German payment processing firm Wirecard made the headlines last year when it announced it was filing for insolvency after it emerged that €1.9 billion of cash was “missing.” While the company’s management faced fraud charges and the German regulator was accused of oversight failures, questions were also raised about the quality of the audits conducted on Wirecard’s accounts.
From the collapse of Enron in 2001, to the more recent inflated sales revenue by Luckin Coffee in China, a number of corporate accounting scandals in the past two decades have highlighted the importance of having robust quality management standards for the audit profession. The level of corporate failures in recent years was one of three key drivers behind the International Auditing and Assurance Standards Board’s (IAASB) decision to issue a suite of international standards on quality management.
Len Jui, Deputy Chair of the IAASB and Head of Public Policy and Regulatory Affairs at KPMG China (see his profile here), explains that the first driver was to ensure audits were being performed to the highest quality and to promote global consistency, particularly for large multinational networks of member firms that are undertaking thousands of audit engagements each year across a number of different jurisdictions.
The second purpose was to ensure that firms were focusing on the quality of their audits over financial and operational priorities. “Audit reports are relied on by investors to make investment decisions. The leadership of firms must make sure that everything they do focuses on quality. In the past, a firm might have placed more focus on market share, revenue numbers and how much business a partner can bring to the firm. I think such culture within a firm has to change,” Jui says.
Modernizing quality management
The three new and revised standards, International Standard on Quality Management (ISQM) 1 Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements, ISQM 2 Engagement Quality Reviews, and International Standard on Auditing (ISA) 220 Quality Control for an Audit of Financial Statements, aim to strengthen and modernize audit firms’ approach to quality management and respond to the increasingly complex audit ecosystem.
ISQM 1 replaces International Standard on Quality Control (ISQC) 1 Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related Services Engagements. The new standard encourages firms to adopt a robust and proactive approach to quality management, and strengthen their quality management system by tailoring it to the nature and circumstances of their own firm and the engagements they perform.
Loretta Fong, Partner at PwC Hong Kong, a Hong Kong Institute of CPAs Council member and Chairman of the Auditing and Assurance Standards Committee (AASC), explains: “ISQM 1 shifts from quality control to quality management by incorporating a risk-based approach. The quality management system needs to comprehensively and actively manage risks to quality through greater accountability, an improved focus on leadership and culture, and continuous improvement through a required monitoring and remediation feedback loop.”
“The quality management standards make sure firms introduce a quality management framework to help the leadership manage the business, not just in terms of bringing in new business, but ensuring staff are well-trained.”
Many of the elements of ISQM 2 come from the extant ISQC 1 and ISA 220. ISQM 2 sets out clear guidelines regarding the eligibility for the engagement of a quality reviewer, as well as the performance and documentation of the engagement quality review. “Key enhancements include a two-year cooling-off period before an engagement partner can assume the role of engagement quality reviewer, the performance of the engagement quality review at appropriate points in time during the engagement, and a ‘stand-back’ requirement to determine whether the performance requirements in ISQM 2 have been fulfilled,” Fong says.
ISA 220 covers the responsi-bilities of the engagement partner and engagement team for quality management for an audit of financial statements. The revised standard modernizes the approach to quality management and requires the engagement partner and engagement team to be proactive in managing and achieving quality. Jui adds: “The quality management standards make sure firms introduce a quality management framework to help the leadership manage the business, not just in terms of bringing in new business, but ensuring staff are well-trained, that there is enough investment in technology and technical resources, and that there is effective internal communication and a continuous improvement process built into the firm’s quality management system.
The need for change
Chris Joy, Executive Director, Standards and Regulation, at the Institute and an Institute member, points out that the previous set of standards, which were first issued in 1995, had become outdated. “If you think about how business, auditing and accounting has developed in the last few years at a really quick pace, it really was time the standards were looked at, to check they were still fit for purpose,” Joy says. He adds that post implementation reviews in 2015 and 2016 for IAASB’s revised auditor reporting standards, and the inspection findings that were coming out of various regulators’ monitoring and inspection programmes also showed that a lack of general quality management was at the heart of a lot of issues.
Gary Stevenson, Partner, Technical at RSM Hong Kong, a member of the AASC, and an Institute member, agrees: “In the past 12 to 14 years, the world of auditing and accounting has moved on and the standards have to catch up.” He adds that there is also a public interest aspect because audit reports are relied on by investors, bankers, creditors and other users of financial statements.
Fong points out that having quality management standards is also an important part of driving greater confidence and trust in the audit profession, pointing out that recent corporate failures have raised fundamental questions about the relevance and quality of audits. “In view of growing stakeholder expectations in an increasingly complex environment, we need quality management systems that are proactive and adaptable,” she says.
Joy says that the new standards have been developed after a long period of evidence gathering and discussions, and have been on the agenda of the AASC for the past two years. The Institute jointly held events with the IAASB in May 2019 to obtain the views of stakeholders in Hong Kong on the draft standards.
A proactive approach
One of the biggest changes to the new standards is a move from a binary, compliance-based process to a more proactive, dynamic, risk-based quality management approach. Jui explains that in the past the standards had more of a “checklist” approach, but the new standards call on the management of firms to be accountable to quality and more proactive in managing their risks. “Now, a firm’s leadership must take a more proactive approach to manage quality through a series of policies and processes to be able to demonstrate that it has an effective system of quality management to ensure all audit opinions signed are appropriate in the circumstances,” he says.
The risks firms need to consider include internal factors, such as whether they are able to recruit the right people and whether these recruits have the right ethical values, whether they provide proper training and continuing education. They also include external risks, including the integrity of clients and the potential negative impact of a poor quality client on the reputation of the firm if they fail, and whether the services the firm is providing risk impacting the market. Jui adds that firms will have to demonstrate to regulators how they perform their risk assessment, including the identification of risks, and coming up with responses to address those risks. “The audit partners’ number one job will be to ensure the quality of the audit engagement and the audit report, not going out and selling audit services,” Jui says.
“There is more emphasis in the new standards on inquiry mindsets and culture and leadership. I think it is a more appropriate approach in the current environment.”
Joy suggests this shift in emphasis was necessary, as the old system was not obtaining the desired result. “It is not a compliance approach; it is a much more hands-on management approach. It is more realistic in terms of how people go about doing audits and conducting their business and it is adaptive to real life scenarios,” he says. “There is more emphasis in the new standards on inquiry mindsets and culture and leadership. I think it is a more appropriate approach in the current environment.”
Fong points out that the shift should also enable the audit profession to stay one step ahead of the risks it faces, through establishing a new “baseline architecture” to foster change, noting that it enables firms to consistently manage and achieve quality and better align the needs of all participants in the financial reporting system. “A culture that facilitates proactive and regular self-scrutiny will help engagement teams to feel supported in their aims for quality engagements and enable continual improvements in quality,” she says. Stevenson agrees: “I think taking this risk-based approach should be very helpful to audit firms to actually force them to think about risks, and what solutions they should be looking for.
Impact on firms
When it comes to implementing the new standards, Joy says firms will need to spend time thinking about what they mean in the context of their own practice. “There are some key changes in the approach. It will require a different mindset; it puts a lot more emphasis on the leadership of firms, requires a culture of quality and it expects a lot more rigour about the views of engagements,” he says. Fong adds that the standards highlight the importance of having appropriate resources in place, including human resources, technical resources and intellectual resources, when conducting an engagement, which is something firms will have to focus on.
Stevenson points out that one of the main impacts on firms will be a change to the way they oversee quality, and while many firms already take a risk-based approach, it is not always formalized in the way the new standards will require. “As a group of partners, we might understand the environment and what is going on, but it is all in our heads and there is not much committed to documented plans and policies and memorandums on paper,” he says. “We do think formalizing our thought process will be a good thing for us.” He adds that the biggest concern for his firm is the level of documentation that the regulator will require firms to produce in order to demonstrate how they identify and manage risks, as the requirement is not set out in the standard.
Stevenson also points out that although the standards are designed to be scalable, implementing them might be more challenging for small and medium practices. “We have many partners who can do the work, but if you are a one or two partner practice, you need to do everything, so it is a different level of stress,” he says.
Support from the Institute
Supporting its members’ adoption of new standards is a key priority for the Institute. “The Institute appreciates that the introduction of the new standards is a significant step that will present challenges to many firms and practitioners,” says Joy. “We have endeavoured to engage members throughout the development stages of the standards and fully intend to build on that to support members in their efforts to be able to properly apply the standards from December 2022.”
As well as a range of resources on its website and live and recorded seminars and workshops, the Institute will hold more continuing professional development (CPD) events on the topic in the future.
Practical assistance and training will be most valuable for practitioners, adds Joy. “We will utilize our network of other professional bodies to identify sources of support tools and learning materials that are relevant to and address our members’ needs. The Institute has already contracted for the development and provision of a new Audit Practice Manual, which will help practitioners in their implementation of the standards,” he says.
“There are lots of resources on our webpage with examples. They have been there all the way through the project. We have frequently asked questions (FAQs), webcasts and we are thinking of doing a video,” Joy says. The Institute is also planning to leverage the implementation guidance which is set to be issued by IAASB, which it plans to supplement with local CPD events for members to help them understand the standards. “We have also commenced a project to revamp the extant guide to provide a meaningful tool to help small- and medium-sized firms comply with the new requirements.”
The IAASB has also produced a number of resources to help firms adopt the new standards. These resources, which are available on its website, include videos, practical examples that show how the requirements of ISQM 1 can be scaled according to the nature and circumstances of individual firms and their engagements, and a set of FAQs providing additional explanations and examples for some of the more complex aspects of ISQM 1.
The International Federation of Accountants is producing a series of guides to help firms understand how to implement the three standards, including highlighting the significant changes, setting out how firms should go about conducting risk assessments, and the framework they will need for identifying and evaluating deficiencies. It is also creating a series of fact sheets, FAQs and videos and assist firms with the change.
As well as promoting information from others, future A Plus articles will focus on specific aspects of the standards. “Over the next 18 months we will focus on helping members understand the principles, purpose and objectives of the new standards,” says Joy.
The new standards come into force in December 2022. Joy urges firms to start preparing for the change now. He suggests firms should first read the standards and ensure they understand their contents. “It is going to take time to understand them properly. This isn’t just a routine update of an auditing standard – this is actually the creation of two very new standards and one fundamentally changed one,” he says.
Stevenson advises: “The first thing is to get educated – take advantage of the Institute’s CPD events. The second thing is don’t leave it until December 2022 – start early, and once you get an understanding, start looking at what needs to be done in your firm.” Fong points out that, in many cases, firms will have to exercise a great deal of change management to enable the new standards to be effectively absorbed and implemented. “Firms should start thinking about developing an implementation plan to consider the fundamental concepts of the system of quality management at as early a stage as possible,” she says. “They should also assess and evaluate whether their current resources are adequate and appropriate to meet the requirements of the new standards.”
Stevenson adds that firms should not view the change just as a compliance exercise, but rather as an opportunity to enhance what they already do. “By examining everything we do to ensure we comply with the quality standards, we can make ourselves more efficient and do things better,” he says.
The three new and revised quality management standards come into effect in December 2022. International Standard on Quality Management (ISQM) 1 Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements, ISQM 2 Engagement Quality Reviews, and International Standard on Auditing 220 Quality Control for an Audit of Financial Statements, aim to strengthen and modernize audit firms’ approach to quality management and respond to the increasingly complex audit ecosystem.