Important reminders on key audit compliance issues
Our recent monitoring visits have highlighted a number of key compliance issues. Here's a reminder of what you need to know to stay compliant.
In recent editions of Audit News and in articles on icas.com, we’ve discussed the importance of meeting the eligibility requirements set out in the Audit Regulations.
Common eligibility issues
In our 2025 Annual Monitoring Report, we flagged the most common underlying causes of eligibility issues our Monitoring team had encountered, which included:
- No notification of a new principal, and lack of required audit affiliate application.
- A change in principals leading to insufficient control by individuals with the Audit Qualification.
- A holding company, which wholly owned an audit firm, not being audit registered itself.
- Articles of association for ltd company firms not containing the required provisions regarding disclosure and transfers of shares.
Eligibility breaches
Eligibility breaches are among the most serious matters identified during a monitoring visit and will always require consideration by the full ICAS Authorisation Committee.
Given the fundamental importance of eligibility to the validity of audit reports, any related breaches could well result in regulatory action being taken, including the likes of regulatory penalty with associated public notice, or even more serious consequences depending on the circumstances.
Our previous communications on this have identified that some firms may be able to get temporary dispensation from the eligibility requirements depending on their circumstances.
Notifying ICAS
The Financial Reporting Council (FRC) has written to all Recognised Supervisory Bodies (RSBs) to clarify how temporary breaches of audit firm eligibility requirements should be handled and to reinforce the importance of prompt action when eligibility issues arise.
The letter followed a recent case in which a non-ICAS audit firm unknowingly remained in breach of eligibility criteria for an extended period and failed to notify its RSB until long after the issue first occurred.
The FRC has used the case to emphasise that firms have a continuing obligation to meet eligibility requirements at all times and must notify their RSB as soon as practicable - and no later than 10 business days after a breach arises.
Three-month dispensation starts when the breach occurs
The three-month dispensation period, allowed under the Audit Regulations (which originates in Schedule 10 of the Companies Act 2006), runs from the date the eligibility issue first arose, not from the date it’s reported to the RSB.
Delayed notification doesn’t extend the period available for remedial action, and once a breach has existed for more than three months the FRC's view is that an RSB shouldn’t grant a dispensation and should instead begin the deregistration process.
Firms shouldn’t sign audit reports while their eligibility status is unresolved.
Check eligibility before problems arise
The FRC’s letter serves as a reminder for all audit firms to regularly check that they meet the eligibility requirements. If there are any issues, please tell the Authorisations team and fix problems promptly to avoid the firm's audit registration being affected.
Remember that the eligibility requirements apply to all principals of an audit firm, meaning that a change in circumstances (eg a loss of membership of an institute) by a single principal can create an eligibility issue requiring prompt action.
Although firms have to report significant changes in the practice within 10 business days after they happen, our Monitoring team strongly advises them to contact our Authorisations team as soon as they become aware of any potential changes. This helps deal with any eligibility issues early, before the firm becomes non-compliant.
The importance of recording annual SOQM evaluations
Under ISQM (UK) 1, firms are required to monitor their System of Quality Management (SoQM) and, at least annually, evaluate whether the system provides reasonable assurance that the firm's quality objectives are being achieved.
The FRC has already written to all RSBs, including ICAS, to make clear that firms must complete their evaluations on time. If they haven’t, they need to fix this on “an expedited basis”.
Where a firm fails to do so, the matter is expected to be escalated through the relevant regulatory processes, and the FRC has also requested that any future instances of non-evaluation are reported to them directly.
Firms should remember that the annual evaluation isn’t simply a compliance exercise. It’s a key part of the monitoring and remediation process within ISQM (UK) 1, requiring firms to consider the results of monitoring activities, identify deficiencies, evaluate root causes and determine whether remedial actions are necessary.
All audit firms should make sure they complete a clear, evidence-based evaluation of their SoQM at least once a year and keep a record of it as part of their quality management records Failure to do so is likely to attract regulatory attention and may result in further action being taken where deficiencies aren’t addressed promptly – which may include direct reporting of the firm to the FRC.
Committee conditions – the importance of understanding what is required
If an audit monitoring visit finds issues that need further action, the ICAS Authorisation Committee may impose conditions for the firm.
This could include the requirement to provide extra information, carry out specific review work, or demonstrate that problems have been fixed. These conditions are an important part of the regulatory process. They help make sure issues are properly resolved and, where needed, protect clients and the wider public interest.
There have been some recent cases which highlight the importance of firms carefully reading and understanding exactly what’s required by any conditions imposed. In particular, what’s required when the Committee imposes a ‘hot file review’ condition – as may be applied to a specific audit file or more generally to audits being undertaken.
The raising of a hot file review condition isn’t a step the Authorisation Committee takes lightly. When communicating this condition to a firm the Committee is clear in its expectations. It requires reviews to be conducted to an appropriate standard.
When choosing a reviewer, it's important that a firm is satisfied that the reviewer has the appropriate competence, capabilities, and authority to undertake the review. Further information on the related requirements can be found within the International Standard on Quality Management (UK) 1 & 2 (ISQM1&2) and within Audit Regulation 3.20.
A hot file review must be completed before the audit report is signed, to make sure the audit work meets auditing standards and the firm’s own procedures.
The Committee requires the hot file reviewer to ensure there’s a summary of key areas of non-compliance recorded .
They must conclude on whether all relevant points raised have been resolved by the auditor appropriately before the audit report is signed. This means the reviewer must consider how the auditor has dealt with any significant issues found, which may include re-reviewing work that has been updated.
The reviewer must then formally confirm that the audit report can be signed before the auditor signs it. If these steps are not completed, the firm will not have met the Committee’s condition, which is a very serious matter.
There have been recent cases where firms under a hot file review condition have engaged an experienced external reviewer to carry out the review and submitted the results on time. However, it was apparent that the review process undertaken didn’t fully meet the Committee's requirements as the submissions didn’t include evidence that the auditor's responses had been considered by the reviewer and that they had formally confirmed that all significant matters had been satisfactorily addressed before the audit report was signed.
Importantly, this non-compliance didn’t happen because the firm failed to engage the hot file review. Instead, it was due to not fully understanding the requirements set out in the Committee’s condition letter and the scope of the review they had arranged.
These cases should provide an important reminder for all firms. Where conditions are imposed, firms should take the time to read the requirements carefully, ensure they understand exactly what evidence or outputs are expected, and confirm that any third-party reviewer or consultant engaged to assist is aware of the Committee's specific expectations.
If there’s any uncertainty, firms should discuss the matter with our Authorisation Committee Secretary at an early stage rather than risk completing and submitted work that doesn’t fully satisfy the condition(s) raised.
Failure to comply with a condition on a firm’s audit registration will be reported to the Authorisation Committee and it’s expected that, in most cases, further regulatory action would be considered as a result. Such action could include regulatory penalty (along with public notice); further restrictions and/or conditions being raised over a firm’s registration, or ultimately the Committee withdrawing the firm's audit registration.
Categories:
- Audit and assurance
- Audit News




