Practice National Standards

Ready for the CSQM changes? Part one: quality objectives and quality risks

In part one of a three-part series, establishing quality objectives and the importance of quality risk identification and assessment

Author: Kirsten S. Albo, Justin Reid and David Stevens
Albo, Reid, Stevens
Kirsten S. Albo, FCPA, FCA, ICD.D is the founder of ASK KSA Consulting Inc., which helps SMPs save time and achieve peace of mind through consulting and advisory services related to conducting effective and efficient engagements and meeting the requirements of being in public practice. Contact Kirsten directly by email for more information on implementing CSQM at your Canadian accounting firm: https://ksaconsultinginc.com/contact.
Justin Reid, FCA specialises in providing audit training, consulting, and technical advice to SMPs across Australia and New Zealand. Justin also works closely with many of the Auditors General across both countries in the pursuit of audit quality.
David Stevens, CA consults to small, medium and large auditing firms in Australia on audit quality related matters and activities. He is also CaseWare Australia and New Zealand’s audit content subject matter expert.

BY NOW, risk leaders in firms are well aware there are new quality management standards and actions are needed to ensure the requirements are met by the effective date. The question is, are you prepared for the upcoming changes?

This is the first article in a three-part series to help practitioners answer this question with a resounding yes. Across the series we will highlight the requirements of CSQM 1 Quality Management for Firms that Perform Audits or Reviews of Financial Reports and Other Financial Information, or Other Assurance or Related Services Engagements (“CSQM 1”), but more importantly what this means for you.

There are two ends of the implementation spectrum. At one end are those firms that are well down the path in designing and implementing their system of quality management (“SQM”) by the effective date of December 15, 2022. At the other end, there are those firms that have yet to start even thinking about how they are going to implement the requirements of the standard. In our experience, most firms are somewhere in the middle. Conversations have started as to what is required but the next steps are not quite clear. In this series, we will provide practical tips on implementation and provide guidance on implementation matters so that you can move closer to the “almost done” end of the spectrum.

Fundamental requirements of CSQM 1

The fundamental change in this new standard is the shift in approach from a focus on policies and procedures to objectives and risks. This means that implementation is much more than just updating your existing quality control manual. In designing and implementing their SQM, firms are now expected to:  

Step 1: Establish quality objectives related to the components of the SQM 

Step 2: Identify and assess the risks of not achieving those objectives

Step 3: Design appropriate responses proportionate to the assessed risk 

There are other requirements in the standard related to monitoring and remediation and the evaluation of the SQM, but these are required within the year following implementation. While these activities are essential in meeting the requirements of the standard, they are not as critical in the immediate future. However, we do believe efficiencies can be gained by considering the design of monitoring activities as you develop risk responses. Monitoring activities are driven by the risk assessment and related response so if you think about them earlier rather than later you will save time and be more effective.

In this article we address steps 1 and 2.

Step 1: Establish quality objectives  

CSQM 1 introduced the concept of quality objectives. These are defined as the desired outcomes in relation to the components of the SQM to be achieved by the firm. These components are: 

  • Governance and leadership 
  • Relevant ethical requirements
  • Acceptance and continuance
  • Engagement performance
  • Resources
  • Information and communication 

Fortunately, the standard setters have included the minimum quality objectives to be established under each component. We say minimum, because firms have the option to establish additional quality objectives relevant to the firm. Our experience to-date suggests that the majority of small to mid-sized practitioners (“SMPs”) will not need to establish additional quality objectives and therefore this first step should not be overly onerous. In fact, this step is quite simple, read the standard and adopt the quality objectives laid out within. 

Step 2: Identify and assess quality risks 

Once quality objectives have been established, firms are required to identify and assess the quality risks to provide the basis for the design and implementation of responses. We believe this is the most critical step in the implementation process. It helps a firm conclude if there are additional quality objectives required and leads to appropriate risk responses. Identifying risks involves considering the nature and characteristics of the firm, including the types of engagements undertaken, as well as understanding what actions or inactions may adversely affect the achievement of quality objectives.  

To help with the risk identification process, we recommend holding a brainstorming session, ideally with those individuals who have a good grasp of the various audit, assurance and related service offerings of the firm. This will ensure a robust risk identification process. Once risks have been identified, the firm will need to consider how to assess each risk – in effect determining what risks meet the criteria of a quality risk. 

CSQM 1 defines a quality risk as one that has a reasonable possibility of occurring and individually, or in combination with other risks, adversely affecting the achievement of one or more quality objectives. In practice, assessing quality risks can be done in several ways. A firm might elect to use a binary yes/no assessment, or a more detailed 5 by 5 likelihood and consequence risk assessment matrix that some will be familiar with, or something in between. 

Our advice, avoid over-complicating your risk rating process and think about your audience. Who is interested in the risk register? If you are a sole practitioner, you might be satisfied to simply identify a risk as being either a quality risk, or not a quality risk. If you are a larger firm with multiple stakeholders not directly involved in the risk identification and assessment process, you may want to distinguish between those risks at the lower end of the spectrum, and those assessed as being higher risks. Choose an approach suitable to your firm. 

There are three approaches that can be taken to the risk brainstorming process. You can start with a blank piece of paper, a piece of paper that contains your SQM components and quality objectives but no risks, or a piece of paper that contains your SQM components, quality objectives and some example risks. There are pros and cons for each approach, but we suggest the majority of SMPs look for a solution which contains some example risks as a starting point. Makes for a more efficient and palatable process.  

Conclusion and Next Steps

The concept of quality in engagements is not new, but the approach and key requirements in the upcoming standards are different and incremental in many cases. The time to start is now, especially if you are at the “haven’t started” end of the spectrum. 

If you are the individual ultimately responsible and accountable and/or operationally responsible for the SQM in your firm, and you haven’t commenced your transition journey yet, start by reading the standard. Then familiarize yourself with the various resources and toolkits currently available. Documentation is a critical aspect of the standard and required at each step. You may even want to reach out to a trusted advisor who knows CSQM 1 back to front, you never know what they might be working on to make your transition a smooth one.  

The next article in our three-part series will tackle the all-important process of designing and implementing responses that are proportionate to the risks you have identified. We will help answer the question, how much of our firm’s existing quality control manual can we use in our new framework? 

Looking even further forward, we will round out the series with on monitoring and remediation requirements. Our view is that this is definitely a sleeper issue in the implementation process going somewhat under the radar at the moment. 

Click on the following links to read the rest of this three-part series: 
Ready for the CSQM changes? Part one: quality objectives and quality risks
Ready for the CSQM changes? Part two: Designing your risk responses
Ready for the CSQM changes? Part three: monitoring and remediation

Kirsten S. Albo, FCPA, FCA, ICD.D is the founder of ASK KSA Consulting Inc., which helps SMPs save time and achieve peace of mind through consulting and advisory services related to conducting effective and efficient engagements and meeting the requirements of being in public practice. Contact Kirsten directly by email for more information on implementing CSQM at your Canadian accounting firm: https://ksaconsultinginc.com/contact.

Justin Reid, FCA specialises in providing audit training, consulting, and technical advice to SMPs across Australia and New Zealand. Justin also works closely with many of the Auditors General across both countries in the pursuit of audit quality.

David Stevens, CA consults to small, medium and large auditing firms in Australia on audit quality related matters and activities. He is also CaseWare Australia and New Zealand’s audit content subject matter expert.

Canadian Accountant logo

(0) Comments