ISQM1 requires firms to design, implement and operate a system of quality management (SoQM) to manage their engagement quality. Firms need to establish quality objectives, identify and assess the risks that could threaten the achievement of those objectives before designing and implementing responses to mitigate those risks.
Larger audit firms and members of networks should now be some way down the road in developing and implementing their SoQM for ISQM1.
Audit compliance partners and others who will be responsible for designing and implementing the SoQM at smaller audit firms ought to at least have some appreciation of the changes from articles and webcasts. If you have not done so already, we strongly recommend that you also put aside time in the coming weeks to read the ISQM1 standard and First Time Implementation Guide. This preparation will help when further guidance and support is released by UK audit methodology providers later in 2022.
ISQM1 and the SoQM represent a significant change from ISQC1 requirements, but once fully understood these should be seen as a positive development by firms. In a few cases ISQC1 procedures have become a boiler-plate document inhabiting the depths of a shared server, and get out of date. Many of your existing quality control policies and procedures will remain relevant, but ISQM1 requires proactive monitoring, review and evolution of these procedures as the nature of your firm, its audit clients and the external environment change.
Tailored risk assessment is key to the SoQM. Quality risks will differ substantially between a sole practitioner with few staff, and a 4-5 partner firm with 20-30 audit staff. Equally, an assessment of the quality risks from a stable audit portfolio of small and medium sized corporates will quickly change if the firm then takes on its first group audit, a large corporate or specialist audits such as charities, academies and pension schemes.
If not yet underway, you should start your risk assessment process as soon as possible. Our reviewers will discuss this with firms at our visits from early 2022. For smaller firms this risk assessment may be a single document, and the standard itself includes comprehensive audit quality objectives for guidance. While the standard does not preclude identification of other audit quality objectives, those in the standard should suit the circumstances of most UK audit firms.
With your initial risk assessment complete, you can then review the effectiveness of your existing quality control policies and procedures against the audit quality objectives. If you have recently had positive feedback from external monitoring or cold file reviews then hopefully you will be able to conclude that few changes are necessary at present. More challenging or critical reviews of your audit work may indicate policies and procedures that were not fit for purpose (and should possibly already have been improved). One area that will require work for many if not all firms will be evaluation of service providers – including methodology, CPD and external file reviewers.
Most firms will need to enhance their process of monitoring and remediation. All will be familiar with the need for cold file reviews on an annual basis, and some will have started to consider root cause analysis of the findings from those reviews. For smaller firms, monitoring and remediation does not need to be over-engineered but the process will need to include regular review of risk assessment, audit quality objectives and responses.
As an audit regulator we want to see that our firms are on track to be able to comply with ISQM1 by December 2022, including in the important new area of risk assessment, and the enhancement of monitoring and remediation. Even with the assistance of methodology providers, implementation of ISQM1 will require the investment of time and effort by senior individuals at all audit firms over the course of this year.
However, this is not simply a race ending at the implementation date, and we don’t expect that all firms’ initial SoQM will be flawless. Quality Management will be an integral part of your audit practice by December 2022 and the system can then evolve and strengthen over time.