The H2A’s 2023 inspection programme reviewed group audit procedures across 145 mandates and flagged deficiencies in how auditors handled component auditors under NEP 600. In 57% of reviewed mandates, inspectors found issues with the statutory auditor’s approach at group level. ISA 600 (Revised) was supposed to fix the structural problems behind those findings. Two years into its effective period, the same patterns keep appearing.

ISA 600 (Revised), effective for periods beginning on or after 15 December 2023, requires the group auditor to apply a top-down, risk-based approach to group audits, treating component auditors as part of the engagement team and setting component materiality lower than group performance materiality to manage aggregation risk.

Key Takeaways

  • ISA 600 (Revised), effective for periods beginning on or after 15 December 2023, is a substantially revised standard that fundamentally changes the approach to group audits. The first application for calendar year-end entities is 31 December 2024.
  • The standard adopts a top-down, risk-based approach: the group auditor identifies and assesses risks of material misstatement at the group financial statement level, then determines the nature, timing, and extent of work at each component to respond to those risks. This replaces the previous bottom-up approach based on “significant” vs. “non-significant” components.
  • The definition of “significant component” has been removed. Instead, the group auditor determines which components require work based on the assessed risks and the significant classes of transactions, account balances, and disclosures in the group financial statements.
  • Component auditors are now part of the engagement team, not external parties whose work is merely relied upon. This means the group engagement partner has direct responsibility for their direction, supervision, and review under ISA 220 (Revised).
  • Aggregation risk is a new defined concept: the probability that the aggregate of uncorrected and undetected misstatements across components exceeds group materiality. Component performance materiality must be set lower than group performance materiality to reduce this risk.
  • Two-way communication between group and component auditors is significantly strengthened, with specific required communications at planning, execution, and completion stages.
  • Access to component auditor documentation is now required as part of the group audit file. “Desktop reviews” or reviews of financial information alone are no longer acceptable. Audit procedures are always required.

What is ISA 600 (Revised)?

ISA 600 (Revised), titled “Special Considerations—Audits of Group Financial Statements (Including the Work of Component Auditors),” governs how auditors approach the audit of consolidated or combined financial statements that include the financial information of more than one entity or business unit.

Group audits are inherently complex. Multiple entities across different jurisdictions, audited by different teams, using different systems, sometimes applying different accounting policies. All of this consolidates into a single set of financial statements on which the group auditor provides a single opinion. The 2022 revision addresses persistent quality concerns by making the group auditor’s role more proactive, more risk-focused, and more directly responsible for the work performed across the group.

Key changes from the previous standard

Area Previous ISA 600 ISA 600 (Revised)
Approach Bottom-up, component-driven Top-down, risk-based
Components “Significant” vs. “non-significant” classification No classification — work driven by assessed risks
Component auditors Separate from engagement team Part of the engagement team
Scoping Significant components get full audit; others get analytical or nothing Procedures determined by risk assessment; no default categories
Communication Instructions sent; results received Required two-way communication throughout
Documentation Component files could be separate Access to component files required; group file standalone
Review options Desktop review permitted Audit procedures always required

The risk-based approach

Understanding the group

The group auditor must understand the group’s structure, the consolidation process, the nature and extent of commonality of controls across entities, and the group’s information system. This understanding informs the identification and assessment of risks at the group level.

Identifying and assessing risks at the group level

The group auditor takes responsibility for identifying and assessing the risks of material misstatement of the group financial statements, including risks arising from the consolidation process. This is a top-down exercise: the group auditor looks at the group financial statements and determines where the material risks are, not simply which components are “big enough” to audit.

Determining scope of work at components

Based on the assessed risks, the group auditor determines at which components to perform audit procedures, and the nature, timing, and extent of work to be performed. This may include full audits, audits of specific account balances or classes of transactions, or specified procedures. The scope is determined by what is needed to respond to the assessed risks, not by arbitrary size thresholds.

Consolidation procedures

The group auditor must always perform procedures on the consolidation process, including intercompany eliminations, consolidation adjustments, reclassifications, and the consistency of accounting policies across the group.

Aggregation risk and component materiality

What is aggregation risk

A key new concept: in a group audit, misstatements may be individually immaterial at each component but material in aggregate when combined at the group level. Aggregation risk is the probability that this aggregate exceeds group materiality.

Component performance materiality levels

To manage aggregation risk, the group auditor sets component performance materiality that is lower than group performance materiality. The amount is a matter of professional judgment. IFAC guidance suggests ranges of approximately 60% to 85% of group performance materiality, depending on the risk assessment, but the standard does not prescribe a specific percentage.

The group auditor also determines the threshold above which misstatements identified at the component level must be communicated to the group auditor.

### Aggregation risk is not just a formula to apply

Regulators have identified mechanical allocation of component materiality as a deficiency. Simply dividing group materiality by the number of components, or applying a fixed percentage, misses the point. The allocation should reflect the risk profile of each component: a component with higher risk of misstatement should receive a lower component materiality. The group auditor should also consider whether the sum of allocated component materialities creates an acceptable level of aggregation risk when evaluated against group materiality.

Component auditors as part of the engagement team

Under ISA 600 (Revised), component auditors are formally part of the engagement team as defined by ISA 220 (Revised). This means the group engagement partner has direct responsibility for:

The group engagement partner directs the component auditor by communicating the group audit strategy, risk assessments, required procedures, and materiality levels. Supervision involves monitoring the progress and quality of the component auditor’s work throughout the engagement. The group engagement partner also reviews the component auditor’s work and documentation, including access to working papers.

The group auditor must also evaluate whether the component auditor has the appropriate competence and capabilities and complies with relevant ethical requirements (including independence). The group auditor should also confirm that the component auditor operates within an environment of appropriate quality management.

Two-way communication

ISA 600 (Revised) requires structured two-way communication between group and component auditors:

The group auditor communicates risk assessments, materiality levels, required procedures, identified fraud risks, related party information, significant group-level risks, and specific instructions to the component auditor.

The component auditor reports back on whether the work was performed as requested, misstatements identified (above the communication threshold), indicators of management bias, identified fraud or suspected fraud, significant deficiencies in internal control, and any other matters relevant to the group audit conclusion.

This communication must be timely. It occurs at planning, during execution, and at completion, not just in a single instruction letter at the start and a single report at the end.

Restrictions on access

ISA 600 (Revised) provides guidance on dealing with restrictions on access to people, information, or documentation at components. If restrictions exist:

  • The group auditor must first attempt to overcome the restriction (e.g., through management, through group governance, through alternative procedures).
  • If the restriction cannot be overcome, the group auditor must determine the effect on the group audit. This may result in a qualified opinion or disclaimer if sufficient appropriate evidence cannot be obtained.

Worked example: Van Bergen Holding N.V.

Van Bergen Holding N.V. is a Dutch holding company with consolidated revenue of €120M, four subsidiaries (two in the Netherlands, one in Germany, one in Belgium), and a 31 December year-end. The group engagement partner’s firm audits the parent and both Dutch subsidiaries. A German firm audits the German subsidiary (€35M revenue), and a Belgian firm audits the Belgian subsidiary (€18M revenue).

  1. The group engagement partner identifies risks of material misstatement at the group financial statement level. Revenue recognition across the German manufacturing subsidiary is flagged as a significant risk due to complex long-term contracts. Intercompany eliminations (€22M in intragroup sales) are identified as requiring specific consolidation procedures. The group engagement partner sets group materiality at €1.8M (1.5% of consolidated revenue) and group performance materiality at €1.35M.

Documentation note: record the risk assessment in the group audit planning memorandum. Document the basis for group materiality and the link between identified risks and planned component-level work.

  1. Component performance materiality is set for each subsidiary based on its risk profile. The German subsidiary receives €810K (60% of group performance materiality) due to the significant revenue recognition risk. The Belgian subsidiary receives €1.08M (80% of group performance materiality) given its lower risk profile. Dutch subsidiaries receive €945K (70%) each. The communication threshold for misstatements is set at €90K (5% of group materiality).

Documentation note: file the component materiality allocation schedule with the rationale for each percentage. Use the materiality calculator to verify the arithmetic and document the aggregation risk assessment.

  1. The group engagement partner sends detailed instructions to both component auditors. The German firm receives specific instructions on revenue recognition testing for long-term contracts, including the group’s accounting policy, the fraud risk assessment, identified related parties, and the requirement to report all misstatements above €90K. The Belgian firm receives instructions focused on its primary risk areas (inventory valuation and intercompany balances).

Documentation note: retain copies of all instructions sent to component auditors. Document the two-way communication requirements at planning stage per ISA 600.40–41.

  1. During execution, the German component auditor identifies a €180K revenue cut-off misstatement and a potential related party transaction not previously disclosed. The component auditor communicates both to the group engagement team within two weeks of identification. The group team performs additional inquiries of group management about the related party matter and determines it requires disclosure in the consolidated financial statements.

Documentation note: record the component auditor’s communication, the group team’s response, and the resolution. Cross-reference to the group-level ISA 550 related party working paper.

  1. At completion, the group engagement partner reviews the German component auditor’s working papers for revenue recognition testing, evaluates whether the work performed responds to the assessed risks, and reviews the Belgian component auditor’s summary memorandum. The group team performs consolidation procedures on all intercompany eliminations, verifies the consistency of accounting policies across all four subsidiaries, and evaluates the aggregate effect of identified misstatements (€180K cut-off plus €45K from other components) against group materiality.

Documentation note: document the group engagement partner’s review of component auditor working papers, including the specific files reviewed and conclusions reached. File the consolidation procedures working paper separately.

The group audit file shows a risk-driven scoping decision at each component, component materiality allocations that reflect individual risk profiles rather than a mechanical split, documented two-way communication throughout the engagement, and a completion review that evaluates aggregate misstatements against group materiality. A reviewer would see that ISA 600 (Revised) was applied as a risk-based framework, not as a component classification exercise.

Practical checklist

  1. Start the group audit planning with a top-down risk assessment at the group financial statement level. Identify significant classes of transactions and account balances in the consolidated statements before determining which components need work (ISA 600.26–27).
  2. Set component performance materiality lower than group performance materiality, with the percentage reflecting each component’s risk profile. Document the rationale for each allocation and the resulting aggregation risk assessment (ISA 600.A66–A69).
  3. Issue detailed written instructions to all component auditors covering risk assessments, materiality levels, fraud risks, related parties, and the misstatement communication threshold. Retain copies in the group audit file (ISA 600.40–41).
  4. Require component auditors to communicate identified misstatements, fraud indicators, and significant internal control deficiencies on a timely basis during execution (not only at completion). Document these communications and the group team’s responses (ISA 600.44).
  5. Review component auditor working papers for areas of significant risk. A summary memorandum alone is insufficient for high-risk areas under ISA 600 (Revised) (ISA 600.45).
  6. Perform consolidation procedures directly, including intercompany eliminations, accounting policy consistency, and evaluation of whether the aggregate of uncorrected misstatements across all components exceeds group materiality.

Common mistakes

  • Applying a single fixed percentage to allocate component materiality across all subsidiaries without adjusting for risk. The H2A’s 2023 inspection programme found group audit deficiencies in 57% of reviewed mandates, including weaknesses in how auditors determined the scope of work at component level (H2A, Synthese du programme de controle 2023, Part 2 pp. 47-52). Mechanical allocation fails the ISA 600 requirement to consider component-specific risk.
  • Treating component auditor instructions as a one-time communication at planning stage. ISA 600 (Revised) requires two-way communication at planning, execution, and completion. The FRC’s 2025 inspection findings highlighted insufficient involvement in the work of component auditors and inadequate review of component auditor documentation as persistent group audit concerns (FRC Annual Review of Audit Quality 2025, pp. 16-17).
  • Accepting a component auditor’s summary memorandum without reviewing underlying working papers for significant risk areas. Under ISA 600 (Revised), desktop reviews of financial information alone are no longer acceptable. Audit procedures are always required for components where work is performed.

Related content

  • Component materiality — Glossary entry explaining how component materiality relates to group materiality and why it must be set lower than group performance materiality to manage aggregation risk.
  • Materiality calculator — Use this tool to calculate group materiality and test different component materiality allocations based on the benchmark and percentage you select.
  • ISA 315: Risk assessment guide — The group auditor’s identification of risks at the group level follows ISA 315 (Revised 2019). This guide covers how to structure the risk assessment that drives the group audit scope.

ISA 600 (Revised) in your jurisdiction

Netherlands. COS 600 (Revised) follows ISA 600 (Revised). For Dutch-headquartered multinationals, the shift from bottom-up to top-down group auditing is significant. The AFM has emphasised that group auditors must justify every scoping decision and cannot rely on historical approaches. Particular attention is required where overseas component auditors operate in jurisdictions with different documentation standards or language barriers — the group auditor may need full access to working papers or may need to replicate work.

Germany. IDW PS 600 adapts ISA 600 (Revised). German group structures (Konzern) frequently involve complex holding structures, profit transfer agreements (Ergebnisabführungsverträge), and statutory audits at each subsidiary level. The integration of component auditors into the engagement team aligns with the WPK’s emphasis on the group auditor’s ultimate responsibility (Gesamtverantwortung).

United Kingdom. ISA (UK) 600 (Revised September 2022) is substantively aligned with ISA 600 (Revised). The FRC has highlighted group audits as a persistent area of audit quality concern, particularly insufficient involvement in the work of component auditors, inadequate evaluation of component auditor competence, and insufficient review of component auditor documentation.

France. NEP 600 implements ISA 600 (Revised). French group audit practice operates within the statutory framework where each subsidiary may have its own commissaire aux comptes. The coordination between the group auditor (commissaire aux comptes du groupe) and component auditors has specific legal dimensions under French company law, including the obligation to communicate specific findings through the co-commissariat system where applicable.

Frequently asked questions

Does ISA 600 (Revised) apply to simple groups?

Yes, but it is designed to be scalable. For a simple group (e.g., a parent with one or two subsidiaries, all audited by the same firm), many of the requirements relating to component auditor communication, access restrictions, and complex scoping will be straightforward or not applicable. The group auditor still needs to assess risks at the group level and perform consolidation procedures.

Can the group auditor still perform a “desktop review”?

No. Under ISA 600 (Revised), audit procedures are always required for components where work is to be performed. Simply reviewing financial information without performing audit procedures is no longer acceptable. The nature of the procedures may vary (from full audits to specified procedures) but some form of audit procedure is always needed.

What is the difference between a component audit and specified procedures?

A full component audit means the component auditor performs a complete audit in accordance with ISAs, using component materiality. Specified procedures are targeted audit procedures designed to address specific risks identified by the group auditor. They are not a complete audit but are focused on particular account balances, classes of transactions, or assertions.

How should component materiality be allocated?

There is no prescribed formula. The group auditor uses professional judgment, considering the risk profile of each component, the significance of each component to the group, and the need to keep aggregation risk at an acceptably low level. As a practical starting point, many firms use a range of 60–85% of group performance materiality, adjusted for component-specific risk factors.

Further reading and source references

  • IAASB Handbook 2024: ISA 600 (Revised) full text — The authoritative source including appendices with examples.
  • ISA 220 (Revised): Quality Management for an Audit — governs the group engagement partner’s responsibilities for engagement quality, including direction and supervision of component auditors.
  • ISA 315 (Revised 2019): Risk assessment — the group auditor’s identification and assessment of risks is based on this standard.
  • ISA 320: Materiality — the basis for determining group and component materiality.

This guide reflects the ISA 600 (Revised) text as published in the IAASB 2024 Handbook. National implementations may include additional requirements — always consult the applicable national standard alongside the international text. This content is for educational purposes and does not constitute legal or professional advice.

Related products

ISAE 3402 Workbook → · ISA 240 Toolkit →

Get practical audit insights, weekly.

No exam theory. Just what makes audits run faster.

No spam — we're auditors, not marketers.

Related Ciferi Content

Related guides:

ISA 220: Quality Management for an Audit
Engagement-level quality management that applies within the group audit
ISA 315: Identifying and Assessing the Risks of Material Misstatement
The risk assessment framework that drives the group audit approach
ISA 330: The Auditor's Responses to Assessed Risks
Designing audit responses that component auditors execute
ISA 320: Materiality in Planning and Performing an Audit
Determines group materiality from which component materiality is derived

Put audit concepts into practice with these free tools:

Materiality Calculator
ISA 320
Analytical Review Tool
ISA 520
Transfer Pricing Tool
OECD Guidelines
Materiality Calculator
ISA 320
Sampling Calculator
ISA 530
Going Concern Checklist
ISA 570
ECL Calculator
IFRS 9