In September 2017, Karin French, Chair of the Quality Control Task Force (Task Force), presented a webinar which provided an overview of the proposals that the International Auditing and Assurance Standards Board (IAASB) are considering in relation to the IAASB Project: Revisions to Quality Control for Firms. This is a high-level overview of the webinar
Subsequent to the issue of the clarified International Standards on Auditing (ISAs) in 2009, the IAASB initiated a comprehensive post-implementation review project, aimed at assessing whether the clarified ISAs were being understood and implemented in the way that the IAASB intended. This project was completed in 2013 and the findings indicated that some revisions, improvements or clarifications may be required in certain instances to achieve more consistent and effective application of the standards. ISQC 1, Quality Control for Firms that Perform Audits and Reviews of Financial Statements and Other Assurance and Related Services Engagements (ISQC 1), was one such standard.
In response to the matters identified and with the strategic objectives of the IAASB in mind, priority was given to three projects, one being the project on the revisions to quality control for firms. This saw the issue of the Invitation to Comment, Enhancing Audit Quality in the Public Interest: A Focus on Professional Skepticism, Quality Control and Group Audits (the ITC) by the IAASB in December 2015, in which the concept of a quality management approach (QMA) was introduced. The IAASB is also considering the issue of a new firm-level standard, namely the International Standard on Quality Control (ISQC) 2 that would address engagement quality control (EQC) reviews, which is currently included as part of extant ISQC 1.
With the strategic objective of keeping the ISAs fit for purpose in the complex and changing environments of firm structures, the IAASB is mindful of revising the standards in such a way as to keep them as future proof as possible. This includes responding to the challenges identified in relation to the different dynamics of all firms in terms of size and the services provided. This article provides a brief overview of the more pertinent changes that are currently being deliberated.
Quality management approach
The QMA has been described as a proactive, preventative and ongoing approach to managing quality and is aimed at encouraging continual commitment to quality. It is also envisaged that the QMA will more clearly acknowledge the role of external stakeholders to improve the firm’s recognition of its role in protecting the public interest.
At present, the proposal is that the QMA consists of three main components:
- Governance and leadership, including organisation culture and strategy
- Information, communication and documentation
- A quality management process (QMP)
The QMP is the heart of quality management and is a more tailored, integrated approach to managing quality. Under extant ISQC 1, a firm’s system of quality control is required to cover six elements and the standard provides requirements specific to each of these elements. Within the proposed QMP, new requirements will be introduced into the revised ISQC 1 for the firm to establish quality objectives, identify and perform an assessment of the quality risks, design and implement responses to the quality risks, monitor the effectiveness of the system of quality management, and determine the necessary remedial actions.
Within the QMP, in order to keep the standard robust, there will be prescribed quality control objectives and risks and responses that must, as a minimum, be addressed by all firms (that is, objectives and risks that are deemed to be common to all firms). The prescribed quality objectives, quality risks and responses are based on the extant requirements of ISQC 1 but, instead of showing requirements under each of the six elements, as in the extant standard, the requirements will be translated into a set of prescribed objectives, risks and responses.
Although there are minimum prescribed requirements, the QMP will be flexible in that firms will be required to tailor this process, taking into account the circumstances of the firm and the nature of the engagements it performs to identify other specific and relevant quality objectives, quality risks and responses as necessary.
How is this QMP different to the extant ISQC 1?
Extant ISQC 1 is focused on policies and procedures. The main criticism of extant ISQC 1 is that it is seen as a checklist-based approach; a one size fits all with minimal emphasis on the circumstances of the firm and the nature of its engagements in designing the firm’s system of quality management. The proposed changes require a more proactive approach to managing quality, which may be more effective in anticipating risks and responding appropriately (that is, addressing possible quality failures). This risk-based approach will also require firms to think more deliberately about their risks and develop appropriate responses to those risks, resulting in a more effective and efficient use of firm resources.
Overview of other proposed changes to ISQC 1
In addition to the proposed introduction of the QMA, the Task Force is also considering strengthening the requirements in the area of the firms’ internal and external monitoring and remediation, including improving the understanding of the causes of deficiencies through the performance of a root cause analysis. The Task Force is aiming to enforce the need for more robust two-way communication in a number of areas and they are considering proposals to encourage greater transparency with effective communication with external stakeholders and the sharing of more information about how a firm manages quality. This includes considering whether the topic of transparency reporting may be appropriate for inclusion in ISQC 1. The Task Force is proposing strengthening firm governance and responsibility of firm leadership for quality.
ISQC 1 is a firm-level standard and is not only applicable to audits of financial statements but also applies to reviews, other assurance and related services engagements. To achieve the objectives mentioned above, the Task Force is specifically focusing on proportionality in revising the standards, thereby addressing the needs of both large practices as well as small and medium size practices who provide a range of different services to which ISQC 1 applies. Although the importance of the proportionality and scalability of the new and revised standards has been acknowledged, it has also been recognised that these standards need to be sufficiently robust to respond to the calls from stakeholders who have noted that the standard cannot become too flexible as this may result in significant inconsistencies of application between firms.
New firm-level standard: ISQC 2
In June 2017, the IAASB approved the development of a new firm level standard which will include many of the requirements related to EQC reviews. The new standard, ISQC 2, will be exposed at the same time as revised ISQC 1 and revised ISA 220, Quality Control for Audit of Financial Statements. It is envisaged that the introduction of ISQC 2 will also emphasise scalability because the standard will only be applicable to those engagements within the firm that qualify for an EQC review. The issue of a separate standard increases the prominence and emphasises the importance of the EQC review as an appropriate response to certain quality risks. It may also emphasise that the firm may identify other responses in addition to the EQC review that are more appropriate if the EQC review is not required to be performed.
The interaction between the quality control standards would be that ISQC 1 will retain the requirements relating to the selection of engagements subject to the EQC review. ISQC 2 will then include the requirements for the responsibilities of the firm and the EQC reviewer, with ISA 220 dealing with the requirements applicable to the engagement partner’s responsibilities in relation to the EQC review.
The Task Force is looking at a number of enhancements to the EQC review requirements themselves, including:
- Enhancing the requirements relating to an engagement subject to the EQC review
- The eligibility of the person to serve as an EQC reviewer
- Appointment of the EQC reviewer
- The execution of the EQC review, and
- The documentation of the EQC review
At this point the Task Force has agreed that the current requirements relating to an engagement subject to an EQC review will remain; in that an EQC review will be required for:
- Audits of financial statements of listed entities
- Engagements for which an EQC review is required by law or regulation, and
- Other engagements as determined by the firm, including where the firm has identified a risk of significant impact to the public as a result of an engagement not being performed in accordance with professional standards, applicable legal and regulatory requirements and the issuance of the report by the firm or the engagement partner as appropriate in the circumstances
- Firms will need to establish policies and procedures relating to the criteria for the eligibility of the EQC reviewer to ensure that:
- The reviewer has sufficient time to perform the EQC review
- Has the appropriate authority to challenge the significant judgements made by the engagement team and the conclusions reached thereon
- The EQC reviewer would need to comply with law, regulation or relevant ethical requirements that set out provisions in relation to the eligibility of the EQC reviewer
There will also be a requirement for the EQC reviewer to possess a combination of attributes, such as technical competence, including knowledge of the entity’s industry, experience in relation to other engagements of a similar nature and complexity, and objectivity in relation to the engagement subject to the EQC review.
With respect to the timing of the EQC review, there will be a strong message that the review should be undertaken at appropriate points in time throughout the engagement and not just at the end of the engagement right before the report is due to be issued.
The Task Force believes that it is appropriate for the scope of the EQC review to continue to focus on the significant judgments made by the engagement team and the conclusions reached thereon. The EQC reviewer should also consider other matters that may be relevant to the engagement, including, as applicable, the results of monitoring and remediation activities or inspections undertaken by an external oversight authority. The new standard will make it clear that the EQC reviewer can always increase the scope of the review if they feel the need to do so.
The quality control project is significant in that the outcome will form the foundation for current and future projects undertaken by the IAASB. This project is currently a work in progress and the Task Force is still working on ensuring that the new and revised standards are scalable and of an acceptable length, particularly the application material. The Task Force is in the early stages of developing and discussing the documentation requirements with the IAASB and need to continue to discuss how the new and revised standards should deal with engagement partner performance awards, competency and human resources and transparency reporting. Consideration also needs to be given to the possible impact of the proposed changes to ISQC 1 on other standards such as ISRE 2400 (Revised), Engagements to Review Historical Financial Statements and ISAE 3000 (Revised), Assurance Engagements Other than Audits and Reviews of Historical Financial Information.
The target date for the issue of exposure drafts of the revised ISQC 1, ISA 220 and the new ISQC 2 is September 2018. The aim is to issue new and revised standards in 2019 with effective dates of at least 18 months thereafter. A recording of the IAASB webinar is available on the IAASB website.
Author: Hayley Barker Hoogwerf CA(SA) is Project Director: Assurance at SAICA