Firms of all shapes and sizes that conduct audits, reviews of financial statements or other assurance or related services engagements, will be aware of the need for their system of quality management (SoQM) to consider the firm’s use and evaluation of service providers and network resources, when complying with the International Standard on Quality Management, ISQM 1. 

Following the first year of implementation, the UK Financial Reporting Council (FRC) conducted an audit thematic review of how audit firms identify, categorise and assess network resources and service providers under ISQM (UK) 1, the UK version of the standard. The report shares examples of good practices and concerns from the biggest network firms and the FRC expects the findings will be useful to all audit firms.

The thematic review considers policies, processes, and procedures that firms have in place to: 

• identify service providers and network resources they rely on; 
• categorise and risk rate the service providers and network resources identified, if applicable (the standard does not require firms to rate network resources or service providers identified by significance or risk); 
• assess service providers and network resources that are relied on, including by reviewing the reporting and testing from networks and service providers; and 
• monitor the appropriateness of service providers and network resources on an ongoing basis.

The 40-page report also offers reminders on related ISQM (UK) 1 requirements, types of network resources and service providers, and shares some detailed observations on firms’ SoQMs. 

Identification of service providers and network resources

Firms should ensure that they identify all the service providers and network resources that are relied on by their SoQM, so that these can be understood and assessed.

☆ One good practice seen by the FRC is to use lists of service providers obtained from the firm’s procurement or accounts payable function to ensure that all service providers relied on by the firms SoQM are identified; another good practice is to obtain a list of invoices and payments for reconciliation.

Firms may want to check that their processes for identifying service providers and network resources include component auditors. 

⚠ Some firms do not include non-network component auditors as service providers, despite para A28 of the standard explicitly stating that this should be done. Nor are all network firms including network component auditors as network resources, despite para A175 of the standard explicitly using this as an example of network services.

Assessment of service providers

For firms to conclude whether a service provider and their resources are appropriate for use in a firm’s SoQM, they need to be assessed on an ongoing basis, this assessment needs to include the provider’s compliance with any relevant ethical and independence requirements.

☆ Using a combination of assessment approaches and evidencing review of a wide range of information to justify assessment of service providers are good practices. Using KPIs, standardised reports and historic performance, for instance, and tailoring (based on the provider) the types of information considered.

⚠ In some instances firms provide no evidence of how reports – such as Systems and Organisation Controls (SOC) reports from service providers – have been reviewed. 

⚠ Some firms do not justify how their assessment approaches provide sufficient assurance, which is based on how service providers are used in their SoQM.

Assessment of network resources

It’s important to remember that network resources may come from a global or regional network, another firm or provider in the network, or a service provider that is managed within the network.

☆ Good practices include:

• firms obtaining draft reporting from their networks which enable early sight of emerging findings, and can facilitate the design and implementation of timely mitigating actions; and
• receiving detailed information on offshore delivery centres, including key developments in or changes to the delivery centres’ SoQMs.

Firms need to ensure that network reporting is sufficiently detailed to enable understanding of the scope of the monitoring, testing performed and findings identified, and clearly evidence their review and evaluation of network reporting to support the extent of assurance taken.

⚠ In some instances, firms’ network reporting only shares findings on controls the network deemed relevant to member firms, and high-level reporting on the testing of IT controls and reporting only identifies findings, not the underlying testing of controls. 

⚠ At some firms, there is insufficient or no evidence of their review of network reporting and the underlying test procedures.

Annual evaluation processes

ISQM 1 and the other quality management standards (ISQM 2 and the revised ISA 220) have been effective from 15 December 2022, and many firms may now be approaching the time of their second annual SoQM evaluation. 

The FRC report reminds firms of the need to ensure that they have clear processes to identify and evaluate the severity and pervasiveness of any deficiencies relating to service providers and network resources – not least because these need to be reported to those responsible for performing and concluding on the annual SoQM evaluation. 

This is particularly important where deficiencies relate to pervasively used resources – such as audit methodology and audit software – that are fundamental to the performance of audits. The FRC saw widely differing approaches in how firms identify and evaluate deficiencies related to providers of audit methodology and audit software, and the report offers insights that all firms may want to consider.