JGA - Bridging The Gap ISQM 1 and The Knowledge and Resource Gaps


BRIDGING THE GAP: May 2021

ISQM 1 AND THE KNOWLEDGE AND RESOURCE GAPS

By Dane Dowell, Director, JGA

Many in the profession remember the passage of the Sarbanes-Oxley Act of 2002 and the amount of time and effort
that went into the adoption and implementation of internal controls over financial reporting (ICFR). Issuers worked
months upon months with consultants and audit firms to create an internal controls framework and to formalize
processes so that both management and the auditors could opine on the design and operating effectiveness of ICFR.

Now, with the adoption of the International Standard on Quality Management 1 (ISQM 1), issued by the International
Auditing and Assurance Standards Board, the profession is bracing for yet another significant change in the industry.
Whereas 404 regulated internal control requirements for public issuer companies to ensure quality financial reporting,
ISQM 1, for lack of a better comparison, is essentially laying the groundwork for internal controls for audit firms to
ensure quality audits.

Though the PCAOB is lagging behind in its QC standard-setting process, it has repeatedly indicated that its new QC
standard will pull largely from ISQM 1, as was evidenced in the PCAOB QC Concept Release. ISQM 1 is intended to
be scalable, but regardless of the size of the firm, all firms will be required to design, implement, and certify the
effectiveness of controls that address specific audit quality risks.

Isn’t that already in place with the PCAOB’s current QC standards? 1 Technically, yes. In fact, many of the components
of ISQM 1 are already part of current PCAOB standards. While there are new incremental requirements under ISQM 1,
principally around risk assessment, root cause analysis and remediation, what makes ISQM 1 unique is that audit
firms, similar to public companies, will now have to annually assess the effectiveness of their systems of
quality management.

Similar to the early days of SOX 404, the weight of ISQM 1 (and the anticipated changes to PCAOB QC standards) is
leaving many feeling overwhelmed and unsure where to begin and how to bridge the gap, or should I say gaps (plural),
from current QC standards to the new ISQM 1. In my perspective, just like with the advent of internal controls, there is
first a knowledge gap and then a resources gap.

The Knowledge Gap


The phrase we’ve been hearing from our clients on this and other audit quality issues is, “We don’t know what we don’t
know.” As is often the case with any new guidance, whether accounting or auditing, it takes time to fully digest and
understand the literature. Through webinars and articles, many learn about key talking points, such as the new
requirement for firms to perform risk assessment or to perform root cause analyses, but what do these concepts entail?

For instance, take risk assessment; what does it mean for an audit firm to perform a risk assessment over its system
of quality management? Though firms have become accustomed to performing risk assessments over financial
statements when designing an audit, risk assessment over a firm’s system of quality management is foreign. What are
the components of the risk assessment? ISQM 1 provides certain required quality objectives, but the guidance does not
say it is an exhaustive list. Each firm will need to consider other potential risks. Have all relevant risks been
considered? What is the right level of granularity?

Or take root cause as a different example. Root cause has been the talk of the town for the past couple of years, especially
in the “best practices” arena. Now, with ISQM 1, it will become a mandatory component of firms’ systems of quality
management. What is the methodology and process to execute an effective root cause analysis? What happens with the
results of the root cause analysis?

Start at the Source: Read the Standard


I recommend firms take the time to sit down and actually read the ISQM 1 standard. Although the PCAOB standard will
not be issued and effective for several more years, the general requirements are already known and the sooner firms
start to internalize the information and have conversations about the new requirements, the more they’ll synthesize and
start to understand the potential impact these standards will have. Along with reading the standard, take this time to
read other viewpoints about ISQM 1, whether industry publications or thought leadership from large firms that have
taken a lead on implementing the new standard.

Create a Gap Analysis


After reading the standard, revisit QC manuals and start to draw linkages between current policies and what is in the
new ISQM 1. This “gap analysis” will highlight the key differences and make it easier for you to see what’s new.
Then, start to have conversations internally with firm leadership as well as externally with peers. These conversations
will help stimulate thought about the new guidance and provide diverse perspectives on how other firms are interpreting
and implementing the new requirements.

Engage Specialized Knowledge


Finally, don’t be afraid to ask for help. We have started working with multiple firms to help them understand the new
requirements, perform the gap analysis, risk-rate controls, and redesign QC policies to comply with ISQM 1. Through
our experience as inspectors critically evaluating hundreds of firms’ QC policies from all over the world and now
working with firms to improve their systems of QC, we have gained incredible insight into effective systems of quality
control that cut across all sizes of domestic and foreign firms. Regardless of the actions you take, it starts first with
learning what you don’t know and getting the right knowledge.

The Resource Gap


And now that we know, or at least know what we don’t know, the next big hurdle in the implementation of ISQM 1, much
like SOX 404, is the resource gap. Though many aspects of firms’ systems of QC will remain unchanged (for instance, I
would expect that most independence policies and procedures will remain unchanged), the new requirements around
firm monitoring, including root cause analysis and remediation at the engagement level as well as the requirement to
test and evaluate the effectiveness of a firm’s system of QC, will be a huge undertaking. In an industry where busy
season seems to last all year now, do firms have the capacity to design and implement controls to comply with the new
requirements of ISQM 1?

Despite its “scalability,” in my perspective, ISQM 1 is a significant undertaking. I think firms that want to be successful
need to consider the reality that ISQM 1 may require additional resources, which means additional investment.

Designate Implementation Champions


The first resource is typically “human capital.” Firms should consider designating specific employees to take ownership
over ISQM 1 implementation. Perhaps it’s an ISQM 1 Champion or a team of individuals that works individually to
address specific components and collectively to ensure the plan is cohesive and interconnected. Depending on the size
of the firm, this could be a part-time job for one individual or a full-time job for a team of individuals for a couple of years.

Build Out a Perpetual QC Team


Beyond just the implementation, however, firms will need to build in additional time and resources to execute the
updated QC policies, and certify to their effectiveness, on an annual basis. The monitoring program both at the
engagement level and the firm QC level is going to need to be much more robust. Given the need to perform root cause
analyses as well as perform remedial actions for negative findings, engagement level monitoring programs are going to
be much more comprehensive. In addition, the requirement to evaluate the effectiveness of the firm’s QC system will
require time to test controls, analyze the results, and evaluate implications from the findings (i.e. impact on the firm’s
risk assessment, new controls to address potential risks, etc.).

Invest in Technical Resources


Finally, firms will need to consider additional technological resources. In fact, ISQM 1 has a component dedicated just
to the sufficiency of resources and specifically calls out information technology. Establish mechanisms to track,
communicate and report information reliably. While some firms will continue to use more manual processes mixed with
Excel templates, many firms will need to consider implementing new IT systems to assist with the expanded
requirements of ISQM 1. I personally think this is important for all firms to consider as IT continues to play a greater
and greater role in all aspects of business. While an IT investment is a significant upfront investment, it is intended to
drive future efficiency. Don’t be afraid to ask the question, “How can IT help me do this?”

To the extent firms struggle to find resources internally, many will need to look externally, whether to hire in or to
partner with during the implementation/transition period. We already assist many firms with various aspects of QC, such
as monitoring and pre- and post-issuance reviews, consultations, policy reviews, etc. In addition, we’ve also started
researching various technological resources to help support firms as they consider implementing new systems. We’re
here to help, whatever your question or need.

ISQM 1 is a large undertaking. Thankfully, there is still time. And thankfully you don’t have to go it alone. The whole
industry is going to have to adapt and much like we did for SOX 404, we’ll partner together and embrace the changes.
There will be learning curves as we grasp the full extent of the changes required; that’s the nature of overcoming any
knowledge gap. And of course, there will be moments where we feel overwhelmed with the amount of work to do to get
ISQM 1 compliant; that’s the nature of overcoming any resource gap. But together, we’ll get through yet another major
change in the industry and in the end, we hope it truly does result in better audit quality.

1 For more information on the need for new standards: https://www.jgacpa.com/why-do-we-need-new-quality-control-standards-don-t-we-have-them-already

Dane Dowell, CPA
Director
Denver
ddowell@jgacpa.com
323.648.6645

Jackson Johnson, CPA
President
Las Vegas
jjohnson@jgacpa.com
323.648.6645

Johnson Global Accountancy


5670 Wilshire Boulevard, Suite 1800
Los Angeles, CA 90036
www.jgacpa.com
