Side-by-side comparison
| Dimension | Current ISA 240 | ISA 240 (Revised 2024) |
|---|---|---|
| Fraud risk factors | ISA 240.25 requires the auditor to evaluate whether information indicates fraud risk factors. The identification step is embedded within the broader risk assessment. | The revised standard separates identification of fraud risk factors as a distinct, documented step. The auditor must identify fraud risk factors before assessing risks of material misstatement due to fraud. |
| Scepticism | ISA 240.12 requires professional scepticism throughout, referencing ISA 200. No additional specific requirements. | New requirements for demonstrating professional scepticism at specific points, including when evaluating management representations and assessing the plausibility of management explanations for unusual transactions. |
| Unpredictability | ISA 240.30(c) requires an element of unpredictability. Limited application guidance on what qualifies. | More specific requirements with additional guidance. Explicit expectation that unpredictability goes beyond varying sample sizes and includes changes to the nature and timing of procedures. |
| Management override | ISA 240.32 requires testing journal entries and reviewing estimates for bias, plus evaluating the business rationale for unusual transactions. | Same core requirements retained. Expanded application guidance on identifying high-risk journal entries and evaluating estimates for indicators of management bias. |
| Communication | ISA 240.40-42 requires communication of fraud to management and governance. Regulatory reporting where law requires it. | Broader requirements. The auditor must communicate identified fraud risk factors (not just identified fraud) to those charged with governance. This is a new requirement. |
| Documentation | ISA 240.47 requires documentation of the fraud risk assessment and the procedures performed in response. | New documentation requirements reflecting the separated identification and assessment steps. The file must show both the fraud risk factors identified and how those factors were translated into assessed risks. |
Key Points
- ISA 240 (Revised 2024) separates fraud risk factor identification from the risk assessment, requiring each step to be documented independently.
- The revised standard adds explicit scepticism requirements that go beyond the general requirement in ISA 200.
- Firms have until December 2026 to implement, but early adoption of the documentation approach reduces transition risk.
- Fraud risk factors must now be communicated to governance — not just identified fraud.
When the distinction matters on an engagement
The separated identification step is where most implementation effort will concentrate. Under the current standard, many engagement teams combine the identification of fraud risk factors with the risk assessment into a single working paper section. The revised standard does not allow this.
ISA 240 (Revised 2024) requires the auditor to first identify the fraud risk factors present on the engagement (client characteristics, industry conditions, management behaviour, incentive structures) and document those factors. Only then does the auditor assess whether those factors give rise to risks of material misstatement due to fraud at the assertion level.
The practical consequence is two documented steps where teams currently produce one. Firms that update their templates before the December 2026 effective date can run both approaches in parallel during the transition period. Firms that wait until the effective date will need to restructure their fraud risk documentation across all active engagements simultaneously.
Worked example: Müller Bau AG
Client: Austrian construction company, FY2026, revenue €195M, IFRS reporter. The engagement period begins 1 January 2027, so ISA 240 (Revised 2024) applies.
Under the current ISA 240 (for comparison)
The team's fraud risk working paper would read: "Revenue recognition: presumed fraud risk per ISA 240.27. The entity operates in a competitive construction market with percentage-of-completion revenue recognition. Risk assessed as significant."
Documentation note (current standard): "Fraud risk assessment: revenue recognition assessed as a risk of material misstatement due to fraud. ISA 240.27 presumption not rebutted. Procedures designed per ISA 240.31."
Under ISA 240 (Revised 2024)
The team must now produce two distinct documented steps.
Step 1: Identification of fraud risk factors
Documentation note: "Fraud risk factors identified per ISA 240 (Revised 2024): (1) Percentage-of-completion method requires management estimates of costs to complete, which are inherently subjective and susceptible to bias. (2) Three fixed-price contracts exceeding €15M each, where cost overruns in Q3 2027 create incentive to defer cost recognition to protect reported margins. (3) CFO compensation includes a margin-based bonus with a €2.1M threshold. (4) Two project managers left during the period and were replaced with less experienced staff, reducing the reliability of cost-to-complete estimates at the project level."
Step 2: Assessment of risks of material misstatement due to fraud
Documentation note: "Based on the fraud risk factors identified above: revenue recognition on the three fixed-price contracts exceeding €15M is assessed as a risk of material misstatement due to fraud at the assertion level (accuracy, cut-off). The ISA 240.27 presumption applies. The margin-based compensation structure combined with the cost overrun pattern creates a specific fraud risk that costs to complete on these contracts may be understated to protect reported margins. Procedures: test cost-to-complete estimates by obtaining independent quantity surveyor reports, compare Q4 cost accruals to post-year-end actual costs, inspect subcontractor invoices for the two largest contracts, test journal entries affecting project margins in the final month of the period."
Under the current standard, a single paragraph covering both identification and assessment would have been compliant. Under the revised standard, the two steps must be distinct and sequenced. If the team produced the same combined working paper it uses today, the documentation would not comply even if the procedures themselves were sufficient.
What reviewers get wrong
Under the current ISA 240, inspection reports have identified that engagement teams frequently fail to go beyond the ISA 240.27 presumption on revenue recognition. Teams document the presumption but do not identify entity-specific fraud risk factors or design entity-specific responses. The revised standard's separated identification step directly targets this finding.
The communication of fraud risk factors to those charged with governance is a new requirement under the revised standard that does not exist in the current ISA 240. Teams accustomed to communicating only identified fraud (ISA 240.40) will need to expand their governance communications to include the fraud risk factors identified during the engagement, regardless of whether those factors resulted in an assessed fraud risk.
Key standard references
- ISA 240 (Revised 2024): Effective for audits of financial statements for periods beginning on or after 15 December 2026.
- ISA 240.25 (current): Embeds fraud risk factor identification within the broader risk assessment.
- ISA 240.27: Presumption of fraud risk in revenue recognition, retained in the revised standard.
- ISA 240.32: Management override testing requirements, retained with expanded guidance.
Frequently asked questions
When does ISA 240 (Revised 2024) become effective?
ISA 240 (Revised 2024) is effective for audits of financial statements for periods beginning on or after 15 December 2026. Early adoption of the documentation approach is permitted and reduces transition risk.
What is the biggest practical change in the revised standard?
The separation of fraud risk factor identification from the risk assessment. Under the current standard, many teams combine both into a single working paper section. The revised standard requires two distinct, documented steps: first identify the fraud risk factors present, then assess whether those factors give rise to risks of material misstatement due to fraud.