
ISQM 1: Use of resources obtained from service providers

ICAEW has produced a guide for ISQM 1 requirements in relation to resources obtained from service providers.

This ICAEW Audit and Assurance Faculty guide focuses on ISQM 1 requirements in relation to resources obtained from service providers.

It highlights the range of information that firms applying ISQM 1 may require in order to identify and assess quality risks arising from the use of such resources and determine whether specific resources are appropriate for use in their system of quality management and performance of engagements.

What are the requirements?

ISQM 1 addresses firms’ responsibilities to design, implement and operate a system of quality management (SOQM) for audits or reviews of financial statements, or other assurance or related services engagements and is effective from 15 December 2022. A SOQM must be risk based – the risk-based approach must be embedded through the establishment of quality objectives, the identification and assessment of quality risks which might threaten the achievement of those objectives and the design, implementation and operation of responses which will mitigate identified and assessed risks.

The identification and assessment of quality risks involves understanding relevant aspects of the nature and circumstances of the firm itself, and relevant conditions, events, actions or inactions that could prevent quality objectives being achieved.

One of the key concepts underlying ISQM 1 is that a firm is solely responsible for the design, implementation and operation of its own SOQM – even where it obtains resources (such as manuals, tools and/or training) from service providers. Such resources (where obtained) will automatically be part of a firm’s SOQM and therefore firms that use resources obtained from service providers must make a thorough evaluation of their fitness for purpose in the light of the firm’s own nature and circumstances (and those of its client base). To make such an evaluation, firms are likely to need information from their service providers.

This guide focuses on the range of information that firms are likely to need to enable them to identify and assess quality risks and, where necessary, determine appropriate responses. It focuses on the range of information that firms may require for four key resources provided by service providers – audit methodologies (paper-based or in IT applications), training, commercial IT applications used in a firm’s SOQM or to perform audit engagements, and audit quality support such as file/EQR reviews/Root Cause Analysis/technical consultations. This guide is primarily aimed at firms applying ISQM 1 but it may also be relevant to service providers as an illustration of the types of information that they may be asked for.

What specific quality objectives in ISQM 1 relate to resources from service providers?

ISQM 1 specifically requires firms to establish the following quality objectives in relation to resources provided by service providers:

Human, technological or intellectual resources from service providers are appropriate for use in the firm’s system of quality management and in the performance of engagements (ISQM 1:32 (h)).

This is considered by taking into account the following quality objectives:

Engagement team members are assigned to each engagement, including an engagement partner, who have appropriate competence and capabilities, including being given sufficient time, to consistently perform quality engagements (ISQM 1:32 (d)).

This could be relevant where service providers are engaged to provide consultation on technical matters and where training is provided by service providers.

Individuals are assigned to perform activities within the system of quality management who have appropriate competence and capabilities, including sufficient time, to perform such activities (ISQM 1:32 (e)).

Service providers may be engaged to provide services, such as training, to assist in the performance of root cause analysis, to perform internal monitoring and to assist in the implementation of software. All of these services would constitute activities within the SOQM.

Appropriate technological resources are obtained or developed, implemented, maintained, and used, to enable the operation of the firm’s system of quality management and the performance of engagements (ISQM 1:32(f)).

Service providers may supply, implement and maintain resources such as audit software and associated tools, such as data analytics.

Appropriate intellectual resources are obtained or developed, implemented, maintained, and used, to enable the operation of the firm’s system of quality management and the consistent performance of quality engagements, and such intellectual resources are consistent with professional standards and applicable legal and regulatory requirements, where applicable (ISQM 1:32(g)).

Intellectual resources that service providers may supply include training, consultation and methodologies.

The firm must also establish the following quality objective in relation to service providers to address the fulfilment of responsibilities in relation to ethical requirements, including independence:

Others, including the network, network firms, individuals in the network or network firms, or service providers, who are subject to the relevant ethical requirements to which the firm and the firm’s engagements are subject:

  1. Understand the relevant ethical requirements that apply to them; and
  2. Fulfil their responsibilities in relation to the relevant ethical requirements that apply to them. (ISQM 1:29 (b))

This may be relevant, for example, where service providers provide technical consultations or reviews.

What is a service provider?

ISQM 1 defines a service provider as:

An individual or organisation external to the firm that provides a resource that is used in the system of quality management or in the performance of engagements. Service providers exclude the firm’s network, other network firms or other structures or organisations in the network.

This could therefore include:

  • providers of commercial IT applications used in the SOQM or to perform audit engagements and methodology providers;
  • external consultants providing file review services;
  • auditor’s experts utilised on an audit engagement;
  • component auditors; and
  • training providers.

This guide does not address resources provided by auditor’s experts or component auditors. These are service providers under ISQM 1 and the resources provided are likely to be bespoke so firms will need to carefully consider what information they may need and should refer to ISA 620 and ISA 600 for further support in these areas. The examples also do not cover the use of subcontractors.

How much information is needed?

This depends on the nature and circumstances of the firm and of the service provider in question, the resources being used and the capacity in which they are used within the firm.

The more homogeneous the resource, the greater the likelihood that a generic statement will be sufficient, for example, where there are multiple customers (eg. audit firms) of an identical product/service from the provider with little or no personalisation (an off-the-shelf purchase).

If firms are using bespoke resources, then it is likely that, while the service provider may automatically provide some generic information that is useful (for example relating to their credentials, experience, competence etc), firms may identify a need for more specific information directly related to the unique or personalised characteristics of the resource provided.

If a resource that has been supplied by a service provider is fundamental to a firm’s SOQM, for example, the provision of internal monitoring reviews, or tailored/bespoke audit programmes, then more detailed information may be needed, for example, information about the frequency of updates and the service provider’s technical competence, to provide the firm with sufficient information to evaluate whether all relevant ISA requirements will be appropriately reflected/considered.

Information requested may also differ depending on whether the service provider is providing one or a range of resources, or a combination of human, technological and intellectual resources within one product, for example, where a firm purchases an audit related tool together with initial training and then ongoing support and updating.

Even in a simple scenario, such as attending a publicly available course, in order to determine whether the course actually meets the firm’s needs (or the needs of its staff), and to what extent, it is likely that firms will want to review the course outline to understand the objectives of the course and its coverage, and obtain information on who is running it and their relevant credentials. If firms are, however, buying remedial training for all or some staff on a particular issue, as a result of a specific identified need, then this will be very important to the firm and more information is likely to be required.

Where can I find this information?

Depending on the resources being considered, information may be available from a variety of sources including directly from the service provider. 

A good starting point for finding this information would be the service agreement (contract or engagement letter) that the firm has with the service provider, or in a service provider’s service report. Service providers are likely to have different service reports for different resources, such as audit methodologies, commercial IT applications used in the SOQM or to perform audit engagements, file reviews and training and they may also provide more specific quality statements to help firms address ISQM 1 requirements. Information may also be available from websites, gathered from other sources (eg. firm networks) and from previous experience with the service provider.

Do I need to corroborate the information provided?

As always, this is likely to depend on the nature and circumstances of the firm and the service provider and also on events and conditions relevant at the time. In most cases, information provided by, and enquiries made of, service providers are likely to be sufficient, without a need for further corroboration. It will however be important for firms to keep this information up-to-date.

Key information

The information highlighted in this guide is likely, in most cases, and particularly for less complex firms, to be sufficient to enable them to identify and assess quality risks, and determine responses, in relation to the appropriateness of the resources from service providers that are used in their SOQM or the performance of their engagements. However, it is not possible to provide a comprehensive list of all the information that may be required for all firms as it will depend on the nature and circumstances of individual firms and the resources used. Some firms may, therefore, need to make further enquiries or request additional information.

The table below illustrates the range of information that firms may require from service providers for the four types of resources: methodologies, training provision, software and audit quality support services such as file review/technical consultations. 

Information from service providers required
Themes | Key information | Audit methodologies | IT applications | Training provision | Audit quality support services

Leadership and governance of the service provider

Leadership commitment to quality

X X X X

How the organisational structure and assignment of roles, responsibilities and authority support quality

X X X X

Processes in place to ensure that sufficient time and resources are allocated to meet contractual obligations and deadlines 

X X X X

Technical content, for example, an audit methodology which could be either paper-based or software, a tool to support a service (eg checklist), content for software, or presentation materials

Key content details – scope and depth of coverage

X X X X

Objectives of the resource and any relevant limitations

X X X X

Controls to ensure the technical accuracy of content (how the service provider ensures that the technical content addresses all necessary legal, regulatory and other requirements, the process for technical review and how and what resources and time are allocated) 

X X X X

Controls to ensure that the content is updated on a timely basis to reflect changes in standards, laws and regulations

X X X X

Confirmation that a mapping process (to ISAs) is undertaken and a description of that process, including confirmation of compliance with all relevant standards

X  

Format and scope of training provided and how users in a firm can access it

X

Competence and capability

Capabilities/skills/experience/competence/qualifications of relevant people involved in developing/reviewing/maintaining/providing the resource and how these are maintained, and where relevant, allocated

X X X X

Compliance with laws and regulations

How the service provider identifies/evaluates/addresses threats to compliance with any relevant ethical requirements

X X X X

How the service provider identifies/evaluates/addresses threats to compliance with any relevant laws and regulations eg. data protection, cyber security

X X X X

Feedback, monitoring and complaints

Processes in place to address the receipt, investigation and resolution of complaints and allegations of failures

X X X X

Monitoring activities and how the service provider addresses deficiencies 

X X X X

Access to references/testimonies of other customers 

X X X X

Resources dedicated to customer support

X X X X

Software development

Controls and processes in place in the following areas:

  • Scoping: to ensure that the software is designed to do what it needs to do
  • Testing
  • Security eg. audit trails/access controls covering how the file can be completed/locked down with suitable controls to meet the requirements of ISA 230
  • Privacy/confidentiality features
  • Maintenance of software
  • Data breaches
  • Back up and file recovery arrangements
  • Layered service provision eg. if a service provider uses another provider for software development, how they ensure that the other provider has suitable controls in place
  • Controls over API interfaces with other software to address similar issues listed above (e.g. security)
  • Disaster recovery

X X

What next?

While the focus of this guide is on information that may be needed from service providers, audit firms are also likely to need information from within their firms to ensure they have identified/assessed relevant quality risks in relation to the appropriateness of the resource for use within the firm’s SOQM and engagements. This information may include how the resource is being used within the firm, whether it has been well-integrated and/or adapted (and, if so, how) and whether it is being used appropriately. 
