The AFM’s 2023 thematic review of 32 statutory audits found fraud risk assessments that listed “management override” and “revenue recognition” as two generic lines, with no link to specific assertions or revenue streams. That template passes under the current standard. Under ISA 240 (Revised), effective for periods beginning on or after 15 December 2026, it does not. At firms like ours, the revised standard forces changes to the fraud risk assessment template, the engagement team discussion notes, the representation letter, and the completion checklist before December 2026 files can be signed.
ISA 240 (Revised) differs from extant ISA 240 in six areas: deletion of two scepticism principles, stronger fraud lens requirements, new response requirements for identified fraud, a fraud-specific stand-back, expanded key audit matter (KAM) requirements, and changed written representations.
| Area | Extant ISA 240 | ISA 240 (Revised) |
|---|---|---|
| Professional scepticism | Auditor may accept records as genuine absent a red flag; may weigh past experience of management integrity. | Both qualifiers deleted; investigation required when conditions suggest a record may not be authentic. |
| Risk identification | Fraud risk assessment runs largely independent of ISA 315. | Fraud lens integrated across every ISA 315 (Revised 2019) requirement; four mandatory discussion topics. |
| Revenue presumption | Presumption exists; rebuttal permitted with documented reasons. | Presumption retained and must be mapped to specific streams and assertions; rebuttal 'ordinarily inappropriate.' |
| Response to fraud | Addressed via general risk response and communication paragraphs. | New dedicated section with 'clearly inconsequential' threshold and explicit third-party fraud guidance. |
| Stand-back | General ISA 330 stand-back only. | New fraud-specific stand-back evaluating cumulative evidence near completion. |
| Representations | Management 'acknowledges' control responsibility; threshold for fraud involving others is 'material.' | Management 'appropriately fulfilled' control responsibility; threshold lowered to 'any matters that could have an effect.' |
Key takeaways
- Which specific requirements changed, stayed the same, or were added in ISA 240 (Revised) compared to extant ISA 240
- How to identify the sections of your current audit file that need updating before the December 2026 effective date
- Where ISA 240 (Revised) aligns with ISA 315 (Revised 2019) in ways that affect your risk assessment working papers
- What the practical difference looks like on an actual engagement file
How to read this comparison
Each section below covers one area of the standard. The “extant” column reflects ISA 240 as it exists today. The “revised” column reflects ISA 240 (Revised), approved March 2025 and released July 2025 after PIOB certification. Where paragraph numbers are cited, the extant references use the current ISA numbering and the revised references use ISA 240 (Revised) paragraph numbers as published.
This comparison covers only substantive changes. Drafting improvements and restructuring that don’t change the auditor’s obligation are excluded.
Auditor’s responsibilities and inherent limitations
Under extant ISA 240, the description of the auditor’s responsibilities and the inherent limitations of an audit appeared together in paragraphs 5 through 7. The intermingling of “here is what the auditor must do” with “here is why audits have limits” created a perception problem: readers (including investors and regulators) interpreted the structure as qualifying the auditor’s responsibilities before they were even fully stated.
ISA 240 (Revised) separates these two concepts. The auditor’s responsibilities now appear first in the standard, before the responsibilities of management and those charged with governance (TCWG). The inherent limitations section follows separately. The IAASB added explicit language that inherent limitations do not diminish the auditor’s responsibilities and are not a justification for accepting less than persuasive audit evidence (a principle from ISA 200 now repeated in ISA 240 for emphasis).
From the files we’ve reviewed, the practical impact hits firms that currently draft their fraud risk assessment methodology statements with language that echoes the extant structure. If your methodology references inherent limitations alongside your statement of fraud responsibilities, revise the ordering.
Professional scepticism
Two deletions define this section.
First, extant ISA 240 included the principle that auditors may “accept records and documents as genuine” unless they had reason to believe otherwise. ISA 240 (Revised) removes this principle from the fraud standard entirely. It still exists in ISA 200.A47 for general audit purposes, but its removal from ISA 240 means that in a fraud context, the auditor can no longer point to the absence of a red flag as a basis for accepting a record. The revised standard requires investigation when conditions suggest a record may not be authentic. The shift is from “believe it’s not genuine” (a high bar) to “conditions suggest it may not be authentic” (a lower bar).
Second, extant ISA 240 allowed auditors to maintain professional scepticism while still recognising their “past experience of the honesty and integrity of the entity’s management and those charged with governance.” ISA 240 (Revised) deletes this qualifier entirely. The IAASB concluded it directly undermined scepticism, particularly on continuing engagements where familiarity builds over years. The revised standard requires what the Board described as a “fresh pair of eyes” approach on every engagement.
The revised standard also adds a new ongoing alertness requirement: the auditor must remain alert throughout the audit for information indicative of fraud or suspected fraud. This applies with particular force during the final stages of the engagement, where time pressure is highest and where the AFM’s 2025 inspection report found the most deficiencies.
Risk identification and assessment
This is the area with the most new content.
Under extant ISA 240, fraud risk assessment ran somewhat independently from the ISA 315 risk assessment process. ISA 240 (Revised) integrates the two by requiring a “fraud lens” to be applied across every ISA 315 (Revised 2019) requirement. The auditor must now obtain an understanding of matters related to the entity and its environment that may lead to increased susceptibility to management bias or other fraud risk factors. This requirement has no equivalent in the extant standard.
New specific understanding requirements include the entity’s whistleblower programme (or the absence of one, which itself becomes a documented fraud risk factor) and how the entity uses its IT environment in ways that may create opportunities for fraud.
The engagement team discussion under extant ISA 240.15 required the team to discuss fraud but did not prescribe what the discussion had to cover. ISA 240 (Revised).29 specifies four required topics: how the financial statements may be susceptible to material misstatement due to fraud (including concealment methods), known fraud risk factors specific to the entity, how assets might be misappropriated, and how the team will maintain professional scepticism.
Management override of controls was always required to be treated as a significant risk. ISA 240 (Revised) makes explicit that this risk is assessed at the financial statement level and requires the auditor to determine whether it also gives rise to assertion-level risks. The extant standard did not specify the level.
The revenue recognition presumption remains unchanged in principle. The revised standard strengthens it by requiring the auditor to identify (considering fraud risk factors) which specific revenue streams and which assertions give rise to the presumed risk, rather than simply noting that the presumption exists. The application material expands the examples of conditions that make rebuttal inappropriate and adds new illustrations, including entities operating in emerging industries and revenue involving complex accounting estimates. The AFM’s 2023 review of 32 statutory audits found that revenue recognition was frequently listed as a presumed risk without being linked to specific assertions or revenue streams. The revised standard directly targets this deficiency.
Response to fraud or suspected fraud
Extant ISA 240 addressed the auditor’s response to fraud primarily through the lens of risk response (ISA 240.28-33) and communication requirements. ISA 240 (Revised) adds an entirely new section on responding to identified or suspected fraud.
When the auditor identifies fraud or suspected fraud (from audit procedures, external sources, TCWG communications, or whistleblower reports), the revised standard requires the auditor to obtain an understanding of the matter and evaluate how the entity has responded to it. The engagement partner (EP) must then determine whether to perform additional risk assessment or further audit procedures.
The “clearly inconsequential” threshold is new. It allows the auditor to exclude instances of fraud or suspected fraud from further consideration if the auditor has obtained a sufficient understanding and determined the matter is clearly inconsequential. This is a scalability provision that did not exist in the extant standard, which treated every instance of identified or suspected fraud with the same level of required response.
The revised standard also expands qualitative materiality guidance: fraud committed by senior management is ordinarily qualitatively material regardless of amount, and intentional manipulation of KPIs to influence market expectations can render a quantitatively immaterial misstatement qualitatively material. Extant ISA 240 contained less specific guidance on this point.
Third-party fraud was technically within the scope of extant ISA 240 (the definition always included third parties), but the revised standard adds application material with specific examples: related parties who may collude with management, suppliers or customers who create fictitious transactions, service providers who may exploit system access, and unknown parties who gain unauthorised access to the IT environment. For an auditor at a mid-tier firm, the practical implication is that fraud risk factors related to the client’s supply chain or customer relationships now need to be explicitly considered and documented.
Stand-back, reporting, documentation, and representations
ISA 240 (Revised) introduces a fraud-specific stand-back requirement that has no equivalent in the extant standard. Near the end of the audit, the auditor must evaluate whether the assessment of fraud risks remains appropriate and whether sufficient appropriate audit evidence has been obtained. This is separate from the general stand-back in ISA 330 and requires the auditor to consider the cumulative effect of all audit evidence obtained during the engagement.
Where ISA 701 applies, the revised standard adds new KAM requirements for fraud. The auditor must determine which fraud-related matters required significant auditor attention and which were of most significance. The application material steers auditors toward including fraud-related KAMs by noting that fraud matters often require significant attention and that investors have specifically requested greater transparency on fraud.
Documentation requirements expanded in four areas: risk assessment procedures (including the fraud lens), significant judgements in fraud risk identification and assessment, fraud or suspected fraud identified and the results of related procedures, and communications with TCWG.
Written representations changed in two ways. Management must now confirm that they have “appropriately fulfilled” their internal control responsibilities for fraud prevention and detection (the extant standard required only an acknowledgement). And the threshold for representations about fraud involving others dropped from “material” matters to “any matters that could have an effect on the financial statements.”
Worked example: the same engagement under both standards
Client scenario. Bakker Industrial B.V. is a Dutch manufacturing company with €52M revenue, supplying automotive components under long-term supply agreements, audited by a mid-tier firm.
Under extant ISA 240
The engagement team discussion note states that fraud risks were discussed, including management override and the presumption of fraud in revenue recognition. The fraud risk assessment lists management override as a significant risk and retains the revenue recognition presumption without specifying which assertions or revenue streams. The file contains a standard sentence: “No conditions identified to suggest records and documents are not genuine.” Journal entry testing covers year-end entries selected by amount. No stand-back specific to fraud is documented at completion. The representation letter states that management “acknowledges” responsibility for internal controls to prevent or detect fraud.
Documentation note. This file would pass under the extant standard. Generic discussion and unspecific risk assessment (paired with standard genuineness wording) are common across most mid-tier files. In our experience, this is SALY (same as last year) with better narratives.
Under ISA 240 (Revised)
The engagement team discussion covers four specific areas: susceptibility of revenue cut-off and volume rebate estimates to manipulation (the two Stellantis supply contracts at €18M combined represent 35% of revenue and include volume-based rebates requiring estimation), the opportunity created by the financial controller’s ability to post manual journal entries without secondary approval above €25K, the new general manager’s performance bonus structure tied to gross margin targets, and the team’s plan for maintaining scepticism during the compressed two-week fieldwork window. The fraud risk assessment maps each fraud risk factor to specific assertions: revenue cut-off and accuracy on the Stellantis contracts, valuation on the €1.8M volume rebate accrual, management override at the FS level, and assertion-level risk on the volume rebate estimate itself.
The file documents the absence of a formal whistleblower programme and notes it as a control environment gap. The engagement partner (EP) documents a fraud-specific stand-back at completion: the €340K positive variance between budgeted and actual rebate income on the Stellantis contracts was investigated, and the conclusion references the additional procedures performed. The representation letter states that management has “appropriately fulfilled” its internal control responsibilities and discloses any instances of fraud or suspected fraud involving others “that could have an effect on the financial statements.”
Documentation note. Every element traces to a specific revised standard requirement. The discussion covers the four ISA 240 (Revised).29 topics. The risk assessment maps fraud risk factors to assertions. The stand-back references cumulative evidence.
Decision guide: what to update first
If your firm is planning the transition to ISA 240 (Revised), prioritise by impact on existing files.
Start with your engagement team discussion template. This is the most visible change and the area where the AFM has already flagged deficiencies under the current standard. Nobody enjoys rebuilding a brainstorm template, but skipping it is how files get flagged. Building the four required topics into your template takes a day. Getting teams to actually use them takes training.
Update your fraud risk assessment working paper next. Add the fraud lens integration with ISA 315 (Revised 2019). Map fraud risk factors to specific assertions and accounts, not just to “management override” and “revenue recognition” as two generic lines. Add a prompt for the whistleblower programme (or its absence).
Then update your completion checklist to include the fraud-specific stand-back. The EP cannot just be ticking and bashing the old checklist. Create a template prompt that requires the EP to reference specific audit evidence reconsidered and document the conclusion.
Update your representation letter last. This is the simplest change (“acknowledge” becomes “appropriately fulfilled”) and has the lowest risk of being missed because it’s a single document.
If your audits fall within ISA 701’s scope, add fraud-related KAM preparation to your planning process. Draft example KAM paragraphs for management override and revenue recognition as starting templates.
- Update engagement team discussion template with the four ISA 240 (Revised).29 topics
- Rebuild fraud risk assessment to integrate the fraud lens with ISA 315 (Revised 2019)
- Add fraud-specific stand-back to your completion checklist
- Revise the written representation letter (wording and threshold change)
- If ISA 701 applies, prepare fraud-related KAM templates
- Train engagement teams on the deletion of “accept records as genuine” and the “past experience” qualifier
Related content
- Fraud risk factors (glossary) covers the full taxonomy of fraud risk factors under both the extant and revised standards.
- ISA 520 Analytical Review Calculator generates documented analytical procedures that support the fraud lens on revenue and cost accounts.
- ISA 240 Revised 2024: Everything that changed goes deeper on each individual change with full paragraph references and implementation guidance.
- ISA 240 (Revised): fraud brainstorming requirements covers the planning-stage discussion that produces the fraud risk assessment reassessed at completion.
Frequently asked questions
When does ISA 240 (Revised) become effective?
ISA 240 (Revised) is effective for audits of financial statements for periods beginning on or after 15 December 2026. The standard was approved by the IAASB in March 2025 and certified by the PIOB in July 2025.
What is the fraud-specific stand-back requirement in ISA 240 (Revised)?
ISA 240 (Revised) introduces a new stand-back requirement near the end of the audit. The auditor must evaluate whether the assessment of fraud risks remains appropriate and whether sufficient appropriate audit evidence has been obtained. This is separate from the general stand-back in ISA 330 and requires the auditor to consider the cumulative effect of all audit evidence obtained during the engagement.
Has the "accept records as genuine" principle been removed?
Yes. ISA 240 (Revised) removes the principle that auditors may accept records and documents as genuine unless they have reason to believe otherwise. The principle still exists in ISA 200.A47 for general audit purposes, but its removal from the fraud standard means auditors must investigate when conditions suggest a record may not be authentic, rather than waiting for a specific red flag.
How does ISA 240 (Revised) change the revenue recognition presumption?
The revenue recognition presumption is retained but strengthened. The auditor must now identify which types of revenue, transactions, or assertions give rise to the presumed risk, rather than simply noting that the presumption exists. The application material adds conditions that make rebuttal inappropriate and new illustrations including entities in emerging industries and revenue involving complex accounting estimates.
What changed in the written representation letter under ISA 240 (Revised)?
Two changes. First, management must now confirm that they have "appropriately fulfilled" their internal control responsibilities for fraud prevention and detection, replacing the previous "acknowledgement" wording. Second, the threshold for representations about fraud involving others dropped from "material" matters to "any matters that could have an effect on the financial statements."
Further reading and source references
- IAASB Handbook 2024 is the authoritative source for the complete extant ISA 240 text.
- ISA 240 (Revised), as approved March 2025 and certified July 2025, contains the revised standard text with all new requirements and application material.
- ISA 315 (Revised 2019), Identifying and Assessing the Risks of Material Misstatement. The fraud lens integrates with this standard's requirements.
- ISA 701, Communicating Key Audit Matters. Expanded fraud-related KAM requirements under the revised standard.
- AFM, Fraud in Financial Statement Audits (2023). Inspection findings on fraud risk assessment quality across 32 statutory audits.