For audits to be effective and maintain public trust, they must be performed in a way that ensures firms and their personnel fulfil their responsibilities in accordance with applicable legal and professional standards. It is imperative that audit firms adopt a culture of best practice in accordance with these standards, enabling audit partners in issuing appropriate auditor’s reports. The threats of self interest caused by increasing financial pressure on audit partners will compromise auditor reports, as will the issues of poor planning, inadequate risk assessment and lack of resources and audit evidence. The International Auditing and Assurance Standards Board (IAASB) issues quality standards to support firms in achieving this aim.
The current standards in this area are International Standard on Quality Management (ISQM) 1, Quality Management for Firms that Perform Audits or Reviews of Financial Statements and ISQM 2, Engagement Quality Reviews, alongside ISA 220 (Revised), Quality Management for an Audit of Financial Statements.
These standards are examinable in Advanced Audit and Assurance (AAA) and candidates are expected to be able to demonstrate an understanding and application of the key principles. Quality management is pervasive to the performance of audits and so it is also pervasive to the AAA exam with aspects potentially arising multiple times within a single exam.
This article focuses on ISQM 1; a second article will look at ISQM 2 and ISA 220 (Revised). There are examples provided demonstrating how certain aspects of quality management may be examined. These are intended to indicate potential ways candidates may encounter questions on quality, however, these are illustrative examples only and should not be considered comprehensive; alternative examples and aspects are also examinable.
The quality standards are focused on public interest, with the hope of addressing some of the circumstances where audit failure has occurred. The need for audit partners and audit teams to exhibit professional scepticism, with an independent and challenging mindset, is emphasised. This is especially important when assessing client judgements and estimations. Audit teams need to have the competence and support to do this without fearing negative implications. The quality standards adopt a proactive attitude to quality in firms rather than a compliance (‘tick box’) approach and one which is scalable from small firms to large multinational networks.
There is a need to ensure audit quality evolves; there must be scope within quality guidance for a firm’s processes to change as technology and business practices change.
There is also focus on improving both internal and external monitoring of firms and their networks and on improving communication, both internally and to external parties such as those charged with governance (TCWG) and regulators.
ISQM 1 embeds this approach through a principle driven requirement for firms to create a system of quality management (SoQM) which is tailored to the firm and its client base. This scalability enables firms to design a system which addresses their specific circumstances and risks.
1. Firm’s risk assessment process
Firms must design and implement a risk assessment process that sets quality objectives and identifies risks. The firm’s specific situation and environment is considered and will include the technologies employed by the firm, their networks, and any external service providers. This is an ongoing monitoring process rather than one-off, enabling the SoQM to adapt with any changes.
This approach will allow the firm to tailor to address the specific risks within their firm, and it will vary according to the size of the audit firm and their client portfolio.
By maintaining this tailored focus on risks and their mitigation, the firm should be able to focus on ensuring the right engagement or audit report is issued for each assignment. This may be due to more competent and well-trained individuals performing complex or risky audits, audit partners feeling more empowered to issue modified audit reports, by ensuring acceptance procedures fully identify threats to independence and ensure safeguards are enacted and many other factors. The most crucial point is that this approach is tailored to address the specific risks arising in specific firms and not expected to be the same for every audit firm regardless of size or client portfolio.
In the AAA exam, candidates may be required to explain and/or evaluate a firm’s risk assessment process and make recommendations for improvement.
2. Governance and leadership
Firms should create an environment which demonstrates a commitment to quality through its culture and recognises its role in serving the public interest. This responsibility is firm wide rather than at the individual audit level, with the chief executive or managing partner assigned the responsibility and accountability for the SoQM. This should ensure the ‘tone at the top’ enforces a commitment to quality and ethics across the whole firm.
Systems and policies should be in place to reward commitment to quality rather than focusing on client retention and engagement profit. This should allow audit engagement partners to challenge client judgements without fear of the negative consequences of losing the revenue arising from the loss of the client. In this way, all employees of the firm are supported to fulfil their legal and regulatory requirements without undue commercial pressures or self-interest resulting in inappropriate decision making.
Candidates may be required to explain the importance of governance and leadership in maintaining the SoQM or may be required to evaluate a scenario’s weaknesses in this area, alongside recommendations for improvement.
3. Relevant ethical requirements
The SoQM should include objectives and policies for ensuring the fulfilment of ethical requirements. These processes will again differ depending on firm size and client portfolio; the scalability of the standard requires firms to have in place mitigations for ethical risks arising which are appropriate to the firm rather than a fixed response to a given risk.
Not only must a firm ensure its own personnel understanding of and compliance with relevant ethical requirements, for example, through training and ethical declarations such as independence forms, firms must also ensure that any component auditors in a group understand and apply the ethical regulations applicable to the group auditor.
Relevant ethical requirements for a firm depend on the jurisdiction it operates in; these may go beyond those set out in the IESBA International Code of Ethics for Professional Accountants (the Code). It is also the case that many firms will have in place policies to mitigate ethical threats which go beyond the minimum required by the Code and regulatory requirements of the jurisdiction in which the firm operates: ISQM 1 requires firms to ensure these requirements are also captured by the SoQM. For example, many firms or jurisdictions prohibit the acceptance of gifts, even of trivial value. Failure to adhere to the firm’s policies would be seen as a failure of its SoQM despite not giving rise to a breach of the Code.
Scalability of the standard enables firms to mitigate for ethical risks arising which are appropriate to the firm, for example, a firm which is part of a large network will require more detailed processes to identify possible conflicts of interest between clients than those in a smaller firm.
Candidates may be asked to appraise ethical threats arising in the scenario, whilst also considering whether the firm is compliant with the firm’s SoQM. The issues of quality management and ethical issues are inherently interlinked and as such, they may need to consider the significance of such threats and the availability of suitable safeguards within the context of the engagement, the firm and the SoQM as well as other available information. This enables candidates to obtain professional skills marks in addition to the technical marks as they are recognising the inherent ethical requirements regarding quality management on a firm wide basis.
Candidates may be asked to identify breaches of the SoQM which may not breach the Code but are relevant to the given scenario addressing any resulting implications for the engagement, the firm or making recommendations to prevent future breaches.
4. Acceptance and continuance of client relationships
ISQM 1 places additional emphasis on the procedures addressing client acceptance and continuance of existing business relationships. Firms must assess the integrity and ethical values of the client and its management, as well as the firm’s ability to perform the engagement within legal and professional requirements. The SoQM should ensure that the firm’s financial and operational priorities do not lead to inappropriate judgements when deciding whether to accept or continue with a client engagement. The decision to continue with or accept a new client should focus on the firm’s ability to provide a quality engagement.
Existing business relationships should be reassessed at the start of each new year prior to reappointment as auditor. This may mean performing fresh identity checks, reperformance of independence declarations of employees, and re-evaluating conflicts of interest and/or competence to perform the audit. It will also involve assessing whether new information, had it been known at point of acceptance, would have prevented the firm from accepting the client. For example, a client involved in breaches of regulations may not be a client with values compatible with the audit firm.
Candidates may have to discuss the importance of acceptance and continuation assessments or to apply the requirements of ISQM 1 in this regard when evaluating whether to accept a new client, undertake additional work for existing clients or accept reappointment for the audit of a continuing client. The ISQM 1 framework provides a starting point for evaluating the scenario and this may be extended into other professional and commercial considerations. Candidates should consider legal, regulatory, and ethical considerations as well as professional and availability of resources when considering a new client engagement.
Candidates should be aware that the ability to perform the engagement within legal and professional requirements will incorporate legal, regulatory, and ethical considerations, including the availability of resources when considering a new client engagement. and requirements covering acceptance may be extended into other professional and commercial considerations.
The cyclical nature of continuation considerations means that this aspect of quality management may impact questions at all stages of the audit process and the considerations regarding client acceptance are likely to apply to audit and non-audit assignments.
5. Engagement performance
Engagement teams must understand their responsibilities for ensuring a quality audit. Less experienced engagement team members should be appropriately supervised and reviewed. ISQM 1 specifically references the need for the audit engagement partner to be sufficiently and appropriately involved throughout the engagement.
Audit teams should ensure professional scepticism and judgement are exercised. Processes should ensure professional scepticism and judgement are exercised by engagement teams. If an audit team has insufficient time to perform necessary procedures, or team members are not experienced enough to challenge management or identify misstatements, then detection risk increases and audit quality will be compromised. For audits to be effective, and to maintain public trust, they must be performed in such a way as to ensure the audit reports issued are appropriate in the circumstances and that firms and their personnel fulfil their responsibilities in accordance with applicable legal and professional standards.
The SoQM should ensure that teams can consult on contentious matters; differences of opinion within the engagement team are addressed and any issues raised by the engagement quality reviewer are brought to the attention of the firm and resolved.
Further detail on these aspects will be addressed in the second article where ISA 220 (Revised) will be examined, including examples of how these may be examined.
A firm must ensure that appropriate resources are available in a timely manner. This includes employees with the required competence, training, and capabilities to perform the engagements to which they are assigned. Firms should ensure more experienced individuals to work on areas of a complex nature requiring additional judgement and ensuring sufficient review by senior team members or allowing adequate time to do sufficient testing and analysis of the issues.
Consideration should be made to use independent experts where the firm does not have appropriate personnel, or if the firm requires additional specialist technological resources.
Candidates may have to evaluate scenarios where inappropriate resources have been employed within an audit and make recommendations for improvements to the firm’s SoQM.
7. Information and communication
Information and communication are required to enable other components of the SoQM to operate. This includes obtaining, generating and using information and communicating the information within the firm, for example, communicating policies to personnel, communication of information obtained during an audit with an engagement quality reviewer, or communication between group and component auditors. It also includes external communications such as to TCWG or a regulator.
ISQM 1 considers information and communication to be pervasive to all components of the SoQM as without it, the system cannot operate. The full range of information and communications within the SoQM is extensive; the boxed text below considers just a few examples in some of the elements of ISQM 1 for context.
Ethical and professional requirements
Client acceptance and continuation
Communications should be made in a timely manner supporting the firm’s culture to exchange information where appropriate, for example where an ethical threat precludes the assignment of a team member to a specific client, the team member would be expected to inform the firm.
ISQM 1 also makes specific reference to external communications required to maintain audit quality. This includes communication within the firm’s network and with service providers, communications required by law or professional standards, such as when there is a specific requirement to report a client’s non-compliance with certain laws and regulations to TCWG.
Candidates may have to evaluate scenarios with respect to these issues and make recommendations for improvements to the firm’s SoQM in this area. Candidates should remember that I&C is embedded within all aspects of a SoQM and may not be isolated as a topic.
8. Monitoring and remediation process
Firms must put in place a process for monitoring the SoQM’s effectiveness and ensure deficiencies are identified in a timely manner, allowing corrective actions to be implemented. This process is a continuous cycle which firms are specifically required to undertake.
Candidates may have to explain how this contributes to continuous improvement of a firm’s SoQM. Candidates may also take the role of a reviewer performing this element of the process: identifying deficiencies and making recommendations to remediate them.
ISQM 1 provides a focus on audit quality and a process of risk management with respect to quality that aims to ensure all firms have quality as a priority when performing audits and other assurance engagements. The standard is principles driven with a focus on scalability, flexibility and continuous improvement.
Quality management is core to audit, and a detailed understanding of the importance of both audit quality and quality management underlies the performance of an audit. Quality is a key part of ensuring that audits are fit for purpose and retain the public trust. As such, it is key to every audit and every stage of the audit process and candidates should expect to see aspects of quality management examined at all stages of an audit in exam questions and in either section of the exam.
Candidates can find more explanation of the requirements of ISQM 1 in the appendix to the standard, available on the IAASB website.