Side-by-side comparison
| Dimension | Compilation (ISRS 4410) | Review (ISRE 2400) | Audit (ISA 200 + full ISAs) |
|---|---|---|---|
| Assurance level | None | Limited | Reasonable (high but not absolute) |
| Primary procedures | Compiling financial data into a presentable format | Inquiry of management, analytical procedures | Full evidence toolkit: confirmation, inspection, observation, recalculation, reperformance, inquiry, analytical procedures |
| Risk assessment | Not required | Understanding of entity required, no assertion-level risk assessment | Full risk assessment under ISA 315, including assertion-level |
| Who the report addresses | Management (typically not third parties) | Intended users as specified in the engagement letter | Shareholders, regulators, third parties |
| Output document | Compilation report stating no assurance is provided | Review report with negatively worded conclusion | Auditor's report with positively worded opinion |
| Independence required | Not required under ISRS 4410, but disclosure required if not independent | Required under ISRE 2400.22 | Required under ISA 200.14 and the IESBA Code |
Key Points
- A compilation produces financial statements from client-supplied data. No verification, no assurance.
- A review provides limited assurance through inquiry and analytical procedures only.
- An audit provides reasonable assurance through substantive testing and results in a positive opinion.
- The engagement types are not points on a spectrum. Each has its own standard and its own output.
When the distinction matters on an engagement
The distinction matters most when a third party relies on the output. A bank evaluating a loan application will not accept a compilation report because it provides no assurance. If the entity's lender requires "audited accounts," a review report does not satisfy that requirement either, even though it provides some assurance.
It also matters for the practitioner's liability exposure. ISRS 4410.A30 makes clear that the practitioner in a compilation is not required to verify the accuracy of the information supplied by management. If the compiled financial statements contain a material error that the practitioner did not detect, the practitioner has no obligation under the standard to have detected it (provided the engagement was performed in compliance with ISRS 4410). That protection disappears entirely the moment the engagement moves to a review or an audit.
Worked example: Transportes Navarro S.L.
Client: Spanish logistics company, FY2024, revenue €8M, reporting under Spanish GAAP (PGC). Owner-managed, no external shareholders. Two bank facilities.
Compilation (no bank covenant requiring assurance)
Navarro's bookkeeper provides the trial balance. The practitioner compiles the balance sheet and income statement in the required PGC format.
Documentation note: "ISRS 4410.17 engagement. Compiled from trial balance provided by client on 20 January 2025. No verification of underlying data performed. Compilation report states that no assurance is expressed."
The compilation report states that the practitioner compiled the financial information from data provided by management and that no assurance is provided.
Review (bank requires limited assurance)
Navarro's primary bank requires at least a reviewed set of financial statements. The practitioner issues a new engagement letter under ISRE 2400. The team inquires of the managing director about revenue recognition, fuel cost fluctuations, fleet depreciation policy, and related party transactions with the owner. Analytical procedures compare current-year margins to prior year and to industry data.
Documentation note: "ISRE 2400.46 procedures. Inquiry of managing director on 3 February 2025. Analytical review of gross margin (FY2024: 14.2% vs FY2023: 13.8%) and fuel cost ratio (FY2024: 31% of revenue vs FY2023: 34%). No matters requiring further investigation identified."
The review conclusion reads: "Nothing has come to our attention that causes us to believe the financial statements are not prepared, in all material respects, in accordance with PGC."
Audit (new bank requires audited accounts)
Navarro secures a second bank facility. This bank requires audited financials. A new engagement letter under ISA 210. The team performs a full risk assessment, sends external confirmations to the top five customers (representing €5.1M of revenue), tests a sample of 20 freight invoices against delivery manifests, and physically inspects the fleet to confirm existence of the 14 trucks on the fixed asset register.
Documentation note: "ISA 210 engagement letter signed 18 February 2025. Full ISA risk assessment completed. Revenue sample of 20 items tested. Fleet physical inspection completed 22 February 2025. Opinion: unmodified."
Consequence of confusing the engagement types
If the practitioner had submitted the compilation report to Navarro's bank, the bank would reject it outright. If the practitioner had issued a review report but the bank covenant specified "audited," the report would not satisfy the covenant, potentially triggering a technical default on the facility.
What reviewers and practitioners get wrong
Practitioners sometimes perform compilation engagements without issuing a compilation report, relying instead on a transmittal letter or no report at all. ISRS 4410.37 requires a compilation report for every compilation engagement. Without it, the practitioner has no documentation that the engagement was a compilation (with no assurance) rather than something else. If a dispute arises, the absence of a report creates ambiguity about what the practitioner was engaged to do.
Small firms occasionally perform review-level procedures on a compilation engagement — running analytical procedures, making inquiries about unusual balances — without upgrading the engagement letter. This creates liability risk: if the work product resembles a review but the engagement letter says compilation, the practitioner may be held to the review standard in a negligence claim.
Key standard references
- ISRS 4410.7–11: Defines the compilation engagement and the practitioner's responsibilities.
- ISRS 4410.37: Requires a compilation report for every compilation engagement.
- ISRE 2400.11–14: Defines limited assurance and the review engagement objective.
- ISA 200.5 and 200.11: Defines reasonable assurance and the overall objectives of the auditor.
Related terms
Related reading
Frequently asked questions
Can a bank accept a compilation report instead of audited financial statements?
No. A compilation report provides no assurance, so it does not satisfy a covenant requiring audited or reviewed financial statements. If the bank covenant specifies 'audited accounts,' only an audit report under the ISAs will meet the requirement. Submitting a compilation report may trigger a technical default on the facility.
Does the practitioner need to be independent for a compilation engagement?
ISRS 4410 does not require independence for a compilation engagement. However, the standard does require the practitioner to disclose in the compilation report if they are not independent. For review engagements (ISRE 2400.22) and audit engagements (ISA 200.14), independence is mandatory under the IESBA Code.
What happens if I perform review-level procedures on a compilation engagement?
You create liability risk. If the work product resembles a review but the engagement letter says compilation, you may be held to the review standard in a negligence claim. Either upgrade the engagement letter to ISRE 2400 or limit your procedures to what ISRS 4410 permits.