Revisions to two audit standards come into effect for reporting periods beginning on or after 15 December 2026. Here’s what you need to know about the changes and the new responsibilities for auditors, plus the areas experts are flagging as possible areas of concern and emerging risk.

ISA 240: responsibilities relating to fraud

Reporting periods beginning on or after 15 December 2026 in Australia and New Zealand are to adopt the ISA 240 (Revised), The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements.

“At a high level, the new standard will require more robust work by auditors in the area of fraud and also require auditors to reveal more about the audit process through the audit report,” says Greg Schollum, a member of the International Auditing and Assurance Standards Board (IAASB), who helped develop the new standard.

Importantly, fraud encompasses both the misappropriation of assets and fraudulent financial reporting.

Schollum, a former deputy controller and auditor-general for the Office of the Auditor-General, New Zealand, says the new standard isn’t changing the fundamental premise of what an auditor is – a watchdog, not a bloodhound – and the objectives of the auditor still include the need to identify and assess risks of material misstatement in financial statements due to fraud and then respond appropriately to those risks.

“The standard is asking auditors to think more about the risks of fraud and then to respond appropriately to those risks,” he says. “It’s likely to mean more work in many cases, with auditors generally expected to be more sceptical about the risks of fraud.”

No change to auditor responsibilities

The new standard clarifies, but doesn’t change, the auditor’s responsibilities in relation to fraud, as well as those of management. The primary responsibility for the prevention and detection of fraud remains with management and those charged with governance.

However, there is a step up in the requirement for the auditor to engage with management about fraud-related matters throughout the audit, in recognition that fraud can be perpetrated by management and those charged with governance.

The new standard also retains the requirement to include any key audit matters related to fraud in the key audit matters section of the auditor’s report, with a new requirement that the subheading clearly describes that the matter relates to fraud. This is a welcome change to the original proposal to introduce a specific subset of key audit matters for matters related to fraud.

The latter measure wasn’t supported by CA ANZ.

“We do not support the proposal due to several concerns, including the risk it will further increase the expectation gap. In our view this should be an ecosystem approach, in particular, a corresponding responsibility for directors to report on their actions when it comes to fraud,” CA ANZ said last year in a summary of its submission to the IAASB with the Association of Chartered Certified Accountants.

Greater clarity welcomed

David Rodgers FCA, managing partner, Audit and Assurance, at Deloitte Australia, says the firm supports any measure that drives improvements in the prevention and detection of fraud. He acknowledges the important role auditors play in this but says they are only part of the ecosystem that also includes management, boards, regulators and legislators.

“We think it’s positive around the need for greater clarity on what we report to management and the boards,” he says.

Rodgers expects the clarifications to help narrow the expectation gap in the public mind about the role of the auditor. “Good disclosure and good communication should always narrow and reduce the opportunity for miscommunication or misunderstanding,” he says.

And he welcomes the clarification of what auditors should do if they have a suspicion of fraud.

“What we always do if we have a suspicion, is follow it through and we design procedures, interview, corroborate using different data, redesign our testing to follow through whether that suspicion is real or not,” he explains.

Rodgers says Deloitte will implement the changes in the same way it approaches any change to the audit standard, starting with educating staff from the most senior to the most junior. It adjusts its procedures on how it executes audits, so the framing is there to do the right work and ask the right questions.

“Whenever there’s a change, we consider our monitoring stance so we can test and challenge that the changes we’ve put in have stuck, and then we just continue to iterate and adjust to enhance what we do under a culture of continuous improvement,” he says.

Managing investor expectations

As chief executive of the New Zealand Shareholders’ Association, Oliver Mander represents a set of users of financial statements.

“We are in favour of anything that provides clarity in terms of what investors should be able to expect from how an audit is undertaken, or the scope of what that audit covers,” says Mander.

“None of the changes are focused, nor should they be focused, on taking away the core responsibility that directors have to properly assess the risks in their organisation and make sure those risks can be mitigated.”

More broadly, Mander says some investors have a poor understanding of the role of the auditor and there is a need for greater education.

ISA 570: going concern

Changes to the International Standard on Auditing (ISA) 570, Going Concern, strengthen the auditor’s evaluation of management’s assessment of the entity’s ability to continue as a going concern, as well as enhance communication through the audit report on matters related to going concern.

The revised standard, issued in April 2025, applies to audits of financial statements for periods beginning on or after 15 December 2026.

The IAASB’s Schollum says going concern is the biggest judgement call that the preparer and the auditor will each make in relation to a set of financial statements.

“Even though the auditor may have done absolutely nothing wrong, when an entity collapses and there’s a clean audit report with no reference to going concern, questions are asked,” he says.

Bill Edge FCA, also a member of the IAASB and former chair of the Auditing and Assurance Standards Board (AUASB) from 2021 to 2023, states that while the first responsibility for ensuring the entity is a going concern lies with management, “People tend to look to the auditor when something goes wrong.”

A call for professional scepticism

Under the revised ISA 570, the auditor is required in all cases to report on management’s assessment of going concern. Even where it appears straightforward and the entity is clearly a going concern, the auditor needs to do the evaluation and document their thinking and judgements.

The standard has been changed in order to establish the expectation that the auditor will interrogate management’s assessment. Rather than just checking that management has done the assessment and moving on, the auditor is required to challenge management’s key judgements, assumptions and data used in the assessment.

“It involves a challenging mindset and the application of professional scepticism – kicking the tyres to not just accept what management provides, but to really challenge it,” says Schollum.

And knowing that the auditor is more likely to challenge them should prompt management to make their assessments of going concern more robust.

Going concern statements

Auditors will be required to make three explicit statements about going concern in the auditor’s report:

1. Comment on the appropriateness of the going concern basis of accounting.

2. State whether or not there is material uncertainty related to going concern.

3. Reinforce that whatever the auditor is saying in the auditor’s report is not a guarantee as to the entity’s ability to continue as a going concern. It's based on evidence gathered up to the point of the auditor’s report being signed.

The statements represent a shift in reporting by the auditor, that instead of reporting on going concern by exception, the auditor will be required to make these explicit statements about going concern matters in the auditor’s report.

New risks to manage

Nicola Hankinson FCA, national technical director at Baker Tilly Staples Rodway in New Zealand, is concerned that rather than reducing the expectation gap, the new standard might increase it because it will require auditors to specifically refer to going concern in the audit report.

“People reading that report might conclude that the auditor has done enough work to say ‘Yep, this entity is going to continue to exist as a going concern into the future’,” she says.

Hankinson says before the international going concern auditing standard was updated, the relevant international accounting standard should have been updated to require the preparers of accounts to include details of what they’ve taken into account in making their decision on going concern.

She says the revised standard means audit firms will have to carefully manage the additional risks created by requiring auditors to include more detail in their audit reports.

Minimum timeframes and close calls

The revised standard also requires auditors to evaluate management’s assessment of going concern covering a period of at least 12 months from the date of approval of the financial statements, rather than from the date of the financial statements. In Australia and New Zealand the period is already longer – it must be at least 12 months from the date of the auditor’s report. But Hankinson says management sometimes provides assessments for shorter periods, requiring the auditor to ask management to extend their assessment or to consider the impact on the auditor’s report if this is not provided. The updates to the standard won’t change this.

Also, the standard requires additional disclosure for audits of listed entities where there is a significant judgement made by management and the auditor had to evaluate that there was no material uncertainty related to going concern (often referred to as a ‘close call’).

Adds Edge: “We think it’s going to be a positive move to increase the transparency about close call situations for audits of listed entities.”

Take away

The CA Library offers a wealth of resources including these two ebooks: The A3 Framework: Staying Ahead of the Curve by Combining Agile, AI, and Audit by Lynn Wolf-Hill, and Radical Reporting: Writing Better Audit, Risk, Compliance, and Information Security Reports by Sara I James.

Useful links

Australia: APES 110 Code of Ethics for Professional Accountants (including Independence Standards)

Australia: ASA 600 Special Considerations – Audits of a Group Financial Report (Including the Work of Component Auditors)

New Zealand: PES 1 International Code of Ethics for Assurance Practitioners (including International Independence Standards) (New Zealand)

New Zealand: ISA (NZ) 600 (Revised) Special Considerations – Audits of Group Financial Statements (Including the Work of Component Auditors)