Audit & Beyond

Learning from annual SoQM appraisals

Author: Andrew Jarvis

Published: 12 Jul 2024

Annual appraisals of systems of quality management offer opportunities to adopt good practices and avoid pitfalls. Andrew Jarvis shares some insights and tips for small and mid-sized firms.

The International Standard on Quality Management (ISQM (UK) 1) requires (in paragraph 53) that the individual(s) assigned ultimate responsibility and accountability for a firm’s system of quality management (SoQM) evaluate this on behalf of the firm. This SoQM evaluation should be undertaken as of a point in time, and at least annually.

As ISQM (UK) 1 became effective on 15 December 2022, all firms should now have performed an assessment of their SoQM at least once. However, when visiting firms, I am finding that many firms have not formally documented this annual SoQM evaluation, which is a fundamental requirement of the standard.

What does ISQM (UK) 1 require?

As explained below, the standard provides a clear framework on the conclusions which can be reached. However, it does not set out the process required in reaching this conclusion except to note that:

  • the individual assigned ultimate responsibility can be assisted by others in reaching their conclusion (but the conclusion is their responsibility alone); and
  • the information used to reach this conclusion will vary but will be based on the monitoring activities put in place under the firm’s SoQM. 

The amount of additional documentation that is required will vary depending on a number of factors such as, for example, the size and structure of a firm and the person with ultimate responsibility for the SoQM. In some scenarios, this person may also be the firm’s Audit Compliance Principal, and if they are closely involved with all aspects of the design and operation of the system, the amount of additional documentation required may not be significant. 

Why are firms not performing and evidencing their review? 

In the same way that ISQM (UK) 1 requires root cause analysis on deficiencies identified within the SoQM, it is worth asking why the formal evaluation is not being effectively performed or documented. In my experience, while speaking with a range of firms, the following reasons are provided:

  • lack of understanding of the requirement – many firms were understandably focused on identifying their quality risks and implementing suitable responses at the commencement of their ISQM (UK) 1 project; less attention was given to understanding the final step of the annual cycle;
  • loss of momentum – I have seen several firms fail to embed ISQM (UK) 1 into their cycle of compliance activities. Sometimes tasks such as monitoring and root cause analysis on identified deficiencies are inconsistently performed or not performed at all, and the same applies to the annual SoQM review;
  • uncertainty over what is required by the standard resulting in procrastination by firms; and
  • lack of understanding of when the conclusion should be documented. 

How and when should the review be performed? 

In larger firms it may be necessary for a detailed collation of information to allow the individual with ultimate responsibility for the SoQM to review this and document their conclusion. However, in a smaller firm, information for the SoQM may be more readily available. Some of the information necessary for an SoQM evaluation will arise from the firm’s existing audit compliance review, which is required at least annually by (reg 3.20 of) the UK Audit Regulations.

In performing the SoQM review I would expect the person with ultimate responsibility to evidence consideration of each element of the firm’s SoQM including:

  • the firm’s risk assessment (including how this has been updated);
  • the responses to mitigate identified risks, including the progress of these actions; 
  • a review of the firm’s SoQM policies and procedures; 
  • the outcomes of monitoring activities, for example internal and external cold file reviews performed in the period, and any visit from ICAEW’s Quality Assurance Department; and
  • the outcome(s) of root cause analysis performed and how this has fed into the revision to the firm’s risk assessment, responses and monitoring procedures. 

In many smaller firms, the person with ultimate responsibility is likely to have been involved in, or at least reviewed, each of these processes already. If they have not, or the documentation prepared by a larger firm is extensive, it may be necessary for summaries of these processes to be prepared. 

The process described above also answers the ‘when’ question. The logical time to conduct an annual SoQM review is at the end of your annual compliance cycle, once the detailed audit compliance review has been undertaken. 

What conclusion should be reached?

ISQM (UK) 1 provides clear guidance here as it sets out only three possible conclusions to be reached, as below.

A The SoQM provides the firm with reasonable assurance that the objectives of the SoQM are being achieved.
B Except for matters related to identified deficiencies that have a severe but not pervasive effect on the design, implementation and operation of the SoQM, the system provides the firm with reasonable assurance that the objectives of the SoQM are being achieved.
C The SoQM does not provide the firm with reasonable assurance that the objectives of the SoQM are being achieved.

There is an adage that on a multiple-choice question, the middle answer is often correct. I would expect the same to apply here as many firms will conclude that they fall into category B. The assessment must be based on the conclusions reached at the point the assessment is made, rather than for the whole of the previous period, but often deficiencies will exist, for example the identification of a recurring weakness from cold file reviews, or problems in the implementation of a previously agreed action plan identified from the firm’s annual audit compliance review.

My view is that unless recommendations stemming from the audit compliance review are minor in nature, a category A conclusion will not be appropriate. Clearly, if conclusion C is reached, a detailed understanding of the reason for this and the remediation required must be documented. I would expect conclusion C to be most likely if significant quality management issues are found following, for example, a significant loss of key personnel resulting in a substantial drop in audit quality, or following purchase of another firm, block of fees and/or clients, where pervasive quality management concerns are identified.

Where conclusion B or C is reached, a clear action plan must be drawn up. Again, this may not be onerous, as most actions will have been identified within the annual compliance review itself.

How should the conclusion be documented? 

For many firms, the level of documentation should be relatively simple. I would recommend that the following is evidenced: 

  • review of the information feeding into the SoQM assessment;
  • the conclusion (A, B, C) as outlined above;
  • brief justification of this conclusion; and
  • a summary of changes required to the ISQM (UK) 1 risk assessment and SoQM as a result of the review. 

Documentation matters

Documenting your annual assessment is a fundamental requirement of ISQM (UK) 1. If you have successfully implemented the other requirements of the standard, evidencing this assessment should be relatively quick and simple and allow a clear understanding of future improvements to your SoQM. If more pervasive deficiencies exist, the review is necessary to identify more significant changes and to develop an appropriate action plan. 

Andrew Jarvis, Managing Director, HAT Group 
