HKSA 600 (Revised), the revised group audit standard, became effective for periods beginning on or after 15 December 2023. It fundamentally reshapes how auditors approach scoping, supervision, communication, and documentation in multi-component engagements. This guide provides a practitioner-focused overview of the most significant changes and their practical consequences for group and component auditors.
Risk-Based Group Audit Approach
Core Change
The standard introduces a top-down, risk-based approach led by the group auditor. The engagement is planned around where risks of material misstatement exist at the group level. Audit work follows these risks, regardless of component size or location.
Traditional Approach vs. New Approach
The old method started with identifying ‘significant’ versus ‘non-significant’ components. The new method eliminates this distinction. Instead, it focuses on risk assessment at the group level.
This aligns HKSA 600 with HKSA 315 (Revised 2019), HKSA 330, and HKSA 220 (Revised).
Practical Implications
- Scoping is risk-driven, not threshold-driven. Audit focus can target small units if they carry higher qualitative risks. Examples include treasury functions, shared service centers, or branches.
- Component auditors participate across all audit phases. This includes risk assessment, fieldwork, and completion procedures.
Definitions and Scope Changes
Component Redefined
A component may be an entity, business unit, function, or business activity. The group auditor determines components based on planning and performing procedures. The ‘significant component’ label no longer exists.
Expanded Applicability
The standard applies to branches, divisions, shared service centers, and non-controlled entities when relevant to consolidation. Group risks determine where and how work is performed.
Hong Kong Adoption
HKSA 600 (Revised) mirrors ISA 600 (Revised) with the same effective date. The HKICPA emphasizes alignment with HKSQM 1, HKSA 220 (Revised), and HKSA 315 (Revised 2019).
Engagement Quality and Team Structure
Component Auditors as Team Members
The standard explicitly treats component auditors as part of the engagement team. The group engagement partner is responsible for direction, supervision, and review across the group.
Key Responsibilities
- Evaluate competence and capabilities of component auditors
- Ensure sufficient and appropriate resources to achieve quality
- Maintain strong two-way communication between group and component auditors
Regulatory Expectations
Regulators emphasize sufficient and appropriate involvement throughout the audit. This includes scoping, timing, evaluating results, and concluding on evidence sufficiency.
Materiality and Aggregation Risk
Aggregation Risk Defined
Aggregation risk is the probability that the aggregate of uncorrected and undetected misstatements exceeds group materiality. The standard clarifies how this applies in group audits.
Component Performance Materiality
The group auditor sets component performance materiality to drive the extent of work. This considers group-level aggregation risk and assessed risks of material misstatement.
Practical Results
- More tailored performance materiality at components
- Targeted procedures on assertions with heightened risk, even in previously ‘immaterial’ components
Access Restrictions
Recognition of Barriers
The standard acknowledges restrictions on access to people, information, or component auditors. Barriers may be legal, regulatory, or confidentiality-based.
Overcoming Restrictions
- Negotiate access early in the engagement
- Perform alternative procedures when direct access is unavailable
- Document restrictions, alternatives used, and evaluation of evidence sufficiency
Regulatory Focus
Regulators expect clear documentation of what was restricted, what alternatives were used, and how evidence sufficiency was evaluated.
Enhanced Documentation Requirements
Stronger Expectations
Documentation requirements are more granular and explicit. The linkage to HKSA 230 is clear. The group auditor must demonstrate several key elements.
Required Documentation
- Acceptance and continuance conclusions showing sufficient appropriate evidence can be obtained
- Risk assessment and responses at the group level
- Involvement in component work, including communications, instructions, and review of results
- Competence and independence evaluation of component auditors
- Professional skepticism exercised throughout the engagement
- Materiality decisions and aggregation risk considerations
What Group Auditors Now Request from Component Auditors
Based on early application experience, group auditors commonly request specific information and documentation from component auditors.
Early Risk Insights
- Narrative and data on where risks exist (complex estimates, IT dependencies, cut-off risks)
- Process-level information (consolidation journals, intercompany reconciliations, IFRS conversion controls)
Competence and Independence Evidence
- Evidence of relevant industry experience
- Confirmation of ethical standards compliance
Materiality Agreement
- Agreement on component performance materiality and clearly scoped assertions linked to group risks
Communication Artifacts
- Formal instructions and timelines
- Status updates aligned with group milestones
- Work-paper availability or agreed alternatives for restricted access
Documentation of Skepticism
- Evidence of how exceptions were evaluated against group aggregation risk
Changes in Practice
Earlier Involvement and Integration
Group auditors engage with component teams earlier, typically at the risk assessment phase. They align testing plans to group-level risks. They schedule milestone communications to avoid late issues.
Shift from Bottom-Up to Group-Led
Engagement strategy is framed centrally. The group auditor defines components, sets performance materiality, and orchestrates procedures by assertion and risk. Traditional scoping by size is giving way to qualitative risk scoping.
Documentation Volume Increased
Records must show the chain of reasoning from group risks to component scoping to instructions to results to conclusions. Clear evidence of direction, supervision, and review is required across all team members.
Access Planning Upfront
Teams plan access strategies at acceptance and continuance. They document fallback procedures when full access cannot be achieved. This includes data rooms, confidentiality obstacles, or jurisdictional limits.
Consolidation and IT Focus
Understanding and testing consolidation processes occurs earlier in the timeline. This includes intercompany elimination controls and group-wide IT dependencies. Component teams that process or feed consolidation data are involved in targeted procedures.
Specific Documentation Impacts
Acceptance and Continuance Memos
Explicit conclusion that sufficient appropriate audit evidence can be obtained at the group level. This includes component work and consolidation, with identified access constraints and mitigation.
Group Risk Assessment Files
Mapping of inherent risk factors and IT considerations to assertions in the group financial statements. Explicit linkage to component-level procedures.
Component Instruction Letters
Risk-anchored instructions, performance materiality, sampling expectations, reporting templates, and work-paper access protocols.
Communication Logs
Two-way communication evidence including requests, clarifications, and status updates. Milestone reviews and evaluation of component results. Documentation of how exceptions were escalated and resolved at group level.
Conclusion Memos
A consolidated sufficiency and appropriateness evaluation. This integrates component evidence and addresses aggregation risk.
Implications for Finance Teams and Audit Committees
Detailed Planning Requests
Group auditors will request earlier access to consolidation models, intercompany elimination processes, and data lineage. This includes IT controls.
Greater Orchestration Effort
Coordination across jurisdictions is more intensive. This includes independence checks, competence assessments, and calendar alignment. Component auditors function as one engagement team under the group partner’s leadership.
Re-Scoped Component Work
Previously ‘immaterial’ locations may now be scoped-in for targeted procedures on high-risk assertions. Conversely, some large components may see refocused work if their risks are lower.
Audit Committee Oversight
Audit committees should expect clear articulation of group risks and planned responses. This includes access constraints and how the group team oversees component work. Evidence of professional skepticism is essential.
Five Action Points for Group Auditors
- Redesign Planning to Be Risk-First
Start with group-level risks of material misstatement and assertions. Then define components, materiality, and procedures accordingly. Embed this flow in planning and instruction templates.
- Treat Component Auditors as Engagement Team
Formalize competence evaluations and independence confirmations. Establish clear lines of direction, supervision, and review.
- Lock in Access and Alternatives Early
Document anticipated constraints and agreed solutions. This includes secure access, redactions, or summaries. Reflect these in acceptance, continuance, and timeline planning.
- Elevate Consolidation and IT Focus
Bring specialists into early planning where needed. Tie control testing to the consolidation process and group systems.
- Upgrade Documentation Discipline
Use appropriate templates to evidence the risk-response-result-conclusion chain. Document how aggregation risk was considered and how skepticism was exercised.
Hong Kong Effective Date
HKSA 600 (Revised) is effective in Hong Kong for audits of financial statements for periods beginning on or after 15 December 2023. For many 31 December 2024 year-ends, this is the first cycle under the revised requirements.
Conclusion
HKSA 600 (Revised) transforms group audits into a single, risk-orchestrated engagement. The group auditor must own planning, direction, supervision, and review across all components.
Teams should expect earlier involvement, deeper integration, stronger documentation, and clearer accountability. The standard requires sufficient evidence to support the group opinion.
Teams that embrace the shift from a component-ledger view to a consolidated, risk-centric mindset will find the standard scalable and practical. They will be better positioned for regulatory inspection and stakeholder confidence.
References
This guide draws on guidance from:
- Hong Kong Institute of Certified Public Accountants (HKICPA)
- International Auditing and Assurance Standards Board (IAASB)
- Institute of Chartered Accountants in England and Wales (ICAEW)
- European Commission guidance on group audits
- Various professional accounting firms and regulatory bodies