International quality management standards – what you need to know now
All audit firms are affected by the new quality management standards. David Smith and Gill Spaul share practical tips to help with preparations.
As audit firms transition from international standards on quality control (ISQC) to international standards on quality management (ISQM), there is a great deal to think about. The new and revised standards are effective for periods beginning on or after 15 December 2022. This means that by this date, firms are required to have compliant systems of quality management (QM) both designed and implemented (although the operation of the responses and monitoring activities is only required to commence from this date).
The new and revised standards for an audit firm’s responsibilities to design, implement and operate a system of quality management (SOQM) focus on proactively identifying and responding to risks to quality. This requires a firm to customise design, implementation and operation of its system of QM, based on the firm’s nature and circumstances, using an integrated approach that reflects on the QM system as a whole.
For some firms, managing the transition will be a significant undertaking, so all firms are advised to assess the impact and start their preparations as soon as possible. Each of the following aspects of QM will need to be on your radar.
Objectives, risks and responses
The key phrase in ISQM 1 is ‘nature and circumstances’. This phrase is emphasised time and again and it highlights the guiding principle at the heart of the standard, which is that QM is not ready-to-wear, it’s made-to-measure. The key impact this philosophy will have on firms is that even for the small ones, a significant amount of thinking and planning will have to take place during the design and implementation of their SOQM.
ISQM 1 pivots firms away from ‘quality control’ (which is often viewed as a reactive model even though it doesn’t have to be and often isn’t) and towards ‘quality management’, which is definitely intended to be more proactive. If your current SOQC focuses a lot on preventive controls, you will have a good basis to begin your QM journey. If not, then you may find things more challenging.
Firms are now required to identify and articulate their quality objectives. There are mandatory objectives identified in the standard, but firms must also consider whether these are sufficient. Firms need to consider what risks might threaten those objectives, assess the identified risks and then craft a set of responses (in the light of the risk assessments) to mitigate those risks.
Key things that firms will have to think carefully about include:
- determining whether they have (or should have) additional quality objectives on top of the mandatory ones;
- identifying, articulating and assessing the risks that threaten those objectives; and
- working out which of their existing responses (formerly known as procedures) will still be fit for purpose, which will need adjusting, and what new responses will be required.
Trying to squeeze existing square pegs into new round holes may be tempting, but it might end up costing firms a lot of time and effort and produce a less than ideal result. Firms will need to spend time considering how they need to evidence the design, implementation and operation of their SOQM. In particular, they must think about how they will evidence that they have produced something made-to-measure rather than ready-to-wear.
Risk assessment process
System design takes time, so kick things off before you really think you need to. In particular, the iterative, non-linear risk-response process can be potentially never-ending, so be sure to set a sensible cut-off point for defining responses to quality risks on first-time adoption.
Defining and assessing quality risks, working out where the gaps in current quality control responses sit and making changes to manage objective-linked-risks in line with this new framework requires planning and resource for firms of all shapes and sizes. A firm with low-risk operations ought to have less to do, but the nature of the QM standards means there won’t be a solution firms can just procure and plonk on a shelf, with no extra work required.
We will all understand our firms, our clients and our people well enough to know where the headline risks to quality lie, and to form an honest appraisal of whether we are doing the right things to mitigate those risks. It makes sense to invest time in articulating this, ahead of off-the-shelf solutions becoming available. Proprietary QM products may be able to translate the standard into a more digestible workflow, help with the linkage of objectives, risks and responses, and provide some of our standard policies and procedures. However, the tailored ISQM-driven approach means that measuring things up early is essential.
At an operational level, there are other changes for teams to digest in this same timeframe. Enough momentum must be gained on SOQM changes to prevent things stalling as teams’ bandwidth diminishes over the coming year, when their focus shifts on to engagement-level risk assessment and (in the UK) fraud-related ISA implementation.
Governance and leadership
This element of the SOQM has many mandatory objectives. For some firms, it may be a prime candidate for additional objectives or sub-objectives. These additional objectives will not necessarily be permanent but reactive, and may, for example, relate to world events, or changes in the structure of the firm, such as mergers.
It will be key to think about:
- which risks may have an impact on collective responsibility for quality and behaviours;
- how the firm’s strategy and business decisions may have an impact on quality; and
- how to appropriately respond to those risks.
Firms also need to remember that although many risks may, on the face of it, look like they belong to other elements of the SOQM, they may also have a governance and leadership dimension. How firms document many-to-many relationships between objectives, risks and responses will be vital in ensuring that important links are not overlooked.
Another important issue related to governance and leadership will be regular evaluation of the SOQM: QM is not a static thing and those with overall responsibility for it will need to regularly check that their SOQM remains fit for purpose. This will take time and resources, but skimping on it is not advisable.
Ethics and acceptance
In the UK, recent changes to anti-money laundering regulations (including implementation of a more risk-based approach) and independence requirements ought to put audit firms in a relatively good place, with regard to updated objectives and responses relating to ethics and acceptance. Where some of these requirements aren’t well embedded at a firm or operational level, however, ISQM 1 adds to the list of reasons why this needs to be addressed.
For many auditors, the mandatory objectives around engagement performance will seem fairly familiar. The challenge for firms will lie in understanding and addressing the interaction between this element of the SOQM and most of the other elements.
Some risks may threaten multiple objectives. For example, a risk that threatens human resources objectives may also threaten engagement performance objectives, including those that relate to other non-human resources (such as methodology and tools).
Engagement performance will also be threatened by specific risks relating to changes in standards and laws and regulations, which may attract different levels of risk at different times, depending on the nature and circumstances of the changes, the firm’s client base and the firm itself.
ISQM 1, as you would expect, includes many objectives and defined responses in connection with the resources we deploy in our firms. While there are familiar themes in the context of human resources, the objectives are somewhat broader and there are many areas where our response may need to be tailored more heavily than was previously the case. The more you look and think about this area, the further down the rabbit hole you can go, so audit firms need to be sensible and realistic with the level of granularity on the first pass.
Newly specified quality objectives connected with service providers and technological and intellectual resources need to be understood early, as they will affect the actions we take when we procure elements of our SOQM from third parties. For example, there are implications for procedures for: appraising providers, when procuring quality monitoring services; how procedures, methodology or technology solutions are evaluated; and even how component auditors are considered. While the purse strings are anchored in the governance and leadership component, the potential impact of a more granular approach to consideration of most of these components, and the potential impact on budgets, needs to be understood early.
Monitoring and remediation
There are a huge number of things to think about relating to this element of the SOQM. A key point firms will need to take on board is that file reviewing cannot be a quasi-detached activity – file reviewing exists as a response to the risks that have been identified and assessed relating to engagement performance. Cold file reviews will still be needed; however, firms may decide that proactive ‘in-flight’ reviewing is also an appropriate response, both to the particular objectives they have identified for themselves, and to the risks they have identified that threaten those objectives.
ISQM 1 introduces the concept of defined deficiencies. A deficiency occurs when:
- an objective, risk, or response that should be in the SOQM is not in the SOQM;
- an objective or response is in the SOQM, but it is not appropriately designed or implemented, or is ineffective; or
- a risk assessment is inappropriate.
Deficiencies must be included in a root cause analysis (RCA) exercise, to enable firms to work out what actually needs to be fixed and then go ahead and fix it.
Some deficiencies will be straightforward and obvious to identify, if not to fix. Others may be ‘deficiencies in aggregate’: some deficiencies become clear as a result of several different review findings that all point in the same direction.
For example, multiple instances of review findings relating to the audit of estimates might indicate a deficiency in the direction, supervision and review of others’ work, the training provided to staff, the tool that is being used, or all of those things, rather than being just one-off hiccups.
This will be challenging for many firms, but especially for those that have not previously performed RCA. So, it will be a good idea to start thinking at an early stage about how the RCA process might look in your firm, what procedures you might put in place and how they will be evidenced.
As with many aspects of your firm’s transition to the new and revised QM standards, the sooner you start assessing and preparing for the coming changes, the more smoothly your implementation is likely to go.
The standards for QM
New and revised standards for quality management are on the way.
In December 2020, the International Auditing and Assurance Standards Board (IAASB) issued:
- International Standard on Quality Management (ISQM) 1, Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements (ISQM 1), replacing ISQC 1;
- a new standard ISQM 2, Engagement Quality Reviews; and
- ISA 220 (Revised) Quality Management for an Audit of Financial Statements.
In July 2021, the UK local standard setter and regulator, the Financial Reporting Council (FRC) also issued new and revised QM standards: ISQM (UK) 1, ISQM (UK) 2 and a revised ISA (UK) 220.
All of the standards are effective for periods beginning on or after 15 December 2022, although the FRC is ‘strongly encouraging’ early adoption.
This article follows on from a faculty webinar, ‘Quality management in audit firms’, during which David Smith and Gill Spaul discussed the new and revised QM standards and how firms can be proactive in preparing for them. A recording of the webinar is available.