Side-by-side comparison
| Dimension | Current ISA 240 | ISA 240 (Revised 2024) |
|---|---|---|
| Fraud risk factors | ISA 240.25 requires the auditor to evaluate whether information indicates fraud risk factors. The identification step is embedded within the broader risk assessment. | The revised standard separates identification of fraud risk factors as a distinct, documented step. The auditor must identify fraud risk factors before assessing risks of material misstatement due to fraud. |
| Scepticism | ISA 240.12 requires professional scepticism throughout, referencing ISA 200. No additional specific requirements. | New requirements for demonstrating professional scepticism at specific points, including when evaluating management representations and assessing the plausibility of management explanations for unusual transactions. |
| Unpredictability | ISA 240.30(c) requires an element of unpredictability. Limited application guidance on what qualifies. | More specific requirements with additional guidance. Explicit expectation that unpredictability goes beyond varying sample sizes and includes changes to the nature and timing of procedures. |
| Management override | ISA 240.32 requires testing journal entries and reviewing estimates for bias, plus evaluating the business rationale for unusual transactions. | Same core requirements retained. Expanded application guidance on identifying high-risk journal entries and evaluating estimates for indicators of management bias. |
| Communication | ISA 240.40-42 requires communication of fraud to management and governance. Regulatory reporting where law requires it. | Broader requirements. The auditor must communicate identified fraud risk factors (not just identified fraud) to those charged with governance. This is a new requirement. |
| Documentation | ISA 240.47 requires documentation of the fraud risk assessment and the procedures performed in response. | New documentation requirements reflecting the separated identification and assessment steps. The file must show both the fraud risk factors identified and how those factors were translated into assessed risks. |
Key Points
- ISA 240 (Revised 2024) separates fraud risk factor identification from the risk assessment, requiring each step to be documented independently.
- The revised standard adds explicit scepticism requirements that go beyond the general requirement in ISA 200.
- Firms have until December 2026 to implement, but early adoption of the documentation approach reduces transition risk.
- Fraud risk factors must now be communicated to governance (not just identified fraud).
When the distinction matters on an engagement
Most implementation effort will concentrate on the separated identification step. Under the current standard, many engagement teams combine fraud risk factor identification with the risk assessment into a single working paper section. ISA 240 (Revised 2024) does not allow this.
Instead, the auditor must first identify the fraud risk factors present on the engagement (client characteristics, industry conditions, management behaviour, incentive structures) and document those factors. Only then does the auditor assess whether those factors give rise to risks of material misstatement due to fraud at the assertion level.
In our experience, this means two documented steps where teams currently produce one. Firms that update their templates before the December 2026 effective date can run both approaches in parallel during the transition period. Firms that wait will need to restructure their fraud risk documentation across all active engagements at once.
Worked example: Müller Bau AG
Client: Austrian construction company, FY2026, revenue €195M, IFRS reporter. The engagement period begins 1 January 2027, so ISA 240 (Revised 2024) applies.
Under the current ISA 240 (for comparison)
A typical fraud risk working paper under the current standard would read: "Revenue recognition: presumed fraud risk per ISA 240.27. The entity operates in a competitive construction market with percentage-of-completion revenue recognition. Risk assessed as significant."
Documentation note (current standard): "Fraud risk assessment: revenue recognition assessed as a risk of material misstatement due to fraud. ISA 240.27 presumption not rebutted. Procedures designed per ISA 240.31."
Under ISA 240 (Revised 2024)
Under the revised standard, the team must produce two distinct documented steps.
Step 1: Identification of fraud risk factors
Documentation note: "Fraud risk factors identified per ISA 240 (Revised 2024): (1) Percentage-of-completion method requires management estimates of costs to complete, which are inherently subjective and susceptible to bias. (2) Three fixed-price contracts exceeding €15M each, where cost overruns in Q3 2027 create incentive to defer cost recognition to protect reported margins. (3) CFO compensation includes a margin-based bonus with a €2.1M threshold. (4) Two project managers left during the period and were replaced with less experienced staff, reducing the reliability of cost-to-complete estimates at the project level."
Step 2: Assessment of risks of material misstatement due to fraud
Documentation note: "Based on the fraud risk factors identified above: revenue recognition on the three fixed-price contracts exceeding €15M is assessed as a risk of material misstatement due to fraud at the assertion level (accuracy, cut-off). The ISA 240.27 presumption applies. The margin-based compensation structure combined with the cost overrun pattern creates a specific fraud risk that costs to complete on these contracts may be understated to protect reported margins. Procedures: test cost-to-complete estimates by obtaining independent quantity surveyor reports, compare Q4 cost accruals to post-year-end actual costs, inspect subcontractor invoices for the two largest contracts, test journal entries affecting project margins in the final month of the period."
Under the current standard, a single paragraph covering both identification and assessment would have been compliant. Under the revised standard, the two steps must be distinct and sequenced. If the team produced the same combined working paper it uses today, the documentation would not comply even if the procedures themselves were sufficient. We've seen teams try to split an existing combined section into two headings and call it done, but that is not what the standard requires. Ticking and bashing the old template into a new shape will not work here; the identification step needs its own evidence trail.
What reviewers get wrong
Under the current ISA 240, inspection reports consistently flag the same problem: engagement teams document the ISA 240.27 presumption on revenue recognition but never go beyond it. No entity-specific fraud risk factors, no entity-specific responses. It is frustrating how often what should be a genuine risk conversation turns into SALY with better narratives. The revised standard's separated identification step directly targets this finding.
Communication of fraud risk factors to those charged with governance is a new requirement that does not exist in the current standard. Teams accustomed to communicating only identified fraud (ISA 240.40) will need to expand their governance communications to include fraud risk factors identified during the engagement, regardless of whether those factors resulted in an assessed fraud risk.
Key standard references
- ISA 240 (Revised 2024): Effective for audits of financial statements for periods beginning on or after 15 December 2026.
- ISA 240.25 (current): Embeds fraud risk factor identification within the broader risk assessment.
- ISA 240.27: Presumption of fraud risk in revenue recognition, retained in the revised standard.
- ISA 240.32: Management override testing requirements, retained with expanded guidance.
Frequently asked questions
When does ISA 240 (Revised 2024) become effective?
ISA 240 (Revised 2024) is effective for audits of financial statements for periods beginning on or after 15 December 2026. Early adoption of the documentation approach is permitted and reduces transition risk.
What is the biggest practical change in the revised standard?
The separation of fraud risk factor identification from the risk assessment. Under the current standard, many teams combine both into a single working paper section. The revised standard requires two distinct, documented steps: first identify the fraud risk factors present, then assess whether those factors give rise to risks of material misstatement due to fraud.