ISA 240 (Revised) deals with the auditor’s responsibilities relating to fraud in an audit of financial statements.
At a Glance
- Addresses both fraudulent financial reporting and asset misappropriation
- Mandates a persistent “fraud lens” throughout the entire audit
- Strengthens professional skepticism requirements
- Introduces Key Audit Matter (KAM) reporting on fraud for listed entities
- Aligns with ISA 570 (Revised 2024) on Going Concern
- Scalable guidance for small and mid-sized practices (SMPs)
What Is ISA 240?
International Standard on Auditing (ISA) 240, formally titled “The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements”, is the principal global standard governing how independent auditors must plan, conduct, and report on fraud risk during a financial statement audit. Issued by the International Auditing and Assurance Standards Board (IAASB), it forms a cornerstone of the broader suite of International Standards on Auditing.
At its core, ISA 240 recognizes that financial statement fraud is a deliberate act, not a mere accounting error, and demands that auditors adopt a fundamentally skeptical, proactive, and risk-responsive approach to detecting material misstatements arising from fraudulent conduct.
Fraud is defined as an intentional act by one or more individuals among management, those charged with governance, employees, or third parties, involving the use of deception to obtain an unjust or illegal advantage.
The standard draws a critical distinction between fraud and error. The determining factor is intent: fraud involves deliberate deception, whereas error is unintentional. This distinction underpins the entire audit approach, because concealment makes fraud inherently harder to detect than error, even with a well-designed and properly executed audit.
Issuing Body
The IAASB, part of the International Federation of Accountants (IFAC), responsible for global audit and assurance standards.
Historical Origin
First issued in 2001; substantially revised in 2004 to align with the US SAS 99 and the audit risk model; re-revised in 2025.
Global Reach
Adopted across 130+ jurisdictions worldwide, making it the most widely applied fraud-related audit standard globally.
Scope, Purpose & Objectives
ISA 240 applies to audits of financial statements of all entities, regardless of their size, sector, complexity, or legal form. From a sole-trader audit to a multinational public interest entity, the standard’s foundational requirements bind every auditor operating under ISAs.
Primary Objective
The auditor’s objective under ISA 240 is to identify and assess the risks of material misstatement of the financial statements due to fraud, obtain sufficient appropriate audit evidence regarding such risks, and respond appropriately to identified or suspected fraud.
- Identify and assess the risks of material misstatement due to fraud at the financial statement and assertion levels
- Design and implement audit procedures that respond appropriately to assessed fraud risks
- Respond appropriately when fraud is identified or reasonably suspected during the audit
- Communicate matters related to fraud to management, those charged with governance and, where required, regulators
- Document all fraud-related risk assessments, procedures, and findings in sufficient detail
Key limitation to understand: ISA 240 explicitly acknowledges that even a properly planned and executed audit may not detect every instance of fraud. The inherent limitations of an audit, including sophisticated concealment, mean that a “clean” audit opinion does not guarantee the complete absence of fraud. However, the revised standard makes clear that these inherent limitations do not diminish the auditor’s responsibilities under ISA 240.
Who Bears Primary Responsibility?
ISA 240 is unequivocal: the primary responsibility for the prevention and detection of fraud rests with management and those charged with governance (TCWG). Management is responsible for establishing robust internal controls; the board or audit committee is responsible for oversight. The auditor’s role is to provide reasonable, not absolute, assurance that the financial statements are free from material misstatement, whether due to fraud or error.
The Two Types of Fraud in ISA 240
ISA 240 focuses on two specific categories of fraud that directly give rise to material misstatements in financial statements. Understanding both is essential for auditors designing an effective audit response.
| Dimension | Fraudulent Financial Reporting | Misappropriation of Assets |
|---|---|---|
| Definition | Intentional misstatements or omissions in financial statements to deceive users | Theft or misuse of entity assets by employees or management |
| Common Methods | Manipulating accounting estimates, falsifying journal entries, omitting disclosures, revenue inflation | Embezzlement, theft of cash/inventory, fictitious vendors, payroll fraud |
| Typical Perpetrator | Senior management or executives | Employees with access to assets; sometimes management |
| Scale | Usually material by nature | Often smaller amounts, but can aggregate to materiality |
| Qualitative Materiality | Always considered qualitatively material if perpetrated by senior management | Qualitative factors assessed; even small amounts may be material if systemic |
| Key Risk Area | Revenue recognition (always a presumed risk) | Access controls over cash, inventory, payroll, and procurement |
ISA 240 (Revised) also extends the auditor’s consideration to third-party fraud, including fraud committed against the entity by customers, suppliers, related parties, or service providers, where such fraud could give rise to a material misstatement in the financial statements.
The Fraud Triangle & Risk Factors
ISA 240 structures its fraud risk factor analysis around the internationally recognized Fraud Triangle model. This framework holds that three conditions are generally present whenever fraud occurs. Auditors are required to evaluate the presence of these conditions at every engagement.
The Three Conditions of the Fraud Triangle
ISA 240 Appendix 1 classifies all fraud risk factors according to these three elements.
Incentive / Pressure
A reason or motivation to commit fraud, such as financial distress, bonus targets, analyst expectations, or personal debt.
Opportunity
A perceived weakness in controls, oversight, or governance that enables fraud to occur and go undetected, such as poor segregation of duties.
Rationalization / Attitude
The individual’s ability to justify the fraudulent act, such as believing they are owed compensation, or that the act is temporary.
Examples of Fraud Risk Factors
ISA 240 Appendix 1 provides an extensive, illustrative (not exhaustive) list of fraud risk factors, grouped by fraud type and triangle element. Auditors must exercise professional judgment in evaluating these factors for each specific engagement context.
| Category | Fraudulent Financial Reporting | Misappropriation of Assets |
|---|---|---|
| Incentive / Pressure | Earnings management pressure; debt covenants near breach; declining financial performance | Employee personal financial pressures; excessive gambling debts; lifestyle changes |
| Opportunity | Complex transactions; significant estimates; weak internal controls; single dominant executive | Large cash holdings; inadequate access controls; lack of segregation of duties |
| Attitude / Rationalization | Management sets aggressive targets and communicates that “results must be met” | Disregard for control monitoring; belief that theft will go unnoticed or is trivial |
The Auditor’s Responsibilities Under ISA 240
ISA 240 sets out a structured, sequential set of obligations that flow through the audit from planning to completion. These responsibilities represent the minimum standard of care expected of every auditor operating under ISAs.
1. Maintain Professional Skepticism
The auditor must maintain an attitude of professional skepticism throughout the audit, recognizing that material misstatement due to fraud is always a possibility, regardless of prior experience with or trust in management.
2. Engage in Team Discussion
Engagement team members must discuss, at the planning stage, the susceptibility of the entity’s financial statements to material misstatement due to fraud, including the risk of management override of controls.
3. Perform Risk Assessment Inquiries
The auditor must inquire of management (and TCWG) about their knowledge of actual, suspected, or alleged fraud; their assessments of fraud risk; and the programs and controls in place to address fraud.
4. Identify & Assess Fraud Risks
Identify risks of material misstatement due to fraud at both the financial statement level and the assertion level, considering fraud risk factors and the entity’s internal control environment.
5. Presume Revenue Recognition Risk
ISA 240 establishes a rebuttable presumption that improper revenue recognition is always a fraud risk. If this presumption is rebutted, the reasoning must be documented.
6. Address Management Override of Controls
Regardless of assessed risk level, the auditor must always perform specific procedures to address the risk of management override, including testing journal entries, reviewing accounting estimates for bias, and evaluating significant unusual transactions.
7. Evaluate Audit Evidence
If conditions indicate that fraud may have occurred, the auditor must evaluate the implications, including whether material misstatement may exist that has not yet been detected.
8. Communicate and Report
Communicate identified or suspected fraud to appropriate levels of management and TCWG and, where applicable, to regulators and other external parties in accordance with legal and professional obligations.
Fraud Risk Assessment in Practice
ISA 240 closely aligns with ISA 315 (Revised 2019), requiring the auditor to embed a “fraud lens” into the broader risk identification and assessment process. Risk assessment for fraud is not a standalone checklist exercise; it is an ongoing, dynamic process that runs throughout the engagement.
Sources of Information for Fraud Risk Assessment
- Inquiries of management regarding fraud risk and control programs (including whistleblower mechanisms)
- Inquiries of internal audit, in-house legal counsel, and others with relevant knowledge
- Analytical procedures applied to financial and non-financial information to identify unexpected relationships
- Observation and inspection of operations, facilities, and key documents
- Information obtained from other sources, including prior-year workpapers and engagement team knowledge
- Understanding of the entity’s internal control system, specifically controls relevant to fraud prevention and detection
The Presumed Fraud Risk: Revenue Recognition
One of ISA 240’s most significant requirements is the rebuttable presumption that revenue recognition gives rise to a risk of material misstatement due to fraud. This reflects the reality that revenue manipulation is among the most common forms of financial statement fraud. Auditors who rebut this presumption must document their specific reasoning clearly.
ISA 240 & Management Override: Even when an entity has strong internal controls, management, by virtue of their authority, can override those controls. ISA 240 therefore requires auditors to always test journal entries and accounting estimates for bias, and investigate any significant unusual transactions, regardless of the overall fraud risk assessment.
Scalability for Smaller Entities
ISA 240 (Revised) introduces explicit scalability guidance. For small and medium practices (SMPs) and smaller entities, the standard acknowledges that some requirements may need adapted application. For instance, in smaller entities, management domination may itself represent both a risk factor and a control, requiring nuanced judgment rather than a formulaic response.
Professional Skepticism: The Backbone of ISA 240
Professional skepticism is not merely a procedural requirement under ISA 240 (Revised); it is the foundational mindset underpinning the entire audit approach to fraud. The revised standard significantly strengthens this emphasis, making it the central thread running through every stage of the engagement.
Critical Evaluation
Auditors must critically assess all audit evidence, not passively accept it. This includes scrutinizing management explanations for inconsistencies and challenging unsupported assumptions.
Alert Throughout
Skepticism must be sustained throughout the engagement, not just during planning. New fraud risk factors identified at any stage require reassessment and updated responses.
No Safe Harbor
ISA 240 (Revised) removed the allowance to “accept records as genuine unless reason to believe otherwise,” signaling that a more critical and interrogative mindset is always required.
Technology-Enabled
Auditors are now expected to leverage data analytics and audit technology to expand their fraud detection capabilities, for example by testing 100% of journal entries rather than a sample.
Why this matters: Research consistently shows that a significant number of fraud cases are detected not through formal audit procedures, but through tips, accidental discovery, or management review. Professional skepticism is the auditor’s primary tool for ensuring that formal audit procedures are rigorous enough to detect what routine inspection might miss.
ISA 240 (Revised): Key Changes in the 2025 Edition
Following extensive global consultation, including a Discussion Paper in 2020, an Exposure Draft in February 2024, and engagement with regulators, investors, and audit practitioners worldwide, the IAASB approved and issued ISA 240 (Revised) in 2025. The revision represents the most substantive overhaul of the standard since 2004.
Seven Key Enhancement Areas
1. Clearer Responsibility Framework
Auditor responsibilities are now presented first in the standard, ahead of management’s role, and are clearly separated from inherent limitations, removing historical ambiguity about what auditors are actually required to do.
2. Strengthened Skepticism Requirements
The “accept unless reason to doubt” clause has been removed. Auditors must now maintain active, evidence-based skepticism: challenging management explanations, using data analytics, and remaining perpetually alert.
3. Enhanced Risk Identification
Stronger alignment with ISA 315 (Revised); mandatory understanding of the entity’s whistleblower program; expanded guidance on fraud risk factors for fraudulent financial reporting and misappropriation.
4. Improved Transparency & Reporting
For listed and public interest entities: new requirements to communicate significant fraud-related matters as Key Audit Matters (KAMs) in the auditor’s report, enhancing public transparency.
5. ISA 570 Alignment
Explicit linkage with ISA 570 (Revised 2024) on Going Concern, recognizing that financial distress and fraud are frequently interrelated risks that must be addressed in a coordinated manner.
6. Scalability for SMPs
New illustrative examples and documentation guidance support smaller audit practices in applying the standard proportionately without compromising rigor or the public interest objective.
7. Materiality Clarity
Clearer guidance on qualitative materiality: even quantitatively small fraud by senior management is ordinarily considered qualitatively material, reflecting the gravity of intentional deception.
Communication & Reporting Requirements
ISA 240 establishes a clear hierarchy of communication obligations when fraud is identified or suspected. These requirements operate at multiple levels: internal to the engagement, to the client, and (where mandated) externally to regulators.
| Audience | When Required | Nature of Communication |
|---|---|---|
| Engagement Partner | Immediately upon identification of suspected fraud | Timely escalation within the audit team |
| Management (appropriate level) | When fraud involves employees below management level | Factual communication without prejudging outcomes |
| Those Charged with Governance | When fraud involves management or significant employee fraud | Direct, clear reporting (bypassing management if necessary) |
| Regulators / External Authorities | When legally or professionally required (e.g., NOCLAR reporting) | As mandated by applicable laws and IESBA NOCLAR guidance |
| Successor Auditor | On change of auditor (subject to confidentiality rules) | Responding to inquiries about reasons for change |
Key Audit Matters (KAMs) & Fraud
Under ISA 240 (Revised), for audits of publicly traded entities, the standard introduces enhanced requirements linked to ISA 701. Where fraud-related matters are identified that are significant to the audit, these must be considered for inclusion as Key Audit Matters in the audit report, providing investors and other stakeholders with greater transparency about the auditor’s work on fraud detection.
Documentation Requirements
ISA 240 imposes robust documentation requirements to create an auditable record of the auditor’s fraud-related work. These requirements serve both quality control purposes and regulatory accountability.
- Document team discussions regarding fraud risk susceptibility, including the significant decisions reached
- Record all identified and assessed risks of material misstatement due to fraud at both the financial statement and assertion levels
- Document audit procedures responsive to assessed fraud risks, including the rationale for any rebuttal of the revenue recognition presumption
- Record communications about fraud to management, TCWG, regulators, and other relevant parties
- If fraud or suspected fraud is identified, document how the matter was addressed, including the nature of the fraud, the amounts involved, and the disposition
- Document the nature and timing of journal entry testing, and the results thereof
Documentation and the “Clearly Inconsequential” Threshold: ISA 240 (Revised) introduces a “clearly inconsequential” threshold to assist with proportionality in documentation. Auditors are not required to document matters that are clearly inconsequential, allowing documentation effort to be scaled appropriately to the engagement while still providing a comprehensive picture of fraud-related work.

(Qualified) Chartered Accountant – ICAP
Master of Commerce – HEC, Pakistan
Bachelor of Accounting (Honours) – AeU, Malaysia