What the role requires
On about half the group audit files we have seen reviewed by regulators, the same gap appears: the engagement partner treated component deliverables as finished evidence rather than as input requiring evaluation. ISA 600 (Revised) exists to close that gap. It places responsibility for the group audit squarely on the group engagement partner (EP), and that responsibility starts before any component work begins.
Before scoping component work, the EP must understand the group structure, identify which entities and business units are components, determine what risk each component carries, and decide the scope of work for each one. Risk assessment belongs to the group engagement team (GET) even when a component auditor has better local knowledge. Component auditor input informs the group-level risk assessment, but the assessment itself is the GET's responsibility. Delegating the risk assessment to a component auditor and accepting the result without independent evaluation does not satisfy the standard. Rolling forward last year's scoping decisions (a SALY approach) without reassessing current-year risks is equally insufficient.
After component work is complete, the EP evaluates whether the evidence obtained from all sources (component auditors, the GET's own procedures, the consolidation process, and management representations) is sufficient and appropriate to form the group opinion. Receiving component deliverables is not the same as evaluating them.
Key Points
- Full responsibility for the group opinion sits with the EP, and referencing component auditor work does not reduce it.
- Risk assessment at group level is the GET's responsibility, even where component auditors have local expertise.
- Evidence evaluation requires active review, not passive receipt of component deliverables.
- ISA 600 (Revised) requires demonstrated involvement in component risk assessments, not just receipt of summaries.
Why it matters in practice
AFM inspection reports have found that GETs do not consistently demonstrate sufficient involvement in component risk assessments. In too many files, the evidence shows the GET received the component auditor's risk assessment and deliverables, but nothing shows what the GET did to evaluate whether those assessments were appropriate. A well-documented file tells a story of active evaluation, not passive receipt.
We have seen this pattern especially at mid-tier firms, where component auditor summaries get treated as sufficient evidence without independent evaluation. ISA 600 (Revised) requires evaluation, not just receipt. What did the EP consider? What questions were raised? How did the team conclude that component evidence was sufficient for the group audit? When those answers are missing from the file, it becomes a tick box exercise and inspectors notice immediately. We think this is the weakest area in most group audit files today, and it is where firms should concentrate their quality improvement effort.
Key standard references
- ISA 600 (Revised): Full responsibility of the group engagement partner for the group audit opinion.
- ISA 600 (Revised): Requirement to understand the group structure and identify components.
- ISA 600 (Revised): Group-level risk assessment responsibilities.
- ISA 600 (Revised): Evaluation of sufficiency and appropriateness of evidence obtained from all sources.
Related terms
Related reading
Frequently asked questions
Can the group auditor reduce responsibility by referring to a component auditor?
No. ISA 600 (Revised) does not allow the group auditor to reduce responsibility by referencing component auditor work in the group auditor's report. Signing the opinion means bearing full responsibility, regardless of how much work was delegated.
What must the group auditor do beyond reviewing component deliverables?
Beyond reviewing deliverables, the group auditor must understand the group structure, identify components, decide the scope of work for each one, assess risks at the group level, issue instructions, and evaluate sufficiency of all evidence before forming the group opinion.