December 2026 ISA Deadline: 7 Standards Changing at Once

December 2026 is less than nine months away. For audits of financial statements for periods beginning on or after 15 December 2026, seven revised ISAs take effect simultaneously. That means every engagement file opened for a December 2027 year-end (or later) must comply with all seven. No firm can absorb that volume of methodology change in the final quarter before go-live. The SALY approach (same as last year) does not work when seven standards change at once.

The seven ISAs effective for periods beginning on or after 15 December 2026 are ISA 240 (Revised), ISA 500 (Revised), ISA 200 (Revised), ISA 220 (Revised 2024), ISA 230 (Revised), ISA 700 (Revised), and ISA 570 (Revised 2024), each introducing changes that affect audit planning, evidence gathering, documentation, and reporting.

The seven standards at a glance

The IAASB has not released this many revised standards with the same effective date since the Clarity Project completed in 2009. The coordination is intentional. Several of the revisions interact: the changes to ISA 200 on professional scepticism flow through to ISA 240 's fraud requirements and ISA 500 's evidence evaluation, and then surface in ISA 700 's reporting obligations. Treating each standard as an isolated update will miss the connections.

All seven standards share the same effective date: periods beginning on or after 15 December 2026. Early adoption is permitted for each, subject to local jurisdictional rules. For a December 2027 year-end client, the new standards apply. For a September 2027 year-end client, they do not (because the period begins 1 October 2026, which is before 15 December 2026).

Here is the one-sentence summary for each, with detail in the sections that follow.

ISA 240 (Revised): fraud procedures after fieldwork

ISA 240 (Revised) introduces a mandatory stand-back evaluation at the end of the audit (paragraph 54) requiring the engagement partner to assess whether fraud risk assessments remain appropriate and whether sufficient appropriate audit evidence has been obtained regarding those risks.

This stand-back is new. It has no equivalent in the current ISA 240 . Under the current standard, the engagement partner's fraud-related obligations concentrate on planning and response. The revised standard extends them to completion.

Paragraph 54(a) requires the partner to evaluate whether the initial fraud risk assessments remain appropriate in light of audit evidence obtained. Paragraph 54(b) asks whether the audit procedures performed actually addressed those risks. This is distinct from the ISA 330 stand-back (which covers all risk responses, not just fraud). The ISA 240 fraud risk assessment pack includes a dedicated completion tab that maps directly to these new requirements.

The revised standard also tightens requirements around the presumption of fraud risk in revenue recognition. Paragraph 28 describes rebutting the presumption as "ordinarily inappropriate," which is a stronger position than the current standard's framing. Revenue-stream-by-stream analysis becomes the expected approach rather than a blanket entity-level assessment.

Practical impact: firms need a completion-stage fraud evaluation form or working paper section that addresses paragraphs 54(a) and 54(b) separately. Templates built for the current ISA 240 do not have this section.

ISA 500 (Revised): evidence in a digital environment

ISA 500 (Revised) restructures how auditors evaluate the relevance and reliability of information used as audit evidence, with explicit requirements for technology-generated information and automated tools.

The current ISA 500 was written in an era when audit evidence was primarily paper or simple electronic records. The revised standard acknowledges that auditors now receive data extracts and rely on system-generated reports, often processed through automated audit tools. Paragraph 9 introduces requirements for the auditor to consider the source and nature of information, including whether it was generated by the entity's IT systems, by a third party, by the auditor's own technology, or by some combination of these.

The most significant change is the requirement in paragraph 10 to evaluate whether technology-produced information is sufficiently reliable for the auditor's purposes. This applies to both the entity's system-generated data (for example, an aged receivables report from the ERP system) and to outputs from the auditor's own data analytics tools. If you use a data analytics tool to identify journal entries for testing, the revised ISA 500 requires you to consider the reliability of the data input and the tool's processing logic.

Practical impact: every audit file that relies on system-generated reports or data analytics needs documentation supporting the reliability assessment. A one-line note stating "data obtained from client ERP" is insufficient under the revised standard.

ISA 200 (Revised): professional scepticism reframed

ISA 200 (Revised) repositions professional scepticism from a general attitude to a set of specific behaviours that permeate the entire audit, with new application material on how scepticism applies to evidence evaluation and engagement team discussions.

The current ISA 200.15 defines professional scepticism but provides limited guidance on what it looks like in practice. The revised standard expands the application material to describe scepticism as an active, ongoing evaluation rather than a disposition. Paragraph A24 (revised) links scepticism directly to the auditor's assessment of evidence quality: the auditor considers whether information from the entity is consistent with other evidence obtained and whether indicators of management bias exist.

This revision is the conceptual backbone of the other six standards. ISA 240 (Revised) applies scepticism to fraud. ISA 500 (Revised) applies it to evidence reliability. ISA 570 (Revised 2024) applies it to going concern. The IAASB designed these revisions to create a consistent scepticism thread across the audit.

Practical impact: training programmes should address ISA 200 (Revised) first, because its concepts feed into every other standard in this package.

ISA 220 (Revised 2024): engagement-level quality management

ISA 220 (Revised 2024) builds on the 2022 revision by adding specific requirements for the engagement partner's involvement in quality management at the engagement level, including expanded direction, supervision, and review requirements and a stronger link to ISQM 1.

What changes most in this iteration is the engagement partner's responsibility to determine that the engagement quality management responses (designed under ISQM 1) are being applied on the specific engagement. Paragraph 15 (revised) requires the partner to take responsibility for the nature, timing, and extent of direction, supervision, and review based on the assessed risks of the engagement. This replaces the more general "sufficient involvement" requirement.

Paragraph 30 (revised) adds a requirement for the engagement partner to stand back (before the auditor's report date) and determine whether the partner's involvement has been sufficient to conclude that significant judgements and conclusions are appropriate. This parallels the ISA 240 stand-back and the ISA 330 stand-back, creating a pattern: the IAASB wants partners to perform explicit completion-stage evaluations, not just sign off.

Practical impact: firms using a single quality checklist for all engagements will need to differentiate based on engagement risk. A listed entity audit and a small private company audit require different levels of direction, supervision, and review under the revised standard.

ISA 230 (Revised): documentation that tells the story

ISA 230 (Revised) introduces the concept that audit documentation should enable an experienced auditor with no previous connection to the engagement to understand not just what was done, but the reasoning behind significant professional judgements.

Currently, ISA 230.8 requires documentation sufficient to enable an experienced auditor to understand the work performed, evidence obtained, and conclusions reached. The revised standard adds explicit language about documenting the auditor's reasoning in reaching those conclusions. Paragraph 8(b) (revised) focuses on documenting how the auditor exercised professional scepticism and professional judgement on significant matters.

This connects directly to ISA 200 (Revised). If scepticism is now defined by specific behaviours, the documentation standard must require evidence of those behaviours. Inspectors at the FRC and AFM have flagged documentation of professional scepticism as a recurring deficiency. This revision makes the expectation explicit.

Practical impact: WP templates need a "rationale" or "reasoning" field for significant judgements. A WP that states the conclusion without explaining how the auditor reached it will not meet the revised ISA 230 requirements.

ISA 700 (Revised): the auditor's report changes

ISA 700 (Revised) introduces modifications to the standard auditor's report format, including updated descriptions of the auditor's responsibilities and new language on the exercise of professional scepticism, aligning the report with the ISA 200 (Revised) framework.

Paragraph 38 (revised) expands the report section describing the auditor's responsibilities to explicitly reference the exercise of professional scepticism throughout the audit. The change to the report wording itself is small, but it signals to readers (and regulators) that scepticism is embedded, not assumed.

Practical impact: firms must update their auditor's report templates. For any audit where the revised standards apply, using the old report template creates a non-compliance with ISA 700 . This is the easiest change to implement but the most visible if missed.

ISA 570 (Revised 2024): going concern on a gross basis

ISA 570 (Revised 2024) requires auditors to identify events and conditions that may cast significant doubt on going concern on a gross basis (before considering management's mitigating plans) and then separately evaluate the feasibility and effectiveness of those plans.

This is the most significant operational change in the package. Under the current ISA 570 , we see most mid-tier teams combine the identification of going concern events with management's response in a single assessment. The revised standard forces a two-step process. First, identify every event or condition that (taken alone) casts doubt. Second, evaluate what management intends to do about each one.

Paragraph 16 (revised) makes the gross-basis assessment explicit. The going concern checklist can be used to structure this identification step. Paragraph 19 (revised) then requires the auditor to evaluate management's plans and whether those plans are feasible given the entity's circumstances.

In practice, this matters. Under the current approach, an entity with a current ratio below 1.0 but a signed refinancing agreement might never appear in the going concern WP as a concern at all. Under the revised standard, the low current ratio is identified as a gross-basis indicator, and the refinancing agreement is evaluated separately as a mitigating plan. Both must be documented.

Practical impact: going concern WPs need structural redesign. The current single-step assessment (is there a problem, yes or no?) becomes a two-column analysis: gross-basis indicators in one column, management's mitigating plans in the other. Nobody enjoys rebuilding going concern WPs from scratch, but this is the section regulators look at first on inspections.

What firms should start doing now

Training is the first priority. ISA 200 (Revised) should anchor the training because its scepticism framework feeds into every other standard. Run it before the standard-specific sessions. A firm that trains on ISA 570 (Revised 2024) without first covering the ISA 200 changes will find teams confused about why the going concern approach changed.

Template updates come second. The changes to ISA 240 (stand-back evaluation), ISA 570 (gross-basis assessment), ISA 230 (reasoning documentation), and ISA 700 (report wording) all require new or modified WP templates. Firms that use third-party methodology providers should confirm the provider's update timeline now, not in Q4 2027.

Dry runs matter. Pick two or four engagements with periods beginning before 15 December 2026 and apply the revised standards voluntarily. Early adoption is permitted. The dry run reveals template gaps and training deficiencies before they appear on a live engagement with a regulatory deadline.

Quality management system updates are also required. ISQM 1 responses should reflect the revised ISA 220 requirements for engagement-level quality management. The firm's monitoring and remediation process under ISQM 1.43 should include a check that the revised standards have been embedded in methodology and practice.

Worked example: mapping the changes to a single engagement

Dijkstra Logistics B.V. is a Dutch transport and warehousing company with €62M revenue and a December 2027 year-end. The engagement team is planning the audit, which is the first engagement to fall under all seven revised standards.

1. The engagement partner reviews the firm's updated planning template, which now includes a section mapping applicable revised standards to the engagement. All seven revised ISAs are flagged as applicable because the period begins 1 January 2027 (after 15 December 2026).

Documentation note: "This engagement is subject to ISA 240 (Revised), ISA 500 (Revised), ISA 200 (Revised), ISA 220 (Revised 2024), ISA 230 (Revised), ISA 700 (Revised), and ISA 570 (Revised 2024). Templates updated to reflect all seven standards."

2. During the risk assessment, the team identifies that Dijkstra has a current ratio of 0.92 and a loan covenant that requires a minimum current ratio of 1.1 as at 31 December 2027. Under ISA 570 (Revised 2024), paragraph 16, these are gross-basis indicators. The team documents them in the left column of the new two-column going concern WP before considering management's plans.

Documentation note: "Gross-basis going concern indicators identified: (1) current ratio of 0.92 at interim, below covenant threshold of 1.1; (2) loan covenant breach likely at year-end based on current trajectory. These indicators are documented before evaluating management's mitigating plans per ISA 570.16 (revised)."

3. The team uses data analytics to select journal entries for fraud testing under ISA 240 . Under ISA 500 (Revised), paragraph 10, they document the reliability of the data extract: the ERP system version, the extraction method, completeness checks performed, and the logic applied by the analytics tool.

Documentation note: "Journal entry population extracted from SAP S/4HANA on 15 February 2028. Completeness verified by reconciling total debits and credits to trial balance. Analytics tool applied selection criteria [parameters listed]. Reliability of technology-produced information assessed per ISA 500.10 (revised)."

4. At completion, the engagement partner performs three separate stand-back evaluations: the ISA 330 stand-back on overall audit responses, the ISA 240 (Revised) paragraph 54 stand-back on fraud risk assessments and evidence, and the ISA 220 (Revised 2024) paragraph 30 stand-back on the partner's own involvement and the sufficiency of engagement quality management.

Documentation note: " ISA 240.54 stand-back completed. (a) Fraud risk assessments remain appropriate based on evidence obtained during fieldwork. (b) Audit procedures performed addressed all identified fraud risks. No additional procedures required. ISA 220.30 stand-back completed. Partner involvement sufficient for all significant judgements."

5. The auditor's report uses the updated ISA 700 (Revised) wording, including the expanded professional scepticism language in the auditor's responsibilities section.

Documentation note: "Auditor's report prepared using updated firm template reflecting ISA 700 (Revised) paragraph 38 wording. Report reviewed for compliance with revised report requirements."

A reviewer opening this file sees a clear trail: each revised standard is identified and each change is addressed in the relevant WP. The completion-stage evaluations are documented separately and cross-referenced to the standards that require them.

Practical checklist for the transition

Common mistakes in standard transitions

• Applying the revised standards to engagements where the period began before 15 December 2026. The effective date is the beginning of the period, not the report date. A December 2026 year-end (period beginning 1 January 2026) falls under the current standards, not the revised ones.

Frequently asked questions

Related content

• ISA 570 going concern checklist: interactive tool supporting the gross-basis indicator identification required under ISA 570 (Revised 2024) paragraph 16.
• ISA 240 fraud risk assessment pack: Includes the stand-back evaluation tab that maps to ISA 240 (Revised) paragraph 54.
• ISA 700 forming an opinion: the completion checklist before you sign: Covers the updated auditor's report requirements and the quality management sign-offs before issuing the report.
• ISA effective date tracker: Full table of all revised ISA standards with effective dates and transition provisions.

Related tools