In part two of a three-part series, Kirsten S. Albo of ASK KSA Consulting Inc. explores the design and implementation of risk responses
There are three steps to the risk assessment process outlined in ISQM 1, Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements. The first step is establishing quality objectives, followed by the second step, identifying and assessing quality risks. These steps were addressed in the first article in this three-part series on the new suite of quality management standards that were approved by the International Auditing and Assurance Standards Board (IAASB).
The third step is designing and implementing responses to identified quality risks. For practitioners working in public practice, ISQM 1 risk responses will be crucial to your compliance with the new standards. This article, the second in the three-part series, includes examples that will help support small- to mid-sized practitioners (SMPs).
It is the assessment of quality risks that provides the basis for the design and implementation of responses. That is, what are the policies and procedures needed at your firm to address one or more of the quality risks?
This step is much more than updating your current quality manual outlining quality policies and procedures.
Unlike the quality objectives stipulated in the standard, there are very few specified responses. Rather, it is up to the firm to identify the appropriate responses to the quality risk. This is where the nature and circumstances of the firm and the engagements it performs come to the forefront in the risk assessment process. A firm that only performs compilation engagements will have significantly different responses than a firm that performs audit engagements.
As outlined in the first article of this series, quality objectives are required for each of the following components:
- Governance and leadership
- Relevant ethical requirements
- Acceptance and continuance
- Engagement performance
- Resources
- Information and communication
Responses to quality objectives are required; the assessed risk related to the quality objectives and the nature and circumstances of your firm will drive the level of detail required for the responses. This highlights why steps one and two of the risk assessment process are critical. You want to develop and implement the right responses, but you don’t want to do too much work or develop inappropriate responses.
Where a quality risk has been identified, a response is required. Designing and implementing policies and procedures will depend on the nature and circumstances of the firm and its engagements.
Based on my experience with assisting firms working through ISQM 1, quality risks will result in each of the six components identified above; however, the risk assessment and related responses will vary. The effort arises from designing the appropriate response based on the circumstances of your firm.
In certain cases, existing policies and procedures may be adequate, but in other cases more robust policies and procedures may be required. Or, in other cases, a policy or procedure may not be required because no quality risk has been identified.
Let’s walk through an example. One of the components is resources. Quality objectives are required related to hiring, developing and retaining personnel. For firms with staff, a quality objective and assessed risk is developing staff competence.
Competence is the ability of an individual to perform a role and goes beyond technical knowledge; it is the integration and application of that technical knowledge along with their professional ethics, values and attitudes. Competence can be developed through a variety of methods and will depend on the nature of your firm. If you are a small firm, the policy related to developing personnel may be as simple as on-the-job training and feedback and review of working papers. In a larger firm, the policy may require that a senior staff member always reviews the work of a junior, and that formal training programs are provided as staff move through each level. And of course, if you are a sole practitioner, you must ensure you develop and maintain your own competence to perform your role, perhaps through participation in professional development.
Other examples of policies and procedures related to hiring, developing and retaining personnel that can vary depending on the nature of your firm may include your firm’s recruiting process; the use of internal or external training programs; and the timing of providing feedback as an evaluation mechanism.
The information and communication component is another area where a response may vary from firm to firm. In a less complex firm with fewer personnel and direct interaction between staff and leadership, informal communication may be adequate. However, in a larger firm with many partners and staff, formal policies and procedures may be required that specify how information should be identified, captured, processed, and maintained.
Communication of the new standards and related changes in policies and procedures is the perfect example. How are these changes going to be communicated within your firm?
As you consider what is required in developing your firm’s policies and procedures, you will want to take into consideration ethical requirements, for example, those outlined in the International Code of Ethics for Professional Accountants (including Independence Standards). In some cases, a firm may want to include matters in their system of quality management that are more specific than the code of ethics. For example, the firm may prohibit the acceptance of gifts and hospitality from a client, even if the value is trivial and inconsequential.
While the majority of risk responses are left up to the professional judgment of the firm, there are certain responses specified by the standard.
In our profession, it is critical we follow ethical requirements and ensure that practitioners are independent where necessary. A process for identifying, evaluating and addressing threats is required. In addition, a firm must obtain at least annually a confirmation of compliance with independence from all personnel.
Other specified responses include policies and procedures for receiving, investigating and resolving complaints and allegations, addressing engagement quality reviews in accordance with ISQM 2, Engagement Quality Reviews, and communicating with Those Charged with Governance (TCWG).
Finally, specified responses are required to address circumstances when the firm becomes aware of information subsequent to accepting or continuing a client relationship that would have caused it to decline the engagement had the information been known prior to accepting or continuing the client relationship.
Conclusion and Next Steps
Designing the responses that are right for your firm is critical. Quality is of utmost importance in all engagements. There is a balance between being effective (having the right responses in place) and being efficient (not doing too much). Developing policies or procedures will take time. The time to start is now.
A good place to start will be to use the tracking sheet you started when setting quality objectives and identifying and assessing risks. Now add a column for your firm’s risk responses. This information can then be used as the basis for drafting required policies and procedures for your firm’s system of quality management. Remember, the design and implementation of the system of quality management is to be completed by December 15, 2022, with the operation of the system to follow after this date.
The evaluation of the system of quality management is stipulated in the monitoring and remediating component of the standard. This will be covered in the last article of this series. Stay tuned.
- IAASB ISQM 1 First-time Implementation Guide
- IAASB ISQM 2 First-time Implementation Guide
- IFAC dedicated Quality Management webpage
- Specifically, the suite of Quality Management Standards is comprised of International Standard on Quality Management (ISQM) 1, Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements; ISQM 2, Engagement Quality Reviews; and ISA 220 (Revised), Quality Management for an Audit of Financial Statements. These standards replace International Standard of Quality Control (ISQC) 1, Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related Services Engagements and ISA 220, Quality Control for an Audit of Financial Statements.