ISA 240 (Revised) Stand-Back Evaluation Guide

What you'll learn

You'll understand exactly what ISA 240 (Revised) paragraph 54 requires and why it was added
You'll be able to distinguish the fraud-specific stand-back from the ISA 330 stand-back (they are separate evaluations)
You'll know how to document both limbs of the stand-back: risk reassessment (paragraph 54(a)) and evidence sufficiency (paragraph 54(b))
You'll be able to position the stand-back within the broader evaluation and completion workflow that follows it

Completion meeting, Friday afternoon. The engagement partner (EP) opens the file, reviews the ISA 330 stand-back, signs the checklist, and moves on. The fraud risk register from planning is still sitting exactly where it was in October. Nobody has asked whether anything found during the audit actually changes the picture. Under the revised standard, that moment is the one the AFM will read first.

The ISA 240 (Revised) stand-back evaluation at paragraph 54 requires the EP to evaluate, near completion, whether fraud risk assessments remain appropriate in light of all audit evidence obtained and whether sufficient appropriate audit evidence has been obtained in response to those assessed risks.

What changed and why it matters

Under the current ISA 240 , the engagement partner has no explicit requirement to step back at completion and re-evaluate whether the fraud risk assessment is still appropriate. The current standard requires ongoing communication and evaluation of evidence as it comes in, but it never forces a single, documented moment where the partner asks: "Given everything we now know, does our original fraud risk assessment still make sense?"

ISA 240 (Revised) changes this. Paragraph 54 creates two new evaluation requirements, positioned at the completion stage, that apply to every engagement. These are not checkbox confirmations. They require the EP to form a judgment (exercising professional skepticism) based on the totality of audit evidence obtained across the entire engagement, not just from the fraud-specific procedures. This is not SALY with better narratives.

The distinction matters. Evidence relevant to fraud risk comes from everywhere in the audit: substantive testing of balances, analytical procedures, discussions with management, group audit communications, and the work of component auditors. The current standard does not require the partner to pull all of this together into one fraud-specific evaluation at completion. The revised standard does.

Before (current ISA 240 )

No explicit completion-stage evaluation of whether fraud risk assessments remain appropriate. The partner reviews the file, signs off on individual working papers, but no single step forces a full reassessment of the fraud risk picture. Fraud-related evidence obtained during substantive testing might be noted on the relevant working paper but never formally connected back to the fraud risk assessment.

After ( ISA 240 Revised, paragraph 54)

The EP must evaluate whether the assessments of risks of material misstatement (RMM) due to fraud remain appropriate (paragraph 54(a)) and whether sufficient appropriate audit evidence has been obtained in response to the assessed risks (paragraph 54(b)). Both evaluations must be documented. Both are directed at the EP specifically, not at the engagement team generally.

Effective date

ISA 240 (Revised) is effective for audits of financial statements (FS) for periods beginning on or after 15 December 2026. Early adoption is permitted where national law or regulation allows.

What you actually need to do on a real file

Add two documented steps to your completion procedures. The first is a narrative assessment of whether any evidence obtained during the audit (from any source, not just fraud-specific procedures) changes the fraud risk picture established at planning. The second is a sufficiency assessment: looking across all fraud risks, does each one have a documented response with evidence that goes beyond inquiry? If either assessment reveals a gap, you cannot sign the opinion until additional procedures are performed.

This is not something you can delegate to the audit senior and review later. Paragraph 54 is directed at the EP. The partner must perform the evaluation, not just approve someone else's work. In our experience, this is the finding that generates the most review notes on fraud files.

How the fraud stand-back differs from the ISA 330 stand-back

ISA 330.25 -26 already requires a stand-back evaluation at completion: the auditor must conclude whether sufficient appropriate audit evidence has been obtained in aggregate. This is a general evaluation covering all risks (error and fraud combined) across all assertions. From the files we've reviewed, most firms already have this documented in their completion working papers (WPs).

The ISA 240 (Revised) stand-back is different in four ways.

First, it is fraud-specific. You are not evaluating evidence sufficiency across the whole audit. You are evaluating whether your fraud risk picture is still accurate and whether your fraud responses produced enough evidence. The focus is narrower but the standard of documentation is higher.

Second, it is directed specifically at the engagement partner. ISA 330 does not specify who performs the stand-back. ISA 240 (Revised) does. The EP cannot delegate this to a manager who prepares a summary for partner review. The EP must form and document their own judgment.

Third, it has two limbs (risk reassessment plus evidence sufficiency) rather than the single evidence-sufficiency question in ISA 330 . The first limb asks whether the risks you identified are still the right risks. The second asks whether the evidence you obtained is enough. These are distinct questions requiring distinct analysis.

Fourth, it considers whether information from other audit procedures (not just fraud procedures) affects the fraud risk assessment. Evidence obtained during substantive testing, discussions with management, or group audit communications might reveal something that changes the fraud risk picture. The ISA 330 stand-back does not require this cross-pollination between workstreams. The ISA 240 (Revised) stand-back does.

Document them separately. If an inspector opens your file and sees only the ISA 330 stand-back, the ISA 240 (Revised) requirement is not satisfied. Two separate evaluations, two separate conclusions, two separate sign-offs.

The two limbs of paragraph 54

Paragraph 54(a): do fraud risk assessments remain appropriate?

This is a reassessment question. You go back to the fraud risk register and ask whether everything you now know (from every part of the audit, not just fraud procedures) changes any of the following four things: the risks you identified, the level at which you assessed them (financial-statement level versus assertion level), the assertions affected, or the level of response required.

Common triggers for changing the assessment include: unexpected results from analytical procedures near completion, inconsistencies between management representations and audit evidence, information from component auditors in a group engagement, findings during journal entry testing that suggest a pattern, estimates that show cumulative directional bias across multiple periods, and significant unusual transactions where the business rationale does not hold up under scrutiny.

If the assessment changes, document what changed and why. Then determine what additional procedures are needed and perform them before concluding.

If the assessment does not change, the documentation is still required. A one-sentence confirmation is not enough. The EP should document what evidence was considered and why the original assessment remains appropriate. "I reviewed the audit evidence obtained and confirm the fraud risk assessment remains appropriate" is insufficient. "I reviewed the results of journal entry testing (no exceptions), the estimates retrospective review (consistent directional understatement of provisions noted, assessed as within tolerable range), the significant unusual transactions evaluation (one related-party transaction evaluated, business rationale supported), and analytical procedures at completion (no anomalies identified). No evidence from substantive testing or management discussions changed the fraud risk picture established at planning. The fraud risk assessment remains appropriate" is the level of detail inspectors expect.

Paragraph 54(b): has sufficient appropriate evidence been obtained?

This is a sufficiency question. For each fraud risk in the register, does the response matrix show a completed procedure with evidence that goes beyond inquiry alone? Are there any risks where the only evidence is management's explanation?

This evaluation connects directly to the response matrix. The EP reviews each response row: was the procedure performed as planned? Did the results address the risk? Is the evidence type appropriate (not just inquiry)? Are there any loose ends (for example, a data analytics exception that was noted but never resolved)?

If the evidence is insufficient, you do not sign off. You perform additional procedures or, if additional procedures are not possible, evaluate the effect on the auditor's report under ISA 705 .

Where the stand-back sits in the completion workflow

The stand-back at paragraph 54 is the first step in a broader completion sequence. It comes first because everything else depends on it. If the fraud risk assessment has changed, the remaining completion steps must reflect the updated assessment.

A structured evaluation and completion section covers 23 steps in total. The stand-back occupies the first two. What follows is a systematic walk through every remaining fraud-related evaluation the engagement partner must perform or review before signing the auditor's report.

The 23-step evaluation and completion sequence

After the stand-back (steps 1-2), the completion sequence continues with document authenticity evaluation ( ISA 240.22 ): were any conditions identified during the audit suggesting that records or documents may not be authentic, or that undisclosed modifications were made? If yes, what investigation was performed?

Accounting policy evaluation ( ISA 240.45 ) follows: do the entity's accounting policies, particularly for subjective measurements and complex transactions, indicate fraudulent financial reporting? This is not a restatement of the ISA 540 work. It asks whether the choice of policy (not just its application) serves a potential fraud objective.

Estimates-taken-as-a-whole evaluation ( ISA 240.51 (b)): looking at all accounting estimates in aggregate, does the cumulative pattern suggest management bias? This draws on the individual estimate reviews performed in the estimates and bias review section. The completion evaluation asks the aggregate question.

Significant unusual transactions evaluation ( ISA 240.52 ): consolidating the evaluation of all transactions outside the normal course of business. For each one, does the business rationale (or absence of it) suggest fraudulent financial reporting or concealment of misappropriation?

Analytical procedures near the end of the audit ( ISA 240.53 ): do the results of near-completion analytics indicate a previously unrecognised risk of material misstatement due to fraud? If yes, update the risk register and determine what additional procedures are needed.

Then, if fraud or suspected fraud was identified during the engagement, a seven-step sequence activates: obtain understanding of the matter ( ISA 240.55 (a)), evaluate the entity's investigation process ( ISA 240.55 (b)), evaluate remedial actions ( ISA 240.55 (c)), the engagement partner's determination on additional procedures and legal responsibilities ( ISA 240.56 ), misstatement evaluation including materiality and control deficiency identification ( ISA 240.57 ), consequences of material fraud misstatement for the opinion ( ISA 240.58 ), and the inability-to-continue assessment ( ISA 240.59 ). If no fraud or suspected fraud was identified, these steps are documented as not applicable.

Communication steps follow regardless: ongoing fraud communications log ( ISA 240.25 ), communication with management ( ISA 240.64 ), communication with TCWG ( ISA 240.65 ), and other fraud matters communicated to those charged with governance ( ISA 240.66 ). Then regulatory reporting obligations ( ISA 240.67 ), written representations including the management representation letter fraud paragraphs ( ISA 240.63 ), key audit matters consideration where ISA 701 applies, report-to-file consistency check (a common inspection finding: the fraud section of the auditor's report does not match the audit file), group audit fraud considerations, and a final documentation completeness check.

The entire sequence works as an ordered checklist. Some steps apply to every engagement. Others activate only when specific conditions are met. But the stand-back always comes first.

Worked example: Van der Berg Holding N.V.

Scenario. Van der Berg Holding N.V. is a Dutch property development company with revenue of EUR 92M. At planning, the engagement team identified two assertion-level fraud risks (revenue recognition on percentage-of-completion contracts and capitalisation of costs that should be expensed), plus the presumed management override risk. The audit is now at completion stage.

Under the current standard, the EP reviews the ISA 240 file sections, checks that journal entry testing was performed, reviews the estimates evaluation, and signs off. There is no single documented moment where the EP explicitly reconsiders the entire fraud risk picture. The EP's sign-off on individual WPs implicitly confirms that the work was adequate, but no working paper asks the EP to step back and evaluate the totality.

Under ISA 240 (Revised), paragraph 54, the sequence looks different.

Perform the paragraph 54(a) risk reassessment

The EP opens the stand-back evaluation section. For paragraph 54(a) (risk reassessment), the EP reviews all evidence obtained during the audit. During substantive testing of capitalised costs, the team found EUR 340,000 of marketing expenses capitalised as project costs. The client corrected the entry. During analytical procedures, no unexpected variances were identified. Journal entry testing revealed no exceptions. The estimates retrospective review showed that percentage-of-completion estimates were within 3% of actual outcomes for completed contracts. Documentation note: "Reviewed all audit evidence for fraud risk implications. Key finding: EUR 340,000 marketing expenses capitalised to project WBS-2024-017 (identified during substantive testing, corrected by management without resistance, no evidence of concealment). Evaluated whether this changes the fraud risk assessment. The misstatement was a single instance, promptly corrected, and does not indicate a pattern of deliberate capitalisation. The capitalisation assertion-level risk remains appropriately assessed as a fraud risk given the covenant pressure identified at planning, but no additional fraud risks identified. Fraud risk assessment remains appropriate."

Perform the paragraph 54(b) evidence sufficiency check

For paragraph 54(b) (evidence sufficiency), the EP reviews each fraud risk against its response. Revenue recognition: full-population analytics on percentage-of-completion adjustments performed, 15 contracts tested against independent surveyor reports, no exceptions. Management override: journal entry testing completed (12,400 entries analysed, 45 selected, no exceptions), estimates review completed (PY provisions showed consistent slight overstatement but within acceptable range, no bias indicator), significant unusual transactions reviewed (one related-party land sale evaluated, business rationale documented and supported). Capitalisation risk: sample of 40 capitalised cost items tested against capitalisation criteria, the EUR 340,000 misstatement identified and corrected, no further exceptions. Documentation note: "Evidence reviewed for each assessed fraud risk. All responses in the response matrix show completed procedures with evidence beyond inquiry. One misstatement identified (capitalised marketing costs, EUR 340,000, corrected). No unresolved exceptions. Sufficient appropriate evidence obtained for all assessed fraud risks."

Sign and date the stand-back section

The EP signs the stand-back section with the date. The engagement file now contains a documented, partner-level evaluation that satisfies both limbs of paragraph 54, positioned before the remaining completion steps.

Practical checklist

Action items

What to do Monday morning

Add two documented steps to your completion working papers for the paragraph 54(a) and 54(b) evaluations. Do not bury these inside the ISA 330 stand-back. They are separate requirements.
The engagement partner must perform the evaluation personally, not review a prepopulated assessment drafted by a manager. The documentation should reflect the partner's own judgment.
For paragraph 54(a), consider evidence from all audit procedures (not just fraud-specific procedures) when evaluating whether the risk assessment remains appropriate.
For paragraph 54(b), trace each fraud risk in the register to a completed response with evidence beyond inquiry. If any risk has no completed response, the evaluation fails.
If the stand-back reveals a gap (changed risk, insufficient evidence), perform additional procedures before signing off. Document what changed and what was done.
Date the stand-back evaluation. Inspectors check that it was performed near completion, not backdated to planning.

Common mistakes

Combining the ISA 240 fraud stand-back with the ISA 330 stand-back in a single paragraph. The AFM treats these as separate requirements. Ticking and bashing a single generic "I'm satisfied with the evidence" does not satisfy paragraph 54.
Delegating the paragraph 54 evaluation to a manager or senior. The revised standard directs this at the EP. A manager's draft with a partner signature is not the same as a partner's evaluation.
Documenting the paragraph 54(a) reassessment as "No changes to fraud risk assessment" without stating what evidence was considered. The reassessment must show that the partner actually reviewed the evidence obtained during the audit and formed a specific judgment about each fraud risk.
Performing the stand-back before all audit procedures are complete. The stand-back must consider the totality of audit evidence. If substantive testing is still ongoing when the partner signs the stand-back, the evaluation is premature.

Frequently asked questions

What does ISA 240 (Revised) paragraph 54 require at the completion stage?

Paragraph 54 introduces two evaluation requirements that must be performed near completion on every engagement. Paragraph 54(a) requires the engagement partner to evaluate whether the assessments of risks of material misstatement due to fraud remain appropriate in light of all audit evidence obtained. Paragraph 54(b) requires the partner to evaluate whether sufficient appropriate audit evidence has been obtained in response to those assessed fraud risks. Both evaluations must be documented and both are directed specifically at the engagement partner.

How does the ISA 240 (Revised) fraud stand-back differ from the ISA 330 stand-back?

The ISA 240 stand-back is fraud-specific, evaluating only the fraud risk picture rather than evidence sufficiency across the entire audit. ISA 240 (Revised) directs the stand-back specifically at the engagement partner, whereas ISA 330.25–26 does not specify who performs it. The ISA 240 stand-back has two limbs (risk reassessment plus evidence sufficiency) compared to ISA 330's single evidence-sufficiency question. They must be documented as two separate evaluations in the audit file.

Can the engagement partner delegate the paragraph 54 stand-back evaluation to a manager?

No. ISA 240 (Revised) paragraph 54 is directed specifically at the engagement partner. The partner must perform the evaluation and form their own judgment, not simply review or approve a prepopulated assessment drafted by a manager. The documentation should reflect the partner's own judgment based on reviewing all audit evidence obtained during the engagement, and the partner must sign and date the evaluation to demonstrate it was performed near completion.

What documentation is expected when the fraud risk assessment does not change after the stand-back?

Even when the assessment does not change, a substantive narrative is required. A one-sentence confirmation is insufficient. The partner should document what specific evidence was considered (for example, journal entry testing results, estimates retrospective review findings, and significant unusual transactions evaluation) and explain why the original assessment remains appropriate in light of that evidence. Inspectors expect to see that the partner actually reviewed evidence from across the audit.

When does ISA 240 (Revised) take effect?

ISA 240 (Revised) is effective for audits of financial statements for periods beginning on or after 15 December 2026, with early adoption permitted where national law or regulation allows. Firms should add two documented steps to their completion working papers: one for the paragraph 54(a) risk reassessment narrative and one for the paragraph 54(b) evidence sufficiency assessment. If either assessment reveals a gap, additional procedures must be performed before the auditor's report is signed.

ISA 240 Fraud Risk Assessment Pack. Includes the stand-back evaluation template, fraud risk register, and response matrix that produce the evidence the partner evaluates at completion.
ISA 450 Misstatement Tracker. Where misstatements with potential fraud indicators are accumulated before the stand-back evaluation.
How to build a fraud risk response matrix. The response matrix that the paragraph 54(b) evidence sufficiency review traces through.
How to document management override procedures. The three mandatory procedures whose results feed into the stand-back evaluation.
ISA 240 (Revised): fraud brainstorming requirements. The planning-stage discussion that produces the fraud risk assessment reassessed at completion.

Related tools

This content is for educational purposes and does not constitute legal or professional advice. Always consult applicable national standards alongside international texts.

Last reviewed: March 2026