Quicklinks

  1. About Us

    Find out about who we are and what we do here at ICAS.

  2. Find a CA

    Search our directory of individual CAs and Member organisations by name, location and professional criteria.

  3. CA Magazine

    View the latest issues of the dedicated magazine for ICAS Chartered Accountants.

  4. Contact Us

    Get in touch with ICAS by phone, email or post, with dedicated contacts for Members, Students and firms.

Guidance for audit firms: ISQM(UK)1 – a reminder

By Lesley Byrne, Director of Regulatory Monitoring

11 September 2023

International Standard on Quality Management (UK) 1 (ISQM (UK) 1) replaced International Standard on Quality Control (UK) 1 (ISQC (UK) 1) effective from 15 December 2022.

In both the winter 2022-23 and the spring 2023 editions of Audit News we published various articles on this important new standard, applicable to all ICAS audit firms. This article provides a round-up of the key requirements, the implications for monitoring visits, what we are finding so far on monitoring visits and a reminder of the resources available.

A reminder of the key changes

ISQM(UK) 1 introduced a new risk-based approach to quality management at the firm level. Each audit firm is required to establish a System of Quality Management (SOQM’) by 15 December 2022 which reflects the unique nature and circumstances of the firm.

The SOQM entails the firm setting quality objectives (what the firm is trying to achieve); conducting a risk assessment which involves identifying and assessing quality risks (what could go wrong); and implementing responses to address those quality risks (how to address the risks) in relation to the following components:

  • Governance and Leadership
  • Risk Assessment
  • Relevant Ethical Requirements
  • Client Acceptance & Continuance
  • Resources
  • Engagement Performance
  • Information & Communication
  • Monitoring & remediation

There are other additional requirements for firms which are members of networks and firms are required to consider the impact of the use of service providers as part of their SOQM.

The firm is required to allocate a person in the firm to take operational responsibility for the SOQM (this is usually, in most firms, the Audit Compliance Principal (ACP) but aspects may also be allocated to other principals or staff members).

The firm is also required to allocate ultimate responsibility, i.e. establish ‘where the buck stops’, in relation to ensuring the effectiveness of the SOQM. The original international standard requires that the managing partner has ultimate responsibility, but the UK plus requirements additionally require that this person or persons is/are audit qualified. The Financial Reporting Council has confirmed that where the managing partner is not audit qualified that the firm allocated ultimate responsibility to a managing board including at least one audit qualified person.

Our current understanding is that in a small firm, this could be satisfied by SOQM matters, such as the results of monitoring, being considered at normal partner meetings, where there is collective responsibility for the SOQM, provided that one of the partners attending those matters holds the audit qualification.

Once established the firm should conduct monitoring over the effectiveness of its SOQM and then remediate any issues found. Remediation involves conducting both root cause analysis over deficiencies identified during monitoring (or as a result, for example, of monitoring inspections) and then creating an action plan, and tracking progress against that action plan, to make sure that improvements have been made.

Finally, those with ultimate responsibility for the SOQM (whether that is the managing partner who is audit qualified or a board or partner meeting including an audit qualified person) must conduct an annual evaluation of the SOQM. This could involve, for example, the ACP feeding back the results of monitoring and remediation to the board in order to assess the effectiveness of the SOQM. This annual evaluation requires those ultimately responsible to conclude either that:

1.The objectives of the SOQM are being achieved.
2.The SOQM provides sufficient assurance except for an identified deficiency which is not pervasive.
3. Does not provide the required assurance.

Where the conclusion is 2 or 3 further action is needed to remediate the issues.

This means the SOQM should be constantly evolving to take into account changes in the nature and circumstances of the firm, changes in risks and to remediate issues found.

Audit firms were required to have the SOQM designed and implemented by the 15 December 2022 deadline. Firms have up until 14 December 2023 to conduct their first monitoring, remediation and annual evaluation of the SOQM.

Firms can decide for themselves whether they wish to establish their own tailored SOQM or use one of the ISQM (UK) 1 products available in the market place. If a commercial product is used, it must be tailored to the firm’s unique nature and circumstances.

What does this mean for ICAS audit monitoring visits?

Put simply, the monitoring visit will take longer (estimated at an additional day) as we are required to review how the firm has implemented all of the above changes during our monitoring visit.

During our assessment of your SOQM, we consider how well you understand your firm’s quality risks and whether your policies and procedures are adequate to mitigate these risks. This involves spending more time in discussions with each firm.  If, for example, we identify risks during the visit that your firm has not identified, this will indicate that there are weaknesses in your SOQM.

Whilst we understand there is a very steep learning curve for firms, on top of all the other pressures firms face, the FRC has made it clear to the RSBs (Recognised Supervisory Bodies) that we are expected to take robust action where there are shortfalls identified. Firms that have not made a good attempt at complying with the standard are likely to be placed on follow-up submissions with the Authorisation Committee.

Alongside the typical follow up action conditions that the Authorisation Committee currently set, such as hot and cold file reviews or training plans, additional submissions may be required such as:

  • Root cause analysis as part of report responses.
  • SOQM documentation to evidence improvements made.
  • Action plans, and progress tracking against action plans.

As we stated before in our recent implementation videos and previous Audit News articles, firms will receive much more favourable outcomes if they have tried their best to implement their SOQM.

What are we finding on monitoring visits so far?

We are very early on in our monitoring but, so far, the results of monitoring have been generally positive.  The majority of firms have been making a good first attempt at implementing ISQM (UK) 1, in a manner appropriate to the scale and complexity of the firm’s activities, and the monitoring team have been advising firms on any improvements required. Some firms have established their own documentation but the majority have used commercial products. Only a few firms to date have failed to implement the new requirements, and it is expected that the ICAS Authorisation Committee will require firms to submit clear evidence of compliance with the new standard before any monitoring visit process can be concluded.

A reminder of key resources

Firms are reminded of the ISQM (UK) 1 resources available as follows:

Links to ICAS guidance and videos

  • ISQM(UK)1 implementation guidance: Highlights certain key elements of ISQM (UK) 1 and provides tips on how to implement the standard, including useful examples- here;
  • Video: ‘ISQM (UK) 1 unwrapped’: A short summary of the main changes from ISQC (UK) 1 and the main requirements in the new standard -  here.
  • Video ‘ISQM (UK) 1: How to get started’ shares practical tips on setting up a system of quality management and can be accessed - here.

Further videos and implementation guidance can be found on the quality management page of icas.com here and an ICAS webinar sharing the tips from two ICAS firms on how to go about implementing ISQM (UK) 1 is available here.

We will be issuing a video later in 2024 on the root cause analysis requirements of the standard.

Links to the new and revised UK quality management standards

ISQM (UK) 1

ISQM (UK) 2

ISA (UK) 220 (Revised July 2021)

Conforming amendments to other ISAs and related materials (as introduced by the IAASB)

FRC Feedback Statement and Impact Assessment

The International Auditing and Assurance Standards Board (IAASB) resources

The IAASB has created a suite of resources and material to support audit firms in the transition to the new quality management approach.

First time implementation guides:

ISQM 1

ISQM 2

ISA 220 (revised)

Webinar series

Article by IAASB Chair, Tom Seidenstein

Quality management videos

Our cookie policy

ICAS.com uses cookies which are essential for our website to work. We would also like to use analytical cookies to help us improve our website and your user experience. Any data collected is anonymised. Please have a look at the further information in our cookie policy and confirm if you are happy for us to use analytical cookies: