Some firms have not found it easy to interpret the requirements of International Standard on Quality Management (UK) 1 (ISQM1) and scale them to fit. In this first article, we’ll look at how and what to monitor, the second will cover what you do with your monitoring findings (including root cause analysis), and the third will look at remedial action, assessing its effectiveness and annual evaluation.
We are grateful to the firms that took the time to share their experiences to help us produce these articles.
What does monitoring entail?
Safeguarding audit quality relies on a system of continuous improvement. This involves ongoing self-monitoring, taking action to fix problems, and checking that your actions are effective. Sounds sensible, but what does it mean in practice?
ISQM1 talks about the factors that may influence how a firm carries out its monitoring, but, other than requiring cold file reviews, leaves it to the firm to decide what to do. The benefit being that the firm is free to scale its activities to suit, although of course the other side of the coin is the challenge in deciding what to do.
The easier part – cold file and other engagement reviews
You will probably be most comfortable with cold file reviews as they have been required for many years. The firms we contacted had not made any significant changes to their approach to cold file reviews in the light of ISQM1, but some had given more thought about the timing.
ISQM1 talks about the need for information to be timely which might lead some firms to have a more continual or frequent cold file review process. Whether this works for you may depend on how many audits you have and what you already know about audit quality in your firm.
If previous reviews or regulatory visits have not shown any signs of a problem, an annual cold file review process may be fine. At least one firm explained that, while it had a fair number of audits, it preferred to do the cold file reviews annually in one go because of the ‘weight of evidence’ it provided. However, if you know there are some issues with audit quality, you may wish to consider more regular reviews to enable you to gauge improvement.
There are other types of engagement reviews that may provide useful and timely evidence about audit quality. For example, Engagement Quality Reviews (EQRs), other hot file reviews, thematic reviews (focusing on internally set hot topics) or perhaps ongoing manager or other inflight reviews.
Some of the firms we contacted are gathering and harnessing the results of these reviews, for example, through regular meetings to discuss common issues, with some form of reporting to those responsible for audit quality. The smallest firms with very few audits and a small team may not have such opportunities, but if you are putting in the effort to do these reviews, why not make the most of them?
What else?
In addition to cold file reviews, you should already (under ISQM1) have set out your firm’s quality objectives, the related risks, and mapped out the ‘arrangements’ (procedures and controls etc) you have in place to address them. This is the core of your System of Quality Management (SoQM) and the place to start.
The firms we contacted had used a spreadsheet to set all this out, with columns for objectives, risks and responses. You may have something similar, either designed by yourself, or provided by a third party. We’ll refer to it as the ‘SoQM document’.
Your monitoring should be capable of identifying deficiencies that may exist in those arrangements, and not just those arrangements directly relating to individual audits that you can check in your cold file reviews. If you are a very small firm, these arrangements should not be too complex and therefore the monitoring checks needed may be quite straightforward, but you still need to think how you know they are in place and working as intended. You may be close enough to know, or you may need to go and check or ask others to confirm. There may be information from various sources you can call on, for example any complaints or other problems in dealing with clients which could indicate an issue with audit quality.
Your cold file reviews will also provide a test check on the effectiveness of your procedures and controls as the findings could indicate additional risks or weaknesses in your whole firm procedures. For example, your cold file review findings may help you to assess whether audit training has been well-targeted and effective.
Why not add an extra column to your SoQM document to record your monitoring checks?
Evidence of your monitoring could be a simple ‘reviewed by’ in your monitoring column along with your initials and date, with brief details of your checks and a note of any action needed/taken. Or a cross-reference to these details would suffice. Some firms have done something along these lines to good effect, making the SoQM document a living and useful tool, rather than something they file away and do not actively use.
Monitoring that fits the bill
Different aspects will need different types of monitoring. Monitoring processes can be very straightforward – for example you might review a policy document, say on engagement quality reviews or complaints, to check it is still appropriate and up to date.
Some of the firms we contacted have technical or audit committees that oversee the operation of the audit function. They tend to meet regularly (eg, quarterly) and consider details about training, appraisals, audit procedures and templates, EQRs and perhaps information about cold file reviews. These meetings form part of their monitoring activities, and the minutes would provide evidence of them.
There is likely to be an overlap with your annual Audit Compliance Review (ACR). For example, if you have audit staff, your ACR should check that all relevant staff have completed independence declarations, a requirement of the Audit Regulations as well as being specified as required by ISQM1. Similarly, demonstrating competence through relevant training is required by the Audit Regulations and will be a key element in addressing risks under the resources heading in ISQM1. ISQM1 also focuses on ethics awareness, and with the new CPD rules requiring ethics training, it would seem appropriate for your monitoring to check everyone has done what they should. As mentioned above, your cold file review findings can do part of the job of monitoring the effectiveness of training.
If you carry out and document your ACR separately (as the firms we contacted were generally doing), a reference to the ACR in the monitoring column of your SoQM document for areas of overlap should work quite well and avoid duplication of effort. You may want to combine your ISQM1 monitoring and your ACR as the operation of your quality management evolves. We’ll come back to this topic in the third article in the series when we look at annual evaluation.
Depending on the size of the firm, there could be a very short, or longer list of things that could or should be monitored. You don’t have to check everything every year - it would be sensible to prioritise based on risk. One of the firms we met was thinking in terms of a three-year monitoring cycle to make sure nothing is missed.
It may sound circular, but you should also be checking that your monitoring activities are appropriate. This may be simpler than you think. Some firms have added a monitoring section to their SoQM document to set out the various monitoring activities they do. An annual review of the document would therefore include this.
An overall review of your entire SoQM document can be part of your monitoring. You could evidence this with a sign-off at the foot, and resave the document each year to retain the history. Keeping a record of your monitoring is important.
A little thought can go a long way
The good news is that you are probably doing most of what is required already, although you may not have thought of it as ‘monitoring’ in any formal sense. Several of the firms we spoke to said they found ISQM1 to be very helpful in providing more of a structure to organising their thoughts and their monitoring. Ask yourself if you can demonstrate what you’ve done. What will you show to a Quality Assurance reviewer when they knock on your door? It’s possible you can make the most of what you already do, make your documentation work for you and make this much more than just a compliance exercise.
Help and guidance
ICAEW has a range of resources available to help you with ISQM1 compliance, visit our hub or contact our Technical Advisory Team for help in this area.
