Quality management ISQM 1
COVID-19 has already prompted adjustments to audit firms’ procedures. Now getting ready for ISQM 1 in December 2022 will mean more big changes for some small firms. John Selwood looks at what’s coming, including risk assessment, quality management, root cause analysis and implementation of the new standards.
There are three priorities for auditors today: quality; quality; and quality. COVID-19 has created significant challenges for audit firms, with remote working, higher audit risk and some difficult accounting issues to struggle with. At the same time, there have been major changes to some International Standards on Auditing (ISAs); namely ISA 540 on accounting estimates, as well as UK-specific changes in ISA (UK) 570 on going concern, and ISA (UK) 700 on audit reports for UK audits; further important changes to ISAs are coming soon.
From my discussions with auditors over the past year or so, it is clear that most audit firms have made big changes to their whole-firm quality procedures as a result of the pandemic and new ISAs. But more change will be needed in the future, as there are new quality management (QM) standards coming (see right). Also, recent changes would have been made using whole-firm procedures designed to comply with the extant International Standard on Quality Control 1 Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related Services Engagements (ISQC1).
The procedures that firms have been paying particular attention to over the past year or more, because of COVID-19 and the new ISAs, include:
More robust second partner review and technical review procedures: some audit firms have required second partner reviews or reviews performed by the technical department on all audits. Other firms, usually because they determined lower audit risks, have implemented more selective second partner review procedures. ‘Second partner review’ is a commonly used term, but it means different things to different firms. Some firms are very prescriptive about the content of the review, perhaps using an in-house developed checklist. Confusingly, however, in some firms ‘second partner’ reviews do not necessarily need to be done by partners. For example, some firms have implemented second reviews for all responsible individuals (RIs), with ‘second RI’ reviews. Many firms have implemented more rigorous cold file review procedures.
More consultation: many audit firms have refined the circumstances under which audit teams have to consult, either with second partners or the technical team.
Audit procedures and standard working papers: for periods commencing on or after 15 December 2019, changes to ISA 540 and, for UK audits also, ISAs (UK) 700 and 570 would have required all auditors to rewrite important elements of their audit methodology.
CPD training: the impact of COVID-19 and revised ISAs has increased training needs, at the same time that face-to-face training, the most common delivery method for most audit firms, has had to stop. Firms have successfully moved the training online, but this has required a change of approach.
I think it is worth noting that audit firms have had to independently adapt their quality procedures to address the issues they have been facing in relation to COVID-19. This is not usual practice. In the past, there was a tendency for audit firms to effectively outsource the design of these procedures, by buying in an audit methodology from a training group or publisher and not adequately tailoring these to the firm’s specific circumstances. Whole-firm procedures can sometimes be treated as if ‘one-size-fits-all’ and the COVID-19 crisis has demonstrated very well that it does not.
The process of independently adapting their quality procedures, over the past year or so, will be good practice for firms and their preparations for the demanding new QM standards.
Moving from ISQC to ISQM
The new QM standards (issued by the International Auditing and Assurance Standards Board and being proposed by the FRC in the UK), introduce a new QM approach that is focused on proactively identifying and responding to risks to quality. The key to complying with these standards will be for audit firms to perform their own risk assessment, to ensure that their QM system is designed specifically to address these risks.
The standards comprise:
- International Standard on Quality Management 1 Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements (ISQM 1);
- ISQM 2 Engagement Quality Reviews; and
- a revised ISA 220 Quality Management for an Audit of Financial Statements.
ISQM 1 replaces ISQC 1. ISQM 2 is a new standard setting out the appointment and eligibility of the engagement quality reviewer and the engagement quality reviewer’s responsibilities relating to the performance and documentation of an engagement quality review (EQR). This EQR is not something entirely new: it was previously the engagement quality control review (EQCR) in ISQC 1 and in ISA 220 (before the latest revisions).
In line with the international standards, the FRC proposes that the QM standards in the UK will apply from 15 December 2022. This means that the systems of quality management are required to be designed and implemented by this date.
A brief overview
The requirements of the new ISQM 1 standard are extensive and represent a very significant change from ISQC 1. This article does not intend to cover all aspects of the standard, but instead look at big picture issues, to help audit firms plan for the coming changes.
Briefly, the key requirements of ISQM 1 include:
- the introduction of a risk assessment process;
- a new emphasis on quality management;
- references to audit automation, including audit software and data analytics;
- specific references to service providers, such as the training groups and publishers that design and supply audit methodologies;
- changes to monitoring and remediation, including a specific requirement to use root cause analysis; and
- documentation requirements.
ISQM 2 extends the requirements in relation to EQRs. These requirements would apply to audits of listed entities, Public Interest Entities (PIEs), when required by law or regulation, public reporting under UK Standards for Investment Reporting (SIRS), reporting to the UK Financial Conduct Authority on compliance with CASS (or the ‘Client Assets Sourcebook’), and when otherwise determined by the firm as being necessary to address quality risk.
There will be plenty for firms to think about going forward (see Quality Management Highlights, opposite) and less time to get ready than a December 2022 implementation deadline may seem to indicate.
ICAEW is developing resources to assist firms, such as the recent QM webinar (available as a recording at icaew.com/aafwebinars). As always, of course, the best way to understand any auditing standard is to read it yourself and this will be vital for audit compliance partners or anybody involved in or responsible for designing, implementing and operating an audit firm’s system of quality management.
QUALITY MANAGEMENT HIGHLIGHTS
The requirements of the new QM standards are too extensive for all significant changes to be covered here. The following three aspects of ISQM 1 do, however, merit particular consideration.
Risk assessment and design of quality management systems
The risk assessment is the starting point to begin preparations for the new standards. Larger firms will have already started the process of identifying where the audit quality risks are for their firm.
I imagine that many smaller firms might be waiting for the training group or publisher that provides their audit methodology to address this. I happen to know that the major providers are working hard on this, but, as I mentioned earlier, these service providers cannot do the risk assessment for the firm. Also, every firm will identify different risks, so it is likely that under ISQM 1 audit firms will end up designing many more divergent systems of quality management than are seen under ISQC 1.
In other words, ISQM 1 does not specify what an audit firm’s quality management system looks like. Instead, it sets out how a firm should design a system that is appropriate for them. It seems likely that service providers will follow suit and become much more active in helping their customers to design a system that is right for their particular firm.
Root cause analysis
One of the other major changes is the requirement to use root cause analysis (RCA) as part of the firm’s quality remediation processes. I hope that all auditors are already familiar with the concept, benefits and operation of RCA, as it has been encouraged within the audit profession for a few years now.
ISQM 1 sets out little detail on RCA. What is interesting to me is that there does not appear to be strong consensus on the practicalities of how RCA will be done. I think this raises some important questions:
- Should RCA be done at the same time as the cold file review?
- Should RCA be done by the cold file reviewer?
- How much additional time resource is needed for RCA?
Inevitably, firms will take different approaches. Indeed, what is right for one firm may not be right for another. In any event, audit firms will need to start planning their approach to meeting this ISQM 1 requirement and managing the associated issues.
In the UK, the FRC is proposing to ‘strongly encourage’ early adoption.
Realistically, early adoption is only likely to be possible for the most organised of audit firms or on a partial basis. Perhaps a more important consideration than if, when or whether to aim for early adoption, is whether all audit firms will be ready to implement the requirements of the standards by the December 2022 deadline. The risk assessment, designing of responses to identified risks, documentation and perhaps trialling of new systems is likely to be time consuming, if it is to be done properly.