How it works
ISA 600 (Revised) restructures the group engagement partner's responsibilities. Under the previous ISA 600, groups identified significant components and applied a largely bottom-up approach: teams assessed each component for significance and varied the work accordingly. The revised standard replaces this with a top-down risk assessment. The group engagement team identifies risks of material misstatement in the group financial statements and determines where the relevant financial information sits across components. It then designs responses at the assertion level, allocating work to components based on that risk assessment.
ISA 600 (Revised) requires the group engagement team to determine the nature, timing, and extent of work to be performed on the financial information of components. This work must be responsive to the assessed risks of material misstatement of the group financial statements. A small component with a large, unusual transaction may require more work than a large component with straightforward, recurring balances.
The group engagement partner's responsibility under ISA 600 (Revised) is direct: the partner is responsible for the direction, supervision, and review of the group audit, regardless of whether component auditors perform some of the work. Delegation does not transfer responsibility.
Key Points
- ISA 600 (Revised) places direct responsibility on the group engagement partner for the entire audit, including work performed by component auditors.
- The revised standard removes the old classification of "significant" and "non-significant" components.
- Scoping is now risk-based and top-down, driven by the group engagement team's risk assessment rather than by component size alone.
- Communication with component auditors must be two-directional and documented throughout the engagement.
Worked example: Groupe Vaucluse Ingénierie S.A.
Client: French engineering group, FY2024, consolidated revenue €280M, IFRS reporter. Four subsidiaries: two in France (€140M and €65M revenue), one in Germany (€50M), one in Morocco (€25M).
The group engagement team (based in Lyon) performs the risk assessment at the group level. The team identifies two significant risks: revenue recognition on long-term construction contracts (IFRS 15 over-time recognition) and goodwill impairment at the German subsidiary (acquired 18 months ago, performance below acquisition business case).
Determine work on each component. The group engagement team identifies no significant risks at the group level for the Moroccan subsidiary (€25M, 9% of group revenue). Analytical procedures at the group level are sufficient. The German subsidiary requires a full-scope audit of revenue and a specific risk response on goodwill impairment.
Engage the component auditor in Frankfurt. Issue group instructions covering: the identified risks, the materiality for the component (set by the group engagement team), the procedures required for revenue and goodwill, the reporting deadlines, and the communication requirements.
Review the component auditor's reporting. The German component auditor identifies a goodwill impairment trigger (the subsidiary missed its Q4 revenue target by 22%). Evaluate the implications at the group level. Determine whether the impairment analysis is sufficient and whether additional procedures are needed.
Conclusion: the group audit plan was driven by group-level risks, not by component size. The Moroccan subsidiary (9% of revenue) received less work than the German subsidiary (18% of revenue) because the risk profile, not the percentage, determined the scope.
What reviewers and practitioners get wrong
- The FRC's 2023 inspection report identified group audits as a persistent area of concern, with particular focus on insufficient involvement of the group engagement team in the work of component auditors. The revised standard's emphasis on direction and supervision exists precisely because this finding recurred year after year.
- A common transitional error is continuing to classify components as "significant" or "non-significant" under the revised standard. ISA 600 (Revised) does not use this classification. Teams that default to it are applying the old framework and may scope work incorrectly because a risk-based determination sometimes produces different results than a size-based one.
Group audit vs single-entity audit
| Dimension | Group audit | Single-entity audit |
|---|---|---|
| Governing standard | ISA 600 (Revised) in addition to all other ISAs | All other ISAs (ISA 600 does not apply) |
| Engagement partner responsibility | Direct responsibility for all work, including component auditors' | Direct responsibility for all work performed |
| Risk assessment | Top-down at the group level, then allocated to components | Performed at the entity level |
| Use of other auditors | Component auditors may perform work under the group engagement team's direction | Not applicable (unless using the work of an expert or service auditor) |
Key standard references
- ISA 600 (Revised): Effective for audits of group financial statements for periods beginning on or after December 15, 2023.
- ISA 600 (Revised).11: The group engagement partner's direct responsibility for direction, supervision, and review.
- ISA 600 (Revised).29–30: Determining the nature, timing, and extent of work on component financial information.
Related terms
Related reading
Frequently asked questions
Does ISA 600 (Revised) still use 'significant component' classification?
No. ISA 600 (Revised) removed the classification of components as 'significant' or 'non-significant.' The revised standard replaces this with a top-down risk assessment. The group engagement team identifies risks of material misstatement at the group level and determines what work each component requires based on that risk assessment, not on component size alone.
Who is responsible for work performed by component auditors?
The group engagement partner. ISA 600 (Revised) makes this responsibility direct: the partner is responsible for the direction, supervision, and review of the group audit, regardless of whether component auditors perform some of the work. Delegation does not transfer responsibility.