IAASB approves new quality management standards for auditors
The International Auditing and Assurance Standards Board approved a new and revised set of quality management standards Wednesday for auditors to use around the world, starting at the end of 2022, and firms like KPMG are already gearing up to use them to improve audit quality.
The International Standards on Quality Management, ISQM 1, ISQM 2 and the International Standard on Auditing, ISA 220 Revised, are now awaiting approval by the Public Interest Oversight Board, a global group of regulators that oversees the International Federation of Accountants after some governance changes at IFAC and its affiliated standard-setting boards, including the IAASB.
“The passage of our three Quality Management standards is the culmination of our response to the changing environment, the challenges of the effectiveness of our pre-existing quality control standards, and growing market participant needs,” IAASB chair Tom Seidenstein wrote in a LinkedIn post Wednesday. “The resulting suite of standards are aimed at a more robust System of Quality Management for firms using the IAASB’s standards, and marks an evolution from a traditional, more linear approach to quality control.”
The new standards come at a time when the quality of the audits produced by the Big Four firms has come into question from international financial regulators after a string of high-profile accounting scandals in recent years involving companies such as Wirecard, Samsung, Thomas Cook, Carillion and others.
Seidenstein told Accounting Today how he sees the new standards addressing some of those concerns, and the differences between quality control and quality management at auditing firms: “I think it provides a foundation within the firm to be focused on quality in everything that they do,” he said. “In the U.S. and in our existing standards, the concept is quality control. Control and management have different connotations. Control gives us a sense that we're going to make sure to review things after the fact to make sure that we lived up to our standards of quality. Quality management sees these things as a continuous feedback loop, which is really what our standards are about. Quality is not something that is finite, but we hope it will be continuously improving over time, and the standards are meant to move discussion of the management of quality to the heart of firm strategy, firm operations and firm conduct.”
He compares it to the way many financial institutions now include risk management as part of every element in how they manage their business and corporate strategy. “It's really putting it in the heart and center of leadership, accountability and culture, and then creating a system for them to manage the objectives of quality,” said Seidenstein. “We have quite clear, specific quality objectives. Then we’re saying, ‘OK, where are there deficiencies that you have to remediate rapidly?’ Then that feeds back to stretching ourselves further and improving based upon analysis of the root causes of those deficiencies.”
KPMG is already starting to implement the quality management standards at its member firms around the world. “With the IAASB’s approval of three interrelated quality management standards (ISQM 1, ISQM 2 and ISA 220), a new major milestone has been achieved for the audit and assurance profession,” said Larry Bradley, global head of audit at KPMG, in a statement. “The new standards introduce a robust, scalable and proactive approach to audit quality management which is central to serving the public interest. KPMG applauds the work of the IAASB and believes that these standards will significantly enhance risk-based quality management, global consistency and lay the foundation for high-quality audits across the auditing profession.”
Even though the standards don’t take effect until Dec. 15, 2022, firms in some jurisdictions can adopt them early, as KPMG has begun to do. “We've been in the process of applying the provisions of the exposure draft for quite some time,” Bradley told Accounting Today. “We've been doing it because of a number of reasons. We believe in the IAASB’s mission here, and we believe in their objectives. The way that I look at it, quality at the engagement level and at the firm level is a journey. I don't think you can ever declare victory because things are moving way too fast, whether it be driven by COVID-19 or changes in technology. So, we embraced the objectives of the standard. We've actually been working aggressively to implement them, and we'll continue to do so all the way through the actual adoption date.”
In the U.S., the Public Company Accounting Oversight Board issued a concept release last year proposing an overhaul of the quality control rules for audit firms (see story). The release indicated that the IAASB’s proposed ISQM 1 standard could be the “starting point” for a future PCAOB quality control standard, so the international standard is likely to apply to U.S. firms as well.
PCAOB chairman William Duhnke believes firms should not have to worry about following two sets of standards. “The proposed standard includes specific requirements related to current developments not addressed in PCAOB standards,” he said during an auditing conference in New York last December (see story). “Information gathered through our oversight, outreach and research activities signals that future revisions to the PCAOB's quality control standards should be built on an integrated risk-based framework, similar to Proposed ISQM 1. Many firms that follow PCAOB standards also follow the IAASB standards (or standards based on the IAASB's standards), and we believe it would not be practical to require firms to comply with fundamentally different quality control standards. Indeed, unnecessary differences in standards can detract from audit quality.”
Seidenstein believes the new standards will provide a more robust quality control system for audits. “There’s a realization in the United States, as it was for us, that the existing quality control standards need to be updated,” he said. “They were quite outdated and probably did not reflect modern thinking about how you manage systems and ensure quality throughout the firms and some of the thinking that is possibly going on in risk management practices elsewhere. They put that out for comment, with the idea that they would use ours as a basis. Now they're just in the process of analyzing the comment letters right now, so we don't know where they will land as a result. But from public statements, at least the intent is to use our standards as the basis to modernize the U.S. standards. That being said, in the United States, as elsewhere with our standards, there’s a potential that they would layer on additional requirements that are appropriate for the U.S. jurisdiction. We write our standards for 130 countries around the world, and unlike the PCAOB, we write them for not just public companies and broker-dealers, but for all the audits of all firms, of all sizes, in all jurisdictions, so it's natural that the PCAOB and other jurisdictions may layer on additional requirements.”
Bradley at KPMG sees further alignment ahead between the PCAOB and the IAASB. “It appears to me that there is a desire for close alignment between the PCAOB and the IAASB,” he said. “Certainly, I don't want to get out ahead of the PCAOB because their standard setting is in process on this. But having said that, I think there is a common interest and a common alignment in driving a system of quality management. It's not merely at the engagement level. I think all the standard setters recognize that you have to have an ecosystem when it comes to quality management.”
Not only the PCAOB, but the American Institute of CPAs may also follow the IAASB standards for their assurance standards for privately held companies. “The AICPA goes through a similar process for non-public companies,” said Seidenstein. “There's nothing that we've heard that gives us pause that they'll diverge far from our standard on this. They may make tweaks that are appropriate to comply with laws and regulations in the United States that are different. Our standards always have that out for law and regulation by jurisdiction.”
The AICPA has been smoothing out any difference between its standards and those of other standard-setters such as the PCAOB and the IAASB. “They are really very strongly convergence focused,” said Willie Botha, technical director at the IAASB. “They want to make sure that there's proper convergence between their standards and our standards. Now, obviously, they follow the project because they issue auditing standards under the Auditing Standards Board in the U.S., which gives them the opportunity to layer in any jurisdictional-specific requirements or nuances in terms of the requirements we have in our standards. But, in terms of all our standards, they’ve been a very strong adopter of our standards. They don't have an active project on this yet, but I don't see that there's any cause for believing that it will be any different from any of our other standards.”
Not only the PCAOB in the U.S., but audit regulators in many other countries are expected to adopt the new IAASB standards. “The good thing is that there are about 120, 130 or so jurisdictions that adopt our standards, and most of them adopt them in full,” said Seidenstein. “They may layer on requirements, and they may remove things if they’re inconsistent with law, but most jurisdictions are faithful to the ISAs and ISQMs as a whole.”
Many auditing firms now are moving toward more of an automated approach to audits with data analytics technology. That’s especially true at the Big Four firms, and it's starting to seep down to regional and local firms, with the AICPA’s CPA.com technology unit developing a Dynamic Audit Solution with the help of auditing software provider CaseWare that aims to level the playing field between larger and smaller firms. But by automating more audits with the use of such software, firms will need to be careful that they don’t miss out on the human element, with the professional skepticism and objectivity that an experienced auditor can bring to an engagement.
“It doesn’t lessen the requirements and commitment to quality, but I think our standard does start to think about the use of those resources as ways to both assist, but also potentially cause lapses in quality,” said Seidenstein. “We do have quite specific guidance in the standard on how to use IT-related resources and the adequacy of relying upon them, as relying upon any new source of information. I think that was one of the big areas of modernization that our standards required from something that was created 15 or 20 years ago, where some of this wasn't imagined.”
Auditing technology has evolved to the point where changes in the standards were needed in a general way to encompass areas such as data analytics, artificial intelligence, robotic process automation and machine learning.
“Because of the evolution of technology, it’s such a broad area,” said Botha. “For techniques such as data analytics and all those sorts of things, when we talk about them, we use the term ‘automated tools and techniques,’ especially in our recent technical standards like ISA 550 that deals with risk assessment. This standard is more about how the firm manages engagements and how an engagement partner manages a specific engagement. But on [ISA] 315 and on our current project on advising group audits, we have [made] a concerted effort to actually modernize those standards in terms of the use of automated tools and techniques. Then, in some of our projects that are still in the pre-project proposal stage, our project on audit evidence is driven by three main things. One is technology and how technology affects the timing of audit evidence, the exercise of professional skepticism, and how we can enhance the exercise of professional skepticism in obtaining audit evidence. In today's business environment, different sources of information are available to auditors in terms of obtaining audit evidence. In that project, it will come to the fore very strongly. In one of our other projects, we're looking at fraud and should we be doing anything in terms of our current fraud standards? Technology plays a very important part in how auditors might be looking at fraud or designing their procedures in terms of responding to the risks of fraud. At the beginning of September, we had the first of three roundtables to inform our fraud project. That roundtable was specifically focused on the role of technology in the consideration of fraud, both from an entity perspective and an auditor perspective.”
The IAASB hopes to avoid constant updates to its standards with every new form of technology. “We try to future proof our standards as much as possible these days, so technology doesn't pass us by,” said Seidenstein. “You won't see any mention of telexes and faxes in the standards that we draft.”
KPMG has come under fire from audit regulators in the U.K. over audit failures involving companies like Carillion and Ted Baker, and in South Africa for audits of businesses owned by the Gupta family. Other Big Four firms and smaller firm networks have similarly faced sanctions over their audits in recent years, and regulators are calling for separations between audit and consulting practices and other reforms. An improved quality management system may help address some of these concerns.
“I don't think there's any question that ISQM 1 will improve audit quality over time,” said Bradley. “I firmly believe that. The existing professional standards at the engagement execution level, we believe and I believe, are fit for purpose. Our objective, our responsibility, quite frankly, is to execute on those standards. I'm referring to the existing professional standards that have to be executed at the engagement level, and an interesting juxtaposition, in that all of the firms and the profession are investing heavily in technology — data analytics, digital audits and the like. That is absolutely critical. But at the same time, where the juxtaposition comes in to me, with respect to various business failures and the like that have occurred over the last couple of years, at the same time, there is, to me, a critical need to execute on audit fundamentals.”
He breaks down audit fundamentals into three broad categories. “The first to me is the criticality of professional skepticism, and the second is the need to understand the client's business,” said Bradley. “And the third is just the absolute fundamental importance of executing on audit fundamentals. It may be something as basic as inventory observations or reading contracts and the like. I think ISQM 1, the system of quality management, no doubt is going to drive improvements. But at the same time, I think we have to look to our existing responsibility that we have under the professional standards and our job to execute on those.”
He believes that firms such as KPMG need to go beyond the use of audit technology, although it continues to develop such systems. “Our ability, through the increased technology, to extract enormous amounts of data, to analyze an enormous amount of data, is improving,” said Bradley. “It's pretty remarkable when you think about what we can do. We're driving, for example, a significant investment in a web-enabled, cloud-based mobile audit tool. The ability to digest enormous amounts of information and drive analytics is pretty impressive. But there's one thing that I'll keep coming back to is you have to know what questions to ask. You can't just simply rely on our ability to extract and analyze massive amounts of data without anchoring yourself back into the fundamental professional auditing standards. That's why I go back to those three prongs: understanding the business, executing on the fundamental procedures, and skepticism. To me, that's all about knowing the right questions to ask once you've analyzed these massive amounts of data.”
The current quality management standard is over a decade old. In February 2019, the IAASB issued an exposure draft of a revised ISQM 1 standard to replace it. “We were responding to that need that, in fact, practice had gone well beyond the existing standard,” said Seidenstein. “Indeed, we wanted to push the boundaries a little further. When the board talked about audit quality in their invitation to comment years ago, this became a byproduct of that effort.”
Some of the main changes in the standard approved by the IAASB this week involve the process that auditors will be following. “The biggest thing to understand is that this is an iterative, dynamic process where you're expected to get clear objectives, follow those objectives, determine where deficiencies exist through a risk-based approach and keep on remediating them immediately,” said Seidenstein. “A couple of the key areas to focus on are the role of leadership and governance of a firm in terms of putting audit quality and adherence to a system of quality management at the top of the house and really setting a strong tone at the top as it relates to a commitment to quality. This is not supposed to be a bolt on at the end of the day, but discussions about audit quality are part and parcel of the firm's daily operations. There have to be people designated and accountable for seeing that the quality objectives are adhered to. That's a big one for us.”
Correcting any audit deficiencies, paying attention to the internal culture of a firm, and communicating quality management objectives to constituents like audit committees are other important characteristics of the new standard.
“The other thing that’s really important in this process is the monitoring and remediation of deficiencies — the identification of them and self- remediation of those deficiencies — supported by the culture that we hope permeates,” said Seidenstein. “We also have emphasized the importance of communication in the process within the firm. Many firms are complex operations. They need to communicate what the objectives are, how performance against their objectives are managed, and then when there are external stakeholders, when it's appropriate to communicate to them as well. For example, we have instituted a requirement for listed entities, for firms to speak to those charged with governance — we assume that may be the audit committee of a public company — to have a discussion on the performance of a system of quality management. That's a new requirement under our standard as well.”
The new standard details some of these changes. “There are very specific requirements in terms of putting that system in place, putting accountability at the leadership and governance of the firm,” said Seidenstein. “One of the things that we've done — this is not only at the firm level, but at the engagement level too — is we've placed clear requirements on accountability for the engagement partner in terms of managing the quality of the engagement. And secondly, we've enhanced the requirements as it relates to engagement quality reviews when they're required and the objectivity of those reviewers. For example, this may not be an issue in the United States, but to make sure that there's a cooling off period so the engagement partner of the audit doesn't go on to be the engagement quality reviewer right away. There’s a two-year cooling off period to reinforce objectivity of those reviewers.”
Bradley said he is already making changes to improve audit quality and accountability at KPMG. “ISQM 1 is built on fundamentally driving accountability at the leadership level,” he said. “I've been in my job here for about six months now, but I've been a lifelong audit engagement partner at KPMG for about 40 years and signed opinions for the last 25 years. I am a fundamental believer in driving accountability. In fact, the message that we're sending on accountability is that it starts at the leadership level. The fact of the matter is that when it comes to accountability and quality and integrity at KPMG, it starts with me, and it's my job. We have more than 80,000 auditors in 150 countries globally. But what I tell people is the accountability starts with me. But having said that, we have a concept that we are driving called ‘I own it.’ And ‘I own it’ is just fundamentally about accountability, where that concept of responsibility for integrity, responsibility for quality, I drill down into each of the heads of audit in every country we operate in. It gets drilled down to the audit partners, the engagement team, all the way down through the brand-new associate that's just started with KPMG. Our global chairman, Bill Thomas, is incredibly passionate about this. Bill, for several years, has been driving our global strategy and ambition of being the most trusted and trustworthy professional services organization, because we know that's at the heart of what we do.”
KPMG has been applying some elements of the new standard to improve its audit quality. “ISQM 1 is built on eight fundamental building blocks or concepts,” said Bradley. “I would almost hesitate to call it change, but I would call it an absolute almost maniacal focus on ensuring that we are true to form with respect to applying those eight building blocks. You address your quality objective, you determine what the risks are, and then you make sure that you have procedures in place to do that. I would say the most significant thing we are doing is we're ensuring that it's driven from the center and that our adoption of ISQM 1 is done on a globally consistent basis. It's probably the most important concept that we're driving.”
He believes it’s particularly important that during the COVID-19 pandemic, firms like KPMG have the appropriate quality management systems in place, and the ISQM 1 standard could help once it’s approved by the IAASB’s oversight board. “I think you have to give a lot of credit to the IAASB,” said Bradley. “They still have to get the final approval from the Public Interest Oversight Board, but I would say kudos to the IAASB for what they've done. It's important for us, and we're going to aggressively move to not only adopt the standard, but I think the key message is that we really consider quality to be a journey. It's a spirit of continuous improvement. That's what the standard was about. With the COVID-19 environment, I think this is as important as ever, and the need for auditors to step up in this period of time is absolutely critical. Frankly, these things are occurring in roughly the same period. I can't think of a better time than now, based on what we've experienced over the last five to six months.”
Seidenstein believes many firms will need until the effective date of Dec. 15, 2022 to adhere to the standard, even if they already have quality control systems in place. “This is no small undertaking to put together a robust system of quality management that will conform,” he said. “Many of these activities may be in place already. People are working on the basis that they're going to be in place. But to put a whole functioning system in place with all the requirements for all the employees of a firm, we thought two years was appropriate. We did a lot of consultation on that topic too, with stakeholders, regulators, public interest authorities. I'm conscious we're doing this at the same time that the pandemic is going on, and we have other significant standards that are either being consulted on or have just been applied or are about to be applied, including ISA 315, which is our risk assessment standard.”
He noted that risk-based approaches are starting to flow into many of the IAASB standards.
“I really do think that this is a big step forward for a foundation aimed at improvements in quality, and consistency of quality, across all engagements,” said Seidenstein. “It provides an opportunity to prove to the rest of the world that audit and other assurance engagements are really valuable functions of our economy. It depends upon a lot of parts, though. The standards have to be executed on and enforced.”