Implementation of ISQM 1 may seem daunting, particularly for the very small practice. So to help get you started, and inspire you, sole practitioner Peter Hollis, of Sheffield-based Hollis and Co, outlines his approach with some useful step-by-step advice.
Like Hollis, you may have been putting off doing anything because you are busy and you hoped someone could offer a simple solution. Given the nature and objective of the standard, it is not possible to offer a ready-made solution that will work for all practices. Hollis has therefore rolled up his sleeves and come up with his own solution, which he is keen to share with others who are finding this a challenge.
“Once you get into it, it’s not that difficult and you will find that you are already doing most of the things you are required to do,” says Hollis, who is of the view that small firms are likely to need at least a day for this.
The overall approach taken by Hollis can be summarised in the following high-level steps.
- Read the requirements in the standard (paragraphs 1-60), putting the application material to one side. Hollis and Co is not in a network, so he ignored any references related to networks. This gave him an idea of the scope of the standard.
- Cut and paste the objectives into a Word document. Hollis ignored any requirements that weren’t applicable to his practice because of size or any other factors. He also reworded parts that he felt were difficult to understand, to ensure that the meaning was clear to him and his staff. The standard is supposed to be scalable and can be adapted to the nature and circumstances of the practice. This gave him his quality objectives.
- Complete the risk assessment. This involved making a list of threats that might mean that the quality objectives are not achieved. When Hollis did his initial risk assessment, he discounted threats that were low risk or improbable.
According to Hollis, the risk assessment is the most difficult part because the knee-jerk reaction is that anything the staff miss will then automatically be picked up by the sole practitioner. “You therefore need to pick this apart, listing what might go wrong or get missed,” he explains. How you mitigate these risks is set out in steps 4 and 5.
The types of risks that may be relevant are:
- The firm fails to comply with the requirements of International Standards on Auditing, the Financial Reporting Council’s Ethical Standard, ICAEW’s Guide to Professional Ethics and Company Law.
- The firm fails to anticipate future resource needs and as a result has inadequate resources to perform high-quality engagements.
- Client confidentiality is breached.
- Not all audit work completed by staff is recorded on the file in support of conclusions reached.
To give you an idea of scale, during his risk assessment Hollis identified 16 risks.
If the risk assessment is challenging, Louise Sharp, a Senior Technical Manager in the faculty, suggests that firms might want to start off by setting out key information about the nature and structure of their practice, the type of engagements performed and any future plans. This is also likely to be helpful to anyone seeking to understand or review the firm’s system of quality management.
“Don’t forget that the risk assessment also needs to include quality risks related to any services provided externally that are connected to your audit work,” Hollis explains. These might include cold file reviewers, IT suppliers, experts, component auditors (from firms not within the same network) or audit manual providers. He recorded any risks arising alongside the quality objectives.
- Note the response alongside each risk. Hollis set out what he does or will do to address (mitigate) the risk, although, as he highlights, it is not possible to eliminate all risk – and this is acceptable. Paragraph 34 of ISQM 1 provides a list of mandatory responses that are required, so this step can also be done in conjunction with step 5 below.
- Consider if, and how, you meet the requirements of the standard. Print out the ISQM 1 standard (paragraphs 1-60) on A3 paper so that there is lots of white space around it to write on. Hollis went through each requirement and wrote down what he has done to satisfy it. Like him, you might find that the existing policies and procedures in your audit system and what you do at each year end as part of your Whole Firm Audit Review cover most of the responses needed. Hollis then cross referenced them.
He also made a list, in a separate Word document, of the additional policies and procedures needed to comply with the standard, then cross-referenced the standard to this.
You may find that you need to revisit your list of risks or responses, either because of this exercise or, in future, as a result of a change in circumstances. That’s OK, because that is what ISQM 1 is all about – seeking to drive continuous improvement in audit quality.
- Read ISA 220 (Revised), Quality Management for an Audit of Financial Statements. Hollis considered whether there was anything further to be added in relation to his risk assessment or response. There may be nothing to add.
- Read the application material to ISQM 1 and ISA 220 (Revised) and consider whether any changes are needed. Hollis notes that some of the application material is more relevant to the larger or more complex firms, and networks, so there may be little or nothing to add.
- Identify if ISQM 2 applies. Finally, Hollis also highlights that where there are no engagements performed by the firm that may merit an Engagement Quality Review, ISQM 2 won’t be relevant.
“That’s it,” he says. “The focus is not on perfection, but having a quality management system that can be built on and, where required, drives improvement.”
Elevating QM standards
The new and revised standards comprise:
- ISQM 1, International Standard on Quality Management 1: Quality management for firms that perform audits or reviews of financial statements, or other assurance or related services engagements, which replaces ISQC 1;
- ISQM 2 Engagement Quality Reviews; and
- a revised ISA 220 Quality Management for an Audit of Financial Statements
Key changes:
- Increasing firm leadership responsibilities and accountability, and improvements to firm governance;
- a risk-based approach focused on achieving quality objectives;
- standards modernised to address technology, networks and use of external service providers;
- increasing focus on the continual flow of information and appropriate communication internally and externally;
- proactive monitoring of quality management systems and timely, effective remediation of deficiencies;
- enhancing the engagement partner’s responsibility for audit engagement leadership and audit quality; and
- clarifying and strengthening requirements for a more robust engagement quality review.
ISQM 1 requires audit firms to have designed and implemented a system of quality management (SoQM) by 15 December 2022 and to perform an evaluation of the SoQM within one year of this date. ISQM 2 and ISA 220 (Revised) are effective for audits of financial statements for periods beginning on or after 15 December 2022.
Audit & Beyond
This article was first featured in the November 2022 edition of Audit & Beyond.