Key takeaways
- ISA 200 is the foundational standard in the ISA framework. It defines the purpose of an audit and the objectives every auditor must achieve before issuing an opinion.
- The auditor has two overall objectives. First, obtain reasonable assurance about whether the financial statements (FS) are free from material misstatement. Second, report on those FS in accordance with the auditor's findings.
- Reasonable assurance is a high, but not absolute, level of assurance. An audit cannot guarantee that FS are 100% accurate, and ISA 200 explains exactly why.
- The standard introduces the audit risk model (Audit Risk = Inherent Risk × Control Risk × Detection Risk), which forms the basis for all risk-based audit planning under ISAs 315, 320, and 330.
- ISA 200 mandates professional skepticism and professional judgment throughout the audit. These are not abstract principles but enforceable requirements that regulators actively assess.
- Every other ISA derives its purpose and context from ISA 200. Understanding this standard is essential to understanding why audit procedures exist and what they are designed to achieve.
- What is ISA 200?
- The two overall objectives of the auditor
- Reasonable assurance: what it means (and what it does not)
- The audit risk model
- Professional skepticism
- Professional judgment
- Ethical requirements and independence
- How ISA 200 connects to every other ISA
- Sufficient appropriate audit evidence
- Applicable financial reporting framework
- Compliance with ISAs: the “comply or explain” principle
- Commonly tested exam topics and common misunderstandings
- ISA 200 in your jurisdiction
- Frequently asked questions
What is ISA 200?
Every time a partner tells me "we need to apply professional skepticism here" without saying what that means for the testing strategy, I know we're about to audit this year the way we audited last year with a methodology shield on top. SALY with a fresh paragraph citing ISA 200.15 in the planning memo. AFM inspection reports for 2024 still flag professional skepticism as a recurring root-cause finding on Dutch engagements, and the frustrating thing is that quoting ISA 200.17 on reasonable assurance never once closed the gap inspectors were pointing at. The partner quotes the standard, the file does not change, the inspection letter lands a year later, and the cycle repeats.
ISA 200, titled "Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with International Standards on Auditing," is the cornerstone of the entire ISA framework. Issued by the International Auditing and Assurance Standards Board (IAASB), it defines what an audit is and what it does (and does not) achieve.
Think of ISA 200 as the constitution of the ISA system. Just as a constitution establishes the fundamental principles that all subsequent laws must follow, ISA 200 establishes the objectives and principles that every other ISA (from risk assessment in ISA 315 to reporting in ISA 700) is designed to serve.
The standard answers four fundamental questions.
- What is the auditor trying to achieve? Reasonable assurance about the FS.
- What form does the output take? A report expressing an opinion on those FS.
- On what basis? Sufficient appropriate audit evidence, gathered with professional skepticism and judgment.
- Within what constraints? Inherent limitations that make absolute assurance impossible.
ISA 200 applies to audits of historical financial information and has been effective for audits of FS for periods beginning on or after 15 December 2009. It is adopted (with or without national modifications) across more than 130 jurisdictions worldwide, including all EU member states via the EU Audit Directive framework.
The two overall objectives of the auditor
ISA 200.11 states the auditor's overall objectives plainly. There are exactly two.
Objective 1: obtain reasonable assurance
Obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error, thereby enabling the auditor to express an opinion on whether the financial statements are prepared, in all material respects, in accordance with an applicable financial reporting framework.
In practical terms this means the auditor must gather enough credible evidence to form a basis for their opinion. The standard does not require certainty. It requires a high level of assurance that the FS are not materially wrong.
Objective 2: report on the financial statements
Report on the financial statements, and communicate as required by the ISAs, in accordance with the auditor's findings.
This second objective recognises that the audit is not complete at the evidence-gathering stage. The auditor must also communicate their conclusion through the auditor's report (ISA 700) and, where required, through communications with those charged with governance (ISA 260), management letters (ISA 265), key audit matters (ISA 701), and other reporting obligations under national law.
There is a critical implication. If reasonable assurance cannot be obtained and a qualified opinion would be insufficient for the circumstances, the auditor must either disclaim an opinion or withdraw from the engagement entirely (ISA 200.11(b)). The standard leaves no room for issuing a clean report when the evidence base is inadequate.
Reasonable assurance: what it means (and what it does not)
Reasonable assurance is one of the most misunderstood concepts in auditing. Clients misread it, the public misreads it, and sometimes auditors themselves misread it. ISA 200 defines it precisely.
What reasonable assurance is
Reasonable assurance is a high, but not absolute, level of assurance (ISA 200.5). It is obtained when the auditor has reduced audit risk to an acceptably low level. That means the auditor has gathered sufficient appropriate evidence to conclude that the FS are not materially misstated.
The concept exists on a spectrum.
| Assurance Level | Meaning | Where Used |
|---|---|---|
| No assurance | No conclusion expressed | Compilation (ISRS 4410) |
| Limited assurance | “Nothing has come to our attention…” | Review engagements (ISRE 2400) |
| Reasonable assurance | “In our opinion, the financial statements…” | Statutory audit (ISA 200) |
| Absolute assurance | Guarantee of accuracy | Does not exist in auditing |
What reasonable assurance is not
ISA 200.A45-A52 is explicit. Reasonable assurance is not a guarantee. The standard identifies several inherent limitations that make absolute assurance impossible.
The nature of financial reporting matters. FS require management judgment (estimates, assumptions, classification decisions, and choices among acceptable accounting policies). Two equally competent preparers could produce materially different FS that both comply with IFRS. The auditor evaluates the reasonableness of these judgments but cannot eliminate the subjectivity inherent in them.
The nature of audit procedures also matters. Audit evidence is persuasive, not conclusive. Testing is based on sampling (ISA 530), and even 100% testing of transactions would not catch misstatements arising from collusion, sophisticated fraud, deliberately withheld information, or management override of controls.
Timeliness and cost come next. Users expect audit opinions within a reasonable timeframe and at proportionate cost. Exhaustive verification of every transaction is neither practical nor expected. The standard explicitly recognises the need for audits to be completed within reasonable time and cost constraints (ISA 200.A46).
Fraud risk is the fourth. ISA 200 specifically notes that the risk of not detecting a material misstatement resulting from fraud is higher than the risk of not detecting one resulting from error (ISA 200.A51). Fraud involves intentional concealment (forged documents, collusion, deliberate override of controls, and suppressed records), which is inherently harder to detect than unintentional error.
Why this matters in practice
When clients ask "Why didn't you catch this?" after a restatement or fraud is discovered, your answer is rooted in ISA 200. The audit was designed to provide reasonable assurance, a high level of confidence, not a guarantee. Your engagement letter (ISA 210) should reference these limitations and your audit documentation (ISA 230) should evidence how you addressed identified risks. Your communications with governance (ISA 260) should explain what the audit can and cannot achieve.
The audit risk model
ISA 200 introduces the conceptual foundation for the audit risk model, which the entire risk-based audit approach is built upon. Understanding this model is essential because it determines how you plan the audit, where you focus your effort, and how much evidence you need.
The formula
Audit Risk = Risk of Material Misstatement × Detection Risk
Where Risk of Material Misstatement is further composed of:
Risk of Material Misstatement = Inherent Risk × Control Risk
So the full model is:
AR = IR × CR × DR
Each component
Inherent Risk (IR) is the susceptibility of an assertion to material misstatement, before considering any related internal controls. Some account balances are simply riskier than others by their nature. Revenue recognition is inherently riskier than prepaid insurance. Complex estimates (like expected credit losses under IFRS 9) carry more inherent risk than straightforward bank balances. The auditor assesses inherent risk using their understanding of the entity and its environment (ISA 315).
Control Risk (CR) is the risk that a material misstatement will not be prevented, detected, or corrected by the entity's internal controls. Even well-designed controls can fail because of human error, management override, system gaps, or staff turnover. If an entity has strong controls over accounts receivable (automated matching, segregation of duties, exception reporting, and management review), control risk for receivables assertions is lower. If controls are weak or non-existent, control risk is higher, and the auditor must compensate with more testing.
Detection Risk (DR) is the risk that the auditor's procedures will fail to detect a material misstatement that exists. This is the only component the auditor directly controls. When inherent risk and control risk are high, the auditor must lower detection risk by performing more extensive and more targeted audit procedures.
How the model drives audit planning
In my second year I spent most of the AR receivables workpaper setting expectations before cracking a confirmation. That's where the risk model actually lives on the file. The four scenarios below are taken from engagements I've worked, scrubbed of client details.
| Scenario | Inherent Risk | Control Risk | Required Response |
|---|---|---|---|
| Cash in bank at a simple entity | Low | Low | Lower detection risk acceptable → basic confirmation and reconciliation may suffice |
| Revenue at a tech company with complex contracts | High | Medium | Lower detection risk required → detailed testing of contracts, cut-off procedures, analytical review |
| Related-party transactions with weak controls | High | High | Very low detection risk required → extended substantive testing, third-party confirmations, management inquiry at multiple levels |
| Inventory at a manufacturer with automated perpetual system | Medium | Low | Moderate detection risk acceptable → test counts on sample basis, rely partially on controls |
Applying this in your audit file
When documenting your risk assessment (ISA 315) and audit strategy (ISA 300), your reasoning should trace directly back to this model. If a reviewer (or a regulator) asks “Why did you only test 25 receivable confirmations and not 60?”, your answer should demonstrate that inherent risk was low (stable customer base, standard terms), control risk was low (automated matching, monthly reconciliation reviewed by the financial controller), and therefore a higher level of detection risk was acceptable.
Professional skepticism
ISA 200 defines professional skepticism as “an attitude that includes a questioning mind, being alert to conditions that may indicate possible misstatement due to error or fraud, and a critical assessment of audit evidence” (ISA 200.13(l)).
This is not optional guidance. It is a requirement. ISA 200.15 mandates that the auditor plan and perform the audit with professional skepticism, recognising that circumstances may exist that cause the FS to be materially misstated.
What professional skepticism looks like in practice
Professional skepticism is not about distrusting management. It is about maintaining independence of mind, being willing to challenge explanations, seek corroborating evidence, and consider whether evidence might be unreliable.
What does skepticism look like on an engagement?
- Management explains a significant journal entry as a “year-end reclassification.” A skeptical auditor asks: Who authorised it? What supporting documentation exists? Is the reversal in the subsequent period consistent with a reclassification? Does the timing align with a pattern of late entries?
- The client provides a going concern assessment showing adequate cash flow projections. A skeptical auditor compares those projections to historical accuracy of prior forecasts, assesses the reasonableness of key assumptions, and considers external evidence (market data, covenant compliance).
- External confirmations come back agreeing to the client’s balances. A skeptical auditor still considers whether the confirmation process was controlled adequately. Did management have access to outgoing confirmation requests? Could responses have been intercepted?
- An estimate for a provision sits at the very bottom of a reasonable range. A skeptical auditor asks whether the direction of management bias across all estimates points the same way, and whether that pattern warrants further testing.
The opposite of skepticism is not trust. It is complacency. Regulators consistently flag insufficient professional skepticism as a root cause of audit failures. The Public Company Accounting Oversight Board (PCAOB), the Financial Reporting Council (FRC) in the UK, the AFM in the Netherlands, and ESMA across the EU have all identified skepticism deficiencies as a recurring finding in inspection reports.
The difference between skepticism and suspicion
ISA 200.A20 clarifies that professional skepticism does not mean the auditor should assume management is dishonest, nor does it mean the auditor should assume they are honest. The standard requires an objective assessment. The auditor neither trusts nor distrusts, but evaluates evidence on its merits.
In practice, this means:
- Accept management representations as a starting point, but do not treat them as sufficient evidence on their own (ISA 580 explicitly acknowledges that representations are necessary but not sufficient).
- When evidence contradicts management’s position, investigate. Do not rationalise.
- When evidence supports management’s position, consider whether the evidence could be misleading (especially in fraud scenarios involving collusion or falsified documents).
- Treat the absence of contradictory evidence as exactly that: absence, not confirmation. A clean confirmation response rate of 100% on receivables still warrants consideration of whether the process was properly controlled.
Professional judgment
ISA 200 defines professional judgment as “the application of relevant training, knowledge, and experience, within the context provided by auditing, accounting, and ethical standards, in making informed decisions about the courses of action that are appropriate in the circumstances of the audit engagement” (ISA 200.13(k)).
Where professional judgment is required
Professional judgment is not a catch-all justification for arbitrary decisions. ISA 200.A25 identifies specific areas where it is exercised, including:
- Materiality, where the auditor determines what level of misstatement would influence the economic decisions of users (ISA 320).
- Audit risk, where the auditor assesses the nature, timing, and extent of procedures needed to reduce risk to an acceptable level.
- Sufficiency and appropriateness of evidence, where the auditor decides whether enough credible evidence has been obtained to support the opinion.
- Evaluating management’s judgments, including whether accounting estimates, policy selections, disclosure completeness, and presentation choices fall within a reasonable range.
- Drawing conclusions and forming the overall audit opinion based on the cumulative evidence gathered.
Documenting judgment
Judgment must be documented. Not because the standard demands paperwork for its own sake, but because undocumented judgment is indistinguishable from no judgment at all. ISA 230 requires documentation sufficient for an experienced auditor, having no previous connection with the audit, to understand the significant judgments made. The practical test: if you were replaced tomorrow, could your successor understand why you made the decisions you made? I've read files where the answer was clearly no, and it's demoralising to sit in a review meeting explaining a predecessor's logic when even they probably couldn't reconstruct it.
Ethical requirements and independence
ISA 200.14 requires the auditor to comply with relevant ethical requirements, including those relating to independence, for financial statement audit engagements. The standard references the International Ethics Standards Board for Accountants (IESBA) Code, which establishes five fundamental principles:
| Principle | Core Meaning |
|---|---|
| Integrity | Be straightforward and honest in all professional relationships |
| Objectivity | Do not allow bias, conflict of interest, or undue influence to override professional judgment |
| Professional competence and due care | Maintain knowledge and skill at the level required; act diligently |
| Confidentiality | Respect the confidentiality of information acquired through professional relationships |
| Professional behaviour | Comply with laws and regulations; avoid actions that discredit the profession |
Independence is not listed as a separate principle in the IESBA Code because it is treated as an overarching requirement with two dimensions:
- Independence of mind is the state of mind that permits an auditor to act with integrity, objectivity, and professional skepticism.
- Independence in appearance means avoiding facts and circumstances so significant that a reasonable and informed third party would question the auditor’s integrity, objectivity, or professional skepticism.
In the EU, independence requirements are further strengthened by the EU Audit Regulation (537/2014), which imposes mandatory firm rotation for public interest entities (PIEs), a blacklist of prohibited non-audit services, fee caps on non-audit services provided to audit clients, and cooling-off periods for key audit personnel.
How ISA 200 connects to every other ISA
ISA 200 is explicitly the “umbrella” standard. Every other ISA serves one or both of the overall objectives established here. Understanding this architecture helps you see the audit as an integrated system rather than a checklist of disconnected requirements.
The ISA framework, mapped to ISA 200’s objectives
| ISA Group | Standards | Connection to ISA 200 |
|---|---|---|
| Engagement & Quality | ISA 210, 220 | Establishes the preconditions (agreed terms, quality management) that make it possible to pursue the objectives |
| Planning | ISA 300 | Translates the objectives into a specific audit strategy and plan |
| Risk Assessment | ISA 315, 320, 330 | Implements the audit risk model introduced in ISA 200 — identify risks, set materiality, design responses |
| Evidence | ISA 500–580 | Provides the framework for gathering “sufficient appropriate audit evidence” — the mechanism by which reasonable assurance is obtained |
| Special Areas | ISA 540, 550, 560, 570 | Addresses specific high-risk areas (estimates, related parties, subsequent events, going concern) where the inherent limitations noted in ISA 200 are most acute |
| Using Others’ Work | ISA 600, 610, 620 | Extends the evidence-gathering objective to group audits, internal auditors, and experts |
| Reporting | ISA 700–720 | Fulfils the second overall objective — reporting on the financial statements and communicating findings |
The practical implication
When you encounter a requirement in any ISA, ask: How does this serve the objectives in ISA 200? This transforms compliance from a tick box exercise into purposeful action. For example:
- ISA 330 requires the auditor to design further audit procedures responsive to assessed risks. Why? Because ISA 200 requires reducing audit risk to an acceptably low level.
- ISA 505 provides guidance on external confirmations. Why? Because ISA 200 requires sufficient appropriate evidence, and third-party confirmation is one of the most reliable forms of evidence.
- ISA 570 requires the auditor to evaluate going concern. Why? Because ISA 200 requires the auditor to assess whether the FS are prepared in accordance with the applicable framework, and if that framework assumes going concern but the entity cannot continue, the statements are fundamentally misstated.
- ISA 240 requires the auditor to consider fraud risk throughout the engagement. Why? Because ISA 200 acknowledges that fraud-related misstatements are harder to detect than errors, and the overall objective of reasonable assurance covers both.
Sufficient appropriate audit evidence
ISA 200 introduces the concept of “sufficient appropriate audit evidence” (ISA 200.17), which is then elaborated in ISA 500. Understanding the two dimensions is critical:
Sufficiency refers to the quantity of evidence. Is there enough? This is influenced by the assessed risk of material misstatement (higher risk = more evidence needed) and the quality of the evidence obtained (higher quality = less quantity may suffice).
Appropriateness refers to the quality of evidence, specifically its relevance and reliability. Evidence is more reliable when it:
- Is obtained from independent sources external to the entity
- Is generated internally with effective controls
- Is obtained directly by the auditor (rather than indirectly)
- Exists in documentary form (physical or electronic) rather than oral form
- Consists of originals rather than copies
| Evidence Type | Reliability | Example |
|---|---|---|
| External confirmation (direct from third party) | High | Bank confirmation letter |
| Documents from external sources held by entity | Medium-High | Supplier invoices |
| Internally generated documents with strong controls | Medium | System-generated reports with audit trail |
| Oral representations from management | Lower | Explanation for unusual journal entry |
| Management representations alone | Lowest (necessary but not sufficient) | Representation letter (ISA 580) |
The standard is clear: the auditor exercises professional judgment in evaluating whether sufficient appropriate evidence has been obtained. There is no mathematical formula, but there is a professional standard that regulators will measure you against.
Applicable financial reporting framework
ISA 200.13(a) defines the applicable financial reporting framework as the framework adopted by management and, where appropriate, those charged with governance, in preparing the FS. The auditor must evaluate whether this framework is acceptable for the entity’s circumstances (ISA 210).
In practice, European auditors encounter several frameworks:
| Framework | Typical Application | Key Standard-Setter |
|---|---|---|
| IFRS (as adopted by EU) | Listed companies, PIEs, consolidated statements | IASB / European Commission |
| Local GAAP (e.g., Dutch RJ, German HGB, French PCG) | Statutory accounts, SMEs, non-PIEs | National accounting boards |
| IFRS for SMEs | Smaller entities in jurisdictions permitting it | IASB |
ISA 200 does not prescribe which framework an entity should use. That is a matter of applicable law and regulation. But it does require the auditor to assess whether the chosen framework results in FS that achieve fair presentation (or, in the case of a compliance framework, comply with the framework’s requirements).
Compliance with ISAs: the “comply or explain” principle
ISA 200.18 establishes a critical compliance principle: the auditor shall comply with all ISAs relevant to the audit. An ISA is relevant when it is in effect and the circumstances addressed by it exist.
However, ISA 200.22–23 provides an important nuance. In exceptional circumstances, the auditor may judge it necessary to depart from a relevant requirement. When this occurs, the auditor must:
- Perform alternative audit procedures to achieve the aim of that requirement.
- Document the reasons for the departure and how the alternative procedures achieved the requirement’s objective.
This is a high bar. It is not a general permission to skip inconvenient requirements. Regulators expect departure to be genuinely exceptional and thoroughly documented.
ISA 200.20 also clarifies that the auditor shall not represent compliance with ISAs in the auditor’s report unless the auditor has complied with all ISAs relevant to the audit. Partial compliance cannot be claimed.
Commonly tested exam topics and common misunderstandings
For students preparing for professional exams (ACA, ACCA, CPA, RA) and for practitioners refreshing their knowledge, these are the areas most frequently tested and most commonly misunderstood:
“The auditor guarantees the financial statements are correct.”
Wrong. The auditor provides reasonable assurance, a high but not absolute level of confidence. ISA 200 explicitly lists the inherent limitations that prevent absolute assurance.
“Professional skepticism means assuming management is dishonest.”
Wrong. ISA 200.A20 clarifies that skepticism requires neither an assumption of dishonesty nor an assumption of unquestioned honesty. It requires a critical, evidence-based mindset.
“Detection risk is beyond the auditor’s control.”
Wrong. Detection risk is the only component of audit risk that the auditor directly controls, by varying the nature, timing, and extent of audit procedures (ISA 330). Inherent risk and control risk exist independently of the audit.
“If the audit fails to detect fraud, the auditor was negligent.”
Not necessarily. ISA 200 acknowledges that even a properly planned and performed audit may fail to detect material misstatements arising from fraud, due to the sophisticated concealment techniques involved. The question is whether the auditor exercised reasonable care (including professional skepticism) in accordance with the standards.
“ISA 200 is purely theoretical and does not affect daily audit work.”
Wrong. ISA 200 directly shapes the risk assessment, the audit strategy, the level of testing, and the audit opinion. Every decision about how much evidence to gather, which areas to focus on, when to push back on management, and how to report traces back to the objectives and principles in ISA 200.
ISA 200 in your jurisdiction
While ISA 200 applies universally as an international standard, many European jurisdictions adopt it with national modifications. Here is how the standard is implemented in key markets:
Netherlands. The NBA (Koninklijke Nederlandse Beroepsorganisatie van Accountants) adopts ISAs through the COS (Controlestandaarden) framework. COS 200 is closely aligned with ISA 200 but must be read alongside Dutch-specific requirements under the WTA (Wet toezicht accountantsorganisaties) and BW2 Title 9. The AFM actively inspects for professional skepticism and judgment. These are recurring focus areas in inspection reports.
Germany. IDW (Institut der Wirtschaftsprüfer) has historically maintained its own auditing standards (IDW PS series), though Germany is converging toward ISA adoption. IDW PS 200 covers similar ground to ISA 200, with German-specific requirements under the HGB and WPK (Wirtschaftsprüferkammer) framework. The 2024 reforms continue this convergence process.
United Kingdom. The FRC issues ISA (UK) 200, which is substantively aligned with ISA 200 but includes UK-specific ethical requirements and references to the FRC’s Ethical Standard rather than the IESBA Code. Post-Brexit, the UK maintains its own standard-setting framework while remaining closely aligned with international standards.
France. The H3C (Haut Conseil du Commissariat aux Comptes) and the CNCC adopt ISAs as NEP (Normes d’Exercice Professionnel). French implementation adds specific requirements relating to the legal framework for statutory audit (commissariat aux comptes) and the dual reporting system.
Frequently asked questions
What is the purpose of ISA 200?
ISA 200 establishes the overall objectives of the independent auditor when conducting a financial statement audit. It defines what reasonable assurance means, introduces the audit risk model, and mandates professional skepticism and professional judgment. Every other ISA derives its context and purpose from ISA 200.
What is the difference between reasonable assurance and absolute assurance?
Reasonable assurance is a high but not absolute level of assurance. It acknowledges that no audit can guarantee financial statements are completely free from misstatement. Absolute assurance would require verifying every transaction with perfect information, which is impossible due to the inherent limitations of financial reporting, audit procedures, and the nature of fraud. ISA 200 requires reasonable assurance; absolute assurance does not exist in auditing.
What are the five ethical principles under ISA 200?
ISA 200 references the IESBA Code, which establishes five fundamental principles: integrity, objectivity, professional competence and due care, confidentiality, and professional behaviour. Independence (both of mind and in appearance) underpins all five principles for audit engagements.
How does ISA 200 relate to ISA 315 and ISA 330?
ISA 200 introduces the audit risk model (AR = IR × CR × DR) as a conceptual framework. ISA 315 operationalises this by requiring the auditor to identify and assess risks of material misstatement. ISA 330 then requires the auditor to design and perform further audit procedures responsive to those assessed risks. Together, they form the core of the risk-based audit approach.
What happens if the auditor cannot obtain reasonable assurance?
ISA 200.11(b) is clear: if reasonable assurance cannot be obtained and a qualified opinion in the auditor’s report is insufficient for purposes of reporting to intended users, the auditor must either disclaim an opinion or withdraw from the engagement, where withdrawal is legally permitted.
Is ISA 200 testable in professional exams?
Yes. ISA 200 is a foundational topic in virtually all professional accounting qualifications, including ACCA (Audit and Assurance paper), ACA (Audit and Assurance module), CPA (Auditing and Attestation section), and the Dutch RA qualification. Exam questions typically focus on the definition of reasonable assurance, the audit risk model, professional skepticism, and the inherent limitations of an audit.
Does ISA 200 apply to review engagements or agreed-upon procedures?
No. ISA 200 applies specifically to audits of historical financial statements. Review engagements are governed by ISRE 2400 (which provides limited assurance rather than reasonable assurance), and agreed-upon procedures are governed by ISRS 4400 (which provides no assurance, only a report of factual findings).
Further reading and source references
- The IAASB Handbook 2024 contains the ISA 200 full text and is the authoritative source for the complete standard, including all application material (paragraphs A1–A76).
- The IESBA Code of Ethics is referenced in ISA 200.14 for ethical requirements including independence.
- ISA 210 (Agreeing the Terms of Audit Engagements) is the practical first step after accepting the objectives in ISA 200.
- ISA 315 (Revised 2019) (Identifying and Assessing Risks of Material Misstatement) operationalises the audit risk model.
- ISA 320 (Materiality in Planning and Performing an Audit) defines how material misstatement is quantified.
- The EU Audit Directive (2014/56/EU) and Regulation (537/2014) form the European legislative framework within which ISAs are applied for statutory audits.
This guide reflects the ISA 200 text as published in the IAASB 2024 Handbook. National implementations may include additional requirements. Always consult the applicable national standard (e.g., COS 200 in the Netherlands, ISA (UK) 200 in the UK, IDW PS 200 in Germany) alongside the international text. This content is for educational purposes and does not constitute legal or professional advice.
Related ciferi content
Related guides:
Put audit concepts into practice with these free tools:
Production-ready audit templates