Quality control requirements and audit regulation are a means to an end. By and large, the audit inspectorates of the various professional bodies, including ICAEW’s QAD, have approached both in a constructive manner over the years. Standards and regulation are there to help practitioners get things right, as well as to provide sanctions when things go wrong. The general view seems to be that while the system is far from perfect, it has at least served to drive some of the truly shoddy work out of the market.
But quality control requirements still make practitioners nervous. Practitioners will therefore be looking to professional bodies and training providers for help when the next round of proposed changes go through. No need to panic just yet – we’re looking at implementation dates of 2021 and beyond. But systems will need to be in place before then and firms need to be aware that there are some potentially significant changes in the pipeline.
As always, the more on top of quality control a firm is, the less likely it will need to make major changes, but all firms will need to think about the proposed new requirements.
Three exposures drafts have recently been issued, with a comment deadline of 1 July 2019 – longer than usual reflecting the extent and significance of these proposals.
- Proposed International Standard on Quality Management (ISQM) 1 (formerly ISQC 1 (Revised)), Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements
- Proposed International Standard on Quality Management (ISQM) 2, Engagement Quality Reviews
- Proposed International Standard on Auditing (ISA) 220 (Revised), Quality Management for an Audit of Financial Statements
‘Quality control’ will become ‘quality management’. ISQC 1 becomes ISQM 1, and ISA 220 will be updated. But there will also be a completely new standard to deal with: ISQM 2 on engagement quality reviews.
Updates to ISA 220
Proposed ISA 220 largely follows ISQM 1, albeit with slightly different headings. One of the key issues seems to be ensuring that the engagement partner takes full responsibility for the audit at the engagement level, and doesn’t try to rely on (or hide behind) firm level procedures inappropriately.
The proposals clearly acknowledge the significance of IT, intellectual resources (such as methodologies) and project management to audit quality.
ISQM 1 – the new ISQC 1
The main proposed change embodied in ISQM 1 is the need for an eight-component system of quality management. Much of what that system comprises will already be there, but thinking about it as a system will be new.
The eight components are:
- Governance and leadership, covering culture, decision-making, organisational structure and leadership
- Risk assessment process, applied to the other components and consisting of:
- (a) establishing quality objectives – some of them mandated – and determining whether other objectives are needed
- (b) identifying risks to the achievement of those objectives (quality risks)
- (c) implementing responses – again, some (but not all) responses are mandated
Mandated risks and responses arise partly from the need to ensure that none of the more procedural requirements in the extant standard have been lost
- Relevant ethical requirements
- Acceptance and continuance
- Engagement performance
- Information and communication
- Monitoring and remediation to deal with internally and externally identified deficiencies
This covers some key terms:
- Deficiencies – always an alarming word but one now firmly embedded in auditing standards – are usually understood in the context of auditor evaluation of the client’s internal controls. Here, the term is applied to the firm’s quality management process. Deficiencies exist when quality objectives or assessed quality risks are missing, or where responses are not designed or operating in a way that can achieve a quality objective.
- Remediation includes investigating root causes, and monitoring includes evaluating whether the quality management system provides ‘reasonable assurance’ that the objectives have been achieved, which is a ‘high, but not absolute’ level of assurance. This is more audit terminology being turned on auditors themselves, always a potential worry where subjectivity is involved – in this case in determining where the dividing line is between is ‘high, but not absolute’.
Networks are another big issue in quality management. Firms subject to network requirements will often want audit inspectors to take account of network-level policies and procedures, and the firm’s use of network services related to quality management.
The proposed requirements are not (and cannot be, realistically) applied to the networks themselves. They apply to the firm itself, because the firm always retains ultimate responsibility for its own quality management, regardless of network arrangements.
The proposed definition of a network is taken from existing IAASB ethical requirements and is wide-ranging; it is a larger structure ‘aimed at cooperation’ and at profit or cost-sharing, or shares common ownership, control or management, common quality processes, business strategies, a brand name, or significant professional resources. While the definition is not new, the proposed requirements will be another new area for all network firms to consider.
ISQM 2 and engagement quality reviews
Proposed ISQM 2 is about ‘engagement quality reviews’, formerly known as ‘engagement quality control reviews’. There will be concerns about whether a completely new standard is really needed, as well as worries about the extent to which the proposals require the reviewer to challenge the engagement partners’ judgements. In the past, reviews have sometimes focused on process at the expense of assessing the quality of judgements.
Another area of substantive change relates to scope. The proposed standard suggests that reviews should be required for:
- listed entity audits and audits of entities the firm determines to be of ‘significant public interest’
- audits and other engagements (such as reviews) required by law or regulation
- audits and other engagements the firm itself determines should be reviewed in response to a ‘quality risk’
Such engagements include those involving high levels of complexity or judgement, where there are un-remediated deficiencies in internal control at the entity, recurring inspection findings on the audit, and engagements for new clients where there were disagreements with the previous auditor.
Many smaller firms will have few, if any, clients falling into these categories. Does this mean that some firms might not have to do any reviews at all? Proposed application material in ISQM 1 makes it clear that in some cases there may be no engagements for which a review is either required or an appropriate response to quality risks.
In terms of who will be able to perform reviews, the intention is to tighten up. Regulators complain about inappropriate delegation to reviewers with insufficient seniority or experience, and of them having insufficient time or resources to do the job properly.
The ever-increasing emphasis on quality generally within firms, and the adverse consequences associated with quality failings, seems likely to make the role of engagement quality reviewer an even more challenging one than it is now. Even so the proposals should provide clarity in some areas which currently cause confusion.
It seems unlikely that the proposals will wholly eliminate regulator dissatisfaction with the mismatch between deficiencies identified by inspectors and deficiencies identified by the firms themselves. Furthermore, the Kingman review of the FRC will bring in a new regulatory approach in due course, and one can only hope that the new approach will involve continuing to work with firms, making sure that the anticipated improvements to quality management do actually happen.
For more detailed insights into audit standards and requirements, see the Croner-i range of tax, accounting, and audit products.