
Practice Assurance guidance for sole practitioners and new / smaller firms

Standard 4: Quality Control


Your firm should ensure that work is conducted in an environment where quality is monitored.

Set out below is some guidance and ICAEW Quality Assurance observations as well as support, including our top tips to help you comply.

Your firm should have procedures and systems in place, appropriate to its size, to ensure that:

  • the work of the firm is organised and controlled to ensure Practice Assurance standards are met;
  • appropriate supervision and review arrangements are applied;
  • all work undertaken is adequately recorded;
  • all principals and staff are made aware of the firm’s systems and procedures;
  • the firm complies with its own procedures; and
  • any complaints from clients are dealt with promptly and effectively.

Organisation and control


The way your firm organises and controls its work will vary according to the size of the firm. Sole practitioners should always bear in mind the possibility of sudden enforced absence, possibly through illness, and make arrangements to ensure that the practice can continue to operate in such circumstances. This may include setting up formal arrangements with another member to cover any period of incapacity.

Your firm should ensure that responsibilities are clearly identified. If your firm has more than one principal, it should be clear which principal is responsible for each assignment. If your firm has staff, you should be clear about, for example, who is able to write letters and send emails on behalf of the firm and who is able to give tax or other judgmental advice to clients.

To help with organisation and control:

  • Files should be well organised, up to date and easy to follow.
  • Keep all files and documentation relating to clients (whether in hard copy or electronic form) secure and ensure that they remain confidential.
  • If you have staff or subcontractors this ought to include putting a confidentiality clause in their written contract terms.
  • Consider recording receipt and return of client books and papers.
  • If you are making any documents, including accounts, available to third parties, you should obtain written authorisation from the client.
  • Consider some kind of work in progress monitoring system to ensure that matters are attended to promptly and both internally and externally imposed deadlines are met.
  • Make sure your firm has a policy regarding file destruction. This policy needs to comply with any relevant laws and regulations (eg, tax, audit, anti-money laundering and data protection).

Top tips to help you comply

  • If you are a sole practitioner make sure you have an alternate in place, and tell your family who it is. This will make life easier for your family if you are incapacitated.
  • Use proprietary systems and work programmes to help organise and direct your work.
  • Use electronic diaries to plan work and alert you with reminders.
  • Use workflow functions within the IT packages you use to monitor work in progress and alert you to deadlines.
  • Devise a file naming protocol for electronic filing.
  • Structure your filing system in such a way so that you know where to file something and, more importantly, you can find it when you need to come back to it.
  • Diarise an annual file destruction session.
  • If you have a procedures manual make sure you keep it up to date.


Essential practice

  • Have a filing system in place.
  • Keep notes of all telephone conversations and meetings, highlighting any advice given.
  • Maintain file notes to assist in the absence of the practitioner or key members of staff.
  • Have a reminder system in place for tracking work, so deadlines are not missed.
  • Have a file retention policy in place.
  • Consider whether sufficient PII cover is in place.
  • Make alternate arrangements where applicable.
  • Maintain a record of clients’ books and records held.

For firms with staff

  • Make sure adequate guidance is given to all staff on all areas of work undertaken.

Best practice

  • Put a secure filing and referencing system in place.
  • Put a file retention policy in place and decide whether any file should be destroyed.
  • Carry out an annual PII review in conjunction with brokers/insurers.
  • Put contractual arrangements in place (where applicable) for an alternate.
  • Consider succession planning, where applicable, and make appropriate arrangements.
  • Require clients to sign for books and records when they are returned.

For firms with staff

  • Keep an office procedures manual which covers all types of work undertaken by the firm and its other procedures.

IT procedures and security


Increased dependence on computer systems and mobile data storage and communication devices (USB memory sticks, smartphones, the Cloud) presents specific threats.

Your firm needs to ensure that all forms of electronic media are secure. You also need to ensure there is regular back-up of files and protection from unauthorised access and viruses. Contingency arrangements should include action to cope with major systems failure. You should have a policy for computer file retention and file destruction as well as one for paper files.

We also advise firms to have data loss, email and internet usage policies in place to prevent misuse and possible resultant damage to a firm’s reputation.

Top tips to help you comply

  • Think about the personal information you hold on clients (individuals) – if you don’t need it, destroy it or return it.
  • Password protect and encrypt your desktop and laptop computers.
  • If you use cloud computing make sure the servers are housed within the EEA or in a jurisdiction with EEA equivalent data protection requirements. Tell your clients where their data is in your engagement letter.
  • Make sure you have an agreement with any cloud service provider which includes clauses on who owns the data, confidentiality and data security.
  • Make sure you transfer personal data securely, e.g. through encrypted emails, password-protected documents or a secure portal.
  • Make sure you have up to date licences for all the IT software you use.


Essential practice

  • The firm must have relevant registrations with the Information Commissioner’s Office.
  • All data should be secure, backed-up regularly and retained in a secure location.
  • Have appropriate security in place to prevent corruption of the firm’s systems e.g. anti-virus, firewalls.

Best practice

  • Make sure written procedures are maintained and staff are trained in them.
  • Put in place disaster recovery and business continuity plans.
  • Put email and internet usage policies in place.

Supervision and review


All firms (other than sole practitioners with no staff) should have procedures to ensure that work, including that of subcontractors, is adequately supervised and reviewed before it is finalised.

Appropriate procedures should be determined by each firm to minimise the risk of errors and misjudgements that might result in sub-standard output.

It is usual practice for senior staff to supervise and review the work of more junior staff. In addition, your firm may decide that in some circumstances, the work of one principal should be reviewed by another. This is likely to depend on the degree of risk associated with the work.

Sole practitioners may decide that there are certain engagements where it is appropriate to have their work reviewed by an external consultant with expertise in the relevant area. Such reviews are part of the assignment process and if review papers are not retained, a note should be made on file that a review has taken place.

Top tips to help you comply

  • Sole practitioners must not think that a review does not apply to them. You may have a particularly complex engagement that would benefit from a hot review from a third party to mitigate risk of errors and mistakes.
  • If you have competent staff you don’t necessarily need to review everything that goes out the door. Formulate your policy for reviews on a risk basis. For the work you don’t review hot, review a sample cold from time to time.


Essential practice

  • Make sure your firm has a policy in place for the review of files, including hot reviews. For sole practitioners this could include situations where a review by a third party is needed.
  • Keep evidence of any review on file.

Best practice

  • Use second principal/manager/external hot reviews where considered necessary.

Recording work


Firms should record all significant work undertaken and identify sources of information and evidence. Take care to make notes of relevant telephone conversations and meetings. Make sure you show all assumptions and estimates and record the thought processes in arriving at judgmental decisions. There should be evidence that completed accounts have been agreed by the client. You also need to record any oral advice given to a client.

Have a clear policy indicating who is authorised to advise clients and third parties such as HMRC whether by letter, email or orally.

Ensure you have evidence of authority from the client to act as its agent – for example, in dealing with HMRC – and you should obtain written evidence of the client’s agreement where accounts or other information are to be provided to third parties.

Top tips to help you comply

  • Use proprietary work programmes to help structure and record your work.
  • Review some of your files cold from time to time to see if you can follow all the work that has been done, conclusions reached and evidence gathered (this doesn’t just apply to audit).
  • Train any staff in your procedures and explain to them why following them is important.


Essential practice

  • Make sure all significant work, conclusions and judgements are recorded on file.
  • Keep final copies of approved tax returns, signed accounts and other reports on file.
  • Make relevant file notes of any other discussions/enquiries.

Best practice

  • Maintain fully documented files with indexes.
  • Keep final copies of signed accounts and other reports on file, cross-referenced to key working papers.
  • Complete appropriate work programmes and keep on file.
  • Document procedures in a manual.

Complaints from clients


All clients should be informed in writing of the firm’s complaints procedures and of their right to complain to ICAEW. Any complaints from clients should be investigated immediately by a principal of the firm. If, following the investigation, the firm is of the opinion that the complaint is justified, it should do whatever is appropriate to resolve the matter; for example, by remedial work, apology, the provision of information, the return of books or documents or the reduction or repayment of fees. The Duty on Firms to Investigate Complaints – Guidance on How to Handle or Avoid Them gives further information on how to deal with complaints.

Top tips to help you comply

  • Deal with any complaints promptly; don’t let them fester.
  • Don’t forget you can discuss any complaint or potential misconduct with our helpline on a confidential basis. Helpline staff are exempt from the duty to report misconduct.


Essential practice

  • All clients should be informed in writing of complaint procedures.
  • Retain evidence that any complaint from a client has been investigated and resolved.
  • Self-report any misconduct to ICAEW.

Best practice

  • Ensure an engagement letter that has been signed and returned by the client states the complaints procedures.
  • Have internal procedures to identify and investigate complaints.
  • Maintain separate files to show how individual complaints are dealt with.
  • Keep a complaints log to review for PII purposes and feedback learning points to principals and staff.

Compliance review


The way in which a firm carries out a review of compliance with its own procedures and these standards, and the frequency of the reviews, will depend largely on the size of the firm and the nature of its work.

It is possible for sole practitioners to carry out a review of their own work, perhaps using a proprietary review programme. Alternatively an external reviewer could be of help.

Reviews are available from training groups or other similar consultancies; or a reciprocal arrangement can be made with another member who provides similar services to those you do. The review should consider firm issues, such as whether staff are receiving adequate training and whether access to technical material is sufficient. The review should include a check on bank accounts to confirm that any client money has been dealt with in accordance with the Clients’ Money Regulations. The review should also include a selection of client files to ensure that the work carried out conforms to the terms of the engagement letter.

There should be a sample check of the output of the firm to verify that the correct systems and procedures have been applied and to check the quality of the work carried out, including that of any advice given. The review should include a review of a sample of accounts prepared by the firm to check that they are materially correct and comply with statute and other relevant requirements.

A sample of tax files should be reviewed to consider both the calculations and the advice given and the review should identify whether submission deadlines were met. Similar reviews should be carried out in other areas of work. The sample should be selected primarily to focus on higher risk assignments; for example, those where a report is being made to a third party or where the firm has been providing services of a specialist nature. Nevertheless, all offices of the firm, all professional staff and all types of work should be covered over a period of time.

Below is a list of practices your firm may put in place to help you comply with this standard. These are divided between what we consider to be essential practice and best practice that further assist with a firm’s quality and risk management. There are also some top tips to help your firm comply.

To help you assess whether you have adequate procedures in place to enable you to comply with this standard you can complete the Practice Assurance compliance review checklist.

There are also lots of helpsheets and guidance on our website to help you and we have signposted these for you here.

Top tips to help you comply

  • Use our PA compliance checklist to drive and record your PA compliance review. Only download the checklist when you need it as we update it from time to time.
  • If you are a sole practitioner with no staff find somebody in a similar situation and conduct reciprocal reviews for each other.


Essential practice

  • Consider the need for an internal whole-firm review to be conducted annually.
  • Consider the need for internal cold file reviews of any particularly high risk assignments.

Best practice

  • Conduct whole-firm and cold file reviews annually (consider periodic external reviews).
  • Results of cold file reviews should be given to all principals and staff with a note of any required remedial action.
  • Follow up any remedial action.

Helpsheets and further support

The following helpsheets relevant to standard 4 are available:

You can also discuss technical, ethical and money-laundering enquiries with ICAEW’s Advisory Services on a confidential basis by calling +44 (0)1908 248 250.