Here's the call I had last February. The CFO of a new client wanted paragraph four of the draft engagement letter crossed out, the paragraph that says management takes responsibility for internal controls. His argument was that the prior auditor had never made him sign anything like it, so why should we. I told him ISA 210 doesn't let me start the financial statements (FS) audit without that acknowledgment in writing. He didn't sign for six weeks, and we nearly walked.
Most of us have seen the opposite problem too. The engagement letter that gets rolled forward every year on a SALY basis (same as last year), re-dated, re-signed, and never re-read by anyone. Regulators call it a tick box exercise. The AFM and FRC have both flagged it in recent inspection rounds. ISA 210 isn't hard to comply with. It's hard to comply with honestly. The file should tell a story about why you accepted this client and what you agreed to do for them, not just confirm that a template was signed.
ISA 210 requires auditors to establish that two preconditions for an audit are present (an acceptable financial reporting framework and management's acknowledgment of its responsibilities, including unrestricted access) and to document the agreed terms in an engagement letter before audit work begins.
Key takeaways
- ISA 210 governs the auditor's responsibilities in agreeing the terms of the audit engagement with management (and, where appropriate, those charged with governance) before audit work begins.
- Two preconditions must be present: (1) the financial reporting framework is acceptable, and (2) management acknowledges its responsibilities for the FS, internal control, and providing unrestricted access to information.
- If the preconditions are not met, the auditor must not accept the engagement unless required to do so by law or regulation.
- The agreed terms must be documented in an engagement letter (or equivalent written agreement) covering the audit's objective, scope, responsibilities of both parties, the applicable framework, and the expected form of the auditor's report.
- For recurring audits, the auditor must assess each period whether circumstances require revised terms or a reminder of existing terms. Issuing a new engagement letter is not always required, but the assessment is.
- If a client requests a change in engagement terms (for example, from audit to review), the auditor must not agree unless there is a reasonable justification, and must consider the legal and professional consequences before accepting any downgrade.
- What is ISA 210?
- The objective of the auditor under ISA 210
- Preconditions for an audit
- The engagement letter
- Recurring audits
- Requests to change engagement terms
- Special circumstances
- The engagement letter as a living document
- Worked example: first-year engagement for a Dutch B.V.
- Practical checklist
- Common mistakes
- Related content
- ISA 210 in your jurisdiction
- Frequently asked questions
What is ISA 210?
ISA 210, titled "Agreeing the Terms of Audit Engagements," deals with the practical and legal foundation that must be in place before an audit can properly begin. Where ISA 200 defines what the auditor is trying to achieve, ISA 210 defines the agreement under which that work will be performed. ISA 200 is the purpose of the mission. ISA 210 is the contract that authorises it.
The standard addresses four situations:
- New engagements, where the auditor establishes preconditions and agrees terms for the first time.
- Recurring engagements, where the auditor assesses whether existing terms remain appropriate year after year.
- Changes in engagement terms, where management asks to downgrade or alter the engagement (for example, from audit to review).
- Special circumstances, where law or regulation prescribes the audit terms, or where the financial reporting framework is supplemented or contradicted by legislation.
ISA 210 should be read in conjunction with ISA 200, ISA 220 (Quality Management for an Audit), ISA 580 (Written Representations), and ISA 300 (Planning). Together, these standards create the contractual and procedural infrastructure the entire audit is built on.
The standard is effective for audits of financial statements for periods beginning on or after 15 December 2009.
The objective of the auditor under ISA 210
ISA 210.3 states the objective clearly:
The objective of the auditor is to accept or continue an audit engagement only when the basis upon which it is to be performed has been agreed, through:
(a) Establishing whether the preconditions for an audit are present; and
(b) Confirming that there is a common understanding between the auditor and management and, where appropriate, those charged with governance, of the terms of the audit engagement.
The word "only" is important here. The auditor should not begin audit work (not planning, not risk assessment, not fieldwork, not even preliminary analytics) until the basis has been agreed. In practice, some firms start preliminary engagement activities (client acceptance procedures under ISA 220 and ISQM 1) before the engagement letter is signed, but the formal audit cannot proceed without agreed terms.
Preconditions for an audit
Before the auditor can accept an engagement, ISA 210.6 requires that two preconditions are established:
Precondition 1: An acceptable financial reporting framework
The auditor must determine whether the financial reporting framework to be applied in preparing the financial statements is acceptable (ISA 210.6(a)).
What makes a framework "acceptable"?
ISA 210.A3 provides guidance: frameworks established by authorised or recognised standard-setting organisations are presumed acceptable for general-purpose FS. For European auditors, this means:
| Framework | Typically Acceptable For | Standard-Setter |
|---|---|---|
| IFRS as adopted by EU | Listed companies, PIEs, consolidated statements | IASB / European Commission |
| Dutch GAAP (RJ) | Dutch statutory accounts, SMEs, foundations | Raad voor de Jaarverslaggeving |
| German HGB | German statutory accounts, GmbHs | German legislator / IDW |
| French PCG | French statutory accounts | ANC (Autorité des normes comptables) |
| UK FRS 102 / FRS 105 | UK companies | FRC |
| IFRS for SMEs | Smaller entities (where jurisdiction permits) | IASB |
When is a framework unacceptable?
If the framework does not result in FS that provide adequate disclosures, or if it does not properly classify and present transactions, the framework may be unacceptable. We've seen this come up in special-purpose engagements, entities incorporated in less-regulated jurisdictions, bespoke internal reporting frameworks that clients mistakenly believe can serve as the basis for an audit opinion, and occasionally in cross-border groups where the parent applies one framework and the subsidiary another. It is uncommon for standard commercial entities in regulated European markets.
When law and standards conflict
ISA 210.18–19 addresses a tricky situation: what happens when the applicable financial reporting framework is prescribed by law but the auditor concludes it is not acceptable? The auditor must first determine whether the framework is nonetheless understandable to users. If it is, the auditor may accept, but must include an Emphasis of Matter paragraph in the report (under ISA 706) and must not state that the FS "present a true and fair view" or "present fairly" unless specifically required and permitted by law. If even this is insufficient, the auditor should decline the engagement unless legally required to perform the audit.
Precondition 2: Management acknowledges its responsibilities
ISA 210.6(b) requires the auditor to obtain management's acknowledgment and understanding of its responsibility in three areas.
First, preparing the FS in accordance with the applicable financial reporting framework, including (where relevant) their fair presentation. This is not a formality. It establishes that the FS are management's product, not the auditor's. The auditor expresses an opinion on the statements. Management prepares them.
Second, internal control that management determines is necessary to enable the preparation of FS free from material misstatement, whether due to fraud or error. This responsibility exists regardless of whether the entity is required to have a formal internal control system. Even a five-person company has a management responsibility for controls, even if those controls are informal.
Third, providing the auditor with unrestricted access to all information relevant to the preparation of the FS, including records and documentation, additional information that the auditor may request, and unrestricted access to persons within the entity from whom the auditor determines it necessary to obtain audit evidence.
Why the "access" precondition matters
This third element (unrestricted access) is where engagements most commonly run into difficulty. If management restricts access to certain personnel or records, the auditor faces a scope limitation. If the scope limitation is imposed before the engagement begins and would result in a disclaimer of opinion, ISA 210.7 requires the auditor to decline the engagement (unless legally required to accept). If it arises during the engagement, it is addressed under ISA 705 (Modifications to the Opinion). The engagement letter is your documented evidence that management agreed to provide this access, and your contractual basis for insisting on it. I've had a controller tell me the bank confirmations were "not available" for three consecutive weeks. Without the signed letter, that conversation has no teeth.
The engagement letter
Why it matters
The engagement letter is the contractual foundation of the audit. It documents the agreed terms and protects both parties from misunderstandings about scope and responsibilities. ISA 210.10 requires that the agreed terms be recorded in an engagement letter or other suitable form of written agreement.
In many European jurisdictions, the engagement letter also serves a legal function. It may form part of the audit firm's defence in professional liability claims, and it may be reviewed by regulators during quality inspections.
Required contents
ISA 210.10 specifies the minimum contents of the engagement letter:
| Required Element | What It Covers | Why It Matters |
|---|---|---|
| Objective and scope | The objective of the audit of the financial statements, the financial period covered | Prevents scope creep; clarifies what the auditor will and will not do |
| Auditor’s responsibilities | The auditor’s responsibility to form and express an opinion; conduct the audit in accordance with ISAs | Establishes the professional standard the auditor is bound by |
| Management’s responsibilities | Preparation of financial statements, internal control, providing access and information | Allocates accountability; forms the basis for written representations (ISA 580) |
| Applicable financial reporting framework | Identification of IFRS, local GAAP, or other framework | Defines the benchmark against which the opinion is expressed |
| Expected form and content of reports | Reference to the expected auditor’s report format, with a statement that circumstances may cause it to differ | Manages expectations (particularly important for clients unfamiliar with modified opinions) |
Additional elements commonly included
While ISA 210.10 specifies the minimum, the standard's appendix and common practice suggest including additional elements.
Fees and billing arrangements are not required by ISA 210 itself, but at firms we've worked with they are almost always included. The engagement letter should specify the fee basis (fixed fee, hourly rates, or a blend), invoicing schedule, provisions for additional fees arising from scope changes, and payment terms.
A reference to inherent limitations is also standard. The letter should state that an audit conducted in accordance with ISAs is designed to provide reasonable assurance, not absolute assurance, and that there is an unavoidable risk that some material misstatements may not be detected. This directly references ISA 200's discussion of inherent limitations and provides a layer of protection.
Communication and reporting obligations should cover expected communications with those charged with governance (ISA 260), the management letter on internal control deficiencies (ISA 265), any sector-specific reporting requirements (for example, reporting to the AFM in the Netherlands or BaFin in Germany), and the expected timeline for delivering those communications.
Arrangements for using the work of others should be included where the auditor expects to rely on internal auditors (ISA 610), other auditors in a group context (ISA 600), or experts (ISA 620).
Data protection and confidentiality provisions are particularly relevant in the EU under GDPR. The engagement letter should address how personal data encountered during the audit will be handled, and may reference a separate data processing agreement.
Limitation of liability is permitted in some jurisdictions (for example, the UK under the Companies Act 2006, section 534) but not in others. Where permitted, this requires specific legal drafting and approval by shareholders.
Applicable law and dispute resolution clauses should identify which jurisdiction's laws govern the engagement and how disputes will be resolved (mediation, arbitration, or litigation).
Template vs. tailored letters
Most firms use a template engagement letter that covers the ISA 210 minimum. Fine as a starting point. But I'll be honest: the engagement letter is the document everyone signs and no one re-reads until a dispute forces it open. I've caught myself rolling forward PY letters three years in a row on a SALY basis without actually rereading them, and the reviewer caught it on the fourth year. A manufacturing group with three foreign subs has different terms than a single-entity foundation. If you're using a template, sit with it each year against the actual scope, the entity's structure, and the current regulatory environment. Regulators notice when engagement letters are generic and unchanged year after year. It reads as a tick box exercise, not thinking.
Recurring audits
Many auditors work with the same clients year after year. ISA 210.13 addresses this directly:
On recurring audits, the auditor shall assess whether circumstances require the terms of the audit engagement to be revised, and whether there is a need to remind the entity of the existing terms of the audit engagement.
A new engagement letter is not always required. The standard permits continuing under the existing terms, but only after the auditor has actively considered whether anything has changed that would warrant updating them.
When to issue a new engagement letter
The following circumstances typically require revised terms or a new letter:
| Circumstance | Why It Triggers a Revision |
|---|---|
| Change in financial reporting framework | The audit benchmark has changed (e.g., first-time IFRS adoption, transition from local GAAP) |
| Significant change in entity size or structure | Acquisitions, disposals, or major reorganisations change the scope and complexity of the engagement |
| Change in management or governance | New management may not be bound by (or aware of) the previous agreement’s terms |
| Change in ownership | New owners may have different expectations or reporting requirements |
| New legal or regulatory requirements | E.g., the entity becomes a PIE, triggering additional reporting obligations |
| Significant change in audit scope | Additional group components, new business lines, or first-year CSRD reporting |
| Change in the engagement team | A new engagement partner may wish to re-establish terms directly |
When a reminder suffices
If none of the above circumstances apply, the auditor may instead remind management of the existing terms, typically by referencing the prior engagement letter in the planning communication or in a brief confirmation letter. The key is that the assessment is documented and the conclusion (new letter or reminder) is justified.
Requests to change engagement terms
ISA 210.14–17 addresses one of the more challenging situations an auditor faces: the client asks to change the terms of the engagement, typically to downgrade from an audit to a review or compilation.
The auditor's obligation
The auditor must not agree to a change in terms where there is no reasonable justification for doing so (ISA 210.14). This is a firm prohibition, not guidance.
What counts as "reasonable justification"?
ISA 210.A29–A31 provides examples:
Reasonable justification (change may be acceptable):
- A change in circumstances affecting the entity’s need for an audit (for example, the entity falls below the statutory audit threshold and no longer requires a statutory audit).
- A genuine misunderstanding about the nature of the original engagement (for example, the client initially requested a review but the engagement letter mistakenly described an audit).
- A legitimate business reason (for example, the entity’s lender initially required an audit but has since accepted a review).
- A change in the legal or regulatory environment that removes the statutory audit requirement for the entity’s category.
Not reasonable justification (change should be refused):
- The auditor is unable to obtain sufficient appropriate audit evidence. This is a scope limitation, not a basis for downgrading. The appropriate response is a modified opinion (ISA 705), not a conversion to a review.
- Management seeks to avoid a qualified or adverse opinion by converting the engagement to one that does not require an opinion, or seeks to limit the scope of work to prevent the auditor from discovering a specific issue.
The "downgrade request" red flag
A client's request to change from audit to review mid-engagement (particularly after the auditor has raised uncomfortable questions) is a significant red flag. If the request appears motivated by a desire to suppress findings or avoid a modified opinion, this should be discussed with the engagement quality reviewer (EQCR) and documented thoroughly. We've seen this on about half the engagements where a going concern issue surfaces late. If you refuse the change and are not permitted to continue the original engagement, ISA 210.16 requires you to consider whether there is an obligation to report the circumstances to regulators or other parties.
If the change is agreed
If the auditor concludes the change is justified and management agrees, the auditor must:
- Issue a new engagement letter reflecting the revised terms.
- Not reference the original engagement or any audit work performed to date in the new report (ISA 210.17). The review or compilation report stands on its own.
If the change is refused
If the auditor is unable to agree to the change and management does not permit continuation of the original engagement, the auditor must:
- Withdraw from the engagement, where permitted by applicable law or regulation.
- Consider whether to report the circumstances to other parties, such as those charged with governance, the entity's shareholders, or the relevant regulator (ISA 210.16).
Special circumstances
When law prescribes the audit terms
In many European jurisdictions, the terms of statutory audits are substantially prescribed by company law or regulatory directives. ISA 210.11 acknowledges this: if law or regulation prescribes in sufficient detail the terms of the audit, the engagement letter need not reproduce all of those terms. However, even in such cases, the engagement letter must still document management's acknowledgment of its responsibilities. This requirement cannot be satisfied solely by reference to legislation.
When supplementary reporting is required by law
Some jurisdictions require the auditor to report on matters beyond the financial statements. Examples include consistency of the management report with the financial statements (common in the EU under the Audit Directive) or compliance with specific corporate governance codes. ISA 210.A23 notes that these additional responsibilities may be referenced in the engagement letter or addressed separately.
Group audits
For group audit engagements under ISA 600, the group EP must consider additional terms, including the scope of work to be performed on components, access to component information, communication protocols between group and component auditors, and restrictions on the use of component auditor reports. These are typically addressed either in the group engagement letter or in separate instruction letters to component auditors.
The engagement letter as a living document
The engagement letter is not a file-and-forget document. It has ongoing practical significance throughout the audit.
During planning (ISA 300), the engagement letter defines the scope that the audit plan must address. If the scope described in the letter does not match the actual engagement, one of them needs to be corrected before proceeding.
During the audit, the engagement letter is the auditor's contractual basis for requesting access to records and personnel. When management pushes back on providing a particular document, the engagement letter is what you point to.
At reporting (ISA 700), the auditor's report references the applicable financial reporting framework identified in the engagement letter. The management responsibilities described in the report mirror those agreed in the letter.
When obtaining written representations (ISA 580), management's representations should be consistent with the responsibilities they acknowledged in the engagement letter. If there is a disconnect, it needs to be resolved.
If disputes arise, the engagement letter is the primary evidence of what was agreed. Courts and regulators will look to this document to determine whether the auditor operated within the agreed scope and whether management fulfilled its commitments.
Worked example: first-year engagement for a Dutch B.V.
Van Dijk Vastgoed B.V. is a Dutch real estate holding company with €28M in revenue and 12 commercial properties across the Netherlands. The firm has been appointed as statutory auditor for the first time, replacing the previous auditor who resigned. The FS are prepared under Dutch GAAP (RJ).
Step 1: Assess the financial reporting framework. The team confirms that Dutch GAAP as issued by the Raad voor de Jaarverslaggeving is an acceptable framework for a non-listed Dutch B.V. preparing statutory accounts under BW2 Title 9. The prior-year FS used the same framework, and no change is anticipated.
Documentation note: WP records the framework assessment, references RJ guidelines applicable to the entity's size category, notes that BW2 Title 9 applies, and confirms no change from the prior year.
Step 2: Evaluate preconditions with management. The engagement partner (EP) meets with Van Dijk's managing director and financial controller. Management confirms responsibility for preparing the FS, maintaining internal controls, and providing unrestricted access to all records, staff, and property valuations. One issue arises: the managing director initially objects to providing personal bank statements for his director's current account. The EP explains this falls under the unrestricted access requirement of ISA 210.6(b)(iii) and that the engagement cannot proceed without it. Management agrees.
Documentation note: file memo records the discussion, the initial objection, the resolution, and management's final agreement to all preconditions.
Step 3: Draft the engagement letter. The letter includes the audit objective (opinion on the 2025 Dutch GAAP FS), the applicable framework, management's responsibilities, the auditor's responsibilities under COS (the Dutch ISA equivalent), reference to ISA 580 representation letter requirements, fee arrangements (fixed fee of €38,000 plus disbursements), GDPR data processing provisions, and the expected report format. The letter also references the firm's Wwft/AML obligations and the NBA's practice guidance on first-year engagements.
Documentation note: signed engagement letter filed with date of signature, countersigned by both the managing director and the EP.
Step 4: Communicate with the predecessor auditor. Before finalising acceptance, the team contacts the previous auditor (with client consent) to ask whether there are professional reasons not to accept the engagement, consistent with ISA 300 and NBA guidance. The predecessor auditor confirms no such reasons exist but notes a disagreement with management over the valuation method for one investment property.
Documentation note: predecessor communication logged, noting the valuation disagreement for follow-up during the ISA 510 opening balances work.
Practical checklist
- Before drafting the engagement letter, confirm the financial reporting framework is acceptable for the entity type and jurisdiction (ISA 210.6(a)). For Dutch entities, verify BW2 Title 9 applicability and the correct RJ size category.
- Obtain management's explicit acknowledgment of all responsibilities: FS preparation, internal controls, unrestricted access, and willingness to provide written representations at year-end (ISA 210.6(b)). Document any pushback and its resolution.
- For first-year engagements, communicate with the predecessor auditor before finalising acceptance. Document the communication and any professional concerns raised (ISA 300.13).
- Review the engagement letter against the ISA 210.10 minimum contents checklist and add jurisdiction-specific items (Wwft/AML obligations, GDPR provisions, regulatory reporting to AFM or equivalent). Appears reasonable is not a sufficient conclusion here. Actually read the letter against the scope.
- For recurring engagements, document your annual assessment of whether the existing terms remain appropriate (ISA 210.13). Flag any changes in entity structure, framework, or ownership that would require a new letter.
- If a client requests a change from audit to review mid-engagement, evaluate whether reasonable justification exists before agreeing. Document the evaluation and involve the EQCR if the request follows contentious audit findings (ISA 210.14).
Common mistakes
- Treating the engagement letter as a template exercise. The AFM's 2025 inspection findings ("Sector in Beeld 2025") noted that non-PIE firms (now representing 40% of the Dutch audit market) frequently issue generic engagement letters that are not tailored to the entity's specific scope, structure, regulatory environment, or fee basis. Regulators read engagement letters during file reviews, and an unchanged template year after year signals a lack of critical thinking about the engagement.
- Not documenting the preconditions assessment for recurring engagements. The FRC's Annual Review 2025 identified engagement acceptance and continuance as an area where Tier 3 firms show persistent weakness. On recurring engagements, many teams skip the ISA 210.13 assessment entirely because "nothing changed." The standard requires the assessment to be performed and documented each period, even when the conclusion is that existing terms remain appropriate.
- Confusing a scope limitation with a basis for downgrading the engagement. When management restricts access to specific records or personnel during fieldwork, some teams consider converting the audit to a review. ISA 210.14 is clear: inability to obtain sufficient appropriate audit evidence is not a reasonable justification for changing the engagement terms. The correct response is a modified opinion under ISA 705, not a downgrade.
- Rolling forward the engagement letter on a SALY basis without rereading it. At firms like ours, the letter from Year 1 might reference a single-entity audit when the client acquired two subsidiaries in Year 2. That mismatch becomes a file deficiency the moment an inspector opens the engagement acceptance section.
Related content
- Engagement letter (glossary) defines the engagement letter and its role as the contractual foundation of the audit relationship, directly connected to the ISA 210 requirements covered in this guide.
- Materiality calculator (tool). Once the engagement terms are agreed and the framework confirmed, the next step is setting materiality. This calculator helps determine overall and performance materiality (PM) for the entity type specified in the engagement letter.
- First-year audit engagement checklist (blog) walks through the full acceptance process for new engagements, including the ISA 210 preconditions assessment, predecessor auditor communication, and planning considerations that follow the signed engagement letter.
ISA 210 in your jurisdiction
In the Netherlands, COS 210 follows ISA 210 closely. Dutch statutory audits are governed by BW2 Title 9 (for reporting requirements) and the WTA (for audit firm supervision). The NBA's practice notes provide additional guidance on engagement letter content for Dutch-specific requirements, including Wwft/AML obligations that may affect the engagement. For OOB (Public Interest Entity) engagements, the EU Audit Regulation adds mandatory firm rotation and non-audit service restrictions that should be referenced in the engagement letter.
In Germany, the IDW PS 210 / ISA 210 adaptation applies. German engagement letters (Auftragsbestätigungen) typically reference the Allgemeine Auftragsbedingungen (AAB, general terms and conditions) developed by IDW for Wirtschaftsprüfer. These AAB include standard liability limitation clauses that are well-established in German audit practice. The engagement letter must also address HGB-specific reporting requirements and, for PIEs, the additional requirements under the EU Audit Regulation as implemented in German law (WPO).
In the United Kingdom, ISA (UK) 210 is substantively aligned with ISA 210. A distinctive UK feature is the statutory right to limit auditor liability under the Companies Act 2006, section 534, which requires a liability limitation agreement approved by shareholders and disclosed in the notes to the FS. UK engagement letters also reference the FRC's Ethical Standard rather than the IESBA Code.
In France, ISA 210 is implemented through NEP 210 under the supervision of the H3C. French statutory audit (commissariat aux comptes) operates within a highly codified legal framework. The Code de commerce prescribes many engagement terms directly. The engagement letter must address the specific French requirements for the auditor's report on the management report (rapport de gestion) and the report on related-party agreements (conventions réglementées).
Frequently asked questions
What is the purpose of an audit engagement letter?
The engagement letter is the formal written agreement between the auditor and the client that documents the terms of the audit engagement. It establishes the audit's objective and scope, the responsibilities of both the auditor and management, the applicable financial reporting framework, and the expected form of the auditor's report. It serves both as a professional requirement under ISA 210 and as a contractual document that protects both parties.
Is an engagement letter required for every audit?
Yes. ISA 210.10 requires that the agreed terms be recorded in an engagement letter or other suitable form of written agreement. Even where law or regulation prescribes the terms in detail, the engagement letter must at minimum document management's acknowledgment of its responsibilities.
Can the auditor proceed without a signed engagement letter?
The auditor should not begin the audit until terms are agreed. In practice, some firms begin limited preliminary activities (such as client acceptance procedures) before the letter is signed, but the formal audit (planning, risk assessment, fieldwork) should not proceed without documented agreed terms. If management refuses to sign, the auditor should consider whether the preconditions for an audit are met.
What happens if the preconditions for an audit are not met?
The auditor must discuss the matter with management. If the financial reporting framework is unacceptable or if management does not acknowledge its responsibilities, the auditor must not accept the engagement, unless required to do so by law or regulation (ISA 210.8). Where the auditor is legally required to accept despite unmet preconditions, specific provisions apply (ISA 210.19–21).
Does the auditor need a new engagement letter every year?
Not necessarily. For recurring audits, ISA 210.13 requires the auditor to assess whether circumstances require revised terms. If nothing significant has changed, the auditor may continue under existing terms, with or without a formal reminder to management. However, many firms choose to issue a new letter annually, particularly for PIE engagements or where the regulatory environment is evolving.
What should the auditor do if the client asks to downgrade from audit to review?
The auditor must evaluate whether there is a reasonable justification for the change (ISA 210.14). If the justification is reasonable (for example, the entity no longer meets statutory audit thresholds), the change may be accepted with a new engagement letter. If the justification is not reasonable (for example, management is trying to avoid a qualified opinion or limit the auditor's ability to investigate), the auditor should refuse. If the auditor cannot continue the original engagement and cannot agree to the change, the auditor must withdraw and consider reporting obligations (ISA 210.16).
How does ISA 210 relate to ISA 580 (Written Representations)?
The responsibilities that management acknowledges in the engagement letter under ISA 210 are later confirmed through formal written representations at the end of the audit under ISA 580. The engagement letter establishes the agreement at the start. The representation letter confirms that management fulfilled those responsibilities throughout the period. If management's representations are inconsistent with what was agreed in the engagement letter, the auditor must investigate the discrepancy.
Can the engagement letter limit the auditor's liability?
This depends entirely on the jurisdiction. In the UK, the Companies Act 2006 permits liability limitation agreements subject to shareholder approval. In Germany, the IDW's Allgemeine Auftragsbedingungen include standard liability caps. In the Netherlands and France, liability limitation in statutory audit engagement letters is more restricted. Always consult local legal requirements before including such clauses.
Further reading and source references
- IAASB Handbook 2024, ISA 210 full text. The authoritative source including all application material (paragraphs A1–A36) and the appendix with an example engagement letter.
- ISA 200, Overall Objectives of the Independent Auditor. The overarching framework that ISA 210's engagement terms are designed to serve.
- ISA 220 (Revised), Quality Management for an Audit. Covers the firm's client acceptance and continuance procedures that precede and complement ISA 210.
- ISA 580, Written Representations. The end-of-audit counterpart to the engagement letter's establishment of management's responsibilities.
- ISA 705, Modifications to the Opinion. Relevant when scope limitations arise despite agreed access terms.
- ISA 706, Emphasis of Matter Paragraphs. Relevant when the auditor accepts an engagement with a framework that is acceptable but potentially misleading.
- EU Audit Directive (2014/56/EU) and Regulation (537/2014). The European legislative framework governing statutory audit terms for PIEs.
This guide reflects the ISA 210 text as published in the IAASB 2024 Handbook. National implementations may include additional requirements. Always consult the applicable national standard (e.g., COS 210 in the Netherlands, ISA (UK) 210 in the UK, IDW adaptation in Germany, NEP 210 in France) alongside the international text. This content is for educational purposes and does not constitute legal or professional advice.
Production-ready audit templates
Related ciferi content
Related guides:
Put audit concepts into practice with these free tools: