Key Points
- ISAs apply to audits of historical financial information and are binding in most EU/EEA countries through national adoption or endorsement.
- The suite currently contains 36 operative standards, numbered from ISA 200 through ISA 810 , plus two quality management standards.
- Non-compliance with a single ISA requirement (unless explicitly permitted by the standard's own conditional language) can result in a regulatory finding on the entire engagement.
- EU Regulation 537/2014, Article 26, requires statutory auditors of public-interest entities to conduct audits in accordance with ISAs as adopted by the Member State.
How ISAs govern every statutory audit
In the AFM's 2023 inspection of non-PIE firms, six of twelve reviewed engagements had findings tied to teams treating A-paragraphs as optional background reading rather than as guidance that shapes how "shall" requirements are applied. The standards weren't unclear. The teams just hadn't read them carefully enough to tell what was required from what was explanatory. That's the core problem ISAs are designed to solve: drawing a bright line between what auditors must do and what helps them do it well.
The IAASB (International Auditing and Assurance Standards Board) develops ISAs under a due-process that includes exposure drafts, public comment periods, PIOB oversight, and basis-for-conclusions documents. Each standard follows a drafting convention established by ISA 200.18 : requirements use "shall," and application material (the A-paragraphs) provides guidance on applying those requirements without creating additional obligations. A reviewer can cite a missing "shall" requirement as a deficiency. Departure from an A-paragraph requires only a documented rationale.
ISA 200.14 establishes the overarching objective: the auditor shall obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error. Every other ISA flows from that objective. ISA 200.22 -23 introduces relevant ethical requirements and links them to the quality management framework under ISQM 1.
European adoption varies. The Netherlands incorporates ISAs through NV COS (issued by the NBA), while Germany uses IDW Pruefungsstandards that follow ISA content but carry local numbering. The UK applies ISAs (UK) with limited supplements. In practice, a Dutch or German practitioner works with the ISA substance daily, even when the local wrapper differs.
Worked example: Rossi Alimentari S.p.A.
Client: Italian food production company, FY2025, revenue EUR 67M, IFRS reporter. The engagement team at a mid-tier Italian firm is planning the statutory audit.
Establish the applicable framework
Italy adopts ISAs through the ISA Italia series, published by the Ministry of Economy and Finance on recommendation of CONSOB and Assirevi. The engagement partner confirms that ISA Italia standards are substantively identical to IAASB-issued ISAs for this engagement, with supplementary Italian requirements on going concern disclosure.
Map ISA requirements to the engagement
The engagement manager prepares an ISA compliance matrix listing every "shall" requirement from the standards relevant to Rossi's circumstances. For a manufacturing IFRS reporter of this size, key standards include ISA 315 (Revised 2019) for risk assessment, ISA 330 for responses to assessed risks, ISA 540 for accounting estimates (particularly inventory provisions and revenue cut-off), ISA 570 for going concern, and ISA 700 for the auditor's report. Without the matrix, the team would be ticking and bashing through WPs with no way to confirm every requirement had been addressed.
Address conditional exemptions
ISA 200.24 permits departure from a requirement only when the requirement is conditional and the condition doesn't apply. The team identifies one relevant instance: ISA 505.7 requires external confirmations for receivables unless the auditor concludes that confirmations would be ineffective. Rossi's top ten receivables (totalling EUR 11.4M, representing 68% of the trade receivables balance) are with large retailers that historically don't respond to confirmation requests. The team documents the ineffectiveness conclusion and designs alternative procedures under ISA 505.12 .
Quality review against the ISA completion checklist
Before the audit report is signed, the engagement quality reviewer checks the ISA compliance matrix against the file. Two gaps surface: ISA 260.16 (a) requires communication of significant audit findings to those charged with governance, and the draft governance letter omitted the inventory provision sensitivity. The team updates the communication before signing.
Rossi's engagement file demonstrates ISA compliance through a documented compliance matrix paired with conditional departure rationale, plus a pre-issuance quality review that caught two omissions before the report was signed.
Where ISA compliance breaks down on real engagements
ISA 200 .A76 clarifies that application material is relevant to properly applying a requirement. Ignoring it weakens the basis for concluding the requirement was met. Nobody enjoys going through A-paragraphs line by line, but skipping them is how files get flagged. We've seen this on about half the first-year engagements we've reviewed: the team reads the "shall" paragraphs, treats the A-material as nice-to-have, and then can't explain to the inspector why a particular procedure was scoped the way it was.
Teams at smaller firms often skip an explicit ISA compliance assessment at planning, relying instead on their audit software's embedded workflow to ensure coverage. ISA 300.7 requires the auditor to develop an audit plan that includes the nature, timing, and extent of planned procedures. A software workflow is a tool, not a substitute for the auditor's own assessment of which ISA requirements apply given the entity's circumstances. When the software covers it and the auditor signs off without checking, the result reads like "Appears reasonable. Waive further pursuit." That's not compliance.
ISAs vs. ISAEs
| Dimension | ISAs (200-810) | ISAEs (3000, 3402, 3410) |
|---|---|---|
| Scope | Audits of historical financial information | Assurance engagements on subject matters other than historical financial statements |
| Assurance level | Reasonable assurance (positive opinion) | Reasonable or limited assurance, depending on the engagement |
| Output | Auditor's report expressing an opinion on the financial statements | Assurance report expressing a conclusion on the subject matter (e.g., internal controls at a service organisation, greenhouse gas statements) |
| Typical engagement | Statutory audit, group audit | ISAE 3402 Type II report, sustainability assurance under ISAE 3410 |
| Regulatory driver | Audit Directive, national audit law | Contractual (ISAE 3402) or regulatory (CSRD sustainability assurance) |
Engagement teams sometimes apply ISA procedures to an ISAE engagement or vice versa. ISA requirements around sampling, materiality, and audit evidence don't automatically carry over when the engagement falls under ISAE 3000. Identify the correct standard series at acceptance and scope the work from there.
Related terms
Related reading
Frequently asked questions
Are ISAs legally binding in the EU?
ISAs become binding when adopted by a Member State or through EU regulation. EU Regulation 537/2014 requires PIE audits to follow adopted ISAs. For non-PIE statutory audits, the Audit Directive (2006/43/EC, as amended) permits Member States to adopt ISAs, and most have done so. The legal force comes from the national adoption instrument, not from the IAASB directly.
What happens if I cannot comply with a specific ISA requirement?
ISA 200.24 permits departure only when a requirement is conditional and the condition does not apply to the engagement. For unconditional "shall" requirements, departure is not permitted. If compliance is impossible in rare circumstances, ISA 200.23 requires the auditor to perform alternative procedures to achieve the objective of that requirement and document the reasons for the departure.
Do ISAs apply to review engagements or agreed-upon procedures?
No. ISAs apply only to audits of historical financial information. Review engagements fall under ISRE 2400, and agreed-upon procedures fall under ISRS 4400 (Revised). Both are issued by the IAASB but form separate standard series with different objectives and assurance levels.