What are the lessons learned from the first year of ISQM 1? Andrew Jarvis shares insights into practical challenges and practical solutions.
As we approach the first anniversary of the International Standard on Quality Management (ISQM) 1, I have seen the firms that HAT supports take very different approaches when addressing the new requirements.
Some undertook a lot of work prior to implementing their System of Quality Management (SOQM), while others have found their preparation was insufficient and are still bolstering their approach. Some firms are treating the standard as purely a compliance issue, whereas others have understood that it can result in real practical improvements in how they operate.
A key issue I have recently seen is loss of momentum – even the best firms have struggled to maintain this when faced with client deadlines. As explained in the excellent article, ISQM 1 – tools for the journey, compliance with the standard is a journey and not a destination. Regardless of where your firm is on the ISQM 1 journey, more work is required.
What was new in ISQM 1?
Before we focus on some of the key changes, it is helpful to summarise them using the ‘four Rs’.
- Risk assessment to identify quality risks.
- Responding via an SOQM and monitoring of this.
- Root cause analysis (RCA) on identified deficiencies.
- Remediation to resolve identified root causes.
Now let’s consider some of the practical issues that firms have experienced in these four key areas – and some practical ways of addressing them.
Risk assessment to identify quality risks
Many firms found the initial risk assessment process useful and even cathartic. The most effective risk assessments arose where there was wide consultation within the firm (and even with other firms) to identify risks. I chaired several such discussions and it was striking how practical and informative these were.
Put simply, the risk assessment process should be seen as an important part of the firm’s strategy to identify and manage risks with the aim of reducing compliance risk and ultimately improving the firm’s performance.
A common issue identified is the lack of a coherent plan to keep risk assessments up to date. These should be updated when a major new risk is identified, for example loss of key personnel or a serious deficiency arising on an audit. When such an event happens, you may be busy dealing with the actual problem and not consider the wider picture. What prompt do you have to ensure the issue identified is fed back into your formal risk assessment? Whose responsibility is it to do so?
The risk assessment should also be reviewed periodically. A danger for even the best risk assessment is that subsequent updates are not sufficiently considered. Simply including a review at each partners’ meeting is unlikely to result in robust updating of the document, especially if it is towards the end of the meeting.
Possible solutions include forming a specific committee, made up of a wider group of team members, to report back to partners’ meetings, or introducing a requirement for responsible individuals (RIs) to consider every quarter what new risks they face before feeding this back into the formal assessment.
Responding via an SOQM and monitoring of this
Once risks are identified, the response must be documented and monitored. Many firms subscribe to an ISQM resource pack to assist with compliance and procedures. This must be adequately tailored and bolstered to deal with the firm-specific risks identified. Too often this is not happening. Where risks relate to areas such as information technology (IT) security, it is likely that the response is outside of the core procedures pack and a mapping document to explain where the risk is addressed is necessary.
Monitoring of the SOQM is also a challenge. As with any action plan, objectives set need to be SMART (specific, measurable, achievable, realistic and time-specific), and responsibilities need to be allocated to appropriate personnel.
Senior management need to have a process for monitoring progress. I recommend making this a recurring agenda point at partners’ meetings, with clear documentation of who is responsible for monitoring the performance of each documented response and the frequency of this.
A key method of monitoring is detailed consideration of the results of cold file reviews. I have seen firms where previously there was little coherent consideration of this now formally discuss these results among all RIs on a regular basis, preparing a much stronger action plan to address weaknesses identified, which all RIs have bought into.
Root cause analysis (RCA) on identified deficiencies
Some firms are still grappling with how to undertake good quality RCA. To be effective, RCA needs to ask difficult questions – something that many of us shy away from. Other key practical issues include how RCA should be undertaken and its frequency. This will depend on your firm and, for example, the frequency of cold file reviews. RCA should also be undertaken where there is a serious deficiency: for example, a material error being identified after an audit report is signed.
In terms of how to undertake RCA, from my experience it is necessary to experiment with different approaches and the involvement of different members of the team, to determine what will work for you. For those struggling with RCA, support is available, including ISQM 1: How to get started with root cause analysis (published in Audit & Beyond in February 2022).
Remediation to resolve identified root causes
This is where proactively adopting the standard should reap benefits, improving not only audit quality but efficiency. However, what does remediation look like in practice?
A good example I found was a firm that struggled at the start of 2023 with the implementation of the revisions to the International Standards on Auditing (ISAs) (UK) 315 and 240. Although the firm believed it had managed the risks posed by the new standards, including installing relevant software updates, it found that in practice these updates were not correctly applied, and the issue was not immediately identified by engagement teams.
Rapid RCA identified errors in the update process and a lack of awareness from staff of what the changed documentation looked like and how it should be used. As this issue could have serious implications, immediate remediation was necessary.
This remediation consisted of adding Word documents to all existing audit files to bridge the gap, and briefing staff on their importance and use. A longer-term project then took place with the IT provider to ensure the ultimate root causes were also addressed.
Regardless of how compliant you believe your firm to be with ISQM 1, further work is required in all the above areas to remain that way. ISQM 1 must be embedded into the culture of your firm and can support the development of your practice. Effective documentation of how you are doing this will allow you to demonstrate compliance with the standard at your next audit monitoring visit.
Andrew Jarvis, Managing Director, HAT Group
ISQM 1 – maintaining momentum
ICAEW will be hosting ISQM 1 – maintaining momentum, an in-person, morning event on 21 November 2023 at Chartered Accountants’ Hall. It will look at QAD perspectives, what firms have learned so far, how SoLogic goes about root cause analysis training, and will offer the chance to discuss learnings and challenges in roundtable discussions with your peers.