What are group audit instructions?

A partner in Paris signs off on a group audit of a EUR 320M engineering conglomerate. Subsidiaries across three countries each have a local auditor. Without a written set of instructions specifying exactly what work to perform, what materiality to apply, what risks to address, and what format to report back in, those three component auditors are guessing. We've seen this on about half the cross-border engagements that come in for quality review: the instructions were either too vague or arrived too late for the component auditor (CA) to plan properly.

Group audit instructions are the formal communication from the group engagement team (GET) to each CA, specifying the scope of work, the component materiality, identified risks, and the reporting format and deadline. ISA 600 (Revised) requires these instructions to be specific enough that the CA can plan and perform the work without having to infer what the GET expects.

Under the revised standard, the communication obligation runs in both directions. ISA 600 (Revised) requires the GET to request that the CA communicate matters relevant to the group conclusion. The CA reports back on misstatements identified, indicators of management bias, control deficiencies relevant to the group audit, and any other matters the instructions specified. This is not a courtesy update. The GET needs this information to evaluate whether the evidence from the component is sufficient for the group audit opinion.

Key Points

  • Group audit instructions tell the component auditor what to do and at what materiality.
  • The group engagement team issues them; the component auditor cannot set their own scope independently.
  • The revised standard requires ongoing two-way communication, not just initial instructions.
  • Incomplete or late instructions are among the most common causes of group audit file deficiencies.

Worked example: Duval Ingénierie S.A.

Client: French engineering group, FY2024, consolidated revenue €320M, IFRS reporter, with subsidiaries in Germany and Italy and a joint venture in Morocco. The group auditor's firm in Paris appoints CAs in Munich and Casablanca. The Italian subsidiary is audited directly by the GET.

Munich CA

Duval Technik GmbH (revenue €88M, 28% of consolidated) has specific risks in revenue recognition (long-term construction contracts under IFRS 15 ) and in the valuation of a €14M intangible asset from a 2022 acquisition. Component materiality is set at €1.28M (40% of group materiality of €3.2M).

Instructions cover: targeted procedures on IFRS 15 revenue (percentage-of-completion on contracts exceeding €5M), valuation testing of the intangible asset (€14M carrying amount, amortisation period review), component materiality of €1.28M, and the reporting deadline and communication format.

Casablanca CA

Duval Maroc S.A.R.L. (revenue €19M, 6% of consolidated) has lower individual significance but specific risks in foreign currency translation and in a local tax dispute (estimated exposure €1.2M). Component materiality is set at €960K (30% of group materiality). The lower percentage reflects the cross-border nature of the component and limited direct oversight.

Report back and evaluation

The Munich CA reports one unadjusted misstatement of €210K in revenue recognition (percentage-of-completion adjustment) and no issues with the intangible asset valuation. The Casablanca CA reports that the tax dispute provision appears reasonable based on legal counsel's assessment but flags a €95K foreign currency translation difference. The GET aggregates both misstatements with findings from the Italian subsidiary and group-level consolidation procedures.

The instructions specified the work and the materiality for each CA, along with the expected reporting format. Because the two-way communication produced actual evidence (not a generic confirmation that "procedures were performed"), the GET could evaluate whether the work addressed the identified risks.

What reviewers and practitioners get wrong

Instructions issued too late for the CA to plan the work properly are a persistent problem. When the GET finalises its risk assessment in February but the CA's reporting deadline is March, the CA has to compress planning into weeks. ISA 600 (Revised) does not specify a timeline, but the requirement that the CA can plan and perform the work implies instructions must be timely. Regulators view compressed timelines as an indicator of insufficient group audit planning.

Some GETs issue generic instructions that apply identically to every CA. In practice, teams just roll it forward from the prior year, swap the entity name and materiality number, and send it out. It is SALY with a methodology shield (same-as-last-year dressed up in current-year formatting). The standard requires the instructions to be tailored to each component's risk profile and component materiality. If the risk areas and the procedures requested are identical across components with different risk profiles, the instructions do not meet the requirement.

Nobody enjoys writing bespoke instructions for eight component auditors in six countries when the deadline is already tight. But vague instructions produce vague evidence, and vague evidence produces inspection findings.

Key standard references

  • ISA 600 (Revised) sets out the requirements for the content of group audit instructions issued to CAs and establishes two-way communication requirements between the GET and CAs throughout the engagement.
  • ISA 210 draws the distinction between the engagement letter (terms of the audit) and group audit instructions (direction of component work).

Related terms

Component AuditorGroup Engagement TeamComponent MaterialityGroup Engagement PartnerSignificant Component

Related reading

Component Materiality in Group Audits (ISA 600)
Blog guide

Frequently asked questions

What must group audit instructions contain?

At minimum: the work the component auditor should perform, the component materiality set by the group engagement team, identified risks relevant to the component, the form of the component auditor's communication back to the group engagement team, and requirements to communicate fraud indicators and instances of non-compliance. The instructions must be specific enough that the component auditor can plan and perform the work without inferring what the group engagement team expects.

Can the same template be used for every component auditor?

Templates are a starting point, but ISA 600 (Revised) requires the instructions to be tailored to each component's risk profile and component materiality. A single template with blanks filled in for the entity name and materiality number does not meet the requirement if the risk areas and the procedures requested are identical across components with different risk profiles. FRC inspection findings consistently flag this as a deficiency.

Get practical audit insights, weekly.

No exam theory. Just what makes audits run faster.

290+ guides published20 free toolsBuilt by practicing auditors

No spam. We’re auditors, not marketers.

This glossary entry is for educational purposes and does not constitute legal or professional advice. Always consult the applicable standard text for authoritative guidance.

Last reviewed: · Standards version: IAASB 2024 Handbook