For sustainability assurance engagements to be effective and maintain public trust, they must be performed in a way that ensures firms and their personnel fulfil their responsibilities in accordance with applicable legal and professional standards. It is imperative that assurance firms adopt a culture of best practice in accordance with these standards, enabling assurance partners in issuing appropriate assurance reports. The threats of self interest caused by increasing financial pressure on assurance partners will compromise assurance reports, as will the issues of poor planning, inadequate risk assessment and lack of resources and assurance evidence. The International Auditing and Assurance Standards Board (IAASB) issues quality standards to support firms in achieving this aim.
This article provides further background to learning outcome D1b of the Professional Diploma in Sustainability syllabus.
This article focuses in ISQM1: International Standard on Quality Management (ISQM) 1, Quality Management for Firms that Perform Audits or Reviews of Financial Statements or Other Assurance or Related Services Engagements.
The quality standards are focused on public interest, with the hope of addressing some of the circumstances where assurance failure has occurred. The need for assurance partners and assurance teams to exhibit professional scepticism, with an independent and challenging mindset, is emphasised. This is especially important when assessing client judgements and estimations. Assurance teams need to have the competence and support to do this without fearing negative implications. The quality standards adopt a proactive attitude to quality in firms rather than a compliance (‘tick box’) approach and one which is scalable from small firms to large multinational networks.
There is a need to ensure assurance quality evolves; there must be scope within quality guidance for a firm’s processes to change as technology and business practices change.
There is also focus on improving both internal and external monitoring of firms and their networks and on improving communication, both internally and to external parties such as those charged with governance (TCWG) and regulators.
ISQM 1 embeds this approach through a principle driven requirement for firms to create a system of quality management (SoQM) which is tailored to the firm and its client base. This scalability enables firms to design a system which addresses their specific circumstances and risks.
1. Firm’s risk assessment process
Firms must design and implement a risk assessment process that sets quality objectives and identifies risks. The firm’s specific situation and environment is considered and will include the technologies employed by the firm, their networks, and any external service providers. This is an ongoing monitoring process rather than one-off, enabling the SoQM to adapt with any changes.
This approach will allow the firm to tailor to address the specific risks within their firm, and it will vary according to the size of the assurance firm and their client portfolio.
By maintaining this tailored focus on risks and their mitigation, the firm should be able to focus on ensuring the right engagement or assurance report is issued for each assignment. This may be due to more competent and well-trained individuals performing complex or risky assurances, assurance partners feeling more empowered to issue modified assurance reports, by ensuring acceptance procedures fully identify threats to independence and ensure safeguards are enacted and many other factors. The most crucial point is that this approach is tailored to address the specific risks arising in specific firms and not expected to be the same for every assurance firm regardless of size or client portfolio.
2. Governance and leadership
Firms should create an environment which demonstrates a commitment to quality through its culture and recognises its role in serving the public interest. This responsibility is firm wide rather than at the individual assurance level, with the chief executive or managing partner assigned the responsibility and accountability for the SoQM. This should ensure the ‘tone at the top’ enforces a commitment to quality and ethics across the whole firm.
Systems and policies should be in place to reward commitment to quality rather than focusing on client retention and engagement profit. This should allow assurance engagement partners to challenge client judgements without fear of the negative consequences of losing the revenue arising from the loss of the client. In this way, all employees of the firm are supported to fulfil their legal and regulatory requirements without undue commercial pressures or self-interest resulting in inappropriate decision making.
3. Relevant ethical requirements
The SoQM should include objectives and policies for ensuring the fulfilment of ethical requirements. These processes will again differ depending on firm size and client portfolio; the scalability of the standard requires firms to have in place mitigations for ethical risks arising which are appropriate to the firm rather than a fixed response to a given risk.
Not only must a firm ensure its own personnel understanding of and compliance with relevant ethical requirements, for example, through training and ethical declarations such as independence forms, firms must also ensure that any component assurance practioners in a group understand and apply the ethical regulations applicable to the group.
Relevant ethical requirements for a firm depend on the jurisdiction it operates in; these may go beyond those set out in the IESBA International Code of Ethics for Professional Accountants (the Code). It is also the case that many firms will have in place policies to mitigate ethical threats which go beyond the minimum required by the Code and regulatory requirements of the jurisdiction in which the firm operates: ISQM 1 requires firms to ensure these requirements are also captured by the SoQM. For example, many firms or jurisdictions prohibit the acceptance of gifts, even of trivial value. Failure to adhere to the firm’s policies would be seen as a failure of its SoQM despite not giving rise to a breach of the Code.
Scalability of the standard enables firms to mitigate for ethical risks arising which are appropriate to the firm, for example, a firm which is part of a large network will require more detailed processes to identify possible conflicts of interest between clients than those in a smaller firm.
4. Acceptance and continuance of client relationships
ISQM 1 places additional emphasis on the procedures addressing client acceptance and continuance of existing business relationships. Firms must assess the integrity and ethical values of the client and its management, as well as the firm’s ability to perform the engagement within legal and professional requirements. The SoQM should ensure that the firm’s financial and operational priorities do not lead to inappropriate judgements when deciding whether to accept or continue with a client engagement. The decision to continue with or accept a new client should focus on the firm’s ability to provide a quality engagement.
Existing business relationships should be reassessed at the start of each new year prior to reappointment as assurance practioner. This may mean performing fresh identity checks, reperformance of independence declarations of employees, and re-evaluating conflicts of interest and/or competence to perform the assurance. It will also involve assessing whether new information, had it been known at point of acceptance, would have prevented the firm from accepting the client. For example, a client involved in breaches of regulations may not be a client with values compatible with the assurance firm.
5. Engagement performance
Engagement teams must understand their responsibilities for ensuring a quality assurance. Less experienced engagement team members should be appropriately supervised and reviewed. ISQM 1 specifically references the need for the assurance engagement partner to be sufficiently and appropriately involved throughout the engagement.
Assurance teams should ensure professional scepticism and judgement are exercised. Processes should ensure professional scepticism and judgement are exercised by engagement teams. If an assurance team has insufficient time to perform necessary procedures, or team members are not experienced enough to challenge management or identify misstatements, then detection risk increases and assurance quality will be compromised. For assurances to be effective, and to maintain public trust, they must be performed in such a way as to ensure the assurance reports issued are appropriate in the circumstances and that firms and their personnel fulfil their responsibilities in accordance with applicable legal and professional standards.
The SoQM should ensure that teams can consult on contentious matters; differences of opinion within the engagement team are addressed and any issues raised by the engagement quality reviewer are brought to the attention of the firm and resolved.
6. Resources
A firm must ensure that appropriate resources are available in a timely manner. This includes employees with the required competence, training, and capabilities to perform the engagements to which they are assigned. Firms should ensure more experienced individuals to work on areas of a complex nature requiring additional judgement and ensuring sufficient review by senior team members or allowing adequate time to do sufficient testing and analysis of the issues.
Consideration should be made to use independent experts where the firm does not have appropriate personnel, or if the firm requires additional specialist technological resources.
7. Information and communication
Information and communication are required to enable other components of the SoQM to operate. This includes obtaining, generating and using information and communicating the information within the firm, for example, communicating policies to personnel, communication of information obtained during an assurance with an engagement quality reviewer, or communication between group and component assurance practioners. It also includes external communications such as to TCWG or a regulator.
ISQM 1 considers information and communication to be pervasive to all components of the SoQM as without it, the system cannot operate. The full range of information and communications within the SoQM is extensive; the boxed text below considers just a few examples in some of the elements of ISQM 1 for context.
Ethical and professional requirements
Client acceptance and continuation
Engagement performance
Communications should be made in a timely manner supporting the firm’s culture to exchange information where appropriate, for example where an ethical threat precludes the assignment of a team member to a specific client, the team member would be expected to inform the firm.
ISQM 1 also makes specific reference to external communications required to maintain assurance quality. This includes communication within the firm’s network and with service providers, communications required by law or professional standards, such as when there is a specific requirement to report a client’s non-compliance with certain laws and regulations to TCWG.
8. Monitoring and remediation process
Firms must put in place a process for monitoring the SoQM’s effectiveness and ensure deficiencies are identified in a timely manner, allowing corrective actions to be implemented. This process is a continuous cycle which firms are specifically required to undertake.
ISQM 1 provides a focus on assurance quality and a process of risk management with respect to quality that aims to ensure all firms have quality as a priority when performing assurances engagements. The standard is principles driven with a focus on scalability, flexibility and continuous improvement.
Quality management is core to assurance, and a detailed understanding of the importance of both assurance quality and quality management underlies the performance of an assurance engagement. Quality is a key part of ensuring that assurances are fit for purpose and retain the public trust. As such, it is key to every assurance engagement and every stage of the assurance process.
Further reading
Adapted from an article written by a member of one of ACCA’s examining teams