Better quality audits
In teaching paper 6 The Audit Framework, quality control is sometimes one of the more difficult subjects to get over to students. It presupposes a fairly mature understanding of how audit firms really work and many students do not work in practice. I try to explain it like this: SAS 240 Quality Control requires that auditors comply with, amongst other things, Auditing Standards. Compliance with SAS 240 therefore means de facto compliance with all other Auditing Standards, and SAS 240 is therefore the most important Auditing Standard. Students generally accept this, but the discussion then turns to what actually goes on within audit practices. Some students simply cannot believe that audit firms pay any attention to Auditing Standards at all when profitability is at stake. As far as they are concerned, when audits go over-budget, Auditing Standards go out of the window. The fact that the existing SAS 240 says nothing about the problem only serves to reinforce that view. Sometimes I can persuade students that in reality, the issue is more complex, that most firms do make considerable efforts to comply with Auditing Standards, and that firms that operate with a complete disregard for them don’t last that long, but sometimes I can’t. This situation might be about to change.
Exposure draft
In January of this year, the Auditing Practices Board (APB) issued an Exposure Draft, SAS 240 Quality Control (Revised), and its single greatest strength is the fact that it recognises the inherent tension between commercial pressures on audit firms, and the demands of audit quality. It makes it crystal clear that commercial considerations should not take precedence over the quality of audit work and that audit firms do not compromise the demands of audit quality in the interests of financial success. It does not fudge the issue with the specious argument that is sometimes put forward to the effect that the goals of quality and profitability ultimately converge. The requirement is for audit firms to be structured such that audit quality takes precedence. This is an important development in an important Auditing Standard and it sets a precedent; it will almost certainly draw both criticism on the grounds that the APB has no business telling audit firms how to structure and run their businesses, and praise, for exactly the same reason.
Quality control
Quality control, or rather quality assurance, has moved ahead in recent years and the ED reflects the changes. There is more emphasis on built-in audit quality (as opposed to after-the-event monitoring), on team-working and consultation, and on the assumption of personal responsibility by team members, particularly the audit engagement partner. The ED recognises the fact that modern audits rely not only on the audit processes applied, but also on the competencies of the individuals applying those processes and there are new requirements relating to resourcing issues generally and to the acceptance of audit engagements. But the real change in this ED, by comparison with the existing SAS, is in its length, and in the requirements of the black-letter Auditing Standards.
The ED has 13 Auditing Standards, the existing Auditing Standard has two. Of the 13, four amount to a requirement to appoint a senior individual to take responsibility for a particular aspect of quality control. SAS 240.1 requires the appointment of a senior audit partner to take responsibility for establishing and communicating quality control policy and processes. SAS 240.4 requires that an audit engagement partner be appointed to each audit to be responsible for its conduct on behalf of the firm. SAS 240.10 requires that an independent review be conducted for listed companies and other public interest or high-risk entities. SAS 240.13 requires that a senior audit partner or a suitably qualified external consultant be appointed to monitor the quality of audits. And all of this represents a real rise in Auditing Standards. No firm, not even the largest, will be able to say that these proposals merely represent existing best practice and that the firm already complies; all will need to look at their internal structures and processes.
For small firms, on the face of it, this could all be a bit of a nightmare. The poor old sole practitioner is expected to appoint himself to establish quality control processes, monitor himself to ensure that he has complied with them, appoint himself as audit engagement partner, consult with himself and then perform independent reviews of his own work. The hat-stand will fall over! The introduction recognises the fact that in small firms, a single individual may perform several roles, but the document itself makes it reasonably clear that the consultation, monitoring and independent review roles may be performed by suitably qualified third parties. Independent partners who were previously engagement partners should have two years off (in order to become sufficiently independent) before they become independent partners and the monitoring role should not be carried out by the individual responsible for establishing quality control policy and processes, ‘wherever possible’. This presumably means that the sole practitioner should feel free to monitor his own work wherever it is too expensive for him to employ someone else to do it. Would there be any value in such self-monitoring? Whilst many sole practitioners do involve third parties very effectively in running their practices, not all do, and to require them to do so will cost money. Will that cost result in any benefits? The ED might be much clearer as to how small firms and sole practitioners are expected to apply its requirements. It might help if the small firm/sole practitioner issue were dealt with in one place, rather than being scattered round the document, as at present.
Independent reviews
For firms of all sizes, the requirement in SAS 240.10 for an independent review is likely to generate the most interest. Partners conducting such reviews are sometimes known as ‘second’ partners, sometimes as ‘review’ partners, and sometimes as ‘concurring’ partners (particularly in the US). Such reviews have been commonplace, particularly in larger firms, for many years. Even for large firms though, the comprehensive scope of the review required by this ED is likely to go beyond what is currently required; it covers, amongst other things, the independence and objectivity of the firm and the audit team, the rigour of the planning process (including the quality of the risk analysis), the results of the work (particularly in high risk areas), and the significance of unadjusted differences. These reviews must be conducted for listed companies, and firms must have a policy for all other audited entities that takes account of the public interest and audit risk. Little guidance is provided for firms of any size here. Whilst the vast majority of firms have no listed clients, a significant number do deal with pension funds (albeit small ones), charities, and other entities in which the public might be construed as having an interest. And how risky does an entity have to be before it warrants an independent review? Terms such as ‘the public interest’ and ‘audit risk’ appear in bold type in Auditing Standards, and a little more guidance would be enormously helpful.
For all of the problems with this ED it is a bold and far-reaching document which will attract much interest. It is only to be hoped that its more radical proposals do not get watered down too much during the consultation process.