ISQM 1 - Implementing Quality Management Procedures

  • Person icon Andy Holton
  • Calendar icon 11 July 2022 15:54

Previous articles in this series have looked at the assignment of responsibilities for ISQM. As well as the use of quality objectives to assess risk and how the risk assessment should drive the firm’s policies and procedures.

The final stage to consider is the implementation of those ISQM policies and procedures. And the ongoing monitoring remediation and evaluation of their effectiveness.

Two women sat at a desk looking at a report.
Podcast
ISQM – Getting Ready
David Norris talks about preparing for 15 December 2022 and what it means to undertake Root Cause Analysis.

 

 

ISQM 1 Policies and procedures

Circulation of the policies and procedures to all relevant partners and staff is a key part of implementation. They are not just another document to collect virtual dust on the compliance file!

The firm should document all communications about the circulation of the policies and procedures.

Also consider if any training or guidance on the implementation of the policies and procedures is required. Again, document the process to ensure all relevant partners and staff are included.

 

Ongoing monitoring

ISQM (UK) 1 requires that a firm establish a monitoring and remediation process. This need to:

  • Provide relevant, reliable and timely information about the design, implementation and operation of the system of quality management; and
  • Take appropriate actions to respond to identified deficiencies such that deficiencies are remediated on a timely basis.

An annual compliance review that includes a sample of completed audit engagements are existing requirements under ISQC (UK) and the Audit Regulations.

These will continue under ISQM (UK) 1. However, the new standard has more extensive requirements. This are concerning identifying, evaluating and responding to deficiencies. As well as the evaluation of the system of quality management.

In addition to file reviews other ongoing monitoring activities could include review of:

  • Any complaints about the quality of audit work or the conduct of an engagement partner.
  • The results of an external inspection of the firm’s audit work.
  • Reports published by regulators on their findings from inspection visits.

 

Evaluating and responding to deficiencies

Having performed monitoring activities, the firm is required to evaluate its findings. This is to determine whether any deficiencies exist. As well as identifying any deficiencies, the monitoring process should also highlight any positive outcomes arising from actions, behaviours or conditions.

This will help demonstrate the effectiveness of the system of quality management.

Root cause analysis is a technique for identifying the underlying circumstances that resulted in a deficiency in the system of quality management arising. Or, in short, what happened and why did it occur?

The root cause may not always be obvious, and it may require a detailed analysis to arrive at the true cause of the deficiency. It is important to strip away the more superficial reasons why a deficiency arose. This will help you to arrive at the fundamental reason for why the deficiency occurred.

So, for example if the audit team missed a technical issue – why was this?

The first answer is unlikely to be the root cause. If this was because the job was rushed at the end, then why was this?

And so, the process continues asking ‘why?’ again until you reach the route cause.

Whilst it is not required by the standard, root cause analysis can also be used where things went well to identify the reasons behind the good behaviour. So that, where applicable, this can be replicated on other engagements.

It is important that this process is documented. This is to evidence that the evaluation of deficiencies has taken place.

 

Evaluation of the system of quality management

The final stage is to evaluate the system of quality management and make any changes required because of the deficiencies identified.

This evaluation must be undertaken at a point in time and performed at least annually.

It would therefore make sense to do this as part of the annual audit compliance review required by the audit regulations.

You might also be interested in these articles…