The evolving role of quality control in audit

Feb 10, 2020
Changes to quality control systems and regulation require some getting used to, but let us not forget their primary goal – to help firms complete good quality audits effectively, writes Lisa Campbell.

Most accountants know that having a sound quality control system is a good idea, but people often think in terms of the various systems that feed into the quality of products and/or financial statements. A good quality control system is essential in a professional services environment as well. So, in relation to an audit firm, what does a quality control system mean and how does it interact with the regulation of the firm?

What is quality control in an audit firm?

The purpose of a quality control system in an audit firm is to ensure that the firm has the capacity, capability and resources required to carry out its audit engagements effectively and consistently. ISQC (Ireland) 1 applies to all audit firms in Ireland, from sole practitioners to the largest firms. It sets out requirements for all firms to implement policies and procedures covering all aspects of carrying out a proper and independent audit, from hiring and training to methodology, remuneration, accepting an audit engagement, ethics and the tone at the top of the firm.

Firms are responsible for ensuring that the people employed to carry out audits, from the most junior to the most senior, are suitably qualified, trained and are aware of – and complying with – ethical requirements. The leaders in the firm are required to ensure that their communications have enough focus on quality, aiming to ensure a robust culture of performing quality audits and not tolerating anything less than that.

The standard also requires firms to implement their own monitoring systems to ensure that the relevant requirements are complied with, and to action failure to do so. Furthermore, firms are required to have documented evidence of the operation of each element of its system of quality control, including whether the firm has competent personnel, time and resources; any threats to independence; and whether the firm complies with the relevant independence and objectivity requirements.

How does it interact with regulation?

All audit firms in Ireland, and many places across the globe, are subject to what is known as a quality assurance review (sometimes also known as an audit inspection). In Ireland, this may be done by an accountancy body or directly by IAASA. Regardless of which organisation carries out the quality assurance review, the review is split into an assessment of the firm’s quality control system, supported by the analysis of a sample of the audits completed by the firm. The inspector will review policies and procedures and assess if they appear to be appropriate given the size and complexity of the firm. The proof of the pudding, however, is in the eating, so a sample of audits are reviewed to assess whether the policies and procedures have resulted in good quality audits.

Where poor quality is identified as part of an inspection or review and hasn’t been caught in advance by the firm, the firm needs to ask itself whether there was an issue with the design or implementation of their quality control systems – or both. Was it a case of an isolated incident of an audit team failing to comply with good policies? Is it a pervasive issue that might indicate a firm culture of ignoring policies? Was it a lack of policy or an unclear policy? Could another policy have been implemented that would either have prevented or detected the problem? Do the policies contain enough incentive and/or sanction to encourage a continuous focus on quality?

Future of quality control

Most people are aware that the best control processes will prevent an issue arising in the first place (preventative control) rather than catch a problem after the fact (detective control); and that a good quality control system is not something that is designed once and left in place forever. It needs to be part of a continuous cycle of design, implement, assess, tweak the design, implement, assess etc. It evolves in a constant feedback loop, taking inputs from internal reviews, external reviews, experiences of peers, global developments and technology developments. And that is, really, the basis for proposed changes to the international standard on quality control, which will ultimately be adopted in many countries around the globe, including Ireland. The new international standard is expected to be finalised in 2020.

The standard has been updated to think in a different way about quality control and to underpin the need for firms to proactively manage quality to prevent issues arising, rather than just react to control quality issues that do arise. The existing standard has a list of policies and procedures that must be developed and implemented by firms, whereas the new standard requires a much more integrated process and a more bespoke system customised by firms to address the risks that may impact on that particular firm’s engagement quality, specific to the nature of that particular firm and its audit clients. This fundamental shift in thinking is even reflected in the name of the standard, which is changing from “international standard on quality control” to “international standard on quality management”. In addition to the components of quality control dealt with in the existing standard, the new standard introduces some other elements, looking at the firm’s risk assessment process as well as information and communication.

This shift in thinking may appear subtle on the face of it. However, firms are going to be required to rethink their entire systems of control and ensure that they are mapped to the standard. The US regulator, the Public Company Accounting Oversight Board (PCAOB) announced in December 2019 that it is also considering the standards on quality control in place in the US, which is something that needs to be considered by the many firms in Ireland that carry out work on any part of a US group of companies. PCAOB has stated that it intends to use the international standard as a starting point in developing its standard, which is good news for many firms as it should allow them to comply with both standards easily should they need to.

So, what will this change mean for regulation? The changes will require regulators, to the extent that they don’t already do so, to become part of the feedback loop for firms. IAASA’s inspection approach already reflects this, whereby we look at the design of controls and do some sample testing to ensure that the controls are in place. For example, we look at communications issued by the firm’s leadership to ensure that there is enough focus on quality in those communications. This test may look okay, but then, when audits are inspected, we find poor quality. If this happens, we then reconsider the tone at the top testing and consider whether, while the control might be operating as designed, is it effective enough and should we recommend changes to firms to make the control more effective? The future for quality control is, therefore, a more interlinked and integrated approach with firms needing to integrate their internal reviews, external reviews and other feedback into a continuous loop of tweaking their systems – all the while remembering the ultimate aim, which is to get consistently good quality audits completed effectively.
Lisa Campbell FCA is Head of Operations at the Irish Auditing & Accounting Supervisory Authority.