Audit firms all have quality control manuals with policies and procedures to address quality on audits and other engagements. These policies and procedures are required by the International Standard on Quality Control 1 (ISQC 1), Quality control for firms that perform audits and reviews of financial statements, and other assurance and related service engagements.
In December 2020, the final pronouncement of the replacement to ISQC 1 was approved.
The new standard is called the International Standard on Quality Management 1 (ISQM 1), Quality management for firms that perform audits or reviews of financial statements, or other assurance or related services engagements.
The focus in this standard has therefore changed from merely controlling quality to a more pro-active management of the quality in the firm and the engagements that the firm performs.
What has remained relevant, is that this standard is not only applicable to firms performing audits of financial statements, but also to any firm performing
- Independent reviews in terms of ISRE 2000 – 2699,
- Assurance engagements other than audits or reviews of historical information (ISAE 3000 – 3699), typically including audits of trust accounts or prospective information, and
- Related services (ISRS 4000 – 4699), which include agreed-upon procedures (or factual findings engagements) and compilation engagements.
The new standard requires firms to follow a risk-based approach to managing quality through a three-step approach which requires a firm to:
- Establish quality objectives
- Identify and assess quality risks
- Design and implement responses to the quality risks, typically through policies and procedures
This is all achieved through the firm’s risk assessment process, akin to the risk assessment process that auditors typically expect their clients to follow as part of their system of internal control.
The benefit of following a risk-based approach is that the system for quality management will be fit-for-purpose because the firm’s policies and procedures will be aligned to the potential risks of achieving quality in the specific firm and the types of engagements that the firm performs. A big firm that audits listed companies’ financial statements will have a more formal system will lots of policies and procedures, while a small firm, that only performs compilations will have very few quality risks (resulting in less policies and procedures to respond to those quality risks).
The work required to design and implement this system of quality management should not be underestimated – the standard prescribes several quality objectives and each firm will have to assess whether there are any other quality objectives before performing the risk assessment and designing the appropriate responses.
The deadline of implementing ISQM 1 is fast approaching, when firms consider all that must be done before then. By 15 December 2022 firms have to complete the following:
- Establish the firm’s quality objectives
- Identify and assess the quality risks
- Design and implement responses to the assessed risks
- Design and implement monitoring activities
Thereafter, from 15 December 2022, firms must ensure that their designed responses to quality risks are operational. Monitoring activities must also commence from this date.
Lastly firms must also start thinking how the individual assigned ultimate responsibility and accountability for the system (typically the CEO or managing partner of the firm) will evaluate the system of quality management and conclude whether the system provides the firm with reasonable assurance that the objectives of the quality system are achieved. This evaluation must be completed by 15 December 2023.
The requirements of the standard may seem somewhat intimidating and it is definitely a new way of addressing quality in firms. Thankfully there are lots of examples included in the application material of the standard and even a first-time implementation guide!
Best you start early and involve all role players in this new process of quality management so as to give yourselves as much time as possible to implement this new standard (and the new system of quality management).