18 August 2021

Why there is a need for yet another quality standard? This one specifically addresses the Engagement Quality Reviewer; their appointment, eligibility, responsibilities, and documentation.

This standard aims to strengthen the requirements for engagements that should be subject to an engagement quality review by extending the requirement for an Engagement Quality Review (EQR) to engagements other than audits of listed entities. The concept of scalability has been included within the standard, allowing the firm to adjust certain requirements for their size and nature, especially the significant judgements made.

ISQM 1 explains the firm’s responsibility for establishing quality management, including the new quality management approach. An engagement quality review is a response, among others, designed and implemented by a firm to address its assessed quality risks. The performance of an EQR is undertaken at the engagement level. However, the reviewer response is implemented on behalf of the firm.

ISQM 2 is applicable only through requirements in ISQM 1 and ISA 220 for a firm’s quality management system. Therefore, ISQM 2 is interrelated to all quality management standards.

There are some requirements related to EQR within ISQM 1 and the new ISA 220 but are mainly to do with the engagement team supporting the reviewer and a process to trigger and EQR within a firm’s quality management system.

Appointment and Eligibility of Engagement Quality Reviewers

When the firm’s quality management system assesses the need for an engagement quality review, ISQM 2 states the minimum requirements for eligibility and appointment of reviewers around competencies, capabilities, and ethics required, and other relevant considerations. A firm may choose to select further requirements for selecting reviewers.

The standard also lays out the selection of the reviewer, including the qualifications, experience, and objectivity of the individual selected to perform the EQR. It also addresses the reviewer’s requirements of independence, integrity, and objectivity and their ability to challenge the engagement team’s judgements and authority.

ISQM 2 appointment and eligibility requirements for engagement quality reviewers are more selective (whether internal to the firm or external) than those in extant ISQC 1:

• The eligibility of the individual(s) within the firm responsible for the appointment of engagement quality reviewers.

• The eligibility of individuals to assist the engagement quality reviewer in performing the engagement quality review.

• The engagement quality reviewer is responsible for the performance of the engagement quality review, including that the work of individuals assisting in the review is appropriate.

• Limitations on an individual’s eligibility to be appointed as engagement quality reviewer for an engagement for which the individual previously served as the engagement partner.

Competence and Capabilities, Including Sufficient Time

ISQC 1 includes requirements regarding the criteria for eligibility of engagement quality reviewers and has been transferred to ISQM 2 and improved through expanding the eligibility requirements and describes the competence and capabilities of the engagement quality reviewer like other roles described in ISQM 1.

The IAASB believes that the achievement of an effective engagement quality review requires the involvement of the reviewer at appropriate points in the engagement, consistent with when the engagement team is making significant judgements, because doing so facilitates the resolution of issues promptly. Accordingly, ISQM 2 includes a new requirement addressing the reviewer’s responsibility to perform the procedures at the appropriate time during the engagement.

The timing of the performance of the EQR is essential. Not only concerning when the reviewer becomes involved but the time allocated for the performance of the review. ISQM 2 clearly states that the firm’s policies or procedures must give the reviewer sufficient time to perform the review.

Relevant Ethical Requirements, specifically objectivity

To improve the reviewer’s objectivity, ISQM 2 requires a reviewer to comply with relevant ethical requirements and explicitly highlights the threats to objectivity in its application material about the engagement or engagement team. ISQM 2 includes a new requirement for the firm to establish policies or procedures that limit an individual’s eligibility to be appointed as a reviewer for an engagement on which the individual previously served as the engagement partner.

Furthermore, the application material in ISQM 2 suggests objectivity may be accomplished by establishing a two-year cooling-off period and notes that determining a suitable cooling-off period depends on the facts and circumstances of the engagement and applicable law or regulation provisions or regulation and relevant ethical requirements. The standard implies that if the individual is appointed as the reviewer immediately after serving as the engagement partner, there are no safeguards or other actions that would eliminate the threats to the individual’s objectivity or reduce them to an acceptable level.

Outside firm Engagement Quality Reviewers

The standard considers that small to medium firms may not have sufficient experience within and might require external reviewers. The standard has been expressly set up not to be onerous that the availability of suitable engagement quality reviewers is limited or non-existent for small to medium firms.

ISQM 2 clarifies that the exact eligibility requirements apply to any individual appointed as a reviewer, whether within the firm or external (as may be the case when there is no partner or other individual within the firm who is eligible to perform the engagement quality review).

Significant Judgements and Significant Matters

EQR discussions with the engagement partner (or other engagement team members, if applicable), along with the information obtained from the engagement team about the nature and circumstances of the entity, will enable the reviewer to be aware of significant judgements made within the engagement.

Based on that information, the reviewer looks at selected engagement documentation in support of those significant judgements. The standard clarifies that the engagement quality reviewer discusses with the engagement partner and, if applicable, other engagement team members significant matters and significant judgements made in planning, performing, and reporting on the engagement.

Documentation

The engagement quality reviewer evaluates the basis for the engagement team’s significant judgements, including, when applicable to the type of engagement. The reviewer evaluates the professional scepticism of the engagement team based on the review of selected engagement documentation. By doing this, the reviewer acknowledges their role in evaluating the engagement team’s exercise of professional scepticism in making significant judgements and reaching conclusions, and, where appropriate, challenging them.

ISQM 2 includes a specific requirement for the reviewer to take responsibility for documentation of the EQR. The documentation is to be filed with the engagement documentation. The documentation is sufficient to enable an experienced practitioner, having no previous connection to the engagement, to understand the nature, timing, and extent of the engagement quality review procedures performed.

In summary, the implementation of ISQM 2 will make it easier for firms and for reviewers to understand their responsibilities when an EQR is required. The standard clearly places the requirements in one place, in contrast to the current system where EQR requirements are placed in ISQC 1 and ISA 220.

4 June 2021

The new ISA 220 will be effective from December 2022, which means that firm’s have plenty of time to get up to speed with the changes. The standard emphasis can be summarised with:

  • Proactive management of quality at the engagement level by emphasising the importance of professional scepticism.
  • Enhancing the auditor’s documentation’s judgments.
  • Reinforcing the need for robust communications between the engagement team and partner.

A criticism of the prior standard was that firm quality control manuals were purely to satisfy standard requirements and not used in the actual engagement. This standard clarifies the role and responsibilities of the engagement partner. Notably, the required involvement of the engagement partner throughout the engagement, and retain the emphasis on the engagement partner’s responsibility for managing and achieving quality at the engagement level.

The objective of the standard is as follows: the auditor is to manage quality at the engagement level to obtain reasonable assurance that quality is achieved such that:

(a) The auditor has fulfilled the auditor’s responsibilities, and has conducted the audit under professional standards and applicable legal and regulatory requirements; and

(b) The auditor’s report issued is appropriate in the circumstances.

What are the Engagement Partner’s main responsibilities in the engagement?

The new standard makes the engagement partner’s responsibilities around leadership and project management (including assessing the engagement team’s competence and objectivity) more explicit.

The engagement partner needs to be adequately involved throughout the engagement to provide the engagement leadership required to achieve high-quality audits.

The diagram below illustrates how the engagement partner’s overall engagement is responsible for managing and achieving quality through sufficient and appropriate involvement. Their significant judgments made and the conclusions reached are appropriate given the nature and circumstances of the audit. This overall responsibility includes:

Fulfilling leadership responsibilities includes taking actions to create an environment for the engagement that emphasises the firm’s culture and the expected behaviour of engagement team members, and assigning procedures, tasks or actions to other members of the engagement team.

Leadership must assign responsibilities to other engagement team members. ISA 220 recognises that the engagement partner may assign procedures, tasks, or actions to other engagement team members to assist the engagement partner in complying with the requirements but must take overall responsibility for the engagement quality.

Supporting engagement performance includes taking responsibility for the nature, timing and extent of direction, supervision and review of the work performed; and

New requirements require the engagement partner to review the financial statements and the auditor’s report before dating the auditor’s report and, prior to their issuance, to review formal written communications to management, those charged with governance, or regulatory authorities. The engagement partner must review audit documentation relating to significant matters and other areas involving significant judgments. The partner should focus on complex or contentious matters identified during the engagement and the conclusions reached.

Standing back, The engagement partner must take overall responsibility for managing and achieving quality, including whether their involvement has been sufficient and appropriate throughout the engagement. The nature and circumstances of the engagement are taken into account, especially with significant judgements and conclusions reached.

Relevant Ethical Requirements

The standard has strengthened relevant ethical requirements and the engagement partner’s role in dealing with relevant ethical requirements. Accordingly, in addition to enhancing the extant requirements, ISA 220 includes requirements regarding:

• Understanding of the relevant ethical requirements and whether other members of the engagement team are aware of those requirements and the firm’s related policies or procedures;

• Threats to compliance with relevant ethical requirements; and

• Determining whether relevant ethical requirements, including those related to independence, have been fulfilled.

Engagement Resources

The engagement partner is responsible for determining sufficient and appropriate resources assigned or made available on a timely basis. They are responsible for taking appropriate action when the firm provides insufficient or inappropriate resources in the engagement team’s audit engagement.

The standard includes new application material detailing:

  • How human, technological, and intellectual resources may be used to support the performance of audit engagements.
  • How project management skills can help manage the quality of the audit engagement and the appropriate actions if the engagement partner determines that the resources are insufficient or inappropriate.

Examples of engagement resources the engagement partner can use to determine whether to depend on the firm’s related policies or procedures:

• Information systems that monitor independence;

• Information systems that deal with acceptance and continuance of client relationships and audit engagements; and

• Audit methodologies and related implementation tools and guidance.

All these examples of engagement resources are found within Audit Assistant – and more. Plus we are reviewing our templates to add features and content to guide the partner to meet these requirements in a timely and efficient manner.

Firm-level responses

Some firm-level responses to quality risks are not performed at the engagement level but are nevertheless relevant when complying with ISA’s requirements. An example of this is determining whether the engagement team members collectively have the appropriate competence and capabilities to perform the audit engagement. The engagement partner should look at the firm’s policies or procedures dealing with personnel recruitment and professional training.

The engagement partner should take into account when determining whether they may depend on the firm’s policies or procedures in complying with the requirements:

• The engagement partner’s knowledge or understanding of or practical experience with the firm’s policies or procedures.

• Information provided by the firm’s monitoring and remediation processes indicates what firm policies or procedures operate effectively. For example, the engagement partner may depend on the firm’s technological development and maintenance programs when using firm approved technology to perform audit procedures based on the firm’s information.

Project Management

Project management is a crucial part of the engagement, and the engagement partner should be actively involved or a documented process outlining how it is delegated.

Some examples of how a firm may project manage:

• Increasing the engagement team’s ability to exercise professional scepticism through alleviating budget or time constraints that may otherwise impede the exercise of professional scepticism;

• Facilitating timely performance of audit work to more effectively manage time constraints at the end of the audit process when more complex or contentious matters may arise;

• Monitoring the progress of the audit against the audit plan,  including the achievement of key milestones, which may assist the engagement team in being proactive in identifying the need for making timely adjustments to the audit plan and the assigned resources;

• Assisting the engagement partner in taking responsibility for the direction and supervision of engagement team members and the review of their work; or

• Coordinating arrangements with component auditors and auditor’s experts.

The Interaction Between ISA 220 and Proposed ISQM 1 and Proposed ISQM 2

ISA 220 operates as part of the broader system of quality management established by ISQM 1. Under ISQM 1, the firm establishes quality objectives, identifies and assesses quality risks, and designs responses to address the quality risks concerning the components of the firm’s system of quality management. This can be achieved at the firm level or the engagement level, depending on its nature, circumstances, and engagement. Accordingly,  ISQM 1 requires the firm to communicate information to the engagement team about their responsibilities regarding the firm’s responses that require implementation at the engagement level.

ISA 220 and ISQM 1 align concerning monitoring and remediation. The engagement partner is responsible for dealing with the relevant aspects of the monitoring and remediation process. Communication by the firm includes the results of the monitoring and remediation process.

Furthermore, the engagement partner and team requirement to fully cooperate with the engagement quality reviewer is the linkage between ISA 220 and ISQM 2.

In summary, ISA 220 aims to implement a firm’s quality management system at the engagement level. In particular, the standard aims to ensure that the engagement partner is adequately involved throughout the engagement. To ensure that the team has adequate supervision (project management), expertise (in-house or external) and resources to satisfy the level of quality developed by the firm in their quality control manual. The communication between the team members and the firm’s management and governance will help ensure that a firm’s quality management is fit for purpose and applicable to actual engagements.

We hope this and earlier articles will help you to hit the ground running when the new standards become active.

1 April 2021

Overview

For many firms, trying to understand why the IAASB has moved from requiring quality control to quality management and how to meet the requirements may fill you with a sense of unease.

These new standards will come into effect at the latest by December 2022, so we are committed to staying ahead of the changes to ensure the smoothest possible transition, and hopefully quell some of the uneasiness by producing a range of articles and tools to help.

One of ISQM 1’s primary aims is to foster a culture of quality within your practice and for your firm to think critically about what service you are providing and how can it be improved.

In many ways, the quality management standards apply principles from the ISA’S on your firm to ensure their internal controls, policies, procedures, resources, and systems are of sufficient quality to ensure that the firm audit and assurance engagements are free of material misstatement. Unlike ISQC 1 (PES 3), ISQM 1 is scaled for small, medium auditing and assurance practices (SMP). Requirements and application material emphasise professional judgement and professional scepticism when fulfilling the standard’s needs.

The extant ISQC 1 requires firms to establish and maintain a quality control system and specifies the policies and procedures that firms must establish as part of quality control. A criticism of ISQC 1 has been that it acts as a minimum set of quality requirements (Checklist). The new standard has been specifically designed not to be a minimum set of requirements that a firm ticks off to keep the regulators happy but instead makes the firm develop a comprehensive quality management system.

Assuring audit quality is now achieved by regular monitoring of the system and that the practice has sufficient knowledge and expertise.  If the firm detects a quality deficiency, it investigates the root cause and creates new quality objectives, policies, and procedures to manage them. Furthermore, it emphasises having a good firm structure that allows communication of findings up the chain of command without other engagement team members’ ability to hinder this process.

How does ISQM 1 address aspects of the International Framework for Audit Quality?

ISQM 1 addresses aspects of the Framework for Audit Quality, such as:

(i) The competence and capabilities of the engagement team, recruitment and training, and changes in the firm’s resource models (e.g., use of shared service centres).

(ii) Internal monitoring reviews, including the scope and extent of such reviews.

(iii) Governance structures of firms and networks.

(b) The need to address remediation and acknowledge the importance of root cause analysis.

(c) The need for additional guidance to demonstrate how ISQC 1 could be applied proportionately by small- and medium-sized practitioners (SMPs), including clarifying the application to audit, assurance, and related services engagements; this means that it is specifically designed to be scaled. For example, a sole practitioner would not create the same system as a large entity with multiple partners, managers and employees.

(d) Addressing multiple issues related to engagement quality control reviews (e.g., selecting the engagement quality control reviewer and their independence from the engagement team, the professional scepticism exercised by the reviewer and the objective, extent, timing, and documentation of the review).

The new approach’s focus is on the firms’ attention on risks that may impact engagement quality. Unlike extant ISQC 1, the new approach requires the firm to transition from policies and procedures that address standalone elements to an integrated approach that reflects upon the system as a whole.  This approach requires the audit firm to proactively identify and respond to quality risks and adjust or create new quality objectives to address any deficiencies.

What are the benefits of ISQM 1?

The new approach benefits the firms’ systems of quality management that support the consistent performance of quality engagements, including:

  • A system that is tailored for the firm’s nature and circumstances and the engagements it performs (Scalable), thereby improving the robustness and effectiveness of activities undertaken by the firm to address engagement quality. A tailored system of quality management may also result in improved utilisation of firm resources.
  • The facilitation of a firm risk-based proactive response to changing circumstances, proactively managing or mitigating risks, and promoting continual improvement and responsiveness. This new approach will help keep the standard fit for purpose and adaptable to a changing environment would likely enhance firms’ ability to apply the standard proportionately.
  • Increased emphasis on monitoring the system as a whole and timely and effective remediation promotes ongoing improvement and consideration of the system’s appropriateness, including whether it effectively supports engagement quality.
  • Integration of the system’s components promotes an ongoing process of improvement and consideration of the effect of decisions across the system.
  • It requires a firm to customise the design, implement and operate its quality management system based on its nature and circumstances and the engagements it performs.

We will be adding additional blog posts on this plus technical articles on our support hub.

31 March 2021

What are the main components of ISQM 1, and how are they organised and integrated?

ISQM 1 uses a new approach to managing quality that is scalable to deal with differences in firms’ size and nature of their services. As discussed previously, the new quality management approach drives firms to think about the firm’s nature and circumstances and its engagements when designing, implementing, and to operate its quality management system. The approach focuses on achieving outcome-based quality objectives. One of the most important benefits is a tailored system of quality management that is suitable for its nature and circumstances and the engagements it performs.

The IAASB agreed that retaining the elements of extant ISQC 1 is important as they reflect topics that continue to be relevant to a firm’s quality management system and provide a necessary link to quality management at the engagement level.

The eight components of the proposed system of quality management are as follows:

(a)          Governance and leadership (adapted from “leadership responsibilities for quality within the firm” in extant ISQC 1).

(b)          The firm’s risk assessment process (new).

(c)           Relevant ethical requirements.

(d)          Acceptance and continuance of client relationships and specific engagements.

(e)          Engagement performance.

(f)           Resources (adapted from “human resources” in extant ISQC 1).

(g)          Information and communication (new); and

(h)          Monitoring and remediation process (adapted from “monitoring” in extant ISQC 1).

Unlike the elements of extant ISQC 1 that appear disconnected from one another, the eight components in ISQM 1 are designed to be highly integrated. For example, resources and information and communication are essential aspects that enable each of the other components of quality management. The integration of the elements means that the quality management system does not operate in a tick box manner. As a result, many aspects of ISQM 1 would be designed, implemented, and used by the firm holistically through the audit and assurance process.

While ISQM 1 is organised according to the eight components. Firms are not required to arrange their systems according to these eight components, provided that the firm adheres to the standard’s overall objective. A firm may have different names for the components, combine the components, or have additional components if the firm wishes to have a more rigorous system than the standard.

Interrelationship of the Components

1. The firm’s risk assessment process sets out how it implements the risk-based approach to quality management. In doing so, the firm must include the quality objectives and responses set out in each of the components of this ISQM.

2. The governance and leadership component is important to the design, implementation, and operation of the other components quality management system. It provides the basis for the quality management system and creates the environment in which the other quality management components operate.

3. Other components such as information and communication and resources have quality objectives that enable the design, implementation, and operation of quality management. Therefore, such components may include responses that affect or relate to the other components of quality management. For example, the information and communication component containing the information system that provides the information needed for the operation of the other components or the resources component addresses the establishment of human resources needed to operate various quality management aspects. There may be interrelationships within the components as well; for example, human resources are needed to develop intellectual resources.

4. There are also relationships between components because there are matters related to each other. For example, aspects of the relevant ethical requirements component may be relevant when accepting and continuing client relationships and specific engagements.

5. The monitoring and remediation process monitors the entire system of quality management, and therefore the monitoring activities are undertaken over all of the components of the system of quality management.

28 February 2021

Audit Quality Management

The final pronouncements on ISQM 1, ISQM 2 and ISA 220 were published in December 2020. From December 2022 all auditors and assurance practitioners must adhere to the new standards.

At this stage, the XRB has not yet revised PES-3 but will likely occur in the coming months. The adoption date may be some time away but implementing the requirements at a firm and engagement level will take considerable time and effort.

At Audit Assistant, we are planning and developing ways to reduce the burden of the changeover and integrate the requirements of the new standards into our systems. We will keep you updated as new information arises.

Most of our clients are involved in similar audit and assurance engagements and therefore through our network best positioned to develop a system of quality management based on our clients’ experience and expertise.

Under ISQM 1, we could potentially constitute a service provider and act as a network for our clients. We could also act as an advocate for small-medium audit and assurance practices to ensure that regulation is not onerous and favouring larger firms that have more resources.

To achieve our quality management objectives, we are proposing to do the following:

  • Create a customisable quality control manual for our clients which sets out the minimum steps to manage audit and assurance quality in the Tier 2 to Tier 4 Not-for-profit sector (the standard will be scalable and acknowledge that many of our firms are sole practitioners).
  • Partner with our clients to develop quality control steps for auditing commercial and larger entities.
  • Continue to develop a structured training system that teaches users how to use Audit Assistant correctly, including resources that teach audit principles and the fundamentals of the auditing and audit standards.
  • Through file reviews, monitor our clients’ work to ensure that our audit quality policies, procedures, and systems adequately address any quality risks.
  • Work with clients to ensure that engagement team members understand their audit quality responsibilities and inform us of any suspected deficiencies in the quality management system.
  • These processes could be incorporated as part of your quality management system.

If this proposal is of benefit to your firm it would be great to inform us of your interest. We need to know if there is sufficient interest in the endeavour to make it worthwhile.