
ISQM-guide-and-toolkit

Uploaded by

Aqib Sheikh
Copyright: © All Rights Reserved

CA PAKISTAN

ISQM Guide and Toolkit

Auditing Standards and Ethics Committee


Preface
Part I – Adoption of IAASB’s International Quality Management Standards (ISQMs) in Pakistan
Part II – About ISQM Guide and Toolkit
Part III – Risks and Controls Matrix
Quality Component 1: Governance & Leadership
Quality Component 2: Relevant Ethical Requirements
Quality Component 3: Acceptance and Continuance of Client Relationships and Specific Engagements
Quality Component 4: Engagement Performance
Quality Component 5: Resources
Quality Component 6: Information & Communication
Part IV – Evaluating the System of Quality Management
Part V – Documentation of SOQM
Part VI – Steps that firms can take to design and implement SOQM
Appendix A – Overview of ISQM Standards


Part I – Adoption of IAASB’s International Quality Management Standards (ISQMs) in Pakistan

Effective Dates in Pakistan:

Part II – About ISQM Guide and Toolkit

How does the ‘ISQM Guide and Toolkit’ help you?

How is the ‘ISQM Guide and Toolkit’ structured?

Part III – Risks and Controls Matrix
Quality Component 1: Governance & Leadership

Quality Objectives as per paragraph 28 of ISQM 1 | Quality Risks
Quality Risk(s)

GOV-QR-02 | GOV-QO-01 | Adoption of firm's Code of Conduct | The firm demonstrates a commitment to quality through leadership actions and behavior and a culture that recognizes and reinforces: • the firm’s role in serving the public interest by consistently performing quality engagements; • the importance of professional ethics, values and attitudes; • the responsibility of all personnel for: i) exchanging information with the firm and with one another; ii) quality relating to the performance of engagements or activities within the system of quality management; and iii) their expected behavior. | Applicable to overall firm level | The firm adopts the Code of Conduct which encompasses all relevant legal and other requirements (or in case of Network firm, the applicable or required ethical principles required by the Network), ethical requirements as specified in ICAP Code of Ethics and applicable laws and regulations etc. | Senior Leadership | Periodically / As and when required

GOV-QR-02 | GOV-QO-01 | Demonstration, communication and assessment of ethical behaviour | The firm demonstrates a commitment to quality through leadership actions and behavior and a culture that recognizes and reinforces: • the firm’s role in serving the public interest by consistently performing quality engagements; • the importance of professional ethics, values and attitudes; • the responsibility of all personnel for: i) exchanging information with the firm and with one another; ii) quality relating to the performance of engagements or activities within the system of quality management; and iii) their expected behavior. | Applicable to overall firm level | The senior leadership regularly demonstrates and communicates, through various media (via emails, publications and others etc.) to firm personnel to emphasize the importance of an ethical culture and compliance with the code of conduct, values, the importance of quality in all we do, and the importance of training and exchanging information with the firm and with one another. | Senior Leadership | Monthly

GOV-QR-02 | GOV-QO-01 | Firm level surveys on ethics and code of conduct | The firm demonstrates a commitment to quality through leadership actions and behavior and a culture that recognizes and reinforces: • the firm’s role in serving the public interest by consistently performing quality engagements; • the importance of professional ethics, values and attitudes; • the responsibility of all personnel for: i) exchanging information with the firm and with one another; ii) quality relating to the performance of engagements or activities within the system of quality management; and iii) their expected behavior. | Applicable to overall Firm level | The firm conducts surveys to: • understand and evaluate the employees’ knowledge and views on ethics, culture, code of conduct, values, tone at the top and the learning culture. • provide the opportunity to raise issues and concerns and to hear if employees are satisfied with the firm culture, tone at the top and environment. | Senior Leadership | Annually

GOV-QR-02 | GOV-QO-01 | Firm level Surveys to evaluate audit quality | The firm demonstrates a commitment to quality through leadership actions and behavior and a culture that recognizes and reinforces: • the firm’s role in serving the public interest by consistently performing quality engagements; • the importance of professional ethics, values and attitudes; • the responsibility of all personnel for: i) exchanging information with the firm and with one another; ii) quality relating to the performance of engagements or activities within the system of quality management; and iii) their expected behavior. | Applicable to overall firm level | The results are considered as an input to evaluate audit quality issues and the root causes of those issues, including related to culture and tone at the top analyzed as an input into RCA (Root Cause Analysis). | Senior Leadership | N/A

GOV-QR-02 | GOV-QO-01 | Communication with external parties regarding SOQM | The firm demonstrates a commitment to quality through leadership actions and behavior and a culture that recognizes and reinforces: • the firm’s role in serving the public interest by consistently performing quality engagements; • the importance of professional ethics, values and attitudes; • the responsibility of all personnel for: i) exchanging information with the firm and with one another; ii) quality relating to the performance of engagements or activities within the system of quality management; and iii) their expected behavior. | Applicable to overall Firm level | The firm communicates to external parties about the system of quality management in an external communication. | Senior Leadership | As and when required

GOV-QR-02 | GOV-QO-01 | Firm learning culture and training | The firm demonstrates a commitment to quality through leadership actions and behavior and a culture that recognizes and reinforces: • the firm’s role in serving the public interest by consistently performing quality engagements; • the importance of professional ethics, values and attitudes; • the responsibility of all personnel for: i) exchanging information with the firm and with one another; ii) quality relating to the performance of engagements or activities within the system of quality management; and iii) their expected behavior. | Applicable to overall Firm level | The firm promotes the learning culture and adopts the mandatory training materials (in the respective core areas) (either in their entirety, or translates/amends for local laws and regulations). | Senior Leadership | As per firm policy

GOV-QR-02 | GOV-QO-01 | Compliance requirements for firm’s Internal trainings | The firm demonstrates a commitment to quality through leadership actions and behavior and a culture that recognizes and reinforces: • the firm’s role in serving the public interest by consistently performing quality engagements; • the importance of professional ethics, values and attitudes; • the responsibility of all personnel for: i) exchanging information with the firm and with one another; ii) quality relating to the performance of engagements or activities within the system of quality management; and iii) their expected behavior. | Applicable to overall firm level | The firm adopts the requirement that all personnel shall take training covering compliance with laws, regulations and professional standards, anti-bribery and corruption, and reporting suspected or actual non-compliance. | Senior Leadership | As per firm's training policy

GOV-QR-02 | GOV-QO-01 | Promoting overall professional culture | The firm demonstrates a commitment to quality through leadership actions and behavior and a culture that recognizes and reinforces: • the firm’s role in serving the public interest by consistently performing quality engagements; • the importance of professional ethics, values and attitudes; • the responsibility of all personnel for: i) exchanging information with the firm and with one another; ii) quality relating to the performance of engagements or activities within the system of quality management; and iii) their expected behavior. | Applicable to overall firm level | The firm establishes and promotes a culture of continuous improvement and has mechanisms to identify deficiencies related to the system of quality management, to perform root cause analysis and to develop appropriate remedial actions to address these deficiencies, including those linked to firm culture and tone at the top. | Senior Leadership | Annual

GOV-QR-02 | GOV-QO-01 | External Communication on sensitive nature issues | The firm demonstrates a commitment to quality through leadership actions and behavior and a culture that recognizes and reinforces: • the firm’s role in serving the public interest by consistently performing quality engagements; • the importance of professional ethics, values and attitudes; • the responsibility of all personnel for: i) exchanging information with the firm and with one another; ii) quality relating to the performance of engagements or activities within the system of quality management; and iii) their expected behavior. | Applicable to overall firm level | Firm channels for reporting concerns and issues of a sensitive nature are clearly defined and communicated. The existence of, and how to access, firm Hotline is publicized on firm public website. | Senior Leadership | On going

GOV-QR-02 | GOV-QO-01 | Overall performance feedback | The firm demonstrates a commitment to quality through leadership actions and behavior and a culture that recognizes and reinforces: • the firm’s role in serving the public interest by consistently performing quality engagements; • the importance of professional ethics, values and attitudes; • the responsibility of all personnel for: i) exchanging information with the firm and with one another; ii) quality relating to the performance of engagements or activities within the system of quality management; and iii) their expected behavior. | Applicable to overall firm level | Performance feedback: • At least [annually], the firm requires [senior leadership / Individuals with operational responsibility for SOQM] to obtain performance feedback, which includes consideration of how they demonstrate the expected ethics, code of conduct, values and audit quality. • The results of the performance feedback are communicated to the respective individuals and, as appropriate, taken into consideration by the firm in determining the individual’s performance evaluation. | Senior Leadership | Annually

GOV-QR-02 | GOV-QO-01 | Performance feedback from firm's leadership | The firm demonstrates a commitment to quality through leadership actions and behavior and a culture that recognizes and reinforces: • the firm’s role in serving the public interest by consistently performing quality engagements; • the importance of professional ethics, values and attitudes; • the responsibility of all personnel for: i) exchanging information with the firm and with one another; ii) quality relating to the performance of engagements or activities within the system of quality management; and iii) their expected behavior. | Applicable to overall firm level | Annually, the firm seeks input from leadership on the performance of that firm as part of his or her annual performance assessment process. The input will be based on an assessment of the performance (including his/her personal conduct and the conduct of his/her firm as a reflection of their leadership) consistent with firm’s objectives and his/her contribution to the firm organization overall, including with respect to matters of public interest, audit quality and risk management activities and, more specifically, by reference to any role criteria and key performance indicators approved by the firm leadership. | Senior Leadership | Annually

GOV-QR-04 | GOV-QO-01 | Design, implementation and communication of firm's policies and procedures | The firm designs and implements policies and procedures for the firm SOQM. Any change/updation in policies and procedures are timely communicated to firm's personnel and engagement teams. | Applicable to overall firm level | Individual responsible for SOQM checks and ensures that firm's policies and procedures are adequately and timely communicated to staff and personnel and engagement teams through email, internal memos, trainings, website. Any change in policy required is also ensured and informed to firm's leadership. | Individual responsible for SOQM | Annually / As and when required

GOV-QR-02 | GOV-QO-01 | Investigating Complaints and Allegations | The firm demonstrates a commitment to quality through leadership actions and behavior and a culture that recognizes and reinforces: • the firm’s role in serving the public interest by consistently performing quality engagements; • the importance of professional ethics, values and attitudes; • the responsibility of all personnel for: i) exchanging information with the firm and with one another; ii) quality relating to the performance of engagements or activities within the system of quality management; and iii) their expected behavior. | Applicable to overall firm level | Firm personnel with experience, knowledge, and appropriate authority within the firm; and a direct line of communication to the individual(s) assigned ultimate responsibility and accountability for the SOQM investigates and documents all relevant reported matters from the help hotline, and the proposed actions are assessed and approved by Senior leadership before reporting to the (Risk and Compliance Committee / AQ Committee / Disciplinary Committee / Board / Board equivalent). | Senior Leadership | As and when required

GOV-QR-02 | GOV-QO-01 | Review of investigated matters | The firm demonstrates a commitment to quality through leadership actions and behavior and a culture that recognizes and reinforces: • the firm’s role in serving the public interest by consistently performing quality engagements; • the importance of professional ethics, values and attitudes; • the responsibility of all personnel for: i) exchanging information with the firm and with one another; ii) quality relating to the performance of engagements or activities within the system of quality management; and iii) their expected behavior. | Applicable to overall firm level | At least [quarterly], the [firm leadership] reviews a summary of relevant matters investigated and received through the help hotline, and analyses if there have been any changes in the complaints and allegations related to culture and tone at the top as compared to previous period. [Managing Partner] approves action plans accordingly. | Senior Leadership | Quarterly / As per firm's defined policy

GOV-QR-02, GOV-QR-05 | GOV-QO-01, GOV-QO-02 | Personnel performance evaluations, promotions and compensation | The firm demonstrates a commitment to quality through leadership actions and behavior and a culture that recognizes and reinforces: • the firm’s role in serving the public interest by consistently performing quality engagements; • the importance of professional ethics, values and attitudes; • the responsibility of all personnel for: i) exchanging information with the firm and with one another; ii) quality relating to the performance of engagements or activities within the system of quality management; and iii) their expected behavior. | Applicable to overall firm level | The firm adopts performance objective and KPI approach and principles, containing mandatory baseline requirements, to establish a consistent and fair process to evaluate firm personnel for their accountabilities, including the individual(s) assigned ultimate accountability for the firm’s system of quality management, and the individual(s) assigned operational accountability for elements of the SOQM. | Senior Leadership | Annually

GOV-QR-02, GOV-QR-03, GOV-QR-05 | GOV-QO-01, GOV-QO-02 | Consistency of individual behaviour with firm's code of conduct | The firm demonstrates a commitment to quality through leadership actions and behavior and a culture that recognizes and reinforces: • the firm’s role in serving the public interest by consistently performing quality engagements; • the importance of professional ethics, values and attitudes; • the responsibility of all personnel for: i) exchanging information with the firm and with one another; ii) quality relating to the performance of engagements or activities within the system of quality management; and iii) their expected behavior. | Applicable to overall firm level | [Annual] personnel performance evaluations, promotion outcomes and compensation awards reinforce expected standards of behavior, consistent with the firm's code of conduct and engagement quality objectives. The firm evaluation process specifically requires that engagement quality goals are incorporated into job description of all personnel who participate in audits or reviews of financial statements or other assurance or related services. | Senior Leadership | Annually

GOV-QR-02, GOV-QR-03 | GOV-QO-01 | Sanction of behaviors not aligned with Code of Conduct | The firm demonstrates a commitment to quality through leadership actions and behavior and a culture that recognizes and reinforces: • the firm’s role in serving the public interest by consistently performing quality engagements; • the importance of professional ethics, values and attitudes; • the responsibility of all personnel for: i) exchanging information with the firm and with one another; ii) quality relating to the performance of engagements or activities within the system of quality management; and iii) their expected behavior. | Applicable to overall firm level | The firm has mechanisms in place to sanction behavior not aligned to the firm's Code of Conduct. | Senior Leadership | Annually / As and when required

GOV-QR-03 | GOV-QO-01 | Recruitment and onboarding process | The firm demonstrates a commitment to quality through leadership actions and behavior and a culture that recognizes and reinforces: • the firm’s role in serving the public interest by consistently performing quality engagements; • the importance of professional ethics, values and attitudes; • the responsibility of all personnel for: i) exchanging information with the firm and with one another; ii) quality relating to the performance of engagements or activities within the system of quality management; and iii) their expected behavior. | Applicable to overall firm level | The firm has defined recruitment and onboarding processes with hiring criteria that are approved by the firm leadership. | Senior Leadership | Initially developed and then reviewed periodically

GOV-QR-03 | GOV-QO-01 | Disciplinary policies and procedures | The firm demonstrates a commitment to quality through leadership actions and behavior and a culture that recognizes and reinforces: • the firm’s role in serving the public interest by consistently performing quality engagements; • the importance of professional ethics, values and attitudes; • the responsibility of all personnel for: i) exchanging information with the firm and with one another; ii) quality relating to the performance of engagements or activities within the system of quality management; and iii) their expected behavior. | Applicable to overall firm level | • Firm disciplinary policies and procedures, including those that relate to [personal] independence, are reviewed [annually] and approved by the [Head of responsible group] for appropriateness and as applicable for compliance with the requirements of the Risk Management policies, ICAP's Code of Ethics and applicable regulatory requirements. • Firm disciplinary policies and procedures are communicated to the personnel. | Senior Leadership | Annually

GOV-QR-03 | GOV-QO-01 | Disciplinary policies confirmation | The firm demonstrates a commitment to quality through leadership actions and behavior and a culture that recognizes and reinforces: • the firm’s role in serving the public interest by consistently performing quality engagements; • the importance of professional ethics, values and attitudes; • the responsibility of all personnel for: i) exchanging information with the firm and with one another; ii) quality relating to the performance of engagements or activities within the system of quality management; and iii) their expected behavior. | Applicable to overall firm level | On annual basis, as part of the Annual Compliance confirmation, the firm obtains confirmation from personnel that they are aware and understand the firm disciplinary policies. | Senior Leadership | Annual

GOV-QR-03 | GOV-QO-01 | Review of misconduct and unethical behaviour | The firm demonstrates a commitment to quality through leadership actions and behavior and a culture that recognizes and reinforces: • the firm’s role in serving the public interest by consistently performing quality engagements; • the importance of professional ethics, values and attitudes; • the responsibility of all personnel for: i) exchanging information with the firm and with one another; ii) quality relating to the performance of engagements or activities within the system of quality management; and iii) their expected behavior. | Applicable to overall firm level | The firm [Disciplinary Committee or equivalent] reviews the facts and circumstances for the reported misconduct/unethical behavior or violations of firm policy and approves the consequences in accordance with the firm’s disciplinary policy guidelines. | Senior Leadership | As and when required

GOV-QR-03 | GOV-QO-01 | RCA methodology | The firm demonstrates a commitment to quality through leadership actions and behavior and a culture that recognizes and reinforces: • the firm’s role in serving the public interest by consistently performing quality engagements; • the importance of professional ethics, values and attitudes; • the responsibility of all personnel for: i) exchanging information with the firm and with one another; ii) quality relating to the performance of engagements or activities within the system of quality management; and iii) their expected behavior. | Applicable to overall firm level | The firm performs RCA in accordance with the firm's RCA policy/methodology. Remediation plans are approved by [firm leadership] and are monitored for effectiveness. | Senior Leadership | Annually

GOV-QR-03 | GOV-QO-01 | Specific remedial actions and improvement targets | The firm demonstrates a commitment to quality through leadership actions and behavior and a culture that recognizes and reinforces: • the firm’s role in serving the public interest by consistently performing quality engagements; • the importance of professional ethics, values and attitudes; • the responsibility of all personnel for: i) exchanging information with the firm and with one another; ii) quality relating to the performance of engagements or activities within the system of quality management; and iii) their expected behavior. | Applicable to overall firm level | The firm monitors the results and has specific remedial actions and improvement targets in place for all areas of significant concern, including specifically those related to the questions identified as being directly relevant to audit quality, governance, leadership and ethics. | Senior Leadership | At least semi-annually

GOV-QR-02, GOV-QR-03, GOV-QR-07, GOV-QR-15, GOV-QR-16 | GOV-QO-01, GOV-QO-03, GOV-QO-05 | Appointment of individuals to senior management roles | The firm demonstrates a commitment to quality through leadership actions and behavior and a culture that recognizes and reinforces: • the firm’s role in serving the public interest by consistently performing quality engagements; • the importance of professional ethics, values and attitudes; • the responsibility of all personnel for: i) exchanging information with the firm and with one another; ii) quality relating to the performance of engagements or activities within the system of quality management; and iii) their expected behavior. | Applicable to overall firm level | Appointment of individuals to senior management roles for accountabilities included in the firm senior management role profiles, the [approver] assesses [at the time of appointment] that the [individuals (or individual/group/third party legal resource in the case of the General Counsel role)] appointed to the relevant accountabilities have the appropriate competency and capability based on their experience and knowledge, and sufficient time based on the workload information to fulfil the accountabilities or adjustments to workload have been or will be made, if necessary to allow for sufficient time. | Senior Leadership | As and when required

GOV-QR-07, GOV-QR-15, GOV-QR-16 | GOV-QO-03, GOV-QO-05 | Commitment to quality through culture | The firm demonstrates a commitment to quality through a culture that recognizes and reinforces the importance of quality in the firm’s strategic decisions and actions, including the firm's financial and operational priorities. Firm resource needs, including financial resources, are planned for and resources are obtained, allocated or assigned in a manner that is consistent with the firm’s commitment to quality. | Applicable to overall firm level | The firm's personnel responsible for audit quality reviews [allocated budget / headcount] received from [CFO] and confirms to [Managing Partner / Board or equivalent body] that they have appropriate budget for, and it has been allocated appropriately to, the Audit Quality initiatives and the annual budget is consistent with the function's strategic plan. | Senior Leadership | Annually

GOV-QR-07, GOV-QR-15 | GOV-QO-03, GOV-QO-05 | Review of Annual Budget | The firm demonstrates a commitment to quality through a culture that recognizes and reinforces the importance of quality in the firm’s strategic decisions and actions, including the firm's financial and operational priorities. Firm resource needs, including financial resources, are planned for and resources are obtained, allocated or assigned in a manner that is consistent with the firm’s commitment to quality. | Applicable to overall firm level | Annual budget is reviewed and approved by the [Managing Partner and / or Board or equivalent body]. | Senior Leadership | Annually

GOV-QR-07, GOV-QR-16 | GOV-QO-03, GOV-QO-05 | Review of Material Changes | The firm demonstrates a commitment to quality through a culture that recognizes and reinforces the importance of quality in the firm’s strategic decisions and actions, including the firm's financial and operational priorities. The firm resource needs, including financial resources, are planned for and resources are obtained, allocated or assigned in a manner that is consistent with the firm’s commitment to quality. | Applicable to overall firm level | Subsequent material changes to the [budgets/reforecasts] are reviewed and approved by the [Managing Partner and/or the Board / equivalent body]. | Senior Leadership | As and when required

GOV-QR-07, GOV-QR-08 | GOV-QO-03 | Evaluation of New Clients | The firm demonstrates a commitment to quality through a culture that recognizes and reinforces the importance of quality in the firm’s strategic decisions and actions, including the firm's financial and operational priorities. | Applicable to overall firm level | Firm has process in place to evaluate new clients prior to the client being accepted. | Senior Leadership | As and when required

GOV-QR-07, GOV-QR-08, GOV-QR-15, GOV-QR-16 | GOV-QO-03, GOV-QO-05 | Review of firm Strategic Plan | The firm demonstrates a commitment to quality through a culture that recognizes and reinforces the importance of quality in the firm’s strategic decisions and actions, including the firm's financial and operational priorities. The firm resource needs, including financial resources, are planned for and resources are obtained, allocated or assigned in a manner that is consistent with the firm’s commitment to quality. | Applicable to overall firm level | The Board or equivalent governance body reviews and approves the firm strategic plan, including assessing that the firm has, or is committed to obtain, sufficient human, intellectual and technological resources for the next [xxxx] years to support audit quality and the effectiveness of its SOQM. | Senior Leadership | Annually

GOV-QR-07 | GOV-QO-03 | Adoption of firm's Enterprise Risk Assessment Policy | The firm demonstrates a commitment to quality through a culture that recognizes and reinforces the importance of quality in the firm’s strategic decisions and actions, including the firm's financial and operational priorities. | Applicable to overall firm level | Firm prepares and develops the Enterprise Risk Assessment (ERM) policy to establish, maintain and conduct an ERM process to identify, assess and manage the firm’s enterprise risks, (including those related to audit quality). | Senior Leadership | Annually

GOV-QR-10 | GOV-QO-03 | Internal and external inspection findings | The firm demonstrates an attitude of improving quality by responding to internal and external inspection findings. For example, analysis of monitoring findings, root cause analysis and remedial actions are not performed or do not effectively respond to identified deficiencies. | Applicable to overall firm level | The individual with ultimate responsibility for the SOQM shall consider each matter raised/findings, perform the root cause analysis and determine the appropriate course of action. The individual with ultimate responsibility for the SOQM shall also report back to the informant on the results of any investigation and proposed courses of action. | Senior Leadership / Individual with ultimate responsibility for the SOQM | Monthly / quarterly

Quality Risk(s): GOV-QR-05, GOV-QR-15, GOV-QR-16
Quality Objective(s): GOV-QO-02, GOV-QO-05
Control title: Adoption of accountability framework
Quality objective description: Firm leadership is responsible and accountable for quality.
Firm resource needs, including financial resources, are planned for and resources are obtained, allocated or assigned in a manner that is consistent with the firm’s commitment to quality.
Applicability: Applicable to overall firm level
Control description:
• The firm adopts the firm senior management role profiles (as set out in the firm's defined accountabilities) to support the firm’s commitment to quality and the design, implementation and operation of the firm’s system of quality management. Annually, the firm leadership determines that for each leadership role accountability there is an appointed responsible [individual / group / third party legal resource] in the firm.
• [Annually] for the firm's defined accountabilities referred to in part A of this control, the [individual(s)] with ultimate responsibility and accountability for the SOQM determines that there are no conflicts or risks of self-oversight of an operational role or that appropriate mitigations have been put in place.
Responsible: Senior Leadership
Frequency: Annually

Quality Risk(s): GOV-QR-05, GOV-QR-06, GOV-QR-07, GOV-QR-16
Quality Objective(s): GOV-QO-02, GOV-QO-04, GOV-QO-05
Control title: Accountability of firm's leadership for Quality
Quality objective description: The firm leadership is responsible and accountable for quality.
The firm has an organizational structure and assignment of roles, responsibilities and authority that is appropriate to enable the design, implementation and operation of the firm’s system of quality management.
Firm resource needs, including financial resources, are planned for and resources are obtained, allocated or assigned in a manner that is consistent with the firm’s commitment to quality.
Applicability: Applicable to overall firm level
Control description: Each individual who has been assigned a key accountability role sets goals relevant to their profile, which are reviewed and approved by their respective Performance Manager.
Responsible: Senior Leadership
Frequency: As and when required

Quality Risk(s): GOV-QR-08
Quality Objective(s): GOV-QO-04
Control title: Establishment of reporting lines and appropriate authorities
Quality objective description: The firm has an organizational structure and assignment of roles, responsibilities and authority that is appropriate to enable the design, implementation and operation of the firm’s system of quality management.
Applicability: Applicable to overall firm level
Control description:
• The firm establishes [an SOQM oversight governance body/ individuals responsible for ISQM], reporting lines, and appropriate authorities and responsibilities, including assigning executive and operational responsibility for the SOQM as a whole and specific aspects of the SOQM.
• The firm develops and maintains the terms of reference for the identified SOQM governance body.
• The [Managing Partner] reviews and approves the established structures, reporting lines, and allocation of appropriate responsibilities. These include that:
  1) the individuals with operational responsibility for the system of quality management;
  2) individuals with operational responsibility for compliance; and
  3) individuals with operational responsibility for monitoring and remediation process
  have a direct line of communication to the individual(s) assigned ultimate responsibility and accountability for the SOQM.
Responsible: Senior Leadership
Frequency: Annually

Quality Risk(s): GOV-QR-05, GOV-QR-13
Quality Objective(s): GOV-QO-02, GOV-QO-04
Control title: Operational responsibility for SOQM
Quality objective description: Firm leadership is responsible and accountable for quality.
The firm has an organizational structure and assignment of roles, responsibilities and authority that is appropriate to enable the design, implementation and operation of the firm’s system of quality management.
Applicability: Applicable to overall firm level
Control description: For the appointment of individuals with:
• Overall operational responsibility for the SOQM;
• Operational responsibility for specific aspects of the SOQM including:
  1) compliance with independence requirements [firm Independence leader / ethics leader], and
  2) monitoring and remediation process [Firm Risk Leader]
The appropriate approver assesses that the individual has the appropriate understanding of the role(s) and their accountability for fulfilling them; competency and capability based on the individual's experience, knowledge, influence, authority and sufficient time based on the workload information to fulfill the assigned responsibility.
Responsible: Senior Leadership
Frequency: Annually

Quality Risk(s): GOV-QR-11
Quality Objective(s): GOV-QO-04
Control title: Appointment of individuals as Board members
Quality objective description: The firm has an organizational structure and assignment of roles, responsibilities and authority that is appropriate to enable the design, implementation and operation of the firm’s system of quality management.
Applicability: Applicable to overall firm level
Control description: The firm has [policy/ partnership agreement or equivalent] for appointment of individuals as Board members, including non-executive/ independent Board members, when applicable.
Responsible: Senior Leadership
Frequency: Annually

Quality Risk(s): GOV-QR-11
Quality Objective(s): GOV-QO-04
Control title: Board's role on governance and leadership
Quality objective description: The firm has an organizational structure and assignment of roles, responsibilities and authority that is appropriate to enable the design, implementation and operation of the firm’s system of quality management.
Applicability: Applicable to overall firm level
Control description:
• The Board (or equivalent governance body) has clearly defined terms of reference including conflict of interest, powers, authorities, responsibilities, delegation, and requirements. The Board (or equivalent governance body) oversees management of the firm and protects the interests of the equity partners (or equivalent) as a whole.
• The length of each term of appointment of Board members should be defined as per the firm’s policy.
• There are [quarterly] meetings of the Board (or equivalent governance body). A summary of the meetings, minutes and attendees is documented and retained.
Responsible: Senior Leadership
Frequency: As and when required

Quality Risk(s): GOV-QR-11
Quality Objective(s): GOV-QO-04
Control title: Role on compliance with applicable law and regulations
Quality objective description: The firm has an organizational structure and assignment of roles, responsibilities and authority that is appropriate to enable the design, implementation and operation of the firm’s system of quality management.
Applicability: Applicable to overall firm level
Control description: The firm should develop a policy to define an organizational structure and assignment of roles, responsibilities and authority that is appropriate to enable the design, implementation and operation of the firm’s system of quality management.
Responsible: Senior Leadership
Frequency: As and when required

Quality Risk(s): GOV-QR-12, GOV-QR-13
Quality Objective(s): GOV-QO-04
Control title: Organizational Structure and assignment of roles
Quality objective description: The firm has an organizational structure and assignment of roles, responsibilities and authority that is appropriate to enable the design, implementation and operation of the firm’s system of quality management.
Applicability: Applicable to overall firm level
Control description: Before the appointment of the firm leadership/quality roles and also before any preferred candidate or shortlist becomes widely known among firm partners, firms are required to consult with Senior Leadership.
Responsible: Senior Leadership
Frequency: As and when required

Quality Risk(s): GOV-QR-12
Quality Objective(s): GOV-QO-04
Control title: Organizational Structure and assignment of roles
Quality objective description: The firm has an organizational structure and assignment of roles, responsibilities and authority that is appropriate to enable the design, implementation and operation of the firm’s system of quality management.
Applicability: Applicable to overall firm level
Control description: The firm has a succession planning process for the key leadership roles (as per the firm's defined roles and responsibilities set out in the accountabilities framework). The [firm management committee] develops succession plans for assignments of responsibility for key firm leadership roles. The Managing Partner reviews and approves the succession plan annually.
Responsible: Senior Leadership
Frequency: Annually

Quality Risk(s): GOV-QR-12, GOV-QR-13
Quality Objective(s): GOV-QO-04
Control title: Organizational Structure and assignment of roles
Quality objective description: The firm has an organizational structure and assignment of roles, responsibilities and authority that is appropriate to enable the design, implementation and operation of the firm’s system of quality management.
Applicability: Applicable to overall firm level
Control description:
• Annually, the [individual/s assigned operational responsibility for the SOQM monitoring and remediation process/ SOQM lead] reviews and approves the evaluation of the severity and pervasiveness of identified deficiencies, and the materials provided to the Managing Partner for purposes of forming an overall conclusion on the SOQM.
• Annually, the Managing Partner reviews the results and analysis of the annual SOQM evaluation and approves the results based on the information provided.
Responsible: Senior Leadership
Frequency: Annually

Quality Risk(s): GOV-QR-14
Quality Objective(s): GOV-QO-04
Control title: Organizational Structure and assignment of roles
Quality objective description: The firm has assigned responsibility of system of quality management to the appropriate personnel having experience, knowledge and sufficient time to fulfill their assigned responsibilities.
Applicability: Applicable to overall firm level
Control description: The individual responsible for the SOQM should have relevant experience, knowledge related to the firm’s strategic decisions and actions and business operations, including engagements performed by the firm. He/she must have influence and authority within the firm, and sufficient time, to perform his/her assigned responsibility. Each year, [the managing partner or designated person] shall assess the performance of the firm’s leaders. If improvement is required, the managing partner is responsible for taking the appropriate action such as requiring additional training, freeing up the time required or even replacing the leader. The individual responsible for the firm's SOQM shall be accountable and communicate regularly to the individual with ultimate responsibility for SOQM and ensure the firm’s policies and procedures in relation to the assigned area of responsibility:
• Appropriately designed and implemented. Policies shall be sufficient to ensure ongoing compliance with each relevant requirement.
• Communicated to all partners and staff.
• Complied with by all partners and staff.
• Properly maintained through an annual review and update.
• The practice aids in use (such as checklists, software programs, forms, work programs and template letters) are up to date and readily accessible to partners and staff.
• Prepare an annual report to be submitted to the managing partner (or partners) on the work performed and major issues identified along with their resolution and recommendations for improvements.
Responsible: Senior Leadership
Frequency: Annually

Quality Risk(s): GOV-QR-16
Quality Objective(s): GOV-QO-05
Control title: Resource needs including financial resources
Quality objective description: Firm resource needs, including financial resources, are planned for and resources are obtained, allocated or assigned in a manner that is consistent with the firm’s commitment to quality.
Applicability: Applicable to overall firm level
Control description: The firm plans for its [human] resource needs on an annual basis by estimating the expected hours/personnel needed to service its client portfolio.
Responsible: Senior Leadership
Frequency: Annual


Quality Risk(s): GOV-QR-11
Quality Objective(s): GOV-QO-01
Control title: Demonstration of commitment to quality through leadership action and behaviour
Quality objective description: The firm demonstrates a commitment to quality through leadership actions and behavior and a culture that recognizes and reinforces:
• the firm’s role in serving the public interest by consistently performing quality engagements;
• the importance of professional ethics, values and attitudes;
• the responsibility of all personnel for:
  i) exchanging information with the firm and with one another;
  ii) quality relating to the performance of engagements or activities within the system of quality management; and
  iii) their expected behavior.
Applicability: Applicable to overall firm level
Control description: Firm Partnership Agreement:
• Whenever the firm [Partnership Agreement] is changed, the Risk leader reviews and checks that the changes do not affect the firm’s ability to comply with its contractual obligations to firm, as they relate to its System of Quality Management.
• Whenever the firm membership documents are changed, the Risk leader reviews and checks that the firm continues to have the ability to comply with its contractual obligations to firm, as they relate to its System of Quality Management, including whether any changes to the firm [Partnership Agreement] are necessary and, if necessary, have been made.
• Whenever laws and regulations applying to firm governance are changed, the Risk leader reviews and checks that the firm continues to comply with those laws and regulations, including whether any changes to the firm [Partnership Agreement] are necessary and, if necessary, have been made.
Responsible: Risk Leader
Frequency: As and when required

Quality Risk(s): GOV-QR-01
Quality Objective(s): GOV-QO-01
Control title: Demonstration of commitment to quality through leadership action and behaviour
Quality objective description: The firm demonstrates a commitment to quality through leadership actions and behavior and a culture that recognizes and reinforces:
• the firm’s role in serving the public interest by consistently performing quality engagements;
• the importance of professional ethics, values and attitudes;
• the responsibility of all personnel for:
  i) exchanging information with the firm and with one another;
  ii) quality relating to the performance of engagements or activities within the system of quality management; and
  iii) their expected behavior.
Applicability: Applicable to overall firm level
Control description: The firm develops and maintains a Code of Conduct consistent with the applicable ICAP Code of Ethics and applicable regulatory requirements.
Responsible: Senior Leadership
Frequency: As and when required

Quality Risk(s): GOV-QR-01
Quality Objective(s): GOV-QO-01
Control title: Demonstration of commitment to quality through leadership action and behaviour
Quality objective description: The firm demonstrates a commitment to quality through leadership actions and behavior and a culture that recognizes and reinforces:
• the firm’s role in serving the public interest by consistently performing quality engagements;
• the importance of professional ethics, values and attitudes;
• the responsibility of all personnel for:
  i) exchanging information with the firm and with one another;
  ii) quality relating to the performance of engagements or activities within the system of quality management; and
  iii) their expected behavior.
Applicability: Applicable to overall firm level
Control description: The Chairman [and other senior leadership] regularly communicates, through various media (via emails, publications, videos, campaigns, etc.) to firm [leadership] to consistently emphasize the importance of an ethical culture and compliance with the code of conduct, values, the importance of quality in all we do and the importance of training.
Responsible: Senior Leadership
Frequency: As and when required

Quality Risk(s): GOV-QR-01
Quality Objective(s): GOV-QO-01
Control title: Demonstration of commitment to quality through leadership action and behaviour
Quality objective description: The firm demonstrates a commitment to quality through leadership actions and behavior and a culture that recognizes and reinforces:
• the firm’s role in serving the public interest by consistently performing quality engagements;
• the importance of professional ethics, values and attitudes;
• the responsibility of all personnel for:
  i) exchanging information with the firm and with one another;
  ii) quality relating to the performance of engagements or activities within the system of quality management; and
  iii) their expected behavior.
Applicability: Applicable to overall firm level
Control description: The firm establishes and supports a learning culture by providing developed training materials (in core areas) and tools to firms (e.g. training framework, tools to create course content).
Responsible: Senior Leadership
Frequency: As and when required

Quality Risk(s): GOV-QR-01
Quality Objective(s): GOV-QO-01
Control title: Demonstration of commitment to quality through leadership action and behaviour
Quality objective description: The firm demonstrates a commitment to quality through leadership actions and behavior and a culture that recognizes and reinforces:
• the firm’s role in serving the public interest by consistently performing quality engagements;
• the importance of professional ethics, values and attitudes;
• the responsibility of all personnel for:
  i) exchanging information with the firm and with one another;
  ii) quality relating to the performance of engagements or activities within the system of quality management; and
  iii) their expected behavior.
Applicability: Applicable to overall firm level
Control description: The firm analyzes feedback from monitoring activities as an input to evaluate audit quality issues and the root causes of those issues, including those related to culture and tone at the top.
Responsible: Senior Leadership
Frequency: As and when required


Quality Risk(s): GOV-QR-01
Quality Objective(s): GOV-QO-01
Control title: Demonstration of commitment to quality through leadership action and behaviour
Quality objective description: The firm demonstrates a commitment to quality through leadership actions and behavior and a culture that recognizes and reinforces:
• the firm’s role in serving the public interest by consistently performing quality engagements;
• the importance of professional ethics, values and attitudes;
• the responsibility of all personnel for:
  i) exchanging information with the firm and with one another;
  ii) quality relating to the performance of engagements or activities within the system of quality management; and
  iii) their expected behavior.
Applicability: Applicable to overall firm level
Control description: Annually, the senior leadership reviews the ERM documentation submissions required to be submitted by the firm as per the Risk Management Manual or policies.
Responsible: Senior Leadership
Frequency: Annually

Quality Risk(s): GOV-QR-01
Quality Objective(s): GOV-QO-01
Control title: Demonstration of commitment to quality through leadership action and behaviour
Quality objective description: The firm demonstrates a commitment to quality through leadership actions and behavior and a culture that recognizes and reinforces:
• the firm’s role in serving the public interest by consistently performing quality engagements;
• the importance of professional ethics, values and attitudes;
• the responsibility of all personnel for:
  i) exchanging information with the firm and with one another;
  ii) quality relating to the performance of engagements or activities within the system of quality management; and
  iii) their expected behavior.
Applicability: Applicable to overall firm level
Control description: The firm conducts the performance evaluations of firm's individuals and accordingly takes appropriate actions.
Responsible: Senior Leadership
Frequency: Annually

Quality Risk(s): GOV-QR-01
Quality Objective(s): GOV-QO-01
Control title: Demonstration of commitment to quality through leadership action and behaviour
Quality objective description: The firm demonstrates a commitment to quality through leadership actions and behavior and a culture that recognizes and reinforces:
• the firm’s role in serving the public interest by consistently performing quality engagements;
• the importance of professional ethics, values and attitudes;
• the responsibility of all personnel for:
  i) exchanging information with the firm and with one another;
  ii) quality relating to the performance of engagements or activities within the system of quality management; and
  iii) their expected behavior.
Applicability: Applicable to overall firm level
Control description: Accountability framework - roles and responsibility
The firm defines accountabilities (as set out in the accountabilities framework) for firms to adopt to support their commitment to quality and the design, implementation and operation of the firm’s system of quality management.
Responsible: Senior Leadership
Frequency: Annually

Quality Risk(s): GOV-QR-01
Quality Objective(s): GOV-QO-01
Control title: Demonstration of commitment to quality through leadership action and behaviour
Quality objective description: The firm demonstrates a commitment to quality through leadership actions and behavior and a culture that recognizes and reinforces:
• the firm’s role in serving the public interest by consistently performing quality engagements;
• the importance of professional ethics, values and attitudes;
• the responsibility of all personnel for:
  i) exchanging information with the firm and with one another;
  ii) quality relating to the performance of engagements or activities within the system of quality management; and
  iii) their expected behavior.
Applicability: Applicable to overall firm level
Control description: The firm establishes minimum policies and processes that firms are required to follow to evaluate new clients and/or engagements prior to being accepted.
Responsible: Senior Leadership
Frequency: As and when required

Quality Risk(s): GOV-QR-01, GOV-QR-11
Quality Objective(s): GOV-QO-01, GOV-QO-04
Control title: Board's role on governance and leadership
Quality objective description: The firm demonstrates a commitment to quality through leadership actions and behavior and a culture that recognizes and reinforces:
• the firm’s role in serving the public interest by consistently performing quality engagements;
• the importance of professional ethics, values and attitudes;
• the responsibility of all personnel for:
  i) exchanging information with the firm and with one another;
  ii) quality relating to the performance of engagements or activities within the system of quality management; and
  iii) their expected behavior.
Applicability: Applicable to overall firm level
Control description: Board role:
• The Board/Governing body of the firm has specific governance documents that govern its activities including conflicts of interest, its powers, authorities, responsibilities, delegation and Board member appointment and terms of office. The Board or its authorized delegates exercise all powers and responsibilities relating to the management of the firm.
• There are at least quarterly meetings of the Board. All decisions taken by the Board are documented and retained.
Responsible: Senior Leadership
Frequency: Annually

Quality Risk(s): GOV-QR-01
Quality Objective(s): GOV-QO-01
Control title: Demonstration of commitment to quality through leadership action and behaviour
Quality objective description: The firm demonstrates a commitment to quality through leadership actions and behavior and a culture that recognizes and reinforces:
• the firm’s role in serving the public interest by consistently performing quality engagements;
• the importance of professional ethics, values and attitudes;
• the responsibility of all personnel for:
  i) exchanging information with the firm and with one another;
  ii) quality relating to the performance of engagements or activities within the system of quality management; and
  iii) their expected behavior.
Applicability: Applicable to overall firm level
Control description: The Management Team demonstrates through their directives, actions and behavior the importance of integrity and ethical values, which is measured through the performance evaluations of those individuals, and sourcing feedback and analysis of the results from hotline reports.
Responsible: Senior Leadership
Frequency: Annually

Quality Risk(s): GOV-QR-01, GOV-QR-02
Quality Objective(s): GOV-QO-01
Control title: Investigating Complaints and Allegations
Quality objective description: The firm demonstrates a commitment to quality through leadership actions and behavior and a culture that recognizes and reinforces:
• the firm’s role in serving the public interest by consistently performing quality engagements;
• the importance of professional ethics, values and attitudes;
• the responsibility of all personnel for:
  i) exchanging information with the firm and with one another;
  ii) quality relating to the performance of engagements or activities within the system of quality management; and
  iii) their expected behavior.
Applicability: Applicable to overall firm level
Control description: Investigating Complaints and Allegations:
• Complaints and allegations received through the firm Hotline/whistle blowing channels are appropriately investigated by firm and documented, and the proposed actions are assessed and the matters are appropriately closed by identifying and taking appropriate redressal measures.
Responsible: Senior Leadership
Frequency: As and when required

Quality Risk(s): GOV-QR-02
Quality Objective(s): GOV-QO-01
Control title: Demonstration of commitment to quality through leadership action and behaviour
Quality objective description: The firm demonstrates a commitment to quality through leadership actions and behavior and a culture that recognizes and reinforces:
• the firm’s role in serving the public interest by consistently performing quality engagements;
• the importance of professional ethics, values and attitudes;
• the responsibility of all personnel for:
  i) exchanging information with the firm and with one another;
  ii) quality relating to the performance of engagements or activities within the system of quality management; and
  iii) their expected behavior.
Applicability: Applicable to overall firm level
Control description: The firm establishes and supports a culture of continuous improvement in all the components of the system of quality management by providing developed materials to firms, including instructions for conducting monitoring programs and remediation guidance.
Responsible: Senior Leadership
Frequency: As and when required

Quality Risk(s): GOV-QR-03
Quality Objective(s): GOV-QO-01
Control title: Guidance related to disciplinary policies and procedures
Quality objective description: The firm demonstrates a commitment to quality through leadership actions and behavior and a culture that recognizes and reinforces:
• the firm’s role in serving the public interest by consistently performing quality engagements;
• the importance of professional ethics, values and attitudes;
• the responsibility of all personnel for:
  i) exchanging information with the firm and with one another;
  ii) quality relating to the performance of engagements or activities within the system of quality management; and
  iii) their expected behavior.
Applicability: Applicable to overall firm level
Control description: The firm guidance related to disciplinary policies and procedures [included in the Risk Management Manual/policies] is reviewed for relevance and reliability by the Independence leadership, with appropriate input, and recommended for approval by the Quality & Risk leader.
Responsible: Senior Leadership
Frequency: As and when required


Quality Risk(s): GOV-QR-03
Quality Objective(s): GOV-QO-01
Control title: Demonstration of commitment to quality through leadership action and behaviour
Quality objective description: The firm demonstrates a commitment to quality through leadership actions and behavior and a culture that recognizes and reinforces:
• the firm’s role in serving the public interest by consistently performing quality engagements;
• the importance of professional ethics, values and attitudes;
• the responsibility of all personnel for:
  i) exchanging information with the firm and with one another;
  ii) quality relating to the performance of engagements or activities within the system of quality management; and
  iii) their expected behavior.
Applicability: Applicable to overall firm level
Control description: The firm develops a mechanism to implement minimum disciplinary policies and procedures as set out in the Risk Management Manual/ policies.
Responsible: Senior Leadership
Frequency: As and when required

Quality Risk(s): GOV-QR-11
Quality Objective(s): GOV-QO-03
Control title: Firm’s budget allocation
Quality objective description: The firm demonstrates a commitment to quality through a culture that recognizes and reinforces the importance of quality in the firm’s strategic decisions and actions, including the firm's financial and operational priorities.
Applicability: Applicable to overall firm level
Control description: The firm’s leadership, based on the firm strategy and their functional analysis, prepares and approves the budget.
Responsible: Senior Leadership
Frequency: Annually

Quality Risk(s): GOV-QR-11
Quality Objective(s): GOV-QO-03
Control title: Identification of emerging risks
Quality objective description: The firm demonstrates a commitment to quality through a culture that recognizes and reinforces the importance of quality in the firm’s strategic decisions and actions, including the firm's financial and operational priorities.
Applicability: Applicable to overall firm level
Control description: Emerging risks are identified, if applicable, as part of firm quarterly assessment of its financial health. These risks are escalated to senior leadership and are subject to an ongoing review and monitoring process to ensure resolution.
Responsible: Senior Leadership
Frequency: Periodically/ as per firm policy

Quality Risk(s): GOV-QR-11
Quality Objective(s): GOV-QO-03
Control title: Board's review and approval of significant updates
Quality objective description: The firm demonstrates a commitment to quality through a culture that recognizes and reinforces the importance of quality in the firm’s strategic decisions and actions, including the firm's financial and operational priorities.
Applicability: Applicable to overall firm level
Control description: As part of the Managing Partner or Board’s review and approval of significant updates to the firm strategy (whether new or changes to existing plans), the firm's Board is satisfied at the time of its approval that there are sufficient human, intellectual and technological resources at the firm level in order to support audit quality initiatives requiring firm involvement, taking into account the anticipated duration of each initiative.
Responsible: Senior Leadership
Frequency: As and when required

Quality Risk(s): GOV-QR-01, GOV-QR-11, GOV-QR-12, GOV-QR-13
Quality Objective(s): GOV-QO-01, GOV-QO-04
Control title: Establishing firm structures and committee
Quality objective description: The firm demonstrates a commitment to quality through leadership actions and behavior and a culture that recognizes and reinforces:
• the firm’s role in serving the public interest by consistently performing quality engagements;
• the importance of professional ethics, values and attitudes;
• the responsibility of all personnel for:
  i) exchanging information with the firm and with one another;
  ii) quality relating to the performance of engagements or activities within the system of quality management; and
  iii) their expected behavior.
The firm has an organizational structure and assignment of roles, responsibilities and authority that is appropriate to enable the design, implementation and operation of the firm’s system of quality management.
Applicability: Applicable to overall firm level
Control description: Establishing firm structures and committees:
• The firm establishes or ensures that there are existing structures, committees, lines of communication, and appropriate authorities and responsibilities that support the firm commitment to quality and the design, implementation and operation of the system of quality management.
• The firm develops and maintains terms of reference for each [governance body] identified, that includes the body's responsibilities, accountability, membership and how to be appointed as a member and reporting requirements and protocols that is reviewed and approved by the [appropriate governance body].
Responsible: Senior Leadership
Frequency: Annually

Quality Risk(s): GOV-QR-12
Quality Objective(s): GOV-QO-04
Control title: Establishment of communication channels and mechanisms
Quality objective description: The firm has an organizational structure and assignment of roles, responsibilities and authority that is appropriate to enable the design, implementation and operation of the firm’s system of quality management.
Applicability: Applicable to overall firm level
Control description: The firm establishes communication channels and mechanisms for obtaining information within the firm (such as implementation progress of new initiatives, audit quality issues/findings from within the firm and action plans to address them).
Responsible: Senior Leadership
Frequency: As and when required

Quality Risk(s): GOV-QR-11, GOV-QR-12
Quality Objective(s): GOV-QO-04
Control title: Development of a model for succession planning
Quality objective description: The firm has an organizational structure and assignment of roles, responsibilities and authority that is appropriate to enable the design, implementation and operation of the firm’s system of quality management.
Applicability: Applicable to overall firm level
Control description: The firm leadership develops a model for succession planning, and a succession plan, for key firm leadership roles.
Responsible: Senior Leadership
Frequency: Annually

GOV-QR-01 GOV-QO-01 Demonstration of The Firm demonstrates a commitment to Applicable Before the appointment of the firm Senior As and
commitment to quality through leadership actions and to overall leadership/quality roles and also before Leadership when
quality through behavior and a culture that recognizes Firm level any preferred candidate or shortlist required
leadership action and reinforces: becomes widely known among firm
and behaviour partners, firms are required to consult with
• the firm’s role in serving the public Senior Leadership.
interest by consistently performing
quality engagements;

• the importance of professional ethics,
values and attitudes;

• the responsibility of all personnel for:

i) exchanging information with the
Firm and with one another;

ii) quality relating to the
performance of engagements or
activities within the system of
quality management; and

iii) their expected behavior.




Quality Component 2

Relevant Ethical Requirements


Quality Component 2: Relevant Ethical Requirements ISQM Guide and Toolkit

Quality Objectives as per paragraph 29 of ISQM 1 Quality Risks

Quality Objectives as per paragraph 28 of ISQM 1 Quality Risk


ER-QR-01 ER-QO-01 Understanding of To ensure that firm and its personnel Applicable to • The firm should develop policies and Ethics Throughout the
ER-QR-1A the relevant understand the relevant ethical overall firm procedures related to the firm's ethical Leader (EL) year
ER-QR-02 ethical requirements and demonstrate their level requirements that are applicable to the
requirements and commitment to ethical behavior. firm and its engagements.
its importance for
SOQM • The firm needs to define roles and
responsibilities for managing
compliance with ethical
requirements and reinforce the firm's
values within the firm.

• Appoint an appropriate Ethics
Leader who designs, implements
and controls application of policies &
procedures.

• The firm should have a policy of training
for all staff by the Ethics Leader,
including frequency of trainings.

• The firm encourages staff to consult
with the Ethics Leader on any ethical
matters and to obtain his/her
assistance in resolving any issues.

• The documented approval of the
Ethics or Risk Management Leader
shall be obtained before any
engagement work commences
where an actual or potential conflict
of interest(s) or threats to
independence have been identified
that require safeguards to be
implemented.

• There should be a control of
dissemination and acceptance /
acknowledgement of understanding
of ethics policy on joining the firm
and thereafter annually or
bi-annually etc.


• The training session by the Ethics
leader / team includes discussion of
the Code, the purpose, the values,
their ethical responsibilities, and
resources where partners and staff
can turn to for ethics issues. The
training sessions include
instructions regarding the Annual
Compliance Confirmations and
Engagement-specific Compliance
Confirmations, both of which include
a section on the Code of Conduct.

ER-QR-05 ER-QO-02 Communication To ensure that proper communication Applicable to • Through regular email communications Ethics Throughout the
and training on has been made to the firm personnel overall firm and training sessions, all partners and Leader year
ethical about ethical responsibilities, business level staff are made aware of the identity of
requirements and conduct and accountability for the work the Ethics Leader. This is to ensure that
business conduct the firm staff are aware of who is
responsible for the overall Ethics
function in the firm. The training
material is developed by the Ethics
Leader and his/her team in line with the
firm's training requirements and
guidance for new hires, experienced
hires, and milestone training (including
new partners and new managers).
• Any additional sessions are
developed based on the needs of
the participants which depends on
their roles in the firm.
• Dissemination of policy should be on
joining and thereafter every six
months and annually.
• The Ethics Leader may develop
supplemental policies and
communicate with staff via the HR
Trainee Manual and HR Employee
Manual. Copies of the Code of
Conduct, Complaints & Allegations
Policy are also shared via email
communications to the entire firm.


ER-QR-01 ER-QO-01 Unclear To ensure that responsibilities and Applicable to Partners and staff may be confused over Ethics Throughout the
ER-QR-03 responsibilities accountability for business conduct and overall firm who has responsibility for ethical Leader year
ER-QR-09 and values are clear level behaviour even though this is regularly
accountability for communicated and reinforced in
business conduct trainings and emails. For this, the firm
and values should communicate to all of the firm's
staff who the Ethics Leader is, every
quarter. Further, the matters on which
he/she can be accessed, and through what
channel, should be communicated at firm
level every quarter.

• One of the responsibilities of the
Ethics Leader is to report to firm
leadership regarding Ethics and
Business Conduct (E&BC)
activities, including reports of
complaints and allegations.

• The Ethics Leader shares the E&BC
annual risk assessment, annual
action plan, and annual action plan
progress report, with the senior
leadership along with the summary
of the Ethics Investigations
conducted on any complaints and
allegations received during the year.
If any investigations resulted in
remedial actions, required to be
undertaken, this is to be shared with
the senior leadership.

ER-QR-01 ER-QO-01 Unclear To ensure that all complaints are Applicable to The Ethics leader/team must ensure Ethics Throughout the
ER-QR-03 responsibilities investigated promptly. overall firm that all complaints are investigated, Leader year
and level timely resolved and reported to relevant
accountability for stakeholders. If the investigation results
business conduct in recommendations to be made to a
and values partner for their action, these should be
formally communicated by the Ethics
team to the respective Partner.


ER-QR-08 ER-QO-02 Independence The firm personnel conduct work Applicable to The firm should have policies and Engagement Throughout the
ER-QR-09 requirement for using professional judgment, objectivity overall firm procedures to perform independence Partner, year
client acceptance and due care, ensuring that the level and conflict of interest check prior to Ethics
and continuance independence requirements (for accepting/continuing engagement. The Leader
assurance engagements) have been check should be performed at regular
complied with and a conflict of interest intervals and should inter alia cover local
situation does not exist. legal requirements including those of
ICAP Code of Ethics and the Companies
Act, 2017.

ER-QR-08 ER-QO-02 Independence To ensure that auditor rotation required Applicable to Where the engagement partner has Engagement Throughout the
ER-QR-09 requirement for as per ICAP Code of Ethics has been overall firm worked on an engagement for a Partner, year
recurring client made. level prolonged period of time (such as five Ethics
acceptance years or more for listed audit clients), a Leader
familiarity threat can occur. The Ethics
leader working with the engagement
partner(s) is responsible for identifying
and evaluating such threats and applying
appropriate safeguards. In such case,
the ethics leader is required to document
the reasons, the new personnel
assigned, the term of the stand-down
period and any other relevant
information.

ER-QR-06 ER-QO-02 Actions to avoid To ensure that auditors are not exposed to Applicable to The firm’s personnel shall not accept any Engagement Event driven
ER-QR-07 self-interest self-interest threats and are not influenced overall firm hospitality, gift, gratuity, discount, or Partner,
threats and gifts by gifts from management or the client level other accommodation from a client Ethics
from clients unless it is clearly inconsequential and Leader
trivial to both parties. For this, the firm
may form a policy related to hospitality,
gifts, gratuity, etc., to reduce the risk of
real or perceived independence. As a
matter of procedure:

• The firm may regularly review,
through inquiry and written
confirmation, that personnel have
not received any gifts, etc.,


• Where the firm personnel have
external roles/activities/business
interests that pose a threat to the
firm's independence through
self-interest or where the self-interest
threat has arisen due to acceptance
of gifts and hospitality from
management that exceed the
acceptable limits, the Ethics leader
notes and reports the matter to the
senior leadership and also takes
timely action to avoid the associated
threats as per the guidance given in
either the firm Code of Conduct/
ICAP Code of Ethics.

• The firm shall have a speak-up policy
if any personnel encounter such an
issue, and all firm staff shall be given
the opportunity to be heard and
appropriately guided.

ER-QR-10 ER-QO-02 Complaints and Timely remedial actions against Applicable to The purpose of an ethics investigation is Ethics Event driven
allegations are complaints and allegations overall firm to have an impartial, trained team who leader
properly analyzed level can investigate a complaint and come to
and appropriate a conclusion on the veracity of the
remedial actions complaint, and then provide a
have been taken recommendation for further action if
required. The Ethics team may have
developed training materials on
investigations against complaints and
allegations. These include videos, slide
presentations, and classroom training
sessions. All members of the Ethics
investigation team have either taken part
in the new Ethics Investigations training
or reviewed the training videos/guides
provided by the firm or network firm. The
entire Ethics team has access to all the
firm's Complaints & Investigations
training materials that are on the shared
drive.


The firm may have the Ethics Helpline
and Case Management System (which
can be developed by the firm); the likelihood
is assessed as low. Every case is
thoroughly investigated, after
coordinating with the respective partners
to resolve the complaints in an efficient
manner, and the remedial actions are
shared by the Ethics team. There should be a
time limit within which all the complaints
should be investigated, finalized and
responded to the complainants.

ER-QR-10 ER-QO-02 Complaints and Timely remedial actions against Applicable to At the conclusion of an investigation, any Ethics Event
allegations are complaints and allegations overall firm remediation recommended by the Ethics leader driven/Annually
properly analyzed level Team is shared with the relevant partner check the
and appropriate for their review and action. The Ethics compliance
remedial actions leader will also discuss the matter with
have been taken the respective sector/ Business Unit
leader, when required, and also see
whether the remedial actions have been
taken within timelines decided by firm.

ER-QR-11 ER-QO-02 Resources to To ensure that Ethics team has Applicable to • The firm should have a policy to plan Ethics Throughout the
ER-QR-18 ER-QO-04 effectively sufficient experience and access to overall firm regular in-house trainings for ethics leader/EL year
ER-QR-19 manage territory leadership. The roles and level team on ethical matters as required Team
compliance with responsibilities in the Ethics function are by local laws.
ethical discussed between the Ethics Leader
requirements and Ethics Team, in order to ensure x In case of Network firm, the ethics
compliance with all ethical requirements team should attend the regular
and that the firm's ethical culture is monthly Ethics training calls that are
supported by the firm's business set up by the Network firm/Global.
conduct. The Ethics team is also on the
network/Global Ethics mailing list,
where key updates and resources
are shared directly via email. The
Ethics team has access to the Ethics
SharePoint site, along with access
to all of the Ethics Community
materials on the shared drive. The
Ethics Leader and Ethics team have
a strong relationship with the
Network firm/Global Ethics


personnel, and can reach out to the
Global Ethics team directly for
additional guidance and resources
when needed.

ER-QR-12 ER-QO-02 Firm's The firm does not have a positive Applicable to The purpose of the Ethics classroom Ethics Throughout the
consultation consultation culture which encourages overall firm training sessions is to establish a positive leader/EL year
culture related to partners and staff to discuss threats to level consultation culture in the firm based on Team
complaints, compliance with relevant ethical the firm's Code and Values. In order to
allegations, and requirements including complaints, do this, in each training session, Ethics
breaches of allegations, and breaches of ethical function shares materials such as the
ethical requirements. Code and the Values, and provides
requirements. information regarding responsibilities
with regards to their ethical behaviors.
Copies of the training materials are also
shared with participants via email. The
Ethics team also sends out regular email
communications to the firm that
promotes an ethical culture and potential
threats to compliance.

ER-QR-13 ER-QO-02 Confidentiality of The principle of confidentiality may Applicable to The Ethics leader is responsible for Ethics Throughout the
ER-QR-17 ER-QO-03 Client information apply to the firm’s network, other overall firm ensuring that partners and staff sign a leader year
network firms or service providers, level/Network confidentiality agreement that includes a
when they have access to client /Global non-solicitation clause.
information obtained by the firm
A firm should have an IT-based control
which prohibits copying audit files and
sharing client-related information
with unauthorized persons, channels
or email addresses.

ER-QR-16 ER-QO-03 Understanding of To ensure that Network/Network firms / Applicable to In relation to understanding the relevant Ethics Throughout the
the relevant service providers understand the overall firm ethical requirements, the firm’s Leader of year
ethical relevant ethical requirements, which the level personnel may be subject to regular firm/network
requirements by firm is required to comply. training on the relevant ethical firm/service
Network/Network requirements. For service providers, the provider
firms/service firm may include the specific relevant
providers ethical requirements in the terms of the
contract (e.g., confidentiality
requirements). When component
auditors are involved (in network or out
of network), the relevant ethical


requirements may be included in the
group audit instructions, and in some
circumstances, the group auditor may
determine it appropriate to provide
additional training to component
auditors.

For example, the individuals from the network
firm that are assigned to the component
fulfilling the provisions of the Ethical
Code in Jurisdiction A that apply to them
because they qualify as members of the
engagement team in terms of the
definition of engagement team in the
Ethical Code in Jurisdiction A; and the
network firm fulfilling the provisions of the
Ethical Code in Jurisdiction A that apply
to all network firms within the firm’s
network, e.g., independence
requirements and both the network and
service providers will not follow the
Ethical Code B, applicable on network
firm.

ER-QR-17 ER-QO-03 Breach of To ensure that no breaches occur by Applicable to • The firm shall make policy and Ethics Throughout the
relevant ethical Network / Network firms / service overall firm procedure for identifying, Leader of year
requirements by providers about the ethical level communicating, evaluating, and firm /
Network / requirements. reporting any breaches of the network firm
Network firms / relevant ethical requirements and / service
service providers appropriately respond to the causes provider
and consequences of the breaches
in a timely manner. For example, the
procedure that can be performed is
that the firm’s partners (or
management committee) review(s)
all reported ethical breaches to
identify remedial actions needed.
The management committee
communicates these actions to the
affected parties and follows up
within 30 days to determine whether
the identified actions have been
performed.


• The firm obtains information from
the network or other network firms
about clients of other network firms,
where there are independence
requirements that affect the firm.

• Personnel from Network/Network
firms/service providers must attend
the mandatory training on relevant
ethical requirements.

• The firm obtains, at least annually, a
documented confirmation of
compliance with independence
requirements from all personnel
required by relevant ethical
requirements to be independent.

ER-QR-18 ER-QO-04 Use of network To ensure that mandatory resources Applicable to • The firm shall make policy and Ethics Throughout the
firm resources in developed by the network firm for use in overall firm procedure for using, communicating Leader of year
the Ethics the Ethics function have not been level and sharing (through emails and firm /
function implemented. training sessions) the network firm network
resources related to the ethical firm/service
requirements including provider
independence.

• The ethics leader shall ensure that
the firm personnel attend the
mandatory training on relevant
ethical requirements and have
sufficient knowledge and
information about the business
conduct.




Quality Component 3

Acceptance and Continuance of Client Relationships and Specific Engagements
Quality Component 3: Acceptance and Continuance of Client Relationships and Specific Engagements ISQM Guide and Toolkit

Quality Objectives as per paragraph 30 of ISQM 1 Quality Risks


AC-QR-01 AC-QO-01 Review and To accept or Prospects usually come from: HoA reviews and approves the HoA Monthly
AC-QR-02 approval of continue a client opportunity list prior to audit partner
prospective relationship based • online request meeting on monthly basis.
client on information
relationships obtained about the • referral - group/existing client/staff
integrity and ethical
values of the client • participation in tenders.
(including
management, and, Initially, Managing Partner will notify
when appropriate, the Head of Audit (HoA) and the
those charged with identified client service partner. HoA
governance) that is reviews the opportunity list and
sufficient to support approves it. HoA will obtain client
such judgments. information including information
relating to AML/CFT and complete the
client acceptance questionnaire which
will be approved by the Quality Control
(QC) Partner.

AC-QR-02 AC-QO-01 Request for To accept or To obtain a new client, it is sometimes When the firm is asked to submit a Engagement Monthly
Proposal to continue a client necessary to submit a written proposal, the prospective engagement Partner
prospective relationship based proposal. partner (to be named in the proposal)
client on information shall:
obtained about the The firm must have a policy that only
integrity and ethical engagement partner / authorised • Before starting work on preparing
values of the client person may sign and release a the proposal:
(including proposal on behalf of the firm.
management, and, i. Evaluate, based on the firm’s
when appropriate, established criteria in [policy
those charged with reference], whether the
governance) that is engagement could be
sufficient to support undertaken in the event the
such judgments. proposal was successful.

ii. Make inquiries (bankers,
online searches, news
sources, etc.) about the
reputation of the entity and the
character of its directors and
senior management.


iii. Make inquiries of management
(including a visit to key
locations) to understand the
nature of the entity, how it is
managed and relations with its
predecessor auditor (if any).

iv. Obtain agreement of the
Managing Partner (or
designated partners) on the
amount of any fixed fee(s) that
will be proposed.

• Before the release of the proposal,
be satisfied with the accuracy of the
contents, the nature and
achievability of commitments made
(including fees) and the availability
of the named personnel to perform
the work as requested.

AC-QR-01 AC-QO-01 Review and To keep a track of Before each monthly meeting, HoA updates the list of rejected HoA Monthly
AC-QR-02 approval of prospects which are HoA/HoA delegate updates the List of prospects prior to the Audit Partner
rejected rejected by the firm Rejected Prospects and presents in meeting on monthly basis.
prospects with the reasons for monthly Audit Partner meeting. Audit
rejection. department maintains the List of
Rejected Prospects which includes
reason of rejection, such as high
reputational risk, potential fraud case,
adverse news etc. Audit partner
updates the list of rejected prospects
prior to the audit partner meeting.

AC-QR-06 AC-QO-03 Review and To ensure that audit The engagement partner /client service Managing Partner reviews and Engagement As Needed
approval of fee is appropriate partner (where applicable) determines approves the audit fee proposal before Partner
audit fees keeping in view the the audit fee and presents relevant presenting / sending to the prospective
efforts needed to information to QC, technical team & client.
complete the audit Managing Partner for approval. Once the
resulting in a quality audit fee is approved by the Managing
audit. Partner, the team will present the audit
fee to the prospective client and will
obtain an appointment letter. It is


important that the acceptance of audit
engagement is subject to the
professional clearance from the previous
auditor in compliance with the local
ethical requirements.

AC-QR-01 AC-QO-01 Global To ensure that there In case where prospective client has The QC Partner reviews the QC Partner As Needed
AC-QR-02 Independence is no conflict in the multinational presence, the QC appropriateness of conflict check
check service offered to the Partner conducts a conflict check processed by audit engagement team.
prospective client globally within all member firms to
ensure that no conflicting service is
provided to the prospective audit client
by any member firm.
After the conflict check process, audit
fee is proposed to the client.

AC-QR-01 AC-QO-01 Local To ensure that there The firm should have a policy to check QC Partner reviews the compliance of QC Partner As Needed
AC-QR-02 Independence is no conflict of the compliance of local laws and local laws and regulations including
check interest in the regulations including ethical ethical requirements documented by
service(s) offered to requirements (such as CA Ordinance the engagement team.
the prospective client 1961, the Companies Act 2017 and the
ICAP Code of Ethics) before accepting
audit client. After the conflict check
process, audit fee is proposed to the
client.

AC-QR-01 AC-QO-01 On-boarding To ensure that AML / In order to perform Customer Due Engagement partner /client service Engagement As Needed
AC-QR-02 of clients CFT and KYC Diligence (CDD), engagement partner partner reviews and ensures the Partner / QC
procedures are duly /client service partner will send client completeness and accuracy of client Partner
completed before on- onboarding forms to the client. The onboarding forms prepared by client
boarding any client engagement partner /client service with reference to business profile, for
partner reviews the completeness of clients which are not rated risky.
client onboarding forms against the For all risky clients, the QC/Risk Partner
supporting documents for the purpose reviews and approves the
of relevant KYC procedures and appropriateness of risk rating of
relevant screening. acceptance and continuance prepared
by engagement team.


AC-QR-01 AC-QO-01 List of risky To ensure that high- Based upon acceptance and QC/Risk Partner maintains risky client QC Partner / Annually
AC-QR-02 engagements risk clients are continuance questionnaire list and updates it annually. The same Risk Partner
identified and dealt submission, the QC/Risk Partner list will be used for annual monitoring.
with accordingly maintains a list of all risky clients.
In case of risky client, the firm must
have additional controls, such as, to
engage an EQR etc.
Engagement team updates QC/Risk
Partner on the change of risk rating
either from risky to non-risky or
non-risky to risky.

AC-QR-04 AC-QO-02 Engagement To ensure that The engagement letter will be After completion of client acceptance / Engagement As Needed
letter engagement terms approved for signing only when the continuance process, the engagement Partner
are agreed only after client acceptance/ continuance partner will review and signoff the
client acceptance/ questionnaire has been duly approved engagement letter and consent to act
continuance process by the QC/Risk Partner. for the client. The client will need to sign
is duly completed off on the engagement letter and return
it to the firm. The signed scanned copy
will be saved on the server for retention.

AC-QR-03 AC-QO-01 Assignment of To assign adequate At least one suitably qualified partner Upon accepting a new engagement, at HoA As Needed
resources resource to cover the who has sufficient and appropriate least one qualified partner is allocated
risks of the ability, expertise, authority and time to to the engagement by HoA.
underlying carry out his or her role and is well
assignment informed of the defined responsibilities Assignment of PIE engagement to a
is responsible to lead each partner is reviewed and approved by
engagement. HoA will keep a track of Managing Partner/QC Partner/Other
the workload and availability of all authorised Partner, based on the
engagement partners. Extra care will recommendation of HoA.
be needed for assignment of PIE It is also to be ensured that resources
engagement to a partner. allocated to perform the engagement
(other than Engagement Partner) are
well experienced and adequately
qualified and trained to perform
fieldwork for the engagement.

AC-QR-01 AC-QO-01 Client and To continue with a The decision to continue as auditors Engagement partner reviews and Engagement As Needed
AC-QR-02 engagement client only after will be reviewed by engagement team approves the risk assessment Partner
continuance reassessing its risk at least once a year. The engagement documents (continuance questionnaire,
rating, CFT/AML team will also need to fill in the supporting documentation for risk rating


information and continuance questionnaire, supporting and CFT/AML documentation and
budget documentation for risk rating including budget) prepared by engagement
CFT/AML information and budget and manager.
submit all the documents to the
engagement partner for their review Where an audit tool is used, the sign
and approval. If the risk rating for the off is required within the tool.
client remains unchanged, the
decision will be made by the
engagement partner. However, if there
are any changes in the risk rating of the
client, a new acceptance procedure is
required.

AC-QR-07 AC-QO-02 Engagement To ensure that all The QC/Risk Partner performs The QC/Risk Partner reviews the QC/Risk As Needed
letter engagement teams assessment and suggests necessary amendment and puts it up for audit Partner
(amendments) use the updated amendment on the Engagement Letter partner's approval during the Monthly
template of template to ensure compliance with Audit Partners Meeting before
Engagement Letter the professional standards and implementation.
applicable legal and regulatory
requirements on an annual basis After the amendments are approved by the
(minimum requirement) and as and QC Partner, engagement partner
when required. Revised engagement reviews and approves an engagement
letter is shared with technical team for letter prepared by the engagement
audit broadcast and upload. team.

AC-QR-01 AC-QO-01 Resignation To take steps to The firm should have a policy that, Engagement partner reviews and Engagement As Needed
AC-QR-02 ensure that once the firm resigns from an approves the resignation letter Partner
resignations at engagement, all the respective heads prepared by engagement manager and
clients are dealt with of department should be timely approved by the Managing Partner.
properly informed. The decision should be
made in consultation with QC/Risk The reason of resignation is updated by
Partner, and approval of Managing engagement manager and reviewed by
Partner. engagement partner in the inventory of
lost clients.
Once the decision is made, the client
should be informed in writing. The The details of these clients are also
resignation letter is reviewed and notified to other partners for their
approved by the engagement partner. information and updating of records.
Engagement manager will keep a
record of the client, date of resignation
and reason(s) which will be saved on
the server.


AC-QR-05 AC-QO-03 Firm financial To ensure that firm The firm should have a new client Engagement Partner and other partners Engagement As Needed
priorities has ability to perform acceptance policy which explicitly (where applicable, involved in client Partner
a high-quality mentions that where the firm has acceptance process) ensure that the
engagement in insufficient personnel with required client acceptance decision is in
accordance with knowledge of the specific industry accordance with firm's approved policy,
professional sector and/or insufficient resources based on available firm's resources.
standards and (e.g., technological resources, such
applicable legal and as, IT applications that enable the
regulatory engagement team to perform
requirements, and procedures on the entity’s data) the
the firm decision is firm should not accept such
not based on its engagement despite getting good fee
financial and quote from client.
operational priorities.

AC-QR-08
AC-QO-03
Information that becomes known subsequent to accepting or continuing a client relationship
To ensure that the firm takes the right decision to continue with or withdraw from the client, based on the relevant facts and circumstances, after discussing with the appropriate level of the client’s management and with those charged with governance.
The firm needs to establish policies or procedures to address circumstances when the firm becomes aware of information subsequent to accepting or continuing a client relationship or specific engagement that would have caused it to decline the client relationship or specific engagement had that information been known prior to accepting or continuing the client relationship or specific engagement. The procedure could be using a memorandum or checklist for engagements, which results in the documentation of inquiry and procedures to identify factors related to the firm’s acceptance and continuance decisions. Prior to finalizing the decision, this memorandum or checklist should be reviewed by engagement partner and updated as needed.
Engagement partner ensures that the client acceptance or engagement continuance decision is in accordance with firm's approved policy, based on available resources. The decision about withdrawal from the client will be made after discussing with the appropriate level of the client’s management and with those charged with governance.
Engagement Partner
As Needed

Quality Component 4

Engagement Performance
Quality Component 4: Engagement Performance ISQM Guide and Toolkit

Quality Objectives as per paragraph 31 of ISQM 1 Quality Risks

Quality Risk(s)

EP-QR-01
EP-QO-01
Resource Planning and Project Management
Engagement teams understand and fulfill their responsibilities in connection with the audit, review or other assurance or related services engagement, including as applicable the overall responsibility of engagement partners for managing and achieving quality on the engagement and being sufficiently and appropriately involved throughout the engagement.
Applicable to all engagements
Firm establishes a policy that addresses the following:
- Requires all engagements to have an engagement level resource plan, approved by the engagement partner/engagement leader.
- Establishes minimum requirements of an engagement level resource plan, including types of resources (individual roles), amount of resources (estimated number of hours for each resource) and when each resource is expected to be deployed. This will also include required use of the firm’s manuals, software tools, forms and industry/subject matter-specific materials that have been approved by the engagement quality leader.
- The point of time when a required engagement level resource plan needs to be prepared and approved.
The policy is reviewed and approved by the individual with significant authority e.g. Head of Audit. The policy is communicated to all engagement managers and above upon adoption and when changes are made.
Head of Audit
Annually

EP-QR-01
EP-QO-01
Resource Planning and Project Management
Engagement teams understand and fulfill their responsibilities in connection with the audit, review or other assurance or related services engagement, including as applicable the overall responsibility of engagement partners for managing and achieving quality on the engagement and being sufficiently and appropriately involved throughout the engagement.
Applicable to all engagements
The engagement partner/engagement leader reviews and approves the engagement level resource plan assessing whether:
- The planned hours for each of the key roles are appropriate.
- The increase/decrease in overall hours from the prior year actual hours is justified, or for new engagements, the resource plan is reasonable.
Engagement Partner
Recurring

EP-QR-01
EP-QO-01
Resource Planning and Project Management
Engagement teams understand and fulfill their responsibilities in connection with the audit, review or other assurance or related services engagement, including as applicable the overall responsibility of engagement partners for managing and achieving quality on the engagement and being sufficiently and appropriately involved throughout the engagement.
Applicable to all engagements. Monitoring is mandatory for Key Clients / PIEs and other clients as designated by Head of Audit
Making, implementing and complying with ‘Monitoring of Audit Engagement Performance’ policy including application of the required performance metrics (as documented in policy) for the in-scope engagements.
Engagement Partner/ Audit Quality Leader/ Head of Audit
Periodically/ as per firm audit portfolios year-ends

EP-QR-01, EP-QR-03
EP-QO-01
Professional Conduct of Audit
Engagement teams understand and fulfill their responsibilities in connection with the audit, review or other assurance or related services engagement, including as applicable:
- the overall responsibility of engagement partners for managing and achieving quality on the engagement and being sufficiently and appropriately involved throughout the engagement.
- performing the engagement in accordance with professional standards and applicable legal and regulatory requirements.
Applicable to all engagements
Annually, the ‘Monitoring of Audit Engagement Performance’ policy is reviewed and approved by the Head of Audit Quality & Head of Audit prior to release to firm's staff. Once approved, the updated ‘Monitoring of Audit Engagement Performance’ policy is communicated to the engagement teams.
Audit Quality Leader/ Head of Audit
Annually

EP-QR-07
EP-QO-04
Consultation and pre-issuance reviews
Consultations on difficult or contentious matters within audit, review or other assurance or related services engagements are undertaken and the conclusions agreed are implemented.
Applicable to all engagements
Audit Documentation (Software) requires engagement team to confirm all appropriate consultations have been undertaken. This confirmation requires engagement manager and engagement partner review sign-off.
Firm Leadership
Recurring

EP-QR-07
EP-QO-04
Consultation and pre-issuance reviews
Consultations on difficult or contentious matters within audit, review or other assurance or related services engagements are undertaken and the conclusions agreed are implemented.
Applicable to all engagements meeting the consultation criteria / Pre-issuance review Criteria
[Annually] the member firm’s mandatory consultation requirements are reviewed and proposed modifications are approved by the Technical Head or the Risk leader (as applicable to the consultation).
Technical Head / Risk leader/ person responsible for technical affairs
Annually

EP-QR-08
EP-QO-04
Consultation and pre-issuance reviews
Consultations on difficult or contentious matters within audit, review or other assurance or related services engagements are undertaken and the conclusions agreed are implemented.
Applicable to all engagements meeting the consultation criteria / Pre-issuance review Criteria
Audit documentation requires engagement team to confirm all appropriate discussions/consultations during the course of the engagement (both within the engagement team and between the engagement team and others at the appropriate level within the firm) have been undertaken. This confirmation requires engagement manager and engagement partner review sign-off.
Firm Leadership
Recurring

EP-QR-07
EP-QO-04
Consultation and pre-issuance reviews
Consultations on difficult or contentious matters within audit, review or other assurance or related services engagements are undertaken and the conclusions agreed are implemented.
Applicable to all consultations / pre-issuance reviews
Firm designs and implements controls to ensure that all consultation requests received are responded to by an individual with the appropriate knowledge, seniority and experience.
Technical Head / Risk leader/ person responsible for technical affairs
Annually

EP-QR-08
EP-QO-04
Consultation and pre-issuance reviews
Consultations on difficult or contentious matters within audit, review or other assurance or related services engagements are undertaken and the conclusions agreed are implemented.
Applicable to all Technical staff
- At the time of appointing a new individual whose responsibilities may include providing agreement with a conclusion reached in a consultation, the Technical Head / Risk leader (as applicable to the consultation) reviews the assessment of the candidate against a qualification (knowledge and experience) criteria defined by the firm.
Technical Head / Risk leader/ person responsible for technical affairs
Recurring
- [Annually] the Technical Head / Risk leader (as applicable to the consultation) reviews the re-assessment of the candidate against a qualification criteria (knowledge and experience) defined by the firm.
Technical Head / Risk leader/ person responsible for technical affairs
Annually

EP-QR-08, EP-QR-09
EP-QO-04
Consultation and pre-issuance reviews
Consultations on difficult or contentious matters within audit, review or other assurance or related services engagements are undertaken and the conclusions agreed are implemented.
Applicable to all engagements meeting the consultation criteria / Pre-issuance review Criteria
Audit documentation requires the engagement team to attach relevant documentation relating to the consultation including confirmation from the [consulted party] that they agree with the conclusions reached. The relevant documentation is to be reviewed by the engagement manager, engagement partner and engagement quality reviewer to confirm that the consultation received has also been implemented, where applicable.
Firm
Recurring

EP-QR-05, EP-QR-06
EP-QO-03
Second Review/Peer review of selected engagements
Audit, review or other assurance or related services engagement teams exercise appropriate professional judgment and, when applicable to the type of engagement, professional skepticism.
Applicable to selected engagements meeting the criteria in the policy and all Second Review/ Peer review conducted under it
Development and Review of policy: The Second Review/Peer review policy is to be developed by firm leadership and to be reviewed and approved by the Head of Audit Quality annually, prior to release to firm staff.
Head of Audit /Quality Leader
Annually

EP-QR-06
EP-QO-03
Second Review/Peer review of selected engagements
Audit, review or other assurance or related services engagement teams exercise appropriate professional judgment and, when applicable to the type of engagement, professional skepticism.
Applicable to selected engagements meeting the criteria identified under alternative program (if any)
Alternative Program:
- Annually, the Head of Audit and the Risk Leader review the current year proposed conclusion made by the firm that it is not undertaking the Second Review/Peer review because the underlying risks have been effectively managed.
Head of Audit /Quality Leader (QL)
Annually

EP-QR-06
EP-QO-03
Second Review/Peer review of selected engagements
Audit, review or other assurance or related services engagement teams exercise appropriate professional judgment and, when applicable to the type of engagement, professional skepticism.
Applicable to selected engagements meeting the criteria in the policy and all active Audit Quality reviews conducted under it.
- At least annually, the QL approves the engagement selection criteria for the firm (subjected to EQC Review)
- The QL checks that approval has been received from the Head of Audit, in consultation with the Risk leader, where appropriate, prior to formal communication of EQC review of selected engagements, to the engagement teams.
QL / Head of Audit
Annually

EP-QR-06
EP-QO-03
Active Audit Quality Review of selected engagements
Audit, review or other assurance or related services engagement teams exercise appropriate professional judgment and, when applicable to the type of engagement, professional skepticism.
Applicable to selected engagements meeting the criteria in the policy and all active Audit Quality reviews conducted under it.
When there are valid reasons to seek an exemption from performing a review on an engagement originally selected by the member firm for EQC Review, the Head of Audit reviews and approves the analysis of the reasons to seek an exemption.
HOA
Recurring

EP-QR-06
EP-QO-03
Active Audit Quality Review of selected engagements
Audit, review or other assurance or related services engagement teams exercise appropriate professional judgment and, when applicable to the type of engagement, professional skepticism.
Applicable to selected engagements meeting the criteria in the policy and all Audit Quality Defense reviews conducted under it.
- EQC Review Team Leader reviews and approves the decision made by the EQC reviewer to rebut a minimum mandatory area of focus, as described in EQC Review Policy.
- QL in firms reviews and approves the conclusion that an EQC Review of the audit report and / or financial statements is not required as part of the EQC Review program when review of and/or scoping the review of [audit report and/or financial statement review] is determined by other complementary programs [such as consultation / pre-issuance review policy] that operate in the firm.
Quality Leader
Recurring

EP-QR-06
EP-QO-03
Active Audit Quality Review of selected engagements
Audit, review or other assurance or related services engagement teams exercise appropriate professional judgment and, when applicable to the type of engagement, professional skepticism.
Applicable to all Audit Quality Defense reviewer
QL reviews and approves the following:
- Firm criteria for Second Reviewer / Peer Reviewer selection
- Firm criteria for Second Reviewer / Peer reviewer of selected engagements allocation
- Appointment of EQC Reviewer/Peer reviewer and allocation to specific engagements
- Assessment of EQC Reviewer / Peer reviewer.
Quality Leader
Annually

EP-QR-06
EP-QO-03
Peer Review of selected engagements
Audit, review or other assurance or related services engagement teams exercise appropriate professional judgment and, when applicable to the type of engagement, professional skepticism.
Applicable to all Peer reviews
Reporting of findings: A log is maintained by Peer review team leader, and updated [weekly or as required] that includes:
- An update on progress on all peer review engagements and a mitigation plan for completion, if required.
- Non-client specific key observations and learning points identified by the peer reviewers.
At least monthly the QL reviews the log of progress and non-client specific key observations and:
- Approves the communication of key common observations to the firm root cause analysis team and other relevant monitoring groups for inclusion as an input to RCA and to the firm's assessment of additional peer review areas of focus in the subsequent year.
- Confirms that an appropriate mitigation plan for completion, including the involvement of further resources, if required, has been put in place.
Peer Review Leader / QL
Monthly/ As and when required

EP-QR-10, EP-QR-11
EP-QO-05
Dispute resolution
Differences of opinion within the audit, review or other assurance or related services engagement team, or between the engagement team and the engagement quality reviewer working on audit, review or other assurance or related services engagements, or individuals performing activities within the firm’s system of quality management, are brought to the attention of the firm and resolved.
All disputes within engagement team, or between the engagement team and the engagement quality reviewer, or individuals performing activities within the firm’s system of quality management.
A firm designs and implements a policy detailing the steps that should be undertaken to resolve differences of opinion within the engagement team, or between the engagement team and the engagement quality reviewer, or individuals performing activities within the firm’s system of quality management, considering the baseline escalation protocol in the risk management policy. This policy is reviewed and approved by the Technical Head when adopted or revised and communicated to engagement teams. The policy may include that in case of disagreement, the report shall not be dated until the matter is resolved.
Technical Head
Annually

EP-QR-10
EP-QO-05
Dispute resolution
Differences of opinion within the audit, review or other assurance or related services engagement team, or between the engagement team and the engagement quality reviewer working on audit, review or other assurance or related services engagements, or individuals performing activities within the firm’s system of quality management, are brought to the attention of the firm and resolved.
All disputes within engagement team, or between the engagement team and the engagement quality reviewer, or individuals performing activities within the firm’s system of quality management.
Audit Documentation requires the engagement team to document whether any disputes have occurred during the engagement and confirm that those disputes have been resolved, including the basis for the final resolution of those disagreements. Audit Documentation should require the Engagement Manager and Engagement Partner [and the EQ reviewer where applicable] to review the documentation related to dispute resolution.
Firm leadership/ Engagement Partner
As per firm policy

EP-QR-11
EP-QO-06
Engagement Quality Control Review Program
Member firms establish policies or procedures that address engagement quality reviews in accordance with ISQM 2, and perform an engagement quality review for:
- Audits of financial statements of listed entities;
- Audits or other engagements for which an engagement quality review is required by law or regulation; and
- Audits or other engagements for which the firm determines that an engagement quality review is an appropriate response to address one or more quality risk(s).
Engagements subjected to EQC review as per criteria described in the firm's policy
Review of Policy:
- Annually, the ‘EQ Review’ Policy is reviewed and approved by the Head of Audit prior to release to firm.
- Substantive changes to the ‘EQ Review’ Policy are approved by the [appropriate/authorised individuals].
Once approved, the updated ‘EQ Review’ policy is communicated to staff.
Head of Audit
Annually

EP-QR-11
EP-QO-06
Engagement Quality Control Review Program
Member firms establish policies or procedures that address engagement quality reviews in accordance with ISQM 2, and perform an engagement quality review for:
- Audits of financial statements of listed entities;
- Audits or other engagements for which an engagement quality review is required by law or regulation; and
- Audits or other engagements for which the firm determines that an engagement quality review is an appropriate response to address one or more quality risk(s).
Individuals nominated for EQ review program
Firm's Head of Audit and Risk Leader reviews the evaluation of competencies and capabilities of candidates to be appointed to the role of EQ program leader, and if satisfied assigns appropriate leadership responsibility for the EQ review program, which includes the appointment of EQ reviewer(s), to a suitable partner in accordance with ‘EQ Review’ policy.
Head of Audit
Annually/ As and when required

EP-QR-11
EP-QO-06
Engagement Quality Control Review Program
Member firms establish policies or procedures that address engagement quality reviews in accordance with ISQM 2, and perform an engagement quality review for:
- Audits of financial statements of listed entities;
- Audits or other engagements for which an engagement quality review is required by law or regulation; and
- Audits or other engagements for which the firm determines that an engagement quality review is an appropriate response to address one or more quality risk(s).
Individuals nominated for EQ review program
Assess EQ reviewer candidates against appointment criteria. The [responsible person] at the time of appointing a new EQ reviewer, reviews the assessment of the candidate against the EQ reviewer accreditation and assignment criteria, set out in the EQ Review Policy.
Head of Audit
Recurring

EP-QR-12
EP-QO-06
List of engagements selected for EQ review
Member firms establish policies or procedures that address engagement quality reviews in accordance with ISQM 2, and perform an engagement quality review for:
- Audits of financial statements of listed entities;
- Audits or other engagements for which an engagement quality review is required by law or regulation; and
- Audits or other engagements for which the firm determines that an engagement quality review is an appropriate response to address one or more quality risk(s).
Policy review
Risk Leader annually reviews and approves the firm's selection criteria for engagements requiring an EQ review, which at a minimum includes the minimum baseline criteria as per auditing standards and local laws and regulations and any other additional firm's criteria necessary to comply with external regulations. This is communicated to engagement teams.
Risk Leader
Annually

EP-QR-07
EP-QO-06
List of engagements selected for EQ review and appointment of EQ reviewer
Member firms establish policies or procedures that address engagement quality reviews in accordance with ISQM 2, and perform an engagement quality review for:
- Audits of financial statements of listed entities;
- Audits or other engagements for which an engagement quality review is required by law or regulation; and
- Audits or other engagements for which the firm determines that an engagement quality review is an appropriate response to address one or more quality risk(s).
Appointment of EQ reviewer for the selected engagements requiring an EQ review
Completeness of list of engagements requiring an EQ review:
- Firm creates a complete list of engagements requiring an EQ review.
- Using the list created in A, the [responsible person] approves that an EQ reviewer has been assigned to each of the engagements identified.
HOA
Annually

EP-QR-11
EP-QO-06
Training of EQ reviewer
Member firms establish policies or procedures that address engagement quality reviews in accordance with ISQM 2, and perform an engagement quality review for:
- Audits of financial statements of listed entities;
- Audits or other engagements for which an engagement quality review is required by law or regulation; and
- Audits or other engagements for which the firm determines that an engagement quality review is an appropriate response to address one or more quality risk(s).
EQ Reviewers
Training of EQ Reviewer:
- The firm provides all EQ reviewers with relevant training, if applicable, and the completion of this training on a timely basis is monitored, with exceptions reported to the Risk Leader.
- Non-completion of training is followed up and resolved in accordance with the firm's policy.
HOA / Head of Training/ Authorised personnel for trainings
Recurring

EP-QR-11
EP-QO-06
Appointment of EQ Reviewer Assistant
Member firms establish policies or procedures that address engagement quality reviews in accordance with ISQM 2, and perform an engagement quality review for:
- Audits of financial statements of listed entities;
- Audits or other engagements for which an engagement quality review is required by law or regulation; and
- Audits or other engagements for which the firm determines that an engagement quality review is an appropriate response to address one or more quality risk(s).
EQ Reviewers
Assess EQ Reviewer Assistant candidates against appointment criteria (where necessary). At the time of appointing a new EQ Reviewer Assistant, the [responsible person] reviews the assessment of the candidate against the EQ reviewer assistant eligibility criteria, set out in the firm's ‘EQ Review’ policy.
HOA / QL
Recurring

EP-QR-15, EP-QR-17
EP-QO-07
Assembly of Audit Documentation
Engagement teams understand and fulfill their responsibilities for all the engagement documentation, assembly, maintenance and retention to meet the needs of the firm, in compliance with the requirements of laws and regulations.
Audit Documentation
Engagement documentation is assembled on a timely basis and is appropriately maintained and retained to meet the needs of the firm and comply with laws, regulations, relevant ethical requirements, or professional standards.
Engagement Partner
Recurring

EP-QR-15
EP-QO-07
Engagement team responsibilities - sign off working papers
Engagement teams understand and fulfill their responsibilities for all the engagement documentation, assembly, maintenance and retention to meet the needs of the firm, in compliance with the requirements of laws and regulations.
Audit Documentation
Audit documentation requires an engagement team member to sign-off every work paper and test work as prepared and an engagement team member to mark every documentation and attachment as reviewed prior to close out.
Engagement Partner
Recurring

EP-QR-09, EP-QR-15
EP-QO-07
Engagement team responsibilities - Minimum review requirements met
Engagement teams understand and fulfill their responsibilities for all the engagement documentation, assembly, maintenance and retention to meet the needs of the firm, in compliance with the requirements of laws and regulations.
Audit Documentation
Audit Documentation requires a specific member of the engagement team to mark a specific work paper and test work as reviewed (as required by minimum review requirements) prior to close out.
Managing Partner
Recurring

EP-QR-15
EP-QO-07
Engagement team responsibilities for documentation
Engagement teams understand and fulfill their responsibilities for all the engagement documentation, assembly, maintenance and retention to meet the needs of the firm, in compliance with the requirements of laws and regulations.
Audit Documentation
Audit documentation is configured to populate the engagement file considering the appropriate auditing standards and to deliver procedures considering the accounting standards based on engagement profile.
Managing Partner
Recurring

EP-QR-15, EP-QR-16
EP-QO-07
Engagement team responsibilities
Engagement teams understand and fulfill their responsibilities for all the engagement documentation, assembly, maintenance and retention to meet the needs of the firm, in compliance with the requirements of laws and regulations.
Audit Documentation
Access to engagement files is granted on an individual basis to only permit access to engagement documentation by the approved individuals.
Managing Partner/ Risk Leader
Recurring

EP-QR-15, EP-QR-16
EP-QO-07
Engagement team responsibilities
Engagement teams understand and fulfill their responsibilities for all the engagement documentation, assembly, maintenance and retention to meet the needs of the firm, in compliance with the requirements of laws and regulations.
Audit Documentation
A mechanism should be in place to identify work papers and test work which are missing a preparation sign off, a review sign off and/or a minimum review requirement sign off. Such mechanism should be applied at appropriate intervals during performance of the engagement procedures and at review stage but prior to sign-off of opinion so that any opinion issued is duly supported by appropriate audit documentation.
Managing Partner
Recurring

EP-QR-09, EP-QR-15
EP-QO-04
Engagement team responsibilities
Engagement teams understand and fulfill their responsibilities for all the engagement documentation, assembly, maintenance and retention to meet the needs of the firm, in compliance with the requirements of laws and regulations.
Audit Documentation
The firm develops a policy for assembly, maintenance and retention of audit working paper files in compliance with the requirements of applicable laws and regulations. The firm senior leadership should ensure that this policy is also disseminated to all staff on a timely basis.
Managing Partner
Recurring

Quality Component 5

Resources
Quality Component 5: Resources ISQM Guide and Toolkit

Quality Objectives as per paragraph 32 of ISQM 1

Quality Objectives as per paragraph 32 of ISQM 1 Quality Risks

RE-QO-09: Personnel demonstrate a commitment to quality
- RE-QR-15: Fails to appropriately evaluate employee performance
- RE-QR-16: Fails to make appropriate promotion decisions
- RE-QR-17: Lack of correlation between quality and compensation/ promotion/ other incentives
- RE-QR-18: Fails to demonstrate a commitment to quality

RE-QO-10: Obtain individuals from external sources
- RE-QR-19: Lack of sufficient resources for performance of engagements (Internal - the Network or other Member Firms)

RE-QO-11: Competent, knowledgeable engagement team members are assigned to firm's engagement, who can give sufficient time to perform their roles
- RE-QR-20: Firm fails to assign audit engagements with audit team executives (other than Partner in Charge, Engagement Quality Reviewer and Other Quality Reviewer (i.e., IFRS Technical Reviewer)) within Assurance
- RE-QR-21: Firm fails to assign audit engagements with Partner in Charge (PIC), Engagement Quality Reviewer (EQR) and Other Quality Reviewer (i.e. IFRS Technical Reviewer) within Assurance
- RE-QR-22: Firm fails to assign audit engagements with members (Partner, Associate Partner, Executive Director, Senior Manager and Manager) that have technology specialized knowledge and skills (e.g., Financial Audit Information Technology professionals)
- RE-QR-23: Firm fails to assign audit engagements with members (Partner, Associate Partner, Executive Director, Senior Manager and Manager) that have specific knowledge and skills as regards auditing tax accounts, including where appropriate as the tax reviewer (e.g., Tax Accounting and Risk Advisory Services professionals)
- RE-QR-24: Firm fails to assign audit engagements with Partners, Executive Directors, or Associate Partners who have specialized knowledge and skills who assist audit teams around specific issues and situations (e.g., valuation professionals, sector specific, cyber, and other subject matter professionals)
- RE-QR-25: Firm fails to assign engagement PPEDDs (Partners, Executive Directors, Associate Partners) to non-audit engagements in the scope of ISQM 1
- RE-QR-26: Firm fails to address assignment of personnel to engagements that have change in circumstances
- RE-QR-27: Ineffective Change of Audit Partner in Charge (PIC) or Executive in Charge (EIC)

RE-QO-12: Competent individuals are assigned the roles in the firm to maintain the audit quality within firm's SOQM
- RE-QR-28: Fails to define nature and scope of engagement
- RE-QR-29: Lack of sufficient experiences to develop individuals to perform quality engagements

Quality Component 5: Resources ISQM Guide and Toolkit

Quality Objectives as per paragraph 32 of ISQM 1 Quality Risks

Technological Resources

RE-QO-13: Obtain or develop, implement, maintain, and use technological resources

RE-QO-14: Maintain the confidentiality, safe custody, integrity, accessibility, and retrievability of firm data and engagement documentation.

RE-QR-30: Required or appropriate technological resources are not used.

RE-QR-31: Fails to store, safeguard and maintain electronic and paper-based information

RE-QR-31a: Fails to restrict access to the audit software and to the electronic engagement documentation

RE-QR-32: Fails to perform regular back-up routines for electronic documentation stored on
the servers, laptops, and smart phones.

RE-QR-33: Fails to update the system or make necessary changes when required

RE-QR-33a: Fails to retain a copy of all software applications (including the software versions)
and any other technology required to access and retrieve documentation created at any time

Intellectual Resources

RE-QO-15: Appropriate intellectual resources are obtained or developed, implemented, maintained, and used, to enable the operation of the firm’s system of quality management and the consistent performance of quality engagements, and such intellectual resources are consistent with professional standards and applicable legal and regulatory requirements, where applicable. (Ref: Para. A102–A104)

RE-QR-34: Engagement teams are using out-of-date intellectual resources, such as the use of policies and procedures, guidance, practice aids, templates, forms or checklists that do not reflect revisions to professional standards or firm's policies.

RE-QR-35: Firm fails to deploy relevant learnings

RE-QR-36: Engagement teams do not have appropriate methodologies and technical support materials to enable the performance of quality engagements

RE-QO-16: Human, technological or intellectual resources from service providers are appropriate for use in the firm’s system of quality management and in the performance of engagements, taking into account the quality objectives in paragraph 32 (d),(e),(f) and (g). (Ref: Para. A105–A108)

RE-QR-37: Lack of sufficient resources for performance of engagements (External – service provider)

RE-QR-38: Fails to identify, evaluate and respond to threats (Service Providers Personal Independence)

RE-QR-39: Fails to assess human resources from service providers

RE-QR-40: The audit methodology purchased from a service is not updated to reflect changes
in professional standards and applicable legal and regulatory requirements.


Quality
Risk(s)

RE-QR-1, RE-QR-2, RE-QR-3 | RE-QO-01

Candidate evaluation form review and approval (new partner)

To review and approve the candidates for the Partner, considering the qualifications, competencies and capabilities necessary for the fulfillment of responsibilities of the Partner.

The following are assessed before extending an offer to the candidate, whether:

• Review and interview process is completed in line with Partner recruitment Guide/Policy.
• The Interview process, Interview Evaluation Forms are completed for each candidate to capture interview feedback.
• The interview form is updated appropriately for review criteria to assess the candidate's qualifications, competencies and capabilities.
• The reviewer reviews and approves the evaluation form and then writes an overall recommendation, highlighting their level of support prior to extending an offer to the candidate.

Interview evaluation forms and feedback are reviewed to ensure the candidate has the appropriate qualifications, competencies and capabilities necessary to fulfil Partner responsibilities. Evaluation forms and feedback are approved by the appropriate personnel prior to extending an offer to the candidate.

CEO / Managing Partner | Event Driven

RE-QR-16 | RE-QO-02

Annual review and approval of proposed Executive Director (ED) roles

To approve proposed new ED roles

For ED roles there is a general promotion plan, which can be reviewed and adjusted according to affordability throughout the promotion process. The ED(s) to be promoted are finalized closer to the final approval stage of the promotion process, by also considering the successful candidates.

The ED roles are determined according to the growth/ revenue plans and affordability and approved by senior leadership. All new ED roles are ultimately approved by Managing Partner.

Managing Partner | Annually

RE-QR-16 | RE-QO-02

Final review and approval of successful ED promotion candidates

To make a final decision on successful candidates for ED promotion roles

Firm's leadership reviews the recommendations approved by the Partner considering additional information as necessary. Final decisions on successful candidates are approved by the Managing Partner.

The firm's leadership reviews the recommendations from the partners and makes final approval of successful candidate.

Managing Partner | Annually


RE-QR-16 | RE-QO-02

Annual review and approval of Promotion Forms

To identify any revisions to key information that should be gathered and evaluated as part of the annual ED Promotion process

When reviewing the ED promotion candidate forms, the firm senior leadership evaluates whether the form addresses specific competencies and needs by the respective service departments (such as Audit, Tax, consulting etc.), where applicable and provides feedback and commentary for updates required.

For ED roles: On an annual basis, the firm senior leadership reviews and approves the Promotion Forms and guidance (such as KPIs of ED).

CEO / Managing Partner | Annually

RE-QR-4, RE-QR-5 | RE-QO-03

Review of accreditation requirements (IFRS/aligned to IFRS)

To determine that accreditation requirements address relevant IFRS considerations

Accreditation requirements are assessed based on the applicable financial reporting framework (including IFRSs).

Firm leadership determines the IFRS accreditation requirements.

Firm leadership | Annually/ On regular basis as per firm's policy

RE-QR-4, RE-QR-5 | RE-QO-03

Assess and review potential conflict of interest and provide suggested safeguards to mitigate threats to conflict of interest.

To identify, evaluate, and address threats relating to conflict of interest

In instances where a conflict check is triggered, the Conflicts sub function assesses relevant information documented such as:

• Details of the main client;
• Details of additional parties included in the additional parties grid (including their role);
• Scope of services;
• Other relevant information depending on the triggers.

The Conflicts reviewer will assess if any of the following are present, where the firm provides a professional service related to a particular matter:

• For two or more clients whose interests with respect to that matter are in conflict;
• To a client whose interests could conflict with the firm’s interests in that matter.

The firm must develop IT tool or alternative method of triggering conflict check by the conflict check. Where a conflict check has been triggered, the same must be reviewed and proposed safeguards must be considered by the engagement partner.

Firm leadership | Event Driven

RE-QR-17 | RE-QO-05

Compensation decision details first level review and approval

To perform a first line review and approval of the compensation details as per the compensation plan, prior to sharing with the Senior Leadership team.

Compensation Reviewer/relevant responsible Partner performs a first line review and makes recommendation of increase to base and/or incentive compensation before review by the Second Level Compensation Reviewer. The detailed compensation recommendation is determined by considering mainly the following factors:

• Performance output from the evaluation process
• Promotion/ progression

As applicable, the control owner reviews and verifies that all reports are complete and accurate.

Annually, a detailed recommendation of increase to base and/or incentive compensation is prepared by the Compensation Reviewer / Partner responsible for Compensation review, for the compensations/promotions based on the approved compensation plan, which is then reviewed by the Second Level Compensation Reviewer / Firm Leadership Reviewer.

Compensation Reviewer / Firm Leadership | Annually

RE-QR-19 | RE-QO-10: (Obtain individuals from external sources)

Review and approve the appropriateness of using partners from other Member Firm (MF) as Engagement Partner (EP) for local audits

To ensure the use of Partners from other countries in the network as audit EP is appropriate in the jurisdiction that the firm operates.

When the need to use partners from other country as audit EPs on local audit engagements is identified, the Managing Partner reviews and approves the appropriateness of the EP to serve as a Partner.

In evaluating the appropriateness to use Partners from other member practices as audit EP on audit, review and other assurance engagements, the following needs to be considered as a minimum:

• Accreditation and qualification;
• Qualifications and experience (years and industry);
• Quality results (internal and external inspections); and
• Other jurisdictional specific limitations and requirements.

Firm leadership seeks input to ensure that legal implications are covered.

Firm leadership reviews and approves the EP candidacy, when MF identifies a need to source partner from another MF to be used in a jurisdiction other than the one he is licensed in. Approval is obtained prior to assignment of EP to the engagement.

Managing Partner /Firm leadership | Event Driven

RE-QR-28 | RE-QO-16: (Obtain resources from service providers)

Review and approval of deviation from standard contract template, if required.

To ensure that the contract entered into between the Country and the service provider is appropriate.

Where applicable, each country based on global guidance/templates develops and maintains a standard contract to be used when procuring resources from service providers. The contract must include as a minimum:

• The nature and scope of the resources to be used;
• Specific risk management requirements such as Independence, declarations of interest, confidentiality etc.; and
• Any other local requirements determined by the firm leadership.

Any deviations from the standard contract need to be approved by the firm leadership.

Mandatory use of standard contract template for all third-party contractors. Any deviations from the standard contract require advance approval from the firm leadership.

Firm Leadership | Event Driven

RE-QR-20, RE-QR-21 | RE-QO-11: (Assign engagement teams)

Competency of Partner in-charge

To ensure that the Engagement Partner has enough availability and experience to serve the clients he/she is assigned

Engagement Partner is reviewed with respect to the below mentioned criteria:

• The appropriate experience and availability;
• Specialized industrial expertise for complex engagements, audits of listed companies/ PIEs audits;
• Knowledge of the individual's assignments and priorities;
• Workload is appropriately balanced;
• Consider key metrics such as total client hours, total hours, utilization, aggregate number of clients;
• Challenge the reasonableness of the current year estimate;
• Consider the time spent on quality initiatives or other service line or office responsibilities.

Managing Partner to ensure that EP has sufficient availability and appropriate competence and capabilities to perform the engagement.

Managing Partner | Annually

RE-QR-20, RE-QR-21, RE-QR-26 | RE-QO-11: (Assign engagement teams)

Review of partner's anticipated workload

To facilitate a meaningful conversation and review of each audit partner's anticipated workload for the upcoming fiscal year in order to assist in determining that sufficient time is available throughout the year to execute quality audits and fulfil other responsibilities, if any.

Firm's Leadership review and incorporate the following activities:

• Evaluate whether the partner has the appropriate experience and availability to serve in assigned client roles. Critical focus should be placed on assignments with elevated risk, such as engagements designated as complex, audits of listed companies/ PIEs or audits that may require specialized industry expertise.

• Evaluate the completeness and accuracy of the individual’s assignments and priorities for the financial year xxx.

• Based on all of the partner's roles and the audit year-end dates, assess whether workload is appropriately balanced to identify any time compression concerns.

• Whether the above includes estimates of the time spent on quality initiatives or other service line or office responsibilities, including:

   a. Participating in firm monitoring activities, including pre-issuance reviews and practice reviews and whether that estimated time is properly reported in chargeable monitoring and coaching activities;
   b. Where known, time expected to be incurred for participating in inspections;
   c. Staying current with accounting and auditing matters;
   d. Listening to firm webcasts (if any) and attending relevant trainings;
   e. Mentoring and/or counselling people;
   f. Executing the partner’s non-client roles and responsibilities (e.g., practice development, Quality related authorized projects)
   g. Reach agreement on other activities that should be undertaken by the partner (e.g., recruiting, training, etc.)

• Through discussion with the partner, challenge whether above estimates consider:

   a. The need for execution of quality audits, including appropriate time for integrated audits, multi-location scoping and other key areas of focus;
   b. Significant changes / transactions anticipated at clients that would result in increased hours / effort;
   c. Key audit milestone dates;
   d. The effect of the client continuance engagement risk conclusion on engagement hours, particularly for engagements identified as complex;
   e. Travel time if the client is located outside of the partner’s office city;
   f. The effort necessary to coordinate, supervise and review the work of any component teams;
   g. Percentage of audit partner time on each audit engagement and whether percentage is appropriate (consider the planned total partner time in relation to total audit engagement hours);

• Consider key metrics such as total client hours, total hours, utilization, aggregate number of clients, number of other roles (such as quality reviewer).

The above control may not be executed for smaller firms. In this circumstance, smaller firms will need to design sufficient controls to mitigate the quality risk.

Managing Partner reviews and verifies information, follow up and document any identified exceptions.

Managing Partner | Annually

RE-QR-5, RE-QR-15, RE-QR-17, RE-QR-18 | RE-QO-02, RE-QO-03, RE-QO-05, RE-QO-09

Quality rating for Assurance Partner review and approval in line with policy / Global Accountability Framework (where applicable)

To review and approve quality ratings for Assurance Partner

Quality ratings for Assurance Partners are determined, reviewed and approved in reference to the firm policies and procedures/ Global Accountability Framework in accordance with the prescribed criteria as per firm's policy.

Quality ratings for Assurance Partners are determined, reviewed and approved in reference to the firm's policy/ Global Accountability Framework.

MP/ Country Assurance Talent Leader | Annually

RE-QR-28 | RE-QO-16: (Obtain resources from service providers)

Review of the reports for ongoing technology services that are used in the year

To ensure technological resources used on performance of engagements and within the system of quality management are appropriate.

On a periodic basis, the IT Team reviews the reports for services performed by 3rd party service providers. If any control exceptions or deficiencies are identified that can have a direct/indirect impact on the firm’s quality processes, management takes necessary actions to remediate and/or mitigate them.

On a periodic basis, the IT team/IT Security Team reviews the applicable reports for services performed by 3rd party service providers. If any control exceptions or deficiencies are identified that can have a direct/indirect impact on the firm’s quality processes, management takes necessary actions to remediate and/or mitigate them.

IT team/IT Security Team | Event Driven

RE-QR-28 | RE-QO-16: (Obtain resources from service providers)

The IT team / IT Security Team reviews the documentation obtained from 3rd party suppliers and approves the 3rd party supplier for future cooperation with the firm

To ensure technological resources procured from external service providers are appropriate for use.

The IT team/IT Security Team verifies the Inherent Risk Assessment (IRA). Where IRA is Medium or High further security due diligence is required. The IT Security Team completes the due diligence based on the following evidence provided (where relevant):

• Research including existing firm records, internet research, and monitoring tools
• Information Security Architecture assessments
• Third Party Attestation Reports assessment
• Security Controls Self-Assessment

The IT Security Team completes an IRA and Security Controls due diligence (if IRA is High or Medium) for all suppliers that provide products or services to the firm that store, process, transmit, or access the firm or its client information.

IT Security Team /IT team | Event Driven

RE-QR-17 | RE-QO-09

Compensation decision consolidation review and approval

To review and approve compensation decision by verifying if the HR team/another authorised person applied the reward guidelines as agreed during the initial planning phase along with the performance/ promotion data uploaded by HR team/another authorised person into the compensation tool and to perform a correlation of the compensation recommendation with the allocated budget.

A firm leadership reviews and approves the compensation decisions. The final compensation decision is approved based on the allocated budget and the compensation recommendation that has been approved by the HR team/another authorised person.

The detailed compensation recommendation is determined by considering mainly the following factors:

• Performance output from the evaluation process (i.e. Quality rating, and other quality results)
• Promotion/ progression.

Annually, a firm leadership reviews and approves the compensation decisions.

Firm leadership | Annually

RE-QR-5, 6, 7; RE-QR-34, 35, 36 | RE-QO-06, RE-QO-08, RE-QO-15

Review of forms / templates / interpretive materials

To periodically evaluate whether Independence forms, templates and interpretive guidance available to the firm's professionals is appropriately updated.

When reviewing the listing of forms/ templates/ interpretive materials, the independence executive for each group considers the following:

• Are there any forms/ templates/ interpretive materials they are aware of and responsible for that are missing from the list?
• Are any changes/updates necessary for the risk ratings reflected for each form/ template/ interpretive materials?
• Are there any updates needed to the content of the forms/ templates/ interpretive materials included in the listing?
• Can any forms/ templates/ guidance be removed when the content is no longer relevant?

At least annually, the Independence leader/ partner/ 'Global Independence Authorized Executive - Firm resource and Materials' reviews the portion of the listing of forms, templates, and interpretive materials assigned to his or her group to determine:

• whether the risk ratings assigned are appropriate;
• whether revisions are needed or forms, template or materials should be removed; and
• when revisions are needed, the revisions planned and timing are appropriate.

Upon completing his or her review, materials are electronically or manually signed by the respective reviewers.

Independence leader/ Partner/ 'Global Independence Authorized Executive - For firm resources and Materials' | Annually

RE-QR-6, 7, 9, 10 | RE-QO-06, RE-QO-08, RE-QO-15

Engagement Team Confirmation

To proactively avoid potential independence breaches involving audit engagement team members prior to the individual charging any time to an audit engagement.

Assurance/Audit Team professionals are unable to access an audit engagement file if:

• They have not yet completed the independence inquiries.
• They have completed their independence inquiries and noted an exception that needs to be reviewed.

Assurance / Audit Team professionals are able to access an audit engagement Canvas file:

• Once any exceptions in their completed independence inquiries are cleared.
• Once they have completed their independence inquiries if they reported no exceptions.

The firm's procedures must prohibit audit engagement team members (including Tax and other support) from accessing the firm record if they have not confirmed their independence of the audit client. If a team member indicates that there may be an independence exception, he/she will not be able to access the engagement until the engagement's Partner, Principal or Executive Director manually resolves the exception and grants the team member access (if applicable).

Independence leader / partner / Global Independence Authorized Executive | Event Driven (when an engagement team member requests access).

RE-QR-8, RE-QR-9, RE-QR-10 | RE-QO-09

Relationship Monitoring – Independence considerations and renewal

To monitor the independence considerations related to approved ecosystem relationships and identify any changes to the facts and circumstances that may pose an independence threat.

The Independence Manager / Independence Partner/ Partner evaluate the applicable criteria related to the agreed-upon independence monitoring.

The Independence Manager/ Independence Partner/ Partner reviews the agreed-upon independence monitoring documentation, and the MP approves the firm's Business Relationship, concluding on the permissibility of the relationship.

Independence Manager / Independence Partner / Partner | Annually

RE-QR-6, RE-QR-8, RE-QR-12 | RE-QO-06, RE-QO-07, RE-QO-08

Independence Review

To review and approve business relationships by concluding on permissibility, completeness, accuracy and timeliness and prevent entering into business relationships that may pose a threat to the firm's independence.

As part of the independence review process, Independence Executives assess the factors to determine completeness, accuracy, timeliness and permissibility of the proposed business relationship as per firm's policy.

Independence Executives/ Partner reviews the forms routed to Independence for completeness, accuracy, timeliness, and permissibility and evaluates the contents of the form (e.g., general information, counter party information) and any related attachments that have been uploaded to the form (e.g., Audit Client Vendor form, research, contractual agreements) in order to concur on the proposed relationship’s compliance with the applicable independence rules. Based on review, the Independence executive either approves or rejects the proposed relationship and reflects the conclusion and his/her sign off within the form.

Independence executives/ Partner authorized to approve submissions | Event Driven

RE-QR-6, RE-QR-7, RE-QR-9, RE-QR-10 | RE-QO-06, RE-QO-08

Consultation Approval

To determine that appropriate conclusions are reached for all formal consultations and that the fields within the Independence Consultation Database record are complete and accurate.

The Independence Partner/ Leader evaluates the contents of the consultation memo and considers the following:

• Based on the background information provided for the client, are the applicable independence rules appropriately identified and described within the memo?
• Is the independence matter driving the consultation clearly articulated by the respective team?
• Are the necessary safeguards appropriately reflected in the memo (as applicable)?
• Is the conclusion reached by the team appropriate based on the facts and circumstances described in the memo considering applicable policies and regulations?

The Independence Partner/leader evaluates the following when reviewing the record:

• Are the pertinent details of the completed consultation (e.g., company name, consultation topic, applicable independence rules, associated breach/ violation fields, etc.) complete and accurate?
• Are the individuals selected for approvals listed in the appropriate roles?
• If the consultation involved a regulatory/ professional standards breach or policy violation, has that breach or violation record been linked to the consultation and were the fields within the breach/violation record appropriately completed by the engagement team?
• Has the consultation memo (and related attachments, including the Audit Committee communication(s), as applicable) been uploaded to the record, and does the memo match the final memo that was agreed-upon during the consultation process?

Upon reviewing the formal consultation memorandum and other attachments (if applicable), the Independence Partner/ leader evaluates its contents and provides feedback to the engagement team related to any questions, suggested edits, etc. that are identified. Once all items are appropriately addressed by the engagement team, the applicable Independence Partner/ leader evaluates the contents of the related consultation record (and associated breach / violation record, if applicable) within the Independence Database to determine that they are complete and accurate and that all applicable team members have denoted their approval.

Upon determining that the consultation record (and associated breach / violation record, if applicable) is complete and accurate, the Independence Partner/ leader approves the record within the Independence Consultation Database.

Independence Partner/ Leader | Event Driven

RE-QR-10, RE-QR-12 | RE-QO-08

Independence Database Record Edits

To restrict preparers and approvers from making inappropriate changes to completed Independence Consultation Database records.

Subsequent to the approval and completion of an Independence Database record, the Database restricts the preparer from having the ability to edit the record.

After the Independence Database record is finalized, the system restricts the preparer and approvers from making any modifications to the approved record.

Independence Leader/ Independence Partner | Event Driven

RE-QR-12, RE-QR-13 | RE-QO-08

Breach Independence Database Review

To provide a review of key data for all regulatory breaches within the Independence Database and determine that breaches are released to the impacted partners

The control owners assess the following when determining if the descriptions and related data of the regulatory breaches are appropriately reflected in the Independence Database:

• Is the jurisdiction in which the breach took place accurately reflected within the Independence Database record?
• Is the breach description included in the Independence Database record consistent with the description reflected in the final consultation memo?
• Are there multiple breaches that exist for a single record within the Independence Database? If so, have all distinct breaches been properly reflected and referenced in the consultation?

On a regular basis, for each breach in the Breaches ready to be released report from the Independence Database, the data reflected in the breach record (e.g., client name, breach description, start/end dates) is reviewed and verified for completeness and accuracy based on the consultation memo (if applicable). All approvals should be done and documented as per firm's policy.

Global Independence Breach Partner/ Independence Partner | Event Driven

RE-QR-12, RE-QR-13 | RE-QO-08

Review and Concurrence of Audit Committee Communications

To determine that regulatory independence breaches are appropriately communicated to the Audit Committee in accordance with the firm policy and applicable regulatory requirements

When assessing the appropriateness of the draft independence letter addressed to the Audit Committee or those charged with governance which includes communication of regulatory matter(s), the firm leadership / independence leader considers the following:

• Whether the breach is described consistent with information reflected in the applicable consultation memo;
• Whether the date in which the engagement team plans to communicate the breach to the Audit Committee is considered to be timely;
• Whether the draft communications include a description of:
   - The independence rules the matter(s) is (are) inconsistent with;
   - The firm’s policies and procedures relevant to the breach(es) designed to provide it with reasonable assurance that independence is maintained, the actions we have taken or propose to take to resolve the breach, and the actions we have taken or will take to avoid the risk of future breaches occurring;
   - An analysis of why we believe the impact of each breach, and if more than one breach, all breaches taken together, do not impair firm's objectivity and ability to exercise impartial judgment in conducting the audit(s), and whether a reasonable investor with knowledge of all relevant facts and circumstances would reach the same conclusion;
   - “Except for” statement in the assertion paragraph within an annual communication.

As part of review of the draft consultation memo, the firm leadership/ independence leader determines that the draft independence letter addressed to the Audit Committee or those charged with governance describes each breach in accordance with the guidance reflected in the applicable independence communication template. After following up with the engagement team to address any questions identified during the review and determining that the draft letter is complete and accurate, the firm leadership/ independence leader evidences his/her review and concurrence by electronically approving the applicable Independence Consultation Database record.

Firm Leadership/ Independence Leader | Event Driven

RE-QR-8, RE-QR-12, RE-QR-13 | RE-QO-08

Firm Financial Investment Monitoring

To evaluate and monitor firm financial investments for continued compliance with independence rules and regulations.

The independence related criteria being monitored, as per firm's policy, is in accordance with applicable laws and regulations.

The respective firm personnel/ executive for investments monitors firm financial investments to review and approve compliance with the firm independence requirements on regular basis to prevent and identify potential breaches of the established independence guidelines. These monitoring activities include preparation and/or approval of internal calculations and analysis performed to monitor independence criteria.

Respective firm personnel/ Executive for Investments | On regular basis

RE-QR-8, RE-QR-12, RE-QR-13 | RE-QO-08 | Firm Financial Investment Reporting

To report firm financial investments within

The security/ investment names database are compared to the Account/ Trustee statement for completeness and accuracy.

The Treasury/ Finance personnel reconciles the investments in the account statement on a monthly basis and updates the database as necessary. The procedures performed are evidenced by notations and/or signoff on the reconciliation.

Treasury/ Finance Personnel | Monthly

RE-QR-4, RE-QR-35, RE-QR-36 | RE-QO-06, RE-QO-15 | Design and development of firm's courses

To determine that:
(1) independence learning content considers prior feedback/course evaluations and is aligned with relevant topics where the firm or network firm (if applicable) has noted unfavorable trends in regulatory breaches, policy violations or general need for increased awareness of independence rules, or new or revised rules/policies; and
(2) content design meets the established learning objectives and is technically accurate.

When reviewing the outline, the Independence Leadership considers the following:
• Does the content of the course meet the established learning objectives set?
• Has the content been designed appropriately for the audience receiving the course?
• Are the topics in the course relevant to what a learner is encountering?
• Has prior feedback and course evaluations been considered in the design of the course?
• Is the content addressing unfavorable trends in regulatory breaches or policy violations?

An outline for the independence course is first reviewed by the firm leadership who evidences his/her review by providing a signature on the document.

Prior to publishing the final content, the firm's leader verifies that documents of the course content were reviewed by these subject matter resource(s) and evidences that these reviews have taken place through a signature on the document.

Independence Leadership | Event driven

RE-QR-6, RE-QR-18, RE-QR-35 | RE-QO-02, RE-QO-03, RE-QO-05 | Independence course deployment and completion monitoring

To verify that independence courses are deployed to the appropriate audience based on the minimum criteria as determined by the Independence coordinator and to have timely completion of required learning programs monitored.

When reviewing and verifying the population profile for the course, the Independence coordinator considers input from stakeholders on the appropriate population for the local independence course.

The Independence coordinator evidences their review of the deployment of courses and related follow-up procedures.

Independence Leadership | Event Driven

RE-QR-6, RE-QR-18, RE-QR-35 | RE-QO-02, RE-QO-03, RE-QO-05 | New hire independence courses deployment criteria

To determine the criteria to be used by the areas/regions to establish the population of individuals (by rank/level) to which the required new hire independence learning courses are planned to be deployed is complete.

When reviewing the minimum deployment “assignment” criteria, the Independence Leader will assess whether the criteria are consistent with the firm's Independence Learning Guide, including whether, for example, a re-hire is required to take the course if they have taken the same course or a previous version.

The firm Independence Leader reviews and approves the minimum deployment “assignment” criteria for the population profile and timing of the assignments for the independence new hire courses and signs off in the document as evidence of his / her approval.

Independence Leader | Annually


RE-QR-6, RE-QR-18, RE-QR-35 | RE-QO-02, RE-QO-03, RE-QO-05 | Annual independence course completion monitoring

To have timely completion of learning programs monitored with necessary follow-ups and escalations for outstanding learners

The review of the Annual course deployment and completion statistics report would be as per firm's policy.

The Independence leader reviews and verifies the completion report which assists in monitoring the progress of annual independence course completion. Any unusual changes or lack of change in statistics (e.g., unexpected significant increase or decrease (>5% change from prior week) in active population or observing relatively low completion rate of progress as compared to prior week’s change) are investigated and evaluated for any necessary remediation with the appropriate learning contacts.

The Independence leader continues to monitor during the deployment period in order to follow-up with learners until a stipulated completion percentage of the active population from the initial deployment period for the course is attained.

The Independence leader also reviews and affirms the completion report in order to monitor progress and provide oversight and provides evidence through sign-off.

These analyses are performed less frequently (monthly) after substantially all offices have attained the stipulated completion percentage.

Independence Leader | Weekly / Monthly / Regular Basis

RE-QR-6, RE-QR-18, RE-QR-35 | RE-QO-02, RE-QO-03, RE-QO-05 | New hire independence courses completion monitoring

To have timely completion of learning programs monitored with necessary follow-ups and escalations for outstanding learners

The review of monthly analysis of compliance reports is done by the Independence leader/ any other authorised person. Any unusual changes or lack of change in statistics are reviewed and investigated, and any necessary remediation is determined with the appropriate learning contacts.

The Independence leader/ authorised person reviews and verifies a monthly analysis for each office to assess the status of the new hire course completion. For any professional(s) to which a new hire course was deployed that is aging >30 days overdue, the Independence leader follows-up with that office independence team and requests that they submit a response confirming they are following-up with the outstanding learners to complete the course.

The Independence leader/ authorised person continues to review and verify the monthly analysis and also reviews and affirms the analysis of the active population assigned, by offices, for the course.

Independence leader/ Authorised person | Monthly

RE-QR-12, RE-QR-13 | RE-QO-08 | Identification of individuals with potential Covered Person breaches

To timely identify Potential Covered Person issues through daily monitoring of the securities, family relationships and financial relationships reported in the database on the firm’s defined independence rules.

The relevant firm executive identifies Potential Covered Person violations related to securities/ financial relationships/ family relationships reported in the database.

The firm database places potential violations in the ‘Covered Person Monitoring’ system on a regular basis. The relevant executive identifies potential covered person violations related to securities or financial relationships reported in the database.

Independence Executive / Partner | Daily / On regular basis

RE-QR-7 | RE-QO-2, RE-QO-4, RE-QO-6 | Updates to the independence confirmations

To ensure that updates to be made to the confirmation for each confirmation cycle meet the local law, regulation, or a demonstrable high-risk test and have been properly approved by the firm's leadership.

The Independence Leader/ authorised person considers the changes required in the confirmation such as whether changes are required as a result of the updates to local requirements that affect Independence.

The Independence Leader/ authorised person reviews the drafted confirmation and provides their suggestions. All requests must have approval from the firm's leadership.

Independence Leader/ Firm's Leadership | Event Driven

RE-QR-9 | RE-QO-8 | Reconciliation and Monitoring of Potential Breaches

To verify that complete population of potential breaches are timely concluded.

When reconciling the potential breaches identified in monitoring to the breaches reported into Independence database, the Independence leader verifies that each and every potential breach was reviewed and signed off has been properly reported in the document.

When reviewing the aging of potential breaches that have not yet been concluded, the Independence leader focuses on the potential breaches that are (xxx days, as per firm policy) reported past that date the potential breach was included in the database.

On a regular basis, the Independence Leader reconciles the potential breaches. Once the Independence Leader confirms that all new potential breaches within the file have all been reported to the database, he/she manually adds the date (when the potential breach was reported).

Monthly or on regular basis, the Independence Leader reviews the potential breaches and prepares an analysis on the aging of incomplete reviews of potential breaches. Potential breaches aged past xxx days are investigated through outreach by the Independence leader to the assigned reviewer.

Independence Leadership | Event Driven

RE-QR-13 | RE-QO-08 | Independence programming for Potential Breach Routing and Finalization

To properly route potential breaches for approval and to prevent the breaches from being designated as complete until the appropriate approvals occur.

Potential breaches are assigned to the designated reviewer.

Potential breaches cannot be designated as complete until the reviewer's approval occurs in the Independence program/ database.

The Independence program/ database places potential breaches to the reviewer and routes the breach for review through each designated reviewer, including the Independence leader. The potential breach is prevented from being designated as complete in the Independence program/ database until each assigned reviewer has approved whether or not the potential breach is concluded to be a breach within the Independence program/ database.

Independence Leadership/ Authorised person | Event Driven

RE-QR-9 | RE-QO-08 | Review of sampling requirements

To determine whether the audit sample selection throughout the reporting year is in accordance with the firm's instructions / Network Firm instructions

The sampling requirements disclosed in the final approved list are considered in reviewing and affirming the audit sample selection based on the firm's defined criteria.

The Independence Leader reviews the sample selection summary for reasonableness to verify that all professionals are considered in audit sampling.

Independence Leader | Quarterly

RE-QR-9 | RE-QO-08 | Approval signature(s) for audit ‘completion’

To prevent audit file’s status to be moved to “complete” before the audit file is reviewed and approved by appropriate firm's personnel

The required level/authority of the signature is based on the firm / member firm policy

At the completion of an independence compliance audit, a file’s audit status moves from ‘Communicated’ to ‘Complete’ that shows that all required procedures and approval(s) have taken place.

Independence Leadership | Event Driven


RE-QR-12, RE-QR-13 | RE-QO-08 | Review of reconciliation of Ethics matters report (or equivalent report) of personal independence breaches and audit findings and proposed consequences

To determine whether the Ethics Matters report (or equivalent report) is complete and that the recommended consequences are appropriate.

• Independence leader (or equivalent manager) reviews and verifies that the draft Ethics Matters report (or equivalent report) agrees exactly to the independent data sources
• Independence Leadership or designated person expects the consequences to be:
  - Based on prior precedents;
  - In accordance with the consequence framework;
  - Consistent for all professionals with similar facts / circumstances.

Independence leader (or equivalent manager) reviews the Ethics Matters Report (or equivalent report) with names to verify all newly detected breaches/violations since the previous Ethics report was prepared. Independence leader evidences his/her review via sign off on the assigned tasks on Ethics Matters Report (or equivalent report).

Independence Leader | Event Driven

RE-QR-13 | RE-QO-08 | Administration of Consequences / results

To verify consequences/results are assigned to the appropriate firm professional and are properly executed by the professional (e.g., training) or administered by management team responsible (e.g., financial penalties).

Independence leader:
• Reviews and considers the consequences monitored and are addressed timely (such as xxx number of days)
• If consequences are not addressed timely, follow-up with the professional occurs and leadership is notified if necessary.

Independence leader (or equivalent) maintains an Ethics Consequence / Results record (or equivalent tracker) to review the assigned consequences (i.e. educational memo, financial penalty, etc.) and verify that each consequence on the Final Ethics Report with Approved Consequences (or equivalent report) is addressed and completed by the professional or communicated to the responsible management team. The Ethics Consequence/ Results record is updated periodically.

Independence leader | Event Driven

RE-QR-34, RE-QR-40 | RE-QO-15, RE-QO-16 | Intellectual resources from service providers are not appropriate

To ensure that the intellectual resources obtained from service providers (IT application that is off the shelf package) are appropriate for use in the firm’s system of quality management and in the performance of engagements.

Off the shelf package is out-of-date. The outdated modules and templates provided by the service provider in the off the shelf package may result in a deficiency in the work performed on the engagement.

The Engagement Partner/ engagement team lead needs to check and ensure that the required modules, template, checklist or table available in the off the shelf solution is updated and contains the necessary required changes of the law and professional standards.

Engagement partner / engagement team lead | Event driven

RE-QR-30, RE-QR-37 | RE-QO-13 | Team consists of experienced Resources

To ensure that right people with appropriate skills and experience with completing required certification for IT application.

The firm has right people with appropriate skills/ experience for IT tools/application.

IT team consists of skilled and experienced resources with a mix of experience from audit and technology, who receive appropriate training on the certification process.

IT Team | Event Driven

RE-QR-33 | RE-QO-13, RE-QO-14 | Change Testing and Approval

To ensure that all changes to the system receive proper authorization, testing and approval prior to migration into production.

Proper authorization, testing and approval has been done by authorised person.

All changes to production information systems are formally requested, tested, reviewed and approved.

IT team | Event Driven

RE-QR-31 | RE-QO-13, RE-QO-14 | Developer vs user

To ensure that there is a segregation of duties between the user that develops the change and the user that migrates the change into production and that access is properly restricted.

The key considerations which are kept in mind during the review of this control include but are not limited to:
• Users who have access to develop changes do not have access to migrate changes to the application.

Segregation of duties between developers and those that can implement changes in production is enforced.

IT Team | Event Driven

RE-QR-31 | RE-QO-13, RE-QO-14 | Password

To ensure that the system authentication settings are set according to the firm's Information Security Password Policy.

The key considerations and procedures which are kept in mind during the review of this control include but are not limited to:

Review that the application's password policies include the complexity requirements, such as:
• Password expiration
• Password complexity
• Password changes
• Password history
• Password confidentiality
• Storage and transmission of passwords
• Temporary passwords
• Account lockout after pre-set number of failed authentication attempts during a specified time period
• Unlocking of locked accounts.

Information systems passwords settings must comply with the approved Information Security Password Policy/ Firm policy requirements.

IT Team | Event Driven

RE-QR-31 | RE-QO-14 | User Access Review

To ensure that user and privileged user access entitlements to the system/ records are regularly reviewed for appropriateness

The key considerations which are kept in mind during the review of this control include but are not limited to:
• A process is in place to periodically review user access for those who have more than the baseline (default/ birth right) access.
• Authorized and appropriate individual(s) initiated and performed the user access review based on the defined frequency and that this is sufficiently supported by evidence (such as email).
• The approval/ recertification of access was granted by an authorized individual.
• Any unauthorized entitlements identified as part of the review are revoked in a timely fashion, as logged within the review ticket or audit log.
• As applicable, the control owners validate the completeness and accuracy of information used to execute the control.

Periodic access reviews are performed for users with more than the baseline/ default access. Unauthorized entitlements, identified as part of the review, are revoked in a timely fashion.

IT Team | Quarterly / On regular basis as per firm's policy

RE-QR-33 | RE-QO-13, RE-QO-14 | Incident Management

To ensure that there is a process in place to resolve incidents to the system.

The key considerations which are kept in mind during the review of this control include but are not limited to:
• A process of raising and identifying incidents and/or job failures is in place.
• Incidents and/or critical job failures were addressed by the appropriate responsible individuals/ teams (e.g. IT team, business owners) and resolved in a timely manner as evidenced by available documentation.
• If a change is required to be made for the sample incident or job failure, the review and approval required from the appropriate individuals (such as via email or IT ticket) were obtained before moving the change into production.

Procedures for identifying, classifying, responding to and communicating incidents to management are clearly defined and implemented. These procedures follow the Information Security Policy and Plan.

IT Team | Event Driven

RE-QR-31a | RE-QO-13 | New User Registration

To ensure that new user access to the system is properly requested and approved prior to provisioning new access.

The key considerations which are kept in mind during the review of this control include but are not limited to:
• A defined process to request and approve (or reject) user access is in place.
• There is sufficient documentation of the initiation and approval of the access request (such as via email).
• The individual/s who approved the access request are authorized/appropriate (e.g. end user's manager, application business owner or other delegates).

A process for granting and/or modifying access to all information systems and services is developed, documented, and followed.

IT Team | Event Driven

RE-QR-31a | RE-QO-13 | User Access Review

To ensure that user and privileged user access entitlements to the system are regularly reviewed for appropriateness.

The key considerations which are kept in mind during the review of this control include but are not limited to:
• A process is in place to periodically review user access for those who have more than the baseline (default/birth right) access.
• Authorized and appropriate individual/s initiated and performed the user access review based on the defined frequency and that this is sufficiently supported by evidence (such as, via email or within an IT ticket).
• The approval/ recertification of access was granted by an authorized individual.
• Any unauthorized entitlements identified as part of the review are revoked in a timely fashion, as logged within the review ticket or audit log.
• As applicable, the control owners validate the completeness and accuracy of information used to execute the control.

Periodic access reviews are performed for users with more than the baseline/ default access. Unauthorized entitlements, identified as part of the review, are revoked in a timely fashion.

IT/Technology Team | Annually


RE-QR-31a | RE-QO-13 | Termination

To ensure that deprovisioning access to the system is properly requested and access is removed in a timely manner.

The key considerations which are kept in mind during the review of this control include but are not limited to:
• A defined process is in place to revoke user access in a timely manner.
• There is sufficient evidence showing that user access of individuals was revoked upon termination in a timely fashion.

A process for revoking access to all information systems and services is developed, documented and followed.

IT/ Technology Team | Event Driven

RE-QR-33 | RE-QO-13, RE-QO-14 | Appropriate governance is in place

To ensure that the firm appropriately identifies and prioritizes technology needs necessary to enable ISQM requirements.

The considerations which are kept in mind during the performance of this control include but are not limited to:
• The oversight committee or authorised personnel meeting should be conducted on a regular basis;
• Meeting notes/results should be documented and retained;
• Evidence of approvals, if any, should be retained (this may also be captured in the minutes of the meeting)

The oversight committee or authorised personnel meets regularly to identify which technology resource needs should be prioritized and implemented to enable the effective operation of the firm's system of quality management or the performance of quality engagements.

Firm leadership and oversight or authorised personnel | Event Driven

RE-QR-2 | RE-QO-01 | Background investigation results / findings review and verification (New Partner)

To validate partner applicant’s education/qualifications, experience and background including criminal history via background investigation (if necessary).

Background investigation reports are reviewed and verified by Senior Partner/ Executive Board. If there are red flags on the candidate's report, Senior Partner/Executive Board will communicate findings to Risk leader/ Firm Leadership. The criteria for investigation may include:
• Type/ severity of criminal findings
• Extent of employment discrepancies (e.g., inability to confirm employment, position discrepancies, date discrepancies)
• Education/ qualification discrepancies.

Senior Partner/ Executive Board reviews and verifies the results of the candidate's completed background investigation, prior to onboarding. If issues are identified then Senior Partner/ Executive Board follows up with the candidate and obtains Risk leader/ firm leadership review and approval on the finding.

Senior Partner/ Executive Board | Event Driven

RE-QR-2 | RE-QO-01 | Candidate evaluation form review and approval

To ensure that candidates have the qualifications, competencies, and capabilities necessary for fulfillment of responsibilities

The following are taken into consideration when assessing whether the candidates have received positive ratings:
• Applicant resume/ Candidate qualifications
• Test assessment (only in certain markets)
• Interview evaluation forms
• Additional feedback provided for candidate

Based on the hiring recommendation from the Senior Managers/ HR involved in the interview process for that candidate, on behalf of the Firm Leadership/ Service Line Leader/ Authorised person processes the approval or rejection of the evaluation forms.

Post interview, the candidate qualifications, interview evaluation forms, test assessment results (if applicable), and other feedback for the candidate are reviewed to ensure the candidate has the appropriate qualifications, competencies and capabilities necessary to fulfil responsibilities at their level. The HR/ Authorised person processes the approval of the evaluation forms based on the hiring recommendations from the Senior Managers/HR who are involved in the interview process for that candidate, on behalf of the firm leadership.

Firm Leadership | Semi-Annual / As per need basis

RE-QR-1, RE-QR-2, RE-QR-21 | RE-QO-01 | Background investigation results / findings review and verification

To validate applicant’s education/qualifications, experience and background including criminal history via background investigation (if necessary).

Background investigations are performed for candidates as per firm policy. All background investigation reports are reviewed by HR/ authorised person even if there have been no issues identified or flagged. If there are red flags on the candidate's report, the HR/ authorised person will communicate findings to firm leadership for appropriate action as per firm policy.

The HR/ authorised person reviews the results of each completed background investigation, prior to the applicant onboarding to the firm (where local law permits). The background investigation is performed by an authorised person which includes validating the applicant’s education / qualifications, experience and background for any discrepancies and criminal history.

HR/ Authorised person/ Firm leadership | Semi-Annual / As per need basis


RE-QR-28, RE-QR-37, RE-QR-39 | RE-QO-02; RE-QO-10: (Obtain individuals from external sources); RE-QO-16: (Obtain resources from service providers) | Review and approval of use of external resources by firm leadership

To evaluate:
- The need/motivation for procuring resources from an external service provider;
- The appropriateness of the proposed service provider;
- The proposed nature and scope of the resources.

The firm leadership (Or the engagement partner if at an engagement level) completes the documentation which includes the following:
• A description on why there is a need to include resources from an external service provider in the firm's service delivery model;
• A description of the nature (Human resources, Intellectual resources, Technological resources) and proposed scope and use of resources;
• Details of proposed external service provider;
• Descriptions of the core competencies (Human resources) or specifications/ attributes (Intellectual and technological resources) of the resources;
• Any other local requirement or criteria as determined by the MP or equivalent;
• Results of preliminary risk assessment/due diligences. This assessment includes:
  - Background checks (including considerations of AML, Anti-Bribery and corruption checks, media searches);
  - Declarations of interests; and
  - Any other activities prescribed by firm leadership.
• Overall conclusion of the firm leadership (Or the engagement partner if at an engagement level) on whether the resources of the proposed external service provider is appropriate and responsive to the need identified.

When a decision is taken by a firm leadership to procure resources from external service provider, engagement team or other requestor completes a necessary documentation, which includes evaluation of competence/ capabilities, review and approval by firm leadership.

Firm Leadership/ MP | Event Driven

RE-QR-15, RE-QR-18 | RE-QO-02, RE-QO-03 | Employee performance / promotion review and approval

To review and approve employee performance data and evaluate whether employees are progressing and developing (including those who did not meet their professional responsibilities), and approve those identified as eligible for promotion.

At year-end, firm leadership meets to discuss, review and approve employee performance. The purpose of this review is to evaluate whether employees are progressing and developing as expected.

The following decisions are captured in the review process:
• Promotion/ progression;
• Conclusion on Quality, Risk Management, and Technical Excellence;
• Tier, Leadership adjustment, and justification for change;
• Leadership comments

After leadership review decisions are finalized, the review result is locked and communicated.

At year-end, the firm leadership reviews and approves employee performance data through the Review process, as per firm policy and approves eligible employees for promotion.

Firm leadership/ Authorised person | Annually

RE-QR-4, RE-QR-35 | RE-QO-03 | Learning Deployment plan review and approval

To review and approve the appropriateness and completeness of Learning Deployment Plan.

Key stakeholders review and approve the Learning Deployment Plan to ensure appropriateness and completeness annually and as needed for updates during the learning cycle.

The firm leadership/ learning team considers whether appropriate core curriculum and incremental local learning object deployment is planned in an appropriate timeframe aligned with learners' needs and local learning policies (accreditation requirement) where applicable.

Firm leadership/learning team are responsive to developments in the learning needs and related curriculum ensuring plans evolve to enable timely delivery of the latest learning content.

Key stakeholders at the firm level review and approve the Learning Deployment Plan for learning curriculum/programs developed at all levels (partners to staff).

Firm Leadership/ learning team | Event Driven/ Regular basis

RE-QR-4, RE-QR-35 | RE-QO-03 | Learning facilitators review and verification

To review and verify selection of skilled and capable trainers/ facilitators.

Firm's Learning Team defines facilitator requirements for relevant learning object. Trainers/ facilitator's skills and capabilities are reviewed against learning object facilitator criteria and confirms selection into facilitator pool to deliver learning object.

The Learning Team reviews and verifies accredited/approved pool of trainers/ facilitators for selection of trainers/facilitators for relevant learning object.

Firm's Learning Team Leader/ Firm leadership | Event Driven/ Regular basis

RE-QR-4, RE-QR-5 | RE-QO-03 | Firm's learning compliance review and verification

To review and verify compliance of learning requirements.

Firm's Learning Team/ Authorised person reviews compliance status of training plan of the firm and works with Quality leaders/firm leadership to follow up with non-compliant individuals.

Firm Leadership/ Learning Team reviews the summary compliance information for the relevant learning material and any other identified incremental local learning to verify completions against assigned learnings.

Firm's Learning Team Leader/ Firm leadership | Event Driven/ Regular basis

RE-QR-4 | RE-QO-03 | Review of accreditation requirements (Applicable Accounting Framework) | To determine that accreditation requirements address relevant accounting framework. | Accreditation requirements are assessed based on the applicable accounting framework (such as IFRS/ IFRS for SMEs / AFRS for SSEs / NPO Standard). Accreditation requirements would be expected to cover foundation and maintenance requirements, nature, extent and timing of training, and special situations. | The firm leadership approves accreditation requirements for assurance professionals to address the applicable accounting framework. | Firm Leadership | Annually

RE-QR-3 | RE-QO-03 | Maintenance of practice license records for signing executives | To determine that the firm maintains an accurate record of the licensing status of signing executives which is updated timely for business changes. | Reviewer uses all available information from relevant internal and external sources to identify and summarize required changes – such sources of information may relate to partner hiring, promotion, resignation and retirement. | Firm maintains register of signing executives and their licensing status and performs periodic validation checks to identify changes (partner hiring), promotion, resignation and retirement. | Firm Leadership | On Regular basis as per firm policy

RE-QR-5 | RE-QO-03 | Monitoring of continuous education compliance | To determine that compliance with continuous education requirements is monitored. | Reviewer uses pre-determined criteria to identify exceptions to continuous education requirements. All instances of non-compliance are escalated to firm leadership for further action which may affect engagement assignment as well as performance evaluation. | The firm reviews compliance data for the population of applicable client-serving professionals subject to continuous education compliance and identifies exceptions to policy for further action. | Firm's Learning Team Leader/ Firm Leadership | Annually

RE-QR-7 to 14 (RE-QR-7, RE-QR-8, RE-QR-9, RE-QR-10, RE-QR-11, RE-QR-12, RE-QR-13, RE-QR-14) | RE-QO-05, RE-QO-08 | Respond to, investigate, and close all ethics reports / other matters. (Subject to laws and regulations) | To investigate, respond and conclude on whether: - The matters reported underwent appropriate steps or protocols as per the agreed plan/scope. - The reporter was updated on the status and the outcome of the matter reported to the extent appropriate and in the manner agreed with Risk Leader/Authorised person. | To investigate, respond and conclude on whether: • The matters reported underwent appropriate steps or protocols as per the agreed plan/ scope, including notifying appropriate Internal/ external parties as deemed appropriate and evaluating significance of the breach. • Quality matters and proposed actions pertaining to assurance clients and engagements is reviewed by authorised person; • Sanctions to be applied and/or actions to be taken are appropriate for the nature of the matter and applicable employment laws/regulations; • Reporter was updated on the outcome of the matter reported as appropriate; • Appropriate advice was obtained before updating the reporter considering the confidentiality / sensitivity of the issue. • Considerations in respect of client confidentiality and whether reporting such a matter to an external party would be a breach of contract or other requirements of applicable laws and regulations. | Assigned Reviewer or assigned representative (Responsible Partner) responds to, investigates, and closes all ethics reports on steps taken, sanctions to be applied and/or actions to be taken on Partners/Employees and updates the status and outcome of the matter to the reporter, considering confidentiality and sensitivity of the issue, based on manner agreed upon with appropriate functions i.e., Risk Leader/ Authorised person. | Risk Leader/Firm Leadership | Event Driven

RE-QR-1, RE-QR-2, RE-QR-19, RE-QR-37 | RE-QO-01, RE-QO-02, RE-QO-10 | Business strategy/ vision review and approval | To review and approve key information as part of the annual update to the multi-year business strategy/ vision to allow for proper workforce planning | The review and approval of the multi-year business strategy/ vision information by the firm leadership/ Executive Board. | Annually, the firm leadership reviews and approves the content and updates to multi-year business strategy/ vision (i.e. strategic workforce plan). | Managing Partner/ Executive Board | Annually


Quality Component 6

Information & Communication


Quality Component 6: Information & Communication ISQM Guide and Toolkit

Quality Component 6: Information & Communication

Risk and Control Template

Quality Objectives as per paragraph 33 of ISQM 1 | Quality Risks

33. The firm shall establish the following quality objectives that address obtaining, generating or using information regarding the system of quality management, and communicating information within the firm and to external parties on a timely basis to enable the design, implementation and operation of the system of quality management: (Ref: Para. A109) |

IC-QO-1: a) The information system identifies, captures, processes and maintains relevant and reliable information that supports the SOQM, whether from internal or external sources. (Ref: Para. A109) | IC-QR-1: The firm’s manual systems that support information and communication do not allow the identification, capture, processing and maintenance of information that is accurate, complete, timely, valid and relevant, based on the source information, to support the SOQM. (Note: To be tailored by firm for manual systems used in the SOQM - consider client acceptance and continuance systems; scheduling and resourcing systems; performance management systems; time recording, professional development systems, etc.)
| IC-QR-1A: The firm’s IT systems that support information and communication do not allow the identification, capture, processing and maintenance of information that is accurate, complete, timely, valid and relevant, based on the source information, to support the SOQM (Note: To be tailored by member firm for IT systems used in the firm's SOQM).
| IC-QR-1B: The firm uses off-the-shelf software that does not allow the customization to provide appropriate information to support the effective monitoring of the SOQM.
| IC-QR-1C: The firm has insufficiently tailored its SOQM to allow the identification, capturing, processing or maintenance of information that is accurate, complete, timely, valid and relevant, based on source information.
| IC-QR-1D: The firm's information systems and its client data are not sufficiently protected against potential breach of security.
| IC-QR-1E: The firm does not have any mechanisms to receive, investigate and resolve complaints and allegations, or the mechanisms exist but are not made available to all stakeholders of the firm.

IC-QO-2: b) The culture of the firm recognizes and reinforces the responsibility of personnel to exchange information with the firm and with one another. (Ref: Para. A112) | IC-QR-2A: Failure of firm to create or promote a culture where personnel feel responsible for exchanging information with the firm and with one another.
| IC-QR-2B: There may be a risk that the information is not passed from top to bottom. Likewise the information captured by the team is not fully documented and passed to senior levels like partners and EQCR Partner.

IC-QO-3: c) Relevant and reliable information is exchanged throughout the firm and with engagement teams, including: (Ref: Para. A112) (i) Information is communicated to personnel and engagement teams, and the nature, timing and extent of the information is sufficient to enable them to understand and carry out their responsibilities relating to performing activities within the SOQM or engagements; and | IC-QR-3: Failure of the firm to communicate information to personnel and engagement teams.
| IC-QR-3A: Partners and personnel do not have access to resources and information that is relevant to their responsibilities.
| IC-QR-3B: Information identified by the firm and changes to existing information that is relevant to specific engagements are not communicated (or not timely communicated) to, and received by, respective engagement teams (e.g., information identified during client acceptance).
| IC-QR-3C: Information relevant to the SOQM/changes to SOQM are not communicated or not timely communicated to the personnel and engagement teams, to the extent that these are relevant to take prompt and appropriate action to fulfil their responsibilities.

IC-QO-4: (ii) Personnel and engagement teams communicate information to the firm when performing activities within the SOQM or engagements. (Para 33c of ISQM 1) | IC-QR-4: Failure of personnel and engagement teams to communicate information to the firm - to those responsible for the SOQM in the firm, or to other teams or people in the firm that may be impacted by the information.
| IC-QR-4A: Outdated or erroneous information (in firm's and/or network resources material) identified by the engagement team, is not communicated to the firm/network in a timely manner.
| IC-QR-4B: Personnel are not aware of mechanism to make complaints and allegations to those responsible in the firm.
| IC-QR-4C: Personnel are not comfortable using mechanisms for making complaints and allegations - may be their understanding about the process is not clear or due to fear of reprisal.

IC-QO-5: d) Relevant and reliable information is communicated to external parties, including: (i) Information is communicated by the firm to or within the firm’s network or to service providers, if any, enabling the network or service providers to fulfill their responsibilities relating to the network requirements or network services or resources provided by them; (Ref: Para. A113) (ii) Information is communicated externally when required by law, regulation or professional standards, or to support external parties’ understanding of the SOQM. (Ref: Para. A114-115) | IC-QR-5: Professionals assigned with SOQM responsibilities fail to communicate (within the firm OR to external parties)
| IC-QR-5A: The firm does not communicate with regulatory bodies if required to do so, or, consult with legal counsel.
| IC-QR-5B: The firm and its personnel do not fully understand what and to whom they are required to report about relevant laws and regulations.
| IC-QR-5C: The engagement team does not communicate with those charged with governance when performing an audit of financial statements of listed entities about how the SOQM supports the consistent performance of quality audit engagements.
| IC-QR-5D: The engagement team does not communicate with those charged with governance when the results of regulatory inspections require them to do so.
| IC-QR-5E: Non-compliance with laws and regulations (NOCLAR) by an entity is not reported or not reported in a timely manner to an appropriate authority outside the entity, if required by laws and regulations.
| IC-QR-5F: The firm does not have adequate two-way communication with the service providers in relation to mutual responsibilities or services or resources provided by them.

Quality Risk(s)

IC-QR-1, IC-QR-2, IC-QR-5 | IC-QO-1, IC-QO-2, IC-QO-5 | Review and approval of the adequacy of communication channels or mechanisms (Area/Region) | To evaluate whether communication channels or mechanisms are adequate in the circumstances. | When considering the adequacy of communication channels or mechanisms for distributing resources, the individual(s) responsible for the review and approval considers whether: • The communication channel or mechanism reaches the appropriate targeted audience; • The communication reaches the target audience in a timely manner (e.g., timely year-end reminders sent to personnel after inspection of completed engagements). | Periodically, individual(s) responsible for SOQM reviews and approves the adequacy of firm communication channels or mechanisms for distributing resources that enable personnel and engagement teams to understand and carry out their responsibilities relating to performing activities within the SOQM or engagements. | Area/ region Leadership | Event Driven

IC-QR-1A, IC-QR-1B | IC-QO-1 | Support from audit software/ IT to provide effective information | To ensure that audit software which the firm is using allows customization to provide appropriate (relevant, updated and reliable) information to support the effective monitoring of the SOQM. | The off-the-shelf software has feature to allow customization to provide relevant and reliable information. | The firm uses off-the-shelf software that allows for customization to provide appropriate information to support the effective monitoring of the SOQM. | Individual responsible for firm's SOQM/ firm independence partner/ engagement partner | Event Driven

IC-QR-1C, IC-QR-2B | IC-QO-1 | Effectiveness of SOQM | To ensure that the firm's SOQM is properly designed that allow the identification, capturing, processing or maintenance of information that is accurate, complete, timely, valid and relevant. | The individual responsible for designing, operation and implementation SOQM in the firm needs to perform the root cause analysis to identify the deficiencies/ gaps in the firm’s information system and accordingly tailor the SOQM. For example: • The firm's independence check before the rotation was not done for other than PIEs client • Audit teams have not been informed about the submission of monthly time sheets within five days of the previous month. | Periodically, individual(s) responsible for SOQM need to check and ensure that the firm's information system is updated and accurate and that the information is timely communicated to personnel and engagement team. For this the firm needs to establish policies or procedures that address the information to be provided / shared when communicating internally and externally. | Individual responsible for firm's SOQM/ Firm Independence Partner/ Engagement Partner | Event Driven

IC-QR-1D | IC-QO-1 | Breach of firm's information security system | To protect firm information systems and its client data from potential breach of security that may lead to unauthorized access to firm and client data. | The firm’s IT team /engagement team needs to ensure that data inputs are complete and appropriate and confidentiality of the data is preserved. Further, IT controls are in place to support the IT application’s continued operation. | The communication of breaches of the relevant ethical requirements about firm's Information System (IS) to appropriate personnel including: • The evaluation of the significance of a breach and its effect on compliance with relevant ethical and any legal requirements; • The actions to be taken to satisfactorily address the consequences of a breach, as soon as practicable; • To determine whether to report a breach to external parties, such as software company or an external oversight authority; and • To determine the appropriate actions to be taken in relation to the individual(s) responsible for the breach. • Availability of specialized skilled staff to use IT application effectively, including the access right to individuals for use of IT application; and • There is a need to develop procedural manuals etc. and also to conduct staff trainings. | Individual responsible for firm's SOQM/ IT head/ engagement partner/ engagement team. | Event Driven/ Monthly or quarterly trainings

IC-QR-1E, IC-QR-4C | IC-QO-1, IC-QO-4 | Complaints and allegations mechanism | To have a mechanism to receive, investigate and resolve complaints and allegations (received from personnel, clients or external parties) and what steps have been taken and final outcome of the matter reported. | The firm needs to establish policies or procedures for dealing with complaints and allegations. This may assist the firm in preventing the issuance of inappropriate engagement reports and to deal with SOQM deficiencies. | To investigate, respond and conclude on whether: • There is an individual, responsible to receive, investigate and resolve complaints and allegations, who has appropriate competence and capabilities, including sufficient time, to perform the role. • The matters reported underwent appropriate steps or protocols as per the agreed plan / scope, including notifying appropriate Internal / external parties as deemed appropriate and evaluating significance of the breach; • Quality matters and proposed actions pertaining to assurance clients and engagements are reviewed by the relevant authorised individual/ partner of quality assurance partner, as appropriate; • Obtain all relevant facts from both sides of the matter and then develop an appropriate plan of action to address the matter, supervise the investigation or inquiry required, document the findings and conclusions reached. • Actions to be taken are appropriate for the nature of the matter and applicable local employment laws / regulations; • Appropriate advice was obtained before updating the reporter considering the confidentiality/ sensitivity of the issue; • A direct line of communication is established with the individual(s) assigned ultimate responsibility for the SOQM. The individual responsible for the SOQM shall also report back to the informant on the results of any investigation and proposed courses of action. • There should be a policy when to report to the firm's leadership, when issues are critical. | Individual assigned to receive, investigate and resolve complaints/ allegations and individual(s) assigned ultimate responsibility and accountability for the SOQM | Event Driven/ Monthly or quarterly reporting to the leadership about the resolution of issues

IC-QR-2, IC-QR-4 | IC-QO-2, IC-QO-4 | Promoting a culture of exchanging information | To promote the effective two-way communication and assign the responsibility for implementing the firm’s responses to personnel and engagement teams. | The firm may communicate about external and internal developments, changes to policies and procedures (e.g. of firm’s network or from a service provider), information known to leadership that impacts specific engagement teams. From the engagement team, the information obtained during the performance of an engagement that may have caused the firm to decline the client relationship or specific engagement had that information been known prior to accepting /continuing and the operation of SOQM responses (e.g., concerns about the processes for assigning personnel to engagements), which in some cases, may indicate a deficiency in the SOQM. | There are a variety of methods a firm may use to communicate information, (for example) direct oral communication, manuals of policies or procedures, newsletters, alerts, emails, intranet or other web-based applications, training, presentations, social media, or webcasts. In determining the most appropriate method(s) and frequency of communication, the firm may take into consideration a variety of factors, including: • The audience to whom the communication is targeted; • The nature and urgency of the information being communicated (the more important the communication, the more formal the communication is likely to be). The firm exchange of information with individuals from within the firm’s network or service provider may differ from how the firm exchanges information with their personnel. For e.g., the firm’s communication to component auditors from within the firm’s network or a service provider may be via the group auditor. | Firm leadership (such as CEO/ Managing Partner)/ Individual responsible for the SOQM, and engagement partners | As required/ Regular Intervals

IC-QR-3A | IC-QO-3 | Engagement teams and personnel have restricted or no access to firm's /network resources and required information | To ensure that firm's partners, engagement teams and personnel have access to firm requisite resources and information that is relevant to their roles and responsibilities. | • A change or new information about the firm or its engagements indicates that additional quality objectives, or additional or modified quality risks or responses are needed. If information becomes known to the partners or firm's staff, the information should be appropriately communicated to the individuals with ultimate responsibility for the SOQM who in turn will communicate to the individual with operational responsibility for the SOQM. • Firm's communication to staff/ engagement team about the firm/ network firm resources available, may be through email, newsletters, memos, trainings. | On a quarterly basis, the individual with operational responsibility for the SOQM has to review the nature and circumstances of the firm and its engagements to identify any changes either within the firm or in the external environment. If such information is identified, the information will be considered and when appropriate: • Establish additional quality objectives or modify additional quality objectives already established by the firm. • Identify and assess additional quality risks, modify the quality risks or reassess the quality risks. • Design and implement additional responses, or modify the responses. | Firm leadership (such as CEO/Managing Partner)/ Individual responsible for the SOQM, and engagement partners | Event Driven

IC-QR-3B | IC-QO-3 | New information obtained after acceptance/ continuance of client engagements | To consider the impact of change in the information after client's acceptance or continuance | In case of this, the engagement partner needs to determine and discuss the plan of action about any professional and legal responsibilities. | Where new information is obtained that would have caused the firm to decline the engagement had that information been available earlier, the engagement partner shall discuss the matter with individual(s) with ultimate responsibility for the SOQM and agree on an appropriate course of action. This would include consideration of: • Any professional and legal responsibilities, such as reporting to the person who made the appointment or regulatory authorities. • Withdrawing from the engagement or from both the engagement and the client relationship. • Whether there is an obligation to accept or continue an engagement or is unable to withdraw from an engagement. When a plan of action has been determined, the engagement partner will: • Document the nature of the new information received, the consultations made, conclusions reached and the basis for the conclusions. • Implement the action plan, including withdrawal from the engagement where necessary after providing reasonable notice. • If withdrawing from the engagement, inform the client’s management and TCWG and the reasons for the withdrawal. | Engagement Partner/ Individual responsible for the SOQM | Event Driven

IC-QR-3B | IC-QO-3 | Independence Confirmations Deployment | To verify that independence confirmations are properly deployed. | The confirmation period should be defined and should be opened for the following users, at a minimum, during the confirmation cycle: • Staff/ Senior Independence Confirmation • Manager/ Senior Manager Independence Confirmation • Partner Independence Confirmation • Executive Director Independence Confirmation. The confirmation can be done automatically or manually as per firm's policy. | As per policy, the system opens the confirmation period and the Annual Code of Conduct for a complete and accurate population of professionals once the confirmation cycle is initiated. | Independence Partner/ Engagement Partner | Event Driven

IC-QR-3B | IC-QO-3 | Exceptions reported in the “Matters to be Reported” are reviewed | To verify all matters subject to review are properly evaluated in accordance with firm Independence policy, in order to enable proper monitoring of reported information. | On regular basis as per firm's policy, all personal independence categories of exceptions reported from the “Matters to be Reported” are reviewed by the Independence partner/EP. Each review consists of evaluating comments on the “actions taken” or “actions to be taken” and add any commentary with respect to the conclusions made. | As per firm's policy, the Independence Partner reviews and verifies that the file/ report contains complete and accurate information. | Independence Partner | Regular Basis as per firm policy

IC-QR-3C | IC-QO-3 | Lack of communication about the changes to the SOQM | To ensure that firm's personnel and engagement teams are aware of the SOQM or any changes made to the SOQM to understand and fulfill their responsibilities. | There is regular communication relevant to personnel’s and engagement team’s responsibilities contained in the SOQM including any changes when they occur. | When breaches or non-compliance with the SOQM are identified, then root cause analysis should be conducted, to assess if personnel understand their responsibilities and whether communications about the change was appropriately or timely made. | Individual responsible for the SOQM | Event Driven/ Regular Basis as per firm policy

IC-QR-3C | IC-QO-3 | Compliance with relevant ethical requirements | To ensure that firm's partner and staff have done the independence check before accepting or continuing the engagement. | The firm must have policy to ensure that the fundamental principles as given in the ICAP Code of Ethics for independence has been followed by each partner and the engagement team. | Prior to the commencement of every engagement, the engagement partner is required to prepare (or review) the client acceptance/continuance form/ document and identify: • Threats to compliance with relevant ethical requirements. • Safeguards put in place to reduce the threats to an acceptable level. Communicate the nature and potential effect of any unresolved threats to the individual with ultimate responsibility over the SOQM in a timely manner. | Engagement Partner | Event Driven

IC-QR-4 | IC-QO-4 | Engagement Team Confirmation | To proactively avoid potential independence breaches involving audit engagement team members prior to the individual charging any time to an audit engagement. | Engagement team are only able to access an audit engagement file: • Once any exceptions in their completed independence inquiries are cleared. • Once they have completed their independence inquiries, if they reported no exceptions. | There must be procedure whereby no one has access to the audit file unless they have confirmed their independence of the audit client. If a team member indicates that there may be an independence exception, he/she will not be able to access the engagement until the engagement partner or other authorised person resolves the exception and grants the team member access. | Firm Independence Partner | Event Driven (when an engagement team member requests access to audit file).

IC-QR-4 | IC-QO-4 | Reporting breaches of relevant ethical requirements | To ensure that all the breaches to ethical requirements have been reported. | Partners and staff shall immediately report to the individual with operational responsibility for the SOQM any breach of the relevant ethical requirements, such as impairment of independence or possible conflict of interest, who shall inform the engagement partner about the matter(s) reported. | The actions taken by Engagement Team would include: • Stopping work on any engagement in process until the implications of the new information can be assessed. • Evaluating and documenting the significance of the breach and its effect on compliance with relevant ethical requirements. • Identifying the actions to be taken to satisfactorily address the consequences of the breach. • Determining whether to report the breach to external parties, such as those charged with governance of the entity to which the breach relates or an external oversight authority. • Determining the actions to be taken in relation to the individual(s) responsible for the breach. | Individual responsible for the SOQM | Event Driven

IC-QR-4 | IC-QO-4 | Professional Practice review and concurrence of formal consultation conclusions | To make sure the nature, scope and conclusion of the consultations are agreed upon, understood and documented by both the individual(s) seeking consultation and the individual(s) consulted. | The Professional Practice reviews the concurrence/ consultation memorandum and any supporting documentation for accuracy and completeness (i.e., the nature, scope and conclusion), including whether the information presented supports the conclusions reached, prior to approval of the concurrence memorandum. At a minimum, a concurrence/ consultation memorandum should include a description of the matter, any action taken with respect to the matter and the basis for conclusions. Further, management assertions (including the names of the person(s) making the assertion) that provide substantive support for our conclusion should be clearly documented and, if appropriate, included in management’s letter of representations. Finally, the documentation of the concurrence should only include information necessary and relevant to the subject matter of the formal consultation with, and related concurrence by engagement partner. | Prior to submitting a concurrence/ memorandum to the consulting partner (such as Professional Practice Partner) or other authorised person, the engagement partner discusses the matter with and makes inquiries of the engagement team to make sure a thorough understanding is obtained of the facts and circumstances related to the matter under consultation. The consulting partner or other authorised person reads the concurrence memorandum and, if necessary, provides the engagement team with follow-up questions/comments to clarify his or her understanding of the matter and/or the documentation supporting the consultation. Once the engagement team has provided the final concurrence/ consultation memorandum and any supporting documentation, the consulting partner or other authorised person evidences approval of the concurrence memorandum. | Consulting Partner or other authorised person | Event Driven

IC-QR-4 | IC-QO-4 | Consultation Approval | To determine that appropriate conclusions are reached for all formal consultations and that the Independence Consultation Database record is complete and accurate. | The firm Independence Partner/ Leader evaluates the contents of the consultation memo and considers the following: • Based on the background information provided for the client, are the applicable independence rules appropriately identified and described within the memo? • Is the independence matter driving the consultation clearly articulated by the service line team? • Are the necessary safeguards appropriately reflected in the memo (as applicable)? • For instances in which a regulatory breach has occurred, based on the assessment of firm's objectivity and impartiality included in the memo and communications with the Audit Committee (or governance body), is a formal submission to the SECP warranted? • For regulatory breaches, did the team draft the Audit Committee communication that describes the matter? • Is the conclusion reached by the team appropriate, based on the facts and circumstances described in the memo? | Upon reviewing the formal consultation memorandum, the firm independence partner evaluates and provides feedback to the engagement team related to any questions, suggested edits, etc. that are identified. Once all items are appropriately addressed by the engagement team, the firm independence partner evaluates the contents of the related consultation record (and associated breach/violation record, if applicable) within the Independence Consultation Database to determine that they are complete and accurate and that all applicable team members have denoted their approval. Upon determining that the consultation record is complete and accurate, the firm Independence Partner approves the record. | Firm Independence Partner | Event Driven

The Independence Partner evaluates


the following when reviewing the record
created within the Independence
Consultation Database:

Page 124 of 139


Quality Component 6: Information & Communication ISQM Guide and Toolkit

Quality
Risk(s)

x Are the pertinent details of the


completed consultation (e.g.,
company name, consultation topic,
applicable independence rules,
associated breach/violation fields,
etc.) complete and accurate?

x Are the individuals selected for


approvals listed in the appropriate
roles?

x If the consultation involved a


regulatory / professional standards
breach or policy violation, has that
breach or violation record been
linked to the consultation and the
breach/violation record
appropriately completed by the
engagement team?

x Has the consultation memo (and


related attachments, including the
Audit Committee
communication(s), as applicable)
been attached to the record, and
does the memo match the final
memo that was agreed-upon
during the consultation process?

x Have all attached files been


checked to ensure that draft
watermarks, comments, and other
review marks have been removed?

IC-QR-4 / IC-QO-4: Member firm monitoring of unsigned confirmations and related consequences

To monitor the professionals that have not signed their required annual independence confirmation and to enforce consequences, or secure the signed confirmation.

When reviewing the listing, the Independence Partner is considering whether each individual in the file has been analyzed and whether the conclusions reached and subsequent actions which may include the following:

• Professional was on leave and no further action is needed as per the information received from Payroll Department/ Payroll record;

• Professional was contacted and subsequently returned completed Independence Confirmation; and

• Other actions consistent with the firm's policy.

On a regular basis, the Independence Partner reviews the file listing all professionals who have not signed annual confirmation and reviews the actions to investigate and the related conclusions in the file.

The individuals that did not sign the annual confirmation as a result of being on leave are reviewed and investigated, to determine the confirmations are completed timely upon return from leave.

During the quarter following the close of the Annual Confirmation, individuals that were not excluded due to leave are analyzed to determine the professional subsequently completed the confirmation or other actions were taken consistent with the firm's policy.

The Independence Partner signs off on the file of all professionals who have not signed as evidence of his/her review.

Independence Partner

Regular basis as per firm's policy

IC-QR-4, IC-QR-5E / IC-QO-4, IC-QO-5: Review and approval of further required actions for instances of non-compliance or suspected non-compliance with laws and regulations deemed to be more than clearly inconsequential.

To determine if the firm's response to potential non-compliance by audit clients is sufficient and appropriate.

The engagement partner notifies and obtains approval from the firm's leadership/individual responsible for SOQM of an identified or suspected instance of non-compliance by an audit client or its staff when it comes under the NOCLAR provisions contained in the applicable ICAP Code of Ethics.

On receipt of the notification, the individual responsible for SOQM reviews the details of the matter and recommends any additional actions to the engagement partner (including the impact on the decision to continue the client/engagement relationship) by signing off.

The individual responsible for SOQM reviews and provides approval on further actions identified by the engagement team providing services in the scope of ISQM.

Individual responsible for SOQM

Event Driven

IC-QR-5 / IC-QO-5: Review and approval of conclusion on whether to report the matter to an appropriate external authority to comply with relevant ethical requirements.

To determine if the actions taken by the firm when a client fails to take timely or appropriate remedial action in response to identified or suspected NOCLAR, is sufficient and appropriate in line with the relevant ethical requirements, as set out in the ICAP Code of Ethics.

The firm Independent Partner/ leadership reviews:

• The engagement partner’s understanding of the reasons why the client is not taking timely or appropriate remedial actions.

• Considerations in respect of client confidentiality and whether reporting such a matter to an external party would be a breach of contract or other requirements of laws and regulation.

• The firm may consider to consult with legal advisor and act accordingly.

The firm Independent Partner/ leadership reviews and approves the proposed decision by the engagement partner.

Independent Partner/ Firm Leadership

Event Driven

IC-QR-5A, IC-QR-5B / IC-QO-5: Review and approval of communications with respect to SOQM to external parties

To evaluate whether the SOQM communication to external parties is timely, accurate, complete and appropriate in the circumstances.

The individual(s) responsible for the review and approval of the communication considers whether:

• The communication is timely, accurate, complete and appropriate under the circumstances (e.g., prepared in accordance with regulations);

• The data and statistics, if applicable, included within the communication have been through the appropriate levels of approval;

• The communication is made available to the appropriate external parties;

• Modifications / amendments to any requirement have gone through the appropriate review and approval ladder prior to being communicated (e.g., transparency report)

On need basis, an individual/ partner reviews and approves the communications about the SOQM that are required by law, regulation (e.g., transparency report) or professional standards, or to support external parties’ understanding of the SOQM (e.g., audit quality report).

As part of the review, this individual(s) evaluates whether the information being communicated is accurate, complete and appropriate under the circumstances.

Individual(s) responsible for the SOQM communication

Event Driven


IC-QR-5C / IC-QO-5: Communication with those charged with governance (TGWG)

To ensure that the firm communicates with those charged with governance when performing an audit of financial statements of listed entities

The firm shall communicate to external third parties about the firm’s SOQM when required, in accordance with law or regulation, such as when performing an audit of financial statements of listed entities.

Requests from other external third parties about the firm’s SOQM will be evaluated and approved on a case-by-case basis by the individual(s) with ultimate responsibility for the SOQM.

The following criteria should be considered when evaluating whether to communicate with an external third party regarding the firm’s SOQM:

• The types of engagements performed by the firm and the types of entities for which such engagements are undertaken.

• The nature and circumstances of the firm, including the nature of its operating environment.

• Jurisdictional trends and expectations of stakeholders in the firm’s jurisdiction.

• The extent to which the firm has already communicated with external parties in accordance with law or regulation.

• Information that is already available to the third parties.

• How external parties may use the information and their understanding of matters related to the firm’s SOQM.

• The public interest benefits of external communication and if they outweigh the potential costs of such communication.

When the firm communicates with third parties about the SOQM, the following matters will be taken into consideration:

• The information is specific to the circumstances of the firm.

• The information will be presented in a clear and understandable manner.

• The manner of presentation is neither misleading nor would inappropriately influence the users of the communication.

• The information is accurate and complete and does not contain information that is misleading.

• The information takes into consideration the information needs of the intended users.

The form of communication will be appropriate in the circumstances.

When communicating in writing about the firm’s SOQM, it will be addressed to those charged with governance and will include how the SOQM supports the consistent performance of quality audit engagements.

The form of communication will be approved by the individual with ultimate responsibility for the SOQM.

Individual(s) responsible for the SOQM communication

Event Driven




Part IV – Evaluating the System of Quality Management (SOQM)

Need to establish an oversight committee



Part V - Documentation of SOQM

Retention of SOQM Documentation



Part VI – Steps that firms can take to design and implement SOQM



Appendix A – Overview of ISQM Standards

Overview of the Quality Management Standards


The new and revised quality management standards have been designed with the objective to strengthen and improve the management of quality at the firm and at engagement level.

The standards introduced a risk-based approach to quality management. The new risk-based approach requires a firm to design, implement and operate a SOQM for audits or reviews of financial
statements, or other assurance or related services engagements, that is responsive to their specific risks.

ISQMs require firms to consider the nature and circumstances of their practices to adopt a risk-based approach to manage audit quality. The proactive risk management approach aims to create
efficiencies in firms by targeting responses that address the specific risks that the firm faces, rather than focusing on responses that are less relevant to the firm’s nature and circumstances. This
is a step-change from the requirements of the extant ISQC 1.

The Firm’s System of Quality Management


ISQM 1 aims to strengthen a firm’s SOQM through a robust, proactive, integrated, scalable and tailored approach to quality management. An effective SOQM at the firm level will drive enhanced
audit quality at the engagement level.

ISQM 1 consists of the following eight components (paragraphs 23-33 of ISQM 1) that operate in an integrated manner:

• The Firm’s Risk Assessment process;

• Governance and leadership;

• Relevant ethical requirements;

• Acceptance and continuance of client relationships and specific engagements;

• Engagement performance;

• Resources;

• Information and communication; and

• Monitoring and remediation process.

[Figure: components of the SOQM: firm’s risk assessment process; governance and leadership; relevant ethical requirements; acceptance and continuance; engagement performance; resources; information and communication; monitoring and remediation; evaluate.]

The firm’s risk assessment process and monitoring and remediation process set out specific procedures that the firm is required
to follow. The remaining components comprise quality objectives the firm is required to establish, that form the basis for identifying
and assessing quality risks and designing and implementing responses.

ISQM 1 promotes integrating quality management into the culture of the firm, the firm’s strategy, operational activities (e.g., IT and
human resources) and business processes.

ISQM 1 is scalable and requires the firm to tailor the design, implementation and operation of its SOQM based on the nature and
circumstances of the firm and the engagements it performs. This will help the firm in effectively managing the audit quality through
concentrating on what matters most to the firm. Accordingly, paragraph 19 of ISQM 1 requires a firm to exercise professional
judgment in designing, implementing and operating the SOQM.


The Firm’s Risk Assessment Process


The Need for Additions or Modifications to the Quality Objectives, Quality Risks or Responses
