Key Takeaways
- ISA 600 (Revised) is effective for audits of group financial statements for periods beginning on or after 15 December 2023 — aligning with the broader suite of revised quality management and risk assessment standards.
- The revised standard replaces the previous component-classification model with a top-down, risk-based approach — the group engagement team identifies and assesses risks of material misstatement at the group level first, then determines the work needed at components.
- The concept of "significant component" has been removed. Scoping decisions are no longer driven by whether a component crosses a size threshold, but by the assessed risks of material misstatement at the group financial statement level.
- Component auditors are now explicitly part of the engagement team. The group engagement partner has the same direction, supervision, and review responsibilities over component auditors as over any other team member.
- The standard introduces aggregation risk as a new concept — the risk that the aggregate of individually immaterial misstatements across components could cause the group financial statements to be materially misstated.
- Two-way communication between the group engagement team and component auditors must be timely and occur throughout the engagement, not only at the start and conclusion.
- The group engagement team must have access to audit documentation of component auditors, including for purposes of the engagement quality review. Restrictions on access have direct implications for the group audit opinion.
What is ISA 600 (Revised)?
ISA 600 (Revised), titled "Special Considerations — Audits of Group Financial Statements (Including the Work of Component Auditors)," establishes the group engagement partner's responsibilities when conducting an audit of group financial statements. A group audit exists whenever the financial statements include the financial information of more than one component — whether subsidiaries, divisions, branches, joint ventures, or associates accounted for under the equity method.
Group audits are inherently more complex than single-entity audits. The group engagement team must coordinate work across multiple locations, potentially involving component auditors in different jurisdictions with different regulatory environments, languages, and accounting practices. The previous version of ISA 600 (issued in 2009) used a component-classification model that, in practice, led to mechanical scoping decisions and insufficient attention to risks that cut across the group.
Regulatory inspections consistently identified quality concerns in group audits — insufficient involvement by the group engagement partner, inadequate communication with component auditors, over-reliance on component auditors without adequate oversight, and failure to consider aggregation risk. The IAASB's comprehensive revision addresses these concerns through a fundamentally restructured approach.
Key Changes from the Previous Standard
The following table summarises the most significant changes between the previous ISA 600 and the revised standard:
| Area | Previous ISA 600 | ISA 600 (Revised) |
|---|---|---|
| Approach | Bottom-up: classify components, then determine work | Top-down: assess group-level risks, then determine work at components |
| Components | "Significant" vs "non-significant" based on size or risk | No classification by significance; component definition broadened to any entity or business activity |
| Component auditors | Separate from the engagement team; reliance-based model | Explicitly part of the engagement team; subject to direction, supervision, and review |
| Scoping | Full audit, specified procedures, or analytical review by component category | Nature, timing, and extent of work driven by assessed risks at group level |
| Communication | Group engagement team issues instructions to component auditors | Two-way communication throughout the engagement; component auditors communicate back |
| Documentation | Document instructions sent and reports received | Enhanced documentation of risk assessment, scoping rationale, aggregation risk, and component auditor oversight |
| Review options | Desktop review of non-significant components | No prescribed review categories; analytical procedures at group level may serve a similar function, but driven by risk assessment |
The Risk-Based Approach
The fundamental shift in ISA 600 (Revised) is from a bottom-up, component-driven model to a top-down, risk-driven model. The group engagement team follows four interconnected steps:
Step 1: Understanding the group and its environment
The group engagement team must obtain an understanding of the group, its components, and their environments — including the group's organisational structure, the nature of the components (subsidiaries, joint ventures, equity-method investees), the consolidation process, and the applicable financial reporting framework. This understanding must be sufficient to identify and assess risks of material misstatement at the group financial statement level.
For a multinational group, this means understanding how intercompany transactions are processed, how management allocates goodwill and other assets across cash-generating units, where significant accounting estimates arise, and how consolidation adjustments are determined. For a simpler group, the understanding may focus on the consolidation journal entries and the elimination of intercompany balances.
Step 2: Identifying and assessing risks at the group level
Applying the principles of ISA 315 (Revised 2019), the group engagement team identifies and assesses risks of material misstatement at the group financial statement level. These risks may arise from the financial information of individual components, from the consolidation process itself, or from transactions or events that span multiple components.
The risk assessment is performed at the group level, not component by component. A risk that is individually immaterial at each component may be significant in aggregate — this is where the concept of aggregation risk becomes critical.
Step 3: Determining the scope of work at components
Based on the group-level risk assessment, the group engagement team determines what work needs to be performed on the financial information of components. This is no longer a mechanical exercise of classifying components as "significant" or "not significant." Instead, the team asks: what work, performed where, and by whom, will provide sufficient appropriate audit evidence to address the assessed risks at the group level?
The work might include a full audit of a component's financial information, an audit of specific account balances or transaction classes, specified audit procedures on particular items, or analytical procedures performed at the group level. The group engagement team may also perform centralised procedures across multiple components — for example, testing revenue recognition controls that operate group-wide.
Step 4: Consolidation procedures
The group engagement team must design and perform audit procedures on the consolidation process. This includes evaluating whether the consolidation adjustments are appropriate (elimination of intercompany transactions and balances, foreign currency translation, fair value adjustments on acquisition), and whether the classification and presentation of the group financial statements comply with the applicable financial reporting framework.
Aggregation Risk and Component Materiality
Aggregation risk
Aggregation risk is one of the most important new concepts in ISA 600 (Revised). It is the risk that the aggregate of individually immaterial misstatements across components, together with misstatements in the consolidation process, may cause the group financial statements to be materially misstated.
Consider a group with 20 components. If each component has a misstatement of 4% of group materiality, the aggregate misstatement is 80% of group materiality — dangerously close to the threshold. The previous standard did not explicitly require the group engagement team to consider this risk. The revised standard does.
The group engagement team must consider aggregation risk when determining component materiality, when deciding the nature and extent of work at components, and when evaluating the sufficiency of audit evidence obtained across the group.
Component performance materiality
For components where an audit of the financial information will be performed by a component auditor, the group engagement team must determine component materiality. This must be lower than group materiality. In practice, many firms set component materiality at 60–85% of group materiality, with the exact percentage depending on:
- The number of components in the group
- The degree of aggregation risk
- The relative significance of the component to the group
- Whether the component has been identified as giving rise to significant risks
Performance materiality at the component level is then set below component materiality, applying the same principles as under ISA 320. The lower the component materiality, the more audit work is performed — which is why aggregation risk directly drives the cost and effort of a group audit.
Aggregation risk is not just a formula
Some firms attempt to address aggregation risk purely through a mathematical allocation of materiality across components. While allocation models can be useful starting points, aggregation risk requires professional judgment. A group with 5 components in one jurisdiction, using one ERP system and one set of accounting policies, poses a very different aggregation risk than a group with 50 components across 15 jurisdictions, with decentralised accounting and multiple ERPs. The group engagement team must consider the nature and likelihood of misstatements at each component — not just the number of components — when assessing aggregation risk.
Component Auditors as Part of the Engagement Team
One of the most consequential changes in ISA 600 (Revised) is the explicit inclusion of component auditors within the engagement team. Under the previous standard, component auditors were treated as separate professionals on whom the group engagement team "relied." The revised standard abandons this reliance model.
Direction: The group engagement team must direct component auditors — providing them with an understanding of the group engagement, the risks of material misstatement relevant to their work, the component materiality to be applied, and the specific procedures to be performed. The days of sending a generic instruction letter and hoping for the best are over.
Supervision: The group engagement team must supervise component auditors' work during the engagement. This means monitoring progress, discussing significant matters as they arise, and being available to address questions and concerns. For critical components, this may involve the group engagement team attending key meetings or reviewing work in real time.
Review: The group engagement team must review the component auditor's work, evaluating whether it provides sufficient appropriate audit evidence for the group audit. This includes reviewing the component auditor's documentation, assessing the adequacy of the work performed, and evaluating the component auditor's conclusions.
The group engagement partner must also evaluate each component auditor's competence, capabilities, and ethical compliance — including whether the component auditor understands and will comply with the ethical requirements relevant to the group audit, and whether the component auditor's firm has an appropriate system of quality management.
Two-Way Communication
The previous standard focused primarily on communication from the group engagement team to component auditors (through instruction letters). ISA 600 (Revised) establishes robust two-way communication requirements.
From the group engagement team to component auditors
The group engagement team must communicate, at minimum: the scope and timing of work to be performed; component materiality and the threshold for reporting identified misstatements; identified risks of material misstatement relevant to the component; ethical requirements applicable to the group audit, including independence requirements; and any other matters the group engagement team considers relevant.
From component auditors to the group engagement team
Component auditors must communicate back: matters relevant to the group engagement team's conclusion regarding the group audit, including identified misstatements (even if corrected); indicators of management bias; identified or suspected fraud; significant deficiencies in internal control; and any other matters that may be relevant to the group audit, including exceptions noted in written representations from component management.
Critically, this communication must occur on a timely basis throughout the engagement — not only at the start when instructions are issued and at the end when reports are submitted. If a component auditor identifies a significant issue during fieldwork, the group engagement team needs to know immediately, not six weeks later in a summary report.
Restrictions on Access
ISA 600 (Revised) addresses the practical reality that group engagement teams sometimes face restrictions on access — whether to component management, to component auditor documentation, or to the component entity itself. Restrictions may arise from legal or regulatory barriers, commercial sensitivity, or practical obstacles such as political instability.
When restrictions are identified, the group engagement team must first determine whether they can be overcome — for example, by obtaining the necessary permissions, using alternative procedures, or adjusting the audit approach. If the restrictions cannot be overcome and the group engagement team cannot obtain sufficient appropriate audit evidence, the implications for the group audit opinion must be considered.
In severe cases, restrictions on access may result in a qualification or disclaimer of opinion on the group financial statements. The group engagement team cannot simply accept restrictions without evaluating their impact on the ability to form an opinion. This is particularly relevant in jurisdictions with data privacy laws that may limit the transfer of audit documentation across borders.
ISA 600 in Your Jurisdiction
Netherlands. COS 600 (Revised) follows ISA 600 closely. The AFM has identified group audit quality as a priority inspection area, particularly regarding the group engagement partner's oversight of component auditors and the adequacy of two-way communication. For Dutch OOB engagements involving international components, the AFM pays close attention to how aggregation risk is assessed and documented.
Germany. The Konzernabschlussprüfung (group audit) follows the WPK's adoption of ISA 600 (Revised). German practice has traditionally placed strong emphasis on the Konzernabschlussprüfer's personal responsibility for the group opinion, which aligns well with the revised standard's strengthened role for the group engagement partner. However, the shift from the significant-component model to a risk-based scoping approach represents a practical change for many German firms.
United Kingdom. ISA (UK) 600 (Revised) is substantively aligned with the international standard. The FRC has been particularly vocal about group audit quality, with inspection findings repeatedly highlighting insufficient oversight of component auditors and inadequate consideration of aggregation risk. The FRC expects group engagement partners to demonstrate active involvement in the direction and supervision of component auditors — not merely administrative coordination.
France. Adopted through NEP standards under H3C supervision. The French joint-audit system creates unique considerations for group audits — the allocation of components between joint auditors must be clearly defined, and communication between the two group engagement teams adds an additional layer of coordination that must be managed within the ISA 600 framework.
Related Ciferi Content
Continue building your understanding of the ISA framework:
Put audit concepts into practice with these free tools:
Frequently Asked Questions
Does ISA 600 (Revised) apply to simple groups with only a few subsidiaries?
Yes. ISA 600 (Revised) applies to all group audits, regardless of the number of components. However, the standard is scalable. For a simple group with two or three wholly-owned subsidiaries operating in the same jurisdiction, using the same accounting framework, and audited by the same firm, the group engagement partner's procedures will be far less extensive than for a multinational group with dozens of components across multiple jurisdictions. The key is that the risk-based approach drives the nature and extent of work — not the label "group audit" itself.
Is the "desktop review" still allowed under the revised standard?
The revised standard does not use the term "desktop review." Under ISA 600 (Revised), work performed on the financial information of components is driven by the group engagement team's risk assessment, not by pre-set categories such as "significant component — full audit," "significant component — specified procedures," or "remaining component — desktop review." The group engagement team determines what work is needed at each component based on the assessed risks of material misstatement at the group level. In practice, analytical procedures at the group level over non-significant components may resemble what was previously called a desktop review, but the conceptual basis is fundamentally different.
What is the difference between a component audit and specified procedures?
Under the revised standard, this distinction is less relevant. The group engagement team determines the nature, timing, and extent of work to be performed on the financial information of components based on the assessed risks at the group level. This work might include a full audit of a component's financial information, an audit of specific account balances or classes of transactions, specified audit procedures on particular items, or analytical procedures performed at the group level. The group engagement team selects whichever approach — or combination of approaches — is most effective in responding to the assessed risks of material misstatement at the group financial statement level.
How should component materiality be allocated?
ISA 600 (Revised) requires the group engagement team to determine component materiality for those components where an audit or review of the component's financial information will be performed. Component materiality must be lower than group materiality. In practice, many firms set component materiality at 60–85% of group materiality, with the exact percentage depending on the number of components, the degree of aggregation risk, and the significance of the component to the group. Performance materiality at the component level is then set below component materiality, just as at the group level. The standard does not prescribe a formula — professional judgment is required.
Further Reading and Source References
- IAASB Handbook 2024 — The authoritative source for the complete ISA 600 (Revised) text, including all application material.
- ISA 600 (Revised) Implementation Guide (IAASB) — Practical guidance for firms transitioning from the previous standard, including worked examples of the risk-based scoping approach.
- ISA 315 (Revised 2019) — Identifying and Assessing the Risks of Material Misstatement — the risk assessment standard that underpins the group audit approach.
- ISA 220 (Revised) — Quality Management for an Audit — engagement-level quality management responsibilities that apply to the group engagement partner and team.