Key Takeaways
- How to build an implementation plan for ISA 240 (Revised) that prioritises by risk of inspection findings
- Which templates and working papers need to change, with specific paragraph references for each change
- What the transition looks like on a real mid-tier engagement file
- How to handle the resource constraints that non-Big 4 firms face when implementing a standard of this scope
The implementation timeline you're working with
The AFM's 2025 inspection report identified findings in fraud-response audit procedures in 17 of 20 statutory audits at regular audit firms. That's under the current standard. ISA 240 (Revised) raises the bar on engagement team discussions, risk assessment documentation, journal entry testing, and completion procedures. If your firm hasn't started planning, 15 December 2026 will arrive faster than your methodology team can rewrite templates.
ISA 240 (Revised) was approved by the IAASB in March 2025 with a unanimous 16-0 vote. The PIOB certified it on 8 July 2025. It takes effect for audits of financial statements for periods beginning on or after 15 December 2026. For calendar year-end clients, that means your 2027 audits are the first engagements under the revised standard. For June year-end clients, the first engagement is the year ending 30 June 2027.
Early adoption is permitted and the IAASB encourages it, particularly as a package with ISA 570 (Revised 2024) on going concern. The two standards share an effective date and several overlapping requirements (fraud and financial distress are often interrelated, and the IAASB designed them to work together).
For a non-Big 4 firm, the realistic timeline is tight. Big 4 and large network firms will update their global methodologies centrally. Your firm needs to do that work internally, with fewer people and no global methodology team generating materials for you. Start in mid-2026 at the latest.
What regulators are already finding under the current standard
The revised standard didn't emerge in a vacuum. Regulators have been flagging fraud-related deficiencies for years, and the pattern of findings tells you where your implementation effort needs the most weight.
The AFM reviewed 32 statutory audits for fraud risk analysis quality in 2023. The most common deficiencies were failure to specify the presumed risk of fraud in revenue recognition at the assertion level, failure to specify management fraud risk beyond the generic "management override of controls," and insufficient attention to fraud risk factors during engagement team discussions. The AFM stated it would review how audit firms deal with fraud again in 2024, and its 2025 follow-up report identified findings in 17 of 20 regular firm audits and 6 of 12 PIE firm audits.
The FRC's 2022–23 inspection of Tier 2 and Tier 3 firms found going concern and fraud among the top deficiency areas. The FRC found that 38% of inspected audits required significant improvements, and specifically flagged weaknesses in the linkage between journal entry testing and the presumed fraud risk of management override. The FRC also found that 69% of inspected audits had findings related to fraud and journal entry testing (up from 31% in the prior period).
These findings map directly to the areas ISA 240 (Revised) strengthens. Your implementation plan should prioritise them accordingly.
Phase 1: methodology and template changes
Start here. Template changes need to be done before training, because training without updated materials produces confusion. Allow four to six months for this phase.
Engagement team discussion template
ISA 240 (Revised).29 prescribes four topics the engagement team discussion must cover. The extant standard required a discussion but was less specific about content. Your template needs prompts for each of the four topics: how the financial statements may be susceptible to material misstatement due to fraud (including how fraud might be concealed), known fraud risk factors specific to the entity, how assets of the entity might be misappropriated by management or others, and how the engagement team will maintain professional scepticism throughout the engagement.
Build these as separate sections with space for entity-specific responses. A one-paragraph generic discussion note will not survive inspection under the revised standard. Each topic should require the team to document entity-specific observations, not boilerplate.
Fraud risk assessment working paper
The revised standard integrates the fraud risk assessment with ISA 315 (Revised 2019) through a "fraud lens" that runs across the entire risk identification and assessment process. Your working paper needs to map fraud risk factors to specific assertions and accounts, not just list "management override" and "revenue recognition" as two standalone risks.
Add fields for: the entity's susceptibility to management bias (a new requirement with no extant equivalent), the entity's whistleblower programme or reporting mechanism (or a documented note if none exists), any deficiencies in internal control relevant to fraud prevention or detection, and how fraud risk factors relate to inherent risk versus control risk.
The revenue recognition presumption now requires you to identify which types of revenue, transactions, or assertions give rise to the presumed risk. Build this into the template as a mandatory field. Under the extant standard, many files list the presumption without specifying what it attaches to. The AFM flagged exactly this gap in 2023.
Practical tip: fraud lens integration
Add a fraud lens integration column to your ISA 315 risk assessment working paper. For each identified risk, the column prompts the team to consider whether fraud risk factors are present and how they affect the risk assessment at the assertion level. This avoids treating fraud as a standalone section disconnected from the overall risk assessment.
Professional scepticism documentation
Two principles that auditors have relied on for years are gone from ISA 240. The principle allowing you to accept records as genuine unless you had reason to believe otherwise has been removed (it remains in ISA 200 for general audit purposes, but not in the fraud context). The qualifier allowing recognition of "past experience of the honesty and integrity of management" has also been deleted.
Remove any standard wording in your templates that references either principle. If your risk assessment template contains "no conditions identified to suggest records are not genuine," replace it with a prompt that requires the team to document what conditions they considered and why authenticity was not in question.
Journal entry testing approach
The revised standard adds practical guidance on journal entry testing, including the use of automated tools and techniques to identify unusual or high-risk entries. If your firm still selects journal entries manually based on amount alone, the revised standard expects more. The application material covers selection criteria linked to fraud risk factors, automated extraction of the full population, risk-based identification of unusual entries, and testing throughout the period (not just year-end).
For firms without specialised audit software, the minimum change is documenting risk-based selection criteria linked to your fraud risk assessment. For firms with access to data analytics tools (even Excel-based), consider building a standard journal entry analysis that flags entries meeting defined risk criteria: entries by senior management, entries outside normal posting patterns, manual entries above a threshold, and entries to unusual account combinations.
The FRC's 2022–23 inspection reported findings on journal entry testing in 69% of inspected Tier 2 and Tier 3 audits, up from 31% in the prior period. The most common deficiency was weak linkage between the journal entry testing approach and the presumed fraud risk of management override. Under the revised standard, that linkage must be explicit. Your journal entry selection criteria should trace directly to the fraud risk factors identified in your risk assessment.
Practical tip: journal entry testing with Excel
For mid-tier firms working with clients on standard Dutch accounting software (Exact, Afas, Twinfield), the full journal entry population is typically exportable as a CSV or Excel file. The revised standard doesn't mandate expensive audit analytics platforms. It mandates a documented, risk-linked approach. Export the complete journal entry listing, apply risk-based filters, document the filter criteria and their link to the fraud risk assessment, select entries for testing from the filtered population, and document the rationale for entries tested and not tested.
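The export-and-filter procedure described above, applied to a full journal entry population, as an added example that is not part of the original guide or any firm's methodology. The CSV column names, user IDs, the 07:00-19:00 weekday posting window, the threshold and the "rare pair" cut-off are assumptions; the four criteria are the ones listed in the journal entry testing section.

```python
import csv
import io
from collections import Counter
from datetime import datetime
from decimal import Decimal

# Constructed sample export; column names are assumptions, not a vendor format.
SAMPLE_CSV = """entry_id,posted_at,user,source,debit_account,credit_account,amount
JE001,2026-03-03 10:15,clerk1,system,1300,8000,12500.00
JE002,2026-03-04 11:02,clerk1,system,1300,8000,8400.00
JE003,2026-03-05 09:40,clerk2,system,1300,8000,15250.00
JE004,2026-06-13 23:41,clerk2,manual,1300,8000,3100.00
JE005,2026-09-15 14:20,cfo,manual,1300,8000,95000.00
JE006,2026-12-31 16:05,clerk1,manual,2100,8000,60000.00
JE007,2026-12-30 10:30,clerk2,manual,4400,1600,1200.00
JE008,2026-11-10 13:00,clerk1,system,4400,1600,980.00
"""

# Each criterion records the fraud risk it traces to (wording is illustrative).
CRITERIA = {
    "SENIOR": "Management override: entry posted by senior management",
    "OFF_PATTERN": "Management override: posted at weekend or outside 07:00-19:00",
    "MANUAL_LARGE": "Management override: manual entry at or above threshold",
    "RARE_PAIR": "Management override: unusual debit/credit account combination",
}


def analyse_journal(csv_text, senior_users, manual_threshold, rare_pair_max=1):
    """Flag entries in the complete population and return a documentable result."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    threshold = Decimal(str(manual_threshold))
    # Pair frequency is computed over the full population, not a sample.
    pairs = Counter((r["debit_account"], r["credit_account"]) for r in rows)
    flagged = {}
    for r in rows:
        posted = datetime.strptime(r["posted_at"], "%Y-%m-%d %H:%M")
        hits = []
        if r["user"].lower() in senior_users:
            hits.append("SENIOR")
        if posted.weekday() >= 5 or not 7 <= posted.hour < 19:
            hits.append("OFF_PATTERN")
        if r["source"] == "manual" and Decimal(r["amount"]) >= threshold:
            hits.append("MANUAL_LARGE")
        if pairs[(r["debit_account"], r["credit_account"])] <= rare_pair_max:
            hits.append("RARE_PAIR")
        if hits:
            flagged[r["entry_id"]] = hits
    return {
        "population": len(rows),
        "parameters": {"senior_users": sorted(senior_users),
                       "manual_threshold": str(threshold),
                       "rare_pair_max": rare_pair_max},
        "criteria": CRITERIA,
        "flagged": flagged,  # entry_id -> criteria met (selection rationale)
        "not_flagged": [r["entry_id"] for r in rows if r["entry_id"] not in flagged],
    }


if __name__ == "__main__":
    result = analyse_journal(SAMPLE_CSV, {"cfo"}, 50000)
    for entry_id, hits in result["flagged"].items():
        print(entry_id, "; ".join(CRITERIA[h] for h in hits))
```

The returned dictionary holds the population size, the parameters used, the criteria text and the flagged and unflagged entry IDs, which is the material the working paper needs to show why entries were or were not selected.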
Completion stand-back
ISA 240 (Revised) introduces a fraud-specific stand-back requirement. Near the end of the audit, the engagement partner must evaluate whether the fraud risk assessment remains appropriate and whether sufficient appropriate audit evidence has been obtained. Add this as a mandatory sign-off step in your completion checklist, with a prompt requiring the partner to reference specific audit evidence reconsidered and document the conclusion.
Representation letter
Two changes. First, management must confirm they have "appropriately fulfilled" their responsibilities for internal control over fraud prevention and detection (the extant standard required only an acknowledgement). Second, the threshold for representations about fraud involving others drops from "material" to "any matters that could have an effect on the financial statements." Update your standard representation letter template and brief engagement teams on why the wording changed.
Auditor's report (if ISA 701 applies)
Where ISA 701 applies, the revised standard requires fraud-related key audit matters. Draft two template KAM paragraphs (one for management override, one for revenue recognition) as starting points. Most engagement teams will customise from these templates rather than drafting from scratch.
Phase 2: training your teams
Template changes without training produce updated documents filled with old thinking. Allow two to four months for training, overlapping with the final stages of Phase 1.
What to cover
The two deleted principles (genuineness of records, past experience of management's honesty) need specific attention because they've been embedded in audit culture for decades. Teams need to understand what has changed and why, not just see a revised template.
The fraud lens concept requires explanation because it changes how teams think about risk assessment, not just what they document. Walk through a real engagement file and show where the ISA 315 risk assessment now needs fraud-specific considerations at each stage.
The stand-back requirement is new, and teams will underestimate it unless they see what it looks like on a real file. Use a worked example showing an engagement partner reconsidering cumulative evidence at completion.
How to deliver it
For a non-Big 4 firm, a half-day workshop per office is realistic. Build it around a case study (a fictional mid-market client with fraud risk factors present) and have teams work through the updated templates with the case facts. This produces better retention than slides.
Run the workshop before the first engagements under the revised standard, ideally during your firm's annual training cycle in the second half of 2026. Partners and managers need the workshop first, because they'll be reviewing files against the new requirements.
Phase 3: first-year execution
Pilot on two or four engagements
Select a small number of engagements to pilot the updated templates in the first cycle. Choose engagements with enough fraud risk complexity to test the templates properly (a construction company with long-term contracts, a retail entity with high-volume transactions, a holding company with intercompany activity). Avoid piloting on the simplest engagements in the portfolio, because that won't surface template gaps.
Real-time quality review
Assign an experienced partner or director to review the pilot files during fieldwork, not after sign-off. The goal is to catch template gaps and misunderstandings while there's still time to fix them. Feed findings back into the templates before rolling them out firm-wide.
Post-season debrief
After the first cycle, collect feedback from every engagement team that used the new templates. Common questions will reveal where training was insufficient or where templates need additional guidance. Update both before the second cycle.
Worked example: implementing at a 15-partner firm
Firm scenario: Jansen & Partners, a 15-partner audit firm in the Netherlands with 85 audit staff, 120 statutory audit clients, SRA member, no proprietary audit software (uses CaseWare and Excel), annual training budget of €45K.
Phase 1 (January–June 2026)
The firm's methodology partner and one senior manager form a two-person project team. They spend 40 hours each over six months reviewing the revised standard, mapping changes to the firm's existing templates, and producing updated working papers. Total cost: approximately €12K in opportunity cost (80 hours at blended rates).
Implementation note: The project team starts with the engagement team discussion template because the AFM has already flagged this area. They build four section prompts based on ISA 240 (Revised).29, with entity-specific response fields. The fraud risk assessment working paper gets a fraud lens integration column that maps fraud risk factors to ISA 315 assertions.
Phase 2 (September–October 2026)
Two half-day workshops, one for partners and managers (35 people) and one for seniors and staff (50 people). Built around a case study: Brouwer Installatie B.V., a mechanical installation company with €28M revenue, percentage-of-completion contracts, and a new financial controller. Total cost: approximately €8K (trainer time plus materials plus half-day of staff time).
Implementation note: The partners and managers workshop focuses on the stand-back requirement and the changed representation letter. The seniors and staff workshop focuses on journal entry testing criteria and the fraud lens in risk assessment. Both groups work through the Brouwer Installatie case using the updated templates.
Phase 3 (January–March 2027)
Four pilot engagements selected: a construction company (€62M revenue), a wholesale distributor (€41M revenue), a technology services company (€23M revenue), and a manufacturing entity (€88M revenue). The methodology partner reviews each file at interim and completion. Template adjustments made after the first two completions.
Implementation note: The pilot surfaces two gaps. First, the fraud risk assessment template doesn't have enough space for the whistleblower programme documentation (most smaller clients don't have formal programmes, and teams need room to document why the absence matters). Second, the stand-back prompt needs an example of what a completed stand-back looks like, because two of the four engagement partners wrote a single generic sentence.
Implementation checklist
- Map ISA 240 (Revised) requirements to your firm's current methodology and identify every section that needs updating. Do this first. It takes one person approximately 20 hours.
- Update the engagement team discussion template with the four ISA 240 (Revised).29 topics. Build entity-specific response fields, not generic tick boxes. This is the highest-priority template because regulators are already flagging discussion quality.
- Rebuild your fraud risk assessment working paper to integrate the fraud lens with ISA 315 (Revised 2019). Add mandatory fields for management bias susceptibility, whistleblower programme status, fraud-related control deficiencies, and assertion-level mapping of the revenue recognition presumption.
- Remove all references to "accept records as genuine" and "past experience of management's honesty" from your templates. Replace with prompts that require documentation of conditions considered.
- Document your firm's approach to journal entry testing under the revised standard: selection criteria linked to fraud risk factors, full population extraction (even if manual), and testing throughout the period where risk factors warrant it.
- Add a fraud-specific stand-back to your completion checklist with a prompt requiring the engagement partner to reference specific evidence reconsidered and document the conclusion with reasoning.
Common mistakes during transition
- Updating templates without training. The AFM's 2025 inspection report found that the most common gap was insufficient depth in the execution of fraud procedures, not their design. New templates won't fix execution problems unless teams understand what the revised standard actually requires.
- Treating the engagement team discussion as a tick-box exercise. ISA 240 (Revised).29 requires entity-specific content across four topics. The FRC's Tier 2 and Tier 3 inspection found that 38% of inspected audits required significant improvements, and many findings traced back to superficial engagement team discussions.
- Underestimating the journal entry testing change. The FRC reported findings on journal entry testing in 69% of inspected audits in 2022–23. The revised standard's guidance on automated tools and risk-based selection criteria means firms can't rely on selecting 25 entries by amount from the year-end population.
Frequently asked questions
When does ISA 240 (Revised) take effect?
ISA 240 (Revised) takes effect for audits of financial statements for periods beginning on or after 15 December 2026. For calendar year-end clients, the 2027 audit is the first engagement under the revised standard. Early adoption is permitted and encouraged alongside ISA 570 (Revised 2024).
What are the biggest changes for non-Big 4 firms?
The most significant changes are the structured engagement team discussion with four mandatory topics, the fraud lens integration with ISA 315 risk assessment, removal of the principle allowing auditors to accept records as genuine, enhanced journal entry testing requirements with risk-based selection criteria, a new fraud-specific completion stand-back, and updated representation letter wording.
Do I need specialised audit software for journal entry testing under ISA 240 (Revised)?
No. The revised standard does not mandate specific software. It requires a documented, risk-linked approach to journal entry testing. For firms using standard accounting software (Exact, Afas, Twinfield), the full journal entry population is typically exportable as CSV or Excel. What matters is defined risk-based selection criteria linked to the fraud risk assessment, not the tool used to apply them.
How long should Phase 1 (methodology and template changes) take?
Allow four to six months for Phase 1. The work involves mapping every requirement change to your current methodology, updating engagement team discussion templates, rebuilding the fraud risk assessment working paper, revising journal entry testing procedures, adding the completion stand-back, and updating the representation letter. For a mid-tier firm, this typically requires a two-person project team spending approximately 80 hours total.
Can I adopt ISA 240 (Revised) early?
Yes. Early adoption is permitted. The IAASB encourages early adoption as a package with ISA 570 (Revised 2024), recognising that fraud and financial distress are often interrelated risks. Both standards share the 15 December 2026 effective date.
Further reading and source references
- IAASB: ISA 240 (Revised), The Auditor's Responsibilities Relating to Fraud in an Audit of Financial Statements (approved March 2025, PIOB certified July 2025).
- AFM: 2025 Inspection Report on fraud risk analysis quality at regular audit firms.
- FRC: 2022–23 Tier 2 and Tier 3 inspection findings on fraud and journal entry testing.
- ISA 315 (Revised 2019), Identifying and Assessing Risks of Material Misstatement: the risk assessment framework that ISA 240 (Revised) integrates through the fraud lens.
- ISA 570 (Revised 2024), Going Concern: the companion standard sharing the same effective date.