Related Parties

What are related parties?

On at least half the engagements we've seen, the related party register is a copy-paste from last year's file (SALY) with no independent verification. A senior asks management "has anything changed?", management says no, and the register goes straight into the working papers (WPs). That approach doesn't satisfy ISA 550 , and it's one of the most common inspection deficiencies across European regulators.

ISA 550 exists because related party relationships create opportunities for the financial statements to be misstated, whether through undisclosed transactions or through transactions conducted at terms that wouldn't occur between independent parties. ISA 550.11 requires the auditor to inquire of management about the identity of related parties and the nature of the relationships, including whether any transactions occurred during the period. But inquiry alone isn't sufficient. ISA 550.17 requires the auditor to remain alert throughout the audit for information that may indicate previously unidentified related party relationships.

In practice, these pop up in unexpected places. A bank confirmation reveals a guarantee by a company with the same shareholder. A contract has terms that don't make commercial sense. A journal entry routes cash to a counterparty the team hasn't seen before. Any of these can surface a related party that management didn't disclose.

ISA 550.18 treats any previously undisclosed related party relationship or significant transaction identified by the auditor (rather than by management) as a fraud risk factor. This is one of the stronger presumptions in the ISAs. The auditor must evaluate why management failed to disclose the relationship and consider the implications for the risk assessment and the rest of the audit. ISA 550.26 then requires written representations from management confirming the completeness of the related party information provided.

Why it matters in practice

The AFM's inspection reports have flagged audit files where the related party register was compiled solely from management's representations without any independent verification (such as company registry searches or bank confirmation cross-checks). ISA 550.11 requires inquiry, but ISA 550.17 requires the auditor to stay alert for indicators throughout the engagement. A register built only from management's list does not satisfy the standard.

Teams often test the accounting treatment of disclosed related party transactions but fail to evaluate whether the terms were at arm's length when the applicable framework requires that disclosure. IAS 24.18 requires disclosure of the nature of the relationship, the amount of the transaction, any outstanding balances, and the terms under which they were conducted. IAS 24.19 adds that when the entity claims transactions were at arm's length, the auditor should evaluate whether that claim is supportable. Testing the amount without testing the pricing is an incomplete procedure. It's the kind of thing that looks fine in the WPs until an inspector reads them.

Worked example: Callan Software Ltd

Client: Irish software company, FY2024, revenue €38M, IFRS reporter, founder-CEO holds 62% of shares and sits on the boards of two other companies. The team obtains the CRO (Companies Registration Office) filings for the CEO's other directorships. The two companies (a consulting firm and a property investment vehicle) are identified as related parties under IAS 24.9 . Management provides a list of five entities.

During receivables testing, the team identifies a €280K receivable from a company called TechBridge Solutions Ltd. That name doesn't appear on management's related party list. A CRO search reveals the CEO's spouse is a 45% shareholder. Under IAS 24.9 , this entity qualifies as a related party. Management didn't disclose it. Per ISA 550.22 , the team discusses the omission with the CEO and those charged with governance. He states the omission was inadvertent.

Digging into the €280K receivable, it relates to a software licence agreement at €140K per year, which is above the market rate for comparable licences (the team benchmarks against two similar agreements with unrelated customers at €95K and €110K). Because the previously undisclosed related party triggered the ISA 550.18 fraud risk consideration, and the pricing isn't at arm's length, it's flagged for disclosure assessment under IAS 24.19 . Updated representation letters now cover the revised related party list.

Related parties vs arm's length transaction

Related parties are defined by the relationship between the parties. An arm's length transaction is defined by the terms of the transaction. Both concepts intersect but aren't opposites: related parties can transact at arm's length, and unrelated parties can transact at non-arm's-length terms (though less commonly).

In practice, related party transactions carry a presumption that the terms may not reflect what independent parties would agree. IAS 24.19 permits the entity to assert that a related party transaction was conducted at arm's length, but only if that assertion can be substantiated. Under ISA 550 , the auditor's job is to evaluate whether the entity's assertion is supported by evidence (such as market comparables or independent valuations), not to assume it.

Key standard references

Below are the paragraphs that come up most often during file review and inspection prep. On busy engagements it's easy to treat the related party section as a tick box exercise, but these are the specific references inspectors check against.

• ISA 550.11 requires the auditor to inquire of management about the identity of related parties and any transactions during the period.
• ISA 550.17 requires the auditor to remain alert throughout the audit for indicators of previously unidentified related party relationships.
• ISA 550.18 treats undisclosed related party relationships identified by the auditor as a fraud risk factor.
• ISA 550.26 requires written representations from management on the completeness of related party identification and disclosure.
• IAS 24.9 –12 defines the scope of related party relationships, covering control, joint control, significant influence, and key management personnel.
• IAS 24.18 –19 sets out disclosure requirements for related party transactions, including the basis for arm's length assertions.

Related terms

Related reading

Jurisdiction notes

ISA 550 sets the global framework for auditing related-party relationships and transactions. In the United Kingdom, ISA (UK) 550 requires the auditor to obtain an understanding of the entity’s related party relationships and transactions sufficient to recognise fraud risk factors; the FRC has identified insufficient identification of related parties as a recurring inspection deficiency. In the Netherlands, NV COS 550 applies identical requirements; the AFM expects auditors to consider whether related-party transactions are conducted at arm’s length and documented with appropriate commercial substance. In Australia, ASA 550 mirrors the base ISA and ASIC inspections focus on the completeness of related-party disclosures in the financial report.

In the United States, related-party auditing is governed by AU-C 550 for non-public entities and PCAOB AS 2410, Related Parties, for SEC registrant audits. AS 2410 requires the auditor to perform specific procedures to identify related-party relationships and transactions, evaluate whether the company has properly identified its related parties, assess related-party transactions for proper accounting and disclosure, and evaluate the business purpose and economic substance of significant related-party transactions. PCAOB inspection reports have cited failures to identify all related parties and insufficient evaluation of the terms of related-party transactions, particularly in the context of SEC disclosure requirements under Regulation S-K Item 404.

Frequently asked questions