With the impending arrival of new ISQM just seven months away, audit firms are being warned that the new quality management standards will require them to go back to the drawing board on the design of their systems of quality management.

Speaking at the first in a series of webinars organised by ICAEW’s audit and assurance faculty, John Selwood, a chartered accountant and independent training consultant, said that the risk assessment element of the quality management process is potentially quite tricky for firms.

“As audit professionals, you’d think we’d be good at doing risk assessments, but a lot of auditors have found it quite odd doing a risk assessment on the quality of their own audits,” Selwood says.

Selwood also warns that, historically, documentation developed to support the design of quality control systems under ISQC 1 had tended to end up as shelfware, developed once and subsequently left to gather dust on a server, awaiting some external inspection. However, repurposing those assessments for the purposes of ISQM 1 is not an option, he warns. “All firms have something that demonstrates their compliance with ISQC 1. But you can’t take what you have under ISQC 1 and rebadge it – ISQM 1 is a different process.”

ISQM marks a significant shift in focus on quality and moves towards a more proactive approach. “This is not just about managing quality in a reactive way but thinking about what could go wrong so you can avoid problems before they happen,” Selwood says.

“While it doesn’t mean that audit firms should bin all of their existing quality control procedures, it does mean that you will have to start from scratch when it comes to designing their system of quality management,” he adds.

ISQM 1 identifies overarching quality objectives across areas including governance and leadership, relevant ethical requirements and acceptance and continuance of client relationships and specific engagements, amongst others. “When it comes to setting your own quality objectives, watch out for paraphrasing quality objectives because you risk losing the sense of the words,” Selwood warns.

Bearing in mind that quality risks are so interlinked, Selwood’s advice is that firms performing risk assessments for the first time avoid dwelling on any single element for too long. “There will be time to refine and perfect it, but if you aim too high initially, you’ll probably find that you grind to a halt. My top tip on this is to give it your best shot but go back and refine it and refine it.”

Although there is an implementation deadline of 15 December 2022, Selwood says identifying and assessing risks should not be approached as a one-off process – you will review it at least annually and perhaps more regularly in the early stages.

At the same time, Selwood says the tailored approach to managing quality brought in by ISQM 1 means that it will be impossible to outsource the entirety of the quality management process to a third party or external service provider, which may be providing your audit methodology or training providers for CPD, Selwood warns.

Peter Herbert, a Director of Insight Training, says risk assessment should focus on conditions, events and circumstances that may adversely affect the achievement of quality objectives. “It’s about thinking about the risks that keep you awake at night that could impede audit quality.”

In the seminar, Herbert highlights the many and varied areas that should be factored into the risk assessment process. They include decisions about financial and operational matters, the composition and tenure of management and how leadership motivates staff to deliver really good audits.

“When identifying risks, it’s important to make sure they’re framed in a way that is appropriate to your firm,” Herbert says. “What specifically is the problem that could have a negative impact on quality, what is the likelihood of it happening and what would the impact be if it did? Audit quality risks will vary depending not only on the size of the firm but also its client and service profile and how it is evolving. This is not an easy process,” Herbert warns.

Firms should also factor in the likelihood of a particular quality risk occurring, the frequency of occurrence, and also think about the likely effect on audit quality objectives to determine how big an audit quality risk it is. “If you use external reviewers, don’t be frightened to use them to facilitate conversations around areas that could impinge on the achievement of audit quality objectives,” Herbert suggests.

Linking risks to quality objectives is key. The seminar also offers guidance on how to do that, alongside case studies to show risk assessment in action and bring guidance to life.

Two further webinars on the subject of ISQM have been arranged by ICAEW’s Audit and Assurance faculty. The next, on Thursday 26 May, will focus on developing a quality management strategy and offer advice on how to respond to quality risks and guidance on mapping and documenting responses.

The third webinar in the series, on Monday 13 June, will look at some of the practical implications of using root cause analysis in quality management and the role it plays in driving improved audit quality in firms. To find out more and to book your place go to ICAEW’s dedicated webpage.

• Standard setter the IAASB has produced a first-time implementation guide to help stakeholders understanding the requirements of the new ISQM standards
• ICAEW’s quality management hub offers a range of resources dedicated to helping audit firms prepare for new quality management standards ISQM 1, ISQM 2 and ISA 220 (Revised).