How to Audit Related Party Transactions Under ISA 550

The client’s largest sale of the year went to an entity registered in Luxembourg. Same ultimate beneficial owner. Nobody flagged it. The engagement team tested the transaction as part of the regular revenue sample, ticked it off, and moved on. Six months later, the regulator pulled the file. The transaction was €2.8M above market price, the margin on it propped up the full-year result, and the related party disclosure was missing from the notes entirely. ISA 550 existed to prevent exactly this.

To audit related party transactions under ISA 550, the auditor must identify related parties and related party transactions (including those not disclosed by management), evaluate whether those transactions have been appropriately accounted for and disclosed under the applicable financial reporting framework, and obtain sufficient appropriate evidence about the assessed risks of material misstatement associated with related party relationships (ISA 550.3–4).

Why related parties are a fraud risk indicator under ISA 240

Related party transactions sit at the intersection of ISA 550 and ISA 240. The reason is simple: a transaction between parties that can influence each other’s decisions doesn’t carry the natural check of opposing economic interests. A sale to an independent customer gets negotiated on price. A sale to a company owned by your client’s director gets negotiated on whatever the director wants it to be negotiated on.

ISA 240.A29 specifically identifies related party transactions outside the normal course of business as a fraud risk factor. ISA 550.18 reinforces this by requiring the engagement team to evaluate whether any previously unidentified related party relationships or transactions suggest fraud risks that ISA 240 requires a response to. In practice, this means two things. First, related party transactions that are unusual in nature or terms should trigger a reassessment of your fraud risk. Second, the discovery of undisclosed related parties late in the audit is itself a fraud indicator, not just a disclosure gap.

For non-Big 4 engagements, the risk concentrates in owner-managed businesses where the director controls multiple entities. A Dutch B.V. with a director who also owns a property company, a management consultancy, and a holding structure in another jurisdiction is a standard client profile at mid-tier firms. The transactions between these entities (management fees, property leases, intercompany loans, asset transfers) represent a large proportion of the related party audit work you’ll encounter.

What ISA 550 actually requires you to do

ISA 550 splits the related party audit into four distinct requirements, and each one needs its own procedure.

ISA 550.11 requires the engagement team to discuss the susceptibility of the financial statements to material misstatement due to related party relationships during the team discussion required by ISA 315. This isn’t a formality. The team discussion is where someone should raise the fact that the client’s director also owns the building the company leases, or that the client’s biggest supplier shares a registered address with the client.

ISA 550.13 requires the auditor to obtain from management the identity of related parties, the nature of the relationships, and whether any transactions occurred during the period. ISA 550.14 then adds a second, harder requirement: the auditor must also perform procedures to identify related parties and transactions that management has not disclosed. Relying solely on management’s list is insufficient. The standard is explicit about this.

ISA 550.20–24 governs what you do once you’ve identified related party transactions. You evaluate whether they’ve been properly accounted for and disclosed. For transactions outside the normal course of business, ISA 550.23 requires you to inspect the underlying agreements, evaluate the business rationale (or lack of it), and determine whether the terms are consistent with management’s explanations. ISA 550.A41 notes that a business rationale that doesn’t make economic sense may indicate the transaction was structured to achieve fraudulent financial reporting.

ISA 550.25–27 addresses disclosures. You evaluate whether the related party relationships and transactions have been properly identified and disclosed in accordance with the applicable framework. Under IAS 24, this means testing completeness and accuracy of the disclosures against your own list of identified related parties, not just against management’s list.

How to identify related parties the client didn’t tell you about

Management’s list is your starting point but never your finish line. ISA 550.14–17 requires independent identification procedures. Here are the ones that work on mid-tier engagements.

Chamber of Commerce and registry searches

In the Netherlands, the KVK (Kamer van Koophandel) register shows directors and shareholders for every B.V. and N.V., along with their registered addresses. Search the names of all directors and shareholders with significant influence. Cross-reference their registered addresses. Two entities sharing a registered address at a trust office in Amsterdam doesn’t confirm a related party, but it warrants investigation. For entities registered outside the Netherlands, use the equivalent registry (Companies House in the UK, Handelsregister in Germany, Crossroads Bank for Enterprises in Belgium).

Journal entry analysis for undisclosed transactions

ISA 240.32 requires testing journal entries as part of the fraud risk response. Use that procedure to also scan for related party indicators. Filter the journal population for entries to counterparties not on the approved supplier or customer list, entries to entities with similar names to the client or its directors, round-sum payments, and entries with no supporting description. An unexplained €50,000 payment to a company with the same director as your client is both a journal entry anomaly under ISA 240 and an undisclosed related party transaction under ISA 550.

Group structure and UBO analysis

Obtain the client’s group structure chart. For every entity in the group, identify the ultimate beneficial owner (UBO). Under the Dutch Wwft (Wet ter voorkoming van witwassen en financieren van terrorisme), every Dutch entity must register its UBO. Cross-reference UBOs across all entities you’re aware of. If the UBO of the client’s key supplier is the same natural person as the UBO of the client, that’s a related party regardless of what management’s list says.

Minutes and legal correspondence

ISA 550.14(c) requires you to read minutes of meetings of those charged with governance. Board minutes frequently reference transactions with entities connected to directors (approval of lease agreements, loan arrangements, management service contracts) that haven’t made it onto management’s related party list. Legal correspondence can reveal litigation or disputes between group entities that indicate relationships management hasn’t disclosed.

Prior year files

Check the prior year related party working paper. Related parties from the prior year that don’t appear on management’s current list require investigation. Did the relationship end, or did management simply omit it?

Evaluating whether the transaction was at arm’s length

When the client asserts that a related party transaction was conducted on arm’s length terms (or when the disclosure framework requires you to evaluate this), ISA 550.A34–A36 provides guidance. But “arm’s length” is one of the hardest assertions in auditing to test because you’re comparing the actual transaction to a hypothetical one that didn’t happen.

Property leases

For property leases between related parties, obtain comparable market rents from independent sources. In the Netherlands, property valuers (taxateurs) registered with the NRVT can provide rental comparisons for commercial property. If the client leases office space from the director’s property company at €180 per square metre and comparable space in the same area rents for €140–155 per square metre, you have a measurable above-market transaction that affects both the expense in the income statement and the disclosure in the notes.

Management fees

For management fees charged by a holding company to operating subsidiaries, the test is whether the fee reflects a genuine service at a justifiable rate. Request a breakdown of the management fee: what services does the holding company provide, how many hours, at what rates? If the holding company employs one person and charges €400,000 in annual management fees to four subsidiaries, the arithmetic matters. Compare the effective hourly rate to market rates for equivalent services. If the holding company charges €250 per hour for administrative services that an external provider would charge €80–120 per hour for, that spread needs to appear in your working paper.

Intercompany loans

For intercompany loans, compare the interest rate to what the borrowing entity could obtain from an independent lender. Under Dutch GAAP (RJ 330) and under IAS 24, the terms of the loan (interest rate, repayment schedule, security) need disclosure. If a director’s holding company lends €1.5M to the operating company at 1% when the company’s bank facility charges 5.2%, the below-market rate has accounting implications (potentially a capital contribution or distribution) and requires disclosure.

How to structure the related party working paper

ISA 550.28 requires specific documentation. The working paper needs to contain the names of identified related parties and the nature of each relationship, the results of procedures performed to identify previously undisclosed related parties, and the nature and evaluation of significant transactions outside the normal course of business.

A practical format that passes review: start with a complete related party register. List every identified related party (from management’s list and from your independent procedures), the nature of the relationship, the source of identification (management representation, KVK search, prior year file, minutes review), and the date of identification. This register is the backbone of the working paper. Every subsequent section references it.

Below the register, include a transaction summary. For each related party with transactions during the period, list the transaction type, the amount, the terms, and whether the transaction is in the normal course of business or outside it. Cross-reference each transaction to the GL extract filed as supporting evidence.

For transactions outside the normal course of business, you need a separate evaluation for each one. ISA 550.23 requires you to document the business rationale, the terms, and whether the terms are consistent with management’s explanations. Structure this as a per-transaction memo: state the transaction, state management’s explanation, state the evidence you obtained, and state your conclusion. Don’t combine multiple transactions into a single assessment.

End the working paper with a disclosure reconciliation. Compare your identified related party list to the disclosures in the draft financial statements. Any entity on your list that doesn’t appear in the disclosures is a potential misstatement. Any transaction that isn’t disclosed at the correct amount or with the correct terms is a potential misstatement. File the reconciliation as a schedule and cross-reference each line to the financial statement note.

One point that gets missed: ISA 550.27 requires the auditor to evaluate whether identified related party relationships and transactions have been appropriately accounted for, not just disclosed. If a management fee from a holding company is above market, the accounting question is whether the excess represents a distribution to the shareholder rather than a genuine expense. Under IAS 24.10, the substance of the transaction determines the accounting treatment, not its legal form. If the substance is a disguised distribution, it needs to be accounted for as one, regardless of how the invoice is labelled.

Worked example: De Vries Vastgoed B.V.

De Vries Vastgoed B.V. is a Dutch property management company. Revenue for 2024: €12M. The sole director, J. de Vries, also owns De Vries Holding B.V. (100% shareholder of the client), DVV Consultancy B.V. (a management consultancy billing the client), and two rental properties leased to the client. Management’s related party list names only De Vries Holding B.V.

1. Obtain and challenge management’s related party list

Management provided a list with one entity: De Vries Holding B.V. This is incomplete. A KVK search on J. de Vries returns four entities where he is registered as director or UBO. DVV Consultancy B.V. and the two property-holding entities are not on management’s list.

2. Identify all transactions with newly identified related parties

Request a general ledger extract for all transactions with DVV Consultancy B.V. and the two property entities. The extract reveals:

None of these transactions appeared in the prior year related party disclosure.

3. Evaluate the business rationale and terms

Management fee. DVV Consultancy B.V. has one employee (J. de Vries). The client already employs a financial controller and an office manager. The management fee of €180,000 for unspecified “strategic advisory” services from the sole director to his own company lacks a documented service agreement. At an assumed 1,400 billable hours per year, the implied rate is approximately €129 per hour for services the client’s own staff partially duplicate. Comparable market rates for part-time CFO or strategic advisory in the Netherlands range from €100–150 per hour, but the absence of a service level agreement and time records means the actual service delivered cannot be verified.

Rent. Obtain a rental comparison from an NRVT-registered valuer or from publicly available rental data for the same postcode area. De Vries Onroerend Goed I B.V. charges €200 per square metre for 480 sqm of office space. Comparable office space in the same area: €150–170 per square metre. The premium is approximately €14,400–24,000 per year above market.

4. Evaluate disclosure completeness

Under IAS 24.18, the financial statements must disclose the nature of the related party relationship, the amount of transactions, outstanding balances, and terms. None of the four related party entities had any disclosure in the prior year or the current draft financial statements. Prepare a proposed adjustment to the disclosures covering all four entities, the nature of each relationship, transaction amounts, and terms.

Conclusion. The file now shows that management’s related party list was incomplete, that the engagement team independently identified four related parties (not one), that €420,000 of related party transactions were undisclosed, and that at least one transaction (the office lease) was above market. The reviewer sees the KVK search, the GL extract, the market comparison, and a proposed disclosure adjustment. The fraud risk under ISA 240 was reassessed based on the discovery of undisclosed relationships.

Your engagement checklist

1. During the ISA 315 team discussion, raise related party risks specifically. Document which related parties are known, what transactions are expected, and what fraud indicators the team should watch for (ISA 550.11).
2. Obtain management’s related party list at planning. Then run independent KVK or registry searches on every director and UBO, plus any shareholder with significant influence. Compare the results and document any discrepancies (ISA 550.13–14).
3. For every related party transaction outside the normal course of business, inspect the underlying agreement and evaluate whether the business rationale makes economic sense (ISA 550.23).
4. Test arm’s length assertions with external evidence: rental comparisons, market interest rates, comparable service rates. If you can’t obtain independent evidence, document the limitation (ISA 550.A34–A36).
5. Cross-reference your identified related party list to the financial statement disclosures under IAS 24. Every entity and every transaction needs to appear. File a reconciliation between your list and the disclosures.
6. If you identify previously undisclosed related parties during the audit, reassess fraud risk under ISA 240 and document the reassessment. The discovery itself is a risk indicator (ISA 550.18).

Common mistakes regulators flag

• The AFM has repeatedly found that audit teams relied exclusively on management’s related party list without performing independent identification procedures. ISA 550.14 is not optional. A KVK search takes ten minutes and can uncover entities that management chose not to disclose.
• The FRC’s Audit Quality Inspection Report identified that audit teams failed to evaluate the business rationale for related party transactions, instead accepting management’s assertion that the transaction was “in the normal course of business” without testing what that meant or obtaining evidence to support it (ISA 550.23).

Related Ciferi content

Related guides:

Put audit concepts into practice with these free tools:

Frequently asked questions