Concerns about transitioning to the new quality management standards are understandable. “Like most of us, I am apprehensive about applying ISQM1 – including the time and resources it will take to get ready. It’s clear we need to start our preparations now,” says Rachel Davis, MD of Just Audit.
The potential impact of doing what’s needed for compliance with the International Standard on Quality Management (ISQM) 1 can be particularly concerning for smaller firms. “Small practices lean heavily on service providers, with this reliance encompassing audit methodologies, data analytics, training, external quality control, compliance reviewers, IT and more,” observes Davis. “Under the new standard we will need to assess and document why we are able to rely on them to meet the quality objectives. Most of us will be hoping, for example, that our methodology provider will help us document that.”
Continuing to act as auditors will also be necessary, says Davis: “We must use our experience and keep our sceptical hats firmly on. We can refer to documentation and checklists as guides, but we must remain objective.”
This prompts some burning questions. So Davis reached out to a fellow member of ICAEW’s quality management working group, Jenny Faulkner, Head of Publications, Assurance and Financial Reporting at Mercia Group, looking for answers.
Q: What must my firm understand about using a service provider?
A: There are many matters to consider.
First, you need to be clear as to whether you are using a service provider. A service provider is defined in ISQM 1 as “an individual or organisation external to the firm that provides a resource that is used in the system of quality management (SoQM) or in the performance of engagements. Service providers exclude the firm’s network, other network firms or other structures or organisations in the network.”
This could include organisations providing:
- audit quality reviews/technical support/consultation;
- audit/assurance methodologies;
- software, which houses audit/assurance methodologies (such as a commercial IT application);
- technological resources that are directly used in designing, implementing, or operating a firm’s SoQM (providing a specific monitoring and remediation tool, such as for root cause analysis); and
- technological resources that are used directly by engagement teams in the performance of engagements (such as audit data analytics or audit request confirmation software).
A ‘service provider’ might also be an auditor’s external expert, to assist the engagement team in providing audit evidence (eg, actuaries/property valuers/share option valuers/another audit firm to attend a stock count, etc) and component auditors from other firms not within a firm’s network. Where this type of service provider has been used in the past, assessments of experts/component auditors should already have been undertaken through either the auditing standard on experts (ISA 620) or on groups (ISA 600).
However, such assessments are part of individual audit documentation and may not have been reflected in firm level QM documentation or factored into firm level QM. While they will inform a firm’s understanding of their potential impact on the achievement of its quality objectives, they may not be sufficient to enable the firm to determine whether they give rise/contribute to any risks that could threaten the achievement of quality objectives. Consequently, firms using this type of service provider will need to consider what additional information might be needed and, crucially, how to ensure that this type of service provider is factored into the firm’s risk assessment process.
For some firms, you may be using several service providers, or one service provider for several different functions. If your firm is subject to ISQM 1 and using a service provider, the following needs to be considered (where the service provider is performing several functions, separate analysis of those functions should be undertaken).
Resources provided by service providers
Service providers may provide one or more of human, technological or intellectual resources.
The firm remains responsible for its SoQM irrespective of whether the resources are provided directly through the firm or through a service provider. Firms are required to obtain an understanding of the conditions, events, circumstances, actions or inactions that may adversely affect the achievement of the quality objectives and the firm may consider the nature of the resources provided by service providers, how and the extent to which they will be used by the firm, and the general characteristics of the service providers used by the firm (eg, the varying types of other professional services firms that are used), in order to identify and assess quality risks related to the use of such resources.
A firm may consider:
- the related quality objective and quality risks (eg, in the case of a methodology provider, there may be quality risks that the service provider does not update the methodology to reflect changes in professional standards and applicable legal and regulatory requirements);
- the nature and scope of the resources and the conditions of the service (eg, in relation to an IT application, how often updates will be provided, limitations on its use and how the service provider addresses confidentiality of data);
- the extent to which the resource is used across the firm;
- how the resource will be used by the firm and whether it is suitable for that purpose;
- the extent of customisation of the resource for the firm (eg, if the firm uses a service provider for audit methodology, does the firm customise the methodology themselves, for example for the audit of public interest entities?);
- the firm’s previous use of the service provider; and
- the service provider’s industry experience and reputation.
Where human resources are provided, understanding their appropriate competence and capability, including sufficient time, is critical. Competence is the ability of the individual to perform a role and goes beyond knowledge of principles, standards, concepts, facts and procedures; it is the integration and application of technical competence, professional skills, and professional ethics, values and attitudes.
There is a specific response required to the quality objective(s) in relation to the use of service providers.
To quote ISQM 1, para 24-4: “The firm establishes appropriate policies or procedures that ensure that outsourcing of important audit functions is not undertaken in such a way as to impair the quality of the firm’s internal quality control and the ability of the competent authority to supervise the firm’s compliance with professional standards and applicable legal and regulatory requirements.”
Relevant ethical requirements
The firm must establish quality objectives that address the fulfilment of responsibilities in accordance with relevant ethical requirements, including those related to independence. This includes where service providers are used and are subject to the relevant ethical requirements to which the firm and the firm’s engagements are subject.
(i) understand the relevant ethical requirements that apply to the service provider; and
(ii) understand how they fulfil their responsibilities in relation to the relevant ethical requirements that apply to them.
Firms will need to understand whether service providers used are subject to the same relevant ethical requirements. These ethical requirements may differ depending on the nature and circumstances of the firm and its engagements. It is important to note that various provisions of the relevant ethical requirements may apply only to individuals in the context of the performance of engagements and not the firm itself.
Information and communication
A firm must communicate relevant and reliable information to external parties, which will include service providers. In addition, the firm may need to obtain information from the service provider that supports the firm in the design, implementation and operation of its SoQM. This could include information from the service provider about clients, where there are independence requirements that affect the firm.
Monitoring and remediation process
ISQM 1 requires that in determining the nature, timing and extent of the monitoring activities, the firm shall consider other relevant information. Relevant information from a service provider may include information it has communicated about the resources the firm uses in its SoQM.
Where service providers are providing technological solutions, such as the software that houses audit/assurance methodologies, or those providing technology that supports other audit areas, such as audit data analytics, it will be important to consider:
- the type of solution and understand its access and security;
- how data is collected, processed and stored (eg, desktop/cloud/hybrid); and
- how confidential data is protected (such as how General Data Protection Regulation requirements are met).
Specifically for commercial IT applications, ISQM 1 notes that the firm may need to communicate information to the service provider for the resource to function effectively or, in relation to an IT application, the firm may need to have supporting IT infrastructure and IT processes in place. A clear understanding of this communication and how/when quality control procedures are dealt with will be needed.
Q: How do we obtain all this information?
A: Many service providers have drafted or will be drafting ‘ISQM 1 Service Provider Reports’ to address the points above. Of course, reviewing letters of engagement and contracts will also provide confirmation of some of the above points. Our quality management working group is also working on guidance on the types of information that may be required by audit firms, to enable service providers to be ready for requests. Where the service provider is an audit firm and a transparency report is available, then this may help with some of the evidence needed above.