Professional Documents
Culture Documents
JGA - Bridging The Gap ISQM 1 and The Knowledge and Resource Gaps
JGA - Bridging The Gap ISQM 1 and The Knowledge and Resource Gaps
JGA - Bridging The Gap ISQM 1 and The Knowledge and Resource Gaps
Many in the profession remember the passage of the Sarbanes-Oxley Act of 2002 and the amount of time and effort
that went into the adoption and implementation of internal controls over financial reporting (ICFR). Issuers worked
months upon months with consultants and audit firms to create an internal controls framework and to formalize
processes so that both management and the auditors could opine on the design and operating effectiveness of ICFR.
Now, with the adoption of the International Standard on Quality Management 1 (ISQM 1), issued by the International
Auditing and Assurance Standards Board, the profession is bracing for yet another significant change in the industry.
Whereas 404 regulated internal control requirements for public issuer companies to ensure quality financial reporting,
ISQM 1, for lack of a better comparison, is essentially laying the groundwork for internal controls for audit firms to
ensure quality audits.
Though the PCAOB is lagging behind in its QC standard-setting process, it has repeatedly indicated that its new QC
standard will pull largely from ISQM 1, as was evidenced in the PCAOB QC Concept Release. ISQM 1 is intended to
be scalable, but regardless the size of the firm, all firms will be required to design, implement, and certify the
effectiveness of controls that address specific audit quality risks.
Isn’t that already in place with the PCAOB’s current QC standards? 1 Technically, yes. In fact, many of the components
of ISQM 1 are already part of current PCAOB standards. While there are new incremental requirements under ISQM 1,
principally around risk assessment, root cause analysis and remediation, what make ISQM 1 unique is that audit
firms, similar to public companies, will now have to annually assess the effectiveness of their systems of
quality management.
Similar to the early days of SOX 404, the weight of ISQM 1 (and the anticipated changes to PCAOB QC standards) is
leaving many feeling overwhelmed and unsure where to begin and how to bridge the gap, or should I say gaps (plural),
from current QC standards to the new ISQM 1. In my perspective, just like with the advent of internal controls, there is
first a knowledge gap and then a resources gap.
For instance, take risk assessment; what does it mean for an audit firm to perform a risk assessment over its system
of quality management? Though firms have become accustomed to performing risk assessments over financial
statements when designing an audit, risk assessment over a firm’s system of quality management is foreign. What are
the components of the risk assessment? ISQM 1 provides certain required quality objectives, but the guidance does not
say it is an exhaustive list. Each firm will need to consider other potential risks. Have all relevant risks been
considered? What is the right level of granularity?
Or take root cause as a different example. Root cause has been talk of the town for the past couple years, especially
in the “best practices” arena. Now, with ISQM 1, it will become a mandatory component of firms’ systems of quality
management. What is the methodology and process to execute an effective root cause analysis? What happens with the
results of the root cause analysis?
Despite its “scalability,” in my perspective, ISQM 1 is a significant undertaking. I think firms that want to be successful
need to consider the reality that ISQM 1 may require additional resources, which means additional investment.
Page 2
Invest in Technical Resources
Finally, firms will need to consider additional technological resources. In fact, ISQM 1 has a component dedicated just
to the sufficiency of resources and specifically calls out information technology. Establish mechanisms to track,
communicate and report information reliably. While some firms will continue to use more manual processes mixed with
excel templates, many firms will need to consider implementing new IT systems to assist with the expanded
requirements of ISQM 1. I personally think this is important for all firms to consider as IT continues to play a greater
and greater role in all aspects of business. While an IT investment is a significant upfront investment, it is intended to
drive future efficiency. Don’t be afraid to ask the question, “How can IT help me do this?”
To the extent firms struggle to find resources internally, many will need to look externally, whether to hire in or to
partner with during the implementation/transition period. We already assist many firms with various aspects of QC, such
as monitoring and pre- and post-issuance reviews, consultations, policy reviews, etc. In addition, we’ve also started
researching various technological resources to help support firms as they consider implementing new systems. We’re
here to help, whatever your question or need.
ISQM 1 is a large undertaking. Thankfully, there is still time. And thankfully you don’t have to go it alone. The whole
industry is going to have to adapt and much like we did for SOX 404, we’ll partner together and embrace the changes.
There will be learning curves as we grasp the full extent of the changes required; that’s the nature of overcoming any
knowledge gap. And of course, there will be moments where we feel overwhelmed with the amount of work to do to get
ISQM 1 compliant; that’s the nature of overcoming any resource gap. But together, we’ll get through yet another major
change in the industry and in the end, we hope it truly does result in better audit quality.