Remedial action
Types of remedial action
Taking remedial action to address cold file review findings is hardly a new concept, so has anything changed? ISQM1 is a little more specific in requiring you to put in place remedial actions ‘that are responsive to the results of the root cause analysis’. The theory is to guard against ‘treating the symptom’, or assuming that, for example, more training is the answer without too much delving. That’s not to say that training isn’t the answer, or one of the answers, or that it will be a wasted effort….
Unsurprisingly, many of the actions taken by the firms we contacted did centre around training or awareness-raising. But the firms had thought carefully about the style and delivery of training to ensure maximum impact, rolling out more regular, short, single-topic sessions, breakfast or lunchtime updates, making them as accessible as possible. There was also more mandatory training with tighter control/monitoring of attendance. Some firms were adding tests or quizzes at the end of training sessions to reinforce key messages.
Training covered a wide range of topics, from the purely technical, for example on how to audit cash flow forecasts, to more practical and project management areas. One firm had tightened up on the link from its root cause analysis to any training needs by including its training manager in its root cause discussions.
Aside from training, remedial actions included the roll out of new or improved templates for certain areas of audit testing and IT fixes to make things as easy as possible for audit teams. Actions also included better resource planning. For example, one firm had started to pre-book audit seniors for finalisation time where this was identified as a root cause of some audit file completion issues. Another firm had implemented a ‘new work log’ to triage new opportunities to ensure it had sufficient staff resource before taking on new jobs. The same firm had introduced more timely written feedback to audit staff on individual audits to be discussed with their line manager/student counsellor. The firm found this to be effective in flushing out technical or practical issues which could then be addressed more promptly. Some of the firms had introduced ‘inflight’ technical support for audit teams, for example to help them with the new requirements of ISA315 revised.
How to assess effectiveness
It is obviously important to check that the actions you’ve taken are working.
ISQM1 requires the person responsible for monitoring and remediation to evaluate whether remedial actions are appropriately designed and implemented, and whether actions implemented to address previously identified deficiencies are effective. You have probably already been doing these things. In the firms we contacted, those designing and implementing remedial actions were generally part of a small, close-knit central team led by senior individuals, so it was clear that they were in a position to evaluate these aspects.
The firms were checking up on actions taken to address previous deficiencies in various ways. One common method was to include action points from cold reviews on the subsequent year’s audit file, in some cases requiring the audit teams to formally sign off on how they had addressed the points. This may well be something you already do.
Feedback from any form of subsequent review can help you to assess whether the actions previously taken have been effective. In assessing the results of their cold file reviews, the firms were highlighting and looking hard at any recurring points. One firm had a rolling program of peer reviews, done by managers, which incorporated ‘hot topics’ including common findings from cold file reviews. Other evidence may be relevant for this purpose, for example staff feedback on individual jobs.
The message is to use the evidence available to you. If the same old points keep cropping up, you need to ask why and think again about the root causes and how to address them. You can be sure this is something the Quality Assurance Department will look at on monitoring visits.
Annual evaluation
How to conclude
This is effectively the culmination of all the monitoring and follow-up action you have done in the period. Whatever the timing of your monitoring activities, ISQM1 requires you to evaluate, at least annually, whether your system of quality management provides you with ‘reasonable assurance’ that its objectives are being achieved. Your evaluation should be based on your monitoring results, the seriousness of any deficiencies, and how effective your remedial action has proved up to the date of your evaluation.
ISQM1 gives you a choice of three conclusions; (a) reasonable assurance provided, (b) reasonable assurance provided except for matters relating to identified deficiencies that have a severe but not pervasive impact, and (c) reasonable assurance not provided.
Deciding how to conclude will involve a degree of judgement as to the seriousness of any deficiencies you have found. The ISQM1 Application Notes (A190 -A194) do offer some help, particularly on what you might consider to be pervasive. Things don’t have to be perfect for you to justify a type (a) conclusion. If any deficiencies identified in the period are not deemed to be severe, a type (a) conclusion should be supportable. Depending on the timing/ pattern of your monitoring activities, you could have identified a severe and pervasive deficiency early in the period, but as long as you can demonstrate that you have fixed it, you could still conclude at the date of your evaluation that your quality management system provides you with reasonable assurance. This is, after all, how the system is meant to work; you do your monitoring, evaluate and explore the findings, and take action to address any deficiencies.
If you are not yet able to say that any deficiencies classed as severe have been addressed, you will be looking at a type (b) or type (c) conclusion, and you will need to take action in the next period of monitoring to address the issues.
The firms we contacted had arrived at either conclusion (a) or conclusion (b). Were they totally consistent with each other in the way they’d assessed their results? It is difficult to be sure, but the key thing was how they’d supported their judgements and conclusions, and that they’d taken action where they needed to.
Documenting your evaluation
You need to document the basis for your conclusion. It isn’t enough just to tick a box! Most of the firms we contacted had prepared some form of overall report or board pack which drew together the evidence from the various forms of monitoring they had done, any significant findings and the remedial actions taken. In some cases they had used standard templates (from a training provider) to help to support their conclusions. ICAEW has recently released guidance showing how you might document the process using a tabular approach.
Remember this is all scalable. For a very small firm, there will be less to monitor and less to bring together for the annual evaluation exercise. Documentation could therefore be quite short and straightforward.
Timing
You should have completed your first formal evaluation by December 2023 at the latest, which means you should now have done your second one. Some of the firms we talked to were keen to align their annual evaluation with other annual processes such as their PII renewal and Annual Return dates, as well as their audit compliance review (ACR). At least one of the firms had updated its December 2023 evaluation to the date of its annual return. As long as there is proper evidence of your evaluation at that later date, it seems reasonable to keep that as the annual evaluation date going forwards. Another firm talked about choosing a date when you are least busy with other matters. You don’t have to stick with a December date if it doesn’t suit you, as long as the process is at least annual.
Overlap with the annual compliance review
As recognised in the first article in this series, there is some overlap between the monitoring and evaluation requirements of ISQM1, and those of the ACR required by the Audit Regulations. Some of the firms referenced the ACR in the report underpinning their annual evaluation. One firm regarded the ACR as more of a final over-arching check to ensure nothing had been missed. Either approach seems reasonable, although both will involve a level of duplication. You may be able to find a more streamlined way to deal with these requirements as you go forward.
ISQM1 refers to fulfilling regulatory requirements in its overall objective. It may therefore make sense to avoid duplication with the ACR by establishing additional quality objectives to cover the audit regulation aspects (for example eligibility, which may be especially relevant given the recent changes in the terms ‘voting rights and ‘majority’), or tie the audit regulations into existing objectives. In accordance with ISQM1, you would then set out your related risks and responses (eg, procedures and controls) and show how you monitor them. The ICAEW guidance linked below includes a separate table within the documentation to cover the requirements of the Audit Regulations.
Whatever approach you take, you should be able to demonstrate that you have covered the relevant regulatory aspects every year.
Read ICAEW’s guidance on documentation of evaluation
Read Safeguarding the quality of your audits: part 1
Read Safeguarding the quality of your audits: part 2
Register for our 2025 webinar series: Audit monitoring insights
The content for the three articles is drawn from talking to a sample of firms about what they have done and from looking at some of their documentation. ICAEW would like to thank the firms involved for volunteering their time and help.