Quality control for audits moves to quality management

  • Mercia Group
  • 15 April 2019 00:00


The IAASB has now issued consultations on two new standards, ISQM 1 and 2, to replace ISQC 1, together with planned changes to ISA 220 on quality management at the engagement level. As you might have guessed from the title, ISQM stands for International Standard on Quality Management, and the new title references the move to a system of quality management, rather than one of quality control. At this point you might be asking yourself what on earth the difference is between these two concepts; the answer is essentially that a quality management approach is a risk-based one, rather than simply setting quality control procedures that all firms must follow.

The impact for SMPs

The IAASB has specifically addressed how the proposed new ISQM 1 will impact smaller and medium-sized practices (SMPs). It starts off by saying that firms will need to be proactive, responsive and thoughtful in designing, implementing and operating their risk-based approach to quality. This would be required for firms of all sizes, but for smaller firms it might be that some areas do not create risks and so do not require a risk response (e.g. a related procedure). For example, a sole practitioner does not have any staff to direct and supervise, so obviously does not need policies and procedures in this respect.

However, the way that a risk is responded to might also be very different for a smaller firm. For instance, in a small firm a culture of quality might be maintained by the day-to-day interactions of staff and principals. However, a larger firm is likely to need extensive procedures such as appraisals, regular communication with staff, bonus systems and formal training to ensure that a consistent, appropriate culture is embedded throughout the firm.

How does the risk-based approach work?

The new approach sets out quality objectives, which are based on outcomes (i.e. do the controls yield the required results?), rather than just setting out specific procedures which may or may not be relevant and effective. All firms must take an approach which covers the following steps:

  1. Identify and assess the firm’s quality risks;
  2. Design and implement responses to those risks;
  3. Design processes related to monitoring and remediation.

This approach will require considerable effort and changes in the current quality control requirements that firms implement. However, it is expected that the requirements will be directly scalable depending on the size and complexity of the firm and its clients. The IAASB believes that the new system will generate the following benefits:

  1. A system tailored for the nature and circumstances of the firm;
  2. Facilitating a proactive response by the firm to changing circumstances or risk and promoting continual improvements;
  3. An increased emphasis on monitoring the system as a whole and timely and effective remediation;
  4. Improved integration of the components of the system.

Elements of the system

The ED sets out the following diagram of the components of a system of quality management:

The overall quality objectives set out in the ED are similar to the current ones in ISQC 1:

  1. The firm and its personnel fulfil their responsibilities in accordance with professional standards/law;
  2. Engagement reports issued by the firm are appropriate.

Establishing quality objectives

The proposed standard sets out quality objectives in relation to the elements of a quality management system as set out above. The draft also sets out some specific responses to identified risks which firms must comply with. For instance, the firm must assign ultimate responsibility for the system of quality management to the firm’s managing partner/board of partners or equivalent and those people must have appropriate knowledge and experience to fulfil that role.

So although the standard is trying to be a risk-driven regime, it has still taken the route of mandating areas where it feels there are clear quality objectives and clearly required responses. If you read through the exposure draft you will see very many of the requirements are familiar from ISQC 1, such as ensuring there are appropriate procedures for consultation on difficult or contentious matters.

On the plus side this should make it easier for firms to understand what they need to consider in terms of risks and the relevant responses, rather than just being given a blank piece of paper. The danger is that this might limit the ability of the firm to be truly responsive to its own circumstances and it creates a list of mandated items which firms must ensure are addressed.

As well as the quality objectives set out by the draft ISQM 1, firms must include additional quality objectives where their risk assessment identifies that a risk has a reasonable possibility of occurring and would have a significant effect on the achievement of the quality objective.

Responses to risks

Quality objectives all require a response - in most cases this will be a procedure or policy, or a requirement to communicate, for example. Just as for the quality objectives, the draft standard sets out lists of responses which must be covered. For instance, firms are still required to establish policies and procedures addressing the nature, timing and extent of the direction and supervision of engagement teams and review of their work. This is in response to the quality objective of ensuring that there is appropriate direction and supervision of the engagement team and review of the work done. However, as for the quality objectives, as well as the required list of responses, firms will need to consider whether any other responses are needed or how to implement the required responses where this is relevant.

Evaluating and identifying deficiencies

One new aspect of the standard is the response required to the identification of deficiencies. A deficiency means either that a response has not been properly designed to address a quality risk or it has not operated as designed and so has not been effective. Deficiencies might be found, for example, as a result of the monitoring activity undertaken by the firm, such as cold file reviews.

One specific requirement worth noting is that the firm must establish policies and procedures for the investigation of the root causes of the deficiencies. We have seen much in recent years about root cause analysis and the new ISQM 1 would embed requirements to undertake it for all deficiencies found.

Service providers

It is worth noting that the proposals still permit firms to use an external service provider for elements of their quality management system. Where a firm does so, it must ensure the resource used from the service provider is appropriate and understand that the firm retains the responsibility for its system of quality management and, of course, for implementing any necessary changes identified by monitoring activities.


The planned implementation of this new approach for quality management will undoubtedly require thought and effort for all firms. Implementation will be required 18 months after the standard is finalised to allow time for firms to design and implement new systems. For small and medium-sized firms there will still be the possibility of buying in a third-party basic set of quality objectives and risk responses to the extent that these are mandated in the standard. However, this alone is unlikely to meet the full requirements of ISQM 1, which requires a firm to consider its own particular quality objectives, risks and responses. This will mean, as a minimum, that firms will have to carefully consider whether a standard set of documentation fully matches their situation and in most cases will also mean that there will be some firm-specific risks and responses to add into the standard list.

Overall the requirements should be scalable for smaller firms and a risk-based approach, with certain mandated procedures, should already be familiar from requirements such as the Money Laundering Regulations. It will be important to not leave the issue until the last minute though, as it takes time to establish, agree and implement new systems.
