ISA 240: Auditor’s Responsibilities for Fraud in an Audit
This overview of ISA 240 explains the framework guiding an auditor's responsibility to consider and respond to the risks of fraud in a financial audit.
International Standard on Auditing (ISA) 240, The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements, provides a framework for auditors. In March 2025, a revised version, ISA 240 (Revised), was approved and becomes effective for audits of financial periods beginning on or after December 15, 2026.
While management holds the primary responsibility for preventing and detecting fraud, the auditor is responsible for obtaining reasonable assurance that financial statements are free from material misstatement, whether caused by fraud or error. The standard guides the auditor in identifying, assessing, and responding to the risks of such misstatements.
An auditor’s objective under ISA 240 is to understand what constitutes fraud in an audit context. The standard distinguishes fraud from error by the element of intent. Fraud is an intentional act by individuals involving deception to obtain an unjust or illegal advantage.
Two types of intentional misstatements are the focus for the auditor. The first is fraudulent financial reporting, which involves deliberate misstatements or omissions in financial statements to deceive users. The second is the misappropriation of assets, which involves stealing an entity’s assets, such as embezzling receipts or stealing physical property.
A central duty under ISA 240 is applying professional skepticism. This attitude includes a questioning mind and a critical assessment of audit evidence. Auditors must remain alert for contradictory evidence or information that questions the reliability of documents or management responses. Maintaining this mindset throughout the audit helps counter the tendency to overlook inconsistencies.
The process of identifying fraud risks begins with a mandatory discussion among the engagement team members. This discussion emphasizes the susceptibility of the entity’s financial statements to material misstatement due to fraud and allows for the sharing of insights among team members.
Auditors are required to make specific inquiries to gather information from management, those charged with governance, and sometimes others within the entity. Auditors ask management about their assessment of fraud risk and their response process. Inquiries of those charged with governance focus on their oversight and whether they know of any actual or suspected fraud.
Auditors also consider fraud risk factors, often conceptualized as the “fraud triangle.” This framework identifies three conditions present when fraud occurs: incentive or pressure, a perceived opportunity, and a rationalization for the action. For example, pressure to meet expectations provides an incentive, while weak internal controls present an opportunity.
The auditor must also evaluate whether unusual relationships identified during analytical procedures, particularly those related to revenue, may indicate risks of material misstatement. Revenue recognition is presumed to have a fraud risk because of the ways it can be manipulated. These procedures help identify and assess fraud risks at both the financial statement and assertion levels.
Once fraud risks are assessed, ISA 240 requires the auditor to determine appropriate responses at three levels.
The first level of response addresses risks at the financial statement level. These broad actions may include assigning more experienced personnel to the audit or increasing supervision. Another response is to incorporate unpredictability into audit procedures, making it harder for those committing fraud to anticipate the auditor’s actions.
The second level involves designing audit procedures that are responsive to assessed fraud risks at the assertion level. This means altering the nature, timing, and extent of audit procedures for specific accounts. For instance, if a risk of inflated inventory is identified, the auditor might observe inventory counts at multiple locations on an unannounced basis.
The third level of response addresses the risk of management override of controls. Because management can perpetrate fraud by overriding controls, ISA 240 mandates specific procedures. One required procedure is testing the appropriateness of journal entries and other adjustments made during financial statement preparation.
Another mandatory procedure is to review accounting estimates for biases. This involves reconsidering management’s judgments and assumptions from the prior year and assessing the reasonableness of current year estimates. The auditor must also evaluate the business rationale for significant unusual transactions to determine whether they were entered into to engage in fraudulent financial reporting.
After performing audit procedures, the auditor must evaluate the evidence obtained. This evaluation helps determine whether any misstatement identified is indicative of fraud. If a misstatement is found, the auditor must consider if it is an isolated incident or if it points to a broader issue.
If an auditor identifies fraud or obtains information indicating it may exist, they must communicate this promptly to the appropriate level of management. If the fraud involves senior management or those with significant internal control roles, the communication must be made directly to those charged with governance.
The standard also requires the auditor to determine if they have a responsibility to report the suspicion of fraud to a party outside the entity. These responsibilities can arise from legal and regulatory requirements that may override the auditor’s duty of confidentiality. For example, auditors may have a statutory duty to report fraud to a regulatory authority.
The auditor must also consider the implications of any identified fraud for the audit opinion. If the fraud results in a material misstatement that is not corrected, the auditor will issue a qualified or adverse opinion. If the auditor cannot obtain sufficient evidence, a qualified opinion or a disclaimer of opinion may be necessary.
ISA 240 requires thorough documentation of the auditor’s work related to fraud. The audit file must record: