The International Standard on Quality Management (ISQM) 1 is intended to be fully scalable from the smallest firm to the largest. That sounds good on paper, but what does it mean in reality? Scalability works in all directions – some firms may need to scale up, while others may find it appropriate to scale back. This article focuses mainly on opportunities for smaller firms with low complexity to scale the ISQM approach to fit their nature and circumstances.
What does my firm need to know?
Objectives: ISQM 1 includes several mandatory quality objectives, which firms are required to adopt.
For firms with low complexity and flat structures, objectives around, for example, the firm’s organisational structure and the assignment of roles, responsibilities and authority may not need to be very involved. Similarly, for sole practitioners or firms with only one or two audit staff, objectives relating to human resources are unlikely to be very complex.
Firms that are not members of networks will not have to consider objectives relating to network resources or requirements, nor will they have to frame objectives about information exchange within networks. Firms that never participate in group audits are unlikely to need any objectives that envisage cooperating with component or group auditors, and so on.
Risk identification and assessment: this is also scalable. When considering what risks might exist to threaten the firm’s quality objectives, firms with straightforward objectives may be able to identify broad overarching risks in key categories without needing any more granularity. Firms with low complexity and flat structures may also find that the variation in risk assessments for risks that impact more than one objective is small (or non-existent), whereas larger, more complex firms may find that there is actually a noticeable difference in the assessment of identified risks, depending on which objective is being considered.
For example, where a firm has few staff, competency risk may have a similar impact and likelihood across the board, but for a large firm with many levels of staff, competency risk may have less significance at a junior level, but much more significance at manager level and above.
Responses: firms will need to demonstrate they have crafted responses to address their identified risks.
In the real world, firms will already have policies and procedures that are compliant with the quality control standard ISQC 1 and these may mitigate most of the identified and assessed risks. However, it is important to remember that the risks are the ‘horse’ and the responses are the ‘cart’, not the other way round.
The components of an ISQM-compliant system of quality management (SoQM) are not identical to the components of an ISQC 1-compliant system of quality control, so there will need to be new responses to address the risks that have been identified and assessed in relation to objectives within those new components. Nevertheless, it is possible that adjusting, repurposing or expanding existing procedures might mitigate the identified risks. It all depends on the nature and circumstances of the firm, and what was in place already.
For firms with low complexity and consequentially straightforward objectives and risks, the necessary responses are likely to reflect that lack of complexity.
If a firm with low complexity currently has procedures that exist because they have always existed and which genuinely do not mitigate any quality risks that can be envisaged, then those procedures may not be needed. However, this is an area where care is needed, so beware.
The existence of established procedures that do not address identified risks might indicate that there is a problem with the risk assessment.
It is important to remember that the risk assessment process as a whole is not a one-off exercise and it is also not linear. It must be iterative.
A firm’s nature and circumstances can change (for example, personnel can come and go, new clients can be obtained) and external events and conditions can also have an impact. This may result in changes to objectives, the identification of new risks or the reassessment of old ones and the possibility of new or amended responses to mitigate those risks. Other drivers that could cause a rethink include the results of internal or regulatory monitoring.
How does my firm get started?
Third party resources: these will play a valuable role, but firms cannot simply deploy an ‘off-the-shelf’ solution with no extra work required.
Many firms of all sizes and levels of complexity will no doubt be waiting for service providers to publish manuals and documentation for their ISQM 1 implementation. Unlike with ISQC 1, it won’t be possible for these service providers to supply a ready-to-use set of objectives, risks and responses because ISQM 1 requires that these are tailored to a firm’s own circumstances. If this applies to you, it means you will have to consider your firm’s particular risks and ensure you have appropriate responses in place.
Risk identification and assessment: a very good place for firms to start might be a risk identification and assessment workshop.
This workshop is likely to look very different, depending on the size and complexity of the firm. In a firm that is not complex, there may be limited people involved in the audit process so it may make sense to involve all of those, from junior to Responsible Individual (RI).
In a more complex firm, with technical departments and a significant number of RIs, this process might be assigned to those in senior positions. Equally, in a firm with low complexity, it may be felt that one individual has sufficient knowledge of the processes and procedures, and the firm and its engagements to undertake risk identification and assessment alone (although that concentration of responsibility could, in itself, give rise to quality risks and key person risks).
Start by reminding those attending what your quality objectives are and then ask everyone to think about what could go wrong that would mean these objectives weren’t met. Note down the risks identified.
Now you need to get into more detail, so provide everyone present with a list of the factors that must be considered in the firm’s risk assessment. A risk assessment template might be provided by your service provider, in which case you can go through the points within it to prompt the identification of further risks. If not, go through the list of items in paragraph 25 of ISQM 1. Hopefully this will have identified some more risks, so note these down.
Finally, you need to cross check your list of risks with any suggestions provided by the service provider to see if you have forgotten anything.
Once you are happy that you have identified your risks, you need to assess them. Given that the purpose of the assessment is to help you work out what level of mitigation is required, you may wish to assess for both significance and likelihood.
Once you have performed the assessment, you will be able to consider which of the suggested responses provided by your service provider’s solution might do the job, either singly or in combination, and whether you need to amend, expand or otherwise tailor the suggestion.
If you have risks not identified by your service provider, then you will need to think of an appropriate response and document both the risk and response. In other cases, you may find the service provider has an appropriate risk, but the response is not what you want or need to implement, so you will need to edit what is in the material your service provider has supplied.
It may be tempting to first just look at the service provider’s list of risks and responses and check that they look sensible, but the danger here is that you let the cart drive the horse. You need to start from your objectives (which can, of course, be informed by suggestions from your service provider) and then go on from there.
Documentation and scalability: ISQM 1 requires firms to document their SoQM. Because the SoQM has to be specific to your firm, so must its documentation.
It may be helpful for firms to consider three main areas: what must be included in their documentation, in how much detail, and the extent to which existing resources may be useful.
What needs to be included?
ISQM 1 sets out quite a long list of what must be included.
Some of these are factual: for example, who has ultimate responsibility for the SoQM; the firm’s quality objectives, risks and responses; evidence of monitoring; and details about audit clients, such as name, address, key audit partner(s) and fees.
Some will require more thought, such as: root cause analysis of deficiencies; evaluating the design and implementation of remedial actions (ie, why do you think they will address the issues?); threats to independence and safeguards applied; and how your risk responses address the quality risks. On this latter point, for example, ISQM 1 says that you might think about how often you expect the risk to occur and how it might stop you achieving the quality objectives.
How much detail is needed?
It is not necessary to document every matter considered, or every judgement made about the firm’s SoQM. Nor is it necessary to document the consideration of every condition, event, circumstance, action or inaction for each quality objective, or each risk that may give rise to a quality risk.
However, the documentation collectively does need to provide sufficient details to enable its users to understand the SoQM. In particular, people need to understand their roles and responsibilities within the different processes. It’s also important that the firm retains organisational knowledge when specific staff move on.
The documentation also needs to describe the responses in sufficient detail for them to be consistently implemented and operated, and so that whoever is ultimately responsible for the SoQM can conclude whether it’s achieving its objectives. For example, if providing regular update training is a response to a quality risk, there should be an agreed training plan, a specific person or people identified to organise and deliver it, and a record of the content and who attended (and, if an external service provider is used, an evaluation will be needed).
Can existing resources be used?
It’s important to note that ‘documentation’ doesn’t just mean manuals or checklists. Continuing with the training example above, email exchanges between the firm and the training provider may give sufficient documentary evidence about the plan and content, together with a copy of slides used to deliver the course.
ISQM 1 also notes that information held, for example, on websites or intranets can count as ‘documentation’. You’ll just need to take care that such information is retained for an appropriate length of time.
Equally, some documentation may be provided by your network or a service provider (for example, if you buy in an audit manual or outsource your cold file reviews or root cause analysis).
Preparation is key
For the avoidance of doubt, one particular point merits restating. While it may be tempting to simply take ‘off-the-shelf’ solutions from service providers and believe that this is ‘job done’, this is unlikely to enable a firm to comply with the requirements of ISQM 1, given its focus on the nature and circumstances of each firm.
Our key message would be to start thinking now about your ISQM 1 preparations. Even for the least complex audit firm, this is not going to be a 10-minute job.
Don’t be daunted
The International Standard on Quality Management (ISQM) 1 shifts the emphasis from a reactive, procedures-based approach to a proactive, risk-based approach. This may seem daunting, but ISQM 1 is designed to be scalable.
One of the most powerful concepts in ISQM 1 is that everything in a firm’s system of quality management (SoQM) should reflect the firm’s own nature and circumstances, and those of its engagements, any events and conditions that might be occurring in the firm’s broader environment, and also any actions or inactions the firm may or may not have taken.
This implies a bespoke Savile Row approach, rather than an off-the-peg approach. It also bakes in the expectation that firms will scale their QM endeavours to fit their circumstances.
Messaging in the standard is clear.
Some larger, more complex firms, or firms with circumstances that impact on their quality objectives (such as expansion as a result of merger or acquisition), may need to expand the mandatory objectives or provide more granularity. Completely new objectives may also need to be added.
It is, however, less likely that smaller (less complex) firms will need to expand the mandatory objectives, although additional granularity might be useful.
About the authors
Julia Penny, Director, JS Penny Consulting
Matt Howells, member of the faculty’s Technical and Practical Auditing Committee and Technical Partner, Smith & Williamson
Jon Baillie, Partner, James Cowper Kreston