How it works
ISA 600 (Revised) requires the group engagement team to identify and assess risks of material misstatement of the group financial statements, then design responses to those risks. Scoping is how those responses translate to work on specific components. The group engagement team considers the significance of each component (both quantitative and qualitative) alongside the risks of material misstatement identified at each component, the complexity of the component's financial information, and any recent changes in the component's business.
The distinction between financial significance and risk significance is critical. A small subsidiary with a complex related-party transaction may warrant targeted procedures even though its revenue contribution is immaterial. ISA 600 (Revised) explicitly requires the group engagement team to look beyond size when scoping.
ISA 600 (Revised) requires the group engagement team to determine its involvement in the work performed by component auditors. This means scoping is not a one-time decision at planning. If a component auditor identifies unexpected risks during fieldwork, the group engagement team must reassess whether the scoped work remains sufficient.
Key Points
- Scoping determines what work happens at which component, not just whether a component is "in" or "out."
- A component's financial size alone does not determine its scope; identified risks at that component matter equally.
- Scoping must be reassessed if conditions change during the audit (new risks identified, unexpected component results).
- Under-scoping non-significant components is one of the most common group audit inspection findings.
Worked example: Brenner Bau Gruppe AG
Client: Austrian construction group, FY2024, consolidated revenue €145M, IFRS reporter. Five subsidiaries: Austria (parent and main operations, €82M), Germany (€31M), Czech Republic (€18M), Slovakia (€9M), and Hungary (€5M).
Classifying components by significance and risk
Austria (57% of group revenue, all major contract disputes, largest PPE base) receives a full scope audit. Germany (21% of revenue, no individually significant risks beyond revenue cut-off) receives specified procedures on revenue recognition and receivables. Czech Republic (12% of revenue) also receives specified procedures, specifically on contract accounting under IFRS 15, because a new long-term construction contract was signed in FY2024. Slovakia and Hungary (combined 10%) receive analytical procedures at group level.
Communicating instructions
The group engagement team issues full scope instructions to the Austrian component auditor, including component materiality (€500K against group materiality of €1.45M), the group risk assessment, the clearly trivial threshold of €73K, and the required reporting deadlines. For Germany and Czech Republic, the team issues specified procedure instructions identifying the exact assertions, sample sizes, materiality thresholds, and reporting requirements.
Reassessing scope mid-audit
The Czech component auditor identifies that the new construction contract includes a variable consideration clause with material estimation uncertainty. The group engagement team reassesses scope and adds further specified procedures: test management's estimate of the variable consideration, verify the constraint applied under IFRS 15.56, examine the disclosures under IFRS 15.126, and evaluate the effect on the contract's transaction price allocation. The group engagement partner approves the scope change.
The scoping documentation covers initial classification, the risk-based rationale for each work type, the mid-audit revision triggered by the Czech Republic finding, and the group engagement partner's approval of the scope change. Every scoping decision links to either financial significance or an identified risk.
What reviewers and practitioners get wrong
The FRC's thematic review of group audits found that scoping decisions were frequently based on financial significance alone, without documented consideration of component-specific risks. ISA 600 requires both inputs. A component contributing 4% of revenue but holding the group's only complex financial instrument still requires targeted work on that instrument.
Teams also treat scoping as a planning-stage exercise and do not revisit it when conditions change. Both the AFM and FRC have flagged files where new risks were identified at a component during fieldwork but the scoping documentation was not updated. The group audit strategy should reflect the audit as it was actually performed, not as it was planned.
Key standard references
- ISA 600 (Revised) paragraphs 29–38: Requirements for identifying significant components, determining the type of work, and the group engagement team's involvement.
- ISA 600 (Revised) paragraph 38: Requirement to determine involvement in the work of component auditors, responsive to assessed risks.
Frequently asked questions
Is scoping a one-time planning decision?
No. ISA 600 (Revised) requires the group engagement team to reassess scoping if conditions change during the audit. If a component auditor identifies unexpected risks during fieldwork, the scoped work must be revisited. Both the AFM and FRC have flagged files where new risks were identified but scoping documentation was not updated.
Can a financially insignificant component still require specified procedures?
Yes. A small subsidiary with a complex related-party transaction or a significant legal provision may warrant targeted procedures even though its revenue contribution is immaterial. ISA 600 (Revised) explicitly requires the group engagement team to look beyond financial size when scoping.