ISQM (UK) 1 – annual evaluations
International Standard on Quality Management (ISQM) (UK) 1 has now been in place for almost two years. Effective monitoring and evaluation arrangements are a key component of a functioning System of Quality Management (SoQM), and firms should have conducted at least one annual monitoring and evaluation cycle by now, with the second due before the end of 2024. The monitoring team thought this would be a good time to remind firms of some of the key monitoring and evaluation requirements.
Monitoring
Firms need to establish monitoring processes that will provide relevant, reliable and timely information about the design, implementation and operation of the full SoQM. While a cold file review process will be one key (and mandatory) element of that, it is not the only monitoring process required. Firms should ensure monitoring activities cover all elements of the SoQM, and the nature and timing of such activities will depend on:
(a) The reasons for the assessments given to the quality risks;
(b) The design of the responses;
(c) The design of the firm’s risk assessment process and monitoring and remediation process;
(d) Changes in the system of quality management;
(e) The results of previous monitoring activities, whether previous monitoring activities continue to be relevant in evaluating the firm’s system of quality management and whether remedial actions to address previously identified deficiencies were effective; and
(f) Other relevant information, including complaints and allegations about failures to perform work in accordance with professional standards and applicable legal and regulatory requirements or noncompliance with the firm’s policies or procedures established in accordance with ISQM (UK) 1, information from external inspections and information from service providers.
Each firm’s monitoring processes will depend on how the firm’s risk assessment process is designed. The standard recognises approaches will differ, given the size and complexity of each audit firm:
“In a less complex firm, the monitoring activities may be simple, since information about the monitoring and remediation process may be readily available in the form of leadership’s knowledge, based on their frequent interaction with the system of quality management, of the nature, timing and extent of the monitoring activities undertaken, the results of the monitoring activities, and the firm’s actions to address the results.
In a more complex firm, the monitoring activities for the monitoring and remediation process may be specifically designed to determine that the monitoring and remediation process is providing relevant, reliable and timely information about the system of quality management, and responding appropriately to identified deficiencies.”
Evaluating the System of Quality Management
Firms are expected to identify whether any ‘deficiencies’ exist in the SoQM by evaluating any findings from their monitoring processes. The standard recognises that a deficiency may arise from a single finding or a combination of findings. Professional judgement needs to be applied in determining whether findings, individually or in combination, give rise to a ‘deficiency’ in the system of quality management. The application material in the standard itself provides a number of examples which firms may find useful when conducting evaluation processes and forming judgements on the nature of any findings and their pervasiveness.
The standard requires the individual(s) assigned ultimate responsibility and accountability to evaluate the SoQM at least annually. Typically, in the firms we monitor, the evaluation process is conducted by the Audit Compliance Principal, being the individual with ultimate responsibility. The standard recognises that other individuals may assist in performing the evaluation, but firms should be clear that whoever is assigned ultimate responsibility for the SoQM is responsible for the overall evaluation.
Concluding on the evaluation
Based on the evaluation, the individual(s) assigned ultimate responsibility for the SoQM needs to conclude using one of the following three statements:
(a) The system of quality management provides the firm with reasonable assurance that the objectives of the system of quality management are being achieved;
(b) Except for matters related to identified deficiencies that have a severe but not pervasive effect on the design, implementation and operation of the system of quality management, the system of quality management provides the firm with reasonable assurance that the objectives of the system of quality management are being achieved; or
(c) The system of quality management does not provide the firm with reasonable assurance that the objectives of the system of quality management are being achieved.
Conclusion (a) indicates there may have been no deficiencies identified by the firm’s monitoring processes. Where deficiencies have been identified in the SoQM then conclusions (b) or (c) would appear to be more appropriate, depending on how significant those deficiencies were.
Root Cause Analysis
In any case where conclusions (b) or (c) were appropriate, it is expected that root cause analysis would be required over the deficiencies driving that conclusion. Once root causes have been identified the firm would also need to set a remedial action plan. Firms should be clear that a (b) or (c) conclusion to the overall evaluation will require the firm to:
(a) Take prompt and appropriate action to address the deficiencies identified; and
(b) Communicate matters to:
- Engagement teams, to the extent that it is relevant to their responsibilities; and
- External parties, if required under the firm’s policies or procedures.
Monitoring reviewers would expect to see a clear record of a firm’s root cause analysis and remedial action plan on any monitoring visit that followed a (b) or (c) conclusion to the annual SoQM evaluation.
Periodic performance evaluations of individuals with responsibility for the SoQM
It’s also worth noting that in addition to the annual evaluation of the SoQM, ISQM (UK) 1 requires firms to undertake periodic performance evaluations of:
- the individual(s) assigned ultimate responsibility and accountability for the SoQM, and
- the individual(s) assigned operational responsibility for the SoQM.
It is expected that the outcome of the annual evaluation of the SoQM would form a key element of these periodic performance evaluations.
Annual reporting of the firm’s evaluation
Going forward, firms will be asked to report their conclusion on the annual evaluation of the SoQM through the Firm’s Annual Return process.
Importance of a compliant approach
The Financial Reporting Council (FRC) has been very clear on the importance of ISQM (UK) 1's implementation and compliance as part of all audit firms’ registrations, and this will remain an area of focus during 2025. In terms of monitoring compliance, there is a clear expectation that any firms that have not conducted and evidenced the required ISQM (UK) 1 evaluation by 15 December 2023 would be breaching Audit Regulation 3.10 (Compliance with auditing standards and the quality management standards). Where such a breach is identified, any failure to remediate the issue on an expedited basis will result in consideration by the ICAS Authorisation Committee, which could include the consideration of regulatory actions.
Additionally, the FRC has requested we notify it directly of any firms failing to remediate such non-evaluation of ISQM (UK) 1 on an expedited basis. This reporting requirement is a significant step, and should leave all parties in no doubt as to the importance of compliance in this area.