Navigating CSQM 1: Risk Assessment Process, Beyond Manuals
In part one of a two-part series, Kirsten S. Albo of ASK KSA Consulting explores the value of the CSQM 1 risk assessment process for Canadian accounting firms.
Kirsten S. Albo, FCPA, FCA, ICD.D is the founder of ASK KSA Consulting Inc., which helps SMPs save time and achieve peace of mind through consulting and advisory services related to conducting effective and efficient engagements and meeting the requirements of being in public practice. She has worked closely with over 200 firms in helping them meet the requirements of CSQM 1.
BY NOW, all firms should be aware of, and assessing, the impact of Canadian Standards on Quality Management (CSQM 1) on their practice. No matter where your firm is on the journey of designing and implementing a system of quality control, it is crucial to recognize that meeting CSQM 1 requirements is much more than the administrative task of writing or updating a quality manual.
CSQM 1 has two processes, the risk assessment process and the monitoring and remediation process. This first article explores the risk assessment process itself and how properly identifying and assessing risk provides value throughout both processes.
There are two key benefits to spending the time to identify and assess the quality risks at your firm. The first benefit is that focusing on risks will help you design and implement a system of quality management that is truly tailored to your firm. Second, knowing where the risks lie will help you be much more efficient in the monitoring and remediation process. And there is actually a third benefit: focusing on risks will not only help you meet the requirements of the standard but will also provide value in the process, as it often brings forward business risks a firm may also want to consider.
The risk assessment process outlined in CSQM 1 is the process to establish quality objectives, identify and assess quality risks and design risk responses.
Identify and Assess Quality Risks
Most of the literature on CSQM 1 suggests starting with establishing quality objectives. But I say, 'start with the risks,' as this is your most critical exercise. Why? The quality objectives are clearly laid out in the standard and are easy to establish. By starting with the risks, you are better able to respond to the risks and understand where to focus your efforts.
Identifying risks involves considering the nature and characteristics of your firm and the engagements you perform. If you haven’t already identified and assessed your risks, then the time to start is now; the deadline for implementation is fast approaching.
To help with the risk identification process, I recommend a simple brainstorming session with other partners in your firm, or with yourself if you are a sole practitioner. The question you are asking, and answering, is: Based on the nature and circumstances of my firm, what can go wrong in meeting our professional responsibilities and getting the right report out the door?
In your risk brainstorming session, don’t worry about quality objectives yet … that comes later. Rather, focus on the conditions, events, circumstances, actions or inactions that create a risk. In working with more than 200 small- to mid-sized practitioners (SMPs) implementing the requirements of CSQM 1, I have seen similar higher-rated quality risks arise time and time again.
Common higher-rated quality risks typically relate to engagement performance, intellectual resources, technological resources and service providers.
- Engagement performance risk arises as firms have many clients and it is a challenge to juggle it all. It is important to ensure that adequate time is spent on each file, no matter the type of engagement.
- Intellectual resources risk surfaces due to the ever-changing standards and the challenges in keeping template files up to date. This risk is even higher for those firms that create their templates.
- Technological resources risk appears as it is critical to ensure the firm’s applications and infrastructure support the practice and protect its clients’ private information. This is a good example of a risk that is both a quality risk and a business risk.
- Finally, service providers introduce risk as firms engage service providers for engagement performance, quality management activities and IT; these individuals must also understand and fulfill their ethical responsibilities. Often a firm has not had discussions with service providers in this context.
Risks that typically end up on the lower end of the spectrum for an SMP include acceptance and continuance and information and communication. Why? These firms know their client base and stick to it. And, communicating is a matter of chatting with staff who are down the hall, not spread out over several offices.
Once quality risks have been identified, the firm needs to assess those risks. The standard does not require a specific scale to be applied. My advice? Avoid over-complicating your risk rating process and choose an approach suitable to your firm. A straightforward low, moderate or high assessment suffices in my opinion.
Establish Quality Objectives
Once risks have been identified and assessed, they can easily be linked to the quality objectives. The objectives are clearly laid out within the six operating components of CSQM 1 and encompass governance and leadership, relevant ethical requirements, acceptance and continuance, engagement performance, resources and information and communication.
Firms have the option to establish additional quality objectives. However, based on my experience, there are no additional quality objectives needed for SMPs; therefore, this step is not overly onerous.
Develop Risk Responses
The importance of assessing risks is further highlighted when you reach the third step, developing responses to address quality risks.
It is important to remember that this step is more than simply updating an existing quality control manual. Firstly, your existing manual is unlikely to address all the quality objectives in the standard, as many objectives are new or enhanced. Secondly, the requirement to identify and assess quality risks, and the documentation to support your conclusions, would be completely overlooked. And finally, if you just update what you have, you are most likely not being efficient, as there are most likely policies and procedures you don’t need.
The starting point is to review identified and assessed risks and develop a risk response tailored accordingly. Based on my experience, I find the most efficient way to develop risk responses is to walk through the assessed quality risks component by component. That way you ensure that all quality objectives are addressed, and the response is tailored to the specific risk.
For example, intellectual resources have most likely been identified as a moderate risk; therefore, the firm will develop policies and procedures such as maintaining a library of relevant and reliable intellectual resources, ensuring staff have access to resources and reviewing the library on a timely basis to confirm it is up to date. Simple but effective.
Unlike the quality objectives, which are established in the standard, there are minimal specified responses. Risk responses do not have to be overly complicated. In fact, keeping them simple and easy to understand and follow reduces the risk of finding a deficiency later on in the monitoring and remediation process. More on that later.
Conclusion and Next Steps
By methodically following these three phases in the right order, a firm ensures that its compliance with CSQM 1 is not a mere exercise but a strategic effort that proves valuable. This strategic approach sets the stage for next steps, the monitoring and remediation process.
I believe efficiencies can be gained by considering the design of monitoring activities as you develop risk responses. Monitoring activities are driven by the risk assessment and related response, so if you think about them earlier rather than later, you will save time and be more effective. This will be the focus of our next article.