Getting ready for the new quality management standard CSQM1
CSQM 1 is written in such a way that it can be adopted by a firm of any size—even as small as one or two partners (Getty Images / Pekic)
Firms that are currently applying the Canadian Standard on Quality Control (CSQC) 1 likely have December 15, 2022 marked prominently on their calendar. That’s because it is the effective date for Canadian Standard on Quality Management (CSQM) 1. This means firms will need to have implemented their risk-based system of quality management for audits or reviews of financial statements or other assurance engagements by that date. (The effective date for CSQM 1 for other related services engagements is deferred by one year to December 15, 2023.)
The Auditing and Assurance Standards Board (AASB) has approved three quality management standards. CSQM 1 applies broadly to all firms that perform audits or reviews or other assurance engagements as well as related services engagements. CSQM 2 applies when an engagement quality review is required and Canadian Auditing Standard (CAS) 220 sets out specific responsibilities of the auditor for quality management at the engagement level for an audit of financial statements.
Given that CSQM 1 deals with the overall objectives and establishment of a system of quality management, it’s important to understand the principles behind it. Here are some important facts about this new standard.
WHAT’S DIFFERENT ABOUT CSQM 1?
The most significant change with the new standard is the adoption of a risk-based approach. In designing a system of quality management (SOQM), firms must use a risk-assessment process that is tailored to the firm’s nature and circumstances, as well as the engagements it performs (e.g., establishing quality objectives; identifying and assessing risks to achieving those objectives; designing and implementing policies or procedures; and monitoring).
“It’s a significant transformational move to quality management versus quality control,” says Bob Bosshard, CPA, chair of the AASB and retired partner in the audit and assurance group at PwC Canada. “Quality control focuses on what has been accomplished by practitioners in the execution of their audits. The starting point for the new standard is very much around the practitioner and ecosystem in which they operate. Now, they must look at their human resources, technology and other resources as key components in the execution of a quality audit.”
In a rapidly evolving and complex world, the need for a new standard became increasingly apparent, says Mark Lam, CPA, director, technical assurance and accounting (A&A) training and quality assurance reviews, national risk management at BDO Canada. “Business news has recurring stories on fraud, collusion and accounting firms falling under scrutiny. This quality management standard governs how we operate as an accounting firm. It makes us look at things that are not second nature to accounting and speak to other departments to see how they are managed. The standards provide a lot more guidance on risk assessment, monitoring and remediation.”
For the most part, firms such as BDO Canada that had previously implemented CSQC 1 have already established a system of quality control they can leverage to meet the new standards. “We already have a lot of quality control processes and controls in place,” says Lam. “The minute we got hold of that standard, we started the mapping process to identify any gaps and what areas require more attention or redesign, so we could focus our efforts accordingly.”
SCALE YOUR PROCESSES
Quality control was fairly formulaic and mechanical in that it set out standard policies and procedures that all firms had to establish regardless of the firm’s size and the type of engagements performed. But application of the new standard, CSQM 1, is very different in that it can be tailored to the size, nature and circumstances of a firm and its engagements.
“The beauty of the standard [CSQM 1] is that it is written in a way that it can be adopted by a firm of any size—even as small as one or two partners,” says Lam. “It tells you to scope in what risks are relevant to your organization. As long as you do a proper risk assessment, it’s entirely scalable.”
Bosshard adds that, if an area is not relevant, small practitioners don’t need to spend much time on it. “The documentation required is relatively straightforward. In some cases, they may be able to capture the system of quality management in a page or two, if they have considered the risks of their practices, their clients, where they operate and if they understand their people and their competencies.”
While risk profiles for smaller firms may be easier to understand, Bosshard points out that the dynamics of management and audit processes will be a bit different for larger firms. However, they will need to be guided by the same framework and standards. “Any shortcomings will require a root-cause analysis to understand the reasons and should drive practice modifications required around a particular function or project.”
MONITOR AND RESPOND
Another unique aspect about CSQM 1 is that the SOQM is a living framework. “The SOQM is subject to periodic review with changes made when required,” says Bosshard. “Twelve months or two years later it may look very different than the system implemented on day one.”
This isn’t something where you can block off a Friday and get it done, cautions Lam. “It’s a very involved process that requires dialogue with others and a lot of focus. We have an internal inspection program that was in place even before the new standard was announced. I have heard that some smaller firms have banded together to run inspection programs on each other or are turning to consultants to help them do this type of work, with the understanding the firm retains full responsibility for the SOQM.”
Bosshard notes that organizations need to pay particular attention to the technology resources required. “Technology has an additional role in the execution of a quality audit. You have to ensure that the technology you have is fit for purpose. While those [firms] on the smaller end of the spectrum may have limited use of technology, they will at least be required to understand its functionality.”
Moving forward, Bosshard says the SOQM will evolve over time as a practice develops and people become more familiar with the requirements of the standard. “Because it is a living process, it would be appropriate to periodically revisit your SOQM in early days to make sure the practice is comfortable with what you have captured. Evaluate what you think you may have overlooked and make sure you address it.”
Lam sees the new quality management standards as a positive for the industry. “It’s not forcing us to change but encouraging us to get better and help protect our profession over the longer term.”
QUALITY MANAGEMENT: A CONTINUOUS PROCESS
To support implementation of the new standards, CPA Canada has developed a quality management resources page where you will find an overview, a series of practitioner's alerts and audit and assurance alerts, including an alert on moving from quality control to quality management. You’ll also find blog articles, an implementation tool and webinars.
Links to implementation support resources developed by the International Auditing and Assurance Standards Board (IAASB) are also included on the quality management resource page.