Audit quality in the spotlight

This article was current at the time of publication.

From 15 December 2022, all firms engaging in audits, assurance, or related services, have needed to comply with the new auditing standard ASQM 1. It shifts the focus from quality control to a system of quality management (SOQM), where identified risks are assessed and responded to and quality manuals become continually refined living documents. 

CPA Australia’s Head of Professional Standards, Melissa Read FCPA, says ASQM 1 reinforces the importance of governance and leadership over the systems that support high-quality engagements.

“For any practice that we assess this year, we’re looking for evidence that they have adopted ASQM 1,” Read says.

Each year, CPA Australia assesses a sample of members in public practice in Australia and New Zealand to gauge their compliance with both professional and ethical obligations as well as their requirements under CPA Australia By-laws. 

Read says current assessments indicate that while most members have attempted to implement ASQM 1, the challenge is in shifting their mindset from quality control to quality management.

“Practices have already had a quality control process and so many think there are no risks to quality because they have policies and procedures,” she says. 

“However, they need to think about risks to their quality objectives as though there were no controls in place. 

“It's one thing to say that quality risks are managed because you have these policies and procedures but are they operationally effective? Are you doing anything to evaluate that? The standard now requires that you do this annually.”

Take action to manage quality risks

Quality risks vary depending on the size of a firm. Small firms, for example, may face risks to governance and leadership by not adequately documenting their policies and procedures.

“There might be only two people in the practice, so they may not think it’s worth documenting their procedures because they know them like the back of their hand,” Read says. “But this presents quality risks that need to be managed.”

Conflicts of interest also present risks to relevant ethical requirements. For example, a quality objective for the “Relevant ethical requirements” component under ASQM 1 is “Personnel understand the relevant ethical requirements to which the firm and the firm’s engagements are subject”. 

Failing to fulfil this requirement presents a risk to all firms, and a response under ASQM 1 may include mandatory training for all staff on relevant ethical requirements. 

Other responses might include mandatory rotation periods for all engagement partners to help avoid long associations with an audit client, which can jeopardise independence.

A quality management tool to the rescue

CPA Australia has developed an Excel tool to help you develop a SOQM for your practice, tailored to your individual circumstances. You can choose to use the version for sole practitioners and small firms, or network firms, depending on your needs. 

It provides the quality objectives outlined in ASQM 1 for each of the key components of quality management, as well as a library of possible risks for each. It also includes space to add to or modify objectives and risks. 

Once risks are identified, the tool prompts you to assess them by considering the likelihood and effect of achieving the quality objective. If the assessment requires you to respond to the risk, the tool has a library of possible risk responses, which you can edit or expand on.

From 15 December this year, firms need to have finished monitoring the SOQM under ASQM 1 and have identified appropriate risk remediation. 

“You need to take steps to assess whether the controls you’ve defined against your identified risks to achieving your quality objectives have been effective,” Read emphasises. “We’re adding to our ASQM 1 tool so that members can enter the steps they’ve taken to consider whether the controls have been effective.

“As a result, you’ll be able to determine if you need to change your policies and procedures, whether your risk rating has changed or whether you’re achieving your quality objectives.”

“You can also identify if deficiencies have crept in that shouldn't have if you’d followed the controls you’d put in place, and that’s where a root cause analysis is really important. We would expect to see that being evidenced in your evaluation of a system of quality management.”

A scalable, risk-based approach

ASQM 1 is the Australian equivalent of the International Standard on Quality Management [ISQM 1] – Quality Management for Firms that Perform Audits or Reviews of Financial Reports and Other Financial Information, or Other Assurance or Related Services Engagements.

It applies to all firms, regardless of size, that perform audits or reviews of financial statements, or other assurance or related services engagements, such as pro bono work.

ASQM 1 has been designed as a scalable, risk-based approach and can be tailored to the nature and circumstances of a firm and to the engagements it performs. 

6 key quality components of a SOQM

Under ASQM 1, a SOQM has the following key components:

1. Governance and leadership
2. Acceptance and continuance
3. Resources
4. Relevant ethical requirements
5. Engagement performance
6. Information and communication

For each quality component, firms must identify and assess quality risks and then design and implement responses that adequately address them.

Regular review of the SOQM is also required to identify and address areas for improvement. This is known as the monitoring and remediation process. 

Read explains that if a deficiency is identified during the monitoring process, the firm must undertake a root cause analysis to get to the bottom of it. 

“This helps you to avoid a quick fix because when you respond to the underlying cause, the deficiency is far less likely to occur again,” she says