On this page
A robust system of quality management must be in place for all auditors. For engagements undertaken in compliance with ASAE 3000, ASAE 3100 or ASAE 3410, the audit team leader must ensure the quality management system complies with ASQM 1
Quality Management for Firms that Perform Audits or Reviews of Financial Reports and Other Financial Information, or Other Assurance or Related Services Engagements (ASQM 1).
Peer reviews conducted for engagements undertaken in compliance with ASAE 3000, ASAE 3100 or ASAE 3410 must comply with ASQM 2
Engagement Quality Reviews (ASQM 2)2.
4.4.1 A system of quality management—ASQM 1
ASQM 1 reflects a focus on quality management – as distinct from previous practices, embodied in ASQC 1, that focused on quality control. This reflects the intention to transition firms from policies and procedures that address standalone elements as required by ASQC 1, to an integrated and more proactive quality management approach that reflects the system as a whole.
ASQM 1 requires firms to tailor the design, implementation and operation of its system of quality management, based on the nature and circumstances of the firm, and the types of engagements it performs.
It adopts a risk-based approach where the quality objectives that are detailed in ASQM 1, are used to identify the quality risks that are specific to the firm, as well as designing and implementing responses in the form of policies and procedures that are appropriate and relevant to the needs to the firm.
There are enhanced requirements for monitoring and remediation to promote a more proactive monitoring of the system of quality management as a whole, including the effective and timely remediation of deficiencies.
The standard requires a firm to evaluate and make an overall conclusion on the system of quality management at least annually.
ASQM 1 is structured around 2 processes and 6 components that are designed to operate in an iterative and integrated manner.
The 2 processes are:
- risk assessment process
- monitoring and remediation process.
The 6 components are:
- governance and leadership
- resources
- information and communication
- relevant ethical requirements
- acceptance and continuance
- engagement performance.
Two processes
Risk assessment
This is a process that a firm establishes as part of its system of quality management. The firm is required to follow this process in implementing its risk-based approach to quality management. It consists of establishing quality objectives, identifying and assessing quality risks to the achievement of the quality objectives and designing and implementing responses to address the assessed quality risks.
This risk-based approach was introduced to facilitate proactive quality management, as well as to enable the system to be tailored to the nature and circumstances of the firm and the engagements it performs.
The process encompasses 3 essential steps:
establishing quality objectives
What does the firm need to achieve in order to manage the quality of its engagements? The standard prescribes the quality objectives for each of the 6 components in order to drive consistency in the firm's quality management systems. The firm is also required to consider if there are any additional objectives that are needed. But there is no expectation that a firm will identify additional objectives.
identifying and assessing the quality risks
What could go wrong in achieving the quality objectives? Identifying and assessing quality risks is about identifying what the standard describes as the conditions, events, circumstances, actions or inactions that are considered to have a reasonable possibility of occurring and affecting the achievement of a quality objective. The standard includes examples of possible conditions, events, circumstances etc. to aid the firm in identifying quality risks.
designing and implementing responses
These are the policies and procedures the firm needs to put in place to address the quality risks. The firm is expected to develop its own specific policies and processes in response to the quality risks and this is where much of the tailoring to the needs of the firm can be achieved. The standard includes certain responses that are required to be incorporated into the firm's system of quality management, such as independence confirmations from individuals.
The standard also recognises that a firm's circumstances may change, and revisions may be needed to add or change quality risks and/or responses at any point. This is a feature of the proactive management of quality that is an objective of the standard.
Monitoring and remediation
This is another process that a firm establishes as part of its system of quality management. It provides the firm with relevant, reliable and timely information about the design, implementation and operations of the system of quality management.
The process also addresses taking appropriate actions to respond to deficiencies to ensure that these are remediated on a timely basis.
ASQC 1 covered monitoring and remediation, but ASQM 1 more robustly addresses monitoring activities. It has shifted the focus from engagement level monitoring to monitoring the system of quality management as a whole, and aims to encourage a more proactive and effective monitoring, with ongoing consideration of things like the extent of changes to the system, results of prior inspections, deficiencies identified etc. There is still the requirement for engagement level monitoring and the testing of completed engagements and for engagement leaders to be inspected on a cyclical basis.
The standard has a greater focus on establishing a more robust and timely remediation process and has a framework for evaluating findings and identifying and evaluating the severity and pervasiveness of deficiencies. There is a clear focus on the communication of deficiencies to the firm's personnel.
The framework is intended to help in considering deficiencies and deciding if remedial action is needed. Part of the framework is a requirement to investigate the cause of a deficiency using root cause analysis. This requirement is flexible, and firms can scale the root cause process as appropriate to the nature of the firm and the circumstances of the deficiency.
A firm's leadership is also required to determine the effectiveness of remedial actions as well as considering deficiencies in their evaluation of the system as a whole.
ASQM 1 includes a requirement for the person assigned ultimate responsibility and accountability for the system of quality management to evaluate the system. Based on this evaluation, which is internal to the firm, they are required to conclude on whether the objectives of the system of quality management are being achieved. The evaluation is required to be performed at least annually.
The evaluation is at a point in time and the conclusion is focused on whether the system of quality management provides reasonable assurance that:
- The firm and its personnel are fulfilling their responsibilities in accordance with professional standards and applicable legal and regulatory requirements, and engagements are being conducted in accordance with those standards and requirements.
- Reports the firm and engagement leader's issue are appropriate in the circumstances.
Whilst the evaluation is at a point in time, information about the firm's monitoring and remediation over the period since the previous evaluation, as well as the conclusion from the previous evaluation itself, is generally what would be used as the basis for the evaluation. There is professional judgement needed in considering the identified deficiencies and their severity and pervasiveness, the remedial actions that have been put in place, and whether the deficiencies have been corrected.
The evaluation leads to one of 3 overall conclusions being formed as to the effectiveness of the system:
- The system of quality management provides the firm with reasonable assurance that the objectives of the system are being achieved (paragraph 54(a) of ASQM 1).
- Except for matters related to identified deficiencies that have a severe but not pervasive effect on the design, implementation and operation of the system of quality management, the system provides the firm with reasonable assurance that the system's objectives are being achieved (paragraph 54(b) of ASQM 1).
- The system of quality management does not provide the firm with reasonable assurance that the objectives of the system are being achieved (paragraph 54(c) of ASQM 1).
These conclusions are essentially equivalent to a clean opinion, a qualified, except for, opinion or an adverse opinion.
Six components
Governance and leadership
This establishes the environment in which the system of quality management operates. It deals with matters such as the firm's culture, leadership responsibility and accountability. It also addresses the firm's organisational structure, assignment of roles and responsibilities and resource planning and allocation.
ASQM 1 specifies certain roles and responsibilities to be appointed as part of the system of quality management. These are:
- Someone is to take ultimate responsibility. This could be the managing partner or ultimate leader or CEO of the firm. There is increased emphasis on this person having accountability for the system's effectiveness.
- Someone is to take operational responsibility. In a small firm this could be the same person as the one having ultimate responsibility.
- Depending on the size and structure of the firm, others could be assigned responsibility for other aspects of the system. For example, someone is specifically responsible for the monitoring and remediation process.
There are enhanced requirements addressing the qualifications of the individuals assigned to these roles, as well as their experience, knowledge, influence and authority. ASQM 1 also addresses whether people have sufficient time to perform their roles.
Resources
This component was not included in ASQC 1. It deals with obtaining, developing, using, maintaining, allocating and assigning resources in a timely manner. This enables the design, implementation and operations of the other components of the system of quality management.
The resources component includes technological, intellectual and human resources. For example, this would cover the use of audit software tools, audit manuals, documentation templates etc. It also addresses service providers.
Resources may create conditions, events, circumstances, actions or inactions that may give rise to quality risks. For example, teams may place undue reliance on IT applications, they may rely on an audit manual that is not compliant with auditing standards. When using a service provider for an outsourced IT database storage, there may be risk of inappropriate use and access to confidential client data.
Information and communication
This component was also not part of ASQC 1. It enables the design, implementation and operation of the system of quality management. It deals with obtaining, generating or using information concerning the system.
It addresses the culture of the firm in the context of information and communication, exchanging information between the firm and engagement teams, communicating information with a firm's network or service provider as well as other communications externally on a timely basis.
Relevant ethical requirements
These are fundamental for the proper performance of audit engagements. Relevant ethical requirements for both the firm and its personnel must be addressed. These requirements are defined in the auditing standard ASA 102 Compliance with Ethical Requirements when Performing Audits, Review and Other Assurance Engagements.
This component also deals with ethical requirements to the extent that they apply to others who are external to the firm.
Acceptance and continuance
This component is another that is fundamental to engagement performance. It deals with the firm's judgements about whether to accept or continue a client relationship or specific engagement.
Engagement performance
This deals with the firm's actions to promote and support the consistent performance of quality engagements. This includes providing direction, supervision and review, consultation and dealing with differences of opinion.
The component includes how the firm supports engagement teams in their exercising of professional judgement and, when applicable to the nature and circumstances of particular engagements, exercising professional scepticism.
Documentation
In addition to the 2 processes and 6 components, ASQM 1 also focuses on documentation. It requires the firm to prepare documentation to achieve 3 principles:
- to allow a consistent understanding of the system of quality control by the firm's people to allow them to fulfil their roles effectively
- to support the consistent implementation and operation of the firm's responses
- to provide evidence of the design, implementation and importantly the operating effectiveness of the system to support the overall evaluation. Careful consideration is needed for the retention of evidence of the system's operation.
The form and extent of this documentation can be tailored to the size and complexity of the firm. A less complex firm may not need to have granular documentation, such as a matrix, that indicates the quality objective, the related quality risk(s), and the related responses to address those quality risks. This is because it may be obvious how the quality risks relate to the quality objectives, or how the responses address the quality risks. In these circumstances, the firm's documentation may include lists of the quality objectives and quality risks, and a memorandum that explains the responses and how they address the quality risks.
4.4.2 Client and engagement considerations
Before preparing and agreeing engagement terms, the audit team leader must consider if the audit team are collectively appropriately skilled to perform the engagement, and if the engagement being proposed can be accepted. Client and engagement acceptance considerations must be documented and must include:
- the audit team leader taking steps to ensure any conflict of interest situation is resolved (refer to section 4.3.2 below for additional guidance on conflicts of interest)
- the audit team leader or professional member of the audit team ceasing to be part of the audit team, where a conflict of interest situation relating specifically to them is not resolved by 28 days after the audit team leader became aware of the existence of the conflict of interest situation, if no exemption under the NGER Regulations is sought or granted, and
- the audit team leader having in place a quality control system reasonably capable of bringing conflict of interest situations to the audit team leader’s attention.
In addition to those requirements noted above, acceptance considerations should include:
- the integrity and approach to risk management taken by those charged with governance of the audited body
- whether the terms and conditions of the assurance engagement are reasonable (for example, is the audited body or the intended user of the assurance engagement report insisting on engagement terms which could place the audit team leader at risk of litigation?)
- the capability and expertise of the audit team and if they are suitably qualified to perform the engagement, and
- any potential or actual conflicts of interest.
Where issues arise, they should be discussed with the audited body and the audit team leader may choose not to accept the engagement. Such discussions and decisions must be documented by the auditor.
4.4.3 Audit standard ASQM 2
ASQM 2
Engagement Quality Reviews is a new standard that has been developed to provide an increased focus on the rigour of the conduct of engagement quality reviews. There is new content in the standard, but also some material has been relocated from ASQC 1 and ASA 220.
One of the specific or required responses ASQM 1 requires to address quality risks is the conduct of engagement quality reviews — peer reviews in audits conducted under schemes the CER administers. It includes criteria for when an engagement quality review is required. One of the requirements is when the appointment of an engagement quality review is required by legislation. All Part 6 audits require the appointment of a peer reviewer.
If an engagement quality review is required, then ASQM 2 comes into play and this standard addresses the selection of the individual to perform the review, how it is performed and what should be documented.
ASQM 2 places an increased focus on the objectivity of the peer reviewer, as having the right mindset is essential to effectively evaluating the judgements and conclusions of the engagement team.
It includes 2 key elements:
- eligibility requirements for peer reviewers
- performance of peer reviews.
Eligibility requirements for peer reviewers
- a 2-year cooling-off period between audit team leader and peer review roles — if an auditor conducts an audit of an audited body as the team leader, then they must not perform as peer reviewer for an audit of the same audited body for a period of 2 years
- a longer cooling-off period may be required by relevant ethical requirements
- sufficient time to perform the peer review
- use of qualified external peer reviewers and assistants is permitted where the firm does not have the staff to conduct the peer review
- actions required when eligibility of a peer reviewer is impaired.
Performance of peer reviews
- The standard focuses on significant matters and significant judgements — with new guidance to clarify what these are.
- Involvement of peer reviewer at appropriate points in time throughout an engagement — so the engagement team has an opportunity to communicate with and respond in a timely manner to matters the peer reviewer raises.
- There is a stand-back requirement. The peer reviewer takes responsibility as to whether performance requirements of ASQM 2 have been fulfilled. They are not blindly relying on the firm and the engagement team to ensure compliance with ASQM 2.
- The engagement partner is precluded from dating an engagement report until notification of completion from the peer reviewer.
Footnotes