broader control weaknesses.

Conclusion of the discussion: Four fraud risks were identified: (1) manipulation of consolidation entries to inflate EBITDA, (2) misappropriation of cash receipts at distribution centres (present but not significant), (3) overstatement of third-party held inventory, and (4) revenue cut-off and volume bonus accrual valuation. Management override of controls was assessed as a significant risk at the financial statement level.

Your implementation checklist

  1. Restructure your fraud brainstorming template into four required discussion categories: fraudulent financial reporting, employee misappropriation, third-party misappropriation, and fraud risk factors. Each category needs space for the matters discussed, not just a conclusion field.
  2. Add a specific prompt for third-party misappropriation. For each entity, identify assets held by or accessible to third parties and document the team's assessment of how those assets could be misappropriated (ISA 240 (Revised) paragraph 29(a)(ii)c.).
  3. Change your template's documentation heading from "significant decisions" to "matters discussed." This isn't cosmetic. Every section should capture the reasoning and the fraud risk factors considered, not only the risks identified.
  4. For revenue recognition, reorder your template so that fraud risk factors related to revenue are discussed before the rebuttal assessment. If any fraud risk factors are present, your template should flag that rebuttal is ordinarily inappropriate under the revised standard.
  5. Add a whistleblower programme section to your planning working papers. Record whether the entity has a programme and any reports received. Where reports were received, document the entity's response and whether the reports point to broader control weaknesses. Where no programme exists, document the implications for the control environment.
  6. For group audits, decide which component team members will participate in the fraud discussion (in person, by call, or through written input). Document their participation and any component-specific fraud risk factors they raised.

Common mistakes to watch for

The AFM's January 2025 report on fraud audit procedures found insufficient professional scepticism in 6 of 32 reviewed statutory audits, characterised by multiple procedural findings combined with no follow-up of contraindications. The revised standard's requirement to document "matters discussed" is designed to make the quality of the fraud discussion visible to reviewers. A one-paragraph conclusion won't demonstrate scepticism.

Treating the fraud discussion as a planning-only event is another common gap. Extant ISA 240.A12 already notes that further discussions may be beneficial at later stages. ISA 240 (Revised) reinforces this by requiring communication with management and those charged with governance about fraud matters at appropriate times throughout the audit. If new fraud risk factors emerge during fieldwork, the file should show that the engagement team revisited its fraud assessment.


Frequently asked questions

What are the four required topics for the fraud brainstorming under ISA 240 (Revised)?

ISA 240 (Revised) paragraph 29 requires the engagement team discussion to cover: (1) how the financial statements may be susceptible to material misstatement due to fraudulent financial reporting, (2) how assets could be misappropriated by employees, (3) how assets could be misappropriated by third parties, and (4) fraud risk factors identified through the risk assessment procedures performed under ISA 315 (Revised 2019) and ISA 240 (Revised).

What is the difference between documenting "matters discussed" and "significant decisions"?

Under the extant standard, documentation focused on the significant decisions reached during the fraud discussion. ISA 240 (Revised) requires documentation of the "matters discussed," which means the file must capture the reasoning, the fraud risk factors considered, and the logic chain from factor to opportunity to risk – not just the conclusions. This aligns with ISA 315 (Revised 2019) paragraph 17, which uses the same formulation.

Is third-party misappropriation a new requirement under ISA 240 (Revised)?

Yes. ISA 240 (Revised) paragraph 29(a)(ii)c. requires the engagement team to exchange ideas about how assets could be misappropriated by third parties. This is entirely new. The extant standard does not mention third-party misappropriation as a required discussion topic. Examples include inventory held at third-party warehouses, cash collected by agents, and digital assets accessible to contractors.

Is the revenue recognition presumption harder to rebut under ISA 240 (Revised)?

Yes. The revised standard adds guidance that the significance of fraud risk factors related to revenue recognition, individually or in combination, ordinarily makes it inappropriate to rebut the presumption. Teams should discuss fraud risk factors related to revenue before deciding on rebuttal. If any fraud risk factors are present (management incentives, investor pressure, performance-based compensation), rebuttal is ordinarily inappropriate.

Who needs to participate in the fraud brainstorming session?

The engagement partner and other key members of the engagement team must participate. ISA 240 (Revised) adds emphasis on including IT expertise in the discussion and, for group audits, considering which component auditor engagement team members should participate. Component teams can contribute in person, by call, or through written input.

Further reading and source references

  • IAASB Handbook 2024: the authoritative source for the complete extant ISA 240 text, including extant paragraphs 15 and A10–A11 on the engagement team discussion.
  • ISA 240 (Revised), as approved March 2025 and certified July 2025: paragraph 29 and supporting application material on the revised engagement team discussion requirements.
  • ISA 315 (Revised 2019), Identifying and Assessing Risks of Material Misstatement: paragraph 17 on the engagement team discussion, which ISA 240 (Revised) now aligns with.
  • AFM, Fraud in Financial Statement Audits (2023): inspection findings on fraud discussion quality across 32 statutory audits.
  • Ciferi glossary: Fraud risk factors – maps each Appendix 1 category to practical examples for non-Big 4 engagements.