Revised ISA Standards 2026: What’s Changing

Why these two standards arrived together

The IAASB didn’t revise ISA 240 and ISA 570 in parallel by accident. Corporate failures over the past decade exposed a pattern: entities that collapsed often showed going concern indicators and fraud indicators simultaneously, but audit files treated them in separate sections with separate teams. The revised standards share an effective date (15 December 2026, meaning calendar year 2027 audits) precisely because the IAASB wants firms to implement them as one package.

ISA 570 (Revised 2024) was approved in November 2024 and published in April 2025. ISA 240 (Revised) was approved in March 2025 and published in July 2025. Both went through the IAASB’s full due process including Public Interest Oversight Board certification. The FRC has already launched its consultation on adopting both into ISA (UK), and the IAASB has explicitly encouraged jurisdictions to adopt both standards alongside the narrow-scope amendments for publicly traded entities as a single package.

For a mid-tier firm running 40 to 80 statutory audits a year, this means a single methodology update window in late 2026 that touches fraud, going concern, the auditor’s report, and entity classification. That’s a lot to land at once, but the overlap between the two standards actually makes implementation easier if you plan them together.

What changed in ISA 570 (Revised 2024)

The old ISA 570 (Revised) let auditors assess going concern risk in a way that many files compressed into a single step: identify events or conditions, consider management’s plans, and conclude. ISA 570 (Revised 2024) breaks that apart.

The gross basis requirement

The single biggest change is the requirement to identify events and conditions on a gross basis first, before considering management’s mitigating plans. Under the previous standard, most teams would find a risk indicator (say, a major loan maturing in nine months) and immediately evaluate management’s refinancing plan in the same paragraph of the working paper. The revised standard prohibits that collapse.

ISA 570 (Revised 2024) requires a two-step process. You identify every event or condition that may cast significant doubt. You document each one without reference to what management intends to do about it. Only then do you evaluate whether management’s plans are feasible and supported by evidence. If your file merges those two steps into a single assessment, it won’t hold under the revised framework.

This sounds procedural, but it changes the structure of your working paper. You need a separate section (or separate columns in a matrix) for gross identification and for mitigation evaluation.

Management’s assessment period

ISA 570 (Revised 2024) paragraph 21 requires that management’s going concern assessment covers at least twelve months from the date of approval of the financial statements (as defined in ISA 560). The previous standard required twelve months from the date of the financial statements. That distinction matters. For a 31 December 2027 year-end with financial statements approved in April 2028, management’s assessment now needs to run through at least April 2029, not December 2028.

If management’s assessment covers a shorter period, the auditor must request an extension. This is a hard requirement, not a suggestion.

Reporting changes

ISA 570 (Revised 2024) introduces two explicit conclusions in the auditor’s report. The auditor must now state a conclusion on whether management’s use of the going concern basis of accounting is appropriate, and a separate conclusion on whether a material uncertainty exists. Both statements appear in every auditor’s report, not only when a problem is found. For listed entities, additional content is required, including reporting on situations where management has made significant judgements in concluding that no material uncertainty exists (the “close call” scenario).

The close call scenario is new territory. Under the previous standard, if management concluded no material uncertainty existed and the auditor agreed, the auditor’s report said nothing specific about going concern beyond the standard boilerplate. Under ISA 570 (Revised 2024), a close call is treated as a key audit matter (when ISA 701 applies) and reported in the going concern section of the report, not the KAM section.

What changed in ISA 240 (Revised)

ISA 240 (Revised) reorganises the auditor’s fraud responsibilities from a passive baseline (“accept records as genuine unless reason to believe otherwise”) to an active one.

The “accept records as genuine” removal

Under the previous ISA 240, paragraph 13(b) allowed auditors to treat records and documents as genuine unless conditions suggested otherwise. ISA 240 (Revised) removes this provision entirely. The revised standard requires auditors to remain alert throughout the audit for conditions indicating that a record or document may not be authentic, without the previous default assumption of authenticity.

This doesn’t mean you verify every invoice. It means your file can no longer cite “accepted as genuine per ISA 240.13(b)” as a blanket statement in the audit evidence section. You need to document what conditions you considered and why you assessed the records as authentic in the specific circumstances.

Fraud risk identification aligned with ISA 315

ISA 240 (Revised) now explicitly aligns fraud risk identification with the risk assessment process in ISA 315 (Revised 2019). Rather than treating fraud as a separate bolt-on exercise, the revised standard requires auditors to integrate a fraud perspective into the broader risk assessment. The presumption that revenue recognition carries a fraud risk remains, and the standard makes rebuttal harder by requiring more specific documentation of why the presumption doesn’t apply to a particular entity.

Communication requirements

The previous ISA 240 required communication with those charged with governance about fraud-related matters primarily at the conclusion of the audit. ISA 240 (Revised) introduces a requirement for ongoing communication throughout the engagement, starting at planning. The auditor must communicate fraud-related matters with management and TCWG at appropriate times, not just at the end.

For audits of publicly traded entities, ISA 240 (Revised) also introduces requirements around key audit matters related to fraud. When ISA 701 applies, the auditor must determine which fraud-related matters required significant attention and report the most significant ones as KAMs.

Technology and data analytics

ISA 240 (Revised) includes new application material on using automated tools for fraud detection. The guidance covers using data analytics to test journal entries, assess management bias in estimates, and identify anomalies across full populations rather than samples. This is guidance, not a requirement, but it signals where regulators will set expectations for inspection.

The ISA 530 audit sampling calculator helps you determine when full-population testing with automated tools becomes more efficient than traditional sampling, a question ISA 240 (Revised) now explicitly raises.

Where the two standards interact

ISA 570 (Revised 2024) and ISA 240 (Revised) share effective dates because the IAASB designed them to work together. Fraud and financial distress often coexist. An entity manipulating revenue to meet covenants is both a fraud issue (ISA 240) and a going concern issue (ISA 570). The revised standards make this connection explicit.

ISA 240 (Revised) paragraph 26 requires auditors to consider whether identified fraud or suspected fraud affects the going concern assessment. ISA 570 (Revised 2024) paragraph A12 requires auditors to consider whether events or conditions that cast doubt on going concern also indicate fraud risk factors. Your file needs to show this cross-reference. A going concern working paper that never mentions fraud, or a fraud risk assessment that ignores financial distress indicators, will not satisfy either revised standard.

For your going concern assessment, the practical implication is straightforward: your ISA 570 working paper should reference the ISA 240 fraud risk assessment, and your ISA 240 fraud risk matrix should include going concern indicators as potential fraud risk factors.

Worked example: updating a live file

Client: Van der Berg Holding N.V. — Revenue: €67M | Industry: wholesale distribution | Year-end: 31 December 2027 (first year under revised standards)

Step 1: Gross basis going concern identification

The engagement team identifies two events without considering management’s plans: (a) a €12M revolving credit facility expires in August 2028 with no renewal confirmed, and (b) the entity’s EBITDA margin dropped from 8.2% to 3.1% year-over-year.

Step 2: Management assessment period check

Financial statements will be approved by the board on 18 March 2028. ISA 570 (Revised 2024) paragraph 21 requires coverage through at least 18 March 2029. Management’s draft assessment covers only through 31 December 2028. The engagement partner requests a written extension of the assessment period.

Step 3: Mitigation evaluation

Management provides a signed refinancing term sheet from ING for a €15M facility at 4.8% and a board-approved cost reduction programme targeting €2.4M in annual savings. The team evaluates both plans against ISA 570’s feasibility criteria.

Step 4: Fraud lens cross-reference

The engagement team checks whether the EBITDA margin decline corresponds to any revenue recognition anomalies flagged in the ISA 240 fraud risk assessment. A full-population journal entry analysis using audit software identified 14 manual postings to revenue in Q4 totalling €890K. The team designs targeted procedures for these entries.

Step 5: Reporting assessment

The engagement partner concludes that the going concern basis is appropriate, no material uncertainty exists, but management’s judgement on the credit facility renewal was significant. For a listed entity, this would trigger the close call reporting requirement. Van der Berg is unlisted, so the standard going concern conclusions apply.

Practical checklist for December 2026

1. Map your current going concern working paper against the ISA 570 (Revised 2024) gross basis requirement. If your template merges identification and mitigation into one step, split them into separate sections or columns before the 2027 audit cycle starts.
2. Update your engagement letter template to reference ISA 570 (Revised 2024) paragraph 21 on the management assessment period. Include the requirement for twelve months from the approval date, not the balance sheet date.
3. Remove any boilerplate reference to “records accepted as genuine per ISA 240.13(b)” from your audit evidence templates. Replace with a documentation prompt that asks the engagement team to state what conditions they considered.
4. Add a cross-reference field between your ISA 240 fraud risk matrix and your ISA 570 going concern working paper. Both revised standards require this link to be documented.
5. Review your auditor’s report template. ISA 570 (Revised 2024) requires two explicit conclusions on going concern in every report. Draft the wording now using the IAASB’s illustrative examples (published alongside the standard in April 2025) so your report template is ready before the first 2027 year-end file opens.
6. Schedule a firm-wide training session on both standards together. The IAASB published a video series and fact sheets for both ISA 240 (Revised) and ISA 570 (Revised 2024) in Q3 2025. Use those as your training baseline.

Common mistakes to watch for

• Treating the gross basis requirement as a formality. The IAASB’s basis for conclusions on ISA 570 (Revised 2024) states that the two-step process (gross identification, then mitigation) exists because inspectors consistently found that auditors were skipping the first step. If your file still shows a single blended assessment, expect it to be flagged.
• Leaving the “accept records as genuine” boilerplate in your templates. ISA 240 (Revised) explicitly removed this provision. Any file that still cites it after December 2026 is referencing a paragraph that no longer exists in the standard.
• Failing to extend management’s assessment period when it falls short of twelve months from the approval date. ISA 570 (Revised 2024) paragraph 21 makes this a hard requirement, not a matter of judgement.

Related content

Frequently asked questions

Further reading and source references

• ISA 570 (Revised 2024), Going Concern: approved November 2024, published April 2025. Introduces the gross basis requirement, extended assessment period, and two explicit auditor’s report conclusions.
• ISA 240 (Revised), The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements: approved March 2025, published July 2025. Removes “accept records as genuine” default, aligns fraud risk with ISA 315, expands TCWG communication.
• ISA 315 (Revised 2019), Identifying and Assessing the Risks of Material Misstatement: the framework for risk assessment that ISA 240 (Revised) now explicitly integrates with.
• IAASB illustrative auditor’s reports: published alongside ISA 570 (Revised 2024) in April 2025, covering four reporting scenarios.