The culture shift of ISQM 1

 

The work required for ISQM 1 compliance might be more than firms expect, and the nature of that work could be surprising as well.

 

Those who are familiar with earlier standards might expect ISQM 1 to be a non-event and akin to a checklist. However, in many ways, it represents a firm-wide reckoning and culture shift.

 

Jeff Hughes, Grant Thornton Audit Quality and Risk National Managing Partner, said, “I think the surprise is what you have to go through to document compliance. Then, you have to test it, identify deficiencies, assess them and fix them.”

 

 

 

Jeff Hughes

“When you have to go through the formal risk assessment, then that brings in IT, marketing, legal, sales — all aspects of the business where a risk could reside.”

Jeff Hughes

Grant Thornton Audit Quality and Innovation National Managing Partner

Risk assessment

 

Your system of quality management needs to begin with a risk assessment process where you identify quality objectives and risks to meeting those objectives, then determine and test the firm’s responses that mitigate or address those risks. Sara Ashton, Grant Thornton Audit Managing Director, explained, “Firms never had to undertake a formal risk assessment process to comply with the quality control standards that existed before.”

 

Past guidelines were broad enough that they could overlook some specific risks. ISQM 1 directs companies to identify and assess risk in ways that are unique to each firm. That requires some definitional work. Companies need to involve stakeholders and develop an accurate picture of the business.

 

“ISQM 1 doesn’t necessarily prescribe a certain way to characterize risks,” explained Hannah Crabtree, Grant Thornton Audit Innovation Manager. “It doesn’t say that you need three levels of risk or four levels of risk.” While your risks will be rigorously judged, the definition of risk is left to your firm.

 

Hughes noted that, “There’s an underestimation of how far into the organization these tentacles reach. Historically, it was primarily the quality control around the audit function. But, when you have to go through the formal risk assessment, then that brings in IT, marketing, legal, sales — all aspects of the business where a risk could reside.” Your risk model could continually be reshaped as you learn more about your risks, by probing more deeply, finding new connections, or adapting to new data.

 

Sara Ashton

“For ISQM 1, I’ve spoken to people I have never spoken to before, because I needed to get new information.”

Sara Ashton

Grant Thornton Audit Managing Director

This might require collaboration with business areas that are not traditionally involved in quality assessments. To succeed, teams will need to develop and maintain relationships with people who have many competing demands on their time. Ashton recalled that, “For ISQM 1, I’ve spoken to people I have never spoken to before, because I needed to get new information.”

 

Once you capture the risks unique to your firm, you still have more to do. This can mean tracing those risks across departments and charting their possibility of occurrence — and should they occur, the significance of their effect. This framework can then be used for ongoing tracking, testing and reporting.

 

 

 

An ongoing culture

 

ISQM 1 will prompt deeper engagement across your firm, because it stresses active ownership of the quality program. “It’s really extended to the firm’s culture,” Ashton said. “I think that’s something very unique that was brought into this standard, which is something that you wouldn’t have thought of from a quality control perspective in the past.”

 

Your system of quality management needs to include ongoing monitoring that may result in findings about your quality management. You need to be able to visually represent your risk and response relationships, and key findings, for discussion.

 

 

 

Related resources

 

ARTICLE

 

SOLUTION

 

VIDEO

 

Steve Villani, Grant Thornton Audit Risk Management National Managing Partner, noted, “You need an observable and replicable process for meeting the standard, and the process needs to continually evolve. It is very difficult to manage that through spreadsheets, because of all the relationships, breadth and scope.”

 

The key to successful ISQM 1 preparation is to appreciate and adapt for the challenge that the new standard presents.

 
Laptop screen

The qm.x video tour

Our three-minute video tour of qm.x shows you exactly what the solution can do, how it looks and how it helps facilitate compliance with less manual work.

 
 

Contacts:

 
 
 
 
 

Our audit insights