By Johnny Yong and Lee Tuck Heng
At the onset, the ISQM project team had identified two important elements that the new standard aimed to enhance, noting limitations of the extant International Standards on Quality Control (ISQC) 1: firstly, proactive management of quality that meets public expectation while keeping the standard fit for purpose; and secondly, the importance of scalability, i.e. how firms of different sizes and complexity could apply the standard with reasonable means and commitment.
Setting a New Standard
To address these issues, the International Auditing & Assurance Standards Board (IAASB) proposed that the new standard adopt a fresh approach to managing quality, termed Quality Management (QM), as opposed to quality control, which would focus on proactively identifying and responding to risks to quality. In essence, this entails an integrated approach to QM that reflects upon the System of Quality Management (SOQM) as a whole, focusing on risk and requiring a firm to customise the design, implementation and operation of its SOQM based on the nature and circumstances of the firm and the engagements it performs. Not being a one-size-fits-all approach, the envisaged QM concept has been proven to be more robust and effective, allowing firms to focus on continuous improvement of their SOQM.
Following the issuance of the Exposure Draft (ED) and the subsequent comments received, general acceptance of the QM approach was accompanied by pervasive concern about the scalability of the proposed standard. Even the IFAC SMP Advisory Group had questioned if the proposed standard could “really increase the audit quality from an SMP perspective”, fearing instead of a drive towards a compliance mindset especially among smaller firms which would be subjected to a proportionately greater documentation burden to “explain/prove” their compliance”.
The Malaysian Institute of Accountants (MIA) had also raised similar concerns on scalability and hopes that the IAASB will provide more illustrations and guidance materials on how the standard could be made scalable, especially for SMPs, upon the finalisation of the ED. You can read the submission here.
Refining the Standard: Key Areas of Focus
Given the extent of concerns on scalability, prescriptiveness, complexity, understandability (even the ICAEW commented the standard was very difficult to be read by a native English speaker) and length (double the number of pages compared to ISQC 1), the following key areas of focus were identified by the IAASB in further developing and finalising the standard:
- Scalability of the standard to take on more prominence. Firms are encouraged to tailor the SOQM appropriately based on their respective circumstances;
- Complexity and prescriptiveness of the requirements to be reduced (preferably, to be principles-based); and
- Developing a standard that can be applied in all circumstances, including where firms only perform related service engagements. Going forward, this could be an area of concern as more jurisdictions start applying the International Standards on Assurance Engagements (ISAEs) and International Standards on Related Services (ISRSs).
IAASB’s Actions for Each Key Area
The IAASB has since taken steps to address the following key areas of focus:
(a) Reorganising the structure of ISQM 1 by distinguishing between actual components versus the two processes (the Firm’s Risk Assessment Process [FRAP] and the monitoring and remediation process) while re-writing the standard in an easier to follow manner. The sequence of these components was presented more logically for easier navigation , even though the IAASB has acknowledged that the QM process is not expected to be a linear exercise in compliance.
(b) Refining the quality objectives and responses and in doing so, underscoring the principles-based approach through more outcome-based quality objectives and an increased focus on achieving them. Rather than telling firms what to do, the standard is now crafted to explain to firms of the outcome that they should strive towards. Firms are now expected to tailor most of their responses in the new standard with minimum prescribed responses – Paragraph 34 of the standard only lists some specified responses (further reducing the number of requirements from the ED).
(c) Simplifying and clarifying the FRAP. The process is now consistent with the approach under the revised ISA 315, Identifying & Assessing the Risks of Material Misstatement (the ED had earlier imposed a lower threshold in identifying all quality risks, an area of concern among many SMPs).
(d) Including, within the standard, conditions, events, circumstances, actions or inactions that the firm is required to comprehend when identifying and assessing quality risks which are dependent on the nature and circumstances of the firm and the engagements it performs. This increases the focus on scalability and tailoring the SOQM to the firm’s unique circumstances.
(e) Drafting and presenting the requirements and application material in a manner that is easier to understand, and to reduce the overall length of the standard. This included: (i) redrafting the standard using shorter and simpler sentence structures, (ii) placing examples in the application material in separate boxes, and (iii) clearly signposting examples that demonstrate scalability. For the latter, paragraphs such as 34(e)(i) and (f)(i) on transparency communication with TCWG and the need for EQR are some of the examples that were included.
(f) Increasing the emphasis on the need for the firm to exercise professional judgment in paragraph 19 of ISQM 1, thereby allowing for firms to scale-up or scale-down (depending on their circumstances); and
(g) The monitoring and remediation process is very much being tailored to the firm’s operating environment, well-embedding the concept of risk, for example: (i) The factors the firm considers in determining the nature, timing and extent of the monitoring activities have an element of risk integrated into them. (ii) Promoting a risk-based mindset by considering the severity and pervasiveness of identified deficiencies when responding to these deficiencies since the nature, timing and extent of the firm’s remediation is affected by the severity and pervasiveness of the deficiencies. These are again, examples of how the ISQM standard can be scaled according to the circumstances of the firms and their complexities.
Many of these actions also address other important issues raised by various respondents to the ED. For a good understanding of the IAASB’s rationale on the finalisation of the ISQM 1, please check out its basis of conclusion.
Finally, the IAASB also acknowledged the concern that smaller firms may find it challenging to undertake performance evaluation of leadership, such as within the environment of a sole proprietorship (this being one of the stated requirements of ISQM 1 that cuts across all practice sizes). In the case of a smaller firm, the performance evaluation of leadership may be interconnected with and dependent upon the outcome of an objective SOQM evaluation. A lack of operational formality and possibly documentation should not be an impediment for a small practice.
While the IAASB did not specifically seek respondents’ views on documentation at the ED stage, respondents (including the MIA) invariably provided various comments about documentation. Among others, the IAASB was urged to clarify documentation for certain aspects of the standard such as the firm’s risk assessment process and to provide additional guidance to demonstrate how a firm should document its SOQM, specifically, the evaluation process.
In response to this, the IAASB was of the view that a principles-based approach to documentation was more appropriate and consistent with other ISAs, such as ISA 230. The Board was concerned that adding further material in the standard to specify documentation requirements would be contrary to its efforts to improve the scalability of the standard and address prescriptiveness.
Along these lines, the MIA has requested the IAASB to consider issuing staff publications and other non-authoritative materials for jurisdictions such as Malaysia. Since room for scalability has been accorded in ISQM 1, firms will have to spend an adequate amount of time documenting their decisions (including policies and procedures) so that the regulators and practice reviewers from the MIA (and possibly, AOB) will not second-guess the firms’ decisions, especially with the benefit of hindsight.
Documentation of a firm’s SOQM has to be robust as well as timely and complete as the external environment and rules and regulations constantly evolve. This is surely an opportunity for a firm’s leadership to openly demonstrate their commitment to quality – starting with a credible set of documentation that serves as a blueprint for the firm’s quality practices, with the contents being expected to be well-communicated throughout the firm – as the new QM regime is expected to come into force by 15 December, 2022.
The Way Forward
The process towards compliance of ISQM 1 should have already started with the deadline being slightly less than 6 months away. The firm’s risk assessment process has to be the first of the various critical components to be completed and duly documented. It is understandable that many smaller SMPs do have challenges in this area. Risk based assessment is a fairly new approach to many. Materials provided by the IAASB and IFAC such as Youtube videos and first-time implementation guides should be a good starting point for the SMPs. While ISQM is predicated on a new platform, many of the good practices under ISQC can still continue to be implemented with some necessary tweaks.
On the part of MIA, a dedicated site housing all the 3 QM standards had been created since November 2021 – a one stop center on the quality management standards. The Youtube videos and first-time implementation guides as mentioned earlier have been included in this dedicated site, that can be accessed here: Quality Management Standards (mia.org.my)
Commencing 2022, MIA will also be organising various programs and workshops in the form of paid CPD events (including Masterclass) and free webinars to guide, especially the SMPs as they progress towards adopting the QM standard and uplifting the general quality management standards of the auditing practice in Malaysia over time. The first event had been conducted on 18 May (almost 500 participants registered) with the next one scheduled for afternoon of 14 July. Please check your inbox for all these announcements from time to time.
To get ready for ISQM 1 in December 2022, firms will need to intensify their efforts to ensure that their overall system of quality management (SOQM) will be up and running by the effective date. Thus, in order to gauge the readiness level of firms, the Institute would like to invite audit firms to participate in a survey on the status of firms’ adoption and implementation of ISQM 1 and also to identify other forms of support (if any) that are needed by firms in order to facilitate the implementation of ISQM 1. Please click this LINK to participate in a simple survey by 18 July 2022 (Monday) at 5.00 p.m.
Johnny Yong is Head, Capital Market and Assurance, MIA and Lee Tuck Heng is the immediate past Chairman of the Auditing and Assurance Standards Board, MIA.