Major revisions to the International Standard on Auditing ISA (UK) 600 Special considerations – Audits of group financial statements (Including the work of component auditors) are effective for accounting periods beginning on or after 15 December 2023. These will affect both group and component auditors, and the audit of simple groups as well as large, complex multinationals.

It’s important to start preparing now, given the nature of the changes and the need for communications between group and component auditors. This article summarises some of the key revisions to the standard.

Scoping and risk assessment

The concept of a ‘significant component’ has been removed from the revised standard. This means there is no longer a set quantitative threshold above which an audit must be performed on a component, and a more risk-based approach is needed. 

This may mean more difficult judgements for the group auditor in terms of the level of detailed work to be performed at each component and who will perform that work. There may therefore be changes to the work required from component auditors, compared to previous years. 

The group auditor will need to determine what factors will influence their scoping decisions. As well as familiar factors such as integrity, understanding and competence of component management, the revised standard identifies new concepts such as the level of disaggregation in the group. This means considering both the absolute number of components and the relative size of each component. 

Some of the information may need to come from the component auditor, so early engagement with them will be vital to the scoping process.

Component materiality

Under the revised standard, the group auditor is required to set component performance materiality. This will need to reflect factors including:

• the extent of disaggregation in the group, as explained above; and

• expectations about the nature, frequency and magnitude of misstatements. These could arise from factors including industry-specific matters, the presence of unusual or complex transactions, and the group auditor’s prior experience of the nature and extent of misstatements.

Definition of ‘engagement team’

Component auditors will have to be treated as part of the group engagement team, as they are specifically included in the definition. This means that the group audit partner will be responsible for the quality of the component auditors’ work.

It’s likely there will be more questions for component auditors early on, especially in the context of the recently introduced International Standard on Quality Management (ISQM) 1. There could be some challenges if the group auditor doesn’t think the component auditor has the right team or expertise.

There will also be more practical challenges, such as how to ensure that the component auditors attend the team meetings and discussions required by ISAs, such as the fraud discussion required by ISA (UK) 240.

Communication

All of this means robust two-way communication between group and component auditors will be particularly important. Early communication will be vital to deal with changes to scope, the potentially higher level of group auditor involvement and to identify any challenges to co-operation (whether in or out of management control), such as audit documentation which cannot be shared electronically or at all, or restrictions on travel to a country.

It’s also worth remembering that, for UK audits, component auditors have to comply with the independence requirements of the FRC’s Ethical Standard. These may be different from the component auditors’ jurisdictional requirements, so the group auditor will need to consider giving guidance on those differences as well as simply obtaining confirmation of compliance.

There is plenty of application guidance in the revised standard to help auditors with the sorts of factors they need to consider.

Controls and IT

Recent revisions to ISA (UK) 315 have placed a greater focus on the use of information technology (IT) as part of an organisation’s internal control system. In a group context, the group auditor needs to understand risks posed by the use of IT across all components, such as the level of integration of different IT systems, for example.

More broadly, the group auditor will need to consider the commonality of IT and manual internal controls, and whether design and implementation testing can be carried out on a group-wide basis. The group auditor should also consider whether any activities are centralised (at a shared service centre, for example) and whether this may constitute a separate component of the group. 

In summary

The changes to ISA (UK) 600 need to be considered carefully, and early enough to be able to plan necessary revisions to the approach. Where component auditors are involved, they will probably need to be brought in earlier than usual.

To give you practical support in implementing the new standard, ICAEW is revising its publication Auditing groups: a practical guide and will also be releasing further best practice practical tips.