Preparing for the new quality management standards: CSQM 1 risk responses
In part three of a four-part series, Kirsten S. Albo of ASK KSA Consulting Inc. explores the design and implementation of risk responses
CSQM 1 applies to all firms — regardless of their size or the engagements they perform, writes Kirsten S. Albo, FCPA, FCA, president of ASK KSA Consulting Inc.
THERE are three steps to the risk assessment process outlined in CSQM 1. The first step is establishing quality objectives, followed by the second step, identifying and assessing quality risks. These steps were addressed in the second article in this four-part series on the new suite of quality management standards  recently approved by the Auditing and Assurance Standards Board (AASB).
The third step is designing and implementing responses to identified quality risks. For Canadian accountants working in public practice, CSQM 1 risk responses will be crucial to your compliance with the new standards. This article, the third in the four-part series, includes examples that will help support accounting firms both large and small.
It is the assessment of quality risks that provides the basis for the design and implementation of responses. That is, what are the policies and procedures needed at your accounting firm to address one or more of the quality risks?
This step is much more than updating your current quality manual, if you have one. For those firms that perform audits and reviews, you should have an existing manual outlining quality policies and procedures. However, as the new Canadian quality management standards now apply to other related services, this will be new to the practitioners who only perform compilation engagements and most likely do not have a formal quality manual.
You will need one.
Unlike the quality objectives stipulated in the standard, there are very few specified responses. Rather, it is up to the firm to identify the appropriate responses to the quality risk. This is where the nature and circumstances of the firm and the engagement it performs comes to the forefront in the risk assessment process. A firm that only performs compilation engagements will have significantly different responses than a firm that performs audit engagements.
As outlined in the second article of this series, quality objectives are required for each of the following components:
- Governance and leadership
- Relevant ethical requirements
- Acceptance and continuance
- Engagement performance
- Information and communication
Responses to quality objectives are required but only for those objectives which have an associated quality risk. This highlights why steps one and two of the risk assessment process are critical. You want to develop and implement the right responses, but you don’t want to do too much work or develop inappropriate responses.
Where a quality risk has been identified, a response is required. Designing and implementing policies and procedures will depend on the nature and circumstances of the firm and its engagements.
Based on my experience with assisting firms working through CSQM 1, quality risks will result in each of the six components identified above but not necessarily for every objective within the component. The effort arises from designing the appropriate response based on the circumstances of your firm.
In certain cases, existing policies and procedures may be adequate but in other cases more robust policies and procedures may be required. Or, in other cases, a policy or procedure may not be required because no quality risk has been identified.
Let’s walk through an example. One of the components is resources. Quality objectives are required related to hiring, developing and retaining personnel. For firms with staff, a quality objective and assessed risk is developing staff competence.
Competence is the ability of an individual to perform a role and goes beyond technical knowledge; it is the integration and application of that technical knowledge along with their professional ethics, values and attitudes. Competence can be developed through a variety of methods and will depend on the nature of your firm. If you are a small firm, the policy related to developing personnel may be as simple as on-the-job training and feedback and review of working papers. In a larger firm, the policy may require a senior staff member always reviews the work of a junior, and formal training programs are provided as staff move through each level.
Other examples of policies and procedures related to hiring, developing and retaining personnel that can vary depending on the nature of your firm may include your firm’s recruiting process; the use of internal or external training programs; and the timing of providing feedback as an evaluation mechanism.
The information and communication component is another area of how a response may vary from firm to firm. In a less complex firm with fewer personnel and direct interaction between staff and leadership, informal communication may be adequate. However, in a large firm with many partners and staff, formal policies and procedures may be required that specify how information should be identified, captured, processed and maintained.
Communication of the new standards and related changes in policies and procedures is the perfect example. How are these changes going to be communicated within your firm?
As you consider what is required in developing your firm’s policies and procedures you will want to take into consideration ethical requirements as outlined in the Professional Code of Conduct. In some cases, a firm may want to include matters in their system of quality management that are more specific than the code of conduct. For example, the firm may prohibit the acceptance of gifts and hospitality from a client, even if the value is trivial and inconsequential.
While the majority of risk responses are left up to the professional judgment of the firm, there are certain responses specified by the standard.
In our profession, it is critical we follow ethical requirements and ensure that practitioners are independent where necessary. A process for identifying, evaluating and addressing threats is required. In addition, a firm must obtain an annual confirmation of compliance with independence from all personnel.
Other specified responses include a policies and procedures for receiving, investigating and resolving complaints and allegations, addressing engagement quality reviews in accordance with CSQM 2 and communicating with Those Charged with Governance (TCWG).
Finally, specified responses are required to address circumstances when the firm becomes aware of information subsequent to accepting or continuing a client relationship that would have caused it to decline the engagement had the information been known prior to accepting or continuing the client relationship.
Conclusion and Next Steps
Designing the responses that are right for your firm is critical. Quality is of utmost importance in all engagements. There is a balance between being effective (having the right responses in place) and being efficient (not doing too much). Developing policies and procedures will take time to develop. The time to start is now.
A good place to start will be to use the tracking sheet you started when setting quality objectives and identifying and assessing risks. Now add a column for your firm’s risk responses. This information can then be used as the basis for drafting required policies and procedures for your firm’s system of quality management. Remember, the design and implementation of the system of quality management is to be completed by December 15, 2022, with the operation of the system to follow after this date.
The evaluation of the system of quality management is stipulated in the monitoring and remediating component of the standard. This will be covered in the last article of this series. Stay tuned.
Read all four articles in this four-part series:
Part One: Preparing for the new quality management standards: An overview for Canadian practitioners
Part Two: Preparing for the new quality management standards: CSQM 1 quality objectives and quality risks
Part Three: Preparing for the new quality management standards: CSQM 1 risk responses
Part Four: Preparing for the new quality management standards: CSQM 1 system evaluation and monitoring
Want more information on the new standards? Sign up for Overview of the New Canadian Quality Management Standards, a free professional development session from Kirsten through ASK KSA PD. Click here to view all professional development courses for Canadian accounting firms from ASK KSA PD.
Quality Management Standards
1. Specifically, the suite of Quality Management Standards is comprised of Canadian Standard on Quality Management (CSQM) 1, Quality Management for Firms that Perform Audits or Reviews of Financial Statements, Other Assurance or Related Services Engagements; CSQM 2, Engagement Quality Reviews; and CAS 220, Quality Management for an Audit of Financial Statements. These standards replace Canadian Standard of Quality Control (CSQC) 1, Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance Engagements.
Kirsten S. Albo, FCPA, FCA is the president of ASK KSA Consulting Inc., which helps SMPs save time and achieve peace of mind through consulting and advisory services related to conducting effective and efficient engagements and meeting the requirements of being in public practice.