In December 2022, the new International Standard on Quality Management (ISQM) 1 Quality management for firms that perform audits or reviews of financial statements, or other assurance or related services engagements becomes effective. Firms are required to design, implement and be operating an ISQM 1-compliant system of quality management (SoQM) by 15 December and to evaluate it during the year following this date.
What QAD expects
The ICAEW Quality Assurance Department (QAD) has no predetermined view on how a firm should approach ISQM 1, or precise detail of documentation. But from 15 December 2022 it will want all audit firms to be able to:
- show QAD reviewers the key matters identified in the firm’s risk assessment, with reference to the nature of the firm, its audit partners, staff and audit clients; and
- explain what impact these have on quality objectives and how these are addressed in the firm’s responses to those quality objectives.
Making progress
Some small firms are still at the early stages of implementation; others are more advanced and have insights to share (see pages 14-15 and tinyurl.com/AB-ISQM1-Practice).
To those who have yet to embark on this journey, Rachel Davis from 14-person firm Just Audit says: “Make sure you immerse yourself in understanding it before you get started. There are plenty of good webinars to get a feel for it before diving in.”
It’s also a good idea, she says, to prepare for a future where your SoQM and compliance with the ISQMs are iterative processes: “You’re never going to get it perfect from the word go. Pick up your pen and do something.” Also, she advises regularly dedicating some time to your ISQM implementation, if appropriate, with other members of your senior management team.
Help for smallest firms
To assist very small firms with their ISQM 1 preparations, the faculty has information, tips and a resource list. This aid can also be found along with other practical insights and implementation guidance at our ‘Quality management in audit firms’ hub.
The length of your ISQM 1 ‘To Do’ list and how easily you can address these things will vary between firms, but if you have consistently received good results for audit quality inspections and for hot or cold file reviews, then you may have cause for optimism. “If your established ISQC 1 procedures are fit for purpose, much of what you do currently will probably still be relevant,” says Louise Sharp, Senior Technical Manager, Audit and Assurance.
It is highly likely that some changes will be necessary. With some risks to quality, your existing responses (policies and procedures) will still be fit for purpose, but some responses will need adjusting and, for some scenarios, new responses will probably be necessary. ISQM 1 requires you to be much more proactive than the ‘reactive’ ISQC 1 that firms are used to and to take a tailored approach to risks to quality management.
Risk-based approach
ISQM 1 requires firms to consider the nature and circumstances of their own practices and to adopt a proactive, risk-based approach to managing audit quality. This is similar to the risk-based approach taken to audit engagements, so it should not be unfamiliar. As experienced financial statement auditors, you will already possess the necessary skills; you know how risk assessments work and you know your firm.
The tips and other resources from the faculty (at tinyurl.com/AB-ISQM1-Help) include:
- an outline of components to address in an SoQM; and
- an approach to designing an SoQM.
The list of potentially helpful resources suggested by the faculty is comprehensive and includes articles, webinars and various types of guidance from ICAEW and other trusted sources, such as the International Auditing and Assurance Standards Board.
The emphasis is on material that will be of most assistance to the smallest audit firms. There is plenty of practical information and tips. If you diligently work your way through the list of resources suggested by the faculty, you should be well on your way to grasping many of the basics, such as how to:
- identify, articulate and establish your quality objectives;
- determine whether your firm needs additional quality objectives on top of the mandatory ones in the standard;
- undertake a quality risk assessment – identifying, articulating and assessing the risks that threaten those objectives;
- identify opportunities to scale ISQM 1 to fit your firm’s nature and circumstances;
- use root cause analysis in quality management (it’s something you may be doing already, without realising it);
- factor ISQM 1 requirements into your firm’s decisions on and use of resources obtained from external service providers; and
- monitor and revisit your SoQM in the year following its 15 December 2022 implementation deadline – and beyond.
Quality and efficiency
For some of the smallest firms with few audit clients, the transition to ISQMs can seem daunting, particularly as this is not the only area where they will need to adopt and adapt to some major changes from 15 December 2022.
There is, however, cause for optimism. Development of the SoQM for these smaller firms will certainly be much easier compared with a larger and more complex firm. However, as QAD observed in a recent article on ISQM 1: “Firms of two or three principals, and particularly sole practitioners, will need to ask themselves some potentially difficult questions about their firm and the position of audit within the firm.”
How do we ensure that we keep up to date with changing auditing and ethical standards, and simply maintain our core audit competence when acting for just one or two audit clients?
How do we devote sufficient time and resources to high-quality audit work, when fees are just 10%, 5% or less of total firm revenue/activity?
Driving future improvements
In the longer term, a proactive risk management approach may create efficiencies in your practice by targeting responses that address the specific risks your firm faces, rather than focusing on responses that are less relevant to your own firm’s nature and circumstances.
So, although it may sometimes seem as if there is a great deal to understand and do before and after the 15 December implementation deadline, which could well be the case, the journey is not necessarily as long or as complicated as you may expect and the results may be much more beneficial than you are expecting, too.
Positively better
As you implement ISQM 1, the move from a reactive to a proactive and risk-based system of quality management won’t just change your systems and processes, it may also change your mindset – and for the better.
Comments from auditors include:
“The new quality management standard makes you put procedures in place that you probably ought to have had in any case.”
“It makes you think harder about all sorts of different things.”
“We ask our audit clients what are their risks. Why haven’t we done it ourselves?”
“It helps to structure and stimulate conversations about potential areas of risk. The size and nature of your team, your clients, the software that you use…”
Components to address in an SoQM
ISQM 1 identifies eight components to address in an SoQM:
- The firm’s risk assessment process
- Governance and leadership
- Relevant ethical requirements
- Acceptance and continuance of client relationships and specific engagements
- Engagement performance
- Resources
- Information and communication
- The monitoring and remediation process
ISQM 1 includes mandatory quality objectives for six of the eight components (paragraphs 28-33 of ISQM 1). There are no mandatory objectives for risk assessment or monitoring and remediation.
Audit & Beyond
This article was first featured in the November 2022 edition of Audit & Beyond.