Part three of a three-part series from Kirsten S. Albo of ASK KSA Consulting Inc.
In this, the last of a three-part series on the new quality management standards, we cover the evaluation of the system of quality management. We began the series addressing establishing quality objectives and identifying and assessing risks. The second article covered the design and implementation of risk responses.
The standard requires the evaluation of the system of quality management to be undertaken at least annually at a point in time. The objective of the system of quality management is to provide the firm with reasonable assurance that the firm and its personnel fulfil their responsibilities and conduct engagements in accordance with standards and requirements and issue engagement reports that are appropriate in the circumstances. In the context of ISQM 1, reasonable assurance is a high, but not absolute, level of assurance.
It is the evaluation of the system that provides the firm with the conclusion that the objectives have been met. Accordingly, the standard requires a firm to establish a monitoring and remediation process to provide relevant, reliable and timely information about the design, implementation and operation of the system of quality management as well as to take actions to respond to identified deficiencies.
Designing and Performing Monitoring Activities
In order to evaluate the system of quality management, the firm must perform monitoring activities, which will vary from firm to firm and are therefore tailored to the firm’s nature and circumstances. For example, when determining the extent of monitoring activities, take into account the assessments given to the quality risks, the design of risk responses, and any changes that may have occurred in the system of quality management. The firm should also consider other relevant information including any complaints and allegations, previous monitoring results and information from external inspections. However, similar to the extant standard, external inspections are not a substitute for the monitoring process.
The nature, timing and extent of monitoring activities may also be affected by other matters including the size, structure, and organization of the firm and the resources that the firm intends to use to enable monitoring activities. In a less complex firm, the monitoring activities may be simple, since information about the monitoring and remediation process may be readily available in the form of leadership’s knowledge and interaction with the system of quality management. In a more complex firm, the monitoring activities would likely be more robust, involve many individuals, and involve more detailed policies and procedures. That is, a partner in a small firm likely has their finger on the pulse of the firm's activities more so than a partner in a larger, more complex firm. Think about the differences in monitoring and remediation activities for one office versus many.
One monitoring activity that is mandatory is the inspection of completed engagements. Judgment will be required as to which engagements and which engagement partners should be selected. The requirement is to select at least one complete engagement for each engagement partner on a cyclical basis, but there may be reasons to select a file on a more frequent basis: for example, with a new partner, with a partner that has taken on a new type of engagement, or where problems have been encountered in past inspections.
Separate and distinct from the completed file inspections conducted as a part of monitoring, the standard also introduces the concept of in-process engagements. That is, engagements where the report has not yet been issued. While these inspections may appear similar to completed file inspections, their objective is different. These file reviews are a response to an identified quality risk, versus a completed file inspection, which is a monitoring activity.
Evaluating Findings and Identifying Deficiencies
It is fully expected that findings will result from monitoring, but not all findings will result in a deficiency. Findings must be evaluated to determine if they are a deficiency. A deficiency is the result of:
a) A quality objective is not established.
b) A quality risk is not identified or properly assessed.
c) A response to reduce the likelihood of a quality risk occurring to an acceptably low level has not been designed or implemented.
d) The response is not operating effectively.
Let’s walk through an example for each of the above. Imagine a mid-sized firm with six partners and 50 staff. Based on the monitoring activities, a deficiency may arise if:
a) A quality objective related to review and supervision of staff is missing.
b) Based on the nature and circumstances of this firm and the fact that they have a large staff, it would be expected that a quality risk exists. If not, a deficiency would most likely be reported.
c) A deficiency may also arise if the firm concluded this is a quality risk, but no response has been designed or implemented. For example, they have no policy or procedure that all work of a junior is to be reviewed by someone more senior.
d) Finally, a deficiency may exist because they have designed a response but, based on the results of monitoring and completed file inspections, it is clear the review is not taking place. That is, the response is not operating effectively.
When a deficiency has been identified, its severity and pervasiveness must also be evaluated. Is the deficiency a unique circumstance or is it pervasive across the firm? In answering this question, it is important, and required, to consider the root cause of the deficiency. The answer to this then drives different remedial actions. If unique to an engagement or an engagement team, then perhaps further training is required; however, if pervasive across the firm, perhaps a change in firm templates is required along with training.
Conclusion and Next Steps
Monitoring and remediation is the final component of the system of quality management. It will be important to design and perform monitoring activities relevant to your firm. In doing so, you will want to consider the nature and circumstances of your firm.
The time to start is now. The effective date of December 15, 2022 will soon be upon us. Read the standard. Think about the nature and circumstances of your firm and the types of engagements you perform. Appoint a leader. Determine your approach to the risk assessment process. Establish a monitoring and remediation process. And, seek further guidance if needed.
- IAASB ISQM 1 First-time Implementation Guide
- IAASB ISQM 2 First-time Implementation Guide
- IFAC dedicated Quality Management webpage
- Specifically, the suite of Quality Management Standards is comprised of International Standard on Quality Management (ISQM) 1, Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements; ISQM 2, Engagement Quality Reviews; and ISA 220 (Revised), Quality Management for an Audit of Financial Statements. These standards replace International Standard of Quality Control (ISQC) 1, Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related Services Engagements and ISA 220, Quality Control for an Audit of Financial Statements.