Key Takeaways
- ISA 240 (Revised) paragraph 32(a) promotes the whistleblower programme understanding from application material to a requirement. The auditor must understand how the programme operates, what reports were received, and how the entity responded.
- The revised standard broadens scope to include third-party fraud – cybercrime, invoice fraud by external actors, supply chain manipulation, and payment system compromises are now explicitly addressed in the application material.
- A new "clearly inconsequential" threshold allows the auditor to exclude minor fraud matters from further consideration, but only after obtaining a sufficient understanding and documenting the reasoning.
- For Dutch audit clients, the Wet bescherming klokkenluiders means most entities already must have a whistleblower programme – absence is both a fraud risk factor and a potential legal non-compliance.
The ACFE's 2024 Report to the Nations found that 43% of occupational fraud cases were detected through tips. Not through audits, not through internal controls, but through someone picking up a phone or sending an email. Until now, ISA 240 said almost nothing about how auditors should engage with an entity's whistleblower programme or handle fraud allegations from parties outside the entity. The revised standard changes that.
ISA 240 (Revised), effective for periods beginning on or after 15 December 2026, introduces a new requirement in paragraph 32(a) for auditors to obtain an understanding of the entity's whistleblower programme (or equivalent fraud reporting mechanism), and creates a separate section with requirements for responding to fraud or suspected fraud identified through any source, including third-party allegations.
The whistleblower programme requirement: what paragraph 32(a) asks for
The extant ISA 240 mentioned whistleblower programmes only in application material, as one of several possible sources of information about fraud. ISA 240 (Revised) promotes this to a requirement. Paragraph 32(a) requires the auditor to obtain an understanding of the entity's whistleblower programme (or other programme for reporting fraud), if one exists.
The IAASB's Basis for Conclusions explains the reasoning: understanding the whistleblower programme strengthens fraud risk identification. But the requirement is conditional. If no programme exists, the requirement does not oblige the auditor to design one for the entity. What you document instead is whether the absence of a programme is itself a fraud risk factor, particularly for entities where legal or regulatory requirements mandate one.
The understanding itself must be practical, not superficial. The application material describes it as covering how the programme operates, who receives and investigates reports, what types of reports have been received, how the entity responded, and whether any reports remain unresolved. Asking management "do you have a whistleblower hotline?" and ticking a box falls short. The standard expects you to read the investigation files for any fraud-related reports and form your own view on whether the entity's response was adequate.
Terminology varies. Some entities call it a fraud reporting hotline, an integrity reporting channel, or a compliance reporting system. ISA 240 (Revised) applies regardless of the label.
Why this matters for Dutch audit clients
For auditors working in the Netherlands, this requirement intersects with the Wet bescherming klokkenluiders (Dutch Whistleblower Protection Act), which came into force on 18 February 2023 and transposed the EU Whistleblowing Directive (2019/1937) into Dutch law. Every employer with 50 or more employees must have an internal reporting procedure in place. Entities in the financial services sector and those subject to the Wwft (Prevention of Money Laundering and Terrorist Financing Act) must comply regardless of size, and have been required to since 17 December 2023 even where they have fewer than 50 employees. For auditors of these entities, the existence of a reporting programme is not just expected under ISA 240 (Revised) but legally mandated under Dutch law.
This means the vast majority of Dutch audit clients already have (or should have) a whistleblower programme. For the auditor, the question is no longer whether one exists but whether it functions. If a client with 200 employees has no programme, that's not just an ISA 240 fraud risk factor. It's a legal non-compliance that may trigger ISA 250 (Revised) responsibilities.
The Dutch law also introduced direct external reporting. Reporters can go straight to the AFM, DNB, or other competent authorities without first reporting internally. This has practical implications for the auditor's understanding. A client's internal programme may show zero reports, but that doesn't mean zero fraud allegations exist. External reports to the AFM or the Huis voor Klokkenluiders bypass the entity entirely. The auditor should ask management whether they are aware of any external reports, but should also recognise that management may genuinely not know.
Practical tip
For Dutch clients with 50+ employees, add a two-part check to your planning template: (1) does the entity have an internal reporting procedure compliant with the Wet bescherming klokkenluiders, and (2) is management aware of any reports filed directly with external authorities? Document both answers regardless of the response.
Third-party fraud: a new category in the auditor's scope
The extant ISA 240 focused primarily on fraud committed by management and employees. ISA 240 (Revised) broadens the scope to include third parties.
The application material defines these as parties unknown to the entity that may attempt to gain unauthorised access to the IT environment, disrupt financial reporting, or misappropriate assets. This is not a new responsibility: auditors were never permitted to ignore external fraud. Rather, it reflects a changed fraud risk environment. Cybercrime, invoice fraud by external actors, supply chain manipulation, and payment system compromises are now common enough that the standard needed to address them directly. The revised application material provides specific examples of how third-party fraud can affect the financial statements.
For the auditor, the practical impact is in the risk assessment. When you assess fraud risk factors under the revised ISA 240, you now explicitly consider external threats alongside internal ones. If the entity operates in an industry with high exposure to invoice fraud (construction, logistics, recruitment), or if the entity's IT controls over external access are weak, those factors should appear in your fraud risk assessment documentation.
Third-party fraud may also constitute non-compliance with laws and regulations. If you identify a cyberattack that resulted in misappropriation of client funds, ISA 250 (Revised) kicks in alongside ISA 240.
Responding to fraud or suspected fraud: the new section
One of the most significant structural changes in ISA 240 (Revised) is the creation of a dedicated section for when fraud or suspected fraud is identified. The extant standard scattered these requirements across multiple paragraphs. The revised standard consolidates them.
When the auditor identifies or suspects fraud through any means (whistleblower reports, data analytics anomalies, third-party allegations, or information from management inquiries), the revised standard requires the auditor to first obtain an understanding of the matter: what happened, who was involved, when it occurred, how the entity responded. A critical clarification: allegations of fraud are treated as suspected fraud for ISA 240 purposes. A report from a whistleblower hotline is suspected fraud until the auditor determines otherwise.
Two paths open after obtaining that understanding. If the fraud or suspected fraud is "clearly inconsequential," the auditor may exclude it from further consideration. If not, the engagement partner must determine whether additional procedures are needed.
That engagement partner involvement is new and non-delegable. Under the extant standard, the team could handle many fraud-related matters without explicit partner determination. The revised standard requires the engagement partner to take personal responsibility for evaluating the audit impact of any matter that crosses the "clearly inconsequential" threshold.
The "clearly inconsequential" threshold
The "clearly inconsequential" threshold is a proportionality mechanism. Without it, every petty cash discrepancy reported through a whistleblower hotline would require engagement partner evaluation and potentially additional procedures. The threshold allows the auditor to apply judgment.
But the threshold comes with conditions. You can only apply it after you have obtained a sufficient understanding of the fraud-related matter. You cannot dismiss a report without first understanding what it alleges and whether the entity has investigated it. The application material in ISA 240 (Revised) paragraph A162 clarifies that the auditor may consider the entity's own processes for filtering and investigating whistleblower reports when making the "clearly inconsequential" determination.
In practice, this means you need to document your reasoning. A working paper note that says "whistleblower report received, determined to be clearly inconsequential" is insufficient. The note must explain what was reported, what understanding was obtained, and why the matter is clearly inconsequential to the audit. If the entity investigated and found the report to be without merit, you can reference that investigation, but you still need your own assessment.
Worked example: Van der Berg Holding N.V.
Client profile: Van der Berg Holding N.V., a Dutch mid-market industrial group with €92M consolidated revenue across four subsidiaries. 320 employees. Supervisory board in place. Audit year: 2027 (first year under ISA 240 Revised). The entity has a whistleblower programme administered by an external compliance provider (IntegrityLine).
1. Understanding the whistleblower programme
During planning, the audit team meets with the compliance officer responsible for the whistleblower programme. The team documents: the programme is operated through IntegrityLine, reports can be filed anonymously online or by telephone, reports go to the compliance officer and the chair of the supervisory board simultaneously, the entity received four reports in FY2027. Of these, two related to workplace safety concerns (not fraud-related), one alleged expense claim inflation by a subsidiary manager, and one alleged that a supplier had submitted duplicate invoices with the knowledge of a procurement officer.
Documentation note
"Understanding of entity's whistleblower programme obtained per ISA 240 (Revised) para. 32(a). Programme operated via IntegrityLine (external provider). Reports received by compliance officer and SB chair. Entity compliant with Wet bescherming klokkenluiders requirements (320 employees, internal reporting procedure in place, works council approved procedure in 2023). Four reports received in FY2027. Two non-fraud. Two fraud-related. See assessment of fraud-related reports below."
2. Evaluating fraud-related whistleblower reports
Report A: A subsidiary manager allegedly inflated expense claims by approximately €4,200 over six months. Management investigated, confirmed the overcharging, terminated the employee, and recovered €3,800. A remaining €400 was written off. This qualifies as clearly inconsequential. Amount is immaterial (materiality: €920K), the entity responded appropriately, the employee was terminated, and recovery was substantially complete.
Documentation note
"Report A evaluated per ISA 240 (Revised) fraud response section. Amount (€4,200) is 0.46% of materiality. Entity conducted investigation, confirmed the fraud, terminated the individual, and recovered substantially all funds. Determined to be clearly inconsequential. No further audit procedures required."
Report B: A whistleblower alleged that a supplier submitted duplicate invoices totalling approximately €185K, and that a procurement officer at the subsidiary level was aware and had approved both payments. The entity initiated an investigation in October 2027 but had not concluded it by the audit planning date.
This is not clearly inconsequential. €185K represents 20% of materiality. Collusion between an employee and a third party is alleged. The investigation is incomplete.
Documentation note
"Report B evaluated per ISA 240 (Revised) fraud response section. Alleged amount (€185K) is 20% of overall materiality and cannot be regarded as clearly inconsequential. Allegation involves employee-third party collusion (procurement officer and supplier). Entity investigation ongoing, not concluded. Engagement partner determination: additional audit procedures required. (1) Obtain and review the entity's investigation file as it progresses. (2) Test accounts payable transactions with the named supplier for the full year. (3) Extend duplicate payment testing across all suppliers in the affected subsidiary. (4) Assess whether the fraud risk assessment needs updating to include procurement fraud at the subsidiary level. (5) Communicate with TCWG (supervisory board) per ISA 240 (Revised) communication requirements."
3. Third-party fraud assessment
During the risk assessment, the team identifies that Van der Berg's logistics subsidiary processes approximately 12,000 supplier invoices annually, primarily through an electronic procurement portal. The IT environment includes standard access controls, but the team notes that the subsidiary does not perform automated duplicate invoice detection. Given the whistleblower allegation in Report B, the team adds procurement fraud by external suppliers as a fraud risk factor in the risk assessment.
Documentation note
"Third-party fraud risk factor identified per ISA 240 (Revised). The logistics subsidiary's procurement portal processes 12,000 invoices annually without automated duplicate detection. Combined with the whistleblower allegation (Report B), this constitutes a fraud risk factor. Included in updated fraud risk assessment. Response: extend ISA 520 analytical procedures on supplier payment patterns and perform Benford's Law analysis on invoice amounts for the top 20 suppliers by volume."
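The two procedures named in that documentation note, duplicate payment testing and a Benford first-digit test on invoice amounts, as an added illustration in Python. This is not the page's worked example data and not IntegrityLine's or any audit firm's tooling: the supplier names, invoice numbers, amounts, dates, the 90-day matching window and the 5% chi-square cut-off are constructed assumptions for the example.

```python
"""Duplicate-payment screening and a Benford first-digit test over a constructed
invoice population. Added illustration only; the suppliers, invoices and the
90-day window are assumptions, not data from the Van der Berg example."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date
import math
import re

# Chi-square critical value for 8 degrees of freedom at 5% significance (assumed cut-off).
BENFORD_CRITICAL_5PCT = 15.507


@dataclass(frozen=True)
class Invoice:
    supplier: str
    invoice_no: str
    amount: float
    invoice_date: date
    paid: bool


def normalise_invoice_no(raw: str) -> str:
    """Collapse separators, case and leading zeros so 'INV-000481' and 'inv 481'
    compare equal; a re-submitted invoice is often re-keyed exactly this way."""
    compact = re.sub(r"[^0-9A-Za-z]", "", raw).upper()
    m = re.fullmatch(r"([A-Z]*)0*(\d+)", compact)
    return f"{m.group(1)}{m.group(2)}" if m else compact


def find_duplicate_payments(invoices, window_days=90):
    """Return (reason, earlier, later) for pairs of *paid* invoices from the same
    supplier that share a normalised invoice number, or carry the same amount
    within window_days of each other. Unpaid items are not payments and are skipped."""
    by_supplier = defaultdict(list)
    for inv in invoices:
        if inv.paid:
            by_supplier[inv.supplier].append(inv)
    flagged = []
    for invs in by_supplier.values():
        invs.sort(key=lambda i: i.invoice_date)
        for idx, a in enumerate(invs):
            for b in invs[idx + 1:]:
                if normalise_invoice_no(a.invoice_no) == normalise_invoice_no(b.invoice_no):
                    flagged.append(("same invoice number", a, b))
                elif (abs(a.amount - b.amount) < 0.005
                      and (b.invoice_date - a.invoice_date).days <= window_days):
                    flagged.append(("same amount within window", a, b))
    return flagged


def first_digit(amount: float):
    """Leading non-zero digit of an amount, or None for a zero amount."""
    digits = f"{abs(amount):.2f}".replace(".", "").lstrip("0")
    return int(digits[0]) if digits else None


def benford_first_digit(amounts):
    """Chi-square of observed first digits against Benford's expected share
    log10(1 + 1/d). Only meaningful on a few hundred amounts or more; a handful
    of invoices gives no usable statistic."""
    counts = Counter(d for d in map(first_digit, amounts) if d)
    n = sum(counts.values())
    expected = {d: n * math.log10(1 + 1 / d) for d in range(1, 10)}
    chi_square = (sum((counts[d] - expected[d]) ** 2 / expected[d] for d in range(1, 10))
                  if n else 0.0)
    return chi_square, counts, expected


def benford_conforms(amounts, critical=BENFORD_CRITICAL_5PCT) -> bool:
    return benford_first_digit(amounts)[0] <= critical


# Constructed sample: one re-keyed duplicate, one same-amount pair inside the
# window, one same-amount invoice outside it, and two unpaid items.
SAMPLE_INVOICES = [
    Invoice("Nordkabel BV", "INV-000481", 12450.00, date(2027, 3, 2), True),
    Invoice("Nordkabel BV", "inv 481", 12450.00, date(2027, 3, 19), True),
    Invoice("Nordkabel BV", "INV-000512", 8300.00, date(2027, 5, 4), True),
    Invoice("Nordkabel BV", "INV-000519", 8300.00, date(2027, 5, 11), True),
    Invoice("Nordkabel BV", "INV-000530", 8300.00, date(2027, 10, 1), True),
    Invoice("Nordkabel BV", "INV-000540", 1150.00, date(2027, 6, 2), False),
    Invoice("Rietveld Transport", "RT-2027-0091", 4600.00, date(2027, 2, 14), True),
    Invoice("Rietveld Transport", "RT-2027-0091", 4600.00, date(2027, 2, 28), False),
]


def screen(invoices):
    """Summary figures a team would carry into the working paper."""
    dups = find_duplicate_payments(invoices)
    return {
        "pairs": len(dups),
        "exposure": round(sum(later.amount for _, _, later in dups), 2),
        "reasons": sorted(reason for reason, _, _ in dups),
    }


if __name__ == "__main__":
    for reason, a, b in find_duplicate_payments(SAMPLE_INVOICES):
        print(f"{reason}: {a.supplier} {a.invoice_no} -> {b.invoice_no} EUR {b.amount:,.2f}")
    print(screen(SAMPLE_INVOICES))
```

Two caveats a reviewer would expect in the file. First, a same-amount match inside a window is a screening heuristic, not a finding: recurring charges (rent, retainers, lease instalments) hit it every month, so flagged pairs go to vouching against purchase orders and goods receipts before anything is concluded. Second, the Benford test needs volume; run it over the full year's invoices for a supplier or subsidiary, not over a dozen items, and treat a high chi-square as a reason to extend sampling rather than as evidence of fraud in itself.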
4. Documentation of whistleblower programme assessment feeding into fraud risk assessment
The stand-back memo at completion records: the whistleblower programme understanding was obtained at planning, the two fraud-related reports were evaluated (one clearly inconsequential, one requiring additional procedures), the procurement fraud risk was added to the fraud risk assessment, the additional procedures on Report B identified two confirmed duplicate payments totalling €127K (the remaining €58K of the alleged amount was a billing error, not fraud), and the €127K was communicated to TCWG. Management recovered €127K from the supplier and terminated the procurement officer.
A reviewer would see a file that connects the whistleblower programme understanding directly to the fraud risk assessment, treats each allegation with a documented evaluation, and traces the additional procedures from identification through to resolution and communication.
Practical checklist
- Add a whistleblower programme section to your planning template (ISA 240 (Revised) paragraph 32(a)). The section should capture: whether a programme exists, who administers it, how reports are received and investigated, and what reports were received in the period.
- For Dutch clients, verify compliance with the Wet bescherming klokkenluiders. If the entity has 50 or more employees and no programme, document this as both a fraud risk factor and a potential ISA 250 non-compliance issue.
- Ask management about external reports. Whistleblower reports to external bodies bypass the entity's internal programme entirely. Ask whether any fraud allegations were received from regulators, law enforcement, or counterparties during the period.
- For each fraud-related report, document your evaluation: what was alleged, what the entity's response was, whether the matter is clearly inconsequential, and if not, what additional procedures the engagement partner determined were necessary.
- Update your fraud risk assessment template to include a field for third-party fraud risk factors (cybercrime, invoice fraud, supply chain manipulation). The revised standard expects these to be considered alongside internal fraud risks.
- If the entity has no programme but is not legally required to have one, document whether the absence is itself a fraud risk factor given the entity's size, industry, ownership structure, and control environment.
Common mistakes
The IAASB's Basis for Conclusions specifically warns against concluding that the absence of a whistleblower programme is automatically a fraud risk factor in all cases. The requirement is conditional: understand the programme if one exists, and consider whether its absence is a risk factor in context. Do not create a presumption that the standard does not contain.
The AFM's position paper on fraud procedures found that auditors at regular (non-PIE licence) firms frequently fail to adapt procedures to specific fraud risks. Applied to whistleblower reports: teams will be tempted to create a generic "whistleblower programme assessment" checklist applied identically to every client, rather than connecting the findings to the specific fraud risk assessment for each engagement.
Frequently asked questions
What does ISA 240 (Revised) require for whistleblower programmes?
ISA 240 (Revised) paragraph 32(a) requires the auditor to obtain an understanding of the entity's whistleblower programme (or equivalent fraud reporting mechanism), if one exists. The understanding must cover how the programme operates, who receives and investigates reports, what types of reports have been received, how the entity responded, and whether any reports remain unresolved. If no programme exists, the auditor must document whether the absence is itself a fraud risk factor.
What is the "clearly inconsequential" threshold in ISA 240 (Revised)?
The "clearly inconsequential" threshold is a proportionality mechanism that allows the auditor to exclude instances of fraud or suspected fraud from further consideration if a sufficient understanding has been obtained and the matter is determined to be clearly inconsequential. The auditor must document what was reported, what understanding was obtained, and why the matter is clearly inconsequential. You cannot dismiss a report without first understanding what it alleges.
How does the Wet bescherming klokkenluiders affect Dutch audits under ISA 240 (Revised)?
The Dutch Whistleblower Protection Act requires every employer with 50 or more employees to have an internal reporting procedure. Financial sector entities covered by the Wwft must comply regardless of size. For auditors, this means the vast majority of Dutch audit clients already have or should have a programme. If a qualifying client has no programme, that is both an ISA 240 fraud risk factor and a potential ISA 250 non-compliance issue.
Does ISA 240 (Revised) cover cybercrime and external fraud?
Yes. ISA 240 (Revised) broadens the scope to include third-party fraud. The application material specifically addresses parties unknown to the entity that may attempt to gain unauthorised access to the IT environment, disrupt financial reporting, or misappropriate assets. When assessing fraud risk factors, auditors must now explicitly consider external threats (cybercrime, invoice fraud, supply chain manipulation) alongside internal ones.
What happens when the engagement partner determines fraud is not clearly inconsequential?
When fraud or suspected fraud crosses the clearly inconsequential threshold, the engagement partner must personally determine whether additional risk assessment or further audit procedures are needed. This engagement partner involvement is new and non-delegable. Under the extant standard, the team could handle many fraud-related matters without explicit partner determination.
Further reading and source references
- ISA 240 (Revised), as approved March 2025 and certified July 2025: paragraph 32(a) on whistleblower programme understanding, the fraud response section, and application material on third-party fraud.
- Wet bescherming klokkenluiders (Dutch Whistleblower Protection Act), in force 18 February 2023: transposition of EU Directive 2019/1937 into Dutch law.
- ACFE, Report to the Nations 2024: global occupational fraud data, including detection methods and tip-reporting statistics.
- ISA 250 (Revised), Consideration of Laws and Regulations: relevant when whistleblower programme absence constitutes a legal violation or when fraud constitutes non-compliance with laws and regulations.
- AFM, Position Paper on Fraud Audit Procedures: findings on how auditors at regular firms adapt (or fail to adapt) procedures to specific fraud risks.