Demystifying Group Audits: Key Definitions and Requirements
By Charles Hall | Auditing
SAS No. 149, Special Considerations — Audits of Group Financial Statements (Including the Work of Component Auditors and Audits of Referred-to Auditors) defines what firms must do in group audits.
Sometimes, auditors have a group audit but don’t know it (as Michael Westervelt pointed out in his JOA article), or they are aware that a group audit is in play but don’t know the requirements. Either way, if your firm doesn’t comply with group audit standards and your peer reviewer notices, you’ve got a problem—sometimes a big one.
Group audits raise questions such as who is responsible for what. Below, I explain the responsibilities of the following:
- Group auditor,
- Group engagement partner,
- Component auditor and
- Referred-to auditor.
I also provide key group audit definitions and communication and documentation requirements.
I will use a question-and-answer format to explain the following:
- Group audits
- Group auditor
- Group audit partner
- Component auditor
- Components
- Component performance materiality
- Aggregation risk
- Referred-to auditor
- Number of audit firms
- Group audit documentation
Group Audits
What is a group audit?
It’s an audit of group financial statements.
But what are group financial statements? They are financial statements that include multiple entities or business units or the aggregation of financial information from entities or business units such as branches or divisions. Group financial statements include aggregating financial information from business units with separate locations, management, or information systems. (See A4 and A5 of SAS 149 for additional information.)
Here are examples of group financial statements:
- Consolidated financial statements (e.g., a parent company owns another company)
- Combined financial statements (e.g., two companies owned by the same person are combined)
- Equity method investment (a company reports an equity method investment on its balance sheet)
- Joint venture
- A government with a discretely presented component unit
- An entity organized by geography (e.g., an entity comprised of American, Mexican, and Canadian operations managed by three national management teams; each national reporting center has its own general ledger)
If you are auditing one of these, you are conducting a group audit, and specific audit requirements apply. If you are directing the audit, you are the group auditor; in some cases, other audit firms might participate.
Group Auditor
So, what is a group auditor?
It’s the group engagement partner and engagement team members other than component auditors (see component auditor definition below).
The group auditor performs duties including the following:
- Establishes the group audit strategy
- Develops the group audit plan
- Determines components to audit
- Gains an understanding of the group and its environment, reporting framework, and system of internal controls
- Takes responsibility for assessing group financial statement risks of material misstatement
- Takes responsibility for the performance of further audit procedures, including the work of component auditors and work related to the consolidation process
- Determines the resources needed to perform the audit, including any component auditors (see below)
- Determines the component performance materiality (see below) to address aggregation risk (see below)
- Directs and supervises component auditors and reviews their work
- Makes decisions about referencing the audit of a referred-to auditor (see below)
- Evaluates the conclusions based on audit evidence as a basis for the group audit opinion
- Evaluates whether sufficient appropriate evidential matter is present to support the group audit opinion (including the work of component auditors or through reference to a referred-to auditor’s opinion)
- Forms an opinion on the group financial statements based on the audit evidence obtained
- Communicates with those charged with governance (and management, when appropriate) about audit matters including:
  - an overview of the component auditor’s work
  - decisions to make reference to audits of referred-to auditors
  - any scope limitations
  - fraud or suspected fraud
  - internal control deficiencies
- Evaluates whether the audit documentation is sufficient to enable an experienced auditor (one with no previous connection with the engagement) to understand the following:
  - Nature, timing, and extent of audit procedures
  - Audit evidence
  - Conclusions about significant matters
When component auditors are in use, the group auditor has specific responsibilities, including the following:
- Evaluating the adequacy of component auditor communications for the group auditor’s purposes
- Determining the nature, timing, and extent of the component auditor’s involvement
- Being sufficiently and appropriately involved in the component auditor’s work
- Confirming that the component auditor understands and will comply with the ethical requirements
- Determining the component performance materiality (see below) to lessen aggregation risk (see below)
- Determining the appropriateness of the further audit procedures performed by the component auditor
- Reviewing component auditor documentation while taking into account the group financial statement risks of material misstatement and significant risks
- Evaluating the sufficiency and appropriateness of the audit evidence obtained from all components, including evidence provided by component auditors
The group auditor should communicate the following to component auditors:
- The component auditor’s responsibilities
- The relevant ethical requirements
- A request that the component auditor confirm that they will cooperate with the group auditor
- The need for timely communication during the engagement
- Risk assessment matters that affect the risk assessment procedures to be performed by the component auditor
- Matters affecting planned further audit procedures in response to group financial statement risks of material misstatement
- Significant risks of the group financial statements that have a bearing on the component audit procedures
- Related party relationships and transactions affecting the component
- Any events or conditions that may raise substantial doubt about the group’s ability to continue as a going concern (as related to the component auditor’s work)
Group Engagement Partner
Who is the group engagement partner?
The auditor responsible for the group audit.
The group engagement partner’s responsibilities include:
- Deciding that sufficient appropriate audit evidence can be obtained (including the use of component auditors and referred-to auditors) before accepting the engagement or making the decision to continue providing audit services
- Being sufficiently and appropriately involved in the group audit, including the work of component auditors
- Determining that the component auditor has appropriate competence and capabilities
- Determining the nature, timing, and extent of the component auditor’s involvement in the group audit
- Accountability for the group audit and compliance with standards
- Determining the appropriateness of significant judgments and conclusions
- Taking responsibility for directing, supervising, and reviewing the work of component auditors
Here are examples of different ways the group engagement partner can direct and supervise component auditors:
- Have meetings with or make phone calls to the component auditors about risk assessment, findings, or other issues
- Review the component auditor’s documentation
- Be a part of the component auditor’s meetings with component management
Component Auditor
What is a component auditor?
An auditor that audits a group audit component, such as a business subsidiary.
A component auditor (working with the group auditor) is a part of the audit team.
Component auditors can include:
- Auditors from a firm network,
- An audit firm that is not a network firm, or
- The group auditor’s firm (e.g., another office in the firm of the group auditor)
It is possible that all component auditors are from the group audit firm. It is also possible that component auditors include the group audit firm and audit firms external to the group audit firm.
The group auditor should ask the component auditor to communicate certain component matters, including the following:
- Matters that might affect the identification and assessment of the risk of material misstatement at the group financial statement level
- Related party relationships or transactions not previously communicated by the group auditor
- Identification of the information audited by the component auditor
- Whether the component auditor performed the requested work
- Noncompliance with laws and regulations
- Whether the component auditor complied with ethical requirements
- Corrected and uncorrected misstatements
- Possible management bias
- Deficiencies in the system of internal control
- Fraud or suspected fraud
- Any events or conditions that might affect the group’s ability to continue as a going concern for a reasonable period of time
- Any other significant matters communicated to the component’s management or those charged with governance
- Overall findings and conclusions of the component auditor
The group audit report should not reference any component auditors when component auditors participate in the group audit.
Components
What are components?
A component is any of the following:
- Entity
- Business unit
- Function
- Business activity, or
- Some combination thereof
The group auditor determines how components relate to one another for planning and performing audit procedures.
For instance, the group auditor might decide that the group audit firm will audit entities A, B, and C, and another firm (a component auditor) will audit entity D. In this example, the group audit firm and the component audit firm comprise the audit team.
In another example, the group auditor might decide that the group audit firm will audit entities A, B, and C and reference the audit report of entity D performed by another firm (called the referred-to auditor). The referred-to auditor is not a part of the audit team.
A component auditor needs to know what the component materiality is.
Component Performance Materiality
What is component performance materiality?
It’s the amount the group auditor sets to reduce aggregation risk (see below) to an appropriate level. The component performance materiality must be less than the group performance materiality.
Additionally, the component auditor must communicate any misstatements above a certain amount (component threshold) to the group auditor. The group auditor specifies this component threshold, and it should not exceed the trivial amount in the group financial statement.
For example, the trivial misstatement amount for the ABC Consolidated financial statements might be $75,000 (as set by Cole CPA firm), and the component threshold could be $25,000 for entity B, a component audited by the Gee Whiz CPA firm. If Gee Whiz identifies one misstatement of $15,000 and another for $55,000, it must communicate the second misstatement to Cole CPA firm, the group audit firm.
One unique risk in group audits is aggregation risk.
Aggregation Risk
What is aggregation risk?
It’s the risk that aggregate uncorrected and undetected misstatements might exceed the financial statements’ materiality.
Suppose the group auditor audits companies A and B, a component auditor audits company C, and the group audit materiality is $750,000. If company A has a passed adjustment of $300,000 in accounts receivable (an overstatement) and company C has an undetected misstatement in accounts receivable of $600,000 (also an overstatement), the aggregate of the uncorrected and undetected misstatements is material.
So, the group auditor needs to plan the engagement to keep aggregation risk at an appropriate level. One way to do so is to lower the materiality thresholds for the various components.
Sometimes, another auditor audits a component and issues an opinion on the entity. When this occurs, the group auditor can elect to reference the other auditor’s opinion.
Referred-to Auditor
What is a referred-to auditor?
An auditor who audits an entity that the group audit report references.
The group engagement partner can only make reference when the referred-to auditor issues an audit report on a component that is not restricted as to use.
A referred-to auditor is not part of the audit team or a component auditor.
Should the group auditor direct the referred-to auditor’s work? No, the group auditor does not direct or supervise the referred-to auditor or review their work. Even so, the group engagement partner should determine whether the referred-to auditor followed generally accepted auditing standards (GAAS) or the PCAOB standards. Additionally, the group auditor should read the component’s financial statements and the referred-to audit report to see if there are any significant matters.
Referred-to Auditor Example
For example, Big CPA firm might audit ABC Company and XYZ Company. Little CPA firm audits DEF Company and issues an audit opinion on it. Big CPA’s audit report can reference Little CPA’s audit (provided specific requirements are met; see below). Illustration 2 in SAS 149 provides a sample report for this situation.
Here’s a sample referred-to paragraph that would follow the Big CPA firm’s opinion paragraph:
We did not audit the financial statements of DEF Company, a wholly owned subsidiary, whose statements reflect total assets constituting 15 percent and 20 percent, respectively, of consolidated total assets on December 31, 20X1 and 20X0, and total revenues constituting 14 percent and 17 percent, respectively, of consolidated total revenues for the years then ended. Those statements were audited by other auditors, whose report has been furnished to us, and our opinion, insofar as it relates to the amounts included for DEF Company, is based solely on the report of the other auditors.
(Note – I bolded some words to highlight the language in this example paragraph. Standard audit opinions do not bold such wording.)
The purposes of this referred-to paragraph are to communicate:
- that the group auditor was not involved in the referred-to auditor’s audit, and
- the source of the audit evidence for the referred-to components
The group auditor can provide the magnitude of the referred-to auditor’s work in percentages or dollar amounts. (The example above uses percentages.)
The group auditor does not direct the referred-to auditor’s work, so the group auditor states that its opinion (concerning that portion of the group financial statements) is based solely on the referred-to auditor’s report.
Referred-to Auditor Communications
What communications should occur between the group auditor and the referred-to auditor?
The group auditor should communicate the related party relationships identified by group management, any other related party, and any related party transactions (that affect the referred-to auditor’s work) to the referred-to auditor.
Moreover, the group engagement partner should do the following:
- Make the referred-to auditor aware of relevant ethical requirements
- Confirm whether the referred-to auditor complied with the ethical requirements
- Determine whether the referred-to auditor has appropriate competence and capabilities
Referencing the referred-to auditor’s report may not be suitable if the group auditor believes the referred-to auditor lacks appropriate competence and capabilities or has not complied with ethical requirements.
The group auditor should request the following from the referred-to auditor:
- Identification of the component financial information on which the referred-to auditor issues a report
- Confirmation that the referred-to auditor will cooperate with the group auditor
- Related party relationships not previously identified by the group auditor or group management
- The auditor’s report of the referred-to auditor
Number of Audit Firms
So, do group audits always include more than one audit firm?
No, not necessarily. One firm can audit all entities in group audit financial statements. Alternatively, one or more component auditors from other audit firms can audit one or more components.
Here are examples of group audits:
- One firm audits all components comprising a consolidated financial statement
- One firm audits five entities comprising a consolidated financial statement, and another firm audits two entities included in that same consolidated financial statement
- For a governmental audit:
  - Audit firm A audits seven opinion units
  - Audit firm B audits a discretely presented component unit (one opinion unit)
- One firm audits a company that owns an equity method investment, and another firm audits the equity method investment company
- One firm audits all operations of a company in the United States, and another firm audits all operations in England (the company’s financial statements include all operations)
Exhibit A of SAS 149 (titled Relevancy of Requirements in Various Group Audit Scenarios) outlines the paragraphs in this standard that are relevant to various scenarios. The scenarios include the following:
- Group auditor – the group auditor carries out the audit, and no component auditors participate
- Group auditor and component auditors – component auditors are involved in the group audit
- Group auditor and referred-to auditors – the group auditor, in its audit opinion, makes reference to the referred-to auditor’s report, and no component auditor is involved
- Group auditor, component auditors, and referred-to auditor – the group auditor, in its audit opinion, makes reference to the referred-to auditor’s report, and component auditors are involved
So, see exhibit A for the pertinent SAS 149 paragraphs when performing a group audit.
Group Audit Documentation
What group audit documentation do you need?
Group audit documentation includes the following (this is not a comprehensive list):
- The basis for component determinations and how those were used in planning and performing the group audit
- The basis of component performance materiality and component thresholds for communication
- Your understanding of the group’s system of internal control
- The basis for your determination that component auditors possess sufficient competence and capabilities
- Evidence of the group auditor’s direction and supervision of the component auditor and the review of their work
- Communications with component auditors, including matters such as fraud, significant matters, or going concern
- For referred-to auditors:
  - Financial statements of the component
  - Referred-to auditor’s report
  - The basis for your determination that the referred-to auditors possess sufficient competence and capabilities
- The group auditor’s evaluation of, and actions taken in response to, findings or conclusions from component auditors or referred-to auditors regarding issues that could materially impact the group financial statements
Group Audit Summary
Here are summary points from the above:
- The group audit standards are often relevant when you audit an entity with multiple entities, divisions, or opinion units (governments).
- The group auditor (including the group engagement partner) directs a group audit, including a component auditor’s work.
- The group auditor does not direct the work of a referred-to auditor; a referred-to auditor is not a part of the audit team.
SAS 149 Effective Date
SAS 149 is effective for audits of group financial statements for periods ending on or after December 15, 2026.