Upcoming Changes in Quality Management & Risk Assessment Standards – Is Your Audit Practice Ready?

What’s Changing and When?

In March 2021, the Australian Audit Standards Board (AUASB) released three (3) revised Quality Management Standards:

• ASQM 1, Quality Management for Firms that Perform Audits or Reviews of Financial Reports and Other Financial Information, or Other Assurance or Related Services Engagements;
• ASQM 2, Engagement Quality Reviews; and
• ASA 220, Quality Management for an Audit of a Financial Report and Other Historical Financial Information.

These standards have been revised to promote a robust, proactive, scalable, and effective approach to quality management, and to mark a significant evolution of the existing quality control standards used by audit practitioners.

The purpose of these revisions is also to place a greater responsibility on firm leadership for continuously improving the quality of their engagements, and ultimately remediating when deficiencies are found.

In addition to the revised Quality Management Standards, the AUASB have also revised ASA 315, Identifying and Assessing the Risks of Material Misstatement, which has been significantly enhanced to require a more robust risk assessment process and to promote consistency in its application.

These four (4) Standards have similar objectives and requirements. Their implementation will be complex and may require a substantial amount of resources to implement within your audit practice.

These Standards become effective for audit practitioners as of 15 December 2022 – Are you ready?

ASQM 1 – Quality Management for Firms

Overview:

ASQM 1 is shifting from ‘quality control’ to ‘quality management.’ It incorporates a risk-based approach which focuses on audit firms proactively identifying and responding to quality risks. It has been designed to be scalable and tailorable to suit the needs of any audit firm.

At a high-level, from 15 December 2022, an audit firm will be required to establish quality objectives within each component of their quality management system.

Components of Quality Management:

There are six (6) components of the quality management system under ASQM 1:

1. Governance and leadership;
2. Acceptance and continuance;
3. Resources;
4. Relevant ethical requirements;
5. Engagement performance; and
6. Information and communication.

Process and Documentation:

For each of the quality components, audit firms will need to identify and assess quality risks, and then design and implement responses which adequately address those quality risks identified.

Regular review of the quality management system will also be required in order to identify and address areas for improvement. This is known as the monitoring and remediation process within ASQM 1.

For scalability purposes, the application of the ‘risk-based approach’ should allow firms to consider not only the nature and circumstances of the firm, but the nature and circumstances of engagements which the firm performs.

The Quality Management System should document/capture the information gathered from these processes, which is then further supported by the firm’s policies, procedures, and any other documentation as needed. 

Ultimate Responsibility:

The ultimate responsibility of the quality management system will depend on the nature and structure of the audit practice (i.e. the CEO, Managing Partner, Board of Partners, or sole Director, whichever is applicable to the firm).

Audit practitioners will need to have their quality management system designed and implemented by 15 December 2022. An evaluation of the quality management system (i.e. monitoring and remediation procedures) is required to be completed annually by the individual who is assigned with the ultimate responsibility. The first evaluation needs to be completed by 15 December 2023.  

5 Tips to get ready:

1. Determine ultimate responsibility based on structure of firm;
2. Assign operational responsibility to a ‘technical’ Director or ‘senior member of the management team’, to lead the design and implementation of the quality management system;
3. Invest in training and resources to gain an in-depth understanding of what is required by your firm and how to monitor (evaluate) the system of quality management’
4. Obtain example tools and resources to assist with the design of implementation of the system of quality management, I.e. from sources such as the Chartered Accountants Australia and New Zealand (CAANZ), Certified Practicing Accountants (CPA), the Australian Audit Standards Board (AUASB), or from other organisations/consultants who have materials available; and
5. Reach out to other audit practitioners within your region or network and collaborate on the implementation and assist with remediating any quality risks due to the size and structure of the firm (you are not alone).  

ASQM 2 – Engagement Quality Reviews

Overview:

ASQM 2 is to be implemented in conjunction with ASQM 1, as ASQM 1 establishes the audit firms’ responsibilities for its system of quality management, with one of the specified responses within the standard, being for the firm to establish policies and procedures addressing engagement quality reviews, in accordance with ASQM 2.

ASQM 1 has extended the scope of engagements which require an engagement quality review to engagements other than audits of listed entities. The scope now covers those engagements that require an engagement quality review pursuant to law or regulation, and those engagements for which the firm determines that an engagement quality review is an appropriate response to address quality risks.

In terms of scalability, this requirement may be difficult for smaller firms with fewer partners and staff. Where EQR is required or necessary, a smaller firm may need to consider engaging with an external EQR (or audit services provider).

Eligibility:

ASQM 2 sets out who is eligible to undertake these reviews and as such includes a new requirement for firms to establish policies and procedures that require the assignment of responsibility for the appointment of an engagement quality reviewer (EQR) to an individual with competence, capabilities, and appropriate authority within the firm to fulfill this responsibility.

Further, an important new requirement is for the firms’ policies and procedures to specify a ‘cooling-off’ period of 2 years or a longer period if required by relevant ethical requirements, before the engagement partner can assume the role of EQR.

EQR Responsibilities:

There is now a new requirement for the engagement quality review (EQR) to be performed at appropriate points in time, during the audit engagement, rather than at the end and before the final sign off.

There is also a new requirement for the EQR to evaluate the basis for the engagement partners determination that their involvement has been sufficient and appropriate throughout the audit engagement. 

A new ‘stand-back’ approach is also included, which specified that the EQR must determine whether the requirements within ASQM 2 have been fulfilled, and whether the EQR is complete.

Key EQR requirements include:

1. Having discussion with the engagement partner regarding significant matters and significant judgements;
2. Reviewing selected documentation as needed; and
3. Evaluating the:
   • basis for making significant judgements,
   • documentation and conclusions reached,
   • engagement partner’s independence determinations,
   • consultations on difficult and contentious matters (or differences of opinions); and
   • basis for the engagement partners determination that their involvement has been sufficient on the audit engagement.

4. Taking responsibility for the documentation of the engagement quality review.

Finally, it’s important to remember that the performance of the engagement quality review does not absolve the engagement partner from their responsibilities in respect to engagement performance and engagement quality.

5 Tips to Ready:

1. Ensure you have an adequate system for identifying and documenting the need for an EQR for an audit engagement (i.e. including responses to quality risks identified);
2. Determine whether the EQR can be performed internally within the firm or if an external EQR may be required;
3. Ensure the EQR’s involvement is not limited to the conclusion and reporting phase of the engagement (i.e. planning and scheduling of EQR procedures must occur through all relevant phases of the engagement);
4. Ensure you have adequate EQR working papers within your audit file which outline the EQR’s responsibilities, performance, actions, documentation, and conclusions accordingly; and
5. Ensure the engagement partner maintains and documents their ultimate responsibility over the engagement performance and engagement quality.

ASA 220 – Quality Management for an Audit

Overview:

ASA 220 is part of the new and revised suite of quality management standards which were approved by the AUASB. The Standard has been revised to clarify and strengthen the key elements of quality management at the engagement level, by emphasising that it is the Engagement Partner that is responsible for managing and achieving quality (at the engagement level), clarifying the engagement partner’s responsibility, and acknowledging that the engagement partner can assign certain tasks and procedures to appropriately skilled, or suitably experienced members of the engagement team, in managing and achieving audit quality.

Engagement Team Concept:

The Engagement Team is an important concept in this standard as it sets the boundaries of the engagement partner’s responsibility. The definition of engagement team has now been changed to recognise different and evolving team structures, including any individual who performs an audit procedure, but excluding an external auditor’s expert and internal auditors.

The engagement partner is responsible for the supervision, direction, and review of all engagement team members, including their independence, even if they are only involved in one audit procedure in an audit engagement.

ASA 220 now includes two (2) types of wording within the standard to indicate whether the requirement can or cannot be assigned to another engagement team member. On this basis, an engagement partner’s requirement may be assigned to other appropriately skilled or suitably experienced engagement team members, where the term ‘the engagement partner shall take responsibility for’, is used. All other requirements must explicitly be fulfilled by the engagement partner.

Ultimate Responsibility:

It is important to note that the engagement partner remains ultimately responsible and accountable for the engagement and meeting the requirements of ASA 220, including meeting the requirements which have been assigned to other engagement team members.

From a scalability perspective, some of the requirements are conditional on there being engagement team members. If the audit is carried out solely by the engagement partner, then these requirements which are conditional on engagement team members are not relevant. Therefore, to the extent this condition does not exist, there is no need for the engagement partner to have the assignment of requirements documented.

Stand-Back Provision:

The final concept in the revised standard is the ‘stand-back provision.’ ASA 220, like some of the other new ASA standards (i.e. see ASA 315), has introduced a requirement for the engagement partner to ‘stand-back’ at the end of the engagement, before dating the auditors report, and assess their involvement on the audit engagement.

The engagement partner will need to consider if they were sufficiently involved throughout the audit engagement, so that the engagement partner has a basis for determining that significant judgments made during the audit and conclusions reached are appropriate, given the nature and circumstances of the engagement.

The engagement partner also needs to determine and document that the firms’ policies and procedures have been followed during the engagement.

5 Tips to get ready:

1. Ensure you have an adequate system for identifying and documenting ‘engagement team members’ in an audit engagement;
2. Ensure engagement partners remain aware of their ultimately responsibility across each audit engagement/service performed;
3. Establish internal policies and procedures for identifying and assigning engagement partner responsibilities as allowed under ASA 220;
4. Ensure you have adequate working papers within your audit file at both the planning and conclusion/reporting sections to document and maintain compliance with the requirements of ASA 220; and
5. Provide ongoing training and development to your audit team to upskill and enhance the overall quality of work being performed by your firm.

ASA 315 – Identifying and Assessing the Risks of Material Misstatement

Overview:

As auditors, we are required to perform our audit procedures in accordance with the Australian Auditing Standards, which are subject to changes from time to time in order to comply with international auditing standards, legislative instruments, public interests, audit environments, and other triggering factors.

The Australian Audit Standards Board (AUASB) has reissued ASA 315 Identifying and Assessing the Risks of Material Misstatement, which becomes effective for auditors of financial reporting periods commencing on or after 15 December 2021 (i.e. December 2022 financial year ends).

The new ASA 315 has been significantly revised, to require a more robust risk assessment process and to promote consistency in application. Changes include new definitions, more detailed compliance requirements and the introduction of some new concepts.

Key Changes:

Some of the key changes in ASA 315 Include:

• Audit planning procedures will require more detailed assessments of inherent risks associated with not only classes of transactions but also significant account balances and disclosures. These assessments will be separate from control risk assessments.
• New definition of ‘significant risk’ for those risks close to the upper end of the spectrum of risk.
• A requirement for auditors to obtain a more in depth understanding of the Entity’s system of internal controls. which includes controls implemented, internal risk assessment procedures, monitoring processes, information systems.
• This understanding and documentation of the Entity’s control and risk environment is an iterative process which requires continues updating throughout the audit engagement.
• Separate focus on documenting our understanding of the applicable financial reporting framework.
• Application of a ‘stand-back’ requirement at the completion of planning procedures in order to evaluate the completeness of significant classes of transactions, account balances and disclosures.
• Enhanced documentation to evidence the audit team exercising their professional scepticism applied throughout the audit engagement.

5 Tips to get ready:

1. Invest in the training and development of your team specifically in relation to the changes to ASA 315;
2. Identify how your firm will respond to the revised requirements (i.e. re-design and convert existing files to a new template file which complies with these changes, or make modifications to existing files as needed);
3. Assign one or two members of the firm to lead the technical development of revised working papers, tools, and any other resources deemed relevant;
4. Allow your firm adequate time to create and/or convert audit files to comply with the revised methodology of ASA 315; and
5. Start communicating with your clients ASAP to ensure they are aware of what will be required from an audit perspective and what they need to do to assist with documenting their own risk assessments, internal control environment (including IT controls), and monitoring procedures leading up to 31 December 2022. 

If your audit practice has not considered these revisions already, you may have already run out of time to make the necessary changes to existing systems and processes before 15^th December 2022.

At National Audits Group, we strive to reduce the burden of designing and implementing changes which are impacting the profession, by aiding accountants and other assurance along the way.

If you or your firm would like to discuss what these upcoming changes mean for you or would like some assistance/collaboration on the design and implementation of the revised changes, please contact our Technical Director, Danielle Nye, directly at 1300 734 707.

Danielle Nye
Director