Quality Management in Audit

Critically evaluate audit work already performed and identify whether it meets the required quality standard. If an audit lacks quality, the risk of issuing an inappropriate auditor's report increases — damaging both the firm's reputation and the profession as a whole.

1. The Three Key Standards

Three professional standards govern quality in auditing:

ISA 220 (Revised) — Quality Management for an Audit of Financial Statements. This operates at the engagement level — it governs what the engagement partner and team must do on a specific audit.

ISQM 1 — Quality Management for Firms that Perform Audits or Reviews. This operates at the firm level — it governs how the entire firm builds and maintains a system of quality management.

ISQM 2 — Engagement Quality Reviews (EQR). This governs the independent review of significant judgements on high-risk engagements.

2. Elements of a Quality Management System (under ISA 220 Revised)

Leadership Responsibilities

The engagement partner takes overall responsibility for quality. This requires a culture where:

  • Every team member is responsible for contributing to quality
  • Professional ethics, values, and attitudes are prioritised
  • Team members can raise concerns without fear of reprisal
  • Professional scepticism is exercised throughout

Ethical Requirements

Throughout the audit, the engagement partner must: identify, evaluate, and address ethical threats; remain alert for breaches; take appropriate action where requirements are not fulfilled; and, before dating the report, confirm that all ethical requirements have been met.

Acceptance and Continuance

Before accepting or continuing a client relationship, the engagement partner considers:

  • Management integrity
  • Availability of sufficient resources
  • Whether management has acknowledged their responsibilities
  • Team competence
  • Whether significant past issues have implications for continuing

Engagement Resources — Three Types

Human resources — the team must be competent and capable. Competence includes practical experience, professional standards knowledge, IT expertise, industry knowledge, the ability to exercise professional scepticism, and understanding of firm policies. If resources are insufficient, actions include: changing the audit approach, extending the deadline, following firm dispute procedures, or withdrawing from the engagement.

Technological resources — communication tools, automated techniques. The auditor must not over-rely on these.

Intellectual resources — methodologies, checklists, guides, templates — allowing for consistent application of standards.

Engagement Performance — Direction, Supervision, and Review

Direction means informing team members of their responsibilities: to maintain a questioning mind, fulfil ethical requirements, exercise scepticism, understand their objectives, and not let budget pressures cause them to skip planned procedures.

Supervision means tracking audit progress, addressing arising issues (e.g., reassigning complex matters to senior staff), identifying matters for consultation, coaching team members, and creating an environment where concerns can be raised.

Review responsibilities cover checking that: work was performed per standards, consultations occurred, work supports conclusions, evidence is sufficient and appropriate, and engagement objectives were achieved.

The engagement partner must review documentation at appropriate points, focusing on significant matters and judgments.

3. Engagement Quality Review (EQR) — Examined Heavily

Definition

An EQR is an objective evaluation of the significant judgments made by the engagement team and the conclusions reached, performed by the Engagement Quality Reviewer (EQR) and completed on or before the date of the auditor's report.

When Is an EQR Required?

  • Listed entities
  • Public interest entities
  • High-risk clients (unusual circumstances, high risk of material misstatement)
  • Where laws or regulations require it

Engagement Partner's Obligations Where an EQR Is Required

  • Determine that an EQR has been appointed
  • Cooperate with the reviewer; inform team members to do the same
  • Discuss significant matters and judgments with the reviewer
  • Must not date the report until the EQR is complete 

EQR Eligibility Rules

  • Cannot be a member of the engagement team
  • Must have competence, sufficient time, and appropriate authority
  • Must comply with relevant ethical requirements
  • A former engagement partner must serve a cooling-off period of at least two years before acting as EQR for the same client

EQR Documentation Requirements

The EQR reviewer must document: their name and the names of any assistants; the documentation reviewed; the basis for their conclusion; confirmation that the engagement partner was notified of any concerns; and the date of completion.

4. Monitoring and Remediation

The firm must establish a monitoring and remediation process to provide relevant, reliable and timely information about the operation of its quality management system and respond to deficiencies on a timely basis.

To achieve this, the firm must:

  • Establish quality objectives
  • Identify and assess quality risks
  • Design and implement responses to those risks

Monitoring involves inspecting completed engagements selected by risk, evaluating the severity of deficiencies, investigating their root causes, and remediating appropriately. An annual evaluation is required.

Pre-Issuance (Hot) Review vs. Post-Issuance (Cold) Review 

| Feature | Pre-Issuance (Hot) Review | Post-Issuance (Cold) Review |
| --- | --- | --- |
| Purpose | Enhance quality before the report is issued | Monitor firm processes; identify deficiencies |
| Timing | Before the auditor's report is issued | After the report has been issued |
| Files selected | Listed/public interest/high-risk clients; each partner should have some reviewed | A selection of completed engagements |
| Performed by | Independent partner of suitable experience | Compliance/quality department, external consultant, or independent partner |
| Focus | Processes underpinning significant judgements (risks, materiality, independence, conclusions, audit opinion, communications) | All working papers — checking they are on file, complete, signed off and evidenced as reviewed |
| Outcome | Reduction in audit risk — reduces the chance of an inappropriate opinion | Recommendations for: communication of findings, additional reviews, training, policy changes, disciplinary action |

5. ISQM 1 — Firm-Level Quality Management (The Eight Components)

ISQM 1 requires firms to move from standalone policies to an integrated, risk-based approach customised to the firm's size and nature.

The eight components of a firm's quality management system are:

  1. Governance and leadership — Sets the environment. Addresses culture, decision-making, and organisational structure. Leadership must demonstrate a commitment to quality through actions and behaviours.
  2. The firm's risk assessment process — Consists of: (a) establishing quality objectives; (b) identifying and assessing quality risks; (c) designing and implementing responses to those risks.
  3. Relevant ethical requirements — Compliance with the IESBA Code of Ethics and independence requirements.
  4. Acceptance and continuance — Policies for deciding which clients and engagements to accept or continue.
  5. Engagement performance — Covers direction, supervision, review, consultation, differences of opinion, and documentation.
  6. Resources — Human, technological, and intellectual resources, including adequate staffing, tools, and methodologies.
  7. Information and communication — Systems to share quality-related information appropriately within the firm.
  8. Monitoring and remediation — Ongoing monitoring of the quality management system and timely remediation of deficiencies.

Benefits of ISQM 1's approach: improved robustness of quality activities; proactive response to changing circumstances; increased emphasis on monitoring the whole system; improved integration of components.

Common Areas of Concern Identified in UK Monitoring

  • Fair value and value in use measurements (impairment testing, property valuations)
  • Revenue recognition
  • Audit committee communication
  • Inaccuracies in the auditor's reports
  • Independence and ethics
