Getting ready for the new audit quality management standards
The new international quality management standards issued by the IAASB, and adopted by the FRC with additional requirements for UK firms, introduce a new approach to Quality Management, focused on proactively identifying and responding to risks to audit quality. The key to complying with these standards will be for the audit firm to perform a detailed risk assessment and ensure that the System of Quality Management is explicitly designed to address the identified risks.
The standards comprise:
- International Standard on Quality management 1 (ISQM1)
- International Standard on Quality Management 2 (ISQM2) – Engagement quality reviews; and
- A revised ISA 220 Quality management for an audit of financial statements.
ISQM1 replaces International Standard on Quality Control (ISQC1), and ISQM2 is a brand-new standard that sets out the appointment and eligibility of the engagement quality reviewer and their responsibilities relating to performance and documentation of the quality review. Although the change in name from ISQC1 to ISQM1 may be subtle, it is underlain by a fundamental shift to proactive system of quality management (SoQM), as opposed to a reactive system of quality control.
The three standards will come into effect from 15 December 2022. The System of Quality Management needs to be designed and implemented by this date. The first assessment of the effectiveness of the SoQM is to be undertaken within one year of implementation.
An overview of the Quality Management standards
The requirements of ISQM1 are extensive and the standard is a complete overhaul of extant requirements in ISQC1. The key changes include:
- ISQM1 introduces a risk assessment process;
- Proactive Quality management is greatly emphasised;
- Requirements over managing audit software, audit automation, and data analytics modernise the standard;
- Audit firms’ considerations of service providers used may include training groups, audit software & methodology suppliers, data analytics providers to name but a few;
- Firms are required to take ownership of quality and not rely on their networks unduly and there are new requirements on information flows between firms and their networks;
- A specific requirement to implement root cause analysis when assessing deficiencies in the system of quality management;
- Changes to audit quality monitoring and remediation requirements; and
- Enhanced requirements for documentation of the system of quality management.
ISQM2 extends the requirements concerning engagement quality reviews, another terminology change replacing engagement quality control reivews. These requirements apply to :
- Audit of listed entities
- Public interest entities (PIE’s)
- Public reporting under UK standards for Investment Reporting (SIRS)
- Reporting to the UK Financial Conduct Authority on compliance with CASS, and
- When the firm determines as necessary to address quality risk.
Challenges in implementing the new quality management standards
The requirements are far too extensive to go into in detail here, but some considerations and potential challenges when implementing the QM standards include:
- Risk Assessment
The firm’s risk assessment is the starting point for developing the SoQM and success will be dependant upon a robust risk assessment, and identification of appropriate responses to identified risksISQM1 does not specify what a SoQM looks like; instead, it sets out how the firm should design a system that is appropriate for the firm’s size and circumstances. All components as set out in the standard should be considered by the firm individually or in combination when addressing quality risks and in developing their SoQM.
2. Root Cause Analysis
Root cause analysis (RCA) forms part of the firm’s remediation process when addressing quality deficiencies. The standard does not provide extensive detail on root cause analysis, and in practice, the nature and timing of root cause analysis is much debated. Firms will need to consider how they will perform RCA (e.g. using the Five Why model, or another approach), who will undertake the RCA (e.g. members of a central team, independent members of the audit practice or even outside suppliers) and which deficiencies or audit engagements will be subject to RCA. Firms will need to determine the best timing for their circumstances, including consideration of client and other deadlines.
The implementation date is 15 December 2022. For most firms, this may seem like a long way away, but undertaking the risk assessment, designing and responsing to the identified risks, documentation, and perhaps trialling of the new system is likely to be time-consuming if it’s done correctly. It would be wise to commence planning for the new quality management standards as soon as possible to allow sufficient time for effective implementation. The first assessment of the effectiveness of the SoQM is to be undertaken within one year of implementation.
Find out more
If you would like further guidance or to discuss in more detail these new audit requirements, please contact your local MHA member firm.