Question corner

There is a lot of change on the horizon for audit firms over the coming months, as December 2022 deadlines approach. Implementing the new and updated International Standards on Quality Management (ISQM), the revised risk ISA (315) and the revised UK fraud standard (240) will require significant resources from firms, and compliance will mean not just changes to systems and processes, but mindset change for many individual auditors.

I have read ISQM 1, related guidance from the International Auditing and Assurance Standards Board (IAASB), and attended the faculty’s webinars. I realise that to address the requirements of the standard I may need some help in the form of a tool. Would you recommend that I use one of the commercially available ISQM 1 tools, and if so which one?

In my opinion, using a preparatory tool to help with implementing ISQM 1 is a good idea. Even quite large firms are doing so. Predictably, I can’t recommend third party products in Audit & Beyond, but, even if I could, I wouldn’t.

The commercially available products, from different providers, are all very different and provide different types of assistance. Some will give your firm leeway to go its own way, others will do more to direct you. I can’t tell you which of the available options is going to best meet the needs of your firm.

You will need to be proactive in making this decision – and addressing the requirements of the standard.

ISQM 1 requires each audit firm to design, implement and operate a system of quality management to manage their engagement quality. Firms are required to:

• establish quality objectives;
• identify and assess the risks that could threaten the achievement of those objectives; and
• design and implement (then eventually evaluate and improve, if necessary) responses to mitigate those risks.

There is a shift to proactivity in terms of taking a risk-based approach to managing quality and to tailoring the firm’s system of quality management (SoQM). Your firm needs to consider its nature and circumstances, its clients and staff, and identify what particular risks might impact you and your firm.

You’ll also need to be proactive in determining which commercially available product to use to assist with implementation. You will need to look at what’s available and you will need to decide what’s best for your firm.

How much resource (mostly time) should I be dedicating to addressing the requirements of ISQM 1?

Obviously, the answer to this question will depend on the audit firm and even then, this is a ‘how long is a piece of string’ question. In short, the string is probably longer than you think it is.

Carrying out a risk assessment and then devising appropriate responses is not straightforward and will take time to do properly. However, all of the firms that I know that have already done this have found it a very useful exercise. Even firms that already had good quality systems found that they better understood why things were designed the way they were. Some audit firms have been able to make very significant improvements to how they do things.

In other words, the work to comply with ISQM 1 takes time, but is worth it.

This said, time to prepare is fast disappearing. Both international and UK versions of ISQM 1 are effective from 15 December 2022, meaning that an ISQM 1 compliant system of quality management needs to be designed and implemented by that date. It is also worth noting that ISQM 2 and the revised ISA 220 are effective for audits of financial statements for periods beginning on or after 15 December 2022.

QM RESOURCES

To assist firms on their QM journey, the faculty has created and collated specialist resources at a ‘Quality management in audit firms’ hub.

It introduces the new QM standards and covers matters such as:

• ISQM 1 implementation;
• quality risk assessments;
• QM and resources obtained from service providers;
• the ‘people factor’ in your tailored approach to QM;
• QM benefits for smaller firms; and
• links to external resources from trusted sources such as the IAASB.

How big an impact will the revisions in ISA 315 and ISA (UK) 240 have when they are implemented?

ISA 315 Revised Identifying and Assessing the Risks of Material Misstatement and ISA (UK) 240 Revised The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements are effective for periods beginning on or after 15 December 2021.

The extent to which the revisions will impact on a particular audit firm will depend upon how well prepared the firm is for the changes. Auditors already doing very good work on risk assessments and auditing for fraud will notice less change than those doing a less good job. But this is not the only factor.

The significance of the revisions in these standards has prompted some firms (and maybe more importantly, service providers) to overhaul other aspects of their audit approach, at the same time. This can make it appear as if these revised ISAs have created more change than they have. Indeed, one very popular proprietary audit system has chosen this moment to overhaul its file referencing system.

I am sometimes accused of spreading alarm and despondency when I warn of significant change ahead. That is not my intention. I am hoping that if auditors appreciate the magnitude of the changes for December 2022 year ends, they will put in place plans to be properly prepared.

The renewed focus on a good risk assessment and auditing for fraud should bring noticeable benefits in audit quality for many audit firms.

Revised ISA 315 has new requirements relating to the understanding of IT controls. How much needs to be done? Should we be engaging more with IT specialists?

I think this is an ISA revision that the audit profession might struggle with for some time. Space does not permit me to set out an A to Z on IT controls here, but I can briefly highlight some key considerations for auditors.

In short, there is a great deal more on the IT environment in the revised ISA 315, particularly IT general controls. Auditors will have to gain an understanding of information-processing activities and identify risks arising from the use of IT. They will also need to understand the entity’s general IT controls that address such risks, including risks arising from use of IT applications.

Auditors therefore need to:

• identify all relevant IT applications;
• understand what they do and how they operate;
• understand the general IT environment that they operate in;
• assess related risks; and
• devise appropriate responses.

The key issue is, how far should auditors go? The answer is, far enough to properly assess inherent risk and (if necessary) control risk. This will require good judgement on the part of the auditor. Remember, the auditors’ objective is to identify the risks of material misstatement in the financial statements, not weaknesses in the IT system, per se.

The use of IT specialists is an interesting issue. On the largest audits (usually with the most complex IT systems), this is already happening, but it shouldn’t be necessary on most audits. After all, audits are done by auditors and what is described above is still directed at an audit of historic financial statements. It is not the audit of an IT system.

Nonetheless, when considering whether to use IT specialists, this requires an assessment of the complexity of the IT systems and whether the audit team has the necessary skills to address that complexity.

What should I be doing to prepare for revised ISA 315 and ISA (UK) 240?

I have addressed this question more fully in previous Q&As in Audit & Beyond (see tinyurl.com/AB-July22 on ISA 315, tinyurl.com/AB-June22 on the UK’s ISA 240, and tinyurl.com/AB-April22 on both ISAs). What I would like to add is that there needs to be a particular focus on training audit teams.

Typical lecturing on the subject in webinars or face to face is fine, but the subjects of risk assessment and auditing for fraud seem to be well suited to more interactive training. The use of practical case studies and discussion groups work particularly well to help auditors better understand the issues.