The changes emerging for audit firm quality management standards may pose implementation challenges for firms that are comparable to those caused by Section 404(b) of the Sarbanes-Oxley Act for audit clients a generation ago, according to KPMG’s Christian Peo, CPA.
Yet Peo, KPMG’s national managing partner for audit quality and professional practice, is excited about the new quality management standards because he believes they represent an opportunity for firms to continue the work they have been doing to improve quality in the profession.
“It really allows us some opportunities to further our continuous improvement mindset and really improve audit quality,” Peo said. “We’re excited about this standard even though there are some challenges.”
The implementation efforts are coming as a result of changes by many of the major standard setters in the quality management area:
- The International Audit and Accounting Standards Board (IAASB) in December issued three quality management standards. International Standard on Quality Management (ISQM) 1 and 2 and International Standard on Auditing 220 (Revised) are designed to move the profession away from quality “control” and toward quality “management.”
- The PCAOB in December 2019 issued a concept release that proposed changing standards for audits of U.S. public companies in ways that are similar to the new rules prescribed by the IAASB.
- The AICPA Auditing Standards Board (ASB) issued an exposure draft Thursday proposing three interrelated standards that address quality management. These proposed standards also will be similar to the IAASB’s standards.
Particularly for global firms whose work is subject to different regulatory agencies, minimizing the differences between standards is critical.
“One challenge could be making all that work together,” said Jennifer Haskell, CPA, chief auditor at Deloitte & Touche LLP. “There’s a lot of stakeholders and interested parties, so aiming for as much consistency as possible will be a challenge but will be a really great reward at the end.”
A broad summary of the IAASB’s standards would show that they:
- Move quality management from a policies-based approach to a risk-based approach. ISQM 1 requires a firm to establish quality objectives, processes, procedures, and controls based on the risks that are particular to the individual firm’s circumstances.
- Place more rigor around the accuracy and completeness of the information and communications a firm uses in its system of quality management.
- Establish firm leadership’s responsibility and accountability for quality management and require an annual evaluation of effectiveness.
- Modernize the standards so they are relevant and compatible with the innovations taking place in the profession. For example, where an element in the old standard referred to the “human resources” element of the system of quality control, the new standard refers to a resources element that includes human, intellectual, and technological components.
The requirement to document and test all processes, process risk points, and controls is where the quality management standards most resemble the rules for implementing SOX 404(b). The processes are all in place, Peo said, but documenting and testing them is a different challenge.
“Some people thought the same thing about SOX 404 when they first implemented,” Peo said. “It was like, ‘How hard can that be?’ They already have the processes in place. And you pretty quickly realized, it’s a different exercise when you have to go through and document it all and then test it.”
“My first piece of advice,” Haskell said, “would be to figure out where you are in relation to the new standard, figure out the quality objectives in the new standard, and line them up against what you’re measuring today as part of your system of quality control.”
Experts say it’s critically important that the standards can be easily applied to audits of all levels of complexity at all the various sizes of firms.
“There could be different challenges for different sets of firms, depending on how the standards are written,” said Brian Croteau, CPA, a partner in the National Quality Organization of PwC’s Assurance Practice and Regulatory Risk and Quality Control leader. “But the good news is that it seems the standard setters and regulators are focused on that issue and really are trying to think about how to write the standards, or in the IAASB’s case, already wrote the standard, in a way that they believe is sufficiently scalable to firms of all sizes.”
Nonetheless, firms of different sizes will have different challenges with implementation. Smaller firms may struggle with this effort because they don’t possess the resources that larger firms can rely on for implementation.
On the other hand, processes and controls at small firms that perform less-complex audits won’t be as complicated, so they will be easier to document.
“When you have a huge firm, things can get pretty complicated just from a process standpoint because there are so many people and so many different types of audits,” Peo said. “I think smaller firms will have a challenge, but I think they’re probably just different challenges from larger firms.”
Although implementation may be burdensome, experts say it’s worth it because they believe the standards ultimately will result in better performance on audits.
“A strong system of quality control provides the framework for consistent execution of high-quality audits at the engagement level,” said Christine Davine, CPA, national managing partner for quality, risk, and regulatory for Deloitte & Touche LLP. “That framework then positions our engagement teams for success on their audits.”
The standards add to a groundswell of support in the profession for improving the training, tools, and processes that lead to improved performance on audits. It has been almost seven years since the AICPA embarked on its Enhancing Audit Quality initiative, which has provided resources and guidance for firms and practitioners to use in their pursuit of continuous improvement.
There may be challenging times ahead for auditors as they change their systems to reflect a risk-based approach and document processes and controls. But even if the implementation effort reminds auditors of SOX 404(b), there is a real opportunity ahead with the quality management standards.
It would be possible for firm leaders to treat adoption like a compliance requirement, dutifully checking the boxes and documenting the controls to get the work completed so they can report that they are in compliance. But being thoughtful about the documentation can help firms take inspection findings and perform a root-cause analysis to find weaknesses in the system of quality management and fix them so that improvement becomes continuous.
“I see this as a great opportunity,” Haskell said. “Some firms might see this as an overwhelming exercise, but … this is a good standard and one that will benefit us from thinking about things a little bit differently, perhaps documenting things a little bit differently. Overall, the fact that it’s modernized and helps firms think about their system of quality control, which is such a fundamental topic, I think it is great.”
Ultimately, it’s hoped that the new standards and continued commitment to improvement in the profession will lead to better audit quality and as a result will bring benefits to investors and the capital markets.
“We do believe the costs and efforts that we have and will continue to incur relative to a quickly changing environment and maintaining our quality control system are very important and beneficial to the results of continuous improvement in quality and the reliability of financial reporting,” Croteau said. “All of that has benefit to the capital markets.”
— Ken Tysiac (Kenneth.Tysiac@aicpa-cima.com) is the JofA’s editorial director.