Preparing for the new quality management standards: CSQM 1 quality objectives and quality risks
In part two of a four-part series, Kirsten S. Albo of ASK KSA Consulting looks at CSQM 1 and its quality management process for all firms, regardless of size
CSQM 1 applies to all firms — regardless of their size or the engagements they perform, writes Kirsten S. Albo, FCPA, FCA, president of ASK KSA Consulting Inc.
As I wrote in the first article of this four-part series, this is a critical time in the Canadian accounting profession for chartered professional accountants in public practice. Whether you’re a sole practitioner or a partner in a mid-sized firm, you will be challenged by the new suite of quality management standards recently approved by the Auditing and Assurance Standards Board (AASB).
These standards strengthen the overall proficiency of firms in public practice and the engagements they perform by promoting a robust, proactive and scalable approach to quality management. Preparing for their implementation should be a priority for Canadian accountants, as some of the new standards are effective December 15, 2022.
CSQM 1 sets out three steps to the risk assessment process. The first step is establishing quality objectives, followed by identifying and assessing quality risks, which provide the basis for the design and implementation of responses, the final step. In this, the second article of the series, I will focus on the first two steps of the risk assessment process.
As you undertake the risk assessment process, ensure you have appointed the individual in your firm who has the ultimate authority for the system of quality management along with the individual who has operational responsibility. These individuals should have the appropriate experience, knowledge and influence to fulfil these roles. In a small firm, this could be the same person whereas, in a large firm, the roles may be split.
The first step in the risk assessment process is establishing the quality objectives to be achieved, that is, the desired outcomes in your system of quality management. The quality objectives to be achieved are specified in CSQM 1; therefore, the first part of this step is not overly complex.
The quality objectives cover the following six components of the standard.
Governance and leadership. These establish the firm environment and its commitment to quality through its culture and actions of leaders. A strong culture can be demonstrated through professional manner, teamwork and continuous improvement.
Relevant ethical requirements. These relate to relevant ethical requirements to which the firm and its engagements are subject. The fundamental principles of ethics set out in the Professional Code of Conduct establish the standard of behaviour expected by firms and practitioners, including rules addressing independence.
Acceptance and continuance. These address judgments made by the firm about whether to accept or continue with a client and are based on such things as the complexity and organizational structure of a client. A firm must also ensure it can perform the engagement. For example, it would be challenging for a sole practitioner who typically audits not-for-profit entities to accept a client who reports under IFRS.
Engagement performance. These establish the overarching requirements of performing quality engagements. For example, in all cases, engagement teams must understand and fulfill their responsibilities and exercise appropriate professional judgment. These objectives also relate to supervision and review of work performed — a different level of involvement is required with a new staff member versus an experienced one.
Resources. Resources include human resources along with technological and intellectual resources. Human resources are the staff you work with, technological resources are the systems you employ, and the intellectual resources are the tools you use, such as a methodology, to conduct engagements. Quality objectives detail the appropriate use of all three.
Information and communication. Whether information is communicated within the firm or with external parties, it should be relevant, reliable and timely. In a firm with fewer personnel and direct involvement of leadership, there may not be the need for formal communication policies.
The quality objectives specified in CSQM 1 are required for all firms and all engagements, unless clearly not applicable. For example, if you are a sole practitioner, you do not need quality objectives related to the direction and supervision of staff. If you are not part of a network of firms, you do not need quality objectives related to information and communication within the network.
The final question to address in this step is whether, based on the nature and circumstances of your firm, any additional quality objectives are required in your system of quality management. In a less complex firm, additional quality objectives would not be expected.
Identify and Assess Risk
The second step in the risk assessment process is to identify and assess the risks to achieving the quality objective; that is, what are the quality risks in your firm? The definition of a quality risk is a risk “that has a reasonable possibility of occurring.”
In identifying a quality risk, think about the conditions, events, circumstances, actions or inaction that may have an adverse impact on your firm’s ability to achieve its quality objectives. Take, for example, a quality objective related to governance and leadership: the firm recognizes and reinforces the importance of quality in the firm’s strategic decisions and actions. However, the firm may also have incentives that are focused on financial and operational priorities, which may discourage behaviours that demonstrate a commitment to quality, resulting in a quality risk.
In working through this step of the process, think about the complexity and operating characteristics of your firm. Are there only two partners who make decisions together or are there many partners led by a managing partner? Another factor to consider is the strategic and operational decisions of the firm. Is the firm in growth mode and aggressively looking for new clients and staff, or maintaining the status quo? The responses to these questions will help determine whether a quality risk exists.
In certain cases, due to the nature of your firm, a quality risk may not exist. For example, a quality objective related to information and communication is that relevant and reliable information is exchanged throughout the firm and with engagement teams. If you operate a very small firm, with only two staff members, there is most likely ongoing communication and, due to this frequent, albeit informal, process, a quality risk does not exist.
In determining quality risks, you must also consider the types of engagements you perform, your clients and the industries in which they operate. Quality risks may arise from the nature of your clients.
The risk assessment process is not linear but rather iterative in nature. When identifying and assessing risk, a firm may determine an additional quality objective needs to be established; or, when designing and implementing responses, the firm may determine a quality risk was not identified and assessed. This will be an ongoing process, especially as you work through implementing the requirements of the standard.
Conclusion and Next Steps
CSQM 1 applies to all firms — regardless of their size or the engagements they perform. Even if you only perform compilation engagements, you must establish quality objectives and identify and assess quality risks. However, the standard does focus on scalability throughout the risk assessment process. The nature and circumstances of a firm, the engagements it performs, and resulting quality objectives and risks will be unique in each circumstance.
For example, one simple document may be adequate to document quality objectives, quality risks and responses, whereas a large firm with many partners may require a more formal and complex manual.
There are several approaches to establishing quality objectives and assessing risks. One simple idea is to start a tracking spreadsheet. List the quality objectives specified in the standard, describe factors related to the nature and circumstances of your firm, identify any risks and assess whether this ultimately leads to a quality risk. Any quality risks that are identified are the basis for designing and implementing risk responses. This topic will be covered in the next article, so stay tuned. The final article in this series will detail the evaluation of the system of quality management.
Read all four articles in this four-part series:
Part One: Preparing for the new quality management standards: An overview for Canadian practitioners
Part Two: Preparing for the new quality management standards: CSQM 1 quality objectives and quality risks
Part Three: Preparing for the new quality management standards: CSQM 1 risk responses
Part Four: Preparing for the new quality management standards: CSQM 1 system evaluation and monitoring
Quality Management Standards
1. Specifically, the suite of Quality Management Standards is comprised of Canadian Standard on Quality Management (CSQM) 1, Quality Management for Firms that Perform Audits or Reviews of Financial Statements, Other Assurance or Related Services Engagements; CSQM 2, Engagement Quality Reviews; and CAS 220, Quality Management for an Audit of Financial Statements. These standards replace Canadian Standard of Quality Control (CSQC) 1, Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance Engagements.
Kirsten S. Albo, FCPA, FCA is the president of ASK KSA Consulting Inc., which helps SMPs save time and achieve peace of mind through consulting and advisory services related to conducting effective and efficient engagements and meeting the requirements of being in public practice.