Traditionally, an iterative process has been associated with software engineering and agile project management. But today, most organisations iterate in one form or another. Applying an iterative method can help teams cut risk, improve efficiency and approach problems in a more agile way.

The iterative process involves building, refining and improving a system. Organisations that apply the iterative process create, test and revise until they’re satisfied with the end result. In short, an iterative process is a type of trial-and-error method that helps one achieve the ultimate goal. 

The new quality management standards for audits, ISQM 1, ISQM 2 and ISA 220, effective from 15 December 2022, introduce a new requirement for firms to proactively identify and respond to risks to quality. So how different is the iterative nature of quality management to the old ways of doing things?

Nick Reynolds, Senior Manager, Professional Standards, ICAEW, says: “I’m not convinced that there is a difference in principle. The previous standards didn’t talk explicitly about them being iterative. But I would have said that if the previous quality control procedures weren’t actually working and monitoring established that they weren’t fit for purpose, all firms needed to go back and upgrade them.”

The increased focus on audit over the past few years and the small minority of firms that do not follow the spirit of the rules as well as the letter has likely accelerated this change.

John Selwood, freelance lecturer, says: “These are audit professionals, and we would hope that they would be accustomed to risk assessment. But an observation of mine is that it probably is an aspect of audit that not everyone gets right every time.”

At the time of announcing the new international standards in September 2020, Tom Seidenstein, Chair of the International Auditing and Assurance Standards Board (IAASB), said: “The new and revised standards facilitate an integrated and iterative process to manage the quality for the firm’s engagements where the quality standards are applicable. The standards are aimed at comprehensively and actively managing risks to quality, through greater accountability, improved focus on leadership and culture, and continuous improvement through a required monitoring and remediation feedback loop. 

“Moving from binary, compliance-based processes to a much more proactive, dynamic, risk-based quality management approach is crucial to the audit profession staying a step ahead.”

A big challenge for provision of guidance on ISQM 1 in the UK is there’s such a variety of firms from the Big Four down to sole practitioners with maybe less than five audit clients. So, the procedures needed for a Big Four firm versus those for a sole practitioner will be poles apart. The iterative nature of the standards is equally important for all – if a sole practitioner takes on a number of more complex audit clients, then clearly their procedures are going to have to develop along with the audit client base.

“That would always have been understood under UK Audit Regulations and ISQC1, but the new ISQM 1 certainly brings in a very comprehensive framework with a whole new level of detail behind it to make sure that nobody can possibly think that just putting in some procedures once and then leaving them to gather dust on a shelf is going to work,” Reynolds says.

There has always been a requirement for a review of procedures every year as a whole firm compliance review. And within that, there has always been an expectation that partners reflect on any points arising and develop an action plan to resolve them, which is effectively the same as an iterative method.

“One of the messages I’d like to get out to smaller firms is that if you read the monitoring and remediation requirements of the new standard, and feel really puzzled, thinking, ‘surely, I was doing some of this already’, then you may well be correct. I think there’s a chance that there are firms that haven’t been doing this – or at least not well, and so there is a nudge in the new standards,” Reynolds says.

That said, there are lots of elements in ISQM 1 that are resulting in significant amounts of work at the biggest firms, because the scale of their activities means that their procedures need to be pretty complex and to show that they’re complying with the new standards takes quite a lot of effort.

ISQM 1 reinforces the fact that the methods need to be iterative; it also embeds the iterative process within the audit practice in a way that it should have been embedded in and not just left on the shelf.

In many regards, the new international quality management standards reinforce many of the elements that the UK audit standards, long established, required anyway. The first challenge for some UK firms, says Reynolds, will be to assess (or at least elucidate) the risks to audit quality within their client base, which then drives the relevant procedures, and provides the starting point for the iterative process.

Although substantial work is required to update process and systems, especially for those audit firms with more complex audits, the aim is that under the new regime no one is expecting firms to get it right first time. The nature of iterative methods allows for room to improve. 

“Recognising the iterative nature of the process of risk assessment in quality management is that you end up with better risk assessment. The way you identify and assess the risks will probably fall short first time. You’re fairly likely to have gaps in terms of the risks you’ve identified, or you’re likely to not properly assess them from day one. It’s once you’ve been through the process that you’ll have a better perspective,” Selwood says.

As the saying goes ‘perfect is the enemy of the good’, but the new regime isn’t about perfection. It is about starting something that firms can then build on.

The IAASB has more detail on the new quality management standards for audit.