The culture shift of ISQM 1

“When you have to go through the formal risk assessment, then that brings in IT, marketing, legal, sales — all aspects of the business where a risk could reside.”

Jeff Hughes

Grant Thornton Audit Quality and Innovation National Managing Partner

Risk assessment

Your system of quality management needs to begin with a risk assessment process where you identify quality objectives and risks to meeting those objectives, then determine and test the firm’s responses that mitigate or address those risks. Sara Ashton, Grant Thornton Audit Managing Director, explained, “Firms never had to undertake a formal risk assessment process to comply with the quality control standards that existed before.”

Past guidelines were broad enough that they could overlook some specific risks. ISQM 1 directs companies to identify and assess risk in ways that are unique to each firm. That requires some definitional work. Companies need to involve stakeholders and develop an accurate picture of the business.

“ISQM 1 doesn’t necessarily prescribe a certain way to characterize risks,” explained Hannah Crabtree, Grant Thornton Audit Innovation Manager. “It doesn’t say that you need three levels of risk or four levels of risk.” While your risks will be rigorously judged, the definition of risk is left to your firm.

Hughes noted that, “There’s an underestimation of how far into the organization these tentacles reach. Historically, it was primarily the quality control around the audit function. But, when you have to go through the formal risk assessment, then that brings in IT, marketing, legal, sales — all aspects of the business where a risk could reside.” Your risk model could continually be reshaped as you learn more about your risks, by probing more deeply, finding new connections, or adapting to new data.

“For ISQM 1, I’ve spoken to people I have never spoken to before, because I needed to get new information.”

Sara Ashton

Grant Thornton Audit Managing Director

This might require collaboration with business areas that are not traditionally involved in quality assessments. To succeed, teams will need to develop and maintain relationships with people who have many competing demands on their time. Ashton recalled that, “For ISQM 1, I’ve spoken to people I have never spoken to before, because I needed to get new information.”

Once you capture the risks unique to your firm, you still have more to do. This can mean tracing those risks across departments and charting their possibility of occurrence — and should they occur, the significance of their effect. This framework can then be used for ongoing tracking, testing and reporting.

An ongoing culture

ISQM 1 will prompt deeper engagement across your firm, because it stresses active ownership of the quality program. “It’s really extended to the firm’s culture,” Ashton said. “I think that’s something very unique that was brought into this standard, which is something that you wouldn’t have thought of from a quality control perspective in the past.”

Your system of quality management needs to include ongoing monitoring that may result in findings about your quality management. You need to be able to visually represent your risk and response relationships, and key findings, for discussion.