ISA 200 DEALS with the Independent Auditor’s overall responsibilities when conducting an ‘Audit‘ of Financial Statements in accordance with ISAs.
International Standards on Auditing
And the Conduct of an Audit in Accordance with International Standards on Auditing
What Is ISA 200?
ISA 200, titled “Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with International Standards on Auditing,” is the foundational standard in the suite of International Standards on Auditing (ISAs) issued by the International Auditing and Assurance Standards Board (IAASB).
It establishes the purpose and scope of a financial statement audit, sets out the overarching objectives that the auditor must achieve, and explains how all other ISAs interrelate under a common framework. In short, ISA 200 is the cornerstone on which the entire ISA architecture rests.
The standard applies to audits of historical financial information and is effective for audits of financial statements for periods beginning on or after December 15, 2009. It has since been supplemented by revisions aligned with the IAASB’s Clarity Project and subsequent standard-setting activity.
“The purpose of an audit is to enhance the degree of confidence of intended users in the financial statements.” ISA 200, Para. 3
Overall Objectives of the Auditor
Under ISA 200, the auditor has two overarching objectives when conducting a financial statement audit:
The Auditor’s Two Primary Objectives
- Obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error, thereby enabling the auditor to express an opinion on whether the statements are prepared, in all material respects, in accordance with an applicable financial reporting framework.
- Report on the financial statements and communicate as required by the ISAs, in accordance with the auditor’s findings.
These twin objectives guide every phase of the audit, from planning and risk assessment through evidence gathering and reporting. All other ISAs exist to help the auditor fulfil these two objectives in specific circumstances.
Key Definitions in ISA 200
ISA 200 introduces and defines several critical terms used consistently throughout the ISA framework. Understanding these definitions is essential for interpreting any ISA correctly.
The risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated.
A high, but not absolute, level of assurance obtained as the basis for the auditor’s opinion on financial statements.
A misstatement that, individually or in aggregate, could reasonably be expected to influence the economic decisions of users.
An attitude that includes a questioning mind and critical assessment of audit evidence, remaining alert to conditions that may indicate misstatement.
The application of relevant training, knowledge, and experience in making informed decisions about appropriate courses of action during an audit.
The financial reporting framework adopted by management in preparing financial statements (e.g., IFRS, local GAAP) that is acceptable given the nature of the entity.
Information used by the auditor in arriving at conclusions on which the auditor’s opinion is based, including records and other information.
The partner or other person in the firm who is responsible for the audit engagement and its performance, and for the auditor’s report issued on behalf of the firm.
Core Requirements of ISA 200
ISA 200 places a set of overarching requirements on the auditor. These requirements are not procedural checklists but rather principles that shape the auditor’s entire approach:
| Requirement | Description |
|---|---|
| Comply with Ethical Requirements | The auditor must comply with relevant ethical requirements, including those pertaining to independence, as set out in the IESBA Code of Ethics for Professional Accountants. |
| Maintain Professional Skepticism | The auditor must plan and perform the audit with professional skepticism, recognizing that circumstances may exist that cause financial statements to be materially misstated. |
| Exercise Professional Judgment | The auditor must exercise professional judgment in planning and performing an audit of financial statements. |
| Obtain Sufficient Appropriate Evidence | The auditor must obtain sufficient appropriate audit evidence to reduce audit risk to an acceptably low level to draw reasonable conclusions as the basis for the opinion. |
| Comply with All Relevant ISAs | The auditor must comply with all ISAs relevant to the audit. An ISA is relevant when the circumstances addressed by the ISA exist and it is in effect for the audit. |
| Achieve Overall Objectives | The auditor must use the objectives stated in relevant ISAs to evaluate whether sufficient appropriate evidence has been obtained and whether further procedures are needed. |
Reasonable Assurance vs. Absolute Assurance
One of the most important concepts in ISA 200 and in auditing more broadly, is the distinction between reasonable assurance and absolute assurance.
Why Can’t Auditors Give Absolute Assurance?
ISA 200 explicitly acknowledges that an audit conducted in accordance with ISAs does not guarantee that the financial statements are free from all misstatements. Absolute assurance is unattainable due to:
The inherent limitations of an audit include the nature of financial reporting (which involves significant judgment and estimation), the nature of audit procedures (which are not exhaustive but sample-based), and the need for the audit to be conducted within reasonable time and cost constraints. Fraud involving sophisticated collusion or management override of internal controls can be particularly difficult to detect even with a well-designed audit.
What “Reasonable Assurance” Actually Means
Reasonable assurance is described in ISA 200 as a high level of assurance, not a moderate or limited level. The auditor achieves this through the rigorous application of the ISAs, gathering sufficient appropriate audit evidence, and applying professional skepticism throughout the engagement. When the auditor concludes that reasonable assurance has been obtained, the resulting audit opinion provides users with a high degree of confidence in the financial statements.
“Reasonable assurance is a high level of assurance. It is obtained when the auditor has obtained sufficient appropriate audit evidence to reduce audit risk… to an acceptably low level.” ISA 200, Para. A28
Professional Skepticism & Judgment
ISA 200 places great emphasis on both professional skepticism and professional judgment, treating them as indispensable qualities of a competent auditor.
Professional Skepticism
Professional skepticism is not pessimism or suspicion of management – it is a mindset that involves questioning, critical evaluation, and an alertness to conditions that might indicate misstatement due to error or fraud. In practice, this means the auditor does not accept representations at face value but corroborates them with independent evidence, challenges assumptions, and remains alert to contradictory information.
ISA 200 makes clear that maintaining professional skepticism is especially important when evaluating the risk of fraud, assessing the reasonableness of accounting estimates, and considering the sufficiency and appropriateness of audit evidence.
Professional Judgment
Professional judgment underpins every significant decision made during an audit. It involves applying relevant training, knowledge, and experience to reach informed decisions about issues such as materiality levels, the nature and extent of audit procedures, whether sufficient evidence has been obtained, and the appropriateness of accounting policies. ISA 200 requires that the exercise of professional judgment be documented where it is significant to the engagement.
The Interplay Between the Two
Professional skepticism and professional judgment work together: skepticism ensures the auditor maintains a questioning approach, while judgment ensures that this questioning leads to informed, balanced conclusions rather than unwarranted suspicion. Together, they help the auditor navigate complex situations where the “right” answer is not always obvious.
The Audit Risk Model
ISA 200 introduces the audit risk model, which provides a conceptual framework for understanding how different types of risk combine to create the overall risk that the auditor expresses an inappropriate audit opinion.
Components of Audit Risk
Audit risk is a function of three components: Inherent Risk the susceptibility of an assertion to a misstatement that could be material, before consideration of any related controls; Control Risk the risk that a misstatement that could occur in an assertion and could be material will not be prevented, or detected and corrected, on a timely basis by the entity’s internal control; and Detection Risk the risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will not detect a misstatement that exists and could be material.
Applying the Model
Audit risk = Inherent Risk × Control Risk × Detection Risk. The auditor cannot control inherent or control risk, these are properties of the entity and its environment. However, the auditor can and must manage detection risk through the design and execution of audit procedures. Where inherent and control risks are assessed as higher, the auditor must reduce detection risk accordingly by obtaining more persuasive evidence.
“The risk of not detecting a material misstatement resulting from fraud is higher than the risk of not detecting one resulting from error.” ISA 200, Para. A51
Ethical Requirements Under ISA 200
ISA 200 requires that the auditor comply with relevant ethical requirements as set out in the IESBA (International Ethics Standards Board for Accountants) Code of Ethics for Professional Accountants. These requirements are not peripheral to the audit, they are foundational.
Independence
Independence is central to the value of an audit. ISA 200 emphasizes that the auditor must be independent of the entity being audited, both in fact and in appearance. Independence protects the public interest and underpins the credibility of the audit opinion.
The Five Fundamental Principles
The IESBA Code, referenced in ISA 200, sets out five fundamental ethical principles for auditors: Integrity being straightforward and honest in all professional and business relationships; Objectivity not allowing bias, conflicts of interest, or undue influence to override professional judgments; Professional Competence and Due Care maintaining professional knowledge and skill and acting diligently; Confidentiality respecting the confidentiality of information acquired in a professional capacity; and Professional Behavior complying with relevant laws and regulations and avoiding actions that bring the profession into disrepute.
Practical Application of ISA 200
While ISA 200 is a principles-based standard rather than a procedural guide, its requirements have direct practical implications for how audits are conducted.
At the Planning Stage
During planning, the auditor uses the concepts from ISA 200 to establish overall audit strategy, determine materiality, and assess risks at the financial statement level. The auditor’s understanding of the applicable financial reporting framework (a key concept in ISA 200) directly shapes what assertions are relevant and what misstatements would be considered material.
During Fieldwork
The requirements for professional skepticism and sufficient appropriate evidence are most actively applied during evidence-gathering. Auditors challenge management’s estimates, seek corroborating documentation, and remain alert to red flags that might suggest fraud or error. Every significant judgment made during fieldwork should reflect the principles of ISA 200.
At the Reporting Stage
Before issuing the audit report, the auditor evaluates whether the overall objectives set out in ISA 200 have been met. Has sufficient appropriate evidence been gathered? Has audit risk been reduced to an acceptably low level? If the answer to either question is no, additional procedures are required before an opinion can be expressed.
Relationship with Other ISAs
ISA 200 is explicitly the “umbrella” standard. ISA 210 deals with agreeing audit engagement terms; ISA 220 covers quality control; ISAs 300–499 cover risk assessment and planning; ISAs 500–599 govern audit evidence; and ISAs 700–799 address reporting. All of these derive their purpose and context from the overarching objectives established in ISA 200.
Frequently Asked Questions
ISA 200 establishes the overall objectives of an independent auditor – to obtain reasonable assurance that financial statements are free from material misstatement and to report accordingly. It also sets out the overarching requirements that govern how an audit must be conducted under the ISA framework.
ISA 200 is issued by the International Auditing and Assurance Standards Board (IAASB), an independent standard-setting body that operates under the oversight of the International Federation of Accountants (IFAC). Many jurisdictions adopt the ISAs either directly or as the basis for their national auditing standards.
ISA 200 applies specifically to audits of historical financial information. It does not apply to review engagements, compilations, or other assurance engagements, which are governed by different sets of standards (ISREs and ISAEs respectively).
Audit risk is the risk that the auditor expresses an inappropriate opinion on financial statements that are materially misstated. Business risk is broader – it refers to risks arising from the entity’s operations, industry, or environment that might affect its ability to achieve its objectives. While business risk can lead to audit risk (e.g., if operational pressures incentivize management to misstate results), the two concepts are distinct, and ISA 200 focuses on audit risk.
Yes, provided those misstatements are not material – individually or in aggregate. ISA 200’s concept of reasonable assurance acknowledges that some misstatements may exist without causing the financial statements to be materially misstated. The auditor’s role is to determine whether misstatements, taken together, rise to the level of materiality that would affect users’ decisions.
ISA 200 highlights that the risk of not detecting a material misstatement from fraud is higher than the risk of not detecting one from error, due to the inherent nature of fraud which often involves concealment. The standard requires the auditor to maintain professional skepticism throughout the audit in recognition of this elevated risk. Detailed guidance on responding to fraud risk is provided in ISA 240.
(Qualified) Chartered Accountant – ICAP
Master of Commerce – HEC, Pakistan
Bachelor of Accounting (Honours) – AeU, Malaysia