ISQM: Preparing for the new Quality Management standards

To recap, there are two new standards that audit firms will need to consider:

• ISQM 1 which will require audit firms to set up quality objectives. Firms will also need to identify and assess the risks that could threaten the ability of the firm to achieve those objectives. Thus requiring firms to design, implement and evaluate a system of quality management in response to those risks.
• ISQM 2 sets out specific requirements for the engagement quality review. This is a key response designed to ensure audit quality, especially in higher risk engagements.

These new ISQM standards replace the existing requirements of ISQC 1. They have also required considerable changes to be made to ISA 220, the standard that covers quality management for an audit of financial statements.

The immediate focus for firms will be to assign roles and responsibilities. Followed by the performance of a risk assessment of their audit practice. And the need to modify their system of quality management in response where necessary. As it is this process that firms will need to have completed by December this year.

Firms will then have a further year to undertake their first evaluation of the system of quality management. This will allow time to carry out any remedial action.

The requirements of ISQM 2 and the revised ISA 220 will apply to audits of periods beginning on or after 15 December 2022.

The Quality Management Team

The standard makes clear that the firm’s chief executive or managing partner has ultimate responsibility and accountability for the system of quality management.

On occasion this responsibility could be shared by the firm’s managing board of partners (or equivalent).

For example when the firm’s chief executive/managing partner is not eligible for appointment as a statutory auditor.

As part of the adoption of the new standards, the firm will need to assign operational responsibility for the system of quality management.

In most cases this is likely to be the firm’s audit compliance partner. But there is nothing in the standard that says this has to be the case. Only that they too have to be eligible for appointment as a statutory auditor.

Other persons may also need to be assigned senior roles within the system of quality management. The firm’s ethics partner is likely to be assigned operational responsibility for compliance with independence requirements. And a separate individual may be given responsibility for the monitoring and remediation process to provide a degree of objectivity.

In assigning roles within the system of quality management, firms need to ensure that the individuals involved have the appropriate experience. As well as knowledge, influence and authority within the firm. Finally, they will need to have sufficient time to fulfil their assigned responsibility.

Additionally the firm needs to ensure that everyone understands their assigned roles and that they are responsible for fulfilling them.

In doing so this may reveal a skills gap that needs to be addressed. This can be through additional training. Or it may require a reallocation of other responsibilities to ensure that there is sufficient time available for the role that each individual has been assigned.

The Risk Assessment Process

At first glance the risk assessment process can appear to be a daunting one for many audit firms. The old standard ISQC 1 basically told firms what processes they needed to implement.

Firms will now need to work it for themselves. And they will need to have in place a system of quality management that is underpinned by their risk assessment.

Although it is worth mentioning that much of ISQC 1’s requirements remain as mandatory procedures in the new standard where they are of relevance to a firm.

It may be the case that many firms will not actually see any significant initial changes to their system of quality management. But they will need to have performed their risk assessment. This is to provide the necessary evidence that the system is sufficiently robust in addressing the risks to quality that the firm faces.

The risk assessment process will involve four separate stages:

1. Establishing the firm’s quality objectives

Although this may sound like a complicated task, for the majority of firms this is likely to be a fairly straight-forward process.

ISQM 1 sets out in detail quality objectives which we would recommend firms adopt directly from the standard.

These quality objectives are grouped into six areas as follows:

• Governance and leadership
• Relevant ethical requirements
• Acceptance and continuance of client relationships and specific engagements
• Engagement performance
• Resources
• Information and communication.

With perhaps the exception of some of the larger audit firms it is likely to be rare that firms will need amend or enhance these objectives. It should not take long to review the quality objectives as set out in the standard to confirm that this is the case. Or to identify any changes that are required.

2. Identifying and assessing the risks that could impair the firm’s ability to achieve its quality objectives

This is the stage of the process that could prove most problematic for firms. Seeking to identify the risks to audit quality that they face can be a challenge. Especially, given that it’s a task many firms will not have previously undertaken.

Most practitioners will have experienced occasions where audit quality has not been of the required standard. For example where highlighted by a complaint from a client or from comments made in the course of a regulatory inspection.

Such instances may help firms to identify certain quality risks. But how do firms go about ensuring that they have identified all potential areas of risk that they face?

This is a question that we have been considering at Mercia for some time now. And in doing so we have developed a database of potential quality risks that firms could face for each of the six quality objectives.

Firms will still need to assess the significance of each risk to their practice. After all, every firm will have its own set of circumstances which will throw up differing quality risks of varying potential impact.

We have sought to address this by identifying quality risks that are more likely to be relevant to smaller or larger firms. This is along with a core set of quality risks that are likely to be relevant to firms of all sizes.

3. Determining a suitable response to the identified quality risks

The firm’s system of quality management will need to incorporate policies and procedures that are responsive to the quality risks that have been identified. Our database tool will be of use by suggesting one or more possible responses to each potential risk. So, hopefully, at least one possible solution will be suitable for your practice.

The standard does set out a number of mandatory responses that should be incorporated into the system of quality management. These have been highlighted in the database tool so that they are not overlooked.

These responses are only required though when relevant to the firm in question. Smaller firms that do not act for public interest entities or have other higher risk audit engagements are unlikely to have to implement all the required responses, for example.

4.Amending where necessary the firm’s existing policies and procedures to ensure that they are responsive to the risks that have been identified

The amount of work that will be necessary to amend the existing policies and procedures will depend on how well the existing system already reflects the required responses to the identified quality risks.

It’s possible that a firm that already has a robust system of quality management in place given the nature of the audit engagements it has will see little change. But firms will still need to ensure that those policies and procedures are adequately documented.

Firms with weaker systems will clearly have more work to undertake in developing a system of quality management that is fit for purpose. And will need to make sure to implement this in good time before the December deadline.

For firms that utilise the Mercia audit methodology, we can confirm that it will be updated in good time for any changes that need to be made to reflect the new and revised standards.

Evaluation of the system of quality management

Firms may not be required to formally evaluate the system of quality management by December this year. But they will need to consider what the evaluation process will involve. This includes ensuring that it is adequately reflected in the documented policies and procedures of the system.

ISQM 1 contains significantly greater requirements on the evaluation and remediation of quality management systems than ISQC 1. It reflects how the system needs to continually evolve and develop. And how the firm’s situation and the regulatory framework in which it operates change. As such this might be an area where existing systems may see the greatest changes.

Those systems will for the first time have to incorporate root cause analysis as part of the remediation process. This is to ascertain the true causes of any quality issues that have arisen and which may require changes to the systems in place.

The firm’s policies will need to consider the circumstances when root cause analysis will be performed. It’s likely to be impractical to perform an analysis of all issues that arise as a result of a cold file review, for example.

Given that root cause analysis will be new for many firms, there may be a need to consider training requirements. This is to ensure that the firm has the necessary skills available to it ahead of the need to start evaluating the system of quality management from next year.

Conclusion

The adoption of the new quality management standards represents a major shift in the way quality needs to be addressed by audit firms.

The amount of work this will entail will vary from firm to firm. Generally, this will be based on how robust their existing policies and procedures are. But all firms need to be considering now what the implications are for them so that they are ready by the implementation date later this year.

Firms do not face this task alone though - Mercia are able to provide the resources needed to guide you through the process.