By Jim McFie, a fellow of ICPAK
The International Standard on Quality Control 1 (ISQC1), Quality Control for firms that perform audits
and reviews of financial statements, and other assurance and related services engagements, has been in effect since December 15, 2009, and has required firms to establish and record quality control policies and procedures regarding audit and assurance work. It was promulgated by the International Auditing and Assurance Standards Board (IAASB). In 2013, IAASB saw a need to revise the quality management standards:ISQC 1 and International Standard on Auditing 220 (ISA 220), Quality Control for an Audit of Financial Statements.
IAASB realized that there was a need to improve firm governance including the culture of the firm and the tone at the top, a need to address the emergence of new trends (for example how firms communicate with stakeholders), a need to deal with concerns about firms placing undue reliance on what they get from their network firms, a need to deal with challenges experienced by smaller firms in applying the standards, and finally a need to strengthen the engagement partner’s responsibilities and improve the robustness of a number of aspects of engagement quality control reviews.
The new standards, International Standard on Quality Management (ISQM) 1, Quality Management forFirms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements, International Standard on Quality Management (ISQM) 2, Engagement Quality Reviews, and International Standard on Auditing (ISA) 220 (Revised), Quality Management for an Audit of Financial Statements were published by IAASB in December 2022.
ISQM 2 and ISA 220 (Revised) are both effective for audits of financial statements for periods beginning on or after December 15, 2022: hence, both of these standards will not come into force until audits of financial statements for the year ended 31 December 2023 or later: in keeping with our well-known Kenyatraditions, let us not consider something today when it can be considered one year later in December2023. But systems of quality management in compliance with ISQM 1 are required to be designed and implemented by December 15, 2022: so firms which carry out audits in Kenya should be working on implementing the requirements of ISQM 1 immediately.
However, the evaluation of the system of quality management required by paragraphs 53–54 of ISQM 1 is required to be performed within one year following December 15, 2022: paragraph 53 states: “the individual(s) assigned ultimate responsibility and accountability for the system of quality management shall evaluate, on behalf of the firm, the system of quality management. The evaluation shall be undertaken as of a point in time, and performed at least annually”; paragraph 54 states: “Based on the
evaluation, the individual(s) assigned ultimate responsibility and accountability for the system of quality management shall conclude, on behalf of the firm, one of the following:
(a) The system of quality management provides the firm with reasonable assurance that the objectives
of the system of quality management are being achieved;
(b) Except for matters related to identified deficiencies that have a severe but not pervasive effect on the design, implementation and operation of the system of quality management, the system of quality management provides the firm with reasonable assurance that the objectives of the system of quality
management are being achieved; or
(c) The system of quality management does not provide the firm with reasonable assurance that the objectives of the system of quality management are being achieved”.
ISQC 1 required audit firms to implement a system of quality control that included policies and procedures addressing each of the following elements:
(i) leadership responsibilities for quality within the firm;
(ii) ethical requirements;
(iii) the acceptance and continuance of client relationships and specific engagements;
(iv) human resources; engagement performance; and monitoring.
Weaknesses in a firm’s quality control procedures over audit and regulatory work would often
result in the firm’s failure to achieve a satisfactory outcome to an audit monitoring visit. The guide was written to encourage firms to improve their quality control procedures so that they were more likely to consistently achieve a satisfactory standard in their audit and assurance work, and comply with the
ethical requirements.
The requirements of the new ISQM 1 standard are extensive and represent a significant change from ISQC1. The key requirements of ISQM 1 include:
(i) a more proactive and tailored approach to managing quality, focused on achieving quality objectives through identifying risks to those objectives, and responding to the risks: the introduction of a risk assessment process; the risk assessment is the starting point to begin preparations for the new standard: every firm will identify different risks, so it is likely that under ISQM 1 audit firms will end up designing many more divergent systems of quality management than are seen under ISQC 1;
(ii) enhanced requirements to address firm governance and leadership, including increased leadership
responsibilities;
(iii) a new emphasis on quality management;
(iv) references to audit automation, including audit software and data analytics;
(v) specific references to service providers, such as the training groups and publishers that design and supply audit methodologies;
(vi) changes to monitoring and remediation, including a specific requirement to use root cause analysis;
(vii) documentation requirements;
(viii) new requirements addressing information and communication including communication with external parties; and
(ix) enhanced requirements for monitoring and remediation to promote more proactive monitoring
as a whole, and effective and timely remediation of deficiencies.
ISQM 1 applies to all firms performing audits or reviews of financial statements, or other assurance or related services engagements. If the firm performs any of these engagements, ISQM 1 applies. ISQM 1 requires the firm to establish a quality objective that “The firm demonstrates a commitment to quality through a culture that exists throughout the firm.”
The requirements of the new ISQM 1 standard are extensive and represent a significant change from ISQC 1.The key requirements of ISQM 1 include: (i) a more proactive and tailored approach to managingquality, focused on achieving quality objectives through identifying risks to those objectives,and responding to the risks: the introduction of a risk assessment process; the risk assessment is the starting point to begin preparations for the new standard: every firm will identify different risks, so it is likely that under ISQM 1 audit firms will end up designing many more divergent systems of quality management than are seen under ISQC 1;
It further addresses the need for the culture to recognize and reinforce “the importance of quality
in the firm’s strategic decisions and actions, including the firm’s financial and operational priorities.” Accordingly, the firm’s strategy, decisions, goals, and resource management need to reflect acommitment to quality. For ISQM 1, the objective of the firm in managing quality is to design, implement and operate a system of quality management (SOQM). The SOQM must have a purpose.
The purpose is important for designing the SOQM and determining whether the SOQM is effective (i.e.,
whether it achieves its purpose): the objective of the SOQM is to provide the firm with reasonable assurance that:
(i) the firm and its personnel fulfill their responsibilities in accordance with professional standards and applicable legal and regulatory requirements, and conduct engagements in accordance with such standards and requirements; and
(ii) engagement reports issued by the firm or engagement partners are appropriate in the circumstances. A firm may take a phased approach to implementing ISQM 1, building up to the effective date: this may entail designing and implementing policies or procedures for certain components and commencing the operation of those policies or procedures at various stages before the effective date.
In this case, the firm would establish its own effective date for each of the policies or procedures. This approach may lessen the impact of many changes all at once. Although the firm would have implemented policies or procedures before the effective date, the firm would not be considered as “early adopting” ISQM 1 because only a portion of the new SOQM has been implemented.
Alternatively, the firm may commence operation of all the new and revised policies or procedures
on December 15, 2022. The firm may pilot or test the new SOQM prior to the effective date. The pilot, or testing, maybe on certain areas of the SOQM, or by a selection of engagements teams. The SOQM would not be considered to be in operation until the firm has formally implemented and commenced operation
of the new SOQM in its entirety.
ISQC 1 included six elements for which the firm needed to design policies and procedures. ISQM 1 has eight components. The components in ISQM 1 are aligned to the elements in extant ISQC 1 and include
two new components:
(i) The firm’s risk assessment process; and
(ii) Information and communication.
ISQM 1 enables an integrated and iterative process to manage the quality of the firm’s engagements: it is aimed at comprehensively and actively managing risks to quality through greater accountability; improved focus on leadership and culture; and continuous improvement through a required monitoring and remediation feedback loop. The new requirements reinforce the firm leadership’s responsibility of
ensuring that the system operates efficiently and effectively.
ISQM 1 requires more rigorous monitoring of the system, understanding the root causes of deficiencies and swift remediation of those deficiencies.
If you run an audit firm, be sure to spend the next few weeks implementing ISQM 1
