The International Standard on Quality Management (ISQM (UK) 1) requires (in paragraph 53) that the individual(s) assigned ultimate responsibility and accountability for a firm’s system of quality management (SoQM) evaluate this on behalf of the firm. This should be undertaken as of a point in time, and at least annually.

As ISQM (UK) 1 became effective on 15 December 2022, all firms should now have performed an assessment of their SoQM at least once. However, I am finding that many firms have not formally documented this annual SoQM evaluation, which is a fundamental requirement of the standard. 

What does ISQM (UK) 1 require?

The standard provides a clear framework on the conclusions that can be reached. However, it does not set out the process required in reaching this conclusion except to note that:

• the individual assigned ultimate responsibility can be assisted by others in reaching their conclusion (but the conclusion is their responsibility alone); and
• the information used to reach this conclusion will vary but will be based on the monitoring activities put in place under the firm’s SoQM. 

The amount of additional documentation that is required will vary depending on a number of factors, such as the size and structure of a firm and the person with ultimate responsibility for the SoQM. 

Why are firms not performing and evidencing their review? 

In the same way that ISQM (UK) 1 requires root cause analysis on deficiencies identified within the SoQM, it is worth asking why the formal evaluation is not being effectively performed or documented. In my experience, the following reasons are provided:

• lack of understanding of the requirement;
• loss of momentum; 
• uncertainty over what is required by the standard; and
• lack of understanding of when the conclusion should be documented. 

How and when should the review be performed? 

Some of the information necessary for an SoQM evaluation will arise from the firm’s existing audit compliance review, which is required at least annually by (reg 3.20 of) the UK Audit Regulations. In performing the SoQM review I would expect the person with ultimate responsibility to evidence consideration of each element of the firm’s SoQM including:

• the firm’s risk assessment (including how this has been updated);
• the responses to mitigate identified risks, including the progress of these actions; 
• a review of the firm’s SoQM policies and procedures; 
• the outcomes of monitoring activities, for example, internal and external cold file reviews performed in the period, and any visit from ICAEW’s Quality Assurance Department; and
• the outcome(s) of root cause analysis performed and how this has fed into the revision to the firm’s risk assessment, responses and monitoring procedures. 

The process described above also answers the ‘when’ question. The logical time to conduct an annual SoQM review is at the end of your annual compliance cycle, once the detailed audit compliance review has been undertaken. 

What conclusion should be reached?

ISQM (UK) 1 provides clear guidance here as it sets out only three possible conclusions to be reached:

A: The SoQM provides the firm with reasonable assurance that the objectives of the SoQM are being achieved.

B: Except for matters related to identified deficiencies that have a severe but not pervasive effect on the design, implementation and operation of the SoQM, the system provides the firm with reasonable assurance that the objectives of the SoQM are being achieved.

C: The SoQM does not provide the firm with reasonable assurance that the objectives of the SoQM are being achieved.

I would expect many firms to conclude that they fall into category B; unless recommendations stemming from the audit compliance review are minor in nature, a category A conclusion will not be appropriate. Clearly, if conclusion C is reached a detailed understanding of the reason for this and the remediation required must be documented. Where conclusion B or C is reached, a clear action plan must be drawn up. The assessment must be based on the conclusions reached at the point the assessment is made, rather than for the whole of the previous period.

How should the conclusion be documented? 

For many firms, the level of documentation should be relatively simple. I would recommend that the following is evidenced: 

• review of the information feeding into the SoQM assessment;
• the conclusion (A, B, C) as outlined above;
• brief justification of this conclusion; and
• a summary of changes required to the ISQM (UK) 1 risk assessment and SoQM as a result of the review. 

Documentation matters 

Documenting your annual assessment is a fundamental requirement of ISQM (UK) 1. If you have successfully implemented the other requirements of the standard, evidencing this assessment should be relatively quick and simple and allow a clear understanding of future improvements to your SoQM. If more pervasive deficiencies exist, the review is necessary to identify more significant changes and to develop an appropriate action plan. 

Andrew Jarvis, Managing Director, HAT Group. 

A longer version of this article is available at Audit & Beyond, the Audit and Assurance Faculty’s online content hub.