The International Standard on Quality Management (ISQM) represents a paradigm shift in how audit firms approach quality management, moving from a passive, compliance-based model to a proactive, risk-based one. ISQM aims to reinforce a structured and systematic approach to managing audit quality, thereby enhancing the reliability of financial reporting and instilling greater trust in the profession.
A recent review of two firms participating in the Quality Assessment Programme (QAP) highlighted several common challenges and areas for improvement under ISQM 1 and ISQM 2. Additionally, the Malaysian Institute of Accountants (MIA) Practice Review Annual Report 2023/2024 identified key ISQM inspection findings across multiple firms, further reinforcing areas requiring improvement. These findings serve as valuable insights for audit firms looking to improve their system of quality management and ensure compliance with professional standards.
This first part of a two-part article examines these findings, emphasizing areas where firms are struggling and how they can work towards compliance.

Common Findings from ISQM Reviews
Firm’s Risk Assessment Process
Under ISQM 1, firms must adopt a risk-based approach to managing audit quality. The following were among the key weaknesses observed:
- Audit firms attempted to perform the risk assessment process but fell short as certain responses to quality risks were not specifically tailored to the nature and circumstances of each firm and its engagements.
- There were cases where the audit firm’s ISQM 1 manual was reproduced from other external sources/templates without being appropriately customised to align with the firm’s specific profile and requirements, which hindered the firm from effectively achieving the quality objectives.
Governance and Leadership
A firm’s leadership plays a crucial role in driving audit quality and fostering a culture of integrity, professional skepticism, and ethical behaviour. However, the reviews identified the following deficiencies:
- No individual was assigned ultimate responsibility and accountability for the firm’s System of Quality Management.
- Some firms did not assign a specific individual responsible for overseeing ISQM implementation, which led to fragmented accountability. Concerns arise when audit firms assign an audit manager as the ethics leader, which may be inappropriate. This role requires consultation and responses on all ethics-related matters, including independence, conflict of interest, privacy and confidentiality. An audit manager may not have the necessary influence and authority within the firm to fulfil this role.
- Weak tone at the top: A culture of quality must be driven by leadership. In many cases, senior management did not actively promote quality-related initiatives.

Relevant Ethical Requirements
Firms are expected to have a policy that requires audit engagement team members to confirm their compliance with relevant independence requirements prior to the commencement of an audit engagement. Based on the inspected audit engagements, it was observed that some audit engagement team members failed to confirm their independence.
Acceptance and Continuance of Client Relationships and Specific Engagements
Some salient issues found are as follows:
- Acceptance of appointments as auditors without carrying out adequate procedures to obtain professional clearance from the previous auditors.
- Client acceptance and continuance procedures often being conducted during the audit planning stage rather than at the conclusion of the previous audit or before the start of the next audit.
- Lapses identified in the letter of engagement issued, as it did not include all pertinent terms and clauses required.
- Audit firms lacked documentation integrating the following considerations into their procedures for client acceptance and continuance assessment:
  - The Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA).
  - Screening, for the purpose of knowing their clients, against sanctioned persons and entities and Politically Exposed Persons (PEPs) at the Acceptance and Continuation/Retention stages.
  - Policies and procedures for addressing circumstances where the firm becomes aware, after accepting or continuing a client relationship or specific engagement, of information that would have caused it to decline the relationship or engagement had the information been known beforehand.
  - Policies for Whistleblowing, Personal Data Protection Act (PDPA) 2010 and Anti-Bribery and Anti-Corruption.
Resources
Among the key issues noted are:
- Audit firms only establishing minimum Continuing Professional Education (CPE) hours for staff who are MIA members, and neglecting to set such requirements for non-MIA member staff.
- Not keeping training records to track and monitor staff compliance with CPE hour requirements, as set out in the firm’s policy.
- No policies and procedures were designed to address the quality objectives of technological resources, intellectual resources and service providers.
Engagement Performance
Some of the common findings are:

Information and Communication
There were instances where the design of the firm’s policies and procedures on information and communication was not customised according to the nature and circumstances of the firm, as the performance of those policies and procedures could not be verified.
Monitoring and Remediation Process
Effective monitoring mechanisms are critical for ensuring continuous improvement in audit quality. However, the ISQM reviews found:
- Insufficient internal monitoring activities, whereby audit firms failed to conduct monitoring reviews to assess the effectiveness of their quality management systems, including the quality of their audit engagements.
- Although certain audit firms had a policy requiring each audit engagement partner to undergo a quality monitoring review at least once every two to three years, there were cases where partners were not selected for review within the specified timeframe.
- Failure to implement monitoring and remediation processes such as Root Cause Analysis, cold review and annual inspections of ISQM 1.
The findings from the QAP and MIA Practice Review reinforce the need for firms to strengthen their governance structures, risk management processes, and monitoring mechanisms. Addressing these deficiencies is crucial to improving audit quality, maintaining regulatory compliance, and enhancing public trust in financial reporting.
A firm’s ability to establish a strong ISQM framework depends not only on regulatory compliance but also on a mindset shift toward continuous quality improvement. Leadership must be actively engaged in the process, risk assessments must be tailored to firm-specific realities, and monitoring activities must be robust and proactive.
In Part 2 of this article, we will explore key recommendations from the MIA Practice Review and QAP reports, outlining actionable steps that firms can take to strengthen ISQM compliance and create a more robust quality management framework.
This is Part 1 of an article on QAP and ISQM Compliance. Part 2 is titled Strengthening ISQM Compliance – Actionable Recommendations.