The brave new world of quality management in auditby
If you’re an auditor, you may have been quite busy since the start of the year and missed the International Standards on Quality Management (ISQM) 1 and 2. Julia Penny outlines the key considerations.
Now is a good time to start thinking about the work that will be necessary to implement these two new standards and the related ISA 220 Revised.
The FRC has issued these documents as consultations taking all of the requirements of the IAASB versions of the standards, but adding in existing UK pluses. The effective date is not until 15 December 2022, but don’t let that lull you into a false sense of security.
These are fundamentally different standards focussing on a risk-based approach to managing quality in audit and certain other reviews (See paragraph 5 of the consultation on ISQM 1).
The new standards
ISQM 1 deals with Quality Management for firms and will be the most onerous of the new standards to implement and therefore the one this article primarily discusses.
The requirements for Engagement Quality Control Reviews, now renamed Engagement Quality Reviews, are dealt with in ISQM 2. This sets out more detailed requirements for eligibility of the engagement quality reviewer and the work that must be done as part of such a review.
ISA 220, as now, deals with the requirements for maintaining quality on an individual audit engagement.
If we look at what is needed for ISQM 1, the first thing to note is that the standard requires firms to set out:
- Quality objectives (mostly specified in the standard)
- Quality risks ( these must be related to the firm’s circumstances and are the threats to achieving the objectives)
- Risk responses (a few of these are specified in the standard, largely replicating previous requirements in ISQC 1, but others must be generated by the firm).
This is a logical approach to risk management, as it should be responsive to the specific risks that each firm faces. But don’t underestimate how long it will take to establish and link the objectives, risks and responses.
ISQM 1 objectives
ISQM 1 tells us that the elements of a firm’s System of Quality Management (SOQM) address the following components:
- The firm’s risk assessment process
- Governance and leadership
- Relevant ethical requirements
- Acceptance and continuance of client relationships and specific engagements
- Engagement performance
- Information and communication and
- Monitoring and remediation process.
The standard also sets out almost 40 quality objectives (depending on how you separate the requirements) which firms must establish, as well as a requirement to consider if any other objectives are needed.
Having established the necessary quality objectives firms need to consider what the risks are to achieving them. The standard sets out certain factors that must be considered as part of the risk assessment, such as the circumstances of the firm and its engagements, but these do not all relate easily back to the objectives.
Firms will therefore need to consider all the quality objectives and all the factors as required in the risk assessment to establish where things might go wrong (ie the quality risks). Once they have established that a risk exists, firms need to establish a suitable response, which takes account of, for example, the impact and probability of the risk occurring.
As you can imagine, there is a lot more detail in the standard, but to give you an idea of the workload, so that you can start to plan your implementation, here is a quick list of some of the key to do items:
- Establish quality objectives;
- Undertake a risk assessment process to identify quality risks;
- Establish policies, procedures or other actions that will mitigate the risks (ie risk responses);
- Link the risk responses to the risks and the related quality objective(s);
- Write new:
- Quality management policies/procedures;
- Risk assessment procedures;
- Procedures for the use of network/service providers products and services;
- Engagement Quality Review procedures;
- Monitoring and remediation procedures including:
- new review questionnaires, if these are created in-house;
- root cause analysis procedures (RCA is mandatory for any deficiencies found).
- Train partners and staff in the new requirements.
This is going to be a time-consuming and iterative process and it will not be something where you can just buy a product off the shelf.
The core requirements of the standard mean that you will have to tailor any standard product to your circumstances. You also need to be able to demonstrate that any service providers and their products and services (such as ISQM 1 documentation) are appropriate for your needs, so don’t jump to buy something off the shelf without considering its suitability and quality.
You might also be interested in
Julia Penny is the principal of JS Penny Ltd which provides technical and training consulting on anti-money laundering procedures, auditing and financial reporting. Julia is a member of ICAEW Board and Council, chair of the ICAEW Ethics Advisory Committee and past chair of the ICAEW...