Key Points
- ISAs apply to audits of historical financial information and are binding in most EU/EEA countries through national adoption or endorsement.
- The suite currently contains 36 operative standards, numbered from ISA 200 through ISA 810, plus two quality management standards.
- Non-compliance with a single ISA requirement (unless explicitly permitted by the standard's own conditional language) can result in a regulatory finding on the entire engagement.
- EU Regulation 537/2014, Article 26, requires statutory auditors of public-interest entities to conduct audits in accordance with ISAs as adopted by the Member State.
What is International Standards on Auditing (ISAs)?
The IAASB (International Auditing and Assurance Standards Board) develops ISAs under a transparent due-process that includes exposure drafts, public comment periods, PIOB oversight, and formal basis-for-conclusions documents. Each standard follows a uniform drafting convention established by ISA 200.18: requirements are expressed using "shall," and application material (the A-paragraphs) provides guidance on how to apply those requirements without creating additional obligations. This distinction matters on every engagement because a reviewer can cite a missing "shall" requirement as a deficiency, while departure from an A-paragraph requires only a documented rationale.
ISA 200.14 establishes the overarching objective: the auditor shall obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error. Every other ISA flows from this objective. ISA 200.22-23 introduces the concept of relevant ethical requirements and links them to the quality management framework under ISQM 1.
European adoption varies. The Netherlands incorporates ISAs through NV COS (issued by the NBA), while Germany uses IDW Pruefungsstandards that follow ISA content but carry local numbering. The UK applies ISAs (UK) with limited supplements. In practice, a Dutch or German practitioner works with the ISA substance daily, even when the local wrapper differs.
Worked example: Rossi Alimentari S.p.A.
Client: Italian food production company, FY2025, revenue EUR 67M, IFRS reporter. The engagement team at a mid-tier Italian firm is planning the statutory audit.
Step 1 — Establish the applicable framework
Italy adopts ISAs through the ISA Italia series, published by the Ministry of Economy and Finance on recommendation of CONSOB and Assirevi. The engagement partner confirms that ISA Italia standards are substantively identical to IAASB-issued ISAs for this engagement, with supplementary Italian requirements on going concern disclosure.
Step 2 — Map ISA requirements to the engagement
The engagement manager prepares an ISA compliance matrix listing every "shall" requirement from the standards relevant to Rossi's circumstances. For a manufacturing IFRS reporter of this size, key standards include ISA 315 (Revised 2019) for risk assessment, ISA 330 for responses to assessed risks, ISA 540 for accounting estimates (particularly inventory provisions and revenue cut-off), ISA 570 for going concern, and ISA 700 for the auditor's report.
Step 3 — Address conditional exemptions
ISA 200.24 permits departure from a requirement only when the requirement is conditional and the condition does not apply. The team identifies one relevant instance: ISA 505.7 requires external confirmations for receivables unless the auditor concludes that confirmations would be ineffective. Rossi's top ten receivables (totalling EUR 11.4M, representing 68% of the trade receivables balance) are with large retailers that historically do not respond to confirmation requests. The team documents the ineffectiveness conclusion and designs alternative procedures under ISA 505.12.
Step 4 — Quality review against ISA completion checklist
Before the audit report is signed, the engagement quality reviewer reviews the ISA compliance matrix against the file. Two gaps are identified: ISA 260.16(a) requires communication of significant audit findings to those charged with governance, and the draft governance letter omitted the inventory provision sensitivity. The team updates the communication before signing.
Conclusion: the engagement file demonstrates ISA compliance through a documented compliance matrix paired with conditional departure rationale, plus a pre-issuance quality review that caught two omissions before the report was signed.
Why it matters in practice
The AFM's 2023 inspection report on non-PIE audit firms found that engagement teams frequently treated ISA application material (A-paragraphs) as optional background reading rather than as guidance that shapes how requirements are applied. ISA 200.A76 clarifies that application material is relevant to the proper application of a requirement, and ignoring it weakens the basis for concluding that the requirement was met. The finding appeared in six of the twelve engagements reviewed.
Teams at smaller firms often omit an explicit ISA compliance assessment at the planning stage, relying instead on their audit software's embedded workflow to ensure coverage. ISA 300.7 requires the auditor to develop an audit plan that includes the nature, timing, and extent of planned procedures. A software workflow is a tool, not a substitute for the auditor's own assessment of which ISA requirements are relevant given the entity's circumstances.
ISAs vs. ISAEs
| Dimension | ISAs (200-810) | ISAEs (3000, 3402, 3410) |
|---|---|---|
| Scope | Audits of historical financial information | Assurance engagements on subject matters other than historical financial statements |
| Assurance level | Reasonable assurance (positive opinion) | Reasonable or limited assurance, depending on the engagement |
| Output | Auditor's report expressing an opinion on the financial statements | Assurance report expressing a conclusion on the subject matter (e.g., internal controls at a service organisation, greenhouse gas statements) |
| Typical engagement | Statutory audit, group audit | ISAE 3402 Type II report, sustainability assurance under ISAE 3410 |
| Regulatory driver | Audit Directive, national audit law | Contractual (ISAE 3402) or regulatory (CSRD sustainability assurance) |
The distinction matters because engagement teams sometimes apply ISA procedures to an ISAE engagement or vice versa. ISA requirements around sampling, materiality, and audit evidence do not automatically apply when the engagement is governed by ISAE 3000. The practitioner must identify the correct standard series at acceptance and scope the work accordingly.
Related terms
Frequently asked questions
Are ISAs legally binding in the EU?
ISAs become binding when adopted by a Member State or through EU regulation. EU Regulation 537/2014 requires PIE audits to follow adopted ISAs. For non-PIE statutory audits, the Audit Directive (2006/43/EC, as amended) permits Member States to adopt ISAs, and most have done so. The legal force comes from the national adoption instrument, not from the IAASB directly.
What happens if I cannot comply with a specific ISA requirement?
ISA 200.24 permits departure only when a requirement is conditional and the condition does not apply to the engagement. For unconditional "shall" requirements, departure is not permitted. If compliance is impossible in rare circumstances, ISA 200.23 requires the auditor to perform alternative procedures to achieve the objective of that requirement and document the reasons for the departure.
Do ISAs apply to review engagements or agreed-upon procedures?
No. ISAs apply only to audits of historical financial information. Review engagements fall under ISRE 2400, and agreed-upon procedures fall under ISRS 4400 (Revised). Both are issued by the IAASB but form separate standard series with different objectives and assurance levels.