Quality Control Measures In An Audit Practice

Practice What You Preach!


It is universally agreed that the audit profession has reached pinnacle heights in enforcing professional standards, Code of Ethics, Regulatory Visits, etc., all in a frenzied attempt to protect the public interest. At the forefront comes a standard which defines the audit firm-level quality control elements, International Standard on Quality Control (ISQC 1). It is not clear why standard-setters suffixed ISQC with number 1. Presumably, there are more quality standards in the pipeline. But what is all this hype about this standard? Why are standard-setters dedicating more and more resources to audit quality?


In the aftermath of the financial crisis, the environment within which audit firms operate underwent significant transformation, and the focus on quality intensified markedly. A practical way of addressing a firm’s quality control system is to benchmark it against a typical internal control system, wherein the key elements identified in ‘ISA 315 – Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment’ can be replicated at the audit firm level. The internal control components, encompassing control environment, risk assessment, information systems, control activities and monitoring, are cornerstones for the effective management of any entity. So much so that auditors carry out audit procedures designed to help them understand how their client operates, the key business risks and whether reliance could be placed on the internal control system. Auditors should therefore be ready to practice what they preach and apply the recommendations they make to clients to their own internal procedures.

Rules for achieving quality control at firm level

The following table maps the quality control elements outlined in ISQC 1 and ISA 220 to the five internal control components contained in ISA 315, which are applicable to entities being audited.

| Internal Control Elements (ISA 315) | Firm-Level QC Elements (ISQC 1) | Engagement Level QC Elements (ISA 220) |
|---|---|---|
| Control Environment (Tone at the Top) | Leadership Responsibilities for quality within the firm; Relevant ethical requirements; Human resources | Leadership Responsibilities for quality on audit; Relevant ethical requirements; Assignment of engagement teams |
| Risk Assessment (What Could Go Wrong?) | Acceptance and continuance of client relationships and specific engagements | Acceptance and continuance of client relationships and audit engagements; Risks that the report might not be appropriate in the circumstances |
| Information Systems (Tracking performance) | Quality control system documentation | Audit documentation |
| Control Activities (Prevent & detect/correct controls) | Engagement performance | Engagement performance |
| Monitoring (Are the firm’s/engagement’s objectives being met?) | Ongoing monitoring of the firm’s quality control policies and procedures | Applying results of ongoing monitoring to specific audit engagements |

Table 1 – Quality control elements 1

Control Environment (Tone at the Top)

1. Leading by example… relentlessly without fail

When carrying out audit procedures, auditors often note that the people managing the company may not necessarily be the same people indicated on the memorandum and articles of association. A father may be the shareholder and director of the company but his eldest son is administering the business on a day-to-day basis. Unfortunately, this eldest son’s behaviour goes haywire, putting the father’s own business into disrepute… and who is to blame? The father of course!

On parallel grounds, in an audit firm structure, one would expect to find that all staff employed by the firm are aware of the person/s leading the firm. But are members and staff, including subcontractors, aware of the internal structure of the audit firm? Oddly enough, people at lower levels of the firm’s hierarchy get so absorbed in the internal processes of the firm that there is limited time, if any, to get the bigger picture of the audit practice. And this is risky! If this is not addressed immediately, the audit firm may find itself in a great deal of trouble. What if an audit junior becomes aware of an anti-money laundering issue and does not communicate it to the person in charge? Leadership responsibilities should be clearly assigned and communicated, identifying the person/s responsible for compliance, audit engagement, human resource elements and independence considerations, among others.


Figure 1 – Leadership Responsibility Pyramid 2

Everyone knows that a critical part of any audit practice, irrespective of its size, is communication. Every employee should clearly understand the vision and values that represent the audit firm. This includes critical engagements carried out, direction, and goals. If these are deeply embedded in the company culture, employees will use them to make smart business decisions – to the benefit of all!

2. Professional and ethical stature

Failure is human. Big, mid-tier and small firms alike can fail. But failing one’s professional and ethical test is grave and has a profound and devastating effect that may cause irreparable and irreversible damage not only to the persons involved but also to the audit practice, network firm and the whole profession.

Failing your professional and ethical test = disrepute to your name = disrepute to your audit practice = disrepute to audit practice network = disrepute to audit profession = lack of trust by the general public.

3. Treating employees as you would like them to treat you

Employees are the cornerstone of all business activity and can therefore make or break an organisation. This is further accentuated in an employee-oriented organisation, such as an audit firm. The success of each business venture is closely intertwined with the competence, experience and work-life balance of the staff, albeit the latter attribute is very often lacking!

A quality audit is dependent not only on attracting qualified staff but also on retaining competent people. Staff are recruited because they are experts in the field. Consequently, they should be encouraged to voice their opinions and lead projects that may occasionally be outside their comfort zone. Accountability provides an incentive, giving an opportunity to otherwise timid employees. Fair performance appraisals giving due recognition and reward to hard-working and committed staff are indispensable. Retention of staff also involves adequate training. CPE should not be viewed as an obligation, but should focus on the needs of the individual as well as the firm. Last but not least, an individual’s right to an adequate work-life balance should be respected.


Figure 2 – Recruitment and retention principles 3

Risk Assessment (What could go wrong?)

4. Client selection.

In a continual drive to consolidate one’s financial standing amid such market havoc, one may get associated with the wrong clients. Let us for a moment put aside the auditor’s independence and focus on the client’s integrity. Who would like to issue an opinion that the financial statements are free from fraud and error, if the person or persons behind this company have a criminal track record? There are a number of indicators that the client may lack integrity. Here are some examples as extracted from Chartered Accountants, Australia and New Zealand 4:

  • Frequent changes of auditors can mean an organisation is opinion shopping.

  • Poor financial history such as a failed business or bankruptcy points to a person who might like to take too big a risk.

  • Work and business track record. One would watch out for frequent changes in address or employment.

  • Overly litigious as a plaintiff or defendant signals a party who is not afraid to sue and who presents a risk of non-payment or who may not honour their agreements.

  • High management turnover can indicate a lack of internal stability.

  • Short operating history – where were the management team before they were at the current organisation?

  • Foreign operations/plants – complex business structures may be concealing something.

  • Reluctance to provide references – if they are reluctant to disclose information now, how will they be once they are a client?

  • Pressure to start work quickly can be a sign that the clients do not want you looking into their background.

  • Regulatory actions indicate a poor internal control environment where management ignores internal controls.

Another important consideration, sometimes overlooked at the engagement stage, is whether the practice has the necessary technical expertise and sufficient resources (including time and access to experts) to carry out the engagement. The tendency is that some auditors think that they are competent in all areas. Statutory audits of gaming companies, public interest entities, banks, insurance companies or listed entities should be carried out only if the auditor possesses the necessary skills.

The process of handling audit client acceptance and continuance should provide the audit practice with information to judge whether the potential client meets or exceeds the necessary standards of integrity and whether the auditor has the capacity to perform a quality audit.

Figure 3 – Recruitment and retention principles 5

Following this ‘a priori’ exercise based on deduction, pure reason and definitely supported by due diligence evidence, auditors are likewise required to carry out an ‘a posteriori’ exercise on recurring audit engagements to ensure that clients are still acceptable.

Information Systems (Tracking Performance)

5. Document… and document… and document… wisely

Can one imagine going to a hospital and finding that his personal health file does not include recent X-rays? MRI tests? Blood tests? Medical History? Or even worse, includes medical records of another patient? This is clearly unacceptable.

Similarly, most firms have well-developed information systems for keeping track of clients, time and billing, expenditures, staff, and engagement file management. However, information systems that track the quality of work produced and quality control compliance are often not as well developed. The firm should maintain a practice manual which includes policies and procedures tailored to suit its requirements. Audit firms should have adequate documentation of matters such as independence confirmations, performance evaluations and the results of monitoring inspections. Additionally, and perhaps most importantly, once the established policies and procedures are enshrined in the audit practice’s ‘Book of Books’, these need to be communicated to all members and staff and implemented at the audit practice.

Control Activities (Prevent and Detect/Correct Controls)

6. Implement consistent methodologies in your audit engagements

Imagine a factory producing sports cars. Supervisors, line managers, technicians and engineers are all involved in the assembly of the product. The critical part throughout this entire process is that the scheduling, works, operations, supervision, testing and other procedures all work in harmony. At a later stage one also expects to find the Quality Control Department, whose remit is to test whether the car conforms to the required standards. The same applies to an audit engagement.

| Assembly line | Audit engagement |
|---|---|
| Supervisors | Supervisors |
| Line manager | Engagement partner review |
| Technicians / engineers | Specialists |
| Quality control | Engagement quality control reviews |

Table 2 – The assembly line analogy to quality control in an audit firm

Every audit practice can achieve this by establishing its own modus operandi, often accomplished through written or electronic manuals, software tools or other forms of standardised documentation, and industry- or subject matter-specific guidance materials. An important prerequisite is supervision, ensuring that a person is being monitored and coached adequately. Furthermore, if specialised financial reporting or auditing knowledge is required, the auditor should refer to specialist technical assistance.

Then comes the fire test! The Engagement Quality Control Review (EQCR) is mandatory for all public interest entities and for other ‘high-risk’ engagements, where an audit opinion should not be issued unless both the EQCR reviewer and the engagement partner are in agreement.

Monitoring (Are the firm’s/engagement’s objectives being met?)

7. Assess and improve on your methodology

Audit quality is a journey, not a destination. There is no such thing as 100% quality assured. Issues may arise on what is considered to be 100% foolproof today.

In an attempt to take cognisance of the different firm sizes, in February 2011, the Quality Assurance Oversight Committee issued its own interpretation on the frequency and appointment of the reviewers. And this is a minimum requirement.

Summary: Audit Compliance Review

| Practice type | | Whole Practice Review | Cold File Review |
|---|---|---|---|
| Sole practitioner with no audit staff | Frequency | Once every 3 years (minimum) | Once every 3 years (minimum) |
| | Reviewer | Internal or External | External (not EQCR reviewer) |
| Sole practitioner with audit staff | Frequency | Annually | Once every 3 years (minimum) |
| | Reviewer | Internal or External | Internal or external (reviewer not involved on audit/EQCR) |
| Firm with no audit staff | Frequency | Annually | Annually (each partner once every 3 years – minimum) |
| | Reviewer | Internal or External | Internal or external (reviewer not involved on audit/EQCR) |
| Firm with audit staff | Frequency | Annually | Annually (each partner once every 3 years – minimum) |
| | Reviewer | Internal or External | Internal or external (reviewer not involved on audit/EQCR) |

Table 3 – Review frequency 6

An Audit Compliance Review is divided into two major parts.

  1. Whole firm matters as per the ISQC 1 Manual of Policies and Procedures, including professional indemnity, staff appraisals, the level of CPE hours attended by members and staff, whether reviews are being carried out, etc.
  2. Gap identification between the professional requirements (ISAs and applicable financial reporting framework) and what is documented in the audit file. Issues that may arise relate to the soundness of financial statement presentation and disclosures, appropriateness of judgements made, documentation of audit procedures carried out, whether the risk assessment is sufficiently documented to identify audit and business risks, etc.

Carrying out reviews and identifying issues is only the first step of monitoring. The second step is to learn from these mistakes and not repeat them in future audits! The process of filling in the gaps and updating one’s policies and procedures to align further with ISA requirements is a never-ending task.


The similarities that exist between ISQC 1, complemented by ISA 220, addressing quality at the engagement level, and suitable internal controls (ISA 315) are endless. Internal controls play an integral role in the success of any type of organisation. ISQC 1 and ISA 220 provide the foundation for an effective system of quality control and are therefore an essential prerequisite for successfully managing the firm. In other words, ISQC 1 and ISA 220 challenge us to practice what we preach!


  • 1 SMP ISA Audit Guide Volume 1, Small-and Medium-Sized Practices, Small and Medium Practices Committee of the International Federation of Accountants (IFAC), page 24
  • 2 Guide to Quality Control for Small-and Medium-Sized Practices, Small and Medium Practices Committee of the International Federation of Accountants (IFAC), page 7
  • 3 Guide to Quality Control for Small-and Medium-Sized Practices, Small and Medium Practices Committee of the International Federation of Accountants (IFAC), page 28
  • 4 Source: http://www.nzica.com/News/Archive/2014/April/Client-acceptance-and-continuance.aspx
  • 5 Guide to Quality Control for Small-and Medium-Sized Practices, Small and Medium Practices Committee of the International Federation of Accountants (IFAC), page 21
  • 6 Guidance Note on Compliance Reviews under ‘Clarified’ ISQC 1, Quality Assurance Oversight Committee.