What's changed
The International Standard on Quality Control, ISQC 1, is being replaced by two international standards on quality management:
- ISQM 1- focusing on quality management at the firm level
- ISQM 2 - addressing engagement quality reviews
ISA 220 has also been significantly revised. This auditing standard addresses quality management at the engagement level.
The move from quality ‘control’ to quality ‘management’ represents a shift from retrospective appraisal of quality and a focus on compliance to a more pro-active risk-based approach to managing audit quality.
Many audit practitioners may already take a similar approach, but the new standard brings this into focus.
The transition process
Firms will need to design and implement their system of quality management by 15 December 2022 and then evaluate it within a year of this date. ISQM 2 is effective for audits of periods beginning on or after 15 December 2022.
ISQM 2 includes a wider scope of entities and not just those that are listed. It has more robust eligibility requirements relating to reviewers and the standard includes enhancements in relation to the review of engagement performance and how engagements are conducted.
How does ISQM 1 work?
Firstly, Jeremy recommends that you read the standard along with these useful IAASB implementation guides (please note that they do not contain all of the specified responses required in the UK).
The standard introduces eight components to be addressed in a system of quality management:
- Governance and leadership
- Relevant ethical requirements
- Acceptance and continuance
- Engagement performance
- Resources
- Information and communication
- Risk assessment process
- Monitoring and remediation process
The risk assessment and monitoring and remediation components are processes. Firms need to establish quality objectives for the other six components.
The risk assessment process
Risk assessment should be familiar in the audit space. Firms need to firstly think about the quality objectives they are trying to achieve in relation to these components.
Firms then need to think about what the quality risks are to not achieving these objectives and then design and implement responses to address these risks. If there is a reasonable possibility that the risk will occur and adversely affect the achievement of the quality objectives (either alone or in combination with other factors) then this presents a quality risk.
The process should involve three steps:
- Set objectives
- Identify and assess quality risks
- Implement responses
1. Set objectives
ISQM 1 includes several quality objectives that are likely to apply to your firm, but firms may need to establish others (for example, there may be objectives set by a network).
Objectives covering the six of the eight components noted above can be found at paragraphs 28 to 33 of the standard.
2. Identify and assess quality risks
You could start with a blank sheet of paper and discuss what the challenges or failings might be in terms of the risks to audit quality. Pre-populated risk menus are available from commercial providers but may be very prescriptive. Here is an example of questions posed by one system available on the market:
- What, in brief, are the firm’s current strategic goals?
- Does the firm (or does it intend to) specialise in a particular service, industry sector or expertise?
- Which of these statements best describes the role audit is expected to play as one of the firm’s services in the medium term?
- Does the firm’s strategic direction lead to the risk that audit quality will not be (or not perceived to be) one of the firm’s priorities?
An example of a governance and leadership risk might be a relatively low percentage of the firm’s fee income (eg 5%) being derived from audit work with larger focus on, say, tax advisory services. This could present a risk that there is insufficient investment in audit, that the firm may be inclined to use audit as a gateway to tax work and that there may be crossover between tax and audit clients raising further ethical considerations.
The key to your design of your system of quality management will be thinking through your firm’s quality objectives, and the risks that may preclude you from achieving these objectives, based on the nature and circumstances of your firm. This will be an opportunity for firms to consider their priorities.
3. Implement responses
The IAASB version of the standard includes six specified responses. The FRC has added 13 more for adoption in the UK.
Once you have compiled a list of quality risks, look at the specific responses you are required to implement. Are there risks left to address? If so, set out how these will be addressed and by whom. Are there mandatory responses where the firm hasn’t identified a quality risk?
In summary:
- Work out your quality risks
- Devise a priority list of those risks
- Agree responses – many of these will be pre-set; a few may be excluded (for example, if you are a small firm that does not act for Public Interest Entities)
- Construct tailored responses to any identified risks not covered
Monitoring and remediation process
Monitoring should be response by response. As a response is created you should think about how that response can be monitored, checked and recorded and who this should be assigned to.
When something goes wrong, the firm will need to conduct a root cause analysis (‘RCA’) to ensure the issue doesn’t recur. This is a tool QAD expect firms to use to find out what the issue at the heart of the problem is. If you identify a skills gap in this area, attending a root cause analysis course can improve RCA capabilities.
Jeremy’s ten tips for ISQM implementation
Jeremy’s ten tips for ISQM implementation are:
- Read ISQM (UK) 1
- Assess your current approach. Do you need to switch your paper manuals and forms to electronic?
- Find out what your team thinks. Identify your practice’s strengths and weaknesses, and gain partner feedback.
- Start with leadership and governance. This is particularly important where the managing partner in a firm is not the audit partner in terms of creating the right firm culture.
- Don’t miss the appointment stage. Avoid taking on clients who will challenge the firm’s ability to manage audit quality.
- Be honest about priorities. Look at what the firm spends money on, whether that’s IT, methodology software or training for audit team members.
- Refocus on prevention rather than cure. For example, identify key problem areas identified in file reviews.
- Plan monitoring as you go through responses
- Get familiar with RCA (root cause analysis)
- Consider getting external support