As a label, ‘quality risks in audit’ sounds quite clear cut. But delve a little deeper and it soon emerges that is far from the case. As Matt Howells, Partner and Head of the National Assurance Technical Group at Smith & Williamson, says: “For us – and, I suspect, others who have embarked on their ISQM 1 journey – the more you look at this field, the more the risks that you thought would fit into neat categories bleed into each other."

Nick Jeffrey, Director of Professional Standards at Baker Tilly International, takes a similar view: “A quality risk in a City-based auditor that deals with clients in the financial sector is going to be a different proposition to one that affects a smaller, rural practice involved with farming and agribusiness.”

In other words, quality risks cut across the spectrum of auditors’ activities, and will vary according to the nature and circumstances of the firm and the engagements the firm performs. Fortunately, ISQM 1 offers some guidance, in two parts by defining a quality risk. Howells explains: “The first says that these are risks that have a reasonable chance of occurring, which provides some scope – eliminating things that could happen, but are relatively remote. Then the second part marks out a quality risk as one that prevents an audit team from meeting one or more of its quality objectives.” Quality risks are therefore linked to the firm’s quality objectives (ie. those required in ISQM 1 and any others that the firm might have established).

In that context, Howells and Jeffrey agree, quality risks may emanate from external or internal events, conditions, circumstances, actions or inactions. Examples include:

External

• Poor company culture: audit is simply not a valued process on the client’s side and does not receive due care and attention, impacting the quality of data passed on to the audit firm.

• A dominant owner-manager: the client firm’s most senior figure has set up all its audit procedures personally, or dictated how they should work – and finance staff are discouraged from questioning that system.

• Absent key contact: a critical member of the client firm’s finance team, vital to its audit work, is on extended leave and the cover is struggling to maintain that individual’s standard.

• Regulatory environment: a client firm’s subsidiary is operating in a weakly regulated jurisdiction, affecting the quality of its financial data as produced locally.

Internal

• Lack of experience: the assigned auditor has not been working in a relevant, specialist sub-domain long enough to properly understand the task before them.

• Lack of training: alternatively, there is a gap in the assigned auditor’s skillset that is preventing them from executing the task with confidence and accuracy.

• Excessive workload: a team member is working on too many assignments at once, and is struggling to devote appropriate time and care to each one.

• Inadequate tools: the firm’s chosen software or hardware is ill suited to the nature or scale of the work that the audit team is required to deliver.

Honest mistakes

Quality risks may arise from the performance of more complex audit engagements, for example, group audits.. “If I’m auditing a group-structured firm with subsidiaries all over the world, those subsidiaries would probably all be audited by local professionals,” Howells explains. “So I may choose to rely on the work of those local auditors and review their working papers, rather than go in and audit the subsidiaries myself.

“My client wouldn’t necessarily want me to do that work anyway for efficiency reasons – which is perfectly understandable. But when you’re relying on the work of other auditors, you have to assess their competence.”

Howells notes: “That may be a fairly simple process if the client happens to be a UK firm with a single, UK subsidiary. But in a group firm working across multiple subsidiaries, numerous jurisdictions, time zone differences and language barriers, all sorts of complications arise that can impact upon quality. So, as the auditor responsible for rationalising that complex picture, I must have measures in place to ensure that those risks are properly addressed.”

Assessing internal quality risks through the lens of skills and experience particularly applies to how we manage juniors, Jeffrey notes. “Are we applying the Four-Eyes Principle in the correct places when we review their work? Do they understand the standards they’re reporting to? And do we have the correct quality controls in place to ensure that honest mistakes are identified before the work goes public?”

That approach is a very traditional one – but for a reason: “It has a long-established track record of effectiveness,” Jeffrey says.

Paper trail

So, what sort of red flags would typically show an audit firm that its quality management system isn’t up to scratch?“

There are some obvious signs – for example, your file review scores or regulatory findings could be flagging up specific problems, or perhaps you’re even receiving complaints,” Howells suggests. “But I would say that the main red flag is far more systemic – and there’s a direct link here with the requirements of ISQM 1.”

Howells explains: “Under the standard, how you document your system of quality management is really important, because once a year, a senior figure – for example, your CEO or managing partner – will have to come along and assess whether that system is fit for purpose. And they can’t necessarily do that if they don’t have any written material to refer to that will tell them what the system actually looks like, or how it has worked over the past year.”

“As we move towards the smaller end of the audit firms scale, we may notice that some teams tend to rely upon a collective memory of how quality management works: things happen in a certain way because that’s how they’ve always happened, but none of the relevant procedures is documented. Or perhaps they are – but the documentation is scattered and disorganised. Neither scenario is good enough under ISQM 1,” Howells warns.

Audit firms should identify, assess, and develop appropriate responses to, external and internal quality risks as part of their systems of quality management, Jeffrey urges: “Be proactive rather than reactive. Try to identify where the pressure points are, so you can perhaps anticipate where risks to quality will be at their greatest, rather than just relying on alerts after the fact.”

Jeffrey adds: “If you’ve identified some issues in work that was signed off a year ago, it’s too late – that data is already out in the public domain. Yes, we can learn some lessons and apply them to upcoming work, and it’s important we do that. But it’s not the only or sufficient answer.”