Quicklinks

  1. About Us

    Find out about who we are and what we do here at ICAS.

  2. Find a CA

    Search our directory of individual CAs and Member organisations by name, location and professional criteria.

  3. CA Magazine

    View the latest issues of the dedicated magazine for ICAS Chartered Accountants.

  4. Contact Us

    Get in touch with ICAS by phone, email or post, with dedicated contacts for Members, Students and firms.

Changes to the Audit Regulations – Audit compliance review

By Michael Lavender & Lesley Byrne

6 November 2024

On 1 October, revised Audit Regulations were published on ICAS.com. This article covers the changes to the requirements relating to audit compliance reviews.

Changes to the Audit Regulations

On 1 October, revised Audit Regulations were published on ICAS.com. There have been several amendments made, and firms should ensure that the revised regulations are reviewed and adhered to going forward. While there have been various changes made, revisions to the following three areas are considered to have the most significant effect on our audit firms:

  • Audit eligibility;
  • Maintaining competence / Continuing Professional Development; and
  • Audit compliance review.

Changes to the regulations relating to the audit compliance review process

The guidance notes to Audit Regulation 3.20 have been expanded and updated to more clearly cross refer to the requirements brought in by the International Standard on Quality Management (UK) 1 (ISQM1).

Audit Compliance Review (including Cold File Review)

Given the guidance and commentary available elsewhere on ISQM1, and the monitoring and evaluation processes it requires, this update will not go into detail on those changes. However, we do want to signpost an amendment to the commentary on cold file review processes.

Firms should already be aware that the regulations require a process of cold file review(s) to be conducted annually. Previously the de minimis required by the Audit Regulations was for at least one cold file review to be conducted per year. The updates to the regulations give additional guidance:

“ISQM1 requires firms to select at least one completed engagement for each responsible individual on a cyclical basis determined by the firm. It also prohibits and engagement team members or the engagement quality reviewer from performing any inspection of that engagement.

However, to comply with these regulations the firm’s procedures for review of completed engagements must also meet the following two criteria:

1. The cycle of inspection of completed engagements for each responsible individual must not exceed three years.
2. Monitoring must include at least one inspection of a completed engagement, each year.

Where the additional reviews required by ‘2’ above exceed those that would be required for the firm to comply with ISQM1, the firm may relax the requirement for the inspection to be conducted by an individual independent from the engagement team providing it considers that the selected individual is able to conduct the review with a sufficiently independent and objective mindset.

A firm that does not have a suitable internal reviewer meeting the criteria set out in ISQM1 should engage an external reviewer at least once every three years.”

The latter two paragraphs here recognise that a small, sole RI firm may well have challenges in conducting an independent cold file review process. As in the previous Audit Regulations, a sole RI can conduct a cold file review of one of their own files (so long as they are able to conduct the review with a sufficiently independent and objective mindset) on the proviso that an externa cold file review process is engaged at least once every three years.

Firm Quality Management processes in the year of a monitoring visit

One other minor amendment flagged in the revised regulations, is that:

“A firm should conduct monitoring each year, even when the firm has had a quality inspection from the Institute during the year.”

While this has always been the case, as ICAS Audit Monitoring do not form part of a firm’s quality management (or control, as was) processes, this is a welcome opportunity to remind firms that they must continue to conduct their own quality management reviews, including ‘whole firm’ monitoring and cold file reviews, even in years when a monitoring visit is expected, planned, or has taken place.

ICAS Audit Monitoring findings

Looking back at the 2023 ICAS Audit Monitoring visits, 32% of visits identified a breach of AR 3.20. The most common underlying issue being the lack of an effective cold file review process. In most cases, this resulted from a complete lack of a cold file review process in the year of the monitoring visit, and that preceding it.

Our 2023 Monitoring Report noted that an effective cold file review process is an essential component of a firm’s SOQM, and firms with good quality audit files tend to have an effective cold file review process in place more often than not. Most cases where a cold file review process had not been conducted at all involved smaller firms, and it is acknowledged that sole RI practices can find it especially challenging. As above, it is recognised that a sole RI can still conduct their own cold file review so long as an external reviewer is engaged at least once every three years. Smaller firms may also want to consider whether there is any another individual in the firm who, although not a responsible individual, is very experienced in current auditing requirements and might be able to undertake an effective review. If so, assuming that the individual did not take part in the audit, the firm may decide this individual would be a suitable person to conduct the required cold file review.

In 2023, reviewers also came across some instances where a cold file review had been conducted as required, but where the findings of the process were inconsistent with the findings of ICAS Audit Monitoring. This is most often the case where an internal review did not raise many queries, or did not identify significant issues that were identified in the monitoring visit. Firms should ensure that any cold file review process is robust and conducted by individuals with sufficient capability and experience.

More latterly, the monitoring team has anecdotally considered there to be a correlation between firms (including even larger firms) that choose to engage an external cold file review process and better levels of audit quality, even when such reviews are only engaged on a periodic basis (e.g. every second or third year). This may not be unexpected where internal reviews tend towards considering compliance with firm procedures and ‘the way we do things’, while external reviews give a different perspective. While external reviews are not certainly required under the regulations (other than as previously stated) firm’s may want to consider what options are available to them to ensure their monitoring procedures are as affective and robust as possible.

Our cookie policy

ICAS.com uses cookies which are essential for our website to work. We would also like to use analytical cookies to help us improve our website and your user experience. Any data collected is anonymised. Please have a look at the further information in our cookie policy and confirm if you are happy for us to use analytical cookies: