I will admit something. For the first few years of my career, I treated the management representation letter the same way most teams do: print last year’s template, update the date, walk it to the CFO’s desk, get the signature, file it. Done. On to the next engagement. I never once had a CFO push back on a single line.
That should have worried me. It didn’t.
The first time a CFO actually read the letter (and refused to sign one paragraph), I had no idea what to do. I had never planned for that scenario because I had never treated ISA 580 as a real procedure. What I eventually learned is that the standard is not about the letter. It is about the conversation the letter forces. When management hesitates, qualifies, or refuses, that is audit evidence. Sometimes it is the most important evidence in the file.
Key takeaways
- ISA 580 requires the auditor to obtain written representations from management (and, where appropriate, those charged with governance) confirming management’s responsibilities and supporting other audit evidence. They are necessary evidence. The audit cannot be completed without them.
- Two categories are mandatory in every engagement: management acknowledges responsibility for preparing the financial statements under the applicable framework, and management confirms it has provided the auditor with all relevant information and access.
- At least eight other ISAs require their own specific representations. ISA 240 (fraud), ISA 250 (laws and regulations), ISA 450 (uncorrected misstatements), ISA 501 (litigation and claims), ISA 540 (estimates), ISA 550 (related parties), ISA 560 (subsequent events), and ISA 570 (going concern) all feed into the same letter.
- Representations are necessary but not sufficient. They support other evidence. They cannot substitute for procedures the auditor could reasonably perform.
- If management refuses to provide any requested representation, the auditor must discuss the refusal with management, re-evaluate management’s integrity, and determine the effect on the opinion. Refusal of the two mandatory categories under ISA 580.10 –11 leads to a disclaimer.
- Why refusals matter more than the letter
- The two mandatory categories
- Representations required by other ISAs
- Additional representations
- Practical requirements
- When things go wrong
- Worked example: De Groot Techniek B.V.
- Practical checklist
- Common mistakes
- ISA 580 in your jurisdiction
- Frequently asked questions
Why refusals matter more than the letter
Here is the contradiction at the centre of ISA 580 : written representations are “necessary” audit evidence ( ISA 580.4 ), but they are explicitly “not sufficient” on their own. So the auditor must obtain something that, by itself, proves nothing. That sounds like a formality. It is not.
What actually happens on most engagements is that the letter gets filed without friction. Management signs, the team moves on. The standard earns its place on the engagements where that does not happen. A CFO who objects to the related party completeness representation, a managing director who insists on adding “to the best of my knowledge” to the completeness clause, a board that delays signing until after the report date. Those reactions are data. I think the real purpose of ISA 580 is not the signed letter sitting in the completion section. It is the integrity test that the signing process creates.
We should be honest about how rarely this test gets applied with any rigour. On most files I have reviewed, the representation letter is identical to the prior year, the discussion with management is not documented, and no one has considered whether the specific risks identified during fieldwork should have generated tailored representations. The file should tell a story about how the auditor evaluated management’s willingness to stand behind specific assertions. On most files, it tells no story at all.
The two mandatory categories
Responsibility for the financial statements
ISA 580.10 requires the auditor to request written representations confirming that management has fulfilled its responsibility for preparing the financial statements in accordance with the applicable financial reporting framework, including (where relevant) their fair presentation.
What actually happens: teams copy this paragraph from last year’s letter and rarely check whether the wording still mirrors the engagement letter ( ISA 210 ). The standard requires consistency between the two. If the engagement letter describes responsibilities one way and the representation letter describes them differently, you have a documentation problem that a reviewer will find. This representation is not subject to “best knowledge and belief.” It is a confirmation of responsibility, not a statement of knowledge.
Completeness of information
ISA 580.11 requires representations that management has provided the auditor with all relevant information and access as agreed in the engagement terms, and that all transactions have been recorded and reflected in the financial statements.
This is, in my view, the single most important representation in the letter, because the auditor cannot independently verify that nothing has been withheld. Every other procedure assumes a population. This representation is the only evidence addressing whether the population is complete. What actually happens: the wording is boilerplate, and the team rarely pauses to consider whether the specific information requests they made during fieldwork are reflected in the completeness language.
Representations required by other ISAs
The representation letter collects confirmations from across the ISA suite. I count at least eight that are required in most engagements:
| ISA | What management represents |
|---|---|
| ISA 240 (Fraud) | Disclosure of known or suspected fraud affecting the entity, plus any allegations of fraud |
| ISA 250 (Laws and regulations) | Disclosure of all known or suspected non-compliance with laws and regulations |
| ISA 450 (Misstatements) | Confirmation that uncorrected misstatements are immaterial, individually and in aggregate |
| ISA 501 (Specific items) | Disclosure of all litigation and claims, plus completeness of inventory disclosures |
| ISA 540 (Estimates) | Reasonableness of significant assumptions used in accounting estimates |
| ISA 550 (Related parties) | Disclosure of all known related parties and related party transactions |
| ISA 560 (Subsequent events) | All events requiring adjustment or disclosure have been identified and addressed |
| ISA 570 (Going concern) | Disclosure of plans for future actions and their feasibility, plus completeness of going concern considerations |
What actually happens: teams paste last year’s table of representations into this year’s letter. They do not cross-check against the specific ISA paragraphs. I have seen files where the ISA 450 representation references last year’s uncorrected misstatements schedule rather than the current year’s. That is exactly the kind of carryforward error that regulators look for.
Additional representations
ISA 580.13 allows the auditor to request representations beyond those required by other ISAs, when the auditor determines they are necessary to support other audit evidence. This is where the standard shifts from box-ticking to professional judgement.
Common examples: representations about management’s intention to hold financial instruments to maturity, about the basis for a specific accounting treatment where judgement was involved, or about matters unique to the entity that no standard-form template would anticipate. I think more teams should use .13 than currently do, because a tailored representation about a specific risk area forces a conversation that a generic template letter never will.
Practical requirements
Who signs
Management, typically the CEO and CFO or equivalent. Where those charged with governance hold responsibilities separate from management (for example, directors who are responsible for fair presentation under certain frameworks), representations may also be required from them. What actually happens: the letter gets routed to whoever is available on signing day. On at least two engagements I have been involved with, the signatory was not the individual named in the engagement letter, and nobody noticed until the review.
When
The letter must be dated as near as practicable to, but not after, the date of the auditor’s report. It covers all financial statements and periods referred to in the report. What actually happens: the letter gets signed during fieldwork (sometimes weeks before the report date), creating an uncovered gap. If a subsequent event occurs in that gap, the representations are stale and the file has a hole.
What form
A written letter addressed to the auditor. Not an email from the CFO. Not a scanned WhatsApp message. Not a verbal confirmation followed by a file note. ISA 580.15 requires a formal signed letter.
The conversation matters more than the letter
I think the single biggest missed opportunity with ISA 580 is the walk-through discussion. Review the letter with management line by line rather than sending it for blind signature. Ask whether they understand each representation, whether anything has changed since the draft was prepared, and whether there are matters they considered disclosing but decided against. That conversation, properly documented, is sometimes more valuable than the letter itself. Appears reasonable. Waive further pursuit. That is the review note I have seen on too many rep letter WPs. But a 30-second conversation might have revealed something the file never captures.
When things go wrong
This is the section that most teams skip when preparing for the rep letter. It is also the section that determines whether you survive a regulatory inspection.
Representations that contradict other evidence
ISA 580.16 –17 addresses what happens when the auditor has concerns about management’s competence, integrity, ethical values, or diligence, or when the signed representations are inconsistent with other evidence already gathered. The standard requires the auditor to:
- Determine the effect on the reliability of all representations (oral and written) and audit evidence generally.
- Perform additional procedures to resolve any inconsistency between the representations and other evidence.
- Consider the implications for the audit opinion if the representations remain unreliable.
- Assess whether continuing the engagement is appropriate where integrity doubts exist.
What actually happens: the team gets the signed letter and files it. Nobody cross-checks the fraud representation against the ISA 240 discussion. Nobody compares the related party representation against the ISA 550 work. The letter lives in the completion section, disconnected from the substantive work it is supposed to support. That is how contradictions survive undetected.
Management refuses to sign
ISA 580.19 –20 handles refusal. The auditor must discuss the refusal with management, re-evaluate management’s integrity, and determine the effect on the opinion.
If management refuses other requested representations, the auditor must consider why. Sometimes the reason is legitimate. A CFO who says “I cannot represent that the provision is sufficient because our lawyers have not finalised their assessment” is giving you useful information. A CFO who says “I am not signing that paragraph because it makes the company look bad” is giving you a different kind of information. I think reasonable people can disagree about how aggressively to pursue a refusal of a non-mandatory representation, because the standard gives the auditor judgement about whether a qualification or disclaimer is warranted depending on the pervasiveness of the matter. But the refusal itself must always be documented, and the integrity reassessment must always be performed.
Worked example: De Groot Techniek B.V.
De Groot Techniek B.V. is a Dutch technical services company. Revenue: €25M. Employees: 140. Year-end: 31 December. The audit team has finished fieldwork and is preparing the management representation letter. During the review of draft representations, the CFO pushes back on one item.
Draft the tailored representation letter
The engagement team prepares a tailored representation letter incorporating standard representations under ISA 580.10 (responsibility for the financial statements under Dutch GAAP) and .11 (completeness of information provided). The letter also includes specific representations required by ISA 240 (fraud), ISA 550 (related parties), and ISA 570 (going concern).
Documentation note: file the draft in the completion section. Cross-reference to the engagement letter for consistency of management’s responsibilities description.
Add an entity-specific representation under ISA 580.13
The team adds a representation under ISA 580.13 about a €1.2M contract dispute with a former subcontractor, identified during substantive testing of provisions. The representation asks management to confirm that the €400K provision reflects its best estimate of the obligation under IAS 37 .
Documentation note: cross-reference to the ISA 501 litigation and claims WP. Record the basis for the specific representation and the corresponding evidence obtained.
Handle the CFO's pushback
The CFO reviews the letter and objects to the related party completeness representation. He states that the company’s transactions with a sister entity (owned by the same shareholder) are “clearly at arm’s length” and that a blanket representation about related party completeness is unnecessary.
This is where the engagement gets interesting. The CFO’s objection is not irrational, but it raises the question of whether he understands that the representation is about completeness of disclosure, not about the arm’s-length nature of the transactions. Those are different things.
Documentation note: record the CFO’s objection verbatim in the engagement completion memorandum. Document the discussion with the EP about the implications under ISA 580.19 .
Escalate to the engagement partner and resolve
The engagement partner meets with the CFO and the managing director. He explains that the related party representation is required by ISA 550 and cannot be omitted. After discussion, management agrees to sign but requests minor wording changes to clarify the scope. The team evaluates the revised wording and confirms it does not dilute the representation.
Documentation note: retain both the original and revised versions. Document the partner’s assessment that the revised wording still satisfies ISA 550.26 and ISA 580.13 .
Date and file the signed letter
The signed letter is dated 15 March 2026, the same date as the auditor’s report. The team confirms the letter covers all financial statements and periods referred to in the report.
Documentation note: verify the letter date against the report date per ISA 580.14 . File the signed original in the permanent completion section.
Why this file works. The file now tells a story. It contains a tailored letter addressing entity-specific risks, a documented resolution of management’s pushback, the EP’s assessment of integrity implications, and the rationale for accepting revised wording. A reviewer picks this up and sees that ISA 580 was treated as a real procedure. On most files, that reviewer sees a template and a signature. Nothing else.
Practical checklist
Common mistakes
- Sending a generic template letter without tailoring it to the engagement. The AFM has flagged files where representation letters were not adapted to entity-specific risks identified during the audit (AFM, Sector in Beeld 2025, Chapter 2/4). A letter that does not reflect the risks you actually found is weak evidence.
- Filing the signed letter without documenting the discussion with management. The FRC’s 2025 inspection cycle identified lack of professional scepticism as a recurring enforcement theme, including auditors who failed to challenge management’s representations on subjective areas (FRC Annual Enforcement Review 2024/2025). The conversation is part of that challenge.
- Dating the letter weeks before the auditor’s report date. This creates an uncovered period where events could invalidate the representations. Reviewers will question whether subsequent events procedures covered the gap.
- Failing to cross-check the letter against individual ISA WPs. I have seen files where the ISA 450 representation about uncorrected misstatements did not match the summary of uncorrected misstatements in the ISA 450 WP. That is a contradiction the file cannot survive.
Related content
- Written representations – Glossary entry covering what representations are under ISA 580 and the distinction between the responsibility acknowledgment and the completeness representation.
- ISA 570 going concern checklist – Going concern is one of the areas requiring a specific representation. This checklist helps verify the assessment that underpins the ISA 570.16 (e) representation.
- ISA 500 audit evidence guide – Representations are audit evidence, but they sit at the lower end of the reliability spectrum. This guide covers how to evaluate the sufficiency and appropriateness of different evidence types.
ISA 580 in your jurisdiction
Netherlands. COS 580 follows ISA 580 closely. Dutch practice requires the representation letter (bevestigingsbrief) to be signed by the management board (directie/bestuur). The AFM has highlighted files where representation letters were not tailored to the specific engagement, or were signed after the auditor’s report date.
Germany. IDW PS 580 adapts ISA 580 . The Vollständigkeitserklärung (completeness declaration) is well established in German audit practice. German law requires specific representations in certain contexts, and the letter is typically signed by the Geschäftsführung. The WPK’s inspections examine whether representations are consistent with audit findings.
United Kingdom. ISA (UK) 580 is substantively aligned with ISA 580 . UK practice typically requires the letter to be signed by the board of directors or by specific directors authorised by the board. For PIE audits, ISA (UK) 580 includes additional requirements related to the directors confirming they have disclosed all relevant information for the audit.
France. NEP 580 implements ISA 580 . The lettre d’affirmation is addressed to the commissaire aux comptes and signed by the dirigeants. French practice places particular importance on the letter covering conventions réglementées (regulated agreements) and the specific disclosure obligations under the Code de Commerce.
A second-order problem most teams miss
Here is something I rarely see discussed. The representation letter is evidence about management’s integrity. But it is also evidence about the auditor’s willingness to push back. If management signs a generic template without discussion and the auditor files it without comment, what has been proved? Only that both parties were comfortable with a formality. A regulator reviewing that file will draw the same conclusion.
So the second-order question is not “did management sign?” It is “did the auditor make management think before signing?” That is the difference between a file that survives inspection and one that does not.
Frequently asked questions
Can written representations replace other audit procedures?
No. ISA 580.4 is explicit: representations provide necessary audit evidence, but not sufficient audit evidence on their own. If the auditor could reasonably perform other procedures to obtain evidence, those procedures must be performed. The representation cannot substitute for them.
What if management adds qualifications to the letter?
If management qualifies or limits a representation (for example, “to the best of our knowledge, subject to...”), the auditor must evaluate whether the qualification is appropriate. If the qualification means the auditor cannot obtain the necessary assurance, it may constitute a refusal to provide the representation, with the corresponding opinion implications.
Does the letter need to be updated if facts change between signing and the report date?
The letter should be dated as near as practicable to the auditor’s report date to minimise this gap. If significant events occur between the letter date and the report date, the auditor should consider whether an updated letter or an additional representation is needed.
Is an email sufficient?
No. ISA 580.15 requires a written letter addressed to the auditor. A formal signed letter on entity letterhead is standard practice. Most firms require wet-ink or qualified electronic signatures.
Further reading and source references
- IAASB Handbook 2024: ISA 580 full text – the authoritative source including appendices with illustrative representation letters and cross-references to other ISAs requiring representations.
- ISA 210 : Agreeing the terms of audit engagements – establishes the responsibilities that management acknowledges in the representation letter.
- ISA 705 (Revised): Modifications to the opinion – applicable when representations are not provided or are unreliable.
This guide reflects the ISA 580 text as published in the IAASB 2024 Handbook. National implementations may include additional requirements. Always consult the applicable national standard alongside the international text. This content is for educational purposes and does not constitute legal or professional advice.
Related ciferi content
Related guides:
Put audit concepts into practice with these free tools: