The IAASB’s new quality management standards represent a fundamental shift in focus for auditors and firms must act now to prepare for the fast-approaching compliance deadline, writes Noreen O’Halloran.
The suite of quality management standards released by the International Auditing and Assurance Standards Board (IAASB) will have a major impact on all audit firms, regardless of size, and now is the time to start getting your house in order.
Effective from December of this year, these standards include a revised International Standard on Auditing – ISA 220 (revised) Quality Control for an Audit of Financial Statements and two new International Standard on Quality Management.
These are ISQM 1 Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements; and ISQM 2 Engagement Quality Reviews.
Practitioners are required by these standards to have necessary systems designed and implemented by 15 December 2022, with the monitoring reviews performed within one year of this date.
Irish standards align
The Irish Auditing and Accounting Supervisory Authority (IAASA) has released revised quality management standards aligned with those released by IAASB.
By releasing new standards, the IAASB is addressing the need for the audit profession to perform quality engagements consistently.
These standards require audit firms to have in place a strong system of quality management that is robust, proactive, and scalable, enabling the consistent execution of high-quality engagements.
While these standards are welcome, they do impose additional time, effort and ultimately costs on audit firms.
ISQM 1: the lowdown
ISQM 1, the standard replacing International Standard on Quality Control 1 (ISQC 1), addresses a firm’s requirement to design a system of quality management to manage the calibre of engagements performed by the firm.
This standard applies to all firms performing audits or reviews of financial statements, or other assurance or related services engagements. A firm must now establish quality objectives, identify, and assess quality risks, and design and implement responses to address those risks.
This is a much more forward-looking, proactive approach than that currently required under ISQC 1. The process is expected to be iterative, requiring continuous improvement and revisiting.
ISQM 1 comprises eight components, two of which are process driven. These are the risk assessment process and the monitoring and remediation process.
The remaining six are quality objective components, comprising governance and leadership, relevant ethical requirements, resources, acceptance and continuance, engagement performance, resources, and information and communication.
Audit firms must apply a risk-based approach in designing, implementing, and operating the components in an interconnected and coordinated manner, tailoring their approach to the specific risks arising for a firm.
Risk assessment
Audit firms are required to establish quality objectives for each of the six quality objective components. Certain quality objectives are predetermined in ISQM 1.
Firms must also establish additional quality objectives responsive to the nature and circumstances of the firm or its engagements.
Once the quality objectives are established, the firm will then need to identify and assess quality risks, taking into consideration the type of engagements carried out and the extent to which this work may create quality risks in relation to specific quality objectives.
Firms are likely to have some existing policies and procedures in place, which may continue to be relevant in meeting these new requirements.
Existing policies and procedures should not, however, be carried forward without first considering the specific requirements in ISQM 1 and the individual nature and circumstances of a firm and its engagements.
Gap analysis
A gap analysis is a must for all firms to help them identify areas where they may need additional or different responses.
Not all risks identified will rise to the level of a quality risk as defined in ISQM 1. Quality risks are those that have a reasonable possibility of occurring and a reasonable possibility of individually, or in combination with other risks, adversely affecting the achievement of one or more quality objectives.
For example, in a small firm, where leadership may be concentrated in a single or a very small number of individuals the firm may identify a quality risk with respect to the Governance and Leadership component as staff may be reluctant to challenge or question the actions or behaviours of leadership, due to fear of reprisal.
After quality risks have been identified, firms must then design and implement a response to those specific risks.
Appropriate response
The ISQM 1 identifies several specific responses required by a firm. Responses that are properly designed and implemented will mitigate the possibility that the quality risk will occur, resulting in the firm achieving its quality objective.
Take the previous example of a small firm with a single or very small number of individuals at leadership level, whose behaviours staff may be reluctant to challenge. The quality risk arising here might be addressed by obtaining anonymous periodic feedback from staff at all levels within the firm using focus groups and/or staff surveys.
Firms should keep in mind that the quality objectives for one component may support or overlap with those of another.
When establishing quality objectives, therefore, it can be useful to think of the components as interrelated or interdependent with each other.
Here’s one example. The quality objective in the information and communication component, regarding relevant and reliable information exchange throughout the firm, links with the ethical requirements component, regarding the communication of relevant ethical requirements applying to individuals within the firm.
The nature and circumstances of the quality objectives, the identified risk and the subsequent responses will differ from one firm to the next, depending on their size, network structure (when relevant) and the type of engagements they provide.
Monitoring and remediation
The monitoring and remediation process can be split into several elements, comprising:
- the design and performance of monitoring activities;
- evaluating findings and identifying deficiencies;
- evaluating identified deficiencies;
- responding to the identified deficiencies; and
- communicating the findings.
Looking back at our earlier quality risk regarding staff reluctant to challenge or question the actions or behaviours of leadership, a potential response was that the firm might facilitate focus groups and/or staff surveys to gather anonymous feedback regarding the actions and behaviours of leadership.
Once sought, such feedback must then be monitored. The firm may collate the feedback and present it to leadership, including details of the actions required to address the feedback and a corresponding timeline for these actions.
The purpose of monitoring the activity here is to determine whether the response to the quality risk is appropriate. If deficiencies are identified as part of this monitoring, firms need to evaluate their severity and determine how pervasive they may be.
This will help firms to focus on the deficiencies giving rise to the most significant risks. They should also evaluate the root cause of these deficiencies. Root cause analysis is not a new concept to practitioners. Many will already be undertaking this process when deficiencies are identified.
However, for those firms not currently doing so, ISQM 1 requires a root cause analysis in respect of identified deficiencies.
ISQM 2 and ISA 220 revised
While ISQM 2 is a new standard released by the IAASB, many of its elements have been relocated from either ISQC 1 or ISA 220, addressing both the responsibilities of the firm and the engagement quality reviewer.
The engagement quality reviewer is part of the firm’s response, rather than the engagement team’s response to quality management.
The engagement quality reviewer is required to exercise professional scepticism, rather than professional judgement, which is the responsibility of the engagement team when obtaining and evaluating audit evidence.
Revisions have also been made to ISA 220 (revised), which remove the requirement for an engagement quality review (as that is now contained in ISQM 2), and also clarify and strengthen the key elements of quality management at the engagement level, including the responsibility of the engagement partner.
The engagement partner is responsible for managing and achieving quality at the engagement level. These changes include revision to the definition of the engagement team, to include all those who perform audit procedures on the engagement regardless of their location or relationship to the firm.
There is also a new stand-back requirement for the engagement partner to determine that they have taken overall responsibility for managing and achieving quality on the audit engagement.
Ensuring compliance
The IAASB’s new quality management standards represent a fundamental shift in focus from quality control to quality management, and all firms should act swiftly to prepare for these changes. Here are three steps you can take to help ensure compliance by 15 December 2022:
- Consider your current position against the new requirements, and identify areas where your firm could start to progress implementation plans, along with the individuals within the firm who need to be involved.
- Look at your current resources and – particularly for non-network firms – consider whether additional resources might be needed, and if service providers may be required to fill any gaps.
- For network firms, each individual firm is responsible for its own system of quality management, including design, implementation, and operation. Locally you may need to consider how the network requirements might need be adapted or supplemented by the individual firm to be appropriate.
Bear in mind that the new quality management standards provide an excellent opportunity to enhance the quality and consistency of audits.
These standards will drive firms to implement quality management consistently, supporting audits of a higher quality.
A word of warning, though: don’t underestimate the time, resources and investment needed to implement these standards. You will also need appropriate buy-in and a commitment to quality enhancement from those in leadership.
A great deal of change management may be required to effectively implement the new and revised standards. With the implementation date fast approaching, time is of the essence.
Noreen O’Halloran is a Director in the Department of Professional Practice at KPMG Ireland.