The new quality management standards ISQM 1 and ISQM 2 represent a step change in approach to quality considerations for firms that perform audits, reviews of financial statements, or other assurance or related services engagements. Moving away from the reactive ‘quality control’ approach to something proactive and risk-based may not seem like much of a step – but it is.
ISQM 1 requires firms to design, implement and operate a system of quality management (SoQM) to manage their engagement quality.
Firms are required to:
- establish quality objectives;
- identify and assess the risks that could threaten the achievement of those objectives; and
- design and implement (then eventually evaluate and improve, if necessary) responses to mitigate those risks.
Much of the material in ISQM 1 may feel familiar from the old ISQC 1, but do not be lulled into a false sense of security. ISQM 1 has expanded requirements in some areas (including governance and leadership, and resources) and introduces new SoQM components that were not addressed at all in ISQC 1 (including the firm’s risk assessment process, information and communication, and remediation).
On top of this, there is the shift to proactivity and, even more importantly, the fundamental concept that quality management must take place in the context of the nature and circumstances of the firm, and with regard to any events and conditions that are relevant. This is helpful for firms in that it facilitates scalability, but it will also be challenging to put into operation and deliver.
Every SoQM will require significant customisation in order to arrive at the best fit for a firm’s nature and circumstances.
Larger firms with many personnel, multi-layered operational structures and complex clients may have different quality challenges and face different quality risks than smaller firms with few personnel, flat organisational structures and less complex clients (even if they are both located in the same jurisdiction). One size definitely will not fit all. For this reason, designing and implementing an SoQM is a nuanced process that will require ongoing input from a firm, if it is to arrive at a solution that is both ISQM 1 compliant and fit for the specific conditions in the firm. This is not a small ask and, for many firms, it will require significant thought and planning and therefore significant time resources.
Firms may find their quality management journey during 2022 challenging, but hopefully it will also be rewarding. Quality management implementation offers firms opportunities to redesign and repurpose existing quality activities to make them more efficient and effective, and to appropriately mitigate the risks to quality that each individual firm faces. The end result should be improved engagement quality. But every firm will need to take its own journey, and if it is not already under way, I would encourage you to start now. Waiting until the eleventh hour is unlikely to be the best course of action.
When are the new standards effective?
International Standard on Quality Management (ISQM) 1, Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements, requires each audit firm to have a system of quality management designed and implemented by 15 December 2022.
ISQM 2, Engagement Quality Reviews, is effective for audits of financial statements for periods beginning on or after 15 December 2022.
About the author
Gill Spaul, Chair of ICAEW’s quality management working group and Director of Quality (Europe), Moore Global
Audit & Beyond
This article was first featured in the February 2022 edition of Audit & Beyond.