The shape and size of audit firms vary and similar roles within a practice have different names. The term ‘management team’ refers to those ultimately responsible for the quality and profitability of all the practice’s audit work. This contrasts with the ‘responsible individual’ accountable to the management team for the quality and profitability of a particular assignment.
Internal monitoring requirements cause difficulties for many practitioners because they fail to recognise it as quality assurance and cannot understand what they have to do. There is a mistaken belief that concern for the quality of outputs is something new. This could not be further from the truth.
Records indicate this was an essential feature of the trade guilds in 16th century London. A well-known example, continued to this day, is the hallmarking of gold and silver to indicate the purity of the materials.
SAS 240.1 states that ‘quality control policies and procedures should be implemented both at the level of the audit firm and on individual audits’.
Regarding ‘the level of the audit firm’, ensuring quality control regulations are met is the responsibility of audit practice management.
Audit Regulation (AR) 3.14 requires a practice, at least annually, to monitor how effectively it is complying with the rules. This is also a practice management responsibility but it is wider than SAS 240.1 because it includes competence and continued eligibility for registration.
Sound practice
The requirement to meet quality standards is not an unnecessary imposition but a recognition of sound business practice. It is critical in managing the client to match the quality of service provided with the client’s perception of added value. This makes it necessary to review each assignment in order to verify that the work has been carried out in accordance with the specification and that the final opinion is appropriate and soundly based.
However, an audit practice does not consist of just one client. Periodically, practitioners need to sit back and review the whole audit practice to ascertain that audit assignments will be completed according to specification and add value to the practice.
This review is a form of risk assessment – something with which auditors should be familiar. The risk AR 3.14 highlights is non-compliance with the regulations which, to use a previous analogy, would be the risk of losing the right to use the hallmark ‘registered auditor’.
Many practices have developed quality control procedures across the whole range of practice services and these form part of overall practice management.
Firms have gone down this route because they have realised that quality assurance assists in making profits and in retaining both clients and the human resources necessary to service those clients.
Compliance principal
AR 15 requires firms, other than sole practitioners, to appoint an ‘audit compliance principal’. This person has a wide-ranging role because of all the factors that can adversely affect the quality of audit work. The audit compliance principal’s sphere of responsibility extends beyond the audit work of ‘responsible individuals’ to the internal services provided to the auditors – technical, human resources and administrative.
The selection of the best person to be compliance principal may depend on the definition of the role. Additional competences will be required if that person is not only to be responsible for discovering a problem but also for ensuring the solution abides by the ‘continue to comply’ requirement of AR 15(a). I believe the appointee should:
be a member of the management team so that compliance implications are considered in formulating policy;
have sufficient natural authority to enable others to be persuaded to change their ways when necessary;
have current experience of being an active audit client partner so that suggested changes are practical and not theoretical;
have an understanding of, but not executive responsibility for, the support functions to be reviewed (for example, technical or human resources).
Under AR 3.15, accountability for annual internal monitoring remains with the sole practitioner or audit compliance principal even if some of the work is delegated to outsiders. While the monitoring review of client assignments can be performed by an outsider, it is difficult to believe that they can successfully carry out, for example, staff appraisals.
Some aspects have to be performed within the practice. In practical terms, the audit compliance principal is accountable to the management team which is itself accountable to the owners for overall control of the practice.
The main forms of control are similar whether used to manage the whole practice or a single assignment. The normal assignment controls and how they might apply to the practice are:
Planning. The practice needs to know where it is going or face being diverted by external events over which it has no control. There must be some broad policy goals to enable consistent decisions to be made;
Division of responsibilities. The practice needs to allocate work to people who will be accountable for that work to the management team;
Sectionalising the work. For assignment principals, each client would be the equivalent of a section that needed completion. This would be evidenced by the regular submission of final fee notes (rather than applications for payments on account);
Setting aims for each work section. Aims should be set by management so those charged with responsibilities know what is required of them and can check it has been achieved;
Using memory joggers. Detailed work schedules are inappropriate for the most senior people in a practice because of the varied and unpredictable nature of their work – it is impossible to pre-plan when a client will write or make a telephone enquiry. However, in ordinary life, most people make personal ‘to do’ lists to organise their priorities. Practices should use the same principle to ensure tasks are completed on time;
Review. The management team reviews the attainment of practice aims through the reports and the management data it receives (for example, clients gained, the quality control review, work-in-progress and debtor levels or profits on billing, the review of practice profitability).
Many cases of sub-standard work appear to be the result of poor management skills. Accountants are taught about business in their education and training but not ‘the art and craft’ of management. Some pick it up from observing their successful clients while others concentrate on being able to carry out the detailed professional work better than their subordinates. Management of a practice demands appropriate skills and proper attention if the practice is to be profitable and meet the aspirations of its owners.
When all the internal monitoring work has been completed and findings have been discussed with those responsible, a report should be prepared.
That report should be addressed to the management team and, as a minimum, contain: conclusions about compliance with the firm’s processes; SAS; audit regulations and ethical guidance; and a reassessment of risk with recommendations to overcome any actual or potential problems (and conversely that the cost of some existing controls outweigh the benefits).
Recommendations
Internal monitoring looks at how the practice is managing its audit work.
The report’s recommendations can address and affect every aspect of audit practice management, including profitability. The range of possible subjects for recommendations is almost limitless and could include:
changes in management style to reduce self-inflicted risk;
a redistribution of responsibilities;
a strengthened review prior to accepting an appointment or reappointment so planning takes specific risks into account;
the practice ceasing to act for certain clients;
additional controls to be built into the audit process;
improved procedures to assess the competence of individuals;
strengthened controls to ensure persons allocated to assignments have the necessary competences;
matters to be taken into account in the next appraisals of individual principals and/or staff;
changes to the contents of training programmes or switching to different course providers.
There are similarities between auditing and quality assurance. A benefit frequently stated for an external audit requirement is that the scrutiny of individuals’ work improves adherence to the company’s controls. If this is correct, it is effectively acting as their conscience and the same should be true of internal monitoring and quality control.
The risk-based auditing approach can also be applied to internal monitoring which seeks to ensure that the controls critical to maintaining quality, as laid down in theory, are actually observed in practice.
The responsibilities of the audit compliance principal are enormous.
The practice is relying on that person to prevent unnecessary risks being taken in the future. The function is an essential part of practice management and should be performed by someone with appropriate skills and experience.