ISQM 1 and 2 – setting new standards

The IAASB has raised the bar for quality management

IP image

In July 2021 the Financial Reporting Council (FRC) issued UK versions of a suite of new quality management standards for audit and assurance work:

The standards are effective for audits of financial statements for periods beginning on or after 15 December 2022.

The impact of ISQMs mean that professional accountancy firms will need to change the way they handle quality management; it is important to put in the time and effort required to implement them correctly.

The new and revised standards strengthen and modernise the audit firm’s approach to quality management. The standards direct audit firms to improve the robustness of their monitoring and remediation, embed quality into their corporate culture and the ‘tone at the top’, and improve the robustness of engagement quality reviews. ISQM (UK) 1 replaces the existing ISQC 1 and it requires systems of quality management to be designed and implemented by 15 December 2022 with the evaluation of that system of quality management performed within one year of that date.

The new standard requires a more proactive approach to identifying and managing 'quality risks'. To achieve this, firms must establish and monitor a System of Quality Management (SoQM) which is more comprehensive than existing audit procedures documentation. A gap analysis, driven by the risk assessment, will help identify the areas where firms may need to design and implement additional responses.

ISQM (UK) deals with a firm’s responsibilities to design, implement and operate a system of quality management (SoQM) for audits or reviews of financial statements, or other assurance or related services engagements.

Members with an audit practising certificate will benefit from ACCA’s webinar, 'Understanding the ISQM updates' that provides a deep dive into the practicalities of how best to implement the new ISQM updates in their practice. Below are some of the questions answered in the webinar.

1. Do the core reviews need to be carried out by external providers?
There isn’t a mandatory requirement to have external reviews, but obviously it depends on the quality of your internal reviews as to whether you can rely on those. So, you have to have reviews, but it doesn’t specify that you have to have external reviews.

If you’re a sole practitioner, it will be inappropriate for you to be reviewing your own work so for the vast majority of sole practitioners, it’s certainly good practice to have external providers who can carry out the review.

In larger firms, it may be possible to engage partners who aren’t involved in the job to do reviews of other partners’ work, but again the quality of that will be monitored by ACCA on their reviews. An external review generally tends to add more value, although you need to evaluate who’s doing the reviews.

In conclusion it isn’t mandatory to have an external review; you could do it internally if you could show that your internal reviews were strong. 

2. What is the difference between different quality management reviews?

There are three types of review now: a cold review, a hot review and an engagement quality management review.

cold review is done after your audit report is signed off, so that would form part of your monitoring procedure.

hot review is one that’s done before the audit report is signed off, and that might be a risk assessment procedure that you put in place in relation to your risk that you’ve identified.

An engagement quality management review is specified by ISQM 2. If it’s classified as an engagement quality management review, it can’t be a cold review: it has to be a hot review. For an engagement quality management review, the reviewer has to be involved in the planning stage, which involves extra time and extra cost as well; it will take even longer than a hot review.

A reviewer for a hot review doesn’t have to be involved in the planning, but an engagement quality management review has to specifically tick a number of the boxes that are contained within ISQM 2.

3. What does an audit firm with no audit clients have to do? How does ISQM 1 apply to audit-registered firms that do not have audit engagements?

If there are no audit engagements, assessment is not possible because you haven’t any objectives to fill. As a minimum, we would expect firms with an audit qualification to have an understanding of the requirements of ISQM 1, and by the time that they undertake an audit engagement, a system of quality management should be up and running, and their policies should begin from that day onwards.

In the practical guidance by the IAASB on the implementation of ISQM 1, there is a section that deals with instances where a firm might be new to the market or be only used to forming engagements after the effective date of ISQM 1, so it’s made clear that the firm is required to have the system designed by the time it commences work on the engagement, and operational responses and the monitoring activities would commence from that day onwards.

4. Which ISQM manual should be used for independent examinations of charities? Will those firms require to have independent examination files externally cold file reviewed?

Independent examination of a charity doesn’t fall within the scope of ISQM 1, so that’s why you don’t need an audit certificate to do it in the first place. Therefore, there would be no requirement for external reviews specifically for ISQM 1 purposes. It would have been done in the past as part of quality check, but ACCA doesn’t have quality checks anymore. There would be no ISQM 1 implication from the independent examination for charities. And if you don’t hold an auditing certificate then you won’t have to comply with ISQM 1.

5. What are the implications of the policies and procedures of ISQM 1 not matching the audit file? For example, a small firm that accepts a big audit client and uses external contractors to carry out the work.

If you undertake an audit which is something different from what you have done so far, of course you need to redesign your system of quality management to address the specific risk of that engagement. It’s made clear in the standard that the system of quality management needs to be relevant to the audit engagements that you undertake. So, if you decide to undertake a more complex audit, then your system would be more complex; it would mean you should be more responsive to what you actually do.

If you use external contractors to carry out the work, then you should be extra careful that your firm reviews the work and you are happy with the quality and the competence and think of the risk of this external contractors performing the work to a satisfactory standard. You will need to be more alert or more cautious if you’re using somebody external to carry out the work as these external people are not familiar with your methodology or the culture of the firm, so you need to be very careful as the overall responsibility lies with the firm and not with the external contractors.

6. What level of evidence and documentation would be satisfactory?

There is a section in the standard that discusses the documentation. The idea behind it is that it should be sufficient enough to show understanding by all the personnel and to support the consistent implementation and operation of responses. There should be a record of the risk assessment detailing the objectives, the risk and the assessment of whether the risk qualifies as being a quality risk or not, and then the responses to the risk. These responses again need to be linked to the actual policies and procedures that are in place. This could be in a document and manual, but it can be beyond that. The documentation can extend to any other information – for instance, training records, email communication, any alerts sent to the staff from the company management, and also any information and methodological issues on your intranet or website.

The definition mentioned above – ie being sufficient to enable an experienced practitioner with no connection with the audit to understand – is always a good benchmark. You have to think about what they’re going to look for. Can they sit down and look at it and be happy that you have assessed all the risks and documented it properly? That has to be the overarching factor.

The documentation/evidence has always been an issue on the monitoring visit but this principle applies here. It would be necessary for the firm to demonstrate to a reviewer that this is what they’ve done, the reason for doing this, this is why they have reached this conclusion and why this is sufficient.