Picture the scene. A partner opens the H2A inspection report for a mid-tier group mandate. The finding is two sentences long: insufficient justification for the scope of work at component level, and no documented link between the group-level risk assessment and the procedures assigned to the German subsidiary. The partner had used the same scoping template for six consecutive years. It had always passed review. It did not pass inspection.
The H2A’s 2023 inspection programme reviewed group audit procedures across 145 mandates. In 57% of them, inspectors found deficiencies in how auditors handled component work under NEP 600 (H2A, Synthese du programme de controle 2023, Part 2 pp. 47-52). That is not a rounding error. It is a systemic failure. ISA 600 (Revised), effective for periods beginning on or after 15 December 2023, was supposed to fix the structural problem behind those findings. I think it can, but only if auditors stop treating it as an update to their templates and start treating it as a different way of thinking about group risk.
The revised standard requires the group auditor to work top-down from the consolidated financial statements, treat component auditors as members of the engagement team, and set component materiality lower than group performance materiality to manage aggregation risk. None of that works if the partner’s first instinct is still to open a component list and ask “which ones are significant?”
Key takeaways
- ISA 600 (Revised) applies to periods beginning on or after 15 December 2023. For calendar year-end entities, first application was 31 December 2024.
- The standard replaces the old bottom-up model (classify components as “significant” or “non-significant,” assign default procedures) with a top-down, risk-based approach. The group auditor identifies risks at the group financial statement level first, then determines what work each component needs.
- The concept of “significant component” is gone. Scoping decisions follow from the risk assessment, not from a size classification.
- Component auditors are now formally part of the engagement team under ISA 220 (Revised). The group engagement partner is directly responsible for directing, supervising, and reviewing their work.
- Aggregation risk is a defined concept: the probability that individually immaterial misstatements across components exceed group materiality when combined. Component performance materiality must be set below group performance materiality to control this.
- Two-way communication between group and component auditors is required at planning, execution, and completion. A single instruction letter at the start and a single report at the end no longer satisfy the standard.
- Desktop reviews are dead. The group auditor must always perform or direct audit procedures for components where work is performed. Reviewing financial information alone is not enough.
What actually changed (and what did not)
Under the old ISA 600, the question was simple: is this component significant? If yes, full audit. If borderline, specified procedures. If no, analytical review or nothing. That model was easy to apply. It was also easy to apply badly, because it turned group audit scoping into a classification exercise rather than a judgment about risk.
What actually happened on most engagements was this: the team would rank components by revenue or total assets, draw a line at some percentage (often 15% of group revenue), label everything above it “significant,” and assign full audits. Everything below got analytical procedures or a desktop review. The risk assessment existed in the planning memo, but it did not drive the scoping. The scoping drove itself.
ISA 600 (Revised) removes the classification and replaces it with a question that is harder to answer: given the risks of material misstatement in the group financial statements, what work is needed at which components? That question cannot be answered by sorting a spreadsheet. It requires the group auditor to understand consolidation adjustments, intercompany flows, the specific assertions where risk concentrates, and which components contribute to those assertions.
| Area | Previous ISA 600 | ISA 600 (Revised) |
|---|---|---|
| Approach | Bottom-up, component-driven | Top-down, risk-based |
| Components | “Significant” vs. “non-significant” classification | No classification. Work driven by assessed risks. |
| Component auditors | Separate from engagement team | Part of the engagement team |
| Scoping | Significant components get full audit; others get analytical or nothing | Procedures determined by risk assessment; no default categories |
| Communication | Instructions sent; results received | Required two-way communication throughout |
| Documentation | Component files could be separate | Access to component files required; group file must stand alone |
| Desktop reviews | Permitted | Eliminated. Audit procedures always required. |
I want to be direct about something. The table above makes it look like a clean break. It is not. In my experience, most firms updated their templates and kept their habits. The scoping schedule looks different. The underlying thinking often has not changed.
How the top-down risk approach works
Understanding the group before scoping it
Before any scoping decisions, the group auditor needs to understand the group’s structure, the consolidation process, commonality of controls across entities, and the group’s information systems. This is not a one-page summary. It means knowing how intercompany transactions flow, where management applies judgment in consolidation adjustments, and which entities share (or do not share) ERP systems.
What actually happens on many engagements is that the understanding of the group is copied from the prior year with minor updates. The standard assumes the group auditor has formed a current-year view of where risks concentrate. If the understanding is stale, every scoping decision that follows from it is unreliable.
Identifying risks at the group level
The group auditor identifies and assesses the risks of material misstatement of the group financial statements, including risks arising from the consolidation process itself (ISA 600.26-27). This is a top-down exercise. The group auditor looks at the consolidated financial statements and asks where the material risks sit. Not which components are big enough to audit.
So a component contributing 8% of group revenue might need extensive work on a single account balance where risk concentrates, while a component contributing 30% might need only targeted procedures because its operations are straightforward and its internal controls are strong. The old standard would never have produced that outcome. The revised one can, if the auditor actually uses the risk assessment to drive scoping.
Scoping work at components
Based on those assessed risks, the group auditor determines at which components to perform procedures, and what those procedures should be. The options include full audits, audits of specific account balances or transaction classes, specified procedures on particular items, or analytical procedures at the group level. The standard does not prescribe which approach to use for which size of component. Professional judgment, linked to the risk assessment, determines the scope.
Consolidation procedures
The group auditor always performs procedures on the consolidation process directly: intercompany eliminations, consolidation adjustments, reclassifications, and consistency of accounting policies across the group. This is not delegable. I have seen group audit files where the consolidation section was essentially a printout from the client’s consolidation software with a tick mark. That is ticking and bashing at its worst. The standard expects the group auditor to understand the entries, not just agree them to a system output.
Aggregation risk and component materiality
Why aggregation risk matters
Here is the scenario every group auditor should worry about. Each component has a few misstatements sitting just below component materiality. None of them get corrected because individually they are immaterial. But when you add them up across eight or twelve components, the total blows through group materiality. That is aggregation risk: the probability that individually tolerable misstatements become material in aggregate.
Before 2023, this concept had no name. ISA 600 (Revised) defines it and requires the group auditor to address it through the component materiality allocation.
Setting component performance materiality
To control aggregation risk, the group auditor sets component performance materiality lower than group performance materiality. IFAC guidance suggests ranges of roughly 60% to 85% of group performance materiality, depending on the risk assessment, but the standard does not prescribe a formula.
A separate threshold determines which component-level misstatements must be reported to the group team. This threshold is typically well below component materiality (often 5% of group materiality) to ensure the group auditor has visibility into the accumulation of misstatements across the group.
Component auditors are part of the engagement team
This is not a rhetorical change. Under the old standard, component auditors were effectively external parties whose work the group auditor “relied upon.” Under ISA 600 (Revised), they are formally part of the engagement team as defined by ISA 220 (Revised). That distinction has real consequences.
The group engagement partner is directly responsible for directing component auditors (communicating strategy, risk assessments, required procedures, and materiality levels), supervising their work during execution, and reviewing their documentation at completion. We are not talking about reading a summary memo. We are talking about access to working papers, real-time communication when issues arise, and documented evidence of review.
The group auditor must also evaluate whether the component auditor has the right competence and capabilities, satisfies independence requirements, and operates within an adequate quality management environment. What actually happens on many cross-border engagements is that the group partner relies on the fact that the component firm is a member of the same network and skips the evaluation. The standard does not allow that shortcut. Network membership does not substitute for the assessment required by ISA 600.19-20.
Two-way communication is not optional
I think this is the area where most group audits still fall short. The old model was a one-directional flow: the group team sent instructions, the component auditor sent back a completion report. The revised standard requires communication in both directions at every stage.
At planning, the group auditor communicates risk assessments, materiality levels, fraud risks, related party information, and specific procedures. During execution, the component auditor reports misstatements above the communication threshold, indicators of management bias, suspected fraud, and significant control deficiencies as they are identified (not at the end of fieldwork). At completion, the component auditor provides a final summary, and the group auditor confirms whether the work performed is sufficient.
Look, the standard says “timely.” What that means in practice is that the group team cannot wait until the completion call to learn about a revenue cut-off misstatement identified six weeks earlier. The FRC’s 2025 inspection findings identified insufficient involvement in component auditor work and inadequate review of component documentation as persistent concerns across the firms they inspected (FRC Annual Review of Audit Quality 2025, pp. 16-17). Timely communication is the mechanism that makes involvement possible.
When access is restricted
ISA 600 (Revised) addresses a problem that every cross-border group audit encounters eventually: restrictions on access to people, information, or documentation at a component. Local laws, client politics, network dynamics. The causes vary. The standard’s response does not.
First, try to overcome the restriction through management, group governance, or alternative procedures. If that fails, the group auditor determines the effect on the group audit opinion. Depending on the significance of the component and the nature of the restriction, the consequence might be a qualified opinion or a disclaimer. There is no workaround that lets the group auditor issue an unmodified opinion while lacking sufficient evidence from a component.
Worked example: Van Bergen Holding N.V.
Van Bergen Holding N.V. is a Dutch holding company. Consolidated revenue of €120M. Four subsidiaries: two in the Netherlands, one in Germany, one in Belgium. 31 December year-end. The group engagement partner’s firm audits the parent and both Dutch subsidiaries. A German firm audits the German subsidiary (€35M revenue). A Belgian firm audits the Belgian subsidiary (€18M revenue).
Under the old standard, the German subsidiary would be classified as a significant component (29% of group revenue) and assigned a full audit. The Belgian subsidiary might get specified procedures or analytical review. The two Dutch subsidiaries, combined at €67M, would get full audits because the firm already does them. That scoping would be done before anyone looked at where the risks actually sit.
Step 1: group-level risk assessment
The group engagement partner identifies risks at the group financial statement level. Revenue recognition at the German manufacturing subsidiary is flagged as a significant risk because of complex long-term contracts with percentage-of-completion recognition. Intercompany eliminations (€22M in intragroup sales) require specific consolidation procedures. Group materiality is set at €1.8M (1.5% of consolidated revenue). Group performance materiality is €1.35M.
Step 2: component materiality allocation
The German subsidiary receives component performance materiality of €810K (60% of group performance materiality) because of the significant revenue risk. The Belgian subsidiary receives €1.08M (80%) given its lower risk profile. Each Dutch subsidiary receives €945K (70%). The communication threshold for misstatements is €90K (5% of group materiality).
The partner also tests the allocation in reverse. If each component had undetected misstatements equal to its component performance materiality, the total would be €3.78M, well above group materiality of €1.8M. So detection risk at each component must be managed tightly, and the aggregation risk assessment must explain why the auditor expects actual misstatements to fall well below the theoretical maximum. This is the part most files skip.
Step 3: instructions to component auditors
The German firm receives detailed instructions on revenue recognition testing for long-term contracts: the group’s accounting policy, the fraud risk assessment, identified related parties, and the requirement to report all misstatements above €90K. The Belgian firm receives instructions focused on inventory valuation and intercompany balances. Both sets of instructions include the group audit timeline, the two-way communication protocol, and materiality levels.
Step 4: execution (where things get complicated)
Six weeks into fieldwork, the German component auditor identifies a €180K revenue cut-off misstatement. Standard procedure: communicate it to the group team within the agreed timeframe. But the component auditor also discovers an undisclosed related party transaction. The management of the German subsidiary had entered into a consulting arrangement with a company owned by a board member’s spouse. This was not in the related party information provided by group management.
The group team now has a problem that goes beyond the component. The related party was not disclosed to the group auditor during planning, which raises questions about group management’s completeness representations. The group team performs additional inquiries of group management, evaluates whether the omission was intentional, and determines that the transaction requires disclosure in the consolidated financial statements. This is the kind of complication that a desktop review would never have caught. It required a component auditor who understood the local environment and had instructions to report matters beyond just misstatements.
Step 5: completion and the group file
The group engagement partner reviews the German component auditor’s working papers on revenue recognition (not just a summary memo). The Belgian component auditor’s summary memorandum is reviewed, but because inventory valuation was not a significant risk area, the partner does not review all underlying working papers for that component. The group team performs consolidation procedures on all intercompany eliminations, verifies accounting policy consistency across all four subsidiaries, and evaluates the aggregate effect of identified misstatements (€180K cut-off plus €45K from other components, totalling €225K) against group materiality of €1.8M.
The file should tell a story. A reviewer opening this group audit file should be able to trace a line from the group-level risk assessment, through the scoping decisions, through the component materiality allocations, through the two-way communications, to the completion evaluation of aggregate misstatements. Each step should explain why, not just what. If the file reads like a compliance checklist with no connecting logic, the standard has been followed in form but missed in substance.
Practical checklist
Start from the consolidated financial statements
Start group audit planning with the consolidated financial statements, not the component list. Identify significant classes of transactions and account balances at the group level before determining which components need work (ISA 600.26-27).
Set component performance materiality below group PM
Set component performance materiality lower than group performance materiality, with percentages reflecting each component’s risk profile. Document why each allocation differs and test the aggregation risk in reverse (ISA 600.A66-A69).
Issue detailed written instructions to component auditors
Issue detailed written instructions to all component auditors covering risk assessments, materiality levels, fraud risks, related parties, the misstatement communication threshold, and the two-way communication protocol. Keep copies in the group audit file (ISA 600.40-41).
Require timely communication during execution
Require component auditors to communicate identified misstatements, fraud indicators, and significant control deficiencies on a timely basis during execution. Document the group team’s response to each communication (ISA 600.44).
Review component working papers for significant risks
Review component auditor working papers for areas of significant risk. A summary memorandum alone is not sufficient for high-risk areas (ISA 600.45).
Perform consolidation procedures directly
Perform consolidation procedures directly: intercompany eliminations, accounting policy consistency, and evaluation of aggregate uncorrected misstatements across all components against group materiality.
Where group audits still fail
Some of these are obvious, and some are not. I want to separate the mechanical errors from the judgment failures, because they require different fixes.
Mechanical errors
Applying a single fixed percentage for component materiality across all subsidiaries without adjusting for risk. The H2A found this in a majority of reviewed mandates. It is the easiest deficiency to avoid and the most common one inspectors flag. Using the same 75% for a dormant holding company and an operating subsidiary with revenue recognition risk is not a judgment call. It is the absence of one.
Treating component auditor instructions as a one-time communication at planning stage. The standard requires two-way communication at every phase. A single instruction letter plus a single completion report does not comply.
Judgment failures
Accepting a component auditor’s summary memorandum without reviewing the underlying papers for significant risk areas. This is harder to fix because it requires the group partner to have enough understanding of the component to know which papers to request. Under the revised standard, desktop reviews of financial information are eliminated. Audit procedures are always required.
We should probably acknowledge a legitimate disagreement here. Some experienced group auditors argue that requiring the group engagement partner to review working papers from every component on every significant risk area is impractical for groups with twenty or thirty components in different jurisdictions and languages. I understand that view. But the standard’s position is that practicality does not reduce the group engagement partner’s responsibility. If the volume of review work is unmanageable, the group auditor needs either more resources or a different firm structure for the engagement. That is a hard conversation to have with firm management, but the alternative is an inspection finding.
ISA 600 (Revised) in your jurisdiction
Netherlands. COS 600 (Revised) follows ISA 600 (Revised). For Dutch-headquartered multinationals, the shift is significant. The AFM has said that group auditors must justify every scoping decision and cannot rely on historical approaches. Where overseas component auditors operate in jurisdictions with different documentation standards or language barriers, the group auditor may need full access to working papers or may need to replicate work. That last point catches firms off guard more than any other.
Germany. IDW PS 600 adapts the revised standard. German group structures (Konzern) frequently involve complex holding arrangements, profit transfer agreements (Ergebnisabführungsverträge), and statutory audits at each subsidiary level. The integration of component auditors into the engagement team aligns with the WPK’s longstanding emphasis on the group auditor’s Gesamtverantwortung (overall responsibility).
United Kingdom. ISA (UK) 600 (Revised September 2022) is substantively aligned with ISA 600 (Revised). The FRC has treated group audits as a persistent area of concern, with recurring findings about insufficient partner involvement in component work, inadequate evaluation of component auditor competence, and insufficient review of component documentation.
France. NEP 600 implements the revised standard within France’s statutory framework, where each subsidiary may have its own commissaire aux comptes. Coordination between the group auditor (commissaire aux comptes du groupe) and component auditors has specific legal dimensions under French company law, including obligations through the co-commissariat system where applicable.
The second-order problem nobody discusses
Here is what I think gets lost in the standard-by-standard analysis. ISA 600 (Revised) assumes the group engagement partner has time to do the thinking it requires. A genuine top-down risk assessment for a group with fifteen components across four jurisdictions takes days, not hours. Reviewing component auditor working papers in German, French, and Dutch for significant risk areas takes more days. Two-way communication throughout fieldwork takes sustained attention across weeks.
In practice, ISA 600 (Revised) has quietly increased the cost of group audits, because the work it requires cannot be delegated to staff who lack the judgment to perform it. Partners and senior managers must spend more time on group audit coordination than they did under the old standard. Whether firms have adjusted their fee structures and resourcing models to reflect this is a separate question, and in my observation, most have not.
That matters because an under-resourced group audit will produce exactly the kind of deficiencies the H2A found: template-driven scoping, mechanical materiality allocation, insufficient communication, and a group file that documents compliance rather than judgment. The standard changed. Whether the economics of group auditing changed with it is still an open question.
Frequently asked questions
Does ISA 600 (Revised) apply to simple groups?
Yes, but it scales. For a parent with two wholly-owned subsidiaries, all audited by the same firm in the same jurisdiction, the requirements relating to component auditor communication and access restrictions will be straightforward or not applicable. The group auditor still needs to assess risks at the group level and perform consolidation procedures, but the effort involved is proportionate to the group’s complexity.
Can the group auditor still perform a “desktop review”?
No. Under the revised standard, audit procedures are always required for components where work is performed. Reviewing financial information without performing audit procedures does not satisfy the standard. The nature of the procedures may vary (from full audits to specified procedures on particular items), but some form of audit procedure is always required.
What is the difference between a component audit and specified procedures?
A full component audit means the component auditor performs a complete audit using ISAs and component materiality. Specified procedures are targeted at specific risks identified by the group auditor and focus on particular account balances, transaction classes, or assertions. They are not a complete audit. Under the revised standard, the distinction matters less than it used to, because the group auditor selects whichever approach (or combination) best responds to the assessed risks at the group level.
How should component materiality be allocated?
There is no prescribed formula. The group auditor uses professional judgment, considering the risk profile of each component and the need to keep aggregation risk at an acceptably low level. Many firms use a range of 60 to 85% of group performance materiality, adjusted for component-specific risk factors. The allocation should also be tested in reverse: if every component had undetected misstatements up to its component performance materiality, would the total exceed group materiality? If yes, the allocations need to come down or the auditor needs to explain why actual misstatements are expected to be well below the theoretical maximum.
Further reading and source references
- IAASB Handbook 2024: ISA 600 (Revised) full text, including appendices with examples.
- ISA 220 (Revised): Quality Management for an Audit. Governs the group engagement partner’s responsibilities for directing and supervising component auditors.
- ISA 315 (Revised 2019): Risk assessment. The group auditor’s identification and assessment of risks follows this standard.
- ISA 320: Materiality. The basis for determining group and component materiality.
- H2A, Synthese du programme de controle 2023, Part 2 pp. 47-52.
- FRC Annual Review of Audit Quality 2025, pp. 16-17.
This guide reflects the ISA 600 (Revised) text as published in the IAASB 2024 Handbook. National implementations may include additional requirements. Always consult the applicable national standard (COS 600 in the Netherlands, ISA (UK) 600 in the UK, IDW PS 600 in Germany, NEP 600 in France) alongside the international text. This content is for educational purposes and does not constitute legal or professional advice.