Doesn’t a year fly by? It may seem only a few months since audit compliance partners were knee-deep in quality management manuals and compliance documents ready for the adoption of ISQM 1 (I’m aware that for some firms, it literally has been only a few months since they began this process!). But it’s now November, and only a month away from the deadline for audit firms’ first annual evaluation of their system of quality management (SOQM).
What does ISQM (UK) 1 say about the annual evaluation?
ISQM (UK) 1 paragraph 53 requires the ‘individual with ultimate responsibility’ (IUR) to evaluate the SOQM at least annually as of a point in time. This supplements the requirements for ongoing monitoring and remediation which should ideally include both regular (e.g. monthly or quarterly) activity and event-driven activity such as going through the findings of an external file review or dealing with a quality failure on a specific audit.
The IUR should be able to arrive at what amounts to either an unqualified, ‘except for’ or adverse conclusion on whether the SOQM provides reasonable assurance that the quality objectives are being met. In the UK, this review must explicitly include evaluating the policies and procedures for statutory audits including coaching, supervision and review of the team and organising the audit file (paragraph 34-1(f)(i) and (ii)). As you’d expect, unless the conclusion is unqualified, the IUR needs to act promptly to rectify the deficiencies (with the help of the wider audit team).
ISQM (UK) also requires audit firms (in paragraph 56) to undertake periodic performance evaluations of the IUR and anyone assigned operational responsibility for the SOQM.
When should the IUR perform the evaluation?
Although most firms have, I suspect, left it until now to undertake their first annual review, it would be sensible to do so either at the firm’s year-end or at the end of an annual monitoring cycle (paragraph A188). For many ICAEW and ACCA firms, completion of the annual return marks a natural point to assess not only compliance with the professional body’s audit regulations but with ISQM, too.
How onerous is this evaluation likely to be?
The answer (as I’m sure you suspected) is that it depends! A key factor will be how well the firm tackled the original adoption of ISQM (UK) 1 – notably, how many risks and responses were specified, and whether the firm’s policies and procedures were proportionate and organised. Let’s consider each of these points.
Risks and responses: too many?
For a small-to-medium audit firm, the number of audit quality risks should have been modest. Unfortunately, some ISQM (UK) 1 methodologies presented firms with an extensive list of potential risks and, though these should have been tailored down, we’re still seeing SOQMs with more than 50 audit risks. This is almost certainly not proportionate and it is hard to imagine a firm of this size being able to monitor and evaluate so many risks and responses.
As a reminder, there are six topics covered by ISQM (UK) 1:
- Governance and leadership
- Ethical requirements
- Acceptance and continuance of client relationships and engagements
- Engagement performance
- Resources
- Information and communication
As a rule of thumb, we’d expect up to four risks per topic to be proportionate for smaller audit firms, each leading to responses (remember that one risk can lead to more than one response and vice versa). This should be a manageable list of responses to monitor and evaluate.
Documentation
Our audit quality review visits have found some firms’ SOQM to be a mishmash of different documents, manuals and checklists cobbled together from multiple sources. This inevitably makes it hard to evaluate and maintain compliance.
For smaller firms, a simple documentation approach could look like the following:
SOQM Procedures | A single document (typically 10-30 pages) setting out: · Key roles and responsibilities · The risks and responses · Integration with Audit Regulations and any external/internal review cycle · Monitoring and remediation procedures |
Monitoring and remediation | A folder with copies of external/internal file review reports, root cause analysis on individual problems or complaints. The folder can also contain regulatory documents or links e.g. to PII, copies of the annual return, correspondence with QAD/ACCA. |
Audit team documents | Forms and checklists for audit team members to include: · Fit and proper, independence and confidentiality confirmations (with a summary of any issues arising and a conclusion from the IUR); · CPD and appraisals, including audit-specific training · Firm’s assessment of the IUR and others involved in operating the SOQM |
Consider whether there are ‘smart’ approaches to some of these documents. For example, instead of circulating word-processed confirmation forms (and then chasing these with multiple emails), some firms are using web-based forms that can automatically send reminders and which allow the responses to be exported into Excel for analysis. Also consider whether the SOQM Procedures document can be filed on a shared server/intranet so that all team members can access this.
How should the IUR record their evaluation?
This isn’t specified in ISQM (UK) 1 and should, for most firms, be straightforward. We’d encourage a bespoke approach – e.g. a checklist of the firm’s documents that the IUR has reviewed, along with narrative of the issues arising and how they have been tackled, with a final conclusion as set out in paragraph 54.
Jez Williams, November 2023
