Key Points
- The IESBA Code is adopted or used as the basis for national ethics codes in over 130 jurisdictions.
- Part 4A of the Code sets independence rules for audit and review engagements; Part 4B covers other assurance engagements.
- The revised public interest entity definition took effect for audits of periods beginning on or after 15 December 2024.
- Firms that fail to apply the Code's threat-and-safeguard framework risk independence breaches that invalidate the audit opinion.
What is IESBA (International Ethics Standards Board for Accountants)?
The IESBA operates as an independent board under the International Federation of Accountants (IFAC), though it sets its own agenda and approves its own standards. Its primary output is the International Code of Ethics for Professional Accountants (including International Independence Standards), structured in four parts. Part 1 sets out fundamental principles: integrity, objectivity, professional competence and due care, confidentiality, and professional behaviour (IESBA Code Section 110.1 A1). Parts 2 and 3 apply those principles to professional accountants in practice and in business, respectively. Parts 4A and 4B contain the independence standards that audit firms must follow.
The Code operates through a conceptual framework rather than a rules-based checklist. Section 120.1 requires the professional accountant to identify threats to compliance with the fundamental principles and evaluate whether those threats are at an acceptable level. Where they are not, the accountant applies safeguards to eliminate them or reduce them to an acceptable level. If no safeguard is available, the accountant must decline or discontinue the engagement. National standard-setters adopt the IESBA Code directly or use it as the baseline for their own codes. In the Netherlands, the NBA's Verordening inzake de onafhankelijkheid van accountants (ViO) and the Verordening gedrags- en beroepsregels accountants (VGBA) implement the Code's principles. In Germany, the WPK's professional regulations mirror the same framework.
Worked example: Rossi Alimentari S.p.A.
Client: Italian food production company, FY2025, revenue EUR 67M, IFRS reporter. The statutory audit is performed by Galli & Associati, a 45-person firm based in Milan.
Step 1 — Identify the threat
Galli & Associati's tax department prepared Rossi Alimentari's corporate income tax return for FY2024. The engagement partner evaluates this against IESBA Code Section 604.4 A1, which identifies a self-review threat when the audit firm provides tax return preparation services to an audit client. The threat arises because the audit team would be reviewing figures that another part of the same firm produced.
Documentation note: record the service identified (FY2024 tax return preparation) and the specific threat category (self-review per Section 604.4 A1). Include the engagement partner's initial assessment of the threat's significance and the basis for that assessment.
Step 2 — Evaluate the threat level
The engagement partner considers the materiality of the tax amounts involved. Rossi Alimentari's corporate income tax expense is EUR 4.8M (7.2% of revenue). The tax return preparation was mechanical (transposing figures from the financial statements into the tax form), with no exercise of judgment on tax positions. Section 604.4 A2 indicates that a self-review threat from tax return preparation is generally not at a level that would require safeguards when the service involves routine computations.
Documentation note: record the quantification of the tax amounts and the nature of the tax return preparation (mechanical versus judgmental). State the conclusion that the threat level is acceptable without further safeguards, referencing Section 604.4 A2.
Step 3 — Assess changed circumstances for FY2025
Rossi Alimentari's CFO requests that Galli & Associati also advise on a EUR 2.1M R&D tax credit claim for FY2025. This involves judgment on the eligibility of specific expenditures. The engagement partner reclassifies the threat from acceptable to significant under Section 604.11 A1, because the audit team would now need to evaluate the R&D credit treatment that the firm's own tax specialists recommended.
Documentation note: record the new service request, the reclassified threat level, the specific paragraph relied upon (Section 604.11 A1), and the safeguards considered (using a separate reviewer not involved in the tax advisory work, or declining the R&D advisory engagement).
Step 4 — Apply safeguards or decline
The firm decides that no safeguard can reduce the self-review threat to an acceptable level given the judgment involved in the R&D credit. Galli & Associati declines the R&D advisory engagement and refers Rossi Alimentari to an independent tax adviser. The engagement partner documents the decision under Section 120.10 A1.
Documentation note: record the decision to decline, the rationale, the referral made, and the engagement partner's final conclusion that the remaining tax return preparation service does not impair independence for the FY2025 audit.
Conclusion: the four-step evaluation is defensible because each decision traces back to a specific Code section and the threat was quantified rather than assessed generically. The firm chose to decline the service rather than accept a residual self-review threat that safeguards could not address.
Why it matters in practice
- Firms frequently document independence as a one-time assessment at engagement acceptance and neglect the ongoing obligation. Section 320.3 A1 of the Code requires monitoring throughout the engagement period. When new non-audit services are proposed mid-engagement (as with the R&D advisory in the example above), the threat assessment must be repeated. The FRC's Audit Quality Inspection results have repeatedly flagged that firms fail to reassess independence when the scope of non-audit services changes during the engagement.
- Smaller firms often apply the Code's threat-and-safeguard framework in general terms ("we considered self-review threats and concluded they were acceptable") without identifying the specific Code section or quantifying the threat. Section 120.8 A2 requires the evaluation to be more than a conclusory statement. Engagement quality reviewers who accept boilerplate independence conclusions compound the problem.
IESBA Code vs. national ethics codes
| Dimension | IESBA Code | National ethics code (e.g., NBA ViO) |
|---|---|---|
| Issued by | IESBA (independent board under IFAC) | National professional body or regulator |
| Legal status | Framework standard; not directly enforceable | Enforceable regulation within the jurisdiction |
| Scope | Global; applies to all professional accountants where adopted | Jurisdiction-specific; may cover only statutory auditors or all accountants |
| Floor or ceiling | Sets the minimum; jurisdictions may add stricter requirements | May exceed the IESBA Code (e.g., the Netherlands prohibits most non-audit services for PIE audit clients beyond what the Code requires) |
| Update mechanism | IESBA exposure drafts with public comment periods; multi-year revision cycles | National body decides when to adopt IESBA revisions into local rules |
The practical consequence: a Dutch auditor must comply with the ViO, which incorporates the IESBA Code's principles but adds stricter local prohibitions on non-audit services. Citing the IESBA Code alone is insufficient if the local code imposes additional restrictions that the auditor has overlooked.
Related terms
Frequently asked questions
Does the IESBA Code apply directly to my firm?
The Code itself is not binding law. It becomes enforceable when a national body adopts it into local regulation. In the Netherlands, the NBA implements the Code through the ViO and VGBA. In Germany, the WPK incorporates its principles into professional regulations. Section 100.1 of the Code states its scope; local adoption determines the legal force.
What changed in the IESBA's definition of public interest entity?
The revised PIE definition, effective for audits of periods beginning on or after 15 December 2024, replaces "listed entity" with the broader category "publicly traded entity" and adds mandatory PIE categories that national bodies must adopt or expand upon. Part 4A, Section 400.8 now requires firms to apply enhanced independence requirements to a wider population of entities than the previous definition covered.
How does the IESBA Code relate to sustainability assurance?
The IESBA approved the International Ethics Standards for Sustainability Assurance (IESSA) as a new Volume 2 of the Handbook. IESSA becomes effective for sustainability assurance engagements for periods beginning on or after 15 December 2026. It extends the Code's fundamental principles and independence requirements to sustainability assurance practitioners, with specific provisions for value chain considerations.