As firms begin to realise the fast-approaching deadline for complying with new requirements under quality management standard ISQM (UK) 1, Helen MacNeill FCA and Sarah Baxendale FCA look in more detail at the risk assessment process.
ISQM (UK) 1 Quality management for firms that perform audits or reviews of financial statements, or other assurance or related services engagements (July 2021), introduces a risk-based approach to quality management, which will be mandatory for accountancy firms from 15 December 2022.
A risk assessment process must be followed by the firm to:
- establish quality objectives;
- identify and assess quality risks; and
- design and implement responses to address the quality risks.
ISQM (UK) 1 sets out certain quality objectives and responses that a firm must include in its risk assessment. The firm should add any additional objectives and responses needed to achieve the objectives of the system of quality management.
The risk assessment process is iterative and firms are required to identify relevant information that would indicate a need to change an objective, risk and response. A continual approach to managing quality is an integral part of ISQM (UK) 1.
The steps in the risk assessment process are inherently interlinked. Determining a response may help identify further quality risks and assessing risks may help determine additional quality objectives or vice versa.
Establishing quality objectives
ISQM (UK) 1 sets out quality objectives to be considered by an audit firm, but each firm must also consider and establish any additional quality objectives that are relevant to its structure and circumstances.
Quality objectives relate to the following components of the quality management system:
- governance and leadership;
- relevant ethical requirements;
- acceptance and continuance of client relationships and specific engagements;
- engagement performance;
- resources; and
- information and communication.
In addition to identifying additional objectives, a firm may choose to identify sub-objectives to help the firm identify and assess quality risks and design and implement relevant responses.
This may be useful for a firm with separate departments performing different engagements, which may decide it would be more appropriate to establish specific sub-objectives relevant to each of the departments.
Identifying and assessing quality risks
Firms are required to identify and assess quality risks to provide a basis for the design and implementation of responses. ISQM (UK) 1 does not prescribe quality risks that are applicable to all firms. Determining the risks is a matter for each individual firm and is based on professional judgment.
A quality risk is defined in the standard as a risk that has a reasonable possibility of:
(a) occurring; and
(b) individually or in combination with other risks, adversely affecting the achievement of one or more quality objectives (ISQM (UK) 1:16(r)).
This definition requires firms to identify quality risks based on the potential impact on quality objectives rather than any sub-objectives that the firm may have chosen to identify. An adverse effect on the achievement of a sub-objective would not meet the threshold for identifying a quality risk.
To identify and assess quality risks, the standard requires firms to take into account the degree to which conditions, events, circumstances, actions or inactions may adversely affect the achievement of the quality objectives.
ISQM (UK) 1:25 provides specific detail on how a firm should obtain and understand the relevant conditions that may adversely affect the achievement of the quality objectives.
ISQM (UK) 1:25(a)(i) states that the firm must consider the following points with respect to the nature and circumstances of the firm:
- the complexity and operating characteristics of the firm;
- the strategic and operational decisions and actions, business processes and business model of the firm;
- the characteristics and management style of leadership;
- the resources of the firm, including the resources provided by service providers;
- law, regulation, professional standards and the environment in which the firm operates; and
- in the case of a firm that belongs to a network, the nature and extent of the network requirements and network services, if any.
The standard also requires firms to understand the nature and circumstances of the engagements performed by the firm, including:
- the types of engagements performed by the firm and the reports to be issued; and
- the types of entities for which such engagements are undertaken.
The standard is not exhaustive and there may be other considerations besides those listed in ISQM (UK) 1:25 that may be relevant to the achievement of a quality objective.
A risk assessment template is being developed by Croner-i to help with the identification of quality risks in your firm.
ISQM (UK) 1:16(u) defines the term ‘response’ in respect to a system of quality management as policies or procedures designed and implemented by the firm to address one or more quality risks. The definition goes on to state that:
'• policies are statements of what should, or should not, be done to address a quality risk(s). Such statements may be documented, explicitly stated in communications or implied through actions and decisions; and
• procedures are actions to implement policies.'
The firm is required to design and implement responses to address the quality risks in a way that is responsive to the reasons for the assessments given to the quality risks (ISQM (UK) 1:26).
To help address the quality risks, the firm needs to consider the reasons for the assessments given to the quality risks. The response should be appropriate to the degree to which the potential circumstances affect the quality objectives and the possible occurrence of the quality risk. This means in determining a response, the firm should consider:
- the nature of the quality risk;
- the timing or frequency of the response; and
- the extent of the response and whether a combination of responses is necessary.
A response may address a variety of quality risks across different components of the quality management system. It may also help support other responses across different components.
For example, a response to the risk that there are engagement teams comprising inappropriate personnel resources may relate to a governance and leadership objective as well as one relating to resources.
ISQM (UK) 1:10 acknowledges that the complexity and formality of a system will vary and a firm that performs different types of engagements for a wide variety of entities will need more complex and formal quality management systems and supporting documentation than a firm that performs few types of engagements within a smaller team.
The exact responses of the firm will need to be based on the circumstances of the firm. Even where quality risks are common across firms of all sizes, the nature, timing and extent of the response are likely to differ based on the size and complexity of the firm.
The firm must be able to demonstrate to the Financial Reporting Council (FRC) that the responses designed are appropriate given the scale and complexity of the firm’s activities.
ISQM (UK) 1:34 includes a list of specified responses that must be implemented by the firm. This is not a comprehensive list and the firm is expected to design and implement responses in addition to these.
The risk and response mapping template from Croner-i will assist with the documentation and mapping of responses to quality risks.
Amending objectives, risks and responses
The system of quality management is not static and firms must consider changes in the nature and circumstances of the firm, as well as the results of monitoring activity and how this will impact the identified quality objectives, risks and responses.
Firms must consider whether new objectives, risks and responses need to be established or whether existing ones need to be modified or removed.
This article first appeared in Croner-i Audit and Accounting Weekly.
© Croner-i Ltd, 2022