Today, 6 September, marks 100 days until ISQM 1 Quality management for firms that perform audits or reviews of financial statements, or other assurance or related services engagements becomes effective. Firms are required to design, implement, and have in operation an ISQM 1 compliant system of quality management (SOQM) by 15 December 2022. For those firms yet to start on the journey of implementation, don’t panic! We have put together some information, tips and a recommended reading and resource list to get you started.
If you have consistently received good inspection/hot/cold file reviews then your ISQC 1 procedures are likely to be fit for purpose. Much of what you do currently will probably still be relevant. You may question, therefore, why you need to make any changes. The answer, in short, is that ISQM 1 requires firms to consider the nature and circumstances of their own practices and to adopt a proactive risk-based approach to managing audit quality. This is similar to the risk-based approach taken to audit engagements. Ultimately, in the longer term, the proactive risk management approach may create efficiencies in your practice by targeting responses that address the specific risks your firm faces, rather than focussing on responses that are less relevant to your own firm’s nature and circumstances.
As auditors, you already possess the skills to do this – you will know how risk assessments work and you know your firm. Be confident, see it as a journey and remember that Rome wasn’t built in a day.
What are the components of a system of quality management?
ISQM 1 identifies eight components to address in a SOQM:
- The firm’s risk assessment process;
- Governance and leadership;
- Relevant ethical requirements;
- Acceptance and continuance of client relationships and specific engagements;
- Engagement performance;
- Information and communication; and
- The monitoring and remediation process.
Approach to designing a SOQM
- Establish quality objectives
Info: ISQM 1 includes mandatory quality objectives for six of the eight components (paragraphs 28-33 of ISQM 1). There are no mandatory objectives for risk assessment or monitoring and remediation. Those quality objectives included in ISQM 1 may be sufficient for many smaller firms, but some firms may need to establish other objectives or sub-objectives. All firms must consider (and evidence they considered) whether they need additional objectives – it’s not safe just to assume you won’t.
Tip: If a quality objective included in ISQM 1 is not relevant to your firm then you can ignore it.
- Identify quality risks that threaten the achievement of those quality objectives
Info: Consider nature and circumstances, conditions and events, actions and inactions, and engagement base.
Tip: Much of a firm’s nature and circumstances is dictated by the people the firm has working for it, the environment within which it operates and the types of client it serves. All of these things can have an impact on the quality risks that are most relevant to the firm, and the significance and likelihood of those risks crystallising
Tip: Ask yourself what keeps you awake at night. Be careful to identify quality risks rather than focus on the consequences of a risk crystallising – eg, a breach of the Ethical Standard would be a consequence of a quality risk (eg, not understanding the requirements of the ethical standard) crystallising. The nature of the firm (eg, it performs PIE audits) or any number of conditions/events/circumstances might create a quality risk – for example, competency of employees (recruitment or training) or leadership not demonstrating commitment to compliance with standards (leadership/culture/tone at the top).
Tip: If you identify a quality risk that doesn’t result from a quality objective in ISQM 1 then you will need to establish a new quality objective.
- Assess quality risks
Info: Consider the likelihood and significance of the risk crystallising.
Tip: Remember quality management is iterative, so you can adjust the assessment at any time if you think it has changed.
- Develop and implement responses
Info: There are many mandatory responses in ISQM 1 (see paragraph 34 of ISQM 1). However, they will not by themselves be sufficient for full ISQM 1 compliance.
Tip: Many of the policies and procedures you already have in place are likely to be relevant. But they need to link back to the quality risks you have identified and the established quality objectives. Try not to retro-fit by starting with your policies and procedures and working backwards. First jot down key information about your firm and engagements, think about the quality objectives in the standard and risks to not achieving those objectives, then look at your current procedures and policies to identify gaps. If you find that you currently have an ISQC 1 policy or procedure that doesn’t fit any of the risks you have identified, either it isn’t needed or you have missed a risk. Only you can decide which is the case.
- Monitor and revisit
Info: At any point in the process, and as you evaluate and monitor your SOQM, you may revisit and change objectives, risks and responses. Where deficiencies are identified, you must perform root cause analysis, the outcome of which may then involve revising either your objectives, risks or responses.
Tip: You may have already been doing this by responding to file review and inspection findings, but perhaps just not calling it this. For those who haven’t, you don’t need to wait until 15 December 2022 to start – you can have a go now.
Recommended reading and resource list for very small practices
If you haven’t yet started, here are some links to recommended reading and resources to help you on your way.
International Quality Management Standards – what you need to know now (article, 2000 words)
Practical tips to help with preparations.
How smaller firms with low complexity have opportunities to scale ISQM 1 to fit their nature and circumstances.
Identifying and assessing quality risks under the new ISQM 1 (webinar, 1 hour)
This webinar focuses specifically on risk identification and assessment.
This guide is quite long, at approximately 100 pages, but even if you do not plan to read this cover to cover it is useful to dip into when thinking about individual components or documentation requirements.
How to get started with RCA (article, 1300 words)
12 questions to get you started on your RCA journey.
RCA for smaller practices (article, 1000 words)
Five ways in which sole practitioners and other smaller audit practices can embrace RCA.
ISQM 1 and smaller firms: What will QAD be looking for? (article, 650 words)
Even the smallest firm needs to be compliant with ISQM 1 so what will be expected?
This guide explains ISQM 1 requirements in relation to service provider resources. It covers the range of information that practices might need from their service providers to help determine whether the resources they use in their SOQM or engagements are appropriate.
Relevant upcoming events
Virtual webinar from the Essentials CPD programme on 16 September.
This half day conference on 12 October will explore the changes ahead for auditors.
This full day conference on 11 October will provide insights into the key challenges and opportunities currently impacting the profession, including a dedicated session on ISQM for the small practice.
ICAEW’s Audit and Assurance Faculty is keen to hear from very small practices about their experiences of ISQM implementation so far – how they are approaching it, successes, and challenges. Please share any feedback with email@example.com
Implementing ISQMs – a series of on demand webinars (2 hours each):
Quality Management technical resources hub
Hear a panel of guests dissect the latest headlines and provide expert analysis on the top stories from across the world of business, finance and accountancy.Find out more
Stay up to date
You can receive email update from ICAEW insights either daily, weekly or monthly, subscribe to whichever works for you.Sign up
News in brief
Read ICAEW's daily summary of accountancy news from across the mainstream media and broader financing sector.See more