The firm’s risk assessment process is new in ISQM 1 and is a key change from extant ISQC 1. The firm needs to follow a risk-based approach to quality management, in which the risk assessment process focuses on the areas below.

Establishing Quality Objectives
The firm shall establish the quality objectives set out by ISQM 1 and any additional quality objectives considered necessary by the firm that are relevant to its structure and circumstances to achieve the objectives of the system of quality management. Below are the quality objectives set out by ISQM 1.

The firm is not required to, but may choose to, establish sub-objectives to enhance the firm’s identification and assessment of quality risks and the design and implementation of responses.
Identify and assess quality risks
ISQM 1 defines a quality risk as follows:
- The risk has a reasonable possibility of occurring
- The risk has a reasonable possibility of individually, or in combination with other risks, adversely affecting the achievement of one or more quality objectives.
The firm exercises professional judgment in determining whether a risk meets the threshold set out in the definition of quality risks. Regardless of whether a firm has sub-objectives, the threshold for identifying quality risks is at the level of the quality objectives in ISQM 1. There may be circumstances when a risk has a reasonable possibility of adversely affecting the achievement of the sub-objective but does not have a reasonable possibility of adversely affecting the achievement of a quality objective, in which case the risk would not be considered a quality risk.
Below is the process for identifying and assessing quality risks set out by ISQM 1.

According to paragraph 25(a) of ISQM 1, the firm shall obtain an understanding of the conditions, events, circumstances, actions or inactions that may adversely affect the achievement of the quality objectives including:
- the complexity and operating characteristics of the firm;
- the strategic and operational decisions and actions, business processes and business model of the firm;
- the characteristics and management style of leadership;
- the resources of the firm, including the resources provided by service providers;
- law, regulation, professional standards and the environment in which the firm operates;
- the nature and extent of the network requirements and network services;
- the types of engagements performed by the firm and the reports to be issued; and
- the types of entities for which engagements are undertaken.
Design and implement responses
ISQM 1 requires the firm to design and implement responses that properly address the quality risks. A number of factors may be considered by the firm in designing the response, particularly as it relates to the nature, timing and extent of the response.
The relationship of responses
Responses may be related in a number of ways, including as follows:
- A response may address multiple quality risks across various components.
- A response may support another response in another component. This is particularly the case for responses related to resources and information and communication because these elements are often needed to support the operation of other responses.
Responses specified by ISQM 1
Paragraph 34 of ISQM 1 includes some specified responses that the firm is required to design and implement. The specified responses are not comprehensive and the firm is expected to design and implement responses in addition to those specified in the standard.
Scalability of responses
Smaller and less complex firms are likely to have different quality risks than larger and more complex firms. As such, the nature, timing and extent of the responses may differ given the circumstances of the firm.
Identify information indicating need for additions or modifications to the quality objectives, quality risks or responses
The quality objectives, quality risks or responses may need to change as a result of:
- Changes in the nature and circumstances of the firm or its engagements; or
- Remedial actions to address deficiencies in the firm’s system of quality management.
ISQM 1 does not prescribe how frequently a firm should re-evaluate its quality objectives, quality risks and responses, as these should be proactively modified as and when changes affecting the system of quality management occur or when deficiencies are identified.