How it works
Most group audit files that attract inspection findings share the same root cause: the group engagement team (GET) scoped work by component size rather than by risk. Under the previous ISA 600 , that approach was standard. Teams identified significant components using size thresholds and applied a bottom-up assessment to vary the work accordingly. ISA 600 (Revised) replaces this entirely with a top-down risk assessment. Instead of defaulting to size-based scoping, the GET identifies risks of material misstatement in the group financial statements, determines where relevant financial information sits across components, designs responses at the assertion level, and allocates work accordingly.
Once risks are assessed at the group level, the GET determines what work each component requires. A small component carrying a large, unusual transaction may need more procedures than a large component with straightforward recurring balances. Work has to be responsive to assessed risks of material misstatement of the group financial statements, not proportional to component revenue.
Responsibility under ISA 600 (Revised) is direct. Whether or not component auditors perform some of the work, the engagement partner (EP) is responsible for direction, supervision, and review of the group audit. Delegation does not transfer responsibility. This is the finding that generates the most review notes on group files we have seen.
Key Points
- ISA 600 (Revised) places direct responsibility on the EP for the entire audit, including work performed by component auditors.
- Scoping is risk-based and top-down, driven by the GET's risk assessment rather than by component size alone.
- Under the revised standard, "significant" and "non-significant" component classification no longer exists.
- Communication with component auditors must be two-directional and documented throughout the engagement.
Worked example: Groupe Vaucluse Ingénierie S.A.
Client: French engineering group, FY2024, consolidated revenue €280M, IFRS reporter. Four subsidiaries: two in France (€140M and €65M revenue), one in Germany (€50M), one in Morocco (€25M).
Based in Lyon, the GET performs the risk assessment at the group level. Two significant risks emerge: revenue recognition on long-term construction contracts ( IFRS 15 over-time recognition) and goodwill impairment at the German subsidiary (acquired 18 months ago, performance below acquisition business case).
Determine work on each component
No significant risks attach to the Moroccan subsidiary (€25M, 9% of group revenue) at the group level. Analytical procedures at the group level are sufficient. By contrast, the German subsidiary requires a full-scope audit of revenue and a specific risk response on goodwill impairment.
Engage the component auditor in Frankfurt
Issue group instructions covering the identified risks, component materiality (set by the GET), procedures required for revenue and goodwill, reporting deadlines, and communication requirements.
Review the component auditor's reporting
Frankfurt's component auditor identifies a goodwill impairment trigger: the subsidiary missed its Q4 revenue target by 22%. Evaluate the implications at the group level. Determine whether the impairment analysis is sufficient and whether additional procedures are needed.
Result: the group audit plan was driven by group-level risks, not by component size. Morocco (9% of revenue) received less work than Germany (18% of revenue) because the risk profile, not the percentage, determined the scope. We think this is the single most important shift in the revised standard: it forces teams to justify their scoping decisions with risk analysis rather than defaulting to revenue thresholds.
What reviewers and practitioners get wrong
- In its 2023 inspection report, the FRC identified group audits as a persistent area of concern, focusing on insufficient GET involvement in component auditor work. Direction and supervision get emphasised in the revised standard precisely because this finding recurred year after year. Nobody enjoys adding another layer of review documentation, but skipping it is how files get flagged. In our experience, the firms that treat GET oversight as a tick box exercise are the ones regulators keep coming back to.
- A common transitional error is continuing to classify components as "significant" or "non-significant" under the revised standard. ISA 600 (Revised) does not use this classification. Teams that default to it are applying a SALY approach from the old framework and may scope work incorrectly, because a risk-based determination sometimes produces different results than a size-based one.
Group audit vs single-entity audit
| Dimension | Group audit | Single-entity audit |
|---|---|---|
| Governing standard | ISA 600 (Revised) in addition to all other ISAs | All other ISAs ( ISA 600 does not apply) |
| Engagement partner responsibility | Direct responsibility for all work, including component auditors' | Direct responsibility for all work performed |
| Risk assessment | Top-down at the group level, then allocated to components | Performed at the entity level |
| Use of other auditors | Component auditors may perform work under the GET's direction | Not applicable (unless using the work of an expert or service auditor) |
Key standard references
- ISA 600 (Revised): Effective for audits of group FS for periods beginning on or after December 15, 2023.
- ISA 600 (Revised).11: EP's direct responsibility for direction, supervision, and review.
- ISA 600 (Revised).29–30: Determining the nature, timing, and extent of work on component financial information.
Related terms
Related reading
Jurisdiction notes
ISA 600 (Revised) governs group audit engagements. In the United Kingdom, ISA (UK) 600 (Revised) requires the GET to determine component materiality below group materiality and to evaluate component auditor work. FRC inspections have repeatedly identified insufficient EP involvement in component auditor oversight as a major finding. In the Netherlands, NV COS 600 applies the revised standard. AFM inspectors expect clear documentation of the scoping rationale, including why particular components received the scope they did. In Australia, ASA 600 mirrors the revised ISA and ASIC inspections focus on the GET's evaluation of component auditor work, particularly for components in different regulatory jurisdictions.
In the United States, group audits follow AU-C 600 (SAS No. 149) for non-public entities and PCAOB AS 1206, Dividing Responsibility for the Audit with Another Accounting Firm, for SEC registrant audits. Under AS 1206, the principal auditor may reference the work of another auditor in the audit report (a "divided responsibility" approach), something ISA 600 (Revised) does not permit. For multi-location engagements, AS 2105.10 requires tolerable misstatement at individual locations to be set below group materiality. PCAOB inspection findings have cited insufficient oversight of component auditors in foreign jurisdictions and inadequate evaluation of the audit evidence those auditors obtained.
Frequently asked questions
Does ISA 600 (Revised) still use 'significant component' classification?
No. ISA 600 (Revised) removed the classification of components as 'significant' or 'non-significant.' The revised standard replaces this with a top-down risk assessment. The group engagement team identifies risks of material misstatement at the group level and determines what work each component requires based on that risk assessment, not on component size alone.
Who is responsible for work performed by component auditors?
The group engagement partner. ISA 600 (Revised) makes this responsibility direct: the partner is responsible for the direction, supervision, and review of the group audit, regardless of whether component auditors perform some of the work. Delegation does not transfer responsibility.