It was, at one point, a rising star. NMC Health, born in the oil-lit prosperity of the Gulf, headquartered in Abu Dhabi and listed on the London Stock Exchange, presented itself as a gleaming symbol of modern healthcare enterprise: expanding fast, acquiring widely, and whispering promises of precision and profit in equal measure.

Behind the scenes, however, something older and sadder was unfolding. Familiar in corporate history, though always particular in form: a group structure expanding faster than control could follow, and a financial narrative that slowly detached itself from reality.

When NMC finally came crashing down in 2020, it wasn’t a quiet fall, it hit the ground under the weight of more than $4 billion in undisclosed debt, top brass walking out the door, and the company tumbling straight into administration.

muddywaters report

The collapse started after a short-seller named Muddy Waters published a report in December 2019, raising queries about the group’s financial performance and accounts.

Now, five years on, that collapse has moved into the courtroom. Ernst & Young (EY), NMC’s auditor during its years of artificial bloom, is facing a £2 billion negligence claim from the company’s administrators, Alvarez & Marsal. The accusation is clear: that EY, as group auditor, failed in its duty to detect the fraud that was quietly metastasising across NMC’s subsidiaries, and in doing so, signed off on financial statements that bore only a passing resemblance to the truth.

A group audit, or a performance of one?

At the centre of the case lies a standard: ISA (UK) 600 – Special Considerations – Audits of Group Financial Statements. While the trial is, technically speaking, a legal dispute, it has also become an implicit examination of how a group audit should be conducted, and what happens when its principles are followed in name, not in spirit.

To understand how it all fell apart, we need to look at how NMC was built. It wasn’t one tidy company, but a loose collection of over 200 businesses spread across different countries. Some ran hospitals, while others handled finances. Many were connected in ways that weren’t clear, through shared owners, off-the-books loans, and deals that didn’t always show up in the official figures.

Between 2012 and 2018, EY was responsible for auditing the group. But according to the lawsuit, it didn’t do enough to identify which parts of the business posed the biggest risks. Some subsidiaries were hiding huge debts off their balance sheets, and EY missed them. Transactions between companies inside the group, some involving debts that were never recorded, were either overlooked or wrongly accounted for.

It also came out in court that EY didn’t even know about some of the group’s major loans, amounting to hundreds of millions, at the time it signed off the accounts. That points to a serious disconnect between what the audit covered and what was really going on inside the business. To make matters worse, some of EY’s Middle East staff stayed on the job beyond the limits set by the UK’s ethical rules, raising doubts about whether their independence was properly protected. At the same time, component auditors may not have been sufficiently independent of the local management teams they were auditing, something that ISA 600 explicitly warns against.

And when NMC, in its final years, allegedly began threatening to terminate EY’s engagement, emails revealed that some senior EY partners considered whether to cave to client pressure. The audit, it seems, was no longer leading; it was following.

ISA 600 as a warning, not bureaucracy

This is not, in the end, just a story about missed files or misunderstood ledgers. It is a case about what a group audit is supposed to be.

ISA 600 doesn’t merely provide a checklist for multinational audits, it offers a philosophical lens: it warns that group structures can conceal as much as they reveal, and that unless auditors exercise judgment, scepticism, and coordination across the entire group, the financial picture will always be incomplete.

And yet, what happened at NMC reads like a list of ISA 600 principles turned on their head:

• Significant components with related-party transactions were not treated as high-risk.
• Work performed by component auditors wasn’t sufficiently directed or reviewed.
• The independence and ethical compliance of component auditors may not have been confirmed or enforced.
• The consolidation process lacked scrutiny, letting liabilities disappear into the fog of intercompany complexity.

And then, of course, there is the final irony. EY has claimed, in its defence, that it was the victim of a “pervasive and collusive fraud”. The NMC’s management deliberately misled the firm, concealed documents, and forged evidence. That much may be true. But the profession must ask: isn’t that exactly the scenario group audit standards were designed for?

A centre that did not hold

In the end, the most haunting part of this saga isn’t that a fraud happened. Frauds will always happen. It’s that the system of safeguards meant to catch it, cross-border oversight, ethical gatekeeping, professional scepticism, quietly gave way under the pressure of speed, deference, and perhaps, commercial convenience.

ISA 600, had it been followed not just procedurally but philosophically, might have told a different story. A story where components weren’t assumed to be compliant, but treated as suspects until proven otherwise. Where independence wasn’t a form signed, but a boundary enforced. Where the group auditor led with doubt, not comfort.

That story, however, was never written!

In Part 2, we’ll step inside ISA (UK) 600 itself, to explore what it says, what it demands, and how its guidance, when ignored, quietly made the collapse of NMC Health not just possible, but inevitable.