ISA 600: A New Era for Group Audits

ISA 600 (Revised): A Proactive, Risk-Based Approach to Group Audits

Download the presentation on the revised ISA 600 Download

The Financial Reporting Council issued the revised ISA 600, Special Considerations—Audits of Group Financial Statements (Including the Work of Component Auditors) in September 2022. This revised standard, effective for group audits for periods commencing on or after December 15, 2023, introduces significant changes to enhance the quality and effectiveness of group audits. The main changes center around a proactive, risk-based approach, revised component definitions, and strengthened communication requirements.

Proactive Risk-Based Approach

A significant change is the introduction of a proactive risk-based approach. Now, group auditors must emphasize:

Identifying and assessing risks of material misstatement at the group level.
Planning the group audit based on these assessed risks.
Performing audit procedures that respond to the assessed risks, regardless of location within the group.

This shift requires a deeper understanding of the group’s operations. Auditors must focus on where the risks reside, rather than the size or financial significance of individual components.

Clarification of ISA 220 (Revised) Requirements

The revised ISA 600 clarifies how the requirements of ISA 220 (Revised), Quality Management for an Audit of Financial Statements apply to group audits. This includes focusing on:

The resources needed for the engagement.
The direction, supervision, and review of the engagement team’s work.
Explicitly including component auditors within the ‘engagement team’.

Revised Definition of a Component

The definition of a component has been revised for clarity and flexibility.

Old Definition: Previously, a component was an entity or business activity for which group or component management prepared financial information to include in the group financial statements. Components were often determined by size, with audit procedures focused on the component itself. Some procedures had a group focus.

New Definition: Now, a component is an entity, business unit, function or business activity (or combination thereof). The group auditor determines this for planning and performing audit procedures in a group audit. Furthermore, the group auditor must perform a group risk assessment to find where the risks are within the group. The audit work then follows those identified risks, regardless of which component they reside in.

Key Changes:

The concepts of “significant component” and “financially significant component” are removed.
The updated definition offers flexibility and applies to branches, divisions, shared service centers, and non-controlled entities.
There is now an emphasis on considering the nature of events or conditions that may give rise to risks of material misstatement.
Auditors can choose the scope of work for targeted testing at each component based on risk assessment and significant accounts.

Examples of components:

A single legal entity may have more than one business unit (e.g., a bank with branches) where financial information is aggregated.
A group may have three legal entities with similar characteristics, operating in the same location, under the same management, and using a common system of internal control. In these cases, the group auditor may treat these entities as one component.
A group may centralize activities through a shared service center. If these activities are relevant to the group’s financial reporting, the group auditor may determine that the shared service center is a component.

Robust Two-Way Communication