If you haven’t already started preparing for the introduction of the new quality management standards, which come into force this December, then you’re already behind the game.
Last summer, the Financial Reporting Council (FRC) unveiled its revised quality management standards for audit firms’ responsibilities to design, implement and operate a system of quality management. The change marks a huge shift in approach and mindset.
The new FRC standards, ISQM 1, ISQM 2 and ISA 220 introduce a new requirement for firms to proactively identify and respond to risks to quality. This new approach requires a firm to customise the design, implementation and operation of its system of quality management based on their own specific nature and circumstances. To do so, firms must apply an integrated approach that reflects on the quality management system as a whole.
Effective for audits of financial statements for periods beginning on or after 15 December 2022, the FRC “strongly” recommends early adoption.
The change is based on a shift from a reactive quality control mindset to a proactive approach to quality management to reflect the structural changes in business. The previous standardised ISQC 1 became effective in 2005. Despite subsequent revisions, the standards have been deemed outdated due to changes in the audit environment.
“The previous standard has been around for a long time. The quality management standards move from a reactive approach to a risk-based proactive managing approach to quality. The biggest change is probably the change in mindset,” says Gill Spaul, Director of Quality (Europe) at accountancy network Moore Global.
Spaul says the most important concept in ISQM 1 is the idea of tailoring quality management to an individual firm’s nature and circumstances. “You’ve got to be thinking about the nature and circumstances of your firm, your clients, your staff … to identify what particular risks might impact you and your firm. And risks can change over time – today’s risks may very well be different risks to those that impact the firm down the road. And that’s really important.”
Another huge change in concept relates to ‘events and conditions’, which are more relevant to the world that firms can’t control, such as a global pandemic or the Russia-Ukraine conflict.
Although standards experts acknowledge the reform will involve huge amounts of work for firms, ultimately it will improve quality frameworks for audit and assurance firms because the new standards aim to result in a more bespoke quality control management system.
“Once up and running, the quality system should not be static but should be continually reviewed and enhanced. If you do the risk assessment properly you will have a more focused risk profile specific to your firm,” says Paul Winrow, Audit Quality Partner at Mazars.
The standards include some mandatory objectives, but the standard-setters’ aim is for firms to take those mandatory objectives and tailor them to one’s own firm, which could involve adding extra granularity or combining some objectives together.
Winrow cautions against waiting for external service providers to issue a quality manual as in the past, because the new regime is not a one-size-fits-all approach. Moreover, it should be a dynamic, evolving approach, as risks change due to internal and external circumstances.
“People will see a mindset shift to that of more proactive quality management with great benefits. This is not just a compliance exercise. Firms should see more streamlined operations, improved quality and more targeted actions,” Winrow says.
Are you ready?
Unfortunately, there is no shortcut. The IAASB has published first-time implementation guides on ISQM 1 and ISQM 2 to help firms apply the standards, and ICAEW presented an introductory webinar last year, Quality management in audit firms, with further events planned.
It is advisable to break down the requirements into bite-sized chunks and allocate sections that can be progressed now as well as putting a partner in charge of the overall implementation process.
Experts advise against retrofitting the new standards to an existing regime as it could result in more complexities because the two approaches are so different.
Root cause analysis
The new standards require firms to perform root cause analysis, or a similar approach, on all deficiencies. Deficiencies are defined as a missing objective, unidentified risk, or an incorrect response to a risk.
Winrow says: “There’s not a generic risk that binds every audit firm, but this is my risk and this is my response to my risk rather than just a generic response to risks. The same applies with root cause analysis. If you identify the right root cause you can then take the right action rather than just taking the action that you think is right, without doing the analysis.”
During the first year of implementation, it’s expected that the FRC will work closely with firms to correct any unintended mistakes without any penalty.
Spaul says: “I’m hoping that people will recognise that this is a journey.”
ICAEW Know-How from the Audit and Assurance Faculty
This guidance is created by the Audit and Assurance Faculty – recognised internationally as a leading authority and source of expertise and know-how on audit and assurance matters. Join the Faculty to connect with like-minded professionals and gain access to essential guidance and technical advice.