Key Takeaways

  • ISA 240 (Revised) paragraphs 48 to 53 require auditors to design journal entry tests that respond to specific assessed fraud risks, not generic risk characteristics. A single template applied across all engagements will no longer satisfy the standard.
  • The accounting estimate bias review must now be explicitly linked to ISA 540 (Revised) and documented as a management override procedure, not buried in the ISA 540 working paper.
  • A new fraud-specific stand-back requirement at completion requires re-evaluation of the fraud risk assessment and override responses in light of cumulative audit evidence.
  • The revised standard requires auditors to incorporate unpredictability into override procedures with specific examples: varying selection methods, timing, and items tested across audit years.

What changed in management override testing and why

The extant ISA 240 paragraph 32 lists management override procedures as a required response on every audit, regardless of assessed risk. That much hasn’t changed. What has changed is how the IAASB expects you to design and document those procedures.

Under the old standard, you could accept records and documents as genuine unless you identified a reason to believe otherwise. ISA 240 (Revised) removes that language entirely. The principle still exists in ISA 200, but the IAASB deliberately took it out of the fraud standard to prevent auditors from treating it as a default posture when assessing override risk. That single deletion changes the baseline. You are no longer starting from a position of trust and looking for contradictions. You are starting from a position of professional scepticism and looking for evidence.

The revised standard also tightens the link between ISA 240 and ISA 315 (Revised 2019). The management override procedures in the revised paragraphs 48 to 53 now require the auditor to design journal entry tests, estimate reviews, and unusual transaction evaluations that respond to the specific fraud risk factors identified during the ISA 315 risk assessment. A generic set of override procedures applied identically across all engagements will no longer satisfy the standard.

Early adoption is permitted. The IAASB encourages jurisdictions to adopt ISA 240 (Revised) and ISA 570 (Revised 2024) as a package.

The revised application material also expands the guidance on unpredictability. Under the extant standard, incorporating an element of unpredictability was a general override response. The revised standard provides specific examples: performing procedures at different locations or on an unannounced basis, using different sampling methods than in prior years, varying the timing of procedures, and selecting items for testing that would not otherwise be expected. For a mid-market firm running 30 similar engagements, that last point matters. If every audit uses the same journal entry selection criteria from the same template, the procedures are predictable. And predictable procedures are exactly what management override exploits.

Journal entry testing: from generic to risk-driven

The extant standard requires you to test journal entries and other adjustments. The revised standard keeps that requirement but adds layers.

First, the selection criteria for journal entries must now respond to assessed fraud risks, not just to generic risk characteristics like entries posted after hours or entries made by senior management. If your risk assessment identifies revenue manipulation as a fraud risk, your journal entry population and selection criteria must specifically target entries affecting revenue accounts. If the risk relates to expense capitalisation, the criteria must target entries moving costs from the income statement to the balance sheet. The AFM’s 2022 position paper on fraud procedures found that audit teams at regular (non-PIE) firms had one or more findings related to the execution of fraud procedures in a significant proportion of reviewed files, with a recurring issue being that teams only plan and perform standard procedures without adapting the nature, timing, and extent to the specific fraud risk.

Second, the revised application material explicitly addresses technology. The IAASB added guidance on using automated tools to test full populations of journal entries rather than samples, and on identifying entries that meet fraud risk criteria through data analytics. For firms already using journal entry testing tools, this formalises what good practice already looks like. For firms still working from Excel-based manual selection, the gap is wider.

Third, the revised standard is more explicit about testing throughout the period, not just at period end. Under the extant ISA 240 paragraph 32(a)(iii), the auditor was already required to consider whether to test entries throughout the year. ISA 240 (Revised) retains this but strengthens the application material to explain why period-end-only testing may miss fraud that accumulates over months.

Accounting estimate bias review: the ISA 540 connection

A retrospective review of accounting estimates for management bias was already required under the extant paragraph 32(b). ISA 240 (Revised) strengthens this by explicitly linking the review to ISA 540 (Revised).

This matters because ISA 540 (Revised) already requires a retrospective review (ISA 540.22) as a risk assessment procedure. The revised ISA 240 clarifies that the two reviews overlap but serve different purposes. ISA 540 looks at estimation effectiveness. ISA 240 looks at bias. The practical implication: you need documentation that shows you considered bias specifically, not just accuracy. A working paper that says “prior year estimates were within an acceptable range” satisfies ISA 540 but does not satisfy the revised ISA 240 unless it also addresses whether the direction of estimation differences (all provisions understated, or all asset valuations optimistic) indicates possible management bias.

The revised application material gives a concrete test. If all estimates are individually reasonable but collectively biased in the same direction, the auditor must reevaluate whether that pattern represents a risk of material misstatement due to fraud. The previous standard said the same thing, but the revised version places it within the management override section, making it impossible to skip during the mandatory override procedures.

For financial ratio analysis, this means the period-on-period trend in provisions, impairments, fair value adjustments, and revenue accruals becomes part of the fraud assessment, not just the analytical review.

Significant unusual transactions and related parties

ISA 240 (Revised) strengthens the link to ISA 550 (Related Parties). Under the extant paragraph 32(c), the auditor had to evaluate business rationale for significant transactions outside the normal course of business. What’s new is the explicit connection: related party involvement in such transactions is a fraud risk factor that the auditor must specifically consider in the override procedures.

Application material now includes examples of how management can use related party transactions to manipulate results. These range from pricing transactions at non-arm’s length terms to routing revenue through related entities to meet targets. If your engagement has material related party transactions, the revised standard expects your override procedures to address them directly, not as a separate ISA 550 exercise disconnected from your fraud assessment.

The new stand-back requirement at completion

ISA 240 (Revised) adds a stand-back requirement before the conclusion of the audit. This mirrors the stand-back in ISA 330 but applies specifically to fraud. The auditor must evaluate whether the assessments of risks of material misstatement (ROMM) due to fraud remain appropriate and whether sufficient appropriate audit evidence has been obtained to respond to those risks.

In practice, this means a documented re-evaluation at completion. If new information emerged during fieldwork (a late adjustment, a change in a key estimate, a related party transaction that was not disclosed at planning), the stand-back requires you to reconsider whether your fraud risk assessment and your override procedures still cover the actual risks. A completion memo that simply states “fraud risk assessment remains unchanged” is unlikely to satisfy this requirement unless the file supports that conclusion.

The stand-back also interacts with the new documentation requirements. ISA 240 (Revised) requires the auditor to document key elements of the understanding obtained, the sources of information, and the risk assessment procedures performed. If fraud or suspected fraud is identified, the auditor must document the procedures performed, the significant professional judgments made, and the conclusions reached.

Worked example: Dijkstra Logistics B.V.

Client profile: Dijkstra Logistics B.V., a Dutch freight forwarding company with €68M revenue, 180 employees, owner-managed. Audit year: 2027 (first year under ISA 240 Revised). Identified fraud risks: management override of controls (presumed) and revenue overstatement through premature recognition of freight bookings.

1. Journal entry testing (risk-driven criteria)

Revenue-related fraud risk drives the selection. Journal entry criteria target: entries crediting revenue accounts posted in the final two weeks of December 2027 and the first week of January 2028, entries posted by the CFO or finance director personally, and entries debiting trade receivables with an offsetting credit to revenue accounts outside the normal billing cycle.

Documentation note

“Journal entry selection criteria designed to respond to assessed fraud risk of premature revenue recognition per ISA 240 (Revised) para. 48. Population: all journal entries affecting revenue accounts in the period 15 December to 7 January. Selection: entries meeting one or more of the following risk criteria [list criteria]. Entries tested using full-population data analytics export from Exact Online.”
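The selection logic in step 1, as an added example (not code from the article or from any vendor tool). The column names, account codes, user ids and the BILLING source value are hypothetical, and the sample rows are constructed. It builds the population of revenue-affecting entries in the 15 December to 7 January window and records which risk criteria each entry meets, so the working paper can support the rationale for every selected item.

```python
import csv
import io
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Constructed sample ledger export; layout and values are assumptions.
SAMPLE = """entry_id,posted,user,source,account,debit,credit
JE-1001,2027-12-10,clerk1,BILLING,1300,5000,0
JE-1001,2027-12-10,clerk1,BILLING,8000,0,5000
JE-1002,2027-12-20,clerk1,BILLING,1300,7200,0
JE-1002,2027-12-20,clerk1,BILLING,8000,0,7200
JE-1003,2027-12-30,cfo,MANUAL,1300,48000,0
JE-1003,2027-12-30,cfo,MANUAL,8000,0,48000
JE-1004,2028-01-05,clerk2,MANUAL,8000,12000,0
JE-1004,2028-01-05,clerk2,MANUAL,2100,0,12000
JE-1005,2027-12-28,findir,MANUAL,4400,900,0
JE-1005,2027-12-28,findir,MANUAL,1100,0,900
"""

WINDOW = (date(2027, 12, 15), date(2028, 1, 7))  # population period from the note
SENIOR_USERS = {"cfo", "findir"}                 # hypothetical user ids
REVENUE_PREFIX = "8"                             # hypothetical chart of accounts
RECEIVABLES = "1300"                             # hypothetical trade receivables
BILLING_SOURCE = "BILLING"                       # stands in for the normal billing cycle

def load_entries(text):
    """Group ledger lines by journal entry id."""
    entries = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        row["posted"] = date.fromisoformat(row["posted"])
        row["debit"] = Decimal(row["debit"])
        row["credit"] = Decimal(row["credit"])
        entries[row["entry_id"]].append(row)
    return entries

def select_entries(entries):
    """Return (population ids, {selected id: criteria met})."""
    population, selected = [], {}
    for entry_id, lines in entries.items():
        head = lines[0]
        rev = [l for l in lines if l["account"].startswith(REVENUE_PREFIX)]
        if not rev or not WINDOW[0] <= head["posted"] <= WINDOW[1]:
            continue  # not in the revenue-affecting population
        population.append(entry_id)
        rev_credit = any(l["credit"] > 0 for l in rev)
        ar_debit = any(l["account"] == RECEIVABLES and l["debit"] > 0 for l in lines)
        hits = []
        if rev_credit:
            hits.append("revenue credit in cut-off window")
        if head["user"] in SENIOR_USERS:
            hits.append("posted by CFO or finance director")
        if rev_credit and ar_debit and head["source"] != BILLING_SOURCE:
            hits.append("receivables/revenue entry outside billing cycle")
        if hits:
            selected[entry_id] = hits
    return population, selected

if __name__ == "__main__":
    population, selected = select_entries(load_entries(SAMPLE))
    print(f"population: {len(population)} entries")
    for entry_id, hits in selected.items():
        print(entry_id, "->", "; ".join(hits))
```

JE-1005 is posted by the finance director but touches no revenue account, so it falls outside this risk-specific population; it would be picked up only by a separate criterion designed for the presumed override risk.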

2. Accounting estimate bias review

Prior year estimates tell the story. The provision for doubtful debts was €180K against a final outturn of €210K. Claims provision: €95K against settlements of €140K. Fuel hedging fair value adjustment: €35K favourable against a realised €12K favourable. All individually within acceptable ranges, but the direction is consistently optimistic.

Documentation note

“Retrospective analysis of FY2026 estimates identified a directional pattern: all provisions were understated relative to outturn. While individually immaterial, the cumulative effect (€42K understatement) and consistent direction indicate possible management bias toward profit overstatement. This is consistent with the assessed revenue overstatement fraud risk. Discussed with engagement partner per ISA 240 (Revised) para. 50. Conclusion: no additional fraud risk identified, but estimate testing in FY2027 will apply heightened scepticism to provision assumptions.”

3. Unusual transactions and related parties

In November 2027, Dijkstra entered a €2.1M subcontracting agreement with Bakker Freight B.V., a company owned by the spouse of Dijkstra’s CEO. The transaction was disclosed as a related party transaction but priced 15% above market rates for equivalent services.

Documentation note

“Significant unusual transaction identified per ISA 240 (Revised) para. 52. Transaction assessed against ISA 550 requirements. Business rationale: management states Bakker Freight was the only provider with available capacity in the relevant corridor. Audit response: obtained independent price quotes from two alternative providers to test arm’s length pricing. Overpricing of approximately €315K identified. Discussed with TCWG. Management adjusted the disclosure but not the transaction amount. Impact on fraud risk assessment documented in stand-back memo.”

4. Stand-back at completion

At completion, the stand-back memo captures: the original fraud risk assessment (revenue overstatement, management override), evidence obtained during fieldwork (journal entry testing found no anomalies, estimate review identified directional bias, related party transaction overpriced), and the updated conclusion that related party pricing manipulation was added as a fraud risk factor. The engagement partner signed off on the updated assessment.

Documentation note

“Stand-back evaluation per ISA 240 (Revised): fraud risk assessments reviewed in light of evidence obtained. Original assessment updated to include related party pricing manipulation. Override procedures were sufficient to identify this risk. No further procedures required. Conclusion documented and approved by engagement partner [date, initials].”

A reviewer would see a file that connects the assessed fraud risks to specific journal entry criteria, links the estimate review to ISA 540 with an explicit bias analysis, addresses the related party transaction as a fraud risk factor (not just an ISA 550 disclosure issue), and concludes with a documented stand-back that updates the original risk assessment.

Practical checklist

  1. Review your journal entry testing template. Does it require the team to design selection criteria that respond to specific assessed fraud risks, or does it use a generic checklist? If generic, redesign before the December 2026 effective date. ISA 240 (Revised) paragraph 48.
  2. Add a directional bias analysis to your estimate review working paper. For each significant estimate, record the prior year estimate, the outturn, and the direction of difference. If the direction is consistently optimistic or pessimistic across multiple estimates, document whether this represents a fraud risk factor. ISA 240 (Revised) paragraph 50.
  3. Cross-reference your ISA 550 related party file to your management override working paper. If material related party transactions exist, your override procedures must address them as potential fraud risk factors. ISA 240 (Revised) paragraph 52.
  4. Build a stand-back section into your completion memo template. This section must document: the original fraud risk assessment, any new information obtained during fieldwork, whether the assessment was updated, and the engagement partner’s conclusion. ISA 240 (Revised) stand-back requirement.
  5. If your firm does not use data analytics for journal entry testing, evaluate whether full-population testing tools would improve your fraud response. The revised application material explicitly references automated tools for this purpose.
  6. Remove any template language that says “records and documents accepted as genuine” from your fraud procedures. That language was removed from ISA 240 (Revised) for a reason.

Common mistakes

  • The AFM’s position paper on insufficient audit procedures in response to fraud risks found that at regular (non-PIE) firms, auditors only plan and perform standard override procedures without adapting them to the specific fraud risk. The revised standard makes this a clear non-compliance, not a quality improvement point.
  • The PCAOB’s 2024 inspection spotlight identified failure to support the rationale for journal entry selection criteria as a recurring deficiency across all firm types. The revised ISA 240 requires the same rigour internationally.
  • Teams frequently perform the ISA 540 retrospective estimate review and the ISA 240 bias review as a single procedure without distinguishing their purposes. Under the revised standard, the bias analysis must be explicitly documented as a management override procedure, not buried in the ISA 540 working paper.


Frequently asked questions

What changed in ISA 240 Revised for management override procedures?

ISA 240 (Revised) requires journal entry tests, estimate reviews, and unusual transaction evaluations to respond to specific assessed fraud risks identified during the ISA 315 risk assessment. A generic set of override procedures applied identically across all engagements will no longer satisfy the standard. The standard also removes the “accept records as genuine” language and adds a fraud-specific stand-back requirement at completion.

How does journal entry testing change under ISA 240 Revised?

Selection criteria for journal entries must now respond to assessed fraud risks, not just generic risk characteristics like entries posted after hours. If the risk assessment identifies revenue manipulation, the selection criteria must specifically target entries affecting revenue accounts. The revised application material also explicitly addresses technology, adding guidance on using automated tools for full-population testing.

How does the accounting estimate bias review connect to ISA 540?

ISA 240 (Revised) explicitly links the management override estimate review to ISA 540 (Revised). The ISA 540 review looks at estimation effectiveness, while the ISA 240 review looks at bias. If all estimates are individually reasonable but collectively biased in the same direction, the auditor must reevaluate whether that pattern represents a fraud risk. The bias analysis must be explicitly documented as a management override procedure.

What is the stand-back requirement for management override?

ISA 240 (Revised) adds a stand-back requirement before the conclusion of the audit that applies specifically to fraud. The auditor must evaluate whether the assessments of risks of material misstatement due to fraud remain appropriate and whether sufficient appropriate audit evidence has been obtained. A completion memo that simply states “fraud risk assessment remains unchanged” is unlikely to satisfy this requirement.

How does ISA 240 Revised address unpredictability in override procedures?

The revised application material provides specific examples of unpredictability: performing procedures at different locations or on an unannounced basis, using different sampling methods than in prior years, varying the timing of procedures, and selecting items for testing that would not otherwise be expected. If every audit uses the same journal entry selection criteria from the same template, the procedures are predictable.

Further reading and source references

  • IAASB: ISA 240 (Revised), The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements, paragraphs 48–53 on management override procedures.
  • ISA 540 (Revised), Auditing Accounting Estimates and Related Disclosures: the companion standard for the retrospective estimate review.
  • ISA 550, Related Parties: the standard that intersects with management override procedures for significant unusual transactions.
  • AFM: Position paper on insufficient audit procedures in response to fraud risks (2022).
  • Management override of controls: Ciferi glossary entry covering the ISA 240 definition and the presumed significant risk.