Group audits and component auditors: the SA 600 play in multi-entity structures
When the holding company has 12 subsidiaries across 5 cities and 2 tax havens, the consolidated audit relies on component auditors. SA 600 says how. NFRA has been increasingly unforgiving when it doesn't happen properly.
Group audits are where consolidation accounting meets multi-firm coordination, and where the most expensive audit failures in Indian corporate history have happened. The structure is mechanically straightforward: the holding company's auditor — the principal auditor — issues an opinion on the consolidated financial statements, relying on component auditors who audited the individual subsidiaries.
What sounds straightforward is not. The principal auditor signs the consolidated opinion but cannot directly perform the work on every subsidiary. The component auditor signs the subsidiary's opinion but is not responsible for the consolidated statements. The space between those two positions is where things go wrong.
SA 600 — Using the Work of Another Auditor — governs this relationship in India. The standard has been under review by NFRA, with a proposed convergence toward the international ISA 600 (revised) framework. Until that revision is notified, SA 600 in its current form is what applies.
The basic architecture
A group audit has three actors. The group, which is the holding company and its subsidiaries, associates, and joint ventures included in consolidation. The principal auditor, who is the audit firm appointed by the holding company and responsible for the consolidated audit opinion. The component auditor, who is the audit firm responsible for auditing a specific subsidiary or component.
The principal auditor is not always the largest firm in the engagement. A Big Four firm auditing the parent of a group may be the principal auditor even if the larger subsidiaries are audited by smaller firms. Conversely, a mid-tier Indian firm may be the principal auditor on a private group where the foreign subsidiaries are audited by larger international affiliates.
The principal auditor's responsibility is broader than the audit of the holding company alone. Under SA 600, the principal auditor must determine which components are significant, plan the group audit, instruct the component auditors, review the work performed, and conclude on the consolidated statements.
Defining a significant component
SA 600 does not define 'significant component' with a precise quantitative threshold. In practice, Indian firms use a benchmark of 15% or more of consolidated revenue, assets, or profit. Components above that threshold are significant and receive full audit attention from the principal auditor's perspective. Components below that threshold receive a different level of attention — analytical procedures or limited reviews rather than full audits at the group level.
There is a second category of significance — components that are individually below the quantitative threshold but carry risks that matter for the consolidated statements. A small subsidiary in a tax haven with substantial intercompany loans. A joint venture with a complex revenue arrangement. A loss-making subsidiary with going-concern issues. These get treated as significant even at low aggregate numbers.
Where Indian group audits get under-staffed
Three patterns recur in our experience reviewing group audit files.
Subsidiaries in smaller cities get under-audited. A group with a holding company in Bengaluru, a manufacturing subsidiary in Indore, and a marketing subsidiary in Kolkata often appoints the same Bengaluru audit firm for all three. The Bengaluru firm sub-contracts the Indore and Kolkata audits to local CA firms with limited group-audit experience. The component auditors do clean local audits. They do not necessarily anticipate the issues that matter for consolidation — transfer pricing, intercompany margins, intra-group eliminations, fair-value adjustments on acquisition accounting.
Subsidiaries in tax-friendly jurisdictions get superficial audits. A Mauritius holdco or a Singapore subsidiary is often audited by a local firm whose primary work is corporate-services administration. The audit is clean. The substance behind the financial statements — particularly the intercompany transactions and the management-fee allocations — is not deeply tested. When the principal auditor later relies on that work for the consolidated opinion, the file at the group level has gaps.
Component auditors are not formally instructed. SA 600 paragraph 11 requires the principal auditor to communicate instructions to component auditors covering matters such as significant risks identified at the group level, the scope of work to be performed, and the form and content of reporting back. We see audits where the only communication is a one-line email asking the component auditor to send the signed report when ready. That is not SA 600 compliance. That is an introduction.
What the principal auditor must actually do
SA 600 paragraph 13 onward sets out the principal auditor's responsibilities.
Determine the type of work needed. For each significant component, decide whether a full audit is required, or whether analytical procedures and review will suffice. Document the decision.
Instruct the component auditor. Send written instructions before the component audit begins. Cover materiality at the group level (often lower than the component's standalone materiality), significant risks identified at the group level (which the component auditor may not have on their radar), accounting policy alignment, intercompany reconciliations, and reporting deliverables.
Review the component auditor's work. The principal auditor should obtain and review the component auditor's working papers for significant components, at least at a level sufficient to confirm the work was performed in accordance with the instructions and the conclusions are supported by the evidence.
Communicate findings back. Where the principal auditor identifies issues during their review of the component auditor's work, those issues must be communicated to the component auditor for resolution before the consolidated audit is signed off.
NFRA's enforcement on SA 600
NFRA has issued multiple orders against Big Four firms over group-audit lapses. The IL&FS case is the most visible. In its orders against the audit firms involved, NFRA noted that the principal auditor relied on component auditors' work for the IL&FS subsidiaries without adequate review of the underlying procedures, without proper instructions on group-level risks, and without independent verification of significant balances.
The orders did not say the component audits were necessarily wrong. They said the principal auditor's reliance was not documented to SA 600 standards. The penalties — multi-crore fines and individual debarments for the responsible partners — were on the principal auditor.
The takeaway for groups is direct. Your principal auditor's quality is only as good as their group-audit methodology. If the principal auditor cannot show you, in writing, how they planned and reviewed the component auditors' work, the audit file is exposed to the same kind of finding NFRA made in IL&FS.
The revised ISA 600 framework
The international standard, ISA 600 (revised), tightens the principal auditor's responsibilities significantly. The revised standard treats the principal auditor as fully responsible for the audit of the group financial statements, with component auditors operating under the principal auditor's direction and supervision rather than as independent reliance partners. The component auditor's report on the subsidiary is a separate matter; for group purposes, the principal auditor designs the work and the component auditor executes it as part of the group audit team.
NFRA has indicated it will move SA 600 in this direction. When that happens, the principal auditor's effort on group audits will increase materially. Fees will follow. Groups should anticipate this in audit planning conversations.
What groups should ask their principal auditor
If your company is a holding company with three or more material subsidiaries, ask the audit committee to have a specific conversation with the principal audit partner about the group-audit methodology. The conversation should cover:
Which components have been identified as significant and on what basis.
What instructions have been sent to component auditors, in writing.
How component auditor work will be reviewed and by whom.
What the group-level materiality is and how it compares to the standalone materialities at each component.
How intercompany reconciliations and eliminations will be tested.
How the timetable accommodates the component auditors' completion and the principal auditor's review.
If the principal auditor cannot answer these in detail, the group-audit methodology is thin. Fix it before fieldwork starts.
The smaller subsidiaries problem
A common temptation in fast-growing groups is to appoint different audit firms for each subsidiary based on cost or location convenience. From a consolidation perspective, this multiplies the principal auditor's review burden. Where possible, consolidating to two or three firms across the group simplifies the SA 600 work. Where multiple firms are necessary, the principal auditor's group-audit team must include resources dedicated to component coordination — not a partner managing it as a side responsibility.
Group audits are coordination problems disguised as accounting problems. The accounting standards on consolidation — Ind-AS 110, 111, 28 — are well-defined. The audit standard that ties them together at the group opinion level is where the work is done. Most groups underestimate the time, effort, and fee that a proper SA 600 group audit requires. The ones that underestimate worst are the ones that read about themselves in NFRA orders five years later.
References
