Your fraud brainstorming template probably has two sections: one for revenue recognition and one for management override of controls. The engagement team ticks the boxes, writes a paragraph of conclusions, and moves on. It's SALY with better narratives each year. The AFM reviewed 32 statutory audits in 2023 and found that teams routinely failed to specify how management could actually commit fraud in the context of their specific client. ISA 240 (Revised) rewrites the rules for this discussion. If your template hasn't changed, your next file under the revised standard will have a gap.

ISA 240 (Revised), effective for periods beginning on or after 15 December 2026, expands the engagement team fraud discussion under paragraph 29 to require explicit consideration of third-party misappropriation and specific fraud risk factors, along with documentation of the “matters discussed” rather than just the “significant decisions” reached.

Key Takeaways

  • You’ll understand exactly what ISA 240 (Revised) paragraph 29 adds to the engagement team fraud discussion compared to extant paragraph 15
  • You’ll be able to restructure your fraud brainstorming session to cover the four categories now required (fraudulent financial reporting, employee misappropriation, third-party misappropriation, and fraud risk factors)
  • You’ll know what “matters discussed” means for documentation and how it differs from “significant decisions”
  • You’ll have a worked example showing how a mid-tier firm runs a compliant fraud discussion under the revised standard

What changed in the engagement team discussion requirement

Extant ISA 240.15 requires the engagement partner (EP) and other key members of the engagement team to discuss the susceptibility of the entity’s financial statements (FS) to material misstatement due to fraud, and how and where the FS may be susceptible. Application material in extant ISA 240.A10–A11 suggests topics the discussion “may include,” such as an exchange of ideas about how fraud might occur and the risk of management override of controls.

ISA 240 (Revised) paragraph 29 converts several of those suggestions into requirements. The discussion must now explicitly include how the entity’s FS may be susceptible to material misstatement due to fraud, including through fraudulent financial reporting, misappropriation of assets by employees, misappropriation of assets by third parties (this is new), and fraud risk factors identified through risk assessment procedures. The team must discuss those factors as identified under both ISA 315 (Revised 2019) and ISA 240 (Revised).

The wording matters. Under the extant standard, we've seen most firms treat the fraud discussion as a planning checklist. The EP raises revenue recognition and management override, possibly adds a client-specific risk. The team agrees. Someone writes it up. Under the revised standard, the discussion must cover specific categories of fraud, and the documentation must capture what was discussed, not just what was decided. That’s the shift from “significant decisions” to “matters discussed.”

The IAASB’s Basis for Conclusions explains that this change was made to align the engagement team discussion requirement with ISA 315 (Revised 2019) paragraph 17, which uses the same “matters discussed” formulation for the broader risk assessment discussion. The alignment is deliberate. Fraud isn’t a standalone planning step anymore. It’s a lens applied to the entire ISA 315 risk assessment process.

Third-party misappropriation: the new category most teams will miss

ISA 240 (Revised) paragraph 29(a)(ii)c. requires the engagement team to exchange ideas about how assets could be misappropriated by third parties. This is entirely new. The extant standard doesn’t mention third-party misappropriation as a required discussion topic.

Why does this matter? Think about what it covers: inventory held at third-party warehouses or on consignment at customer premises, cash collected by third-party agents, digital assets accessible to contractors or external IT providers, and financial instruments held by custodians. For a manufacturing client with €30M of inventory across four third-party logistics providers, the risk that one of those providers misappropriates stock is real and auditable. Most current fraud brainstorming templates don’t prompt the team to consider it.

The supporting application material (ISA 240 (Revised) paragraph A84) explains that the auditor’s understanding of the entity’s risk assessment process may include consideration of the entity’s own assessment of its susceptibility to third-party fraud. If the entity has assessed this risk, you’re documenting their assessment and your evaluation of it. If they haven’t, that gap itself is a finding worth recording.

At firms working in sectors with significant third-party exposure (logistics, retail with franchise models, entities holding assets in custody, or entities using third-party collection agents), this requirement will add genuine substance to the fraud discussion. For entities with minimal third-party asset exposure, a brief documented assessment explaining why the risk is low will satisfy the requirement. Either way, the discussion must happen and the documentation must reflect it.

Fraud risk factors: from checklist to conversation

The extant standard requires you to consider fraud risk factors when identifying risks of material misstatement due to fraud. ISA 240 (Revised) strengthens this by requiring the engagement team discussion to explicitly include fraud risk factors identified through the risk assessment procedures performed.

The practical difference is this: under the extant standard, in our experience about half of teams treat the Appendix 1 fraud risk factor examples as a checklist. The EP runs down the list during planning, ticks which factors are present, and maps them to fraud risks. Under the revised standard, the fraud risk factors must be discussed in the engagement team discussion, not just assessed by the EP in isolation. The team needs to talk about which factors are present for this specific client and why, and what those factors mean for how fraud could occur and how the team plans to respond.

The revised standard also adds new guidance on the relationship between fraud risk factors and inherent risk and control risk. Fraud risk factors are conditions or events that indicate an incentive or pressure to commit fraud, or an opportunity to do so. They’re not fraud risks themselves. A fraud risk factor (the CFO has a bonus tied to reported EBITDA) combined with an opportunity (the CFO can post manual journal entries without a second approval) creates a fraud risk (management manipulation of EBITDA through manual entries). Your brainstorming should follow that logic: identify the factor and the opportunity, then articulate the fraud risk. That chain of reasoning is what “matters discussed” means in the documentation.

The ciferi glossary entry on fraud risk factors maps each Appendix 1 category to practical examples relevant to mid-tier engagements.

The revenue recognition presumption is harder to rebut

ISA 240 (Revised) retains the presumption that there are risks of material misstatement due to fraud in revenue recognition. But it changes the emphasis. New guidance states that the significance of fraud risk factors related to revenue recognition, individually or in combination, ordinarily makes it inappropriate to rebut the presumption.

Under the extant standard, some firms treat rebuttal as a routine exercise. The entity has simple revenue streams and limited management incentives tied to revenue, so the presumption is rebutted. Under the revised standard, the bar is higher. You need to demonstrate not only that the entity has simple revenue streams but also that no fraud risk factors related to revenue recognition are present. The emphasis has shifted from developing a rebuttal argument to evaluating whether the specific circumstances genuinely support one.

For the fraud brainstorming session, this means the team should discuss fraud risk factors related to revenue before deciding whether rebuttal is appropriate. We've seen this on about half the engagements we review: the team will conclude that at least one fraud risk factor exists (management incentives, pressure from investors, performance-based compensation, or covenant requirements). Where that’s the case, the revised standard’s guidance suggests rebuttal is ordinarily inappropriate.

This will affect a significant number of engagements. The AFM’s 2023 fraud risk analysis review found that the presumed fraud risk in revenue recognition was “often not recognised” across the 32 audits reviewed. The revised standard directly responds to that finding. Honestly, the rebuttal conversation has always been uncomfortable: nobody wants to be the person who argues the presumption should stay when the EP has already decided to rebut it. The revised standard at least gives you something concrete to point to.

Who needs to be in the room

The extant standard requires the EP and “other key members of the engagement team” to participate in the discussion. ISA 240 (Revised) keeps this requirement but adds emphasis on two areas.

First, the revised standard highlights the importance of IT expertise in the fraud discussion. Application material notes the relevance of considering changes in the entity’s IT environment during risk assessment and the potential to use automated tools to facilitate the discussion. For mid-tier firms without dedicated IT audit specialists, this means either including someone with relevant IT knowledge or documenting why IT risk isn’t significant for the specific engagement.

Second, for group audits, the IAASB’s Basis for Conclusions notes that the discussion should consider which component auditor engagement team members to include. ISA 240 (Revised) paragraph 29’s requirement applies to the group engagement team’s consideration of fraud, and the component auditor’s knowledge of local conditions and industry-specific fraud risk factors can be directly relevant. If your group audit fraud brainstorming doesn’t include component teams (even by call or written input), the revised standard will make that omission more visible.

Worked example: running a fraud brainstorming for Van der Berg Holding N.V.

Van der Berg Holding N.V. is a Dutch holding company with four subsidiaries operating in food distribution. Consolidated revenue is €112M. The group employs 340 people across the Netherlands and Belgium. The engagement is in its second year. The previous year’s fraud discussion working paper contains a single page with two risks identified: revenue recognition and management override.

The brainstorming session under ISA 240 (Revised)

The participants were engagement partner M. ten Brink, senior auditor S. Vermeulen, staff auditors P. Hendriks and A. Claessens (the Belgian subsidiary lead). The session was held on 3 October 2027 and lasted 55 minutes.

Documentation note: Record participants, date, duration, and the format of the discussion. The “matters discussed” requirement means the file should show that a genuine discussion took place, not that a template was completed.

1. Fraudulent financial reporting

The team discussed the following fraud risk factors. The holding company’s bank covenants require a minimum EBITDA of €8.5M. Consolidated EBITDA for the prior year was €9.1M, leaving a margin of €600K. This creates incentive pressure on management to maintain or overstate EBITDA. The CFO prepares the consolidation entries without a secondary review. Two of the four subsidiaries use different ERP systems, and consolidation adjustments are made in Excel. The team identified a fraud risk: manipulation of consolidation entries to inflate EBITDA, specifically through intercompany elimination adjustments and cost allocation between subsidiaries.

Documentation note: The fraud risk factor (covenant pressure) is linked to the opportunity (unreviewed consolidation entries) to articulate a specific fraud risk. This factor-to-opportunity-to-risk chain is what the revised standard expects in the working papers (WPs).

2. Misappropriation of assets by employees

The team discussed cash handling at the two retail distribution centres. Daily cash receipts average €15K per centre. Cash is counted by the warehouse supervisor and deposited by the same person. No segregation of duties exists for amounts below €5K. The team identified this as a fraud risk for the assertion of completeness of cash receipts, though the potential misstatement amount (estimated at €50K annually even in a worst case) is below performance materiality (PM) of €220K. The team assessed this risk as present but not significant.

Documentation note: Document the assessment even where the risk is below materiality. The revised standard’s “matters discussed” requirement means the team’s reasoning should be visible.

3. Misappropriation of assets by third parties

The team discussed the group’s use of third-party cold storage facilities for perishable inventory. Two facilities in Rotterdam hold approximately €6.8M of frozen goods at year-end. The entity receives monthly stock confirmations from the facility operators but conducts physical counts only annually, in March (three months after year-end). The team identified a fraud risk: overstatement of inventory held at third-party locations, particularly given the €6.8M balance and the reliance on management-obtained confirmations without independent verification between annual counts.

Documentation note: This is the new ISA 240 (Revised) paragraph 29(a)(ii)c. category. The team considered assets held by third parties and articulated a specific risk.

4. Fraud risk factors and revenue recognition

The team considered the revenue recognition presumption. Van der Berg’s revenue consists of food product sales to supermarket chains under framework contracts. Pricing is set annually. Volume bonuses are calculated quarterly. The team discussed whether the presumption could be rebutted. Two fraud risk factors are present: the EBITDA covenant creates incentive to overstate revenue, and the volume bonus calculations involve estimates based on projected volumes. The team concluded that rebuttal is inappropriate given the presence of these fraud risk factors, consistent with the revised standard’s guidance that fraud risk factors ordinarily make rebuttal inappropriate. Revenue recognition (specifically: cut-off and valuation of volume bonus accruals) remains an identified fraud risk.

Documentation note: Under the revised standard, the team should document the fraud risk factors considered before deciding on rebuttal, not after.

5. Whistleblower programme

Van der Berg has a whistleblower policy adopted in 2024 following the Wet bescherming klokkenluiders (Dutch Whistleblower Protection Act). One report was received in the prior year concerning employee expense claims. Management investigated and found the claim substantiated (€3.2K). The team documented their understanding of the programme and considered whether the one report indicated broader control weaknesses.

Documentation note: New requirement under ISA 240 (Revised). Document the understanding obtained, including whether any reports have been received and how the entity responded.

Conclusion of the discussion

Four fraud risks were identified: (1) manipulation of consolidation entries to inflate EBITDA, (2) misappropriation of cash receipts at distribution centres (present but not significant), (3) overstatement of third-party held inventory, and (4) revenue cut-off and volume bonus accrual valuation. Management override of controls was assessed as a significant risk at the financial statement level.

Your implementation checklist

  1. Restructure your fraud brainstorming template into four required discussion categories: fraudulent financial reporting, employee misappropriation, third-party misappropriation, and fraud risk factors. Each category needs space for the matters discussed, not just a conclusion field.
  2. Add a specific prompt for third-party misappropriation. For each entity, identify assets held by or accessible to third parties and document the team’s assessment of how those assets could be misappropriated (ISA 240 (Revised) paragraph 29(a)(ii)c.).
  3. Change your template’s documentation heading from “significant decisions” to “matters discussed.” This isn’t cosmetic. Every section should capture the reasoning and the fraud risk factors considered, not only the risks identified.
  4. For revenue recognition, reorder your template so that fraud risk factors related to revenue are discussed before the rebuttal assessment. If any fraud risk factors are present, your template should flag that rebuttal is ordinarily inappropriate under the revised standard.
  5. Add a whistleblower programme section to your planning working papers. Record whether the entity has a programme and any reports received. Document the entity’s response to any reports and the implications for the control environment where no programme exists.
  6. For group audits, decide which component team members will participate in the fraud discussion (in person, by call, through written input, or via a pre-meeting questionnaire). Document their participation and any component-specific fraud risk factors they raised.

Common mistakes to watch for

  • The AFM’s January 2025 report on fraud audit procedures found insufficient professional scepticism in 6 of 32 reviewed statutory audits, characterised by multiple procedural findings combined with no follow-up of contraindications. The revised standard’s requirement to document “matters discussed” is designed to make the quality of the fraud discussion visible to reviewers. A one-paragraph conclusion won’t demonstrate scepticism.
  • Treating the fraud discussion as a planning-only event. Extant ISA 240.A12 already notes that further discussions may be beneficial at later stages. ISA 240 (Revised) reinforces this by requiring communication with management and those charged with governance (TCWG) about fraud matters at appropriate times throughout the audit. If new fraud risk factors emerge during fieldwork, the file should show that the engagement team revisited its fraud assessment.

Frequently asked questions

What are the four required topics for the fraud brainstorming under ISA 240 (Revised)?

ISA 240 (Revised) paragraph 29 requires the engagement team discussion to cover: (1) how the financial statements may be susceptible to material misstatement due to fraudulent financial reporting, (2) how assets could be misappropriated by employees, (3) how assets could be misappropriated by third parties, and (4) fraud risk factors identified through the risk assessment procedures performed under ISA 315 (Revised 2019) and ISA 240 (Revised).

What is the difference between documenting "matters discussed" and "significant decisions"?

Under the extant standard, documentation focused on the significant decisions reached during the fraud discussion. ISA 240 (Revised) requires documentation of the "matters discussed," which means the file must capture the reasoning, the fraud risk factors considered, the logic chain from factor to opportunity to risk, and the team's response to each identified risk – not just the conclusions. This aligns with ISA 315 (Revised 2019) paragraph 17, which uses the same formulation.

Is third-party misappropriation a new requirement under ISA 240 (Revised)?

Yes. ISA 240 (Revised) paragraph 29(a)(ii)c. requires the engagement team to exchange ideas about how assets could be misappropriated by third parties. This is entirely new. The extant standard does not mention third-party misappropriation as a required discussion topic. Examples include inventory held at third-party warehouses, cash collected by agents, financial instruments held by custodians, and digital assets accessible to contractors.

Is the revenue recognition presumption harder to rebut under ISA 240 (Revised)?

Yes. The revised standard adds guidance that the significance of fraud risk factors related to revenue recognition, individually or in combination, ordinarily makes it inappropriate to rebut the presumption. Teams should discuss fraud risk factors related to revenue before deciding on rebuttal. If any fraud risk factors are present (management incentives, investor pressure, performance-based compensation, or covenant requirements), rebuttal is ordinarily inappropriate.

Who needs to participate in the fraud brainstorming session?

The engagement partner and other key members of the engagement team must participate. ISA 240 (Revised) adds emphasis on including IT expertise in the discussion and, for group audits, considering which component auditor engagement team members should participate. Component teams can contribute in person, by call, through written input, or via a pre-meeting questionnaire.

Further reading and source references

  • IAASB Handbook 2024 is the authoritative source for the complete extant ISA 240 text, including extant paragraphs 15 and A10–A11 on the engagement team discussion.
  • ISA 240 (Revised), as approved March 2025 and certified July 2025, covers paragraph 29 and supporting application material on the revised engagement team discussion requirements.
  • ISA 315 (Revised 2019), Identifying and Assessing Risks of Material Misstatement, paragraph 17 on the engagement team discussion, which ISA 240 (Revised) now aligns with.
  • AFM, Fraud in Financial Statement Audits (2023), covers inspection findings on fraud discussion quality across 32 statutory audits.
  • The ciferi glossary entry on fraud risk factors maps each Appendix 1 category to practical examples for mid-tier engagements.