To assist firms with enhancing their system of quality management and its annual evaluation, Lee Eagling and Gavin Leake share their top tips.
There are many learning opportunities for firms that are considering an annual review of their System of Quality Management (SoQM). Since the International Standard on Quality Management, ISQM 1, became effective on 15 December 2022, the UK’s Financial Reporting Council and ICAEW’s Quality Assurance Department have reviewed implementation by audit firms, then shared examples of good practices and key concerns (links to these and other QM resources follow this article).
Working with audit firms – of varying sizes – to assist with their initial SoQM implementations and ongoing monitoring activities, has also given specialist providers of training and support services some valuable insights. In this article we collate our 10 top tips to help firms enhance their approach to quality management and the annual SoQM appraisal.
1. Understand the requirements
Although this may seem obvious, we continue to see instances of many firms struggling to fully comprehend the ISQM 1 requirements. It seems as if some firms thought that merely identifying and assessing quality risks was sufficient to transition from ISQC 1 to ISQM 1. However, while it is risk-based, ISQM 1 goes beyond risk identification in isolation. Firms are required to evaluate their SoQM at least annually, at a specific point in time, using information obtained through their monitoring and remediation processes to reach one of three conclusions:
- The SoQM provides reasonable assurance that quality objectives are being met;
- The SoQM provides reasonable assurance, except for severe but not pervasive deficiencies; or
- The SoQM does not provide reasonable assurance.
This process results in a clear, documented conclusion that is essential to demonstrate compliance.
2. Assign roles and responsibilities
Assigning roles in the SoQM system is critical. Smaller firms may assign both ultimate and operational responsibility to one person but, where possible, splitting these roles can yield better outcomes. Clear segregation of roles and responsibilities can, for instance, promote accountability, objective assessments and clearer oversight.
In assigning ultimate and operational responsibilities for the SoQM, paragraph 21 of ISQM 1 states that firms shall ensure that each individual:
- has the appropriate experience, knowledge, influence and authority within the firm, and sufficient time, to fulfil their assigned responsibility; and
- understands their assigned roles and that they are accountable for fulfilling them.
ISQM 1 also requires the firm to undertake periodic performance evaluations of the individual(s) assigned ultimate responsibility and accountability for the firm’s SoQM and individual(s) assigned operational responsibility for the SoQM. Smaller firms may need external support to ensure objective assessments in this area.
3. Foster a quality culture
ISQM 1 emphasises a commitment to quality through leadership, which must be reflected in actions, behaviours and decisions. The leadership team should ensure that the SoQM is embedded in the firm’s culture and goes beyond just increased documentation, as highlighted, for example, in paragraphs 33 (b) and 33 (c)(ii) of ISQM 1.
Employees at all levels should be engaged in quality initiatives, fostering a sense of ownership. Historically, firms have tended towards a ‘carrot and stick’ approach to quality management, rewarding good performance but also addressing issues harshly. There is much to recommend a more supportive and consultative approach, where mistakes become learning opportunities, encouraging open discussions about potential barriers to achieving quality objectives.
ISQM 1 emphasises a commitment to quality through leadership, which must be reflected in actions, behaviours and decisions
4. Tailor responses to quality objectives
Responses to quality objectives should be tailored to each firm’s specific needs. While off-the-shelf manuals are useful to provide firms with a framework to work within, these require careful tailoring to avoid implementation of generic policies that do not suit a firm’s practice. For example, many firms have generic whistleblowing procedures that are not sufficiently tailored to a particular firm’s unique circumstances to be effective.
Firms should remember that ISQM 1 sets out a number of specified responses, which must be included when designing and implementing their responses, even though some of these do still require firms to tailor how they are incorporated into their policies and procedures.
Due to the need for tailoring their responses, smaller firms will often be reliant on service providers for certain aspects of their SoQM. Firms should ensure they have detailed the service providers they use and continually assess whether they are appropriate for use in their SoQMs and are thereby contributing to the achievement of their quality objectives.
Resources highlighted at the end of this article offer useful insights and best practice tips on service provider assessments.
5. Implement robust monitoring mechanisms
Monitoring and remediation processes should be in place to evaluate the design, implementation and operation of the SoQM. Cold file reviews, as mandated by ISQM 1, are a key component of monitoring and remediation. These reviews should be flexible, as there is not a ‘one-size-fits-all’ approach.
Some firms may be able to operate on a two to three-year cycle to cover all responsible individuals (RIs), depending on the extent of other monitoring activity in place. Others may need more frequent reviews, depending on factors such as the experience of RIs, the nature of engagements or previous monitoring findings.
Additionally, root cause analysis (RCA) should be embedded as an output of the monitoring activity to drive an effective remediation process. Effective RCA will do what its name implies – get to the underlying cause (or causes). All too often we see that firms do not appear to have dug deep enough when investigating causal factors. In turn this can lead to ineffective remedial actions, often with a false assumption that general update training will be sufficient alone.
Resources highlighted at the end of this article offer best practice tips on performing ISQM 1 root cause analysis.
All too often we see that firms do not appear to have dug deep enough when investigating causal factors
6. Enhance communication and training
Communication is vital in ensuring the success of a firm’s SoQM. Firms should implement feedback mechanisms that allow staff to provide input on the quality management system and suggest improvements. Conducting surveys to gather feedback, particularly on factors that impact quality, is encouraged. This feedback, combined with the output of monitoring activities, should be used to deliver focused training and feedback to individuals in areas needing improvement.
7. Proactively manage resource allocation
A balanced portfolio of clients among RIs and managers is crucial to preventing audit quality issues due to uneven workload distribution. Firms should also ensure that staff with responsibilities across different service lines have sufficient time and experience dedicated to audit work to maintain quality. Proper resource allocation is essential to avoid compromising quality due to overburdening key individuals.
8. Learn from undesirable outcomes
Adverse conclusions should be the exception to the rule and should not be seen as a common feature of ISQM 1 implementation, but they do offer valuable learning opportunities.
It is essential to acknowledge issues in the quality management system rather than glossing over them. Firms should be transparent about their shortcomings and reach the appropriate conclusion. Where this is adverse, firms should proactively address them through root cause analysis and appropriate remedial actions, even in scenarios where these actions may not be fully implementable in the short term. In cases where long-term remedial work is required, firms should implement mitigating responses to quality risks in the interim.
This approach will be viewed positively by monitoring bodies, as it demonstrates the proactive and risk-based nature of ISQM 1 in action.
It is essential to acknowledge issues in the quality management system rather than glossing over them
9. Focus on the positive
While it is important to address weaknesses identified through monitoring, it is recommended that firms should also acknowledge and build on positive aspects of their quality management systems. Highlighting successes and providing an opportunity to learn from them can motivate staff and offer useful comparisons between successful and problematic engagements. This positive reinforcement can help firms identify what works well, and applying these lessons to areas needing improvement may help to prevent findings that might lead to future deficiencies. This approach may also help to entrench a culture of quality and open communication within the firm.
10. Revisit the risk assessment
ISQM 1 is not a one-time compliance exercise; it requires ongoing attention and a commitment to the proactive and continual improvement of engagement quality and the SoQM. As part of the monitoring and remediation processes, firms should revisit their original risk assessment, identifying opportunities to reconsider their quality objectives and responses and enhance their policies and procedures. Circumstances change over time, and firms need to respond accordingly to ensure that their SoQM remains relevant and effective.
In summary
These tips emphasise the importance of a proactive, tailored, open and responsive approach to quality management. Firms should continuously engage in monitoring and remediation, assessing and enhancing aspects of their SoQM, while fostering a culture of quality throughout the organisation. Leadership commitment, resource allocation, effective communication and ongoing assessment of risks and responsibilities are essential components of successful ISQM 1 implementation. Taking these steps can help firms to comply with regulatory standards, serve the public interest (as envisioned in ISQM 1, paragraph 15), and maintain and enhance audit quality in the long term.
Lee Eagling, senior manager, Mercia, and member of ICAEW’s Technical and Practical Auditing Committee, and Gavin Leake, technical consultant, Mercia.
Quality management resources
- ISQM 1: relying on service providers and network resources – good practices and key concerns to help audit firms enhance their SoQM.
- ISQM 1: Use of resources obtained from service providers – an Audit & Assurance Faculty guide.
- Learning from annual SoQM appraisals – opportunities to adopt good practices and avoid pitfalls.
- ISQM 1: early findings from quality assurance monitoring – highlighting what ICAEW’s QAD has seen and will be looking for.
- Quality management in audit firms – a hub of resources from ICAEW and from UK and international standard setters and regulators.
- A thematic review of ISQM (UK) 1 root cause analysis – insights and best practice tips based on analysis of how UK firms are implementing ISQM 1.
- ISQM (UK) 1 Annual evaluation - a technical helpsheet offering guidance on complying with documentation requirements.