Audits are meant to ensure compliance, accuracy and a range of other factors that add up to quality. That’s why quality is so central for audits — and auditing firms.
To help ensure quality, the International Auditing and Assurance Standards Board (IAASB) established the International Standard on Quality Management (ISQM) 1. ISQM 1 outlines that a firm needs to have a system of quality management.
Every firm that performs engagements under the IAASB’s international standards is required to design and implement a system of quality management in line with ISQM 1 by December 15, 2022.
The requirement is clear, but the level of effort for implementation — and the need for ongoing monitoring and remediation — can be more than firms expect.
The challenge
“One of the biggest challenges is that firms are trying to do this by leveraging existing resources and technology, and that’s very difficult — especially for smaller firms.”
“One of the biggest challenges is that firms are trying to do this by leveraging existing resources and technology, and that’s very difficult — especially for smaller firms,” said Grant Thornton Audit Quality and Risk Managing Director Marcy Johnson.
The work begins with designing the system. “The way that the standard is laid out, the objectives are there, but how they apply to each firm is going to be unique,” Johnson said. “It’s not just ‘Here are the ten things every firm needs to have and do.’ It’s ‘Here are things that firms need to be able to demonstrate they have done,’ and how you may go about them is going to be different.”
Your system of quality management needs to track your objectives, risks and responses. These relationships are unique for every firm. “The evaluation of the system of quality management is not as easy as a check-the-box exercise, because you may have many-to-many relationships across your risks and responses,” Johnson said, adding that Grant Thornton has identified hundreds of different risks and responses to map. Every firm needs to begin by acknowledging the complexity of its relationships, tracing all of its responses that address each risk and all of the risks addressed by each response.
Your system of quality management needs to document and track these relationships within your firm’s risk management process itself, as well as your governance, ethical requirements and other areas. To align your system with your governance and leadership area, for example, be sure to:
- Capture your governance commitment to quality.
- Capture how leadership is responsible for quality.
- Document a strategy and priorities that demonstrate commitment to quality.
- Show an organizational structure that demonstrates commitment to quality.
- Show resource plans and allocations that demonstrate commitment to quality.
- Show how you fulfil responsibilities per legal, regulatory and professional standards.
For the governance and leadership component within your system of quality management, the relationships might look like this:
You need to clarify each of these relationships to the appropriate degree. That means mapping an abundance of data and analyzing it, often from different perspectives, to ensure that you monitor the most relevant information.
“Making sense of all the information that’s required can be very difficult,” Johnson said. Mapping and tracking these relationships across multiple areas could require more time and resources than firms expect — or have available. Plus, these relationships and other factors will continue to evolve.
Beyond December 15
“Firms are always evolving, so this isn’t something you document once and it remains that way forever,’” Johnson said. “You’re documenting the current environment, but you know some things you’ve documented are going to change and the use of a tool can help efficiently manage those changes.” Changes can arise because the firm updates policies, implements new technology, changes how it executes its procedures or because of many other factors in how the firm is structured or operates.
As factors change, they can impact your processes. That, in turn, informs your responses to risks.
“This is not just a push to December 15th — you’re always going to need to have time and resources to stay current, test, evaluate and report,” Johnson said. “The standard emphasizes your particular responses to your particular risks, and those are going to change.”
The qm.x video tour
Our three-minute video tour of qm.x shows you exactly what the solution can do, how it looks and how it helps facilitate compliance with less manual work.
Our audit insights
No Results Found. Please search again using different keywords and/or filters.