Side-by-side comparison
| Dimension | Review Engagement | Audit Engagement |
|---|---|---|
| Governing standard | ISRE 2400 | ISA 200 and the full suite of ISAs |
| Assurance level | Limited | Reasonable (high but not absolute) |
| Primary procedures | Inquiry of management and analytical procedures | Inspection, observation, external confirmation, recalculation, reperformance, analytical procedures, inquiry |
| Risk assessment | Understanding the entity required, no assertion-level risk assessment | Full risk assessment under ISA 315, including assertion-level risks |
| Output | Review report with negative conclusion | Auditor's report with positive opinion |
| Typical application | Interim financial statements, voluntary engagements, small-entity reviews | Statutory audits, listed-entity annual reports |
| Documentation | Working papers supporting the review procedures | Full audit file compliant with ISA 230 |
Key Points
- A review is not a scaled-down audit. The procedures and the assurance level differ fundamentally.
- Reviews rely primarily on inquiry and analytical procedures. Audits use the full ISA evidence toolkit.
- The engagement type is fixed at acceptance. You cannot switch from review to audit mid-engagement.
- Most statutory audits in the EU require an audit engagement. Reviews apply to voluntary or threshold-exempt entities.
When the distinction matters on an engagement
The distinction matters at two points. First, at acceptance. ISRE 2400.21 requires the practitioner to agree the engagement terms before starting work. If the client later requests an audit (because a lender or regulator requires it), you need a new engagement letter and a new scope of work. The review procedures you already performed do not count toward the audit evidence threshold under ISA 200.5. You are starting over.
Second, it matters when unexpected findings arise during a review. ISRE 2400.80 requires the practitioner to consider whether a discovered misstatement or limitation can be resolved within the review scope. If it cannot (for example, management refuses to correct a material error and you cannot resolve it through inquiry alone), the only options are a modified conclusion or withdrawal. You cannot simply "do more testing" because the engagement letter does not authorise ISA-level procedures.
Worked example: Kelleher Software Ltd
Client: Irish technology company, FY2024, revenue €12M, Irish GAAP (FRS 102) reporter. Below the statutory audit threshold in Ireland. The board has requested a review engagement. However, the company's primary bank has a loan covenant requiring audited financial statements.
Review engagement (before the bank covenant was identified)
The practitioner issues an engagement letter under ISRE 2400. The team inquires of the CFO about significant transactions during FY2024 and applies analytical procedures comparing revenue and cost of sales to prior-year figures and industry benchmarks.
Documentation note: "ISRE 2400.46 procedures completed. Inquiry of CFO on 12 January 2025 covered revenue recognition policy, capitalised development costs, related party transactions, and post-year-end events. Analytical review compared FY2024 margins to FY2023 and to industry benchmarks."
The conclusion would read: "Based on our review, nothing has come to our attention that causes us to believe that the financial statements are not prepared, in all material respects, in accordance with FRS 102."
Audit engagement (bank requires it)
Three weeks into the review, Kelleher's bank notifies the board that the loan covenant requires audited (not reviewed) financial statements. The practitioner issues a new engagement letter under ISA 210. The entire scope changes. A risk assessment under ISA 315 is required. The team must obtain sufficient appropriate audit evidence for revenue, not just perform inquiry and analytical procedures. External confirmations to the top ten customers and a sample test of 25 revenue transactions against contracts and delivery records enter scope. The team must also test capitalised development costs under IAS 38.
Documentation note: "Original ISRE 2400 engagement superseded. New ISA 210 engagement letter signed 4 February 2025. Review procedures do not constitute audit evidence. Full ISA risk assessment initiated."
If the practitioner had continued the review engagement and simply added audit-style testing without issuing a new engagement letter, the resulting report would be neither a valid review conclusion nor a valid audit opinion. The bank would reject it.
What reviewers get wrong
Teams occasionally repurpose review working papers as audit evidence when an engagement is upgraded. ISRE 2400 procedures (inquiry and analytical procedures) do not meet the ISA 500 evidence requirements. Inquiry alone is not sufficient appropriate evidence for most assertions. The audit file must contain its own independent evidence.
Small-firm practitioners sometimes apply a "light audit" approach to review engagements, performing substantive testing that exceeds ISRE 2400's scope but falling short of full ISA compliance. This creates a file that satisfies neither standard. If a reviewer inspects it, the question becomes which standard governs the engagement, and a hybrid approach has no governing standard at all.
Key standard references
- ISRE 2400.11–14: Defines the review engagement and its limited assurance objective.
- ISA 200.5 and 200.11: Defines the audit engagement and its reasonable assurance objective.
- ISRE 2400.21: Requires agreement of engagement terms before starting work.
- ISRE 2400.80: Addresses procedures when unexpected findings arise during a review.
Related terms
Related reading
Frequently asked questions
Can review procedures count as audit evidence if the engagement is upgraded?
No. ISRE 2400 procedures (inquiry and analytical procedures) do not meet ISA 500 evidence requirements. If a review engagement is upgraded to an audit, the audit file must contain its own independent evidence. The review working papers do not transfer.
What happens if I discover fraud during a review engagement?
ISRE 2400.80 requires the practitioner to consider whether the matter can be resolved within the review scope. If it cannot be resolved through inquiry alone, the options are a modified conclusion or withdrawal. You cannot simply perform additional audit-level testing under a review engagement letter.