Key Takeaways
- ISA 210 governs the auditor's responsibilities in agreeing the terms of the audit engagement with management and, where appropriate, those charged with governance — before audit work begins.
- The auditor must establish that two preconditions are present: (1) the financial reporting framework is acceptable, and (2) management acknowledges and understands its responsibilities for the financial statements, internal control, and providing the auditor unrestricted access to information.
- If the preconditions are not met, the auditor must not accept the engagement — unless required to do so by law or regulation.
- The agreed terms must be documented in an engagement letter (or equivalent written agreement) covering the audit's objective, scope, responsibilities of both parties, the applicable framework, and the expected form of the auditor's report.
- For recurring audits, the auditor must assess each period whether circumstances require revised terms or a reminder of existing terms — issuing a new engagement letter is not always required, but the assessment is.
- If a client requests a change in engagement terms (e.g., from audit to review), the auditor must not agree unless there is a reasonable justification — and must consider the legal and professional consequences before accepting any downgrade.
What is ISA 210?
ISA 210, titled "Agreeing the Terms of Audit Engagements," deals with the practical and legal foundation that must be in place before an audit can properly begin. Where ISA 200 defines what the auditor is trying to achieve, ISA 210 defines the agreement under which that work will be performed.
Think of it this way: ISA 200 is the purpose of the mission. ISA 210 is the contract that authorises it.
The standard addresses four distinct situations:
- New engagements — establishing preconditions and agreeing terms for the first time.
- Recurring engagements — assessing whether existing terms remain appropriate year after year.
- Changes in engagement terms — responding when management asks to downgrade or alter the engagement (e.g., from audit to review).
- Special circumstances — handling situations where law or regulation prescribes the audit terms, or where the financial reporting framework is supplemented or contradicted by legislation.
ISA 210 should be read in conjunction with ISA 200, ISA 220 (Quality Management for an Audit), and ISA 580 (Written Representations). Together, these standards create the contractual, ethical, and procedural infrastructure upon which the entire audit is built.
The standard is effective for audits of financial statements for periods beginning on or after 15 December 2009.
The Objective of the Auditor Under ISA 210
ISA 210.3 states the objective clearly:
The objective of the auditor is to accept or continue an audit engagement only when the basis upon which it is to be performed has been agreed, through: (a) Establishing whether the preconditions for an audit are present; and (b) Confirming that there is a common understanding between the auditor and management and, where appropriate, those charged with governance, of the terms of the audit engagement.
The word "only" is important here. The auditor should not begin audit work — not planning, not risk assessment, not fieldwork — until the basis has been agreed. In practice, some firms start preliminary engagement activities (client acceptance procedures under ISA 220 and ISQM 1) before the engagement letter is signed, but the formal audit cannot proceed without agreed terms.
Preconditions for an Audit
Before the auditor can accept an engagement, ISA 210.6 requires that two preconditions are established:
Precondition 1: An acceptable financial reporting framework
The auditor must determine whether the financial reporting framework to be applied in preparing the financial statements is acceptable (ISA 210.6(a)).
What makes a framework "acceptable"? ISA 210.A3 provides guidance: frameworks established by authorised or recognised standard-setting organisations are generally presumed acceptable for general-purpose financial statements. In practice, for European auditors, this means:
| Framework | Typically Acceptable For | Standard-Setter |
|---|---|---|
| IFRS as adopted by EU | Listed companies, PIEs, consolidated statements | IASB / European Commission |
| Dutch GAAP (RJ) | Dutch statutory accounts, SMEs, foundations | Raad voor de Jaarverslaggeving |
| German HGB | German statutory accounts, GmbHs | German legislator / IDW |
| French PCG | French statutory accounts | ANC |
| UK FRS 102 / FRS 105 | UK companies | FRC |
| IFRS for SMEs | Smaller entities (where jurisdiction permits) | IASB |
When is a framework unacceptable? If the framework does not result in financial statements that provide adequate disclosures, or if it does not properly classify and present transactions, the framework may be unacceptable. This is relatively rare for standard commercial entities in regulated European markets but can arise in special-purpose engagements or bespoke internal reporting frameworks that clients mistakenly believe can serve as the basis for an audit opinion.
When law and standards conflict. ISA 210.18–19 addresses a tricky situation: what happens when the applicable financial reporting framework is prescribed by law but the auditor concludes it is not acceptable? The auditor must first determine whether the framework is nonetheless understandable to users. If it is, the auditor may accept — but must include an Emphasis of Matter paragraph in the report (under ISA 706) and must not state that the financial statements "present a true and fair view" unless specifically required and permitted by law.
Precondition 2: Management acknowledges its responsibilities
ISA 210.6(b) requires the auditor to obtain management's acknowledgment and understanding of its responsibility for:
Preparing the financial statements in accordance with the applicable financial reporting framework, including — where relevant — their fair presentation. This is not a formality. It establishes that the financial statements are management's product, not the auditor's.
Internal control that management determines is necessary to enable the preparation of financial statements free from material misstatement, whether due to fraud or error. This responsibility exists regardless of whether the entity is required to have a formal internal control system. Even a five-person company has a management responsibility for controls.
Providing the auditor with unrestricted access to all information relevant to the preparation of the financial statements, including records, documentation, additional information the auditor may request, and unrestricted access to persons within the entity from whom the auditor determines it necessary to obtain audit evidence.
Why the "access" precondition matters
This third element — unrestricted access — is where engagements most commonly run into difficulty. If management restricts access to certain personnel, records, or locations, the auditor faces a scope limitation. If the scope limitation is imposed before the engagement begins and would result in a disclaimer of opinion, ISA 210.7 requires the auditor to decline the engagement (unless legally required to accept). If it arises during the engagement, it is addressed under ISA 705. The engagement letter is your documented evidence that management agreed to provide this access — and your contractual basis for insisting on it.
The Engagement Letter
Why it matters
The engagement letter is the contractual foundation of the audit. It documents the agreed terms, protects both parties from misunderstandings, and provides a reference point if disputes arise about scope, responsibilities, or expectations. ISA 210.10 requires that the agreed terms be recorded in an engagement letter or other suitable form of written agreement.
In many European jurisdictions, the engagement letter also serves a legal function — it may form part of the audit firm's defence in professional liability claims, and it may be reviewed by regulators during quality inspections.
Required contents
ISA 210.10 specifies the minimum contents of the engagement letter:
| Required Element | What It Covers | Why It Matters |
|---|---|---|
| Objective and scope | The objective of the audit, the financial period covered | Prevents scope creep; clarifies what the auditor will and will not do |
| Auditor's responsibilities | Form and express an opinion; conduct the audit in accordance with ISAs | Establishes the professional standard the auditor is bound by |
| Management's responsibilities | Preparation of financial statements, internal control, providing access | Allocates accountability; forms the basis for written representations (ISA 580) |
| Applicable framework | Identification of IFRS, local GAAP, or other framework | Defines the benchmark against which the opinion is expressed |
| Expected form of reports | Expected auditor's report format, with a statement that circumstances may cause it to differ | Manages expectations — particularly for clients unfamiliar with modified opinions |
Additional elements commonly included
Fees and billing arrangements. Not required by ISA 210 itself, but virtually always included in practice. The engagement letter should specify the fee basis (fixed fee, hourly rates, or a combination), invoicing schedule, and any provisions for additional fees arising from scope changes.
Reference to inherent limitations. A statement that an audit provides reasonable assurance, not absolute assurance, and that there is an unavoidable risk that some material misstatements may not be detected. This directly references ISA 200's discussion of inherent limitations and provides an important layer of protection.
Communication and reporting obligations. Expected communications with those charged with governance (ISA 260), the management letter on internal control deficiencies (ISA 265), and any sector-specific reporting requirements.
Arrangements for using the work of others. Where the auditor expects to use the work of internal auditors (ISA 610), other auditors in a group context (ISA 600), or experts (ISA 620).
Data protection and confidentiality. Particularly relevant in the EU under GDPR, the engagement letter should address how personal data encountered during the audit will be handled.
Limitation of liability. Permitted in some jurisdictions (e.g., the UK under the Companies Act 2006, section 534) but not in others. Where permitted, this requires specific legal drafting and approval by shareholders.
Applicable law and dispute resolution. Identifying which jurisdiction's laws govern the engagement and how disputes will be resolved.
Template vs. tailored letters
Many audit firms use a template engagement letter that covers the ISA 210 minimum requirements. This is fine as a starting point — but a good engagement letter should be tailored to the specific entity. A manufacturing company with three subsidiaries in different countries has different engagement terms than a single-entity foundation. If you use a template, review it each year against the actual scope, the entity's structure, and any changes in the regulatory environment. Regulators notice when engagement letters are generic and unchanged year after year — it suggests the auditor is not thinking critically about the specific engagement.
Recurring Audits
Many auditors work with the same clients year after year. ISA 210.13 addresses this directly:
On recurring audits, the auditor shall assess whether circumstances require the terms of the audit engagement to be revised, and whether there is a need to remind the entity of the existing terms of the audit engagement.
A new engagement letter is not always required. The standard permits continuing under the existing terms — but only after the auditor has actively considered whether anything has changed that would warrant updating them.
When to issue a new engagement letter
The following circumstances typically require revised terms or a new letter:
| Circumstance | Why It Triggers a Revision |
|---|---|
| Change in financial reporting framework | The audit benchmark has changed — e.g., first-time IFRS adoption, transition from local GAAP |
| Significant change in entity size or structure | Acquisitions, disposals, or major reorganisations change the scope and complexity |
| Change in management or governance | New management may not be bound by (or aware of) the previous agreement's terms |
| Change in ownership | New owners may have different expectations or reporting requirements |
| New legal or regulatory requirements | E.g., the entity becomes a PIE, triggering additional reporting obligations |
| Significant change in audit scope | Additional group components, new business lines, or first-year CSRD reporting |
| Change in the engagement team | A new engagement partner may wish to re-establish terms directly |
When a reminder suffices
If none of the above circumstances apply, the auditor may instead remind management of the existing terms — typically by referencing the prior engagement letter in the planning communication or in a brief confirmation letter. The key is that the assessment is documented and the conclusion (new letter or reminder) is justified.
Requests to Change Engagement Terms
ISA 210.14–17 addresses one of the more challenging situations an auditor faces: the client asks to change the terms of the engagement — typically to downgrade from an audit to a review or compilation.
The auditor's obligation
The auditor must not agree to a change in terms where there is no reasonable justification for doing so (ISA 210.14). This is a firm prohibition, not guidance.
What counts as "reasonable justification"?
ISA 210.A29–A31 provides examples:
Reasonable justification (change may be acceptable):
- A change in circumstances affecting the entity's need for an audit — for example, the entity falls below the statutory audit threshold.
- A genuine misunderstanding about the nature of the original engagement.
- A legitimate business reason — for example, the entity's lender has since accepted a review.
Not reasonable justification (change should be refused):
- The auditor is unable to obtain sufficient appropriate audit evidence — this is a scope limitation, not a basis for downgrading. The appropriate response is a modified opinion (ISA 705).
- Management seeks to avoid a qualified or adverse opinion by converting the engagement.
- Management seeks to limit the scope of work to avoid the auditor discovering a specific issue.
The "downgrade request" red flag
In practice, a client's request to change from audit to review mid-engagement — particularly after the auditor has raised uncomfortable questions — is a significant red flag. If the request appears motivated by a desire to suppress findings or avoid a modified opinion, this should be discussed with the engagement quality reviewer, documented thoroughly, and in many cases refused. If you refuse the change and are not permitted to continue the original engagement, ISA 210.16 requires you to consider whether there is an obligation to report the circumstances to regulators or other parties.
If the change is agreed
If the auditor concludes the change is justified and management agrees, the auditor must:
- Issue a new engagement letter reflecting the revised terms.
- Not reference the original engagement or any audit work performed to date in the new report (ISA 210.17). The review or compilation report stands on its own.
If the change is refused
If the auditor is unable to agree to the change and management does not permit continuation of the original engagement, the auditor must:
- Withdraw from the engagement, where permitted by applicable law or regulation.
- Consider whether to report the circumstances to other parties, such as those charged with governance, the entity's shareholders, or the relevant regulator (ISA 210.16).
Special Circumstances
When law prescribes the audit terms
In many European jurisdictions, the terms of statutory audits are substantially prescribed by company law, audit legislation, or regulatory directives. ISA 210.11 acknowledges this: if law or regulation prescribes in sufficient detail the terms of the audit, the engagement letter need not reproduce all of those terms. However, even in such cases, the engagement letter must still document management's acknowledgment of its responsibilities.
When supplementary reporting is required by law
Some jurisdictions require the auditor to report on matters beyond the financial statements — for example, consistency of the management report with the financial statements (common in the EU under the Audit Directive), or compliance with specific corporate governance codes. These additional responsibilities may be referenced in the engagement letter or addressed separately.
Group audits
For group audit engagements under ISA 600, the group engagement partner must consider additional terms, including the scope of work to be performed on components, access to component information, communication protocols between group and component auditors, and restrictions on the use of component auditor reports. These are typically addressed either in the group engagement letter or in separate instruction letters to component auditors.
The Engagement Letter as a Living Document
The engagement letter is not a file-and-forget document. It has ongoing practical significance throughout the audit:
During planning (ISA 300), the engagement letter defines the scope that the audit plan must address. If the scope described in the letter does not match the actual engagement, one of them needs to be corrected before proceeding.
During the audit, the engagement letter is the auditor's contractual basis for requesting access to records, personnel, and information. When management pushes back on providing a particular document, the engagement letter is what you point to.
At reporting (ISA 700), the auditor's report references the applicable financial reporting framework identified in the engagement letter. The management responsibilities described in the report mirror those agreed in the letter.
When obtaining written representations (ISA 580), management's representations should be consistent with the responsibilities they acknowledged in the engagement letter. If there is a disconnect, it needs to be resolved.
If disputes arise, the engagement letter is the primary evidence of what was agreed. Courts, regulators, and professional bodies will look to this document to determine whether the auditor operated within the agreed scope and whether management fulfilled its commitments.
ISA 210 in Your Jurisdiction
Netherlands. COS 210 follows ISA 210 closely. Dutch statutory audits are governed by BW2 Title 9 and the WTA. The NBA's practice notes provide additional guidance on engagement letter content for Dutch-specific requirements, including Wwft/AML obligations. For OOB (Public Interest Entity) engagements, the EU Audit Regulation adds mandatory firm rotation and non-audit service restrictions that should be referenced in the engagement letter.
Germany. German engagement letters (Auftragsbestätigungen) typically reference the Allgemeine Auftragsbedingungen (AAB) — general terms and conditions — developed by IDW for Wirtschaftsprüfer. These AAB include standard liability limitation clauses well-established in German audit practice. The engagement letter must also address HGB-specific reporting requirements.
United Kingdom. ISA (UK) 210 is substantively aligned with ISA 210. A distinctive UK feature is the statutory right to limit auditor liability under the Companies Act 2006, section 534, which requires a liability limitation agreement approved by shareholders. UK engagement letters also reference the FRC's Ethical Standard rather than the IESBA Code.
France. ISA 210 is implemented through NEP 210 under the supervision of the H3C. French statutory audit operates within a highly codified legal framework — the Code de commerce prescribes many engagement terms directly. The engagement letter must address the specific French requirements for reporting on the management report and on related-party agreements (conventions réglementées).
Related Ciferi Content
Continue building your understanding of the ISA framework:
Put audit concepts into practice with these free tools:
Frequently Asked Questions
What is the purpose of an audit engagement letter?
The engagement letter is the formal written agreement between the auditor and the client that documents the terms of the audit engagement. It establishes the audit's objective and scope, the responsibilities of both the auditor and management, the applicable financial reporting framework, and the expected form of the auditor's report. It serves both as a professional requirement under ISA 210 and as a contractual document that protects both parties.
Is an engagement letter required for every audit?
Yes. ISA 210.10 requires that the agreed terms be recorded in an engagement letter or other suitable form of written agreement. Even where law or regulation prescribes the terms in detail, the engagement letter must at minimum document management's acknowledgment of its responsibilities.
Can the auditor proceed without a signed engagement letter?
The auditor should not begin the audit until terms are agreed. In practice, some firms begin limited preliminary activities before the letter is signed, but the formal audit — planning, risk assessment, fieldwork — should not proceed without documented agreed terms. If management refuses to sign, the auditor should consider whether the preconditions for an audit are met.
What happens if the preconditions for an audit are not met?
The auditor must discuss the matter with management. If the financial reporting framework is unacceptable or if management does not acknowledge its responsibilities, the auditor must not accept the engagement — unless required to do so by law or regulation (ISA 210.8). Where the auditor is legally required to accept despite unmet preconditions, specific provisions apply (ISA 210.19–21).
Does the auditor need a new engagement letter every year?
Not necessarily. For recurring audits, ISA 210.13 requires the auditor to assess whether circumstances require revised terms. If nothing significant has changed, the auditor may continue under existing terms, with or without a formal reminder to management. However, many firms choose to issue a new letter annually as best practice — particularly for PIE engagements.
What should the auditor do if the client asks to downgrade from audit to review?
The auditor must evaluate whether there is a reasonable justification for the change (ISA 210.14). If the justification is reasonable (e.g., the entity no longer meets statutory audit thresholds), the change may be accepted with a new engagement letter. If not reasonable — for example, management is trying to avoid a qualified opinion — the auditor should refuse. If the auditor cannot continue the original engagement and cannot agree to the change, the auditor must withdraw and consider reporting obligations (ISA 210.16).
How does ISA 210 relate to ISA 580 (Written Representations)?
The responsibilities that management acknowledges in the engagement letter under ISA 210 are later confirmed through formal written representations at the end of the audit under ISA 580. The engagement letter establishes the agreement at the start; the representation letter confirms that management fulfilled those responsibilities throughout the period. If management's representations are inconsistent with what was agreed, the auditor must investigate.
Can the engagement letter limit the auditor's liability?
This depends entirely on the jurisdiction. In the UK, the Companies Act 2006 permits liability limitation agreements subject to shareholder approval. In Germany, the IDW's Allgemeine Auftragsbedingungen include standard liability caps. In the Netherlands and France, liability limitation in statutory audit engagement letters is more restricted. Always consult local legal requirements before including such clauses.
Further Reading and Source References
- IAASB Handbook 2024 — The authoritative source for the complete ISA 210 text, including all application material (paragraphs A1–A36) and the appendix with an example engagement letter.
- ISA 200 — Overall Objectives of the Independent Auditor — the overarching framework that ISA 210's engagement terms are designed to serve.
- ISA 220 (Revised) — Quality Management for an Audit — covers client acceptance and continuance procedures that precede and complement ISA 210.
- ISA 580 — Written Representations — the end-of-audit counterpart to the engagement letter's establishment of management's responsibilities.
- ISA 705 — Modifications to the Opinion — relevant when scope limitations arise despite agreed access terms.
- ISA 706 — Emphasis of Matter Paragraphs — relevant when the auditor accepts an engagement with a framework that is acceptable but potentially misleading.
- EU Audit Directive (2014/56/EU) and Regulation (537/2014) — The European legislative framework governing statutory audit terms for PIEs.