We are nearly two years on from the implementation of ISQM 1 (Quality Management For Firms That Perform Audits Or Reviews Of Financial Statements, Or Other Assurance Or Related Services Engagements) and it continues to create significant challenges for smaller independent audit firms.
Here are some practical tips for smaller firms that are still grappling with the standard’s implementation.
1. Think small first and be smart
All firms are required to have a System of Quality Management (SoQM) but they shouldn’t be daunted by what this should look like. A simple set of procedures (maybe 3-4 pages long) which deals with steps the firm takes to comply with the ISQM’s key quality objectives (governance and leadership, relevant ethical requirements, acceptance and continuance procedures, engagement performance, resources and information and communication) is likely to be sufficient.
Firms should aim to be as smart as possible in respect of routine actions which support these procedures. Can web forms be used for annual confirmations for example? Can appraisals be timely and focussed? Also, can you work with your external reviewer to get them to assist with monitoring?
2. Involve others
Partners in smaller practices with ISQM 1 responsibilities often feel isolated and struggle to get full buy-in from others who see it as ‘a compliance thing’. Yet involving others is crucial and we would encourage those responsible for ISQM 1 to sell the commercial and operational benefits of a team approach. Benefits can be streamlined processes, reduced complaints, less time spent fixing things, sharing of good practice and fewer fee disputes.
3. Don’t be daunted by Root Cause Analysis
Because some are daunted by Root Cause Analysis (RCA) and don’t really understand it, they don’t embrace it – and yet it is crucial to quality monitoring and remediation. Again we would encourage firms to think small first when implementing RCA.
Whilst there are a number of RCA methodologies out there, the ‘5-Whys’ approach is perhaps the best known one and a good one to use if you’re unfamiliar with the concept.
Feedback from QAD on ICAEW’s recent ISQM 1 ‘Maintaining Momentum and Feeling Safe’ conference was that many firms only perform RCA on key cold file review findings. Whilst firms might aspire to use it more widely, we feel that this would be a good place to start.
When performing RCA on such findings, getting someone independent of the audit team involved is best (admittedly this can be challenging in a very small firm), remember to keep simple notes of what you’ve done for the record – and keep the process simple. Stop asking ‘Why?’ as soon as you feel that you’ve properly understood the root cause.
4. Work on creating an effective feedback culture
For those that do understand RCA, they are often put off by having to have ‘difficult’ internal conversations about what’s gone wrong. These can leave the audit team attacked and disengaged. Although it’s not an easy thing to embed overnight, we would encourage firms to work hard to create a feedback culture which allows team members to be vulnerable, share their ideas, and ask for help.
Feedback is often most effective when a ‘little and regular’ approach is used and where feedback is backed up with facts. Wherever possible balance positive and negative. Support don’t threaten and be willing to ask as well as tell.
Creating a good SoQM often requires cultural changes within a firm and working on a sound feedback culture might be a very good place to start for those that are still struggling to make inroads.
5. Be alive to emerging risks
The aspect of ISQM 1 that undoubtedly got most coverage when the standard was first introduced was the need for firms to identify, assess and tackle audit quality risks. As we approach the secondary anniversary of the standard’s implementation, some have actually made little progress beyond that.
Remember that your risk assessment and related responses should be revisited as part of the annual evaluation of your system of quality management. Firms need to consider whether initiatives that they’ve taken to address audit quality risks have been successful. If not, why not – and is a ‘plan b’ required?
Also does the firm’s monitoring and remediation work evidence new audit quality risks that need to be responded to? Whilst monitoring and remediation should consist of more than just cold file reviews, such reviews (and related RCA) is likely to be central to this process.
Firms should also be alive to risks resulting from emerging issues. Relevant issues discussed during the recent ICAEW conference particularly relevant to UK firms were: issues created by the implementation of the revised ISA 600 for accounting periods beginning on or after 15 December 2023; challenges resulting from the increased use of automation and artificial intelligence; market factors (including consolidation); and imminent changes to ICAEW’s Audit Regulations.
Peter Herbert
December 2024
