ISA 240 (Revised) Stand-back Evaluation: What It Requires and How to Document It

The revised ISA 240 introduces a requirement that has no equivalent in the current standard. Before the engagement partner signs off, they must step back from the detail and evaluate whether the fraud risk assessment still holds and whether the evidence obtained is enough. If you're looking for this in the extant ISA 240, you won't find it.

The ISA 240 (Revised) stand-back evaluation at paragraph 54 requires the engagement partner to evaluate, near completion, whether fraud risk assessments remain appropriate in light of all audit evidence obtained and whether sufficient appropriate audit evidence has been obtained in response to those assessed risks.

What changed and why it matters

Under the current ISA 240, the engagement partner has no explicit requirement to step back at completion and re-evaluate whether the fraud risk assessment is still appropriate. The current standard requires ongoing communication and evaluation of evidence as it comes in, but it never forces a single, documented moment where the partner asks: "Given everything we now know, does our original fraud risk assessment still make sense?"

ISA 240 (Revised) changes this. Paragraph 54 creates two new evaluation requirements, positioned at the completion stage, that apply to every engagement. These are not tick-box confirmations. They require the engagement partner to form a judgment based on the totality of audit evidence obtained across the entire engagement, not just from the fraud-specific procedures.

The distinction matters. Evidence relevant to fraud risk comes from everywhere in the audit: from substantive testing of balances, from analytical procedures, from discussions with management, from group audit communications, from the work of component auditors. The current standard does not require the partner to pull all of this together into one fraud-specific evaluation at completion. The revised standard does.

Before (current ISA 240)

No explicit completion-stage evaluation of whether fraud risk assessments remain appropriate. The partner reviews the file, signs off on individual working papers, but no single step forces a full reassessment of the fraud risk picture. Fraud-related evidence obtained during substantive testing might be noted on the relevant working paper but never formally connected back to the fraud risk assessment.

After (ISA 240 Revised, paragraph 54)

The engagement partner must evaluate whether the assessments of risks of material misstatement due to fraud remain appropriate (paragraph 54(a)) and whether sufficient appropriate audit evidence has been obtained in response to the assessed risks (paragraph 54(b)). Both evaluations must be documented. Both are directed at the engagement partner specifically, not at the engagement team generally.

Effective date

ISA 240 (Revised) is effective for audits of financial statements for periods beginning on or after 15 December 2026. Early adoption is permitted where national law or regulation allows.

What you actually need to do on a real file

Add two documented steps to your completion procedures. The first is a narrative assessment of whether any evidence obtained during the audit (from any source, not just fraud-specific procedures) changes the fraud risk picture established at planning. The second is a sufficiency assessment: looking across all fraud risks, does each one have a documented response with evidence that goes beyond inquiry? If either assessment reveals a gap, you cannot sign the opinion until additional procedures are performed.

This is not something you can delegate to the audit senior and review later. Paragraph 54 is directed at the engagement partner. The partner must perform the evaluation, not just approve someone else's work.

How the fraud stand-back differs from the ISA 330 stand-back

ISA 330.25-26 already requires a stand-back evaluation at completion: the auditor must conclude whether sufficient appropriate audit evidence has been obtained in aggregate. This is a general evaluation covering all risks (error and fraud combined) across all assertions. Many firms already have this documented in their completion working papers.

The ISA 240 (Revised) stand-back is different in four ways.

First, it is fraud-specific. You are not evaluating evidence sufficiency across the whole audit. You are evaluating whether your fraud risk picture is still accurate and whether your fraud responses produced enough evidence. The focus is narrower but the standard of documentation is higher.

Second, it is directed specifically at the engagement partner. ISA 330 does not specify who performs the stand-back. ISA 240 (Revised) does. The partner cannot delegate this to a manager who prepares a summary for partner review. The partner must form and document their own judgment.

Third, it has two limbs (risk reassessment plus evidence sufficiency) rather than the single evidence-sufficiency question in ISA 330. The first limb asks whether the risks you identified are still the right risks. The second asks whether the evidence you obtained is enough. These are distinct questions requiring distinct analysis.

Fourth, it considers whether information from other audit procedures (not just fraud procedures) affects the fraud risk assessment. Evidence obtained during substantive testing, discussions with management, or group audit communications might reveal something that changes the fraud risk picture. The ISA 330 stand-back does not require this cross-pollination between workstreams. The ISA 240 (Revised) stand-back does.

Document them separately. If an inspector opens your file and sees only the ISA 330 stand-back, the ISA 240 (Revised) requirement is not satisfied. Two separate evaluations, two separate conclusions, two separate sign-offs.

The two limbs of paragraph 54

Paragraph 54(a): do fraud risk assessments remain appropriate?

This is a reassessment question. You go back to the fraud risk register and ask whether everything you now know (from every part of the audit, not just fraud procedures) changes any of the following: the risks you identified, the level at which you assessed them (financial-statement level versus assertion level), or the assertions affected.

Common triggers for changing the assessment include: unexpected results from analytical procedures near completion, inconsistencies between management representations and audit evidence, information from component auditors in a group engagement, findings during journal entry testing that suggest a pattern, estimates that show cumulative directional bias across multiple periods, and significant unusual transactions where the business rationale does not hold up under scrutiny.

If the assessment changes, document what changed and why. Then determine what additional procedures are needed and perform them before concluding.

If the assessment does not change, the documentation is still required. A one-sentence confirmation is not enough. The partner should document what evidence was considered and why the original assessment remains appropriate. "I reviewed the audit evidence obtained and confirm the fraud risk assessment remains appropriate" is insufficient. "I reviewed the results of journal entry testing (no exceptions), the estimates retrospective review (consistent directional understatement of provisions noted, assessed as within tolerable range), the significant unusual transactions evaluation (one related-party transaction evaluated, business rationale supported), and analytical procedures at completion (no anomalies identified). No evidence from substantive testing or management discussions changed the fraud risk picture established at planning. The fraud risk assessment remains appropriate" is the level of detail inspectors expect.

Paragraph 54(b): has sufficient appropriate evidence been obtained?

This is a sufficiency question. For each fraud risk in the register, does the response matrix show a completed procedure with evidence that goes beyond inquiry alone? Are there any risks where the only evidence is management's explanation?

This evaluation connects directly to the response matrix. The partner reviews each response row: was the procedure performed as planned? Did the results address the risk? Is the evidence type appropriate (not just inquiry)? Are there any loose ends (for example, a data analytics exception that was noted but never resolved)?

If the evidence is insufficient, you do not sign off. You perform additional procedures or, if additional procedures are not possible, evaluate the effect on the auditor's report under ISA 705.

Where the stand-back sits in the completion workflow

The stand-back at paragraph 54 is the first step in a broader completion sequence. It comes first because everything else depends on it. If the fraud risk assessment has changed, the remaining completion steps must reflect the updated assessment.

A structured evaluation and completion section covers 23 steps in total. The stand-back occupies the first two. What follows is a systematic walk through every remaining fraud-related evaluation the engagement partner must perform or review before signing the auditor's report.

The 23-step evaluation and completion sequence

After the stand-back (steps 1-2), the completion sequence continues with document authenticity evaluation (ISA 240.22): were any conditions identified during the audit suggesting that records or documents may not be authentic, or that undisclosed modifications were made? If yes, what investigation was performed?

Accounting policy evaluation (ISA 240.45) follows: do the entity's accounting policies, particularly for subjective measurements and complex transactions, indicate fraudulent financial reporting? This is not a restatement of the ISA 540 work. It asks whether the choice of policy (not just its application) serves a potential fraud objective.

Estimates-taken-as-a-whole evaluation (ISA 240.51(b)): looking at all accounting estimates in aggregate, does the cumulative pattern suggest management bias? This draws on the individual estimate reviews performed in the estimates and bias review section. The completion evaluation asks the aggregate question.

Significant unusual transactions evaluation (ISA 240.52): consolidating the evaluation of all transactions outside the normal course of business. For each one, does the business rationale (or absence of it) suggest fraudulent financial reporting or concealment of misappropriation?

Analytical procedures near the end of the audit (ISA 240.53): do the results of near-completion analytics indicate a previously unrecognised risk of material misstatement due to fraud? If yes, update the risk register and determine what additional procedures are needed.

Then, if fraud or suspected fraud was identified during the engagement, a seven-step sequence activates: obtain understanding of the matter (ISA 240.55(a)), evaluate the entity's investigation process (ISA 240.55(b)), evaluate remedial actions (ISA 240.55(c)), the engagement partner's determination on additional procedures and legal responsibilities (ISA 240.56), misstatement evaluation including materiality and control deficiency identification (ISA 240.57), consequences of material fraud misstatement for the opinion (ISA 240.58), and the inability-to-continue assessment (ISA 240.59). If no fraud or suspected fraud was identified, these steps are documented as not applicable.

Communication steps follow regardless: ongoing fraud communications log (ISA 240.25), communication with management (ISA 240.64), communication with TCWG (ISA 240.65), and other fraud matters communicated to those charged with governance (ISA 240.66). Then regulatory reporting obligations (ISA 240.67), written representations including the management representation letter fraud paragraphs (ISA 240.63), key audit matters consideration where ISA 701 applies, report-to-file consistency check (a common inspection finding: the fraud section of the auditor's report does not match the audit file), group audit fraud considerations, and a final documentation completeness check.

The entire sequence works as an ordered checklist. Some steps apply to every engagement. Others activate only when specific conditions are met. But the stand-back always comes first.

Worked example: Van der Berg Holding N.V.

Scenario: Van der Berg Holding N.V. is a Dutch property development company with revenue of EUR 92M. The engagement team identified three fraud risks at planning: revenue recognition on percentage-of-completion contracts (assertion-level), management override (presumed), and capitalisation of costs that should be expensed (assertion-level). The audit is now at completion stage.

Before the revised standard: The partner reviews the ISA 240 file sections, checks that journal entry testing was performed, reviews the estimates evaluation, and signs off. There is no single documented moment where the partner explicitly reconsiders the entire fraud risk picture. The partner's sign-off on individual working papers implicitly confirms that the work was adequate, but no working paper asks the partner to step back and evaluate the totality.

After ISA 240 (Revised), paragraph 54:

1. The partner opens the stand-back evaluation section. For paragraph 54(a) (risk reassessment), the partner reviews all evidence obtained during the audit. During substantive testing of capitalised costs, the team found EUR 340,000 of marketing expenses capitalised as project costs. The client corrected the entry. During analytical procedures, no unexpected variances were identified. Journal entry testing revealed no exceptions. The estimates retrospective review showed that percentage-of-completion estimates were within 3% of actual outcomes for completed contracts. Documentation note: "Reviewed all audit evidence for fraud risk implications. Key finding: EUR 340,000 marketing expenses capitalised to project WBS-2024-017 (identified during substantive testing, corrected by management without resistance, no evidence of concealment). Evaluated whether this changes the fraud risk assessment. The misstatement was a single instance, promptly corrected, and does not indicate a pattern of deliberate capitalisation. The capitalisation assertion-level risk remains appropriately assessed as a fraud risk given the covenant pressure identified at planning, but no additional fraud risks identified. Fraud risk assessment remains appropriate."

2. For paragraph 54(b) (evidence sufficiency), the partner reviews each fraud risk against its response. Revenue recognition: full-population analytics on percentage-of-completion adjustments performed, 15 contracts tested against independent surveyor reports, no exceptions. Management override: journal entry testing completed (12,400 entries analysed, 45 selected, no exceptions), estimates review completed (prior-year provisions showed consistent slight overstatement but within acceptable range, no bias indicator), significant unusual transactions reviewed (one related-party land sale evaluated, business rationale documented and supported). Capitalisation risk: sample of 40 capitalised cost items tested against capitalisation criteria, the EUR 340,000 misstatement identified and corrected, no further exceptions. Documentation note: "Evidence reviewed for each assessed fraud risk. All responses in the response matrix show completed procedures with evidence beyond inquiry. One misstatement identified (capitalised marketing costs, EUR 340,000, corrected). No unresolved exceptions. Sufficient appropriate evidence obtained for all assessed fraud risks."

3. The partner signs the stand-back section with the date. The engagement file now contains a documented, partner-level evaluation that satisfies both limbs of paragraph 54, positioned before the remaining completion steps.

Practical checklist

1. Add two documented steps to your completion working papers for the paragraph 54(a) and 54(b) evaluations. Do not bury these inside the ISA 330 stand-back. They are separate requirements.
2. The engagement partner must perform the evaluation personally, not review a prepopulated assessment drafted by a manager. The documentation should reflect the partner's own judgment.
3. For paragraph 54(a), consider evidence from all audit procedures (not just fraud-specific procedures) when evaluating whether the risk assessment remains appropriate.
4. For paragraph 54(b), trace each fraud risk in the register to a completed response with evidence beyond inquiry. If any risk has no completed response, the evaluation fails.
5. If the stand-back reveals a gap (changed risk, insufficient evidence), perform additional procedures before signing off. Document what changed and what was done.
6. Date the stand-back evaluation. Inspectors check that it was performed near completion, not backdated to planning.

Common mistakes

• Combining the ISA 240 fraud stand-back with the ISA 330 stand-back in a single paragraph. The AFM treats these as separate requirements. A single generic "I'm satisfied with the evidence" does not satisfy paragraph 54.
• Delegating the paragraph 54 evaluation to a manager or senior. The revised standard directs this at the engagement partner. A manager's draft with a partner signature is not the same as a partner's evaluation.
• Documenting the paragraph 54(a) reassessment as "No changes to fraud risk assessment" without stating what evidence was considered. The reassessment must show that the partner actually reviewed the evidence obtained during the audit and formed a specific judgment about each fraud risk.
• Performing the stand-back before all audit procedures are complete. The stand-back must consider the totality of audit evidence. If substantive testing is still ongoing when the partner signs the stand-back, the evaluation is premature.