Philippine Standard on Quality Management 1 PDF
Document Details
Uploaded by Deleted User
2022
Tags
Related
Summary
This document details the Philippine Standard on Quality Management 1 (PSQM1), providing guidelines for quality management for firms performing audits or reviews of financial statements, or other assurance or related services. This standard, effective December 15, 2022, is based on the International Standard on Quality Management 1 (ISQM1).
Full Transcript
Philippine Standard on Quality Management 1 Philippine Standard on Quality Management 1 (Previously Philippine Standard on Quality Control 1) Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services...
Philippine Standard on Quality Management 1 Philippine Standard on Quality Management 1 (Previously Philippine Standard on Quality Control 1) Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements PHILIPPINE STANDARD ON QUALITY MANAGEMENT 1 (PREVIOUSLY PHILIPPINE STANDARD ON QUALITY CONTROL 1) QUALITY MANAGEMENT FOR FIRMS THAT PERFORM AUDITS OR REVIEWS OF FINANCIAL STATEMENTS, OR OTHER ASSURANCE OR RELATED SERVICES ENGAGEMENTS Contents AASC Preface to Philippine Standard on Quality Management 1 (Previously Philippine Standard on Quality Control 1), Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements IAASB International Standard on Quality Management 1 (Previously International Standard on Quality Control 1), Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements 2 AASC PREFACE TO PHILIPPINE STANDARD ON QUALITY MANAGEMENT 1 (PREVIOUSLY PHILIPPINE STANDARD ON QUALITY CONTROL 1) QUALITY MANAGEMENT FOR FIRMS THAT PERFORM AUDITS OR REVIEWS OF FINANCIAL STATEMENTS, OR OTHER ASSURANCE OR RELATED SERVICES ENGAGEMENTS 1. The Auditing and Assurance Standards Council (AASC) has approved on February 1, 2021 the adoption of International Standard on Quality Management 1 (Previously International Standard on Quality Control 1), Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements, issued by the International Auditing and Assurance Standards Board (IAASB) in December 2020, as Philippine Standard on Quality Management 1 (Previously Philippine Standard on Quality Control 1), Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements (PSQM1). 2. PSQM1 is effective as of December 15, 2022. 3 Final Pronouncement December 2020 International Standard on Quality Management International Standard on Quality Management 1 (Previously International Standard on Quality Control 1) Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements About the IAASB This document was developed and approved by the International Auditing and Assurance Standards Board. The objective of the IAASB is to serve the public interest by setting high-quality auditing, assurance, and other related standards and by facilitating the convergence of international and national auditing and assurance standards, thereby enhancing the quality and consistency of practice throughout the world and strengthening public confidence in the global auditing and assurance profession. The IAASB develops auditing and assurance standards and guidance for use by all professional accountants under a shared standard-setting process involving the Public Interest Oversight Board, which oversees the activities of the IAASB, and the IAASB Consultative Advisory Group, which provides public interest input into the development of the standards and guidance. The structures and processes that support the operations of the IAASB are facilitated by the International Federation of Accountants (IFAC). For copyright, trademark, and permissions information, please see page 72. Page 2 of 73 ISQM 1 INTERNATIONAL STANDARD ON QUALITY MANAGEMENT 1 QUALITY MANAGEMENT FOR FIRMS THAT PERFORM AUDITS OR REVIEWS OF FINANCIAL STATEMENTS, OR OTHER ASSURANCE OR RELATED SERVICES ENGAGEMENTS (Effective as of December 15, 2022) CONTENTS Paragraph Introduction Scope of this ISQM…...……………………………………………………………………… 1–5 The Firm's System of Quality Management………………………………………………... 6–11 Authority of this ISQM………………………………………………………………………… 12 Effective Date ………………………………………………………………………………... 13 Objective ……………………………………………………………………………………… 14–15 Definitions ………………………………………………………………………………….... 16 Requirements ………………………………………………………………………………... Applying, and Complying with, Relevant Requirements……………………………...…... 17–18 System of Quality Management……………………………………………………………... 19–22 The Firm's Risk Assessment Process…………………….………………………………... 23–27 Governance and Leadership……………………………….………………………………... 28 Relevant Ethical Requirements...………………………….………………………………... 29 Acceptance and Continuance of Client Relationships and Specific Engagements.…... 30 Engagement Performance ………………………………………………………………….. 31 Resources………………...………………………………………..………………………….. 32 Information and Communication.………………………………..………………………….. 33 Specified Responses…….………………………………………..………………………….. 34 Monitoring and Remediation Process….………………………..………………………….. 35–47 Network Requirements or Network Services….……………..…………………………….. 48–52 Evaluating the System of Quality Management………………..………………………….. 53–56 Documentation ……………………………………………………………………………….. 57–60 Application and Other Explanatory Material Scope of this ISQM.…………………………………………………………………………... A1–A2 The Firm's System of Quality Management………………………………………………... A3–A5 Authority of this ISQM………………………………………………………………………… A6–A9 Page 3 of 73 ISQM 1 Definitions ……………………………………………………………………………………... A10–A28 Applying, and Complying with, Relevant Requirements……………………………...…... A29 System of Quality Management……………………………………………………………... A30–A38 The Firm's Risk Assessment Process…………………….………………………………... A39–A54 Governance and Leadership……………………………….………………………………... A55–A61 Relevant Ethical Requirements...………………………….………………………………... A62–A66 Acceptance and Continuance of Client Relationships and Specific Engagements.…... A67–A74 Engagement Performance………………………………………..………………………….. A75–A85 Resources………………...………………………………………..………………………….. A86–A108 Information and Communication.………………………………..………………………….. A109–A115 Specified Responses…….………………………………………..………………………….. A116–A137 Monitoring and Remediation Process….………………………..………………………….. A138–A174 Network Requirements or Network Services….……………..…………………………….. A175–A186 Evaluating the System of Quality Management………………..………………………….. A187–A201 Documentation ……………………………………………………………………………….. A202–A206 International Standard on Quality Management (ISQM) 1, Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements, should be read in conjunction with the Preface to the International Quality Management, Auditing, Review, Other Assurance, and Related Services Pronouncements. Page 4 of 73 ISQM 1 Introduction Scope of this ISQM 1. This International Standard on Quality Management (ISQM) deals with a firm’s responsibilities to design, implement and operate a system of quality management for audits or reviews of financial statements, or other assurance or related services engagements. 2. Engagement quality reviews form part of the firm’s system of quality management and: (a) This ISQM deals with the firm’s responsibility to establish policies or procedures addressing engagements that are required to be subject to engagement quality reviews. (b) ISQM 2 1 deals with the appointment and eligibility of the engagement quality reviewer, and the performance and documentation of the engagement quality review. 3. Other pronouncements of the International Auditing and Assurance Standards Board (IAASB): (a) Are premised on the basis that the firm is subject to the ISQMs or to national requirements that are at least as demanding; 2 and (b) Include requirements for engagement partners and other engagement team members regarding quality management at the engagement level. For example, ISA 220 (Revised) deals with the specific responsibilities of the auditor regarding quality management at the engagement level for an audit of financial statements and the related responsibilities of the engagement partner. (Ref: Para. A1) 4. This ISQM is to be read in conjunction with relevant ethical requirements. Law, regulation or relevant ethical requirements may establish responsibilities for the firm’s management of quality beyond those described in this ISQM. (Ref: Para. A2) 5. This ISQM applies to all firms performing audits or reviews of financial statements, or other assurance or related services engagements (i.e., if the firm performs any of these engagements, this ISQM applies and the system of quality management that is established in accordance with the requirements of this ISQM enables the consistent performance by the firm of all such engagements). The Firm’s System of Quality Management 6. A system of quality management operates in a continual and iterative manner and is responsive to changes in the nature and circumstances of the firm and its engagements. It also does not operate in a linear manner. However, for the purposes of this ISQM, a system of quality management addresses the following eight components: (Ref: Para. A3) (a) The firm’s risk assessment process; (b) Governance and leadership; (c) Relevant ethical requirements; (d) Acceptance and continuance of client relationships and specific engagements; (e) Engagement performance; 1 ISQM 2, Engagement Quality Reviews 2 See, for example, International Standard on Auditing (ISA) 220 (Revised), Quality Management for an Audit of Financial Statements (Revised), paragraph 3 Page 5 of 73 ISQM 1 (f) Resources; (g) Information and communication; and (h) The monitoring and remediation process. 7. This ISQM requires the firm to apply a risk-based approach in designing, implementing and operating the components of the system of quality management in an interconnected and coordinated manner such that the firm proactively manages the quality of engagements performed by the firm. (Ref: Para. A4) 8. The risk-based approach is embedded in the requirements of this ISQM through: (a) Establishing quality objectives. The quality objectives established by the firm consist of objectives in relation to the components of the system of quality management that are to be achieved by the firm. The firm is required to establish the quality objectives specified by this ISQM and any additional quality objectives considered necessary by the firm to achieve the objectives of the system of quality management. (b) Identifying and assessing risks to the achievement of the quality objectives (referred to in this standard as quality risks). The firm is required to identify and assess quality risks to provide a basis for the design and implementation of responses. (c) Designing and implementing responses to address the quality risks. The nature, timing and extent of the firm’s responses to address the quality risks are based on and are responsive to the reasons for the assessments given to the quality risks. 9. This ISQM requires that, at least annually, the individual(s) assigned ultimate responsibility and accountability for the system of quality management, on behalf of the firm, evaluates the system of quality management and concludes whether the system of quality management provides the firm with reasonable assurance that the objectives of the system, stated in paragraph 14(a) and (b), are being achieved. (Ref: Para. A5) Scalability 10. In applying a risk-based approach, the firm is required to take into account: (a) The nature and circumstances of the firm; and (b) The nature and circumstances of the engagements performed by the firm. Accordingly, the design of the firm’s system of quality management, in particular the complexity and formality of the system, will vary. For example, a firm that performs different types of engagements for a wide variety of entities, including audits of financial statements of listed entities, will likely need to have a more complex and formalized system of quality management and supporting documentation, than a firm that performs only reviews of financial statements or compilation engagements. Networks and Service Providers 11. This ISQM addresses the firm’s responsibilities when the firm: (a) Belongs to a network, and the firm complies with network requirements or uses network services in the system of quality management or in the performance of engagements; or Page 6 of 73 ISQM 1 (b) Uses resources from a service provider in the system of quality management or in the performance of engagements. Even when the firm complies with network requirements or uses network services or resources from a service provider, the firm is responsible for its system of quality management. Authority of this ISQM 12. Paragraph 14 contains the objective of the firm in following this ISQM. This ISQM contains: (Ref: Para. A6) (a) Requirements designed to enable the firm to meet the objective in paragraph 14; (Ref: Para. A7) (b) Related guidance in the form of application and other explanatory material; (Ref: Para. A8) (c) Introductory material that provides context relevant to a proper understanding of this ISQM; and (d) Definitions. (Ref: Para. A9) Effective Date 13. Systems of quality management in compliance with this ISQM are required to be designed and implemented by December 15, 2022, and the evaluation of the system of quality management required by paragraphs 53–54 of this ISQM is required to be performed within one year following December 15, 2022. Objective 14. The objective of the firm is to design, implement and operate a system of quality management for audits or reviews of financial statements, or other assurance or related services engagements performed by the firm, that provides the firm with reasonable assurance that: (a) The firm and its personnel fulfill their responsibilities in accordance with professional standards and applicable legal and regulatory requirements, and conduct engagements in accordance with such standards and requirements; and (b) Engagement reports issued by the firm or engagement partners are appropriate in the circumstances. 15. The public interest is served by the consistent performance of quality engagements. The design, implementation and operation of the system of quality management enables the consistent performance of quality engagements by providing the firm with reasonable assurance that the objectives of the system of quality management, stated in paragraph 14(a) and (b), are achieved. Quality engagements are achieved through planning and performing engagements and reporting on them in accordance with professional standards and applicable legal and regulatory requirements. Achieving the objectives of those standards and complying with the requirements of applicable law or regulation involves exercising professional judgment and, when applicable to the type of engagement, exercising professional skepticism. Definitions 16. For purposes of this ISQM, the following terms have the meanings attributed below: Page 7 of 73 ISQM 1 (a) Deficiency in the firm’s system of quality management (referred to as “deficiency” in this ISQM) – This exists when: (Ref: Para. A10, A159–A160) (i) A quality objective required to achieve the objective of the system of quality management is not established; (ii) A quality risk, or combination of quality risks, is not identified or properly assessed; (Ref: Para. A11) (iii) A response, or combination of responses, does not reduce to an acceptably low level the likelihood of a related quality risk occurring because the response(s) is not properly designed, implemented or operating effectively; or (iv) An other aspect of the system of quality management is absent, or not properly designed, implemented or operating effectively, such that a requirement of this ISQM has not been addressed. (Ref: Para. A12) (b) Engagement documentation – The record of work performed, results obtained, and conclusions the practitioner reached (terms such as “working papers” or “work papers” are sometimes used). (c) Engagement partner 3 – The partner or other individual, appointed by the firm, who is responsible for the engagement and its performance, and for the report that is issued on behalf of the firm, and who, where required, has the appropriate authority from a professional, legal or regulatory body. (d) Engagement quality review – An objective evaluation of the significant judgments made by the engagement team and the conclusions reached thereon, performed by the engagement quality reviewer and completed on or before the date of the engagement report. (e) Engagement quality reviewer – A partner, other individual in the firm, or an external individual, appointed by the firm to perform the engagement quality review. (f) Engagement team – All partners and staff performing the engagement, and any other individuals who perform procedures on the engagement, excluding an external expert 4 and internal auditors who provide direct assistance on an engagement. (Ref: Para. A13) (g) External inspections – Inspections or investigations, undertaken by an external oversight authority, related to the firm’s system of quality management or engagements performed by the firm. (Ref: Para. A14) (h) Findings (in relation to a system of quality management) – Information about the design, implementation and operation of the system of quality management that has been accumulated from the performance of monitoring activities, external inspections and other relevant sources, which indicates that one or more deficiencies may exist. (Ref: Para. A15–A17) (i) Firm – A sole practitioner, partnership or corporation or other entity of professional accountants, or public sector equivalent. (Ref: Para. A18) (j) Listed entity – An entity whose shares, stock or debt are quoted or listed on a recognized stock exchange, or are marketed under the regulations of a recognized stock exchange or other equivalent body. 3 “Engagement partner” and “partner” is to be read as referring to their public sector equivalents where relevant. 4 ISA 620, Using the Work of an Auditor’s Expert, paragraph 6(a), defines the term “auditor’s expert.” Page 8 of 73 ISQM 1 (k) Network firm – A firm or entity that belongs to the firm’s network. (l) Network – A larger structure: (Ref: Para. A19) (i) That is aimed at cooperation; and (ii) That is clearly aimed at profit or cost-sharing or shares common ownership, control or management, common quality management policies or procedures, common business strategy, the use of a common brand name, or a significant part of professional resources. (m) Partner – Any individual with authority to bind the firm with respect to the performance of a professional services engagement. (n) Personnel – Partners and staff in the firm. (Ref: Para. A20–A21) (o) Professional judgment – The application of relevant training, knowledge and experience, within the context of professional standards, in making informed decisions about the courses of action that are appropriate in the design, implementation and operation of the firm’s system of quality management. (p) Professional standards – IAASB Engagement Standards, as defined in the IAASB’s Preface to the International Quality Management, Auditing, Review, Other Assurance, and Related Services Pronouncements, and relevant ethical requirements. (q) Quality objectives – The desired outcomes in relation to the components of the system of quality management to be achieved by the firm. (r) Quality risk – A risk that has a reasonable possibility of: (i) Occurring; and (ii) Individually, or in combination with other risks, adversely affecting the achievement of one or more quality objectives. (s) Reasonable assurance – In the context of the ISQMs, a high, but not absolute, level of assurance. (t) Relevant ethical requirements – Principles of professional ethics and ethical requirements that are applicable to professional accountants when undertaking engagements that are audits or reviews of financial statements or other assurance or related services engagements. Relevant ethical requirements ordinarily comprise the provisions of the IESBA Code related to audits or reviews of financial statements, or other assurance or related services engagements, together with national requirements that are more restrictive. (Ref: Para. A22–A24, A62) (u) Response (in relation to a system of quality management) – Policies or procedures designed and implemented by the firm to address one or more quality risk(s): (Ref: Para. A25–A27, A50) (i) Policies are statements of what should, or should not, be done to address a quality risk(s). Such statements may be documented, explicitly stated in communications or implied through actions and decisions. (ii) Procedures are actions to implement policies. (v) Service provider (in the context of this ISQM) – An individual or organization external to the firm that provides a resource that is used in the system of quality management or in the performance of engagements. Service providers exclude the firm’s network, other network firms or other structures or organizations in the network. (Ref: Para. A28, A105) (w) Staff – Professionals, other than partners, including any experts the firm employs. Page 9 of 73 ISQM 1 (x) System of quality management – A system designed, implemented and operated by a firm to provide the firm with reasonable assurance that: (i) The firm and its personnel fulfill their responsibilities in accordance with professional standards and applicable legal and regulatory requirements, and conduct engagements in accordance with such standards and requirements; and (ii) Engagement reports issued by the firm or engagement partners are appropriate in the circumstances. Requirements Applying, and Complying with, Relevant Requirements 17. The firm shall comply with each requirement of this ISQM unless the requirement is not relevant to the firm because of the nature and circumstances of the firm or its engagements. (Ref: Para. A29) 18. The individual(s) assigned ultimate responsibility and accountability for the firm’s system of quality management, and the individual(s) assigned operational responsibility for the firm’s system of quality management shall have an understanding of this ISQM, including the application and other explanatory material, to understand the objective of this ISQM and to apply its requirements properly. System of Quality Management 19. The firm shall design, implement and operate a system of quality management. In doing so, the firm shall exercise professional judgment, taking into account the nature and circumstances of the firm and its engagements. The governance and leadership component of the system of quality management establishes the environment that supports the design, implementation and operation of the system of quality management. (Ref: Para. A30–A31) Responsibilities 20. The firm shall assign: (Ref: Para. A32–A35) (a) Ultimate responsibility and accountability for the system of quality management to the firm’s chief executive officer or the firm’s managing partner (or equivalent) or, if appropriate, the firm’s managing board of partners (or equivalent); (b) Operational responsibility for the system of quality management; (c) Operational responsibility for specific aspects of the system of quality management, including: (i) Compliance with independence requirements; and (Ref: Para. A36) (ii) The monitoring and remediation process. 21. In assigning the roles in paragraph 20 the firm shall determine that the individual(s): (Ref: Para. A37) (a) Has the appropriate experience, knowledge, influence and authority within the firm, and sufficient time, to fulfill their assigned responsibility; and (Ref: Para. A38) (b) Understands their assigned roles and that they are accountable for fulfilling them. 22. The firm shall determine that the individual(s) assigned operational responsibility for the system of quality management, compliance with independence requirements and the monitoring and remediation process, have a direct line of communication to the individual(s) assigned ultimate responsibility and accountability for the system of quality management. Page 10 of 73 ISQM 1 The Firm’s Risk Assessment Process 23. The firm shall design and implement a risk assessment process to establish quality objectives, identify and assess quality risks and design and implement responses to address the quality risks. (Ref: Para. A39–A41) 24. The firm shall establish the quality objectives specified by this ISQM and any additional quality objectives considered necessary by the firm to achieve the objectives of the system of quality management. (Ref: Para. A42–A44) 25. The firm shall identify and assess quality risks to provide a basis for the design and implementation of responses. In doing so, the firm shall: (a) Obtain an understanding of the conditions, events, circumstances, actions or inactions that may adversely affect the achievement of the quality objectives, including: (Ref: Para. A45– A47) (i) With respect to the nature and circumstances of the firm, those relating to: a. The complexity and operating characteristics of the firm; b. The strategic and operational decisions and actions, business processes and business model of the firm; c. The characteristics and management style of leadership; d. The resources of the firm, including the resources provided by service providers; e. Law, regulation, professional standards and the environment in which the firm operates; and f. In the case of a firm that belongs to a network, the nature and extent of the network requirements and network services, if any. (ii) With respect to the nature and circumstances of the engagements performed by the firm, those relating to: a. The types of engagements performed by the firm and the reports to be issued; and b. The types of entities for which such engagements are undertaken. (b) Take into account how, and the degree to which, the conditions, events, circumstances, actions or inactions in paragraph 25(a) may adversely affect the achievement of the quality objectives. (Ref: Para. A48) 26. The firm shall design and implement responses to address the quality risks in a manner that is based on, and responsive to, the reasons for the assessments given to the quality risks. The firm’s responses shall also include the responses specified in paragraph 34. (Ref: Para. A49–A51) 27. The firm shall establish policies or procedures that are designed to identify information that indicates additional quality objectives, or additional or modified quality risks or responses, are needed due to changes in the nature and circumstances of the firm or its engagements. If such information is identified, the firm shall consider the information and when appropriate: (Ref: Para. A52–A53) (a) Establish additional quality objectives or modify additional quality objectives already established by the firm; (Ref: Para. A54) Page 11 of 73 ISQM 1 (b) Identify and assess additional quality risks, modify the quality risks or reassess the quality risks; or (c) Design and implement additional responses, or modify the responses. Governance and Leadership 28. The firm shall establish the following quality objectives that address the firm’s governance and leadership, which establishes the environment that supports the system of quality management: (a) The firm demonstrates a commitment to quality through a culture that exists throughout the firm, which recognizes and reinforces: (Ref: Para. A55–A56) (i) The firm’s role in serving the public interest by consistently performing quality engagements; (ii) The importance of professional ethics, values and attitudes; (iii) The responsibility of all personnel for quality relating to the performance of engagements or activities within the system of quality management, and their expected behavior; and (iv) The importance of quality in the firm’s strategic decisions and actions, including the firm’s financial and operational priorities. (b) Leadership is responsible and accountable for quality. (Ref: Para. A57) (c) Leadership demonstrates a commitment to quality through their actions and behaviors. (Ref: Para. A58) (d) The organizational structure and assignment of roles, responsibilities and authority is appropriate to enable the design, implementation and operation of the firm’s system of quality management. (Ref: Para. A32, A33, A35, A59) (e) Resource needs, including financial resources, are planned for and resources are obtained, allocated or assigned in a manner that is consistent with the firm’s commitment to quality. (Ref: Para. A60–A61) Relevant Ethical Requirements 29. The firm shall establish the following quality objectives that address the fulfillment of responsibilities in accordance with relevant ethical requirements, including those related to independence: (Ref: Para. A62–A64, A66) (a) The firm and its personnel: (i) Understand the relevant ethical requirements to which the firm and the firm’s engagements are subject; and (Ref: Para. A22, A24) (ii) Fulfill their responsibilities in relation to the relevant ethical requirements to which the firm and the firm’s engagements are subject. (b) Others, including the network, network firms, individuals in the network or network firms, or service providers, who are subject to the relevant ethical requirements to which the firm and the firm’s engagements are subject: (i) Understand the relevant ethical requirements that apply to them; and (Ref: Para. A22, A24, A65) Page 12 of 73 ISQM 1 (ii) Fulfill their responsibilities in relation to the relevant ethical requirements that apply to them. Acceptance and Continuance of Client Relationships and Specific Engagements 30. The firm shall establish the following quality objectives that address the acceptance and continuance of client relationships and specific engagements: (a) Judgments by the firm about whether to accept or continue a client relationship or specific engagement are appropriate based on: (i) Information obtained about the nature and circumstances of the engagement and the integrity and ethical values of the client (including management, and, when appropriate, those charged with governance) that is sufficient to support such judgments; and (Ref: Para. A67–A71) (ii) The firm’s ability to perform the engagement in accordance with professional standards and applicable legal and regulatory requirements. (Ref: Para. A72) (b) The financial and operational priorities of the firm do not lead to inappropriate judgments about whether to accept or continue a client relationship or specific engagement. (Ref: Para. A73– A74) Engagement Performance 31. The firm shall establish the following quality objectives that address the performance of quality engagements: (a) Engagement teams understand and fulfill their responsibilities in connection with the engagements, including, as applicable, the overall responsibility of engagement partners for managing and achieving quality on the engagement and being sufficiently and appropriately involved throughout the engagement. (Ref: Para. A75) (b) The nature, timing and extent of direction and supervision of engagement teams and review of the work performed is appropriate based on the nature and circumstances of the engagements and the resources assigned or made available to the engagement teams, and the work performed by less experienced engagement team members is directed, supervised and reviewed by more experienced engagement team members. (Ref: Para. A76–A77) (c) Engagement teams exercise appropriate professional judgment and, when applicable to the type of engagement, professional skepticism. (Ref: Para. A78) (d) Consultation on difficult or contentious matters is undertaken and the conclusions agreed are implemented. (Ref: Para. A79–A81) (e) Differences of opinion within the engagement team, or between the engagement team and the engagement quality reviewer or individuals performing activities within the firm’s system of quality management are brought to the attention of the firm and resolved. (Ref: Para. A82) (f) Engagement documentation is assembled on a timely basis after the date of the engagement report, and is appropriately maintained and retained to meet the needs of the firm and comply with law, regulation, relevant ethical requirements, or professional standards. (Ref: Para. A83– A85) Page 13 of 73 ISQM 1 Resources 32. The firm shall establish the following quality objectives that address appropriately obtaining, developing, using, maintaining, allocating and assigning resources in a timely manner to enable the design, implementation and operation of the system of quality management: (Ref: Para. A86–A87) Human Resources (a) Personnel are hired, developed and retained and have the competence and capabilities to: (Ref: Para. A88–A90) (i) Consistently perform quality engagements, including having knowledge or experience relevant to the engagements the firm performs; or (ii) Perform activities or carry out responsibilities in relation to the operation of the firm’s system of quality management. (b) Personnel demonstrate a commitment to quality through their actions and behaviors, develop and maintain the appropriate competence to perform their roles, and are held accountable or recognized through timely evaluations, compensation, promotion and other incentives. (Ref: Para. A91–A93) (c) Individuals are obtained from external sources (i.e., the network, another network firm or a service provider) when the firm does not have sufficient or appropriate personnel to enable the operation of firm’s system of quality management or performance of engagements. (Ref: Para. A94) (d) Engagement team members are assigned to each engagement, including an engagement partner, who have appropriate competence and capabilities, including being given sufficient time, to consistently perform quality engagements. (Ref: Para. A88–A89, A95–A97) (e) Individuals are assigned to perform activities within the system of quality management who have appropriate competence and capabilities, including sufficient time, to perform such activities. Technological Resources (f) Appropriate technological resources are obtained or developed, implemented, maintained, and used, to enable the operation of the firm’s system of quality management and the performance of engagements. (Ref: Para. A98–A101, A104) Intellectual Resources (g) Appropriate intellectual resources are obtained or developed, implemented, maintained, and used, to enable the operation of the firm’s system of quality management and the consistent performance of quality engagements, and such intellectual resources are consistent with professional standards and applicable legal and regulatory requirements, where applicable. (Ref: Para. A102–A104) Service Providers (h) Human, technological or intellectual resources from service providers are appropriate for use in the firm’s system of quality management and in the performance of engagements, taking into account the quality objectives in paragraph 32 (d),(e),(f) and (g). (Ref: Para. A105–A108) Page 14 of 73 ISQM 1 Information and Communication 33. The firm shall establish the following quality objectives that address obtaining, generating or using information regarding the system of quality management, and communicating information within the firm and to external parties on a timely basis to enable the design, implementation and operation of the system of quality management: (Ref: Para. A109) (a) The information system identifies, captures, processes and maintains relevant and reliable information that supports the system of quality management, whether from internal or external sources. (Ref: Para. A110–A111) (b) The culture of the firm recognizes and reinforces the responsibility of personnel to exchange information with the firm and with one another. (Ref: Para. A112) (c) Relevant and reliable information is exchanged throughout the firm and with engagement teams, including: (Ref: Para. A112) (i) Information is communicated to personnel and engagement teams, and the nature, timing and extent of the information is sufficient to enable them to understand and carry out their responsibilities relating to performing activities within the system of quality management or engagements; and (ii) Personnel and engagement teams communicate information to the firm when performing activities within the system of quality management or engagements. (d) Relevant and reliable information is communicated to external parties, including: (i) Information is communicated by the firm to or within the firm’s network or to service providers, if any, enabling the network or service providers to fulfill their responsibilities relating to the network requirements or network services or resources provided by them; and (Ref: Para. A113) (ii) Information is communicated externally when required by law, regulation or professional standards, or to support external parties’ understanding of the system of quality management. (Ref: Para. A114–A115) Specified Responses 34. In designing and implementing responses in accordance with paragraph 26, the firm shall include the following responses: (Ref: Para. A116) (a) The firm establishes policies or procedures for: (i) Identifying, evaluating and addressing threats to compliance with the relevant ethical requirements; and (Ref: Para. A117) (ii) Identifying, communicating, evaluating and reporting of any breaches of the relevant ethical requirements and appropriately responding to the causes and consequences of the breaches in a timely manner. (Ref: Para. A118–A119) (b) The firm obtains, at least annually, a documented confirmation of compliance with independence requirements from all personnel required by relevant ethical requirements to be independent. (c) The firm establishes policies or procedures for receiving, investigating and resolving complaints and allegations about failures to perform work in accordance with professional Page 15 of 73 ISQM 1 standards and applicable legal and regulatory requirements, or non-compliance with the firm’s policies or procedures established in accordance with this ISQM. (Ref: Para. A120–A121) (d) The firm establishes policies or procedures that address circumstances when: (i) The firm becomes aware of information subsequent to accepting or continuing a client relationship or specific engagement that would have caused it to decline the client relationship or specific engagement had that information been known prior to accepting or continuing the client relationship or specific engagement; or (Ref: Para. A122–A123) (ii) The firm is obligated by law or regulation to accept a client relationship or specific engagement. (Ref: Para. A123) (e) The firm establishes policies or procedures that: (Ref: Para. A124–A126) (i) Require communication with those charged with governance when performing an audit of financial statements of listed entities about how the system of quality management supports the consistent performance of quality audit engagements; (Ref: Para. A127– A129) (ii) Address when it is otherwise appropriate to communicate with external parties about the firm’s system of quality management; and (Ref: Para. A130) (iii) Address the information to be provided when communicating externally in accordance with paragraphs 34(e)(i) and 34(e)(ii), including the nature, timing and extent and appropriate form of communication. (Ref: Para. A131–A132) (f) The firm establishes policies or procedures that address engagement quality reviews in accordance with ISQM 2, and require an engagement quality review for: (i) Audits of financial statements of listed entities; (ii) Audits or other engagements for which an engagement quality review is required by law or regulation; and (Ref: Para. A133) (iii) Audits or other engagements for which the firm determines that an engagement quality review is an appropriate response to address one or more quality risk(s). (Ref: Para. A134-A137) Monitoring and Remediation Process 35. The firm shall establish a monitoring and remediation process to: (Ref: Para. A138) (a) Provide relevant, reliable and timely information about the design, implementation and operation of the system of quality management. (b) Take appropriate actions to respond to identified deficiencies such that deficiencies are remediated on a timely basis. Designing and Performing Monitoring Activities 36. The firm shall design and perform monitoring activities to provide a basis for the identification of deficiencies. 37. In determining the nature, timing and extent of the monitoring activities, the firm shall take into account: (Ref: Para. A139–A142) Page 16 of 73 ISQM 1 (a) The reasons for the assessments given to the quality risks; (b) The design of the responses; (c) The design of the firm’s risk assessment process and monitoring and remediation process; (Ref: Para. A143–A144) (d) Changes in the system of quality management; (Ref: Para. A145) (e) The results of previous monitoring activities, whether previous monitoring activities continue to be relevant in evaluating the firm’s system of quality management and whether remedial actions to address previously identified deficiencies were effective; and (Ref: Para. A146– A147) (f) Other relevant information, including complaints and allegations about failures to perform work in accordance with professional standards and applicable legal and regulatory requirements or non-compliance with the firm’s policies or procedures established in accordance with this ISQM, information from external inspections and information from service providers. (Ref: Para. A148–A150) 38. The firm shall include the inspection of completed engagements in its monitoring activities and shall determine which engagements and engagement partners to select. In doing so, the firm shall: (Ref: Para. A141, A151–A154) (a) Take into account the matters in paragraph 37; (b) Consider the nature, timing and extent of other monitoring activities undertaken by the firm and the engagements and engagement partners subject to such monitoring activities; and (c) Select at least one completed engagement for each engagement partner on a cyclical basis determined by the firm. 39. The firm shall establish policies or procedures that: (a) Require the individuals performing the monitoring activities to have the competence and capabilities, including sufficient time, to perform the monitoring activities effectively; and (b) Address the objectivity of the individuals performing the monitoring activities. Such policies or procedures shall prohibit the engagement team members or the engagement quality reviewer of an engagement from performing any inspection of that engagement. (Ref: Para. A155– A156) Evaluating Findings and Identifying Deficiencies 40. The firm shall evaluate findings to determine whether deficiencies exist, including in the monitoring and remediation process. (Ref: Para. A157–A162) Evaluating Identified Deficiencies 41. The firm shall evaluate the severity and pervasiveness of identified deficiencies by: (Ref: Para. A161, A163–A164) (a) Investigating the root cause(s) of the identified deficiencies. In determining the nature, timing and extent of the procedures to investigate the root cause(s), the firm shall take into account the nature of the identified deficiencies and their possible severity. (Ref: Para. A165–A169) Page 17 of 73 ISQM 1 (b) Evaluating the effect of the identified deficiencies, individually and in aggregate, on the system of quality management. Responding to Identified Deficiencies 42. The firm shall design and implement remedial actions to address identified deficiencies that are responsive to the results of the root cause analysis. (Ref: Para. A170–A172) 43. The individual(s) assigned operational responsibility for the monitoring and remediation process shall evaluate whether the remedial actions: (a) Are appropriately designed to address the identified deficiencies and their related root cause(s) and determine that they have been implemented; and (b) Implemented to address previously identified deficiencies are effective. 44. If the evaluation indicates that the remedial actions are not appropriately designed and implemented or are not effective, the individual(s) assigned operational responsibility for the monitoring and remediation process shall take appropriate action to determine that the remedial actions are appropriately modified such that they are effective. Findings About a Particular Engagement 45. The firm shall respond to circumstances when findings indicate that there is an engagement(s) for which procedures required were omitted during the performance of the engagement(s) or the report issued may be inappropriate. The firm’s response shall include: (Ref: Para. A173) (a) Taking appropriate action to comply with relevant professional standards and applicable legal and regulatory requirements; and (b) When the report is considered to be inappropriate, considering the implications and taking appropriate action, including considering whether to obtain legal advice. Ongoing Communication Related to Monitoring and Remediation 46. The individual(s) assigned operational responsibility for the monitoring and remediation process shall communicate on a timely basis to the individual(s) assigned ultimate responsibility and accountability for the system of quality management and the individual(s) assigned operational responsibility for the system of quality management: (Ref: Para. A174) (a) A description of the monitoring activities performed; (b) The identified deficiencies, including the severity and pervasiveness of such deficiencies; and (c) The remedial actions to address the identified deficiencies. 47. The firm shall communicate the matters described in paragraph 46 to engagement teams and other individuals assigned activities within the system of quality management to enable them to take prompt and appropriate action in accordance with their responsibilities. Network Requirements or Network Services 48. When the firm belongs to a network, the firm shall understand, when applicable: (Ref: Para. A19, A175) Page 18 of 73 ISQM 1 (a) The requirements established by the network regarding the firm’s system of quality management, including requirements for the firm to implement or use resources or services designed or otherwise provided by or through the network (i.e., network requirements); (b) Any services or resources provided by the network that the firm chooses to implement or use in the design, implementation or operation of the firm’s system of quality management (i.e., network services); and (c) The firm’s responsibilities for any actions that are necessary to implement the network requirements or use network services. (Ref: Para. A176) The firm remains responsible for its system of quality management, including professional judgments made in the design, implementation and operation of the system of quality management. The firm shall not allow compliance with the network requirements or use of network services to contravene the requirements of this ISQM. (Ref: Para. A177) 49. Based on the understanding obtained in paragraph 48, the firm shall: (a) Determine how the network requirements or network services are relevant to, and are taken into account in, the firm’s system of quality management, including how they are to be implemented; and (Ref: Para. A178) (b) Evaluate whether and, if so, how the network requirements or network services need to be adapted or supplemented by the firm to be appropriate for use in its system of quality management. (Ref: Para. A179–A180) Monitoring Activities Undertaken by the Network on the Firm’s System of Quality Management 50. In circumstances when the network performs monitoring activities relating to the firm’s system of quality management, the firm shall: (a) Determine the effect of the monitoring activities performed by the network on the nature, timing and extent of the firm’s monitoring activities performed in accordance with paragraphs 36–38; (b) Determine the firm’s responsibilities in relation to the monitoring activities, including any related actions by the firm; and (c) As part of evaluating findings and identifying deficiencies in paragraph 40, obtain the results of the monitoring activities from the network in a timely manner. (Ref: Para. A181) Monitoring Activities Undertaken by the Network Across the Network Firms 51. The firm shall: (a) Understand the overall scope of the monitoring activities undertaken by the network across the network firms, including monitoring activities to determine that network requirements have been appropriately implemented across the network firms, and how the network will communicate the results of its monitoring activities to the firm; (b) At least annually, obtain information from the network about the overall results of the network’s monitoring activities across the network firms, if applicable, and: (Ref: Para. A182–A184) (i) Communicate the information to engagement teams and other individuals assigned activities within the system of quality management, as appropriate, to enable them to take prompt and appropriate action in accordance with their responsibilities; and Page 19 of 73 ISQM 1 (ii) Consider the effect of the information on the firm’s system of quality management. Deficiencies in Network Requirements or Network Services Identified by the Firm 52. If the firm identifies a deficiency in the network requirements or network services, the firm shall: (Ref: Para. A185) (a) Communicate to the network relevant information about the identified deficiency; and (b) In accordance with paragraph 42, design and implement remedial actions to address the effect of the identified deficiency in the network requirements or network services. (Ref: Para. A186) Evaluating the System of Quality Management 53. The individual(s) assigned ultimate responsibility and accountability for the system of quality management shall evaluate, on behalf of the firm, the system of quality management. The evaluation shall be undertaken as of a point in time, and performed at least annually. (Ref: Para. A187–A189) 54. Based on the evaluation, the individual(s) assigned ultimate responsibility and accountability for the system of quality management shall conclude, on behalf of the firm, one of the following: (Ref: Para. A190, A195) (a) The system of quality management provides the firm with reasonable assurance that the objectives of the system of quality management are being achieved; (Ref: Para. A191) (b) Except for matters related to identified deficiencies that have a severe but not pervasive effect on the design, implementation and operation of the system of quality management, the system of quality management provides the firm with reasonable assurance that the objectives of the system of quality management are being achieved; or (Ref: Para. A192) (c) The system of quality management does not provide the firm with reasonable assurance that the objectives of the system of quality management are being achieved. (Ref: Para. A192– A194) 55. If the individual(s) assigned ultimate responsibility and accountability for the system of quality management reaches the conclusion described in paragraph 54(b) or 54(c), the firm shall: (Ref: Para. A196) (a) Take prompt and appropriate action; and (b) Communicate to: (i) Engagement teams and other individuals assigned activities within the system of quality management to the extent that it is relevant to their responsibilities; and (Ref: Para. A197) (ii) External parties in accordance with the firm’s policies or procedures required by paragraph 34(e). (Ref: Para. A198) 56. The firm shall undertake periodic performance evaluations of the individual(s) assigned ultimate responsibility and accountability for the system of quality management, and the individual(s) assigned operational responsibility for the system of quality management. In doing so, the firm shall take into account the evaluation of the system of quality management. (Ref: Para. A199–A201) Page 20 of 73 ISQM 1 Documentation 57. The firm shall prepare documentation of its system of quality management that is sufficient to: (Ref: Para. A202–A204) (a) Support a consistent understanding of the system of quality management by personnel, including an understanding of their roles and responsibilities with respect to the system of quality management and the performance of engagements; (b) Support the consistent implementation and operation of the responses; and (c) Provide evidence of the design, implementation and operation of the responses, to support the evaluation of the system of quality management by the individual(s) assigned ultimate responsibility and accountability for the system of quality management. 58. In preparing documentation, the firm shall include: (a) The identification of the individual(s) assigned ultimate responsibility and accountability for the system of quality management and operational responsibility for the system of quality management; (b) The firm’s quality objectives and quality risks; (Ref: Para. A205) (c) A description of the responses and how the firm’s responses address the quality risks; (d) Regarding the monitoring and remediation process: (i) Evidence of the monitoring activities performed; (ii) The evaluation of findings, and identified deficiencies and their related root cause(s); (iii) Remedial actions to address identified deficiencies and the evaluation of the design and implementation of such remedial actions; and (iv) Communications about monitoring and remediation; and (e) The basis for the conclusion reached pursuant to paragraph 54. 59. The firm shall document the matters in paragraph 58 as they relate to network requirements or network services and the evaluation of the network requirements or network services in accordance with paragraph 49(b). (Ref: Para. A206) 60. The firm shall establish a period of time for the retention of documentation for the system of quality management that is sufficient to enable the firm to monitor the design, implementation and operation of the firm’s system of quality management, or for a longer period if required by law or regulation. Application and Other Explanatory Material Scope of this ISQM (Ref: Para. 3–4) A1. Other pronouncements of the IAASB, including ISRE 2400 (Revised) 5 and ISAE 3000 (Revised), 6 also establish requirements for the engagement partner for the management of quality at the engagement level. 5 International Standard on Review Engagements (ISRE) 2400 (Revised), Engagements to Review Historical Financial Statements 6 International Standard on Assurance Engagements (ISAE) 3000 (Revised), Assurance Engagements Other than Audits or Reviews of Historical Financial Information Page 21 of 73 ISQM 1 A2. The IESBA Code 7 contains requirements and application material for professional accountants that enable professional accountants to meet their responsibility to act in the public interest. As indicated in paragraph 15, in the context of engagement performance as described in this ISQM, the consistent performance of quality engagements forms part of the professional accountant’s responsibility to act in the public interest. The Firm’s System of Quality Management (Ref: Para. 6–9) A3. The firm may use different terminology or frameworks to describe the components of its system of quality management. A4. Examples of the interconnected nature of the components include the following: The firm’s risk assessment process sets out the process the firm is required to follow in implementing a risk-based approach across the system of quality management. The governance and leadership component establishes the environment that supports the system of quality management. The resources and information and communication components enable the design, implementation and operation of the system of quality management. The monitoring and remediation process is a process designed to monitor the entire system of quality management. The results of the monitoring and remediation process provide information that is relevant to the firm’s risk assessment process. There may be relationships between specific matters, for example, certain aspects of relevant ethical requirements are relevant to accepting and continuing client relationships and specific engagements. A5. Reasonable assurance is obtained when the system of quality management reduces to an acceptably low level the risk that the objectives stated in paragraph 14(a) and (b) are not achieved. Reasonable assurance is not an absolute level of assurance, because there are inherent limitations of a system of quality management. Such limitations include that human judgment in decision making can be faulty and that breakdowns in a firm’s system of quality management may occur, for example, due to human error or behavior or failures in information technology (IT) applications. Authority of this ISQM (Ref: Para. 12) A6. The objective of this ISQM provides the context in which the requirements of this ISQM are set, establishes the desired outcome of this ISQM and is intended to assist the firm in understanding what needs to be accomplished and, where necessary, the appropriate means of doing so. A7. The requirements of this ISQM are expressed using “shall.” A8. Where necessary, the application and other explanatory material provides further explanation of the requirements and guidance for carrying them out. In particular, it may: Explain more precisely what a requirement means or is intended to cover; and Include examples that illustrate how the requirements might be applied. 7 The International Ethics Standards Board for Accountants’ International Code of Ethics for Professional Accountants (including International Independence Standards) (IESBA Code) Page 22 of 73 ISQM 1 While such guidance does not in itself impose a requirement, it is relevant to the proper application of the requirements. The application and other explanatory material may also provide background information on matters addressed in this ISQM. Where appropriate, additional considerations specific to public sector audit organizations are included within the application and other explanatory material. These additional considerations assist in the application of the requirements in this ISQM. They do not, however, limit or reduce the responsibility of the firm to apply and comply with the requirements in this ISQM. A9. This ISQM includes, under the heading “Definitions,” a description of the meanings attributed to certain terms for purposes of this ISQM. These definitions are provided to assist in the consistent application and interpretation of this ISQM, and are not intended to override definitions that may be established for other purposes, whether in law, regulation or otherwise. The Glossary of Terms relating to International Standards issued by the IAASB in the Handbook of International Quality Management, Auditing, Review, Other Assurance, and Related Services Pronouncements published by IFAC includes the terms defined in this ISQM. The Glossary of Terms also includes descriptions of other terms found in the ISQMs to assist in common and consistent interpretation and translation. Definitions Deficiency (Ref: Para. 16(a)) A10. The firm identifies deficiencies through evaluating findings. A deficiency may arise from a finding, or a combination of findings. A11. When a deficiency is identified as a result of a quality risk, or combination of quality risks, not being identified or properly assessed, the response(s) to address such quality risk(s) may also be absent, or not appropriately designed or implemented. A12. The other aspects of the system of quality management consist of the requirements in this ISQM addressing: Assigning responsibilities (paragraphs 20–22); The firm’s risk assessment process; The monitoring and remediation process; and The evaluation of the system of quality management. Examples of deficiencies related to other aspects of the system of quality management The firm’s risk assessment process fails to identify information that indicates changes in the nature and circumstances of the firm and its engagements and the need to establish additional quality objectives, or modify the quality risks or responses. The firm’s monitoring and remediation process is not designed or implemented in a manner that: o Provides relevant, reliable and timely information about the design, implementation and operation of the system of quality management. o Enables the firm to take appropriate actions to respond to identified deficiencies such that deficiencies are remediated on a timely basis. Page 23 of 73 ISQM 1 The individual(s) assigned ultimate responsibility and accountability for the system of quality management does not undertake the annual evaluation of the system of quality management. Engagement Team (Ref: Para. 16(f)) A13. ISA 220 (Revised) 8 provides guidance in applying the definition of engagement team in the context of an audit of financial statements. External Inspections (Ref: Para. 16(g)) A14. In some circumstances, an external oversight authority may undertake other types of inspections, for example, thematic reviews that focus on, for a selection of firms, particular aspects of audit engagements or firm-wide practices. Findings (Ref: Para. 16(h)) A15. As part of accumulating findings from monitoring activities, external inspections and other relevant sources, the firm may identify other observations about the firm’s system of quality management, such as positive outcomes or opportunities for the firm to improve, or further enhance, the system of quality management. Paragraph A158 explains how other observations may be used by the firm in the system of quality management. A16. Paragraph A148 provides examples of information from other relevant sources. A17. Monitoring activities include monitoring at the engagement level, such as inspection of engagements. Furthermore, external inspections and other relevant sources may include information that relates to specific engagements. As a result, information about the design, implementation and operation of the system of quality management includes engagement-level findings that may be indicative of findings in relation to the system of quality management. Firm (Ref: Para. 16(i)) A18. The definition of “firm” in relevant ethical requirements may differ from the definition set out in this ISQM. Network (Ref: Para. 16(l), 48) A19. Networks and the firms within the network may be structured in a variety of ways. For example, in the context of a firm’s system of quality management: The network may establish requirements for the firm related to its system of quality management, or provide services that are used by the firm in its system of quality management or in the performance of engagements; Other firms within the network may provide services (e.g., resources) that are used by the firm in its system of quality management or in the performance of engagements; or Other structures or organizations within the network may establish requirements for the firm related to its system of quality management, or provide services. 8 ISA 220 (Revised), paragraphs A15–A25 Page 24 of 73 ISQM 1 For the purposes of this ISQM, any network requirements or network services that are obtained from the network, another firm within the network or another structure or organization in the network are considered “network requirements or network services.” Personnel (Ref: Para. 16(n)) A20. In addition to personnel (i.e., individuals in the firm), the firm may use individuals external to the firm in performing activities in the system of quality management or in the performance of engagements. For example, individuals external to the firm may include individuals from other network firms (e.g., individuals in a service delivery center of a network firm) or individuals employed by a service provider (e.g., a component auditor from another firm not within the firm’s network). A21. Personnel also includes partners and staff in other structures of the firm, such as a service delivery center in the firm. Relevant Ethical Requirements (Ref: Para. 16(t), 29) A22. The relevant ethical requirements that are applicable in the context of a system of quality management may vary, depending on the nature and circumstances of the firm and its engagements. The term “professional accountant” may be defined in relevant ethical requirements. For example, the IESBA Code defines the term “professional accountant” and further explains the scope of provisions in the IESBA Code that apply to individual professional accountants in public practice and their firms. A23. The IESBA Code addresses circumstances when law or regulation precludes the professional accountant from complying with certain parts of the IESBA Code. It further acknowledges that some jurisdictions might have provisions in law or regulation that differ from or go beyond those set out in the IESBA Code and that professional accountants in those jurisdictions need to be aware of those differences and comply with the more stringent provisions, unless prohibited by law or regulation. A24. Various provisions of the relevant ethical requirements may apply only to individuals in the context of the performance of engagements and not the firm itself. For example: Part 2 of the IESBA Code applies to individuals who are professional accountants in public practice when they are performing professional activities pursuant to their relationship with the firm, whether as a contractor, employee or owner, and may be relevant in the context of the performance of engagements. Certain requirements in Parts 3 and 4 of the IESBA Code also apply to individuals who are professional accountants in public practice when they are performing professional activities for clients. Compliance with such relevant ethical requirements by individuals may need to be addressed by the firm’s system of quality management. Example of relevant ethical requirements that are applicable only to individuals and not the firm, and which relate to the performance of engagements Part 2 of the IESBA Code addresses pressure to breach the fundamental principles, and includes requirements that an individual shall not: Allow pressure from others to result in a breach of compliance with the fundamental principles; or Page 25 of 73 ISQM 1 Place pressure on others that the accountant knows, or has reason to believe, would result in the other individuals breaching the fundamental principles. For example, circumstances may arise when, in performing an engagement, an individual considers that the engagement partner or another senior member of the engagement team has pressured them to breach the fundamental principles. Response (Ref: Para. 16(u)) A25. Policies are implemented through the actions of personnel and other individuals whose actions are subject to the policies (including engagement teams), or through their restraint from taking actions that would conflict with the firm’s policies. A26. Procedures may be mandated, through formal documentation or other communications, or may result from behaviors that are not mandated but are rather conditioned by the firm’s culture. Procedures may be enforced through the actions permitted by IT applications, or other aspects of the firm’s IT environment. A27. If the firm uses individuals external to the firm in the system of quality management or in the performance of engagements, different policies or procedures may need to be designed by the firm to address the actions of the individuals. ISA 220 (Revised) 9 provides guidance when different policies or procedures may need to be designed by the firm to address the actions of individuals external to the firm in the context of an audit of financial statements. Service Provider (Ref: Para. 16(v)) A28. Service providers include component auditors from other firms not within the firm’s network. Applying, and Complying with, Relevant Requirements (Ref: Para. 17) A29. Examples of when a requirement of this ISQM may not be relevant to the firm The firm is a sole practitioner. For example, the requirements addressing the organizational structure and assigning roles, responsibilities and authority within the firm, direction, supervision and review and addressing differences of opinion may not be relevant. The firm only performs engagements that are related services engagements. For example, if the firm is not required to maintain independence for related services engagements, the requirement to obtain a documented confirmation of compliance with independence requirements from all personnel would not be relevant. System of Quality Management Design, Implement and Operate a System of Quality Management (Ref: Para. 19) A30. Quality management is not a separate function of the firm; it is the integration of a culture that demonstrates a commitment to quality with the firm’s strategy, operational activities and business processes. As a result, designing the system of quality management and the firm’s operational activities and business processes in an integrated manner may promote a harmonious approach to managing the firm, and enhance the effectiveness of quality management. 9 ISA 220 (Revised), paragraphs A23–A25 Page 26 of 73 ISQM 1 A31. The quality of professional judgments exercised by the firm is likely to be enhanced when individuals making such judgments demonstrate an attitude that includes an inquiring mind, which involves: Considering the source, relevance and sufficiency of information obtained about the system of quality management, including information related to the nature and circumstances of the firm and its engagements; and Being open and alert to a need for further investigation or other action. Responsibilities (Ref: Para. 20–21, 28(d)) A32. The governance and leadership component includes a quality objective that the firm has an organizational structure and assignment of roles, responsibilities and authority that is appropriate to enable the design, implementation and operation of the firm’s system of quality management. A33. Notwithstanding the assignment of responsibilities related to the system of quality management in accordance with paragraph 20, the firm remains ultimately responsible for the system of quality management and holding individuals responsible and accountable for their assigned roles. For example, in accordance with paragraphs 53 and 54, although the firm assigns the evaluation of the system of quality management and conclusion thereon to the individual(s) assigned ultimate responsibility and accountability for the system of quality management, the firm is responsible for the evaluation and conclusion. A34. An individual(s) assigned responsibility for the matters in paragraph 20 is typically a partner of the firm so that they have appropriate influence and authority within the firm, as required by paragraph 21. However, based on the legal structure of the firm, there may be circumstances when an individual(s) may not be a partner of the firm but the individual(s) has the appropriate influence and authority within the firm to perform their assigned role because of formal arrangements made by the firm or the firm’s network. A35. How the firm assigns roles, responsibilities and authority within the firm may vary and law or regulation may impose certain requirements for the firm that affect the leadership and management structure or their assigned responsibilities. An individual(s) assigned responsibility for a matter(s) in paragraph 20 may further assign roles, procedures, tasks or actions to other individuals to assist them in fulfilling their responsibilities. However, an individual(s) assigned responsibility for a matter(s) in paragraph 20 remains responsible and accountable for the responsibilities assigned to them. Scalability example to demonstrate how assigning roles and responsibilities may be undertaken In a less complex firm, ultimate responsibility and accountability for the system of quality management may be assigned to a single managing partner with sole responsibility for the oversight of the firm. This individual may also assume responsibility for all aspects of the system of quality management, including operational responsibility for the system of quality management, compliance with independence requirements and the monitoring and remediation process. In a more complex firm, there may be multiple levels of leadership that reflect the organizational structure of the firm, and the firm may have an independent governing body that has non-executive oversight of the firm, which may comprise external individuals. Furthermore, the firm may assign operational responsibility for specific aspects of the system of quality management beyond those specified in paragraph 20(c), such as operational Page 27 of 73 ISQM 1 responsibility for compliance with ethical requirements or operational responsibility for managing a service line. A36. Compliance with independence requirements is essential to the performance of audits, or reviews of financial statements, or other assurance engagements, and is an expectation of stakeholders relying on the firm’s reports. The individual(s) assigned operational responsibility for compliance with independence requirements is ordinarily responsible for the oversight of all matters related to independence so that a robust and consistent approach is designed and implemented by the firm to deal with independence requirements. A37. Law, regulation or professional standards may establish additional requirements for an individual assigned responsibility for a matter(s) in paragraph 20, such as requirements for professional licensing, professional education or continuing professional development. A38. The appropriate experience and knowledge for the individual(s) assigned operational responsibility for the system of quality management ordinarily includes an understanding of the firm’s strategic decisions and actions and experience with the firm’s business operations. The Firm’s Risk Assessment Process (Ref: Para. 23) A39. How the firm designs the firm’s risk assessment process may be affected by the nature and circumstances of the firm, including how the firm is structured and organized. Scalability examples to demonstrate how the firm’s risk assessment process may differ In a less complex firm, the individual(s) assigned operational responsibility for the system of quality management may have a sufficient understanding of the firm and its engagements to undertake the risk assessment process. Furthermore, the documentation of the quality objectives, quality risks and responses may be less extensive than for a more complex firm (e.g., it may be documented in a single document). In a more complex firm, there may be a formal risk assessment process, involving multiple individuals and numerous activities. The process may be centralized (e.g., the quality objectives, quality risks and responses are established centrally for all business units, functions and service lines) or decentralized (e.g., the quality objectives, quality risks and responses are established at a business unit, function or service line level, with the outputs combined at the firm level). The firm’s network may also provide the firm with quality objectives, quality risks and responses to be included in the firm’s system of quality management. A40. The process of establishing quality objectives, identifying and assessing quality risks and designing and implementing responses is iterative, and the requirements of this ISQM are not intended to be addressed in a linear manner. For example: In identifying and assessing quality risks, the firm may determine that an additional quality objective(s) needs to be established. When designing and implementing responses, the firm may determine that a quality risk was not identified and assessed. Page 28 of 73 ISQM 1 A41. Information sources that enable the firm to establish quality objectives, identify and assess quality risks and design and implement responses form part of the firm’s information and communication component and include: The results of the firm’s monitoring and remediation process (see paragraphs 42 and A171). Information from the network or service providers, including: o Information about network requirements or network services (see paragraph 48); and o Other information from the network, including information about the results of monitoring activities undertaken by the network across the network firms (see paragraphs 50–51). Other information, both internal or external, may also be relevant to the firm’s risk assessment process, such as: Information regarding complaints and allegations about failures to perform work in accordance with professional standards and applicable legal and regulatory requirements, or non- compliance with the firm’s policies or procedures established in accordance with this ISQM. The results of external inspections. Information from regulators about the entities for whom the firm performs engagements which is made available to the firm, such as information from a securities regulator about an entity for whom the firm performs engagements (e.g., irregularities in the entity’s financial statements or non-compliance with securities regulation). Changes in the system of quality management that affect other aspects of the system, for example, changes in the firm’s resources. Other external sources, such as regulatory actions and litigation against the firm or other firms in the jurisdiction that may highlight areas for the firm to consider. Establish Quality Objectives (Ref: Para. 24) A42. Law, regulation or professional standards may establish requirements that give rise to additional quality objectives. For example, a firm may be required by law or regulation to appoint non-executive individuals to the firm’s governance structure and the firm considers it necessary to establish additional quality objectives to address the requirements. A43. The nature and circumstances of the firm and its engagements may be such that the firm may not find it necessary to establish additional quality objectives. A44. The firm may establish sub-objectives to enhance the firm’s identification and assessment of quality risks, and design and implementation of responses. Identify and Assess Quality Risks (Ref: Para. 25) A45. There may be other conditions, events, circumstances, actions or inactions not described in paragraph 25(a) that may adversely affect the achievement of a quality objective. A46. A risk arises from how, and the degree to which, a condition, event, circumstance, action or inaction may adversely affect the achievement of a quality objective. Not all risks meet the definition of a quality risk. Professional judgment assists the firm in determining whether a risk is a quality risk, which is based on the firm’s consideration of whether there is a reasonable possibility of the risk Page 29 of 73 ISQM 1 occurring, and individually, or in combination with other risks, adversely affecting the achievement of one or more quality objectives. Examples of the firm’s understanding of the Examples of quality risks that may arise conditions, events, circumstances, actions or inactions that may adversely affect the achievement of the quality objectives The strategic and operational In the context of governance and leadership, this decisions and actions, business may give rise to a number of quality risks such as: processes and business model of the Resources are allocated or assigned in a firm: The firm’s overall financial goals manner that prioritizes the services not within are overly dependent on the extent of the scope of this ISQM and may negatively services provided by the firm not affect the quality of engagements within the within the scope of this ISQM. scope of this ISQM. Decisions about financial and operational priorities do not fully or adequately consider the importance of quality in the performance of engagements within the scope of this ISQM. The characteristics and management In the context of governance and leadership, this style of leadership: The firm is a may give rise to a number of quality risks such as: smaller firm with a few engagement Leadership’s responsibilities and partners with shared authority. accountability for quality are not clearly defined and assigned. The actions and behaviors of leadership that do not promote quality are not questioned. The complexity and operating In the context of resources, this may give rise to a characteristics of the firm: The firm number of quality risks including: has recently completed a merger with Technological resources used by the two another firm. merged firms may be incompatible. Engagement teams may use intellectual resources developed by a firm prior to the merger, which are no longer consistent with the new methodology being used by the new merged firm. A47. Given the evolving nature of the system of quality management, the responses designed and implemented by the firm may give rise to conditions, events, circumstances, actions or inactions that result in further quality risks. For example, the firm may implement a resource (e.g., a technological resource) to address a quality risk, and quality risks may arise from the use of such resource. Page 30 of 73 ISQM 1 A48. The degree to which a risk, individually, or in combination with other risks may adversely affect the achievement of a quality objective(s) may vary based on the conditions, events, circumstances, actions or inactions giving rise to the risk, taking into account, for example: How the condition, event, circumstance, action or inaction would affect the achievement of the quality objective. How frequently the condition, event, circumstance, action or inaction is expected to occur. How long it would take after the condition, event, circumstance, action or inaction occurred for