ISQM1 - Quality Assurance Management is an essential element of modern practice.
Have you ever wondered how audit firms are organised?
What policies and procedures do they have in place to ensure quality deliverables through the reports they issue?
Audit firms provide assurance about the financial and non-financial status of businesses. They play a critical role in retaining the trust of the various stakeholders and users of the audited published information.
The increasing complexity of the organisational structures, the advancement of technologies, the evolving regulatory requirements and the continuous updates of the financial reporting requirements have led to the adoption of the International Standard of Quality Management 1 ("ISQM 1"), which substitutes the older International Standard of Quality Control.
The ISQM1 is designed to provide a robust and consistent approach to quality management within firms that perform audits and other assurance services. Audit firms move away from "controlling" their systems and procedures towards "managing" their risks. The new standard emphasises the importance of a "risk-based" approach to quality management, which means that firms should identify, assess, and manage risks throughout the audit or assurance engagement process. Each audit firm has its own policies and procedures, which are scalable to the size of the organisation and are applied to manage its own risks. Professional firms that specialise in the requirements can be engaged to help Management perform the required risk assessment, draft the policies and procedures, and guide the firm through the monitoring programme. External service providers can also be involved in monitoring reviews of audit and assurance files or in monitoring the overall implementation of the designed quality management system.
Managing the risks to the quality of an organisation is a dynamic process which needs to be closely monitored and updated. At least an annual review of the risks involved and the responses to those risks is expected to be performed.
Below, we set out the basics of the eight components of the ISQM1. A series of articles will be published explaining each component's details, aiming to unravel the requirements and applicable considerations for Management.
Risk Assessment Process:
The new standard requires audit firms to strengthen their risk assessment. It is required that a detailed assessment of the risks associated with an individual engagement, as well as the risks inherent in the overall business model and environment, is performed. This assessment will form the foundations to understand the critical business process and ensure that the design of the firm's policies and procedures, including those related to client acceptance and retention, engagement planning, and execution, is done in a way to mitigate any risks that may damage quality.
Leadership and governance:
The overall goals and objectives of the organisation in respect of quality need to be explained and transparent to the stakeholders. Policies need to describe how high-quality service is provided, how client expectations are met, and how ethics and independence are perceived. Clear roles and responsibilities must exist for each departmental employee, while effective communication channels for sharing information and feedback need to be present. The top management should be clearly involved in the day-to-day operations and actively oversee the processes while demonstrating cultural values and desirable behaviours through their actions.
Ethics and independence:
ISQM1 requires firms to ensure that all staff members understand and adhere to the relevant ethical and professional standards. Additionally, the standard emphasises the need for firms to avoid any actions that could compromise their independence from their clients. Relevant policies and procedures need to be in place to ensure that the auditors involved in client audits are independent, well-educated and informed about the client industry, and act with integrity, and that only permissible services are contracted to be delivered, considering both the IESBA Code of Conduct and other relevant legal and regulatory requirements.
Acceptance and continuance of client relationships and specific engagements:
The acceptance and continuance component deals with the continuous process of accepting a client relationship and reviewing it at regular intervals based on the risk profile of each client or engagement. Audit firms need to adhere to the Anti-Money Laundering laws and regulations and accept only clients who successfully pass these assessments. The required knowledge, expertise and resources need to exist for the provision of high-quality services. The firm must evaluate the engagement risks and take appropriate action to mitigate them. In cases where an assessment is not successful, the audit firm needs to terminate the relationship immediately.
Engagement performance:
The performance of an engagement shall involve proper planning, execution, completion and consultations. Audit firms must ensure that the engagement teams are adequately planned and allocated to projects, and that they are qualified, experienced, and sufficiently equipped to carry out the work. Each audit or assurance engagement must start with the team acquiring a thorough understanding of the client's business activities, risks, and internal controls. Specific policies and guidance over consultation requests are mandatory for judgmental or complex situations.
Establishing the risks and agreeing on the procedures to be performed in advance while continuously monitoring the progress towards meeting the end goal is crucial. At the end of each project, the audit firm should evaluate the results and take appropriate action if necessary.
Resources:
An audit firm's resources include its human capital, technologies, infrastructure and others. ISQM1 requires that all staff members are adequately trained and have the necessary skills and knowledge to perform their duties and responsibilities. This is achieved through on-the-job coaching and training, refresher physical or web-based training, or the availability of specific technical and other libraries. Technological resources need to be safeguarded from security threats, and access controls need to exist to ensure that only authorised individuals have access to sensitive information, while the latest updates of content and technical specifications need to be processed.
Information and communication:
The information and communication component focuses on the effective exchange of information within the teams, the audit firm as a whole and between the firm and its clients. This includes establishing clear lines of communication, enabling and encouraging ongoing, real-time effective exchange of feedback between the engagement team itself and the clients' management and ensuring that all relevant information is communicated effectively.
It is essential that effective and appropriate documentation is maintained throughout the engagement, including the audit plan, work papers and audit reports. This ensures that all audit work is easily identifiable and makes it easier to review and evaluate the quality of the audit work performed.
Monitoring and remediation process:
Last but not least, the System of Quality Management of an audit firm needs to be monitored closely. In addition to implementing strong internal monitoring and review procedures, the standard requires firms to consider the use of technology and other data analytics tools to identify potential quality issues. This could include monitoring data on key performance indicators, such as engagement completion rates, staff turnover rates, and client satisfaction ratings, to help identify areas where the firm's quality management system may need improvement.