This is a critical time for professional accountants in public practice. Many standards are evolving, with none perhaps more important than the suite of new and revised quality management standards recently approved by the IAASB.1
These standards strengthen the overall proficiency of firms and the engagements they perform by promoting a robust, proactive and scalable risk-based approach to quality management.
Why should you care about the new standards? Because they will have an impact on all firms — regardless of the firm’s size — as the standards emphasize leadership and the establishment of a system of quality management, not just engagement quality control. The IAASB is addressing an evolving and increasingly complex audit ecosystem, including growing stakeholder expectations.
Preparing for their implementation should be a priority for small- to mid-size practitioners (SMPs), as systems of quality management in compliance with this ISQM are required to be designed and implemented by December 15, 2022, and the evaluation of the system of quality management of this ISQM is required to be performed within one year following December 15, 2022.
ISQM 1 sets out three steps to the risk assessment process. The first step is establishing quality objectives, followed by identifying and assessing quality risks, which provide the basis for the design and implementation of responses, the final step. In this, the first article of the series, I will focus on the first two steps of the risk assessment process.
As you undertake the risk assessment process, ensure you have appointed the individual in your firm who has the ultimate authority for the system of quality management along with the individual who has operational responsibility. These individuals should have the appropriate experience, knowledge and influence to fulfill these roles. In a small firm, this could be the same person whereas, in a larger firm, the roles may be split.
The first step in the risk assessment process is establishing the quality objectives to be achieved. That is, the desired outcomes in your system of quality management. The quality objectives to be achieved are specified in ISQM 1, therefore the first step may not be overly complex.
The quality objectives cover the following six components of the standard.
- Governance and leadership. These establish the firm environment and its commitment to quality through its culture and actions of leaders. A strong culture can be demonstrated through professional manner, teamwork, maintaining an open mind, pursuit of excellence, a commitment to continuous improvement, and social responsibility.
- Relevant ethical requirements. These relate to relevant ethical requirements which ordinarily comprise of the provisions in the International Code of Ethics for Professional Accountants (including International Independence Standards) to which the firm and its engagements are subject. The IESBA Code sets out the fundamental principles of ethics that establish the standard of behavior expected by firms and practitioners, including requirements addressing independence.
- Acceptance and continuance. These address judgments made by the firm about whether to accept or continue with a client and are based on issues such as the complexity and organizational structure of a client. A firm must also ensure it can perform the engagement. For example, it would be challenging for a sole practitioner who typically only audits not-for-profit entities to accept a client who reports under IFRS.
- Engagement performance. These establish the overarching requirements of performing quality engagements. For example, in all cases, engagement teams must understand and fulfill their responsibilities and exercise appropriate professional judgment. These objectives also relate to supervision and review of work performed — a different level of involvement is required with a new staff member versus an experienced staff.
- Resources. Resources include human resources along with technological and intellectual resources. Human resources are the staff you work with, technological resources are the systems you employ, and the intellectual resources are the tools you use, such as a methodology, to conduct engagements. Quality objectives detail the appropriate use of all three.
- Information and communication. Whether information is communicated within the firm or with external parties, it should be relevant, reliable, and on a timely basis. In a firm with fewer personnel and direct involvement of leadership there may not be the need for formal communication policies.
The quality objectives specified in ISQM 1 are required for all firms and all engagements, unless clearly not applicable. For example, if you are a sole practitioner, you do not need quality objectives related to the direction and supervision of staff. If you are not part of a network of firms, you do not need quality objectives related to information and communication within the network.
The final question to address in this step is based on the nature and circumstances of your firm, and whether there are any additional quality objectives required in your system of quality management. In a less complex firm, additional quality objectives would not be expected.
Identify and Assess Risk
The second step in the risk assessment process is to identify and assess the risks of achieving of the quality objective, that is, what are the quality risks in your firm. The definition of a quality risk is a risk “that has a reasonable possibility of occurring and individually, or in combination with other risks, adversely affecting the achievement of one or more quality objectives.”
In identifying a quality risk, think about the conditions, events circumstances, actions or inaction that may have an adverse impact on your firm’s ability to achieve its quality objectives. Take, for example, a quality objective related to governance and leadership. The firm recognizes and reinforces the importance of quality in the firm’s strategic decision and actions. However, the firm may also have incentives that are focused on financial and operational priorities, which may discourage behaviours that demonstrate a commitment to quality resulting in a quality risk.
In working through this step of the process, think about the complexity and operating characteristics of your firm. Are there only two partners who make decisions together or are there many partners led by a managing partner? Another factor to consider is the strategic and operational decisions of the firm. Is the firm in growth mode and aggressively looking for new clients and staff, or maintaining the status quo? The responses to these questions will help determine whether a quality risk exists.
In certain cases, due to the nature of your firm, a quality risk may not be significant. For example, a quality objective related to information and communication is relevant and reliable information is exchanged throughout the firm and with engagement teams. If you operate a small firm, with only a handful of staff members, there is most likely ongoing communication and therefore due to this frequent, albeit informal, process, the quality risk would be expected to be low.
In determining quality risks, you must also consider the types of engagements you perform, your clients, and the industries in which they operate. Quality risks may result based on the nature of your clients.
Think about the risk assessment process as iterative versus linear. When identifying and assessing risk, a firm may determine an additional quality objective needs to be established; or, when designing and implementing responses, the firm may determine a quality risk was not identified and assessed and should have been. This will be an ongoing process, especially as you work through implementing the requirements of the standard.
Conclusion and Next Steps
The concept of quality in engagements is not new, but the approach and key requirements in the upcoming standards are different and incremental in many cases. The time to start is now. Read the new standards. Then assign a leader within your firm who has the overall responsibility for the new quality standards.
The standard focuses on scalability throughout the risk assessment process which is especially important for SMPs. The nature and circumstances of a firm, the engagements it performs, and resulting quality objectives and risks will be unique in each circumstance.
For example, one straightforward document may be adequate to document quality objectives and quality risks and responses as compared to a large firm with many partners. In this case, a more formal and complex manual may be required.
There are several approaches to establishing quality objectives and assessing risks. One simple idea is to start a tracking spreadsheet. List the quality objectives specified in the standard, describe factors related to the nature and circumstances of your firm, identify any risks and assess whether this ultimately leads to a quality risk. Any quality risks that are identified are the basis of designing and implementing risks responses. This topic will be covered in the next article so stay tuned. The final article in this series will detail the evaluation of the system of quality management.
- IAASB ISQM 1 First-time Implementation Guide
- IAASB ISQM 2; First-time Implementation Guide
- IFAC dedicated Quality Management webpage
- Specifically, the suite of Quality Management Standards is comprised of International Standard on Quality Management (ISQM) 1, Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements; ISQM 2, Engagement Quality Reviews; and ISA 220 (Revised), Quality Management for an Audit of Financial Statements. These standards replace International Standard of Quality Control (ISQC) 1, Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related Services Engagements and ISA 220, Quality Control for an Audit of Financial Statements.