Iain Wright: Hello, and welcome to a special episode of the ICAEW Insights In Focus podcast. My name is Iain Wright, and I’m Managing Director of Reputation and Influence at ICAEW. Today we’re discussing the rollout of the International Standard on Quality Management, or quality management for firms that perform audits or reviews of financial statements or other assurance or related services engagements for its formal title – or ISQM for short – and what firms need to do before the implementation date of ISQM 1 on the 15th of December.
The intention is that ISQM will raise audit quality across the board. But the introduction of ISQM 1 has the potential to be tricky and time consuming for firms. The standard requires practitioners to begin thinking about quality management on a risk assessment basis. But of course, it’s arriving at a time of economic volatility, with rising prices and an increased risk of recession. To make sense of it all, we’re joined by three real experts in this field. First of all, let me introduce Louise Sharp, ICAEW Senior Technical Manager in Audit and Assurance, and two audit professionals – Catherine Hardinge, Technical Partner at Price Bailey, a Top 30 audit, accountancy and business advisory firm, and Peter Hollis, owner of Hollis & Co, based in Sheffield. Louise, Catherine. Peter, thanks very much for joining us. Louise, can I start with you if I may? Could you just set out what is ISQM going to change? And what does it need to put in place?
Louise Sharp: There are two new quality management standards, there’s ISQM 1 and ISQM 2, and there’s also a revised auditing standard ISA 220 and is effective for audits of periods beginning on or after 15th of December 2022. So ISQM 1 addresses quality management for firms that perform audits. It replaces ISQC 1, which firms will be more familiar with. ISQM 1 focuses on managing quality at the firm level, and it requires firms to design, implement and operate a system of quality management.
Under ISQM 1 firms are going to need to establish quality objectives. There are mandatory ones and standard, but firms might need to set more depending on the nature and circumstances of their firm. Firms will need to design and implement a system of quality management by the 15th of December 2022 and then evaluate it within one year. ISQM 2 deals with engagement quality reviews, it sets out the requirements for the appointment and eligibility of the engagement quality reviewer and also the performance and documentation for engagement quality reviews.
Finally, the revised Standard ISA 220 (Revised) addresses quality management at the engagement level. So that differs to ISQM 1 because that’s at the firm level, and significant changes have been made to this standard. There’s much more focus on the responsibility of the engagement partner for managing and achieving quality on audits. There’s a stand back requirement that’s been added, and the definition of the engagement team has changed. So overall, the focus has shifted away from compliance-based approach to a more risk-based approach.
IW: And that’s really interesting. Catherine, so can I come to you as somebody helping to run an audit firm with that movement away from compliance towards risk assessment? How are you approaching that? How do you see that different approach?
Catherine Hardinge: I think it is quite clear that ISQM is very different from ISQC 1. It is very much focused on those risk objectives. The way that we’ve approached that is doing a sort of risk register. So, it’s thinking about those different objectives you want to do, thinking about all the possible things that could go wrong, then thinking about what processes and controls you’ve got in place to mitigate those risks, and then identifying if you’ve got any gaps and then working on those.
IW: Peter, can I turn to you because obviously ISQM and its implementation is not operating in a vacuum. If you look at the external environment that we find ourselves in, the highest inflation rate for 40 years, political uncertainty, what will tax look like in a matter of weeks? A battle for talent in the profession and indeed throughout the labour market? So, on top of that, trying to deliver and implement ISQM in a matter of weeks, does this mean a lot of work, particularly for small and medium-sized practices?
Peter Hollis: I don’t think many firms will actually welcome this piece of regulation and particularly having to implement it in the timescale that we’ve now got up to the middle of December. What firms need to do now is to make a start on this. The time for debating this regulation’s over, and we need to be focused very heavily now on implementation. I don’t think, once you actually start to do this, it’s quite as difficult as it appears. And I think the important thing is to make a start on it.
IW: I’m really interested in what people have been saying in terms of the process that people are going through. But if we take a step back, this is meant to raise audit quality, this is meant to improve the whole auditing process. Do you think it will? What benefits does ISQM actually provide? Louise?
LS: Well, I think by focusing on the risks of the practice, it should raise audit quality, because ultimately, in the past, we had a compliance-based approach and firms might well have been putting things, policies and procedures in place that perhaps just aren’t relevant to their firm. They’ve picked it from a manual, and they’ve been doing it, but actually they could be more focused in terms of dealing with their risks.
IW: Catherine, Peter, in the in the heat of practice, when you’re having to deal with things and satisfy clients’ expectations and demands, this is not meant to be that laborious, box ticking compliance-based exercise, it’s meant to help raise audit quality. Having gone through the process, do you think it has?
CH: I think it’s been useful. It has been hard work, but having that opportunity to take a step back and reflect on what we do – there are lots of things that I know we do, but have I written them down? And that sort of gap analysis actually has been quite useful to make sure that we have picked up on those points and they have been documented.
IW: Peter, from your perspective, a relatively small firm, is this just absolute bureaucratic nonsense?
PH: I think if we define audit quality as not giving a defective audit report, I don’t think that’s going to help me because I’m not aware that I’ve ever given a defective audit report. I think in terms of complying with audit standards, it may well help firms become more compliant with the letter of auditing standards.
IW: Presumably firms will be on a spectrum. There will be some that are well planned, confident that they know what they’re doing. But there’ll be others who are thinking, “Well, I’ve been doing other things, I’ve been distracted by clients, the external environment, I’ve even looked at this, it’s not worth our while.” Firms might drop out, and we’ve got an audit market where you’re seeing a withdrawal from audit firms. So how do you encourage people to stay in the game when we’re asking more and more of audit firms?
PH: We can’t afford, at the moment Iain, for firms to stop auditing. The Charity Commission is very, very concerned about the availability of firms to audit small charities. There are lots of firms out there that are only doing one or two audits. We need to make this easy for them to comply with. I don’t think it is that difficult, but it will require some effort. For the first time, firms are faced with a situation where they’ve got to start with a blank piece of paper and they’ve got to write out some quality objectives, and they’ve got to assess some risks of not achieving those objectives. Firms haven’t been faced with that before. Previously, they’ve been able to buy an off-the-shelf solution from providers like Mercia. They can’t just do that now, they’ve got to put some effort into this. I can just reassure them that it actually doesn’t take that long once you make a start on it. I’ve spent quite a long time on this working out a process that worked for my small firm. If you follow the steps that I undertook, I think you can do this in seven or eight hours.
IW: That’s interesting. Catherine, can I push this point about maybe this is the straw that breaks the camel’s back? Peter referred to many firms, not like yours, but firms that have one or two audits and they think, “I’m gonna have to devote a huge amount of time to this, it’s just not worth my while. I’m gonna pull out of audits.” How do we encourage people, firms, auditors to stay in the game here?
CH: I think there are a lot of challenges on audit firms at the moment. We’ve got the new auditing standards coming in ISA 315, 240 that are also requiring us to do quite a lot of work around that. But it is really important that you do actually stay in the market if you’re thinking of withdrawing. With this standard in particular, it is proportional, you can look at it and there are bits that you can just cut out that are just not relevant to some smaller firms. We had to spend quite a lot of time looking at things like governance and things like that, but if you’re a sole practitioner, you don’t need to worry about that in as much detail. So, I think it is trying to look at how it fits with you. And it’s about you trying to look at your quality control. But it is going to be difficult, and it might well be the straw that breaks the back for some very small firms. But I hope not, because firms are struggling at the moment with having adequate auditors, enough resource in the market. More and more people drop out, then that means there’s less in the market full stop. And, actually, we want to encourage more people in the market, not less.
IW: Louise, we’ve had the debate, this is happening. So what’s the first step? Where do firms have to start on this?
LS: So the first step is, unfortunately, they’re going to have to read the standard. There’s no escaping that it’s a fairly long standard, it’s about 70 pages in length. But obviously, remember that a lot of that is application material in the standard. So that’s the first point, because they need to then understand what is relevant to them, and what isn’t relevant to them. I think they also need to take confidence from the fact that they actually do risk assessments at their clients. Now, it’s a slightly different scenario, because you’re looking at your own practice, but you should be confident of doing a risk assessment. So, it’s thinking about what are the risks in my practice to quality? What are the quality risks there? And what are the issues that might arise out of that? What responses do I have in place? What I suppose I would want to encourage is you read the standard. I don’t want firms to just say, ‘I have procedures and policies in place, I’ve had good inspection results in the past, therefore, I don’t need to do anything.’ Or equally, ‘I’m just going to shoehorn what I currently have into the requirements of ISQM 1.’ You do need to identify your risks. And it may well be that what you have in place actually covers all of the risks that you’ve identified. You might find that you’re doing some things because you’ve been following a standardised manual in the past, you’re doing some procedures that actually you don’t need to do. And that’s a good thing, too.
IW: Catherine, Peter, you’re helping to run firms that are very different to one another. You’ll have different experiences and maybe different time commitments. Peter, you started talking about how long this has taken you already. I’m really interested to find out what your experience has been. How do you go about the steps to start to deliver ISQM 1?
PH: I think the mistake I made at the start was to over-research this. And I would advise anybody who’s doing this not to overprepare for it. Take the standard. If you’re a small firm and you don’t deal with PIEs you can ignore ISQM 2. And once you’ve complied with ISQM 1, you’ve probably done everything you need to do for ISA 220. I started by photocopying the standard, and then I went through it paragraph by paragraph and wrote on it what I was already doing to comply with its requirements. Now, I would ignore the first bit on governance and leave that until last, because it is quite difficult to work out how to apply that to a small firm. And it’s dispiriting, and it can slow you down. So, if I did this again, I would leave the bit on governance until last. I’d then go through the standard and mark off everything that you’re already doing, and you will find that more than half the requirements are already built into your audit system. You will find that a large part of the rest of the requirements only require you to write down a policy and communicate that policy to the staff. And I think you’ll have a lot of confidence by that point that you’re actually getting to the end of the process and it’s not quite as difficult as it initially appears.
IW: Catherine, how did your approach differ to Peter’s? You’re a bigger firm, does that mean more complexity, more processes to go through? How did what you’ve done differ from Peter’s?
CH: I think I started the same way in that I looked at the standard. But I found it quite difficult to get started after that. You can read through the standard, and you start thinking, “How do I picture this? How do I document this? What does it need to look like?” So, in the end, we ended up looking at a couple of products that were out there on the market, more to get a starting point and to give me a bit of structure. After that I’ve built on that. But it is really important going through that – they do provide lots of examples – but it is important that you actually amend that for what you do. I’ve had to take out some of the recommended procedures because we do it differently. And it is really important going through it that it reflects what you do, because that’s what you’re going to be marked against going forward. I had to liaise with different people across the firm. So the section on resources, I talked to our HR team, what we did about recruitment, what we do on appraisal systems, things like that. Looking at systems and controls, talking to our IT department, liaising with some of the providers, so we had to send letters out to the likes of some of our providers for our methodology in our software, and just asking them how they make sure that what they give us is of good enough quality as well. So it has taken some time. It’s not a finished product. It’s going to be something that continues to evolve.
IW: I was really interested, Catherine, in Peter’s comments about if he had his time again, he’d leave governance to last. If you had your time again, what would you do differently?
CH: Probably what I would have done is strip out some of the examples that I had of what they said you should do. I think the structure was quite useful. But actually, you end up trying to think, “Oh, do I need to change what I’m doing to try and fit in this?” And you spend a lot of time doing that. Whereas actually, if you just looked at the risk, you think, “OK, I already know that risk. This is what I’m already doing about it. Let me just document what I’ve done.”
IW: Could I ask you, both of you practitioners Peter and Catherine, what’s been the most challenging aspect of doing this?
PH: The most challenging aspect, without a doubt, is the risk assessment. And I’ve worked out for a small practice like mine with a flat structure, the difficulty is that because you’re involved with the planning, you’re involved with the fieldwork, you review the files. It’s difficult initially to focus on the threats to quality. So you need a bit of a start on it. And, like Catherine, I bought a proprietary manual. I found it over-engineered. And the problem with a proprietary manual is it has to deal with really large firms, firms that are in networks, as well as small firms. So mine was at 107 pages of risk analysis, I got that down to four pages and 16 risks, when I actually distilled all this down. And most of those risks will apply to most small practices. There will be things that are individual to each practice, but there’ll be a core of risks that apply to all practices. Once you’ve analysed the risks of not achieving your objective, how you mitigate them is quite obvious, really. And you’ll be able to write alongside the risks what you’re already doing to mitigate those risks anyway. I don’t see this as creating a lot of ongoing work. It’ll cost seven or eight hours to get to this point and to be compliant. But I’m not seeing it adding time onto every job that we do.
IW: Catherine, in terms of the same question to you, what did you find most challenging?
CH: The risk assessment is quite difficult to begin with, trying to think of everything. But further on now, it’s also thinking about how we’re going to document that we do actually comply with some of this, especially things around the governance and culture. Now we’ve got a really good culture, and we do take quality really seriously as a firm. But how we demonstrate that and how we monitor it on an ongoing basis is going to be more challenging. And I think it’s how we actually put that together, and make sure that we can document it and monitor it, it’s going to be a bit more of a challenge.
IW: And what do you propose to do? Because practitioners will be listening to this and go, “Well, what on earth do I do to document?” What advice would you be giving those SMBs in terms of documentation of this?
CH: Part of it depends on how big your team is. Looking at how you do your messaging and things like that within the firm. What do you cover in training? How do you explain to people that when they’re working for you, it’s important that they do a good job. Some of it might come through on appraisals, some of it might come through on other communications. We’re looking at some of the messages that go out. Our MD dials weekly emails out to the whole firm just updating them on things, and it’s saying, has that got the right focus on quality in those documents? It does. But making sure we pick up on those sorts of bits is difficult. But I think it’s just looking at how, at the moment, do you ensure that people understand that you want them to do a good job? And then it’s trying to think of ways of how you can capture that.
IW: Louise, I think you mentioned at the very start about a variety of different tools. Software can be bespoke, it can be off the shelf. And I wonder whether some firms are thinking, ‘Oh, well, that’s the magic answer. I’ll buy this, I’ll plug it in, and that gives me what I need to do.’ Is that right? People are laughing at that, but does this get in the way of delivering a successful ISQM process?
LS: I do think that there are tools out there that, particularly for firms that are struggling to know where to start, I think it can give them a starting point. But you do have to tailor any tool that you have to your own practice, to the nature and circumstances of your practice. So, you can’t just take a tool and run with it, you’re going to have to think about the risks that are relevant to your firm. Service providers get captured under ISQM 1, in terms of the resources that they provide, and there are specific quality objectives relating to them. So, you also have to then think about whether the tool you’re using is appropriate for use within your system of quality management.
And it doesn’t just stop there because obviously you have other resources from service providers. So, for instance, audit methodologies, you’ve got to be thinking whether they’re relevant for use within your firm for your audit engagements. ICAEW have put out a guide because at the end of the day, you’re going to need some information from service providers to make that assessment. You might need to be asking your service provider how they deal with the competence of those developing the tools, data protection, other laws and regulations, and how the service provider addresses those issues. So, the guide actually sets out the types of information that firms might need to make that assessment and ensure that that tool is appropriate for use. But yes, at the end of the day tools are very helpful, but you need to remember that ISQM 1 is all about being bespoke and having a system of quality management that’s relevant for your practice.
IW: Peter, you said earlier on that you’d bought something. Without putting words in your mouth, it sounded like what you’d bought was perhaps over-engineered for what you needed. Again, could you just reiterate and emphasise what was good and what was bad? What have you learned from doing that?
PH: I thought it was over-engineered, I thought it was far too long, and it was mainly because it was designed to cope with a range of practice sizes, and it had to be what it was. Within the next couple of weeks, I think there’ll be enough information available on the ICAEW website for small firms to be able to cope with this without buying in extra tools. What I did was I set up a spreadsheet. I opened one tab, and I typed out my objectives, which are largely lifted out of the standard. You need to reword these and adapt the wording so it makes sense in your practice – some of the things are written in a way that they would work for big firms. Don’t be frightened to tailor things down, don’t be frightened to delete things, because the standard is supposed to be scalable. So, if you see something you don’t understand, or you don’t think it applies to your firm because of its circumstances, be confident to delete it. I opened the second tab on the spreadsheet to cover my risk assessment, and I had one column with the risks in and a column to the right-hand side with the mitigation of the risks that I’d assessed. I opened a third tab to cover the risks of using service providers.
IW: Catherine, in terms of how you dealt with those sorts of tools and software, how was that approach with you?
CH: It was quite similar in that I started with a big Excel spreadsheet but had different tabs for the different elements. One on governance, one on resources, and some of the other different areas, focus very much on linking the risks through to the different objectives. And then it was doing almost the gap analysis, so just initially writing brief comments: we’ve already got a policy on this, we’ve already got this on that. And then I just identified those areas that thought, “Well, actually, I know we do that, but have I written it down somewhere that that’s what we do.” I highlighted those areas that I thought we needed to improve the documentation on, and then worked on those. So, I have a separate thing of all the things that I need to do. I highlighted those in a different colour and then as that’s progressed, I’ve worked on those and then changed the colour to show that’s now done. So that’s very similar to Peter, but just on a slightly different scale.
IW: Louise, you started mentioning guidance from ICAEW on things like what sort of things you need from your software provider. I would imagine members are looking to their professional body for help and guidance on this. What other ICAEW resources are available to members?
LS: We have a quality management hub up on the website. It includes lots of articles, which share insights from practitioners that are implementing the standard. We also have a series of webinars covering various aspects of the new standards. Obviously, you mentioned the service provider guide, and that’s up there on the on the website, too. We’re pulling together content so small practitioners have a focused area of where they can get the resources that they need as well. And obviously, it doesn’t stop on the 15th of December. We’ll be looking at what additional resources we’ll need to put in place for next year as firms move towards the actual operation of the system of quality management, looking at things like root cause analysis, so there’ll be more to come.
IW: Members might be concerned about inspection and thinking, goodness, after 15th of December, QAD will be coming in and if I haven’t got everything ticked to the maximum amount, I’m going to get penalised and criticised. Should firms be concerned about QAD and the inspection process when it comes to ISQM?
LS: Well, I’d like firms not to be thinking about perfection. The whole purpose of ISQM 1 is about continuous improvement in audit quality. QAD recently published an article, which I believe sets out their expectations in terms of what they’re looking for from firms. They will be focused on the risk assessment. They’ll want to see what risks firms have identified. They’ll want to see how that maps back to the objectives in standard, and also what responses they’ve put in place. But I genuinely believe that those very, very small firms with few audits, they’re not going to be expecting a system of quality management that’s anything like a larger firm’s system of quality management. And I would just like firms to give it a go. Have a go if you’ve not done this yet. If you don’t know where to start, perhaps start with a blank sheet of paper setting out what your firm’s all about, what staffing you have, what clients you have. And then from there looking at the objectives, what kind of risks will flag, what are your future plans as a practice, and then hopefully, you’ll have the courage to develop that system of quality management and maybe not feel so overwhelmed by it. Because if you’re looking at standard, it does feel a bit overwhelming for the first time.
IW: Catherine, Peter, I was really interested in what Louise was saying there in respect of, don’t be frightened of perfection. And you know, to use a cliché, perfection sometimes the is the enemy of the good. You won’t be perfect, nor should you be, but what should you be looking for in order to be of sufficient quality, to be good enough?
CH: I think the key thing is you’ve got to make a reasonable effort. OK, don’t bury your head in the sand, don’t try and put this to the side. You’ve actually just got to make sure that you’ve had a look at the standard, understand what the objectives are, and then have a go. Think about those risks and think about what you already do.
PH: Like Catherine, I think the thing to do is to make a start. I think what you need is to start off with what Louise said. You do an assessment of the firm, record how you go about jobs, what staff you’ve got, what resources you’ve got. You then need to record the objectives, you need to have a go at assessing some risks and you need to record how you’re going to mitigate those risks. I think they’re the key elements that QAD are going to look for. And they’re going to look to see if you’ve made an effort to do that. Please do something. It’s not that difficult once you get started.
IW: There’s been a wealth of great information from your insights and guidance here, but as we’re coming to the end of this podcast, I’m just quite interested if there are one or two things that listeners need to take away, in order for them to do this properly. What would you suggest and recommend to them?
LS: It’s got to fit the nature and circumstances of your firm.
CH: Make a start. It does seem overwhelming, but once you actually get into it, just start documenting what you do. And that’s the key thing, like Louise said.
PH: Trust me, once you’ve made a start, it gets easier. It’s not as hard as it looks. Work from the standard. Don’t overprepare.
IW: Well, I think that’s really helpful advice. I’m afraid that’s all we’ve got time for today. Thank you, Louise, Catherine and Peter for sharing your insights and experiences regarding ISQM. It’s clear there’s plenty for firms to be getting on with ahead of the implementation date of the 15th of December. As Louise says, the ICAEW website continues to be updated with resources for firms impacted by the introduction of ISQM 1, and you can find links to articles and advice for firms of all sizes in the show notes for this podcast. You can listen to the next In Focus podcast later this month, when host Philippa Lamb will be exploring the impact of quantitative tightening on the UK economy. The next Insights podcast, which will discuss the Economic Crime Bill currently passing through Parliament, will arrive in early December. In the meantime, please rate, review and share this episode, and remember to subscribe to ICAEW Insights wherever you get your podcasts. Thank you for listening