Published by: ICAEW
The Financial Reporting Council has published two new Quality Management standards and a revised ISA 220. Louise Sharp, Manager at ICAEW’s Audit and Assurance Faculty, looks at steps that firms can take now to help with implementation.
As with the IAASB standards, the UK Quality Management standards are effective for audits of financial statements for periods beginning on or after 15 December 2022. This also means that firms will need to have designed and implemented a system of quality management by 15 December 2022. The Financial Reporting Council strongly encourages early adoption, although this would be challenging for many audit firms.
ISQM 1 introduces a new risk-based approach to quality management at the firm level. This requires the firm to establish quality objectives, identify and assess quality risks, specifically with regard to the nature and circumstances of the individual firm and its engagements, and design and implement responses to address those risks. This is a much more forward-looking, proactive approach than that currently required under ISQC 1, which focuses more on policies and procedures. It is also expected to be an iterative approach that will require revisiting and continuous improvement.
ISQM 2 is a new standard. It addresses the eligibility, appointment and responsibilities of an Engagement Quality reviewer. While many elements have been relocated here from ISQC 1 and ISA 220, the requirements have been enhanced and the scope for such reviews expanded.
Significant revisions have also been made to ISA 220, which clarify and strengthen the key elements of quality management at the engagement level. These include changes to the definition of the engagement team and a new stand-back requirement for the engagement partner to determine that they have taken overall responsibility for managing and achieving quality on the audit engagement.
Given the new risk-based approach to quality management, coupled with other significant enhancements, ICAEW’s Audit and Assurance Faculty is planning a series of activities to inform and support members with implementation.
What steps can audit firms take now?
Read the standards. They are long and the requirements will take time to get to grips with, but there really is no short cut here. The IAASB has also published first-time implementation guides on ISQM 1 and ISQM 2 to help firms understand and apply the standards, and more implementation support is expected to follow.
Break down the requirements into manageable chunks and consider the areas where the firm could start to progress implementation plans and who within the firm needs to be involved. Potential areas for focus are set out below.
Start to identify the quality risks that the firm faces, ie, the risks to the individual firm of not achieving the quality objectives. It is easy to underestimate what might be needed here and the risks will need to relate back to the quality objectives in ISQM 1 or, if required, to additional ones identified by the firm.
To help identify risks, firms could review their list of engagements, thinking about the nature of engagements they provide (audit or otherwise) and the extent to which and how they might create quality risks in relation to the objectives. Audit firms could also review the findings of cold file reviews and QAD monitoring activities to identify areas of concern and potential quality risks.
Firms could look at their existing quality control mechanisms in place to see to what extent they might respond to the risks identified. Firms are likely to have some procedures and policies in place that will continue to be very relevant in meeting the new requirements, but it would be wrong to assume this without considering the specific requirements in ISQM 1 and individual nature and circumstances of the firm and its engagements. A gap analysis, driven by the risk assessment, will help identify the areas where firms may need to design and implement additional – or different – responses.
Firms can begin to map out objectives, quality risks and responses. Those firms using off the shelf solutions for this will firstly need to understand the timing and nature of updates from the service provider to identify gaps and when they will need to perform further work. Under ISQM 1, firms will also need to plan for a greater degree of tailoring of these tools so that they meet the specific needs of the individual firm.
ISQM 1 requires firms to establish specific quality objectives to address appropriately obtaining, developing, using, maintaining, allocating and assigning resources in a timely manner to enable the design, implementation and operation of the system of quality management. ISQM 1 defines ‘resources’ quite widely.
Firms could identify and begin to evaluate their resources, considering those resources that are in-house and those provided by service providers, such as audit software, data analytics tools, methodologies and quality reviews. Firms will have to evaluate whether resources from service providers are appropriate for use in their system of quality management and in the performance of engagements.
For network firms, the individual firm is responsible for its system of quality management, including professional judgments made in the design, implementation and operation of it. It will therefore need to evaluate whether and, if so, how the network requirements or network services need to be adapted or supplemented by the firm to be appropriate for use in its system of quality management. Networks will, in turn, also need to think about what information they need to provide to member firms where resources, such as global audit methodologies, are being used.
Root cause analysis (RCA) and monitoring activities
ISQM 1 specifically requires firms to design and perform monitoring activities to provide a basis for the identification of deficiencies as part of a firm’s monitoring and remediation activities, and to evaluate the root cause of deficiencies. RCA is not a new concept, and some firms will already be doing this. But for those that haven’t, this is an area where firms could begin to make some progress, even where other aspects of the standards have yet to be implemented.
Likewise, internal monitoring activities and ISQM 2 reviews could be performed as if the new standards were in place to demonstrate to engagement teams within firms what areas would need to be improved were the standards fully implemented.
The new quality management standards provide an opportunity for firms to improve the quality and consistency of performance of their audit engagements, but it will be important not to underestimate the time and work effort needed to implement them.