ISQM 1 implementation may seem daunting, particularly for the very small practice. So, to help get you started, and inspire you, Peter Hollis, a sole practitioner based in Sheffield, outlines his approach with some useful step-by-step advice.
Like Peter you may have been putting off doing anything because you are busy and you hoped someone could offer a simple solution. Given the nature and objective of the standard, it is not possible to offer a ready-made solution that will work for all practices. Peter has therefore rolled up his sleeves and come up with his own solution, which he is keen to share with others who are finding this a challenge.
“Once you get into it, it’s not that difficult and you will find that you are already doing most of the things you are required to do,” says Peter, who is of the view that small firms are likely to need at least a day for this.
Peter’s overall approach can be summarised in the following high-level steps:
1. Read the requirements in the standard (paragraphs 1-60), putting the application material to one side. Peter’s firm is not in a network, so he ignored any references related to networks. This gave him an idea of the scope of the standard.
2. Cut and paste the objectives into a word document. Peter ignored any requirements that weren’t applicable to his practice because of size or any other factors. He also reworded parts that he felt were difficult to understand to ensure that the meaning was clear to him and his staff. The standard is supposed to be scalable and can be adapted to the nature and circumstances of the practice. This gave him his quality objectives.
3. Complete the risk assessment. This involved making a list of threats that might mean that the quality objectives are not achieved. When Peter did his initial risk assessment, he discounted threats that were low risk or improbable.
According to Peter, the risk assessment is the most difficult part, because the knee-jerk reaction is that anything the staff miss will automatically be picked up by the sole practitioner. “You therefore need to pick this apart, listing what might go wrong or get missed,” explains Peter. How you mitigate these risks is set out in steps 4 and 5. The following types of risks may be relevant.
- The firm fails to comply with the requirements of ISAs, FRC Ethical Standards, ICAEW Guide to Professional Ethics and Company Law.
- The firm fails to anticipate future resource needs and as a result has inadequate resources to perform high quality engagements.
- Client confidentiality is breached.
- Not all audit work completed by staff is recorded on the file in support of conclusions reached.
To give an idea of scale, Peter identified 16 risks.
If the risk assessment is challenging, Louise Sharp, Senior Technical Manager in ICAEW’s Audit and Assurance Faculty, suggests that firms might want to start off by setting out key information about the nature and structure of their practice, the type of engagements performed and any future plans. This is also likely to be helpful to anyone seeking to understand or review the firm’s SoQM.
“Don’t forget that the risk assessment also needs to include quality risks related to any services provided externally that are connected to your audit work,” Peter explains. These might include cold file reviewers, IT suppliers, experts, component auditors (from firms not within the same network) or audit manual providers. He recorded any risks arising alongside the quality objectives.
4. Note the response alongside each risk. Peter set out what he does or will do to address (mitigate) the risk. Peter highlights that it is not possible to eliminate all risk and this is acceptable. Paragraph 34 of ISQM 1 provides a list of mandatory responses, so this step can also be done in conjunction with step 5 below.
5. Consider if, and how, you meet the requirements of the standard. Print out the ISQM 1 standard (paragraphs 1-60) on A3 paper so that there is lots of white space around it to write on. Peter went through each requirement and wrote down what he has done to satisfy it. Like Peter, you might find that the existing policies and procedures in your audit system and what you do at each year end as part of your Whole Firm Audit Review cover most of the responses needed. Peter then cross referenced them.
Peter also made a list of additional policies and procedures that were needed to comply with the standard in a separate word document and then cross referenced the standard to this.
You may find that you need to revisit your list of risks or responses, either because of this exercise or, in future, as a result of a change in circumstances. That’s OK because that is what ISQM 1 is all about – it is seeking to drive continuous improvement in audit quality.
6. Read ISA 220 (Revised), Quality Management for an Audit of Financial Statements. Peter considered whether there was anything further to be added in relation to his risk assessment or response. There may be nothing to add.
7. Read the application material to ISQM 1 and ISA 220 (Revised) and consider whether any changes are needed. Peter notes that some of the application material is more relevant to the larger or more complex firms, and networks, so there may be little or nothing to add.
8. Identify if ISQM 2 applies. Finally, Peter also highlights that where there are no engagements performed by the firm that may merit an Engagement Quality Review, ISQM 2 won’t be relevant.
“That’s it. The focus is not on perfection but having a quality management system that can be built on and, where required, drives improvement,” says Peter.