Available Languages:

Part three of a three-part series from Kirsten S. Albo of ASK KSA Consulting Inc.

In this, the last of a three-part series on the new quality management standards[1] , we cover the evaluation of the system of quality management. We began the series addressing establishing quality objectives and identifying and assessing risks. The second article covered the design and implementation of risk responses.

Overview

The standard requires the evaluation of the system of quality management to be undertaken at least annually at a point in time. The objective of the system of quality management is to provide the firm with reasonable assurance that the firm and its personnel fulfil their responsibilities and conduct engagements in accordance with standards and requirements and issue engagement reports that are appropriate in the circumstances. In the context of ISQM 1, reasonable assurance is a high, but not absolute, level of assurance.

It is the evaluation of the system that provides the firm with the conclusion that the objectives have been met. Accordingly, the standard requires a firm to establish a monitoring and remediation process to provide relevant, reliable and timely information about the design, implementation and operation of the system of quality management as well as to take actions to respond to identified deficiencies.

Designing and Performing Monitoring Activities

In order to evaluate the system of quality management, the firm must perform monitoring activities which will vary from firm to firm and therefore is tailored to the firm’s nature and circumstances. For example, when determining the extent of monitoring activities, take into account the assessments given to the quality risks, the design of risk responses, and any changes that may have occurred in the system of quality management. The firm should also consider other relevant information including any complaints and allegations, previous monitoring results and information from external inspections. However, similar to the extant standard, external inspections are not a substitute for the monitoring process.

The nature, timing and extent of monitoring activities may also be affected by other matters including the size, structure, and organization of the firm and the resources that the firm intends to use to enable monitoring activities. In a less complex firm, the monitoring activities may be simple, since information about the monitoring and remediation process may be readily available in the form of leadership’s knowledge and interaction with the system of quality management. In a more complex firm, the monitoring activities would likely be more robust, involve many individuals, and involve more detailed policies and procedures. That is, a partner in a small firm likely has their pulse on the activities of their firm more so than in a larger, more complex firm. Think about the differences in monitoring and remediation activities for one office versus many.

File Inspections

One monitoring activity that is mandatory is the inspection of completed engagements. Judgment will be required as to which engagements and which engagement partners should be selected. The requirement is to select at least one complete engagement for each engagement partner on a cyclical basis, but there may be reasons to select a file on a more frequent basis. For example, with a new partner, a partner that has taken on a new type of engagement, or there have been problems encountered in past inspections. 

Separate and distinct from the completed file inspections conducted as a part of monitoring, the standard also introduces the concept of in-process engagements. That is, engagements where the report has not yet been issued. While these inspections may appear to similar to completed file inspections, their objective is different. These file reviews area response to an identified quality risk versus a complete file inspection that is a monitoring activity.

Evaluating Findings and Identifying Deficiencies

It is fully expected that findings will result from monitoring, but not all findings will result in a deficiency.  Findings must be evaluated to determine if they are a deficiency.  A deficiency is the result of:

a)       A quality objective not established.

b)      A quality risk is not identified or properly assessed.

c)       A response to reduce the likelihood of a quality risk occurring to an acceptably low level has not been designed or implemented.

d)      The response is not operating effectively.

Let’s walk through an example for each of the above. Imagine a mid-sized firm with six partners and 50 staff.  Based on the monitoring activities, a deficiency may arise if:

a)       A quality objective related to review and supervision of staff is missing.

b)      Based on the nature and circumstances of this firm and the fact that they have a large staff, it would be expected a quality risk exists. If not, a deficiency would most likely be reported. 

c)       A deficiency may also arise if the firm concluded this is a quality risk, but no response has been designed or implemented. For example, they have no policy or procedure that all work of a junior is to be reviewed by someone more senior. 

d)      Finally, a deficiency may exist because they have designed a response but based on the results of monitoring and completed file inspections, is it clear the review is not taking place. That is, the response is not operating effectively. 

When a deficiency has been identified, its severity and pervasiveness must be also be evaluated. Is the deficiency a unique circumstance or is it pervasive across the firm?  In answering this question, it is important, and required, to consider the root cause of the deficiency. The answer to this then drives different remedial actions. If unique to an engagement or an engagement team, then perhaps further training is required; however, if pervasive across the firm, perhaps a change in firm templates is required along with training.

Conclusion and Next Steps

Monitoring and remediation is the final component of the system of quality management. It will be important to design and perform monitoring activities relevant to your firm. In doing so, you will want to consider the nature and circumstances of your firm. 

The time to start is now. The effective date of December 15, 2022 will soon be upon us. Read the standard. Think about the nature and circumstances of your firm and the types of engagements you perform. Appoint a leader. Determine your approach to the risk assessment process. Establish a monitoring and remediation process. And, seek further guidance if needed. 

Additional Resources
Footnotes
  1. Specifically, the suite of Quality Management Standards is comprised of International Standard on Quality Management (ISQM) 1, Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements; ISQM 2, Engagement Quality Reviews; and ISA 220 (Revised), Quality Management for an Audit of Financial Statements. These standards replace International Standard of Quality Control (ISQC) 1, Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related Services Engagements and ISA 220, Quality Control for an Audit of Financial Statements.
Kirsten S. Albo, FCPA, FCA, ICD.D

Kirsten is the founder of ASK KSA Consulting Inc., providing consulting and advisory services to small- and mid-sized practitioners (SMPs) to help ensure they are conducting their assurance engagements in an effective and efficient manner and meeting the requirements of being in public practice. Kirsten works closely with SMPs in all aspects of practice including monitoring, file inspections, engagement quality reviews and file efficiency assessments. Another large component of her business is developing and delivering professional development sessions for firms of all sizes.

Kirsten has been in public practice for over three decades. She gained much of her experience as a partner at PricewaterhouseCoopers LLP where she was responsible for her many public and private company clients operating in a variety of industries. In this role, Kirsten developed a strong technical background and the ability to deal with complex matters. Kirsten has an in-depth knowledge of assurance standards.

Kirsten is also very involved in the profession. She is a member of the Advisory Group to the Canadian Audit and Assurance Standards Board (AASB) on the Audits of Less Complex Entities and has been involved with a variety of other CPA provincial and Canadian Task Force Committees. In addition, Kirsten authors and instructs assurance courses for substantially all the provincial Canadian CPA bodies. Kirsten is known for her drive, passion and leadership and recognized for setting and achieving high standards without sacrificing quality.