Back to articles

Practical considerations for implementing ISQM 1

by Aradhana Ashok

As a measure of continuous improvement in audit quality and in response to high profile audit failures, in late 2020, the International Auditing and Assurance Standards Board (IAASB) issued two new and revised quality management standards.

Background

International Standard on Quality Management 1 (ISQM 1) [Effective 15th December 2022] is applicable for all firms performing (a) audit & review of financial statements (b) Assurance engagements other than audit or review of financial statements (c) Related services engagements.

International Standard on Quality Management 2 (ISQM 2) is a standard with specific focus on the engagement quality reviews.

ISQM 1 requires a firm to design, implement and operate a system of quality management to consistently deliver quality audits, and to evaluate the effectiveness of the system on an annual basis. This is in relation to the nature of engagements that they deliver, keeping in mind the firm’s composition as well.

While ISQC was a process manual based, a passive standard that focused on each separate component of quality control. ISQM 1, on the contrary, is an integrated approach, rooted in firm’s risk assessment and pervading importance to all the components to quality.

Components of quality 

 ISQC   ISQM 1
1. Leadership Responsibilities 1. Risk Assessment
2. Ethical Requirements 2. Governance and Leadership
3. Client Acceptance 3. Ethical Requirements
4. Human Resources 4. Client Acceptance
5. Engagement Performance 5. Engagement Performance
6. Monitoring 6. Resources
  7. Information and Communication
  8. Monitoring

 

There is continuous realisation by most firms whether small, mid-size or big, that unless the audit methodology today encompasses the relevant risk considerations and audit quality processes to ensure adherence, there is a risk of under-audit or audit procedures not commensurate with the nature of the engagement. The actions faced by many firms today for such non-compliance are indeed heavy, resulting in penalties and, disqualifications of the members/firms even. Further, there is increased focus on use of tools and technologies in audits. The expanded pillars within ISQM address continuing shift to tools and technologies as businesses and audits evolve.

We have by now seen the guidance note for the implementation and, there are a few case studies available in the real world in terms of how various firms have adopted and implemented the ISQM 1.

Clearly, firms, big or small will need to invest significant resources in upgrading quality systems to comply with ISQM 1 and it is a fundamental shift to quality thinking within audit firms.

ISQM 1 brings risk assessment as a key proactive component to quality management in addition to information and communication as an additional component to ISQM.

Let us consider some of the components of ISQM 1 in detail.

Firm’s Risk Assessment

This new component is a key element bringing a firm level focus and proactivity to quality management process which was hitherto not specified as a component for enhancing the firm’s audit quality.

What is interesting about this component is that:

  1. While giving flexibility basis nature and size of firm, engagements, this standard requires a specific firm wide risk assessment and a customization. Rather than a checklist, this forces firms to think and adopt appropriate responses to identified risks.
  2. It calls out the requirement of a system that is interdependent on other components and works in tandem rather than behave as a standalone component.

This means that we cannot treat the quality system as a standalone, but as an all-pervading system with all the components of people, processes and technologies working together.

The risk profile of the firm needs to be reassessed and tailored to each firm - in all matters of operations from client acceptance to delivery, market presence etc. This exercise involves creating an expansive risk register, objectives, risk profile and responses/templates and processes for each such identified risks.

This may need a re-assessment of the clientele of the firm, risk calls taken in the past and revisit responses to such risks going forward.

Larger firms with multi-geo operations also need to consider local regulations, risk profiles, firm level available structures as a part of the risk assessment. This entails looking at each facet of the environment or geography where the firm is functional.

Governance and Leadership

Leadership and governance will be a key factor for the implementation of this ISQM. The tone at the top, as always will direct the culture and the organizational acceptance to any changes.

As such, the strong leadership will be key for this implementation. Leadership alone would not be able to implement this, as such, an organization structure that would support the leadership will also be critical. The leadership is required to demonstrate commitment to quality that must be driven by the culture and practices of the firms.

ISQM 1 requires that there is a defined structure, roles, and accountability for operational matters. Quality and other operational functions need to be designed comprehensively, with investments in leadership, people, tools.

This would face a challenge for smaller firms where leaders may be handling multiple responsibilities - delivery as well as quality or firm level functions. The pervasive need to assess, respond and monitor quality requirements places additional demand on bandwidth and may necessitate organization structures with dedicated leaders for quality management.

Even larger firms may not have dedicated functional teams.

Investment in leaders, processes & tools from risk assessment right up to monitoring and correction shall increase for all firms.

Ethical Requirements

Ethical requirements cover independence, relevant ethical requirements for the firm, individuals, network firms and other experts/service providers who are involved in an engagement.

ISQM requires not just alignment, but training, periodic confirmations, communication, breach, complaints, remediation, and assurance of adherence by network firms and external service providers.

These diverse requirements needs to be brought into the initial design and implementation of the framework.

Acceptance and Continuance

The client acceptance and continuance procedures are generally required to be very robust to ensure a better risk management by the firm. ISQM requires extensive documentation, financial and operational considerations at the time of acceptance and to assess any information on the culture and ethical values of the client proposed.

The above enhanced requirements are indicative of the current regulatory environment globally, where frauds and financial irregularities in various sectors place qualitative and prescriptive requirements for assessment for acceptance. There is also a requirement to use this information in the audit planning and performance. Client acceptance procedures need to assess qualitative and quantitative risks and address them prior to acceptance. This would necessitate evaluation of ethical considerations at the time of each client acceptance. And if every firm would choose a very conservative approach to client acceptance, who would audit any company that is considered remotely ‘high-risk’?

Therefore, the designed quality system should have clear process for identifying, addressing, and deciding regarding client acceptance.

Engagement Performance

The core function of any professional service provider is engagement performance. This is the key deliverable that in turn dictates the firm’s credibility, ability to perform, recall of the firm’s name and public opinion on reliability of the firm’s professional opinion.

The engagement team and quality of the team is the first matter of focus. The firm level guidance for sizing the team, selection of the team, external experts, internal experts are a derivative of client risk assessment, client complexity and the availability of key resources.

Demonstrating staffing decisions for firms and their adequacy for all sizes of firms, where overlapping engagement responsibilities lie with the resources may be a challenge. How is quality ensured and demonstrated in such a situation become key.

Where firms use external resources, other experts, ensuring quality, professional skepticism and handling difference in opinions becomes very important.

Many firms today are possibly taking a case-case approach to such differences. A review of the history of such matters/differences could help the firm in addressing this to the extent practical in the framework itself. Engagement documentation is another key factor of the performance. There are various standards and guidance notes on this matter and the framework should consider this at the time of implementation. There are also laws around retention of audit work papers, sharing the work papers, etc; these are all factors to be incorporated at the time of the design and implementation of the ISQM.

Training, assignment of appropriate resources, skill review of the assigned team, periodic updates and various other design elements are required to be incorporated to ensure that the engagement performance is not impacted.

Resources

Resources in ISQM address not only the human resources but also additional resources that contribute towards the engagement performance like technological, intellectual, financial resources etc.

Individuals engaged in delivery of an assignment range from the partner to the staff and may include additional resources contributing to the delivery of the engagement who may be internal or external to the firm. ISQM addresses the focus needed on the having competent and trained individuals to enable quality. Design must include all aspects of resourcing like policy, compensation, competence, training and evaluation/appraisal mechanism, timely feedback, and attrition & retention.

Other resources like technology used in delivery of an audit, in quality management, in general business operations are all critical as well. ISQM touches on these requirements and the need to maintain confidentiality of data and develop policies and procedures to ensure all aspects of the functioning of the technology elements contribute positively to the engagement and the firm.

Another critical resource these days are the intellectual resources such as databases, methodologies, IT resource overlaps and use of service providers in this area.

Financial resources are also addressed in the ISQM as all the above elements will need investment from the firm for it to be successful and functional.

The design must consider the risks and processes that are required to be put in place for the firm to minimize exposure and use all the above resources in the manner prescribed by the policy and in line with the firms’ methodologies to ensure quality objectives are met.

Information and Communication

A firm’s information system will include elements of formal and informal communication, similarly, manual and IT channels that needs to function in tandem. Capturing all this in the design and addressing all the risks that could be associated with the same is a significant step. The firm must take cognizance of the fact that all its channels of communication and all the information disseminated through these channels are covered in the ISQM process.

The culture of the firm must be aligned to the process being considered with the design. The firm will need to work with the existing process but ensuring that any additional requirements/elements as per the ISQM is also incorporated into this design and process.

Not only will this impact the internal channels but also all the external service providers, network partners and any external party that the firm engages with in the delivery of the services including law or regulations, communication of those charged with governance etc, Additionally, this will also apply to specified responses the firm may have to engage in the instances of Peer Review or response to complaints/allegations, etc. The design of the component must consider all this.

For a small/medium size firm, this could mean disproportionate investments. These firms would probably be more reliant on the informal channels thereby posing a challenge to the implementation. Also, personal inputs, verbal communication and more such aspects will have to be considered. The turnaround for these firms to full documentation may be difficult. However, the ISQM does mention that in such instances, the documentation required may be to the extent defined as a requirement under the ISQM.

Monitoring and Remediation Process

The monitoring process is very critical to any business process. In that, for designing and implementing an ISQM process that is a living document undergoing changes that is as dynamic as the businesses it audits, a good monitoring and remediation process is very critical.

A firm is expected to monitor the entire SOQM that that has been implemented. This means, monitoring all the components and the process in its entirety. The monitoring activity and frequency will depend on various factors like the size of the firm, the nature of clientele, how the ISQM has been implemented, the resources that has been used in the implementation, etc. The variability of this exercise and the need to re-visit the activity based on past trends, effectiveness of the process etc, is very critical. The firm will need to monitor not just the components but also the process itself to ensure the risks and issues are identified and remediated in a timely fashion.

There could be focused monitoring of certain factors like internal quality review of certain critical engagements while monitoring for certain other components may be firm-wide, eg. the IT processes.

Evaluation, root cause analysis and remediation of findings is critical to the process.

All pervasiveness of quality means, these must be applied to all processes internal and external to the firm like use of external service providers, network partners, etc, the scalability of such a process for firms in small and medium sizes could mean additional cost/investment.

If taken up by engagement teams themselves, there is a self-review threat or threat of missing the relevant issues in the implementation.

Dedicated teams may be needed to address this and contribute to the exercise for it to be an effective remediation. Hence, the individuals who will perform this will need to be independent, ethical, and objective to identify and solve the issues.

Identifying remedial actions and ensuring the implementation may involve establishing additional steps or changes to the originally implemented ISQM that could percolate to all components and their inter dependencies. This is something of a challenge as the remediation should not only address the issue on hand but also identify all such possible causes and ensuring non-occurrence of the issue in the future. Needless to say that this is a time bound activity.

The final element of this component is the communication of the findings and its remediation. The process loop isn’t complete without the communication from the person in charge of the process on the steps for remediation and action plan for non-occurrence.

This component although generic is the very challenging to implement as this needs a lot of information, resources and process alignment to be effective. All other components must feed into this.

Network Considerations

ISQM also addressed quality management on the network level and places emphasis on the quality management at network level which can be leveraged by the member firms rather than duplicate the efforts. This becomes a critical area of strategy to be reviewed and implemented on priority by national and international networks.

The fact that ISQM adherence is not compulsory across all geographies and therefore may not have buy-in from all network members may create its own challenges

Many questions on ISQM remain unanswered.

With client deliverables being primary for most firms, will the implementation be staggared or done in one go? Will the investment required upfront be recovered eventually, by increased fee? Will the firms non-compliant continue to do so and risk their existence. Will technology and AI solve any of these?

All these are matters to be considered for a discussion once some patterns and data is available to analyze. Meanwhile, it is for each firm, big or small to consider the implications of the ISQM and its implementation.

Challenges and investments

  1. There is an increased focus on risk assessment needing constant evolution, contemporaneous maintenance with the audit practice.
  2. Governance and leadership considerations at all levels of the firm
  3. Focus on the monitoring aspects of the process significantly increases investment needed
  4. Emphasis on information and communication
  5. The expanded definition of resources in the ISQM extends focus to all operational matters, people, tools, data, etc.

For most firms, the full adherence to ISQM will mean need to reassessment of quality processes, partner-level leaders for each of the component of the ISQM standard, leading to significant investments, bandwidth demands, without immediate/commensurate fee returns.

ISQM 1 engenders a rethink of the process and bring in changes that resonates with the way the businesses are run today, by implementing a methodology that is iterative and dynamic to emerging changes.

Takeaways

However, it is also true that, in the long run, firms that take a step towards integrated quality under ISQM 1 are going to have an edge over the rest in terms of being a relevant and a qualitative market player.

Implementation and monitoring also opens opportunities for professionals as a new area of work – as quality professionals for audit firms.

ISQM 1, however, is a great opportunity for all firms irrespective of the size to implement and put in motion a quality thinking process that can contribute to strengthening the course of the quality of audits and all engagements in general.

Steps to implement

  1. Start the process – it is not a one-time perfect implementation but a growing system with iterative changes in response to challenges. Start with process by creating a Quality Leader and their organization.

  2. Determine the requirements and budget.

  3. Review available solutions –
    a. There are multiple software / training solutions such as mercia-group, qm.x (by grant thornton), ISQM-Manager etc who have attempted to provide manuals, documentation, templates.
    b. There are emerging service providers such as www.trueandfair.pro who are creating a more comprehensive system, including audit documentation, technical guidance, and services, such as a Virtual Training Partner or Virtual Quality Partner, assuring objectivity, independence, and cost effectiveness.

  4. Sign off with consensus on the quality management framework.

  5. Agree on periodic review and revamp in response to monitoring & review of the SOQC itself.

Disclaimer: This is not an advise, nor endorsement of any service providers mentioned in the article.


Photo: wichayada - stock.adobe.com

26 September 2023

JAA & Associates