The transition to new quality management (QM) standards is a journey rather than a destination because the three new and revised QM standards introduce a new QM approach, which is focused on proactively identifying and responding to risks to quality.
ISQM 1 requires firms to design, implement and operate a system of quality management (SoQM) to manage their engagement quality. Firms are required to:
- establish quality objectives;
- identify and assess the risks that could threaten the achievement of those objectives; and
- design and implement (then eventually evaluate and improve, if necessary) responses to mitigate those risks.
Some ISQM 1 requirements may seem similar to the old ISQC 1, but there are significant differences. ISQM 1 expands requirements in areas including governance and leadership, and resources) and introduces new SoQM components, including a firm’s risk assessment process, information and communication, and remediation.
The biggest change is probably the change in mindset, says Gill Spaul, Director of Quality (Europe), at accountancy network Moore Global. Importantly, there is a shift to proactivity in terms of taking a risk-based approach to managing quality and to tailoring the firm’s QM
Spaul says: “You’ve got to be thinking about the nature and circumstances of your firm, your clients and your staff, to identify what particular risks might impact you and your firm.” And risks today may be very different from risks tomorrow, as the pandemic and the Russia-Ukraine conflict highlight
This may seem like a lot for sole practitioners and small practices to take on board and implement. So it is important for firms to see that benefits – beyond compliance – can come from such an approach.
Firm benefits of an SoQM
Both short-term and longer-term benefits may arise from adopting an SoQM. In an ICAEW Insights article Sarah Flint, Managing Director of Benee Consulting, a provider of audit engagements, audit consultancy, training and file review services, offers some examples.
“If you work on your highest risks to quality, the seriousness of those risks will reduce over time. If your audit work has a quality focus, that new approach and culture will trickle into other work automatically,” says Flint. This could impact positively on job satisfaction for staff and the firm’s reputation with clients.
As audits tend to involve much interaction with audited entities, they are likely to notice an enhanced focus on QM fairly quickly. Longer term, the benefits for firms may also be evident during visits from ICAEW’s Quality Assurance (QAD) and other external file reviews, because of a reduction in queries.
“Better-quality audits will also inevitably reduce the risks of actions against the firm,” suggests Flint. Individual firms may not be alone in feeling the benefits of taking an approach that focuses more keenly on QM. “If all firms are doing this, insurance premiums may even be lower,” she says, optimistically.
All this would be good news for firms. Transitioning from a reactive system of quality control to something more proactive and risk-based is not a minor undertaking – even for those with existing and ISQC 1 compliant systems for quality control. There is a lot to do.
Resources from service providers
Many firms may want to use resources from service providers, but this must be carefully considered. One of the key concepts underlying ISQM 1 is that a firm is solely responsible for the design, implementation and operation of its own SoQM, even where it obtains resources such as manuals, tools and training from third-party service providers.
ISQM specifically requires firms to establish a range of quality objectives in relation to resources, including those provided by service providers. Firms will need to consider whether resources from service providers are appropriate for use in their SoQM and performance of engagements and are likely to need information from their service providers to do this.
To assist firms, the faculty has produced a guide, ‘ISQM 1: Use of resources obtained from service providers’, that aims to help both audit firms and service providers understand what’s required by ISQM 1.
Louise Sharp, Technical Manager, Audit and Assurance, says: “The guide should act as a helpful aid to highlight the QM requirements and the types of information that may help audit firms be in a position to identify and assess quality risks in relation to the quality objectives in ISQM 1 and the use in their firms of resources from service providers.”
The guide walks firms through the kind of information they may need from providers to identify and assess any quality risks that may arise from using their services. It covers four types of resources: methodologies, training provision, software and audit quality support services such as file review/technical consultations.
QM resource hub
This new guide is just one of the many resources the faculty (and its volunteers) are creating and collating to help firms on their QM journey, at the ‘Quality management in audit firms’ hub.
The QM hub also includes resources from the Audit & Beyond special edition in February 2022, along with more recent QM articles and other resources, including the faculty’s (paid for) online event series ‘Implementing ISQMs - Supporting audit firms on the journey’.
The three standalone events focus on:
• undertaking a quality risk assessment;
• developing a QM strategy; and
• using root cause analysis (RCA) in QM.
The ‘Quality management in audit firms’ hub page also includes links to valuable external resources, such as guidance from the International Auditing and Assurance Standards Board and its QM hub pages. Examples of what’s on offer include practical first-time implementation guidance on ISQM 1 and ISQM 2 and a factsheet on the clarified and updated definition of an engagement team in ISA 220.
ICAEW Insights
Articles to assist firms with their transition to the new QM standards are also available in an ICAEW Insights ‘Quality management’ special at tinyurl.com/AB-QM-Insights. Among the resources you will find articles on:
- approaches that firms and staff can take to developing the skills for this new era of QM;
- adapting to changes and circumstances within the firm and iterating for improvement; and
- RCA for small practices.
Root cause analysis
In the RCA article, the faculty looks at five ways that sole practitioners and other smaller audit practices can embrace RCA, as it becomes a requirement later this year. Among other things, it demystifies the process of RCA and highlights some of its potential benefits.
RCA is one aspect of the new QM standards that can seem daunting for many sole practitioners and small firms. So it is worth emphasising that RCA can turn out to be less onerous and more beneficial than many auditors are anticipating.
“RCA involves looking at an outcome and identifying the true root cause of that outcome, positive or negative, rather than taking the first obvious and superficial cause as the reason something happened,” says Paul Winrow, Audit Quality Partner at Mazars UK. Many firms may find they have already been doing this – without calling it RCA
Many auditors will have already been involved in efforts to follow up deficiencies identified during file reviews – internally, by a training organisation, ‘peer review’ by another registered auditor, or even following a QAD visit – trying to identify the causes and to stop them reoccurring.
This is the essence of RCA and you may just need to document this as RCA before expanding on it as you become more familiar with it, and explore its potential benefits. RCA can focus on success and share examples of good practices in audit. Where an audit is recognised as good quality, RCA can be used to identify causal factors that can be shared more widely – to good effect.
Reasons to be cheerful
Flint highlights some home truths that she suggests firms keep in mind as they transition to the new QM standards and continue their journey.
It is not about adding tasks, it is about changing to achieve a higher-quality result.
It is not about overnight success, it is about having a culture of continual improvement in quality.
It is not about blame, it is about helping everyone to achieve a consistent quality outcome together.
“I encourage firms to make a start, however small, and make regular time in the diary to revisit and build on the start that they make,” Flint says. “Don’t leave it until closer to the deadline – start now.”
Ultimately, the new QM approach is about capitalising on what a firm is already doing well and putting in place targeted actions to improve quality where this is not the case.
Moving from ISQC to ISQM
The new QM standards were issued by the International Auditing and Assurance Standards Board (IAASB) in 2020 and the Financial Reporting Council issued UK versions in July 2021. The new and revised QM standards for an audit firm’s responsibilities to design, implement and operate a system of QM are:
- International Standard on Quality Management 1 Quality Management for Firms that Perform Audits or Reviews of Financial Statements or Other Assurance or Related Services Engagements (ISQM 1);
- ISQM 2 Engagement Quality Reviews; and
- a revised ISA 220 Quality Management for an Audit of Financial Statements.
ISQM 1 requires a firm to have its SoQM designed and implemented by 15 December 2022, and its evaluation performed annually thereafter.
Audit & Beyond
This article was first featured in the July/August 2022 edition of Audit & Beyond.