ISQM (UK) 1 requires that firms that perform audits or reviews of financial statements, or other assurance or related services engagements:
- design and implement a risk assessment process to establish quality objectives;
- identify and assess quality risks; and
- design and implement responses to address those quality risks that have been identified.
However, ISQC (UK) 1 required a firm to establish and maintain a system of quality control. This was to provide reasonable assurance that the firm was complying with all professional, legal and regulatory requirements and that reports issued were appropriate. In essence, it jumped straight to the output from the third bullet point.
Transitioning from ISQC (UK) 1 to ISQM (UK) 1 is therefore about moving from a standard that states the matters to be addressed in a firm’s procedures to one that specifies a risk assessment process as the driver of the content of those procedures.
ISQM (UK) 1 therefore requires a fundamentally different, risk-based approach to developing a firm’s procedures, although in many cases the resultant procedures may be similar.
The ISQM risk assessment process
Moving to ISQM (UK) 1 is therefore primarily about establishing the risk assessment process. This will involve gathering information from a number of different sources, which can help identify potential quality objectives, quality risks and responses. These sources include the following:
- The quality objectives specified in ISQM (UK) 1.
- The results of the firm’s internal monitoring procedures under ISQC (UK). This includes reviews undertaken by an external provider such as Mercia.
- Information arising from complaints and allegations received about failures, particularly failures to act in accordance with professional standards and legal and regulatory requirements, or non-compliance with the firm’s policies or procedures.
- The results of external inspections undertaken by regulatory bodies.
- Information from regulators about the entities for whom the firm performs engagements which is made available to the firm, for example information from a securities regulator about such an entity (e.g. irregularities in its financial statements or non-compliance with securities regulation).
- Changes in the system of quality management that affect other aspects, for example changes in the firm’s resources (e.g. the acquisition of an existing practice or the expansion of the range of audit and assurance services being offered by the firm); and
- Other external sources, such as regulatory actions and litigation against the firm or other firms that may highlight areas for the firm to consider. The outcomes of disciplinary action undertaken by the FRC and other regulators, which are made publicly available, are useful for this purpose, as are the findings from their monitoring activities.
Policies and procedures
The risk assessment process envisages responses in the form of policies and procedures being implemented, with the aim of countering the quality risks that have been identified.
However, ISQM (UK) 1 does include a number of specified responses. These must be incorporated into a firm’s system of quality management unless the circumstances of the firm and its engagements do not warrant such a response being implemented.
This means that a firm’s policies and procedures produced under ISQM (UK) 1 should reflect the risk assessment undertaken and, as a result, be specifically tailored to the requirements of the firm.
Taking a set of standard procedures prepared by a provider such as Mercia and putting the firm’s name at the top did not comply with ISQC (UK) 1. It will certainly not comply with ISQM (UK) 1!
Next steps in ISQM
The next stage in moving to ISQM (UK) 1 is to use the quality objectives included in the standard as a framework for identifying the risks that apply to the firm and how they apply. This process is as important as the policies and procedures.