Ready for the CSQM changes? Part two: Designing your risk responses

In part two of a three-part series, Kirsten Albo, Justin Reid and David Stevens on preparing your accounting firm for the new suite of standards on quality management

Author: Kirsten S. Albo, Justin Reid and David Stevens
Kirsten S. Albo, FCPA, FCA, ICD.D is the founder of ASK KSA Consulting Inc., which helps SMPs save time and achieve peace of mind through consulting and advisory services related to conducting effective and efficient engagements and meeting the requirements of being in public practice. Contact Kirsten directly by email for more information on implementing CSQM at your Canadian accounting firm: https://ksaconsultinginc.com/contact.
Justin Reid, FCA specialises in providing audit training, consulting, and technical advice to SMPs across Australia and New Zealand. Justin also works closely with many of the Auditors General across both countries in the pursuit of audit quality.
David Stevens, CA consults to small, medium and large auditing firms in Australia on audit quality related matters and activities. He is also CaseWare Australia and New Zealand’s audit content subject matter expert.

In our first article we covered the first two steps of the risk assessment process in CSQM 1, Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements (“CSQM 1”). The first step, establishing quality objectives, is relatively simple, especially when the second step, identifying and assessing quality risks, is done right.

The importance of assessing risks is further highlighted when you reach the third step, designing and implementing responses to address the identified quality risks. Think about it like this. The quality objectives are what you are trying to achieve, the quality risks are what can go wrong, and your risk responses are what you are going to do about it. In this article we discuss ways in which you can approach designing your risk responses.

Overview

It is your assessment of quality risks that provides the basis for the design and implementation of responses. Ask yourself, what are the policies and procedures needed at your firm to address one or more of the quality risks identified? 

What we have learnt so far is that this step will require more than simply updating your existing quality control manual. Firstly, your existing manual is unlikely to address all the quality objectives in the standard as many objectives are new or enhanced. Secondly, the requirement to identify and assess quality risks, and the documentation to support your conclusions, would be completely overlooked.

We have assisted multiple firms in preparing for their transition to the new quality management standards. As part of our review of the requirements of CSQM 1 and various discussions with clients, the following are some of the more common examples of existing shortfalls when it comes to policies and procedures.

The first area is technological resources. This is new in CSQM 1. To address potential gaps, ask yourself the following questions. What IT applications do we use to manage our existing quality control system and performance of engagements? What policies and procedures are in place to ensure IT applications and related infrastructure are adequate, up to date, and have appropriate security controls?

Another area relates to the use of service providers. Questions to ask related to service providers include: What service providers do we use to perform engagements? Are there adequate policies and procedures in place to assess their competency, capability and independence?

Finally, information and communication, a completely new component in the standard. We find this area needs careful consideration if you are a larger firm with many partners and multiple locations; smaller firms may not find this area as complex. Questions to ask include: What systems do we have to identify, capture, process and maintain relevant and reliable information? How do we communicate with engagement teams? Do we have policies and procedures that establish communication expectations between the firm, service providers, network firms or other external parties?

As highlighted in the first article, the firm must identify and assess the risks related to quality objectives by considering the nature and circumstances of your firm. The relative importance or “rating” of those risks will then drive the level of detail required for the responses. You want to develop and implement the right responses, ensuring you don’t do too much work or develop inadequate responses.

Tailored Responses

Where a quality risk has been identified, a response is required. The nature and extent of the response will vary depending on the assessed level of the quality risk it is addressing. Therefore, designing and implementing policies and procedures will depend on the nature and circumstances of the firm and its engagements. 

Quality risks exist within each of the six quality management components detailed in CSQM 1; however, the assessment of those risks, and related responses, will vary. The effort arises when designing an appropriate response to a quality risk identified, based on the circumstances of your firm.

Based on our experience, we find the most efficient way to develop risk responses is to walk through the assessed quality risks component by component. That way you ensure that all quality objectives are addressed, and the response is tailored to the specific risk.

Let’s walk through an example.

Within the resource component is a quality objective related to personnel having the competence and capabilities to consistently perform quality engagements. For firms with staff, there is a risk that engagement team members are not competent or capable.

Your risk response will vary depending on your firm. If you are a small firm, the policy related to developing personnel may be as simple as on-the-job training and feedback and review of working papers. A larger firm may require a more detailed procedure such as “The Firm prioritizes the professional and personal development of partners and staff. Each partner and staff member is afforded adequate opportunity to participate in external or internal training. The Firm also provides opportunities for more experienced engagement team members to coach less experienced engagement team members as part of their own career development plans”. And of course, if you are a sole practitioner, you must ensure you develop and maintain your own competence to perform your role, perhaps through the participation in professional development.

Other examples of risk responses related to competence and capabilities of personnel may include detailing your firm’s recruiting process; the use of internal or external training programs; and the timing of providing feedback as an evaluation mechanism. The level of detail of policies and procedures will depend on the nature and circumstances of your firm and the identified risks. By now you are really understanding the importance of the risk identification and assessment process.

In certain cases, existing policies and procedures in your current quality control manual may be adequate, but in other cases more robust, or new, policies and procedures may be required. 

Specified Responses

Unlike the quality objectives which are established in the standard, there are very few specified or “standard” responses. In order to save time, we believe the specified responses are simple to incorporate into the risk responses overall and do not need a “separate section.”  

Specified responses include a process for identifying, evaluating, and addressing threats as part of both acceptance and continuance and relevant ethical requirements quality objectives. In addition, a firm must obtain at least annually a confirmation of compliance with independence.

Specified responses are also required to address circumstances when the firm becomes aware of information subsequent to accepting or continuing a client relationship that would have caused it to decline the engagement had the information been known prior to accepting or continuing the client relationship. 

Other specified responses include policies and procedures for receiving, investigating and resolving complaints and allegations, addressing engagement quality reviews in accordance with CSQM 2 Engagement Quality Reviews, and communicating with those charged with governance. 

Conclusion and Next Steps

Designing policies or procedures that are responsive to risks identified, and therefore right for your firm, is critical. Quality is of utmost importance in all engagements. There is a balance between being effective (having the right responses in place) and being efficient (not doing too much). Policies or procedures will take time to develop. The time to start is now.

As with establishing quality objectives and identifying and assessing risks, a question around sufficiency and appropriateness of documentation arises. How will you document your system of quality management to adequately demonstrate the linkage between policies and procedures and the assessed quality risks? This is an important question to ask, as in many cases one policy or procedure may address several risks, and conversely, one risk may be addressed by multiple policies or procedures. You want to be efficient in how you document this. And remember, just making a few updates to your existing quality control manual will not enable you to adequately document your firm’s risk assessment process, and therefore meet the requirements of the standard.

The requirement to formally evaluate the system of quality management is addressed in the monitoring and remediating component of the standard. This will be covered in the last article of this series. And, while this is not required until the year following, there are efficiencies to be gained by thinking about it during the design and implementation phase. 

Click on the following links to read the rest of this three-part series: 
Ready for the CSQM changes? Part one: quality objectives and quality risks
Ready for the CSQM changes? Part two: Designing your risk responses
Ready for the CSQM changes? Part three: monitoring and remediation
