What is a Group Auditor?
ISA 600 (Revised) places responsibility for the group audit squarely on the group engagement partner. That responsibility starts before any component work begins. The group auditor must understand the group structure, identify which entities and business units are components, determine which components are significant, and decide the scope of work for each component.
Risk assessment belongs to the group engagement team even when a component auditor has better local knowledge. The group auditor uses component auditor input to inform the group-level risk assessment, but the assessment itself is the group team's responsibility. The group auditor cannot delegate the risk assessment to the component auditor and accept the result without performing their own evaluation.
After component work is complete, the group auditor must evaluate whether the evidence obtained from all sources, including component auditors, the group team's own procedures, and the consolidation process, is sufficient and appropriate to form the group opinion. Receiving component deliverables is not the same as evaluating them.
Key Points
- The group auditor bears full responsibility for the group opinion and cannot reduce that responsibility by referencing component auditor work.
- Risk assessment at group level is the group team's responsibility, even where component auditors have local expertise.
- Evidence evaluation requires active review, not passive receipt of component deliverables.
- ISA 600 (Revised) requires demonstrated involvement in significant component risk assessments.
Why it matters in practice
AFM inspection reports have found that group engagement teams do not consistently demonstrate sufficient involvement in significant component risk assessments. The file shows the group team received the component auditor's risk assessment and the component deliverables, but it does not show what the group team did to evaluate whether those assessments were appropriate given the group team's own understanding of the component.
Mid-tier group auditors in particular treat component auditor summaries as sufficient evidence without performing their own evaluation. ISA 600 (Revised) requires evaluation, not just receipt. The group auditor must document what they considered, what questions they raised, and how they concluded that the component evidence was sufficient for the group audit.
Key standard references
- ISA 600 (Revised): Full responsibility of the group engagement partner for the group audit opinion.
- ISA 600 (Revised): Requirement to understand the group structure and identify components.
- ISA 600 (Revised): Group-level risk assessment responsibilities.
- ISA 600 (Revised): Evaluation of sufficiency and appropriateness of evidence obtained from all sources.
Frequently asked questions
Can the group auditor reduce responsibility by referring to a component auditor?
No. ISA 600 (Revised) does not allow the group auditor to reduce responsibility by referencing component auditor work in the group auditor's report. The group auditor signs the opinion and bears full responsibility.
What must the group auditor do beyond reviewing component deliverables?
The group auditor must understand the group structure, identify components, determine significance, decide scope for each component, assess risks at group level, issue instructions, and evaluate sufficiency of all evidence before forming the group opinion.