PES 3

Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements

Statement of Authority

PROFESSIONAL AND ETHICAL STANDARD 3

Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements (PES 3)

This Standard was issued on 8 July 2021 by the New Zealand Auditing and Assurance Standards Board of the External Reporting Board pursuant to section 12(b) of the Financial Reporting Act 2013.

This Standard is a disallowable instrument for the purposes of the Legislation Act 2012, and pursuant to section 27(1) of the Financial Reporting Act 2013 takes effect on 5 August 2021.

Systems of quality management in compliance with this Professional and Ethical Standard are required for application from 15 December 2022. However, early adoption is permitted.

In finalising this Standard, the New Zealand Auditing and Assurance Standards Board has carried out appropriate consultation in accordance with section 22(1) of the Financial Reporting Act 2013.

This Standard has been issued as a result of International Standard on Quality Management (ISQM) 1 Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements being revised.

This Standard, when applied, supersedes Professional and Ethical Standard 3 (Amended), Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance Engagements.

This compilation was prepared in June 2023 and incorporates amendments up to and including June 2022.

 

Copyright

© External Reporting Board (“XRB”) 2021

This XRB standard contains copyright material and reproduces, with the permission of the International Federation of Accountants (IFAC), parts of the corresponding international standard issued by the International Auditing and Assurance Standards Board (“IAASB”), and published by IFAC. Reproduction within New Zealand in unaltered form (retaining this notice) is permitted for personal and non-commercial use subject to the inclusion of an acknowledgement of the source.

Requests and enquiries concerning reproduction and rights for commercial purposes within New Zealand should be addressed to the Chief Executive, External Reporting Board at the following email address: enquiries@xrb.govt.nz

All existing rights (including copyrights) in this material outside of New Zealand are reserved by IFAC, with the exception of the right to reproduce for the purposes of personal use or other fair dealing. Further information can be obtained from IFAC at www.ifac.org or by writing to permissions@ifac.org

ISBN 978-1-99-100507-6

Table of pronouncements – Professional and Ethical Standard 3 (PES 3) Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements

This table lists the pronouncements establishing and amending PES 3.

| Pronouncements | Date approved | Effective date |
| --- | --- | --- |
| Professional and Ethical Standard 3 (PES 3) | July 2021 | This professional and ethical standard is effective from 15 December 2022. |
| Conforming and Consequential Amendments to ISAs (NZ) and Other Pronouncements arising from ISA (NZ) 600 (Revised) | June 2022 | Effective for audits of group financial statements for periods beginning on or after 15 December 2023. |

Table of Amended Paragraphs in PES 3

| Paragraph affected | How affected | By…[date] |
| --- | --- | --- |
| A96, A112. | Amended | Conforming and Consequential Amendments to ISAs (NZ) and Other Pronouncements arising from ISA (NZ) 600 (Revised) [June 2022] |

How to Read this Standard

Professional and Ethical Standard (PES) 3, Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements, should be read in conjunction with the External Reporting Board Standard Au 1 Application of Auditing and Assurance Standards.

Scope of this Professional and Ethical Standard

1. This Professional and Ethical Standard (PES) deals with a firm’s responsibilities to design, implement and operate a system of quality management for audits or reviews of financial statements, or other assurance or related services engagements.

2. Engagement quality reviews form part of the firm’s system of quality management and:

  1. This PES deals with the firm’s responsibility to establish policies or procedures addressing engagements that are required to be subject to engagement quality reviews.

  2. PES 4¹ deals with the appointment and eligibility of the engagement quality reviewer, and the performance and documentation of the engagement quality review.

3. Other pronouncements of the New Zealand Auditing and Assurance Standards Board (NZAuASB):

  1. Are premised on the basis that the firm is subject to PES 3 and PES 4 or to national requirements that are at least as demanding;² and

  2. Include requirements for engagement partners and other engagement team members regarding quality management at the engagement level. For example, ISA (NZ) 220 (Revised) deals with the specific responsibilities of the auditor regarding quality management at the engagement level for an audit of financial statements and the related responsibilities of the engagement partner. (Ref: Para. A1)

4. This PES is to be read in conjunction with relevant ethical requirements. Law, regulation or relevant ethical requirements may establish responsibilities for the firm’s management of quality beyond those described in this PES. (Ref: Para. A2)

5. This PES applies to all firms performing engagements governed by the Standards of the XRB (including audits or reviews of financial statements, or other assurance or related services³ engagements) (i.e., if the firm performs any of these engagements, this PES applies and the system of quality management that is established in accordance with the requirements of this PES enables the consistent performance by the firm of all such engagements).

The Firm’s System of Quality Management

6. A system of quality management operates in a continual and iterative manner and is responsive to changes in the nature and circumstances of the firm and its engagements. It also does not operate in a linear manner. However, for the purposes of this PES, a system of quality management addresses the following eight components: (Ref: Para. A3)

  1. The firm’s risk assessment process;

  2. Governance and leadership;

  3. Relevant ethical requirements;

  4. Acceptance and continuance of client relationships and specific engagements;

  5. Engagement performance;

  6. Resources;

  7. Information and communication; and

  8. The monitoring and remediation process.

7. This PES requires the firm to apply a risk-based approach in designing, implementing and operating the components of the system of quality management in an interconnected and coordinated manner such that the firm proactively manages the quality of engagements performed by the firm. (Ref: Para. A4)

8. The risk-based approach is embedded in the requirements of this PES through:

  1. Establishing quality objectives. The quality objectives established by the firm consist of objectives in relation to the components of the system of quality management that are to be achieved by the firm. The firm is required to establish the quality objectives specified by this PES and any additional quality objectives considered necessary by the firm to achieve the objectives of the system of quality management.

  2. Identifying and assessing risks to the achievement of the quality objectives (referred to in this standard as quality risks). The firm is required to identify and assess quality risks to provide a basis for the design and implementation of responses.

  3. Designing and implementing responses to address the quality risks. The nature, timing and extent of the firm’s responses to address the quality risks are based on and are responsive to the reasons for the assessments given to the quality risks.

9. This PES requires that, at least annually, the individual(s) assigned ultimate responsibility and accountability for the system of quality management, on behalf of the firm, evaluates the system of quality management and concludes whether the system of quality management provides the firm with reasonable assurance that the objectives of the system, stated in paragraph 14(a) and (b), are being achieved. (Ref: Para. A5)

Scalability

10. In applying a risk-based approach, the firm is required to take into account:

  1. The nature and circumstances of the firm; and

  2. The nature and circumstances of the engagements performed by the firm.

Accordingly, the design of the firm’s system of quality management, in particular the complexity and formality of the system, will vary. For example, a firm that performs different types of engagements for a wide variety of entities, including audits of financial statements of listed entities, will likely need to have a more complex and formalised system of quality management and supporting documentation, than a firm that performs only reviews of financial statements or agreed-upon procedures engagements.

Networks and Service Providers

11. This PES addresses the firm’s responsibilities when the firm:

  1. Belongs to a network, and the firm complies with network requirements or uses network services in the system of quality management or in the performance of engagements; or

  2. Uses resources from a service provider in the system of quality management or in the performance of engagements.

Even when the firm complies with network requirements or uses network services or resources from a service provider, the firm is responsible for its system of quality management.

Authority of this Professional and Ethical Standard

12. Paragraph 14 contains the objective of the firm in following this PES. This PES contains: (Ref: Para. A6)

  1. Requirements designed to enable the firm to meet the objective in paragraph 14; (Ref: Para. A7)

  2. Related guidance in the form of application and other explanatory material; (Ref: Para. A8)

  3. Introductory material that provides context relevant to a proper understanding of this PES; and

  4. Definitions. (Ref: Para. A9)

Effective Date

13. Systems of quality management in compliance with this PES are required to be designed and implemented by 15 December 2022, and the evaluation of the system of quality management required by paragraphs 53–54 of this PES is required to be performed within one year following 15 December 2022.

NZ13.1 This Standard supersedes PES 3 (Amended) Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance Engagements issued in 2013.

1 Professional and Ethical Standard 4, Engagement Quality Reviews

2 See, for example, International Standard on Auditing (ISA) (NZ) 220 (Revised), Quality Management for an Audit of Financial Statements (Revised), paragraph 3.

3 As defined by XRB Au1 Application of Auditing and Assurance Standards (Legislative Update)

14. The objective of the firm is to design, implement and operate a system of quality management for audits or reviews of financial statements, or other assurance or related services engagements performed by the firm, that provides the firm with reasonable assurance that:

  1. The firm and its personnel fulfill their responsibilities in accordance with professional standards and applicable legal and regulatory requirements, and conduct engagements in accordance with such standards and requirements; and

  2. Engagement reports issued by the firm or engagement partners are appropriate in the circumstances.

15. The public interest is served by the consistent performance of quality engagements. The design, implementation and operation of the system of quality management enables the consistent performance of quality engagements by providing the firm with reasonable assurance that the objectives of the system of quality management, stated in paragraph 14(a) and (b), are achieved. Quality engagements are achieved through planning and performing engagements and reporting on them in accordance with professional standards and applicable legal and regulatory requirements. Achieving the objectives of those standards and complying with the requirements of applicable law or regulation involves exercising professional judgement and, when applicable to the type of engagement, exercising professional scepticism.

16. For purposes of this PES, the following terms have the meanings attributed below:

(a) Deficiency in the firm’s system of quality management (referred to as “deficiency” in this PES)

This exists when: (Ref: Para. A10, A159–A160)

  1. A quality objective required to achieve the objective of the system of quality management is not established;
  2. A quality risk, or combination of quality risks, is not identified or properly assessed; (Ref: Para. A11)
  3. A response, or combination of responses, does not reduce to an acceptably low level the likelihood of a related quality risk occurring because the response(s) is not properly designed, implemented or operating effectively; or
  4. Any other aspect of the system of quality management is absent, or not properly designed, implemented or operating effectively, such that a requirement of this PES has not been addressed. (Ref: Para. A12)
(b) Engagement documentation – The record of work performed, results obtained, and conclusions the practitioner reached (terms such as “working papers” or “work papers” are sometimes used).

(c) Engagement partner⁴

The partner or other individual, appointed by the firm, who is responsible for the engagement and its performance, and for the report that is issued on behalf of the firm, and who, where required, has the appropriate authority from a professional, legal or regulatory body.

[NZ] Public Sector Considerations - Engagement partner includes an employee of the Auditor-General, whom the Auditor-General has appointed under the Public Audit Act 2001 to act as an auditor and who:

  1. Is responsible for the engagement and its performance, and for the report that is issued on behalf of the Auditor-General; and

  2. Where required, has the appropriate authority from a professional, legal or regulatory body.

(d) Engagement quality review – An objective evaluation of the significant judgements made by the engagement team and the conclusions reached thereon, performed by the engagement quality reviewer and completed on or before the date of the engagement report.

(e) Engagement quality reviewer – A partner, other individual in the firm, or an external individual, appointed by the firm to perform the engagement quality review.

(f) Engagement team – All partners and staff performing the engagement, and any other individuals who perform procedures on the engagement, excluding an external expert⁵ and internal auditors who provide direct assistance on an engagement. (Ref: Para. A13)

(g) External inspections – Inspections or investigations, undertaken by an external oversight authority, related to the firm’s system of quality management or engagements performed by the firm. (Ref: Para. A14)

(h) Findings (in relation to a system of quality management) – Information about the design, implementation and operation of the system of quality management that has been accumulated from the performance of monitoring activities, external inspections and other relevant sources, which indicates that one or more deficiencies may exist. (Ref: Para. A15–A17)

(i) Firm

A sole practitioner, partnership or corporation or other entity of assurance practitioners, or public sector equivalent. (Ref: Para. A18)

[NZ] Public Sector Considerations - Firm includes the Auditor-General as defined in section 10(1) of the Public Audit Act 2001.

(j) Listed entity [Deleted by the NZAuASB. Refer to NZ16.2]

(k) Network firm – A firm or entity that belongs to the firm’s network.

(l) Network

A larger structure: (Ref: Para. A19)

  1. That is aimed at cooperation; and

  2. That is clearly aimed at profit or cost-sharing or shares common ownership, control or management, common quality management policies or procedures, common business strategy, the use of a common brand name, or a significant part of professional resources.

(m) Partner [Deleted by the NZAuASB. Refer to NZ16.3]

(n) Personnel – Partners and staff in the firm. (Ref: Para. A20–A21)

(o) Professional judgement – The application of relevant training, knowledge and experience, within the context of professional standards, in making informed decisions about the courses of action that are appropriate in the design, implementation and operation of the firm’s system of quality management.

(p) [Amended by the NZAuASB. Refer to NZ16.3]

(q) Quality objectives – The desired outcomes in relation to the components of the system of quality management to be achieved by the firm.

(r) Quality risk

A risk that has a reasonable possibility of:

  1. Occurring; and

  2. Individually, or in combination with other risks, adversely affecting the achievement of one or more quality objectives.

(s) Reasonable assurance – In the context of the PES 3 and PES 4, a high, but not absolute, level of assurance.

(t) Relevant ethical requirements – Principles of professional ethics and ethical requirements that are applicable to assurance practitioners when undertaking engagements that are audits or reviews of financial statements or other assurance or related services engagements. Relevant ethical requirements ordinarily comprise the provisions of the Professional and Ethical Standard 1⁶ related to audits or reviews of financial statements, or other assurance or related services engagements, together with national requirements that are more restrictive. (Ref: Para. A22–A24, A62)

(u) Response (in relation to a system of quality management)

Policies or procedures designed and implemented by the firm to address one or more quality risk(s): (Ref: Para. A25–A27, A50)

  1. Policies are statements of what should, or should not, be done to address a quality risk(s). Such statements may be documented, explicitly stated in communications or implied through actions and decisions.

  2. Procedures are actions to implement policies.

(v) Service provider (in the context of this PES) – An individual or organisation external to the firm that provides a resource that is used in the system of quality management or in the performance of engagements. Service providers exclude the firm’s network, other network firms or other structures or organisations in the network. (Ref: Para. A28, A105)

(w) Staff

Professionals, other than partners, including any experts the firm employs.

(x) System of quality management

A system designed, implemented and operated by a firm to provide the firm with reasonable assurance that:

  1. The firm and its personnel fulfill their responsibilities in accordance with professional standards and applicable legal and regulatory requirements, and conduct engagements in accordance with such standards and requirements; and

  2. Engagement reports issued by the firm or engagement partners are appropriate in the circumstances.

 

NZ16.1 Assurance practitioner – a person or an organisation, whether in public practice, industry, commerce or the public sector, appointed or engaged to undertake assurance engagements or related services.

NZ16.2 FMC reporting entity considered to have a higher level of public accountability⁷ – A FMC reporting entity or a class of FMC reporting entity that is considered to have a higher level of public accountability than other FMC reporting entities:

  • under section 461K of the Financial Markets Conduct Act 2013; or

  • by notice issued by the Financial Markets Authority under section 461L(1)(1) of the Financial Markets Conduct Act 2013.

NZ16.3 Partner – Any individual with authority to bind the firm with respect to the performance of an engagement governed by the Standards of the XRB (including audits or reviews of financial statements, or other assurance or related services⁸ engagements).

[NZ] Public Sector Considerations - Partner includes an employee of the Auditor-General with authority to bind the Auditor-General with respect to the performance of an engagement governed by the Standards of the XRB (including audits or reviews of financial statements, or other assurance or related services engagements).

NZ16.4 Professional standards – The standards issued by the External Reporting Board or the New Zealand Auditing and Assurance Standards Board.

NZ16.5 Related services – services to perform agreed-upon procedures or other non-assurance work that may ordinarily be carried out by an audit or assurance practitioner.

4 “Engagement partner” and “partner” is to be read as referring to their public sector equivalents where relevant.

5 ISA (NZ) 620, Using the Work of an Auditor’s Expert, paragraph 6(a), defines the term “auditor’s expert.”

7 Where this PES refers to a FMC reporting entity with a higher level of public accountability, for the purposes of this standard this shall include any listed entity, an entity whose shares, stock or debt are quoted or listed on a recognised stock exchange, or are marketed under the regulations of a recognised stock exchange or other equivalent body, whether listed in New Zealand or in another jurisdiction.

8 As defined by XRB Au1 Application of Auditing and Assurance Standards (Legislative Update)

Applying, and Complying with, Relevant Requirements

17. The firm shall comply with each requirement of this PES unless the requirement is not relevant to the firm because of the nature and circumstances of the firm or its engagements. (Ref: Para. A29)

18. The individual(s) assigned ultimate responsibility and accountability for the firm’s system of quality management, and the individual(s) assigned operational responsibility for the firm’s system of quality management shall have an understanding of this PES, including the application and other explanatory material, to understand the objective of this PES and to apply its requirements properly.

System of Quality Management

19. The firm shall design, implement and operate a system of quality management. In doing so, the firm shall exercise professional judgement, taking into account the nature and circumstances of the firm and its engagements. The governance and leadership component of the system of quality management establishes the environment that supports the design, implementation and operation of the system of quality management. (Ref: Para. A30–A31)

Responsibilities

20. The firm shall assign: (Ref: Para. A32–A35)

  1. Ultimate responsibility and accountability for the system of quality management to the firm’s chief executive officer or the firm’s managing partner (or equivalent) or, if appropriate, the firm’s managing board of partners (or equivalent);

  2. Operational responsibility for the system of quality management;

  3. Operational responsibility for specific aspects of the system of quality management, including:

    1. Compliance with independence requirements; and (Ref: Para. A36)

    2. The monitoring and remediation process.

21. In assigning the roles in paragraph 20 the firm shall determine that the individual(s): (Ref: Para. A37)

  1. Has the appropriate experience, knowledge, influence and authority within the firm, and sufficient time, to fulfill their assigned responsibility; and (Ref: Para. A38)

  2. Understands their assigned roles and that they are accountable for fulfilling them.

22. The firm shall determine that the individual(s) assigned operational responsibility for the system of quality management, compliance with independence requirements and the monitoring and remediation process, have a direct line of communication to the individual(s) assigned ultimate responsibility and accountability for the system of quality management.

The Firm’s Risk Assessment Process

23. The firm shall design and implement a risk assessment process to establish quality objectives, identify and assess quality risks and design and implement responses to address the quality risks. (Ref: Para. A39–A41)

24. The firm shall establish the quality objectives specified by this PES and any additional quality objectives considered necessary by the firm to achieve the objectives of the system of quality management. (Ref: Para. A42–A44)

25. The firm shall identify and assess quality risks to provide a basis for the design and implementation of responses. In doing so, the firm shall:

  1. Obtain an understanding of the conditions, events, circumstances, actions or inactions that may adversely affect the achievement of the quality objectives, including: (Ref: Para. A45–A47)

    1. With respect to the nature and circumstances of the firm, those relating to:

      1. The complexity and operating characteristics of the firm;

      2. The strategic and operational decisions and actions, business processes and business model of the firm;

      3. The characteristics and management style of leadership;

      4. The resources of the firm, including the resources provided by service providers;

      5. Law, regulation, professional standards and the environment in which the firm operates; and

      6. In the case of a firm that belongs to a network, the nature and extent of the network requirements and network services, if any.

    2. With respect to the nature and circumstances of the engagements performed by the firm, those relating to:

      1. The types of engagements performed by the firm and the reports to be issued; and

      2. The types of entities for which such engagements are undertaken.

  2. Take into account how, and the degree to which, the conditions, events, circumstances, actions or inactions in paragraph 25(a) may adversely affect the achievement of the quality objectives. (Ref: Para. A48)

26. The firm shall design and implement responses to address the quality risks in a manner that is based on, and responsive to, the reasons for the assessments given to the quality risks. The firm’s responses shall also include the responses specified in paragraph 34. (Ref: Para. A49–A51)

27. The firm shall establish policies or procedures that are designed to identify information that indicates additional quality objectives, or additional or modified quality risks or responses, are needed due to changes in the nature and circumstances of the firm or its engagements. If such information is identified, the firm shall consider the information and when appropriate: (Ref: Para. A52–A53)

  1. Establish additional quality objectives or modify additional quality objectives already established by the firm; (Ref: Para. A54)

  2. Identify and assess additional quality risks, modify the quality risks or reassess the quality risks; or

  3. Design and implement additional responses, or modify the responses.

Governance and Leadership

28. The firm shall establish the following quality objectives that address the firm’s governance and leadership, which establishes the environment that supports the system of quality management:

  1. The firm demonstrates a commitment to quality through a culture that exists throughout the firm, which recognises and reinforces: (Ref: Para. A55–A56)

    1. The firm’s role in serving the public interest by consistently performing quality engagements;

    2. The importance of professional ethics, values and attitudes;

    3. The responsibility of all personnel for quality relating to the performance of engagements or activities within the system of quality management, and their expected behaviour; and

    4. The importance of quality in the firm’s strategic decisions and actions, including the firm’s financial and operational priorities.

  2. Leadership is responsible and accountable for quality. (Ref: Para. A57)

  3. Leadership demonstrates a commitment to quality through their actions and behaviours. (Ref: Para. A58)

  4. The organisational structure and assignment of roles, responsibilities and authority is appropriate to enable the design, implementation and operation of the firm’s system of quality management. (Ref: Para. A32, A33, A35, A59)

  5. Resource needs, including financial resources, are planned for and resources are obtained, allocated or assigned in a manner that is consistent with the firm’s commitment to quality. (Ref: Para. A60–A61)

Relevant Ethical Requirements

29. The firm shall establish the following quality objectives that address the fulfillment of responsibilities in accordance with relevant ethical requirements, including those related to independence: (Ref: Para. A62–A64, A66)

  1. The firm and its personnel:

    1. Understand the relevant ethical requirements to which the firm and the firm’s engagements are subject; and (Ref: Para. A22, A24)

    2. Fulfill their responsibilities in relation to the relevant ethical requirements to which the firm and the firm’s engagements are subject.

  2. Others, including the network, network firms, individuals in the network or network firms, or service providers, who are subject to the relevant ethical requirements to which the firm and the firm’s engagements are subject:

    1. Understand the relevant ethical requirements that apply to them; and (Ref: Para. A22, A24, A65)

    2. Fulfill their responsibilities in relation to the relevant ethical requirements that apply to them.

Acceptance and Continuance of Client Relationships and Specific Engagements

30. The firm shall establish the following quality objectives that address the acceptance and continuance of client relationships and specific engagements:

  1. Judgements by the firm about whether to accept or continue a client relationship or specific engagement are appropriate based on:

    1. Information obtained about the nature and circumstances of the engagement and the integrity and ethical values of the client (including management, and, when appropriate, those charged with governance) that is sufficient to support such judgements; and (Ref: Para. A67–A71)

    2. The firm’s ability to perform the engagement in accordance with professional standards and applicable legal and regulatory requirements. (Ref: Para. A72)

  2. The financial and operational priorities of the firm do not lead to inappropriate judgements about whether to accept or continue a client relationship or specific engagement. (Ref: Para. A73–A74)

Engagement Performance

31. The firm shall establish the following quality objectives that address the performance of quality engagements:

  1. Engagement teams understand and fulfill their responsibilities in connection with the engagements, including, as applicable, the overall responsibility of engagement partners for managing and achieving quality on the engagement and being sufficiently and appropriately involved throughout the engagement. (Ref: Para. A75)

  2. The nature, timing and extent of direction and supervision of engagement teams and review of the work performed is appropriate based on the nature and circumstances of the engagements and the resources assigned or made available to the engagement teams, and the work performed by less experienced engagement team members is directed, supervised and reviewed by more experienced engagement team members. (Ref: Para. A76–A77)

  3. Engagement teams exercise appropriate professional judgement and, when applicable to the type of engagement, professional scepticism. (Ref: Para. A78)

  4. Consultation on difficult or contentious matters is undertaken and the conclusions agreed are implemented. (Ref: Para. A79–A81)

  5. Differences of opinion within the engagement team, or between the engagement team and the engagement quality reviewer or individuals performing activities within the firm’s system of quality management are brought to the attention of the firm and resolved. (Ref: Para. A82)

  6. Engagement documentation is assembled on a timely basis after the date of the engagement report, and is appropriately maintained and retained to meet the needs of the firm and comply with law, regulation, relevant ethical requirements, or professional standards. (Ref: Para. A83–A85)

Resources

32. The firm shall establish the following quality objectives that address appropriately obtaining, developing, using, maintaining, allocating and assigning resources in a timely manner to enable the design, implementation and operation of the system of quality management: (Ref: Para. A86–A87)

Human Resources

  1. Personnel are hired, developed and retained and have the competence and capabilities to: (Ref: Para. A88–A90)

    1. Consistently perform quality engagements, including having knowledge or experience relevant to the engagements the firm performs; or

    2. Perform activities or carry out responsibilities in relation to the operation of the firm’s system of quality management.

  2. Personnel demonstrate a commitment to quality through their actions and behaviours, develop and maintain the appropriate competence to perform their roles, and are held accountable or recognised through timely evaluations, compensation, promotion and other incentives. (Ref: Para. A91–A93)

  3. Individuals are obtained from external sources (i.e., the network, another network firm or a service provider) when the firm does not have sufficient or appropriate personnel to enable the operation of the firm’s system of quality management or performance of engagements. (Ref: Para. A94)

  4. Engagement team members are assigned to each engagement, including an engagement partner, who have appropriate competence and capabilities, including being given sufficient time, to consistently perform quality engagements. (Ref: Para. A88–A89, A95–A97)

  5. Individuals are assigned to perform activities within the system of quality management who have appropriate competence and capabilities, including sufficient time, to perform such activities.

Technological Resources

  6. Appropriate technological resources are obtained or developed, implemented, maintained, and used, to enable the operation of the firm’s system of quality management and the performance of engagements. (Ref: Para. A98–A101, A104)

Intellectual Resources

  7. Appropriate intellectual resources are obtained or developed, implemented, maintained, and used, to enable the operation of the firm’s system of quality management and the consistent performance of quality engagements, and such intellectual resources are consistent with professional standards and applicable legal and regulatory requirements, where applicable. (Ref: Para. A102–A104)

Service Providers

  8. Human, technological or intellectual resources from service providers are appropriate for use in the firm’s system of quality management and in the performance of engagements, taking into account the quality objectives in paragraph 32(d), (e), (f) and (g). (Ref: Para. A105–A108)

Information and Communication

33. The firm shall establish the following quality objectives that address obtaining, generating or using information regarding the system of quality management, and communicating information within the firm and to external parties on a timely basis to enable the design, implementation and operation of the system of quality management: (Ref: Para. A109)

  1. The information system identifies, captures, processes and maintains relevant and reliable information that supports the system of quality management, whether from internal or external sources. (Ref: Para. A110–A111)

  2. The culture of the firm recognises and reinforces the responsibility of personnel to exchange information with the firm and with one another. (Ref: Para. A112)

  3. Relevant and reliable information is exchanged throughout the firm and with engagement teams, including: (Ref: Para. A112)

    1. Information is communicated to personnel and engagement teams, and the nature, timing and extent of the information is sufficient to enable them to understand and carry out their responsibilities relating to performing activities within the system of quality management or engagements; and

    2. Personnel and engagement teams communicate information to the firm when performing activities within the system of quality management or engagements.

  4. Relevant and reliable information is communicated to external parties, including:

    1. Information is communicated by the firm to or within the firm’s network or to service providers, if any, enabling the network or service providers to fulfill their responsibilities relating to the network requirements or network services or resources provided by them; and (Ref: Para. A113)

    2. Information is communicated externally when required by law, regulation or professional standards, or to support external parties’ understanding of the system of quality management. (Ref: Para. A114–A115)

Specified Responses

34. In designing and implementing responses in accordance with paragraph 26, the firm shall include the following responses: (Ref: Para. A116)

  1. The firm establishes policies or procedures for:

    1. Identifying, evaluating and addressing threats to compliance with the relevant ethical requirements; and (Ref: Para. A117)

    2. Identifying, communicating, evaluating and reporting of any breaches of the relevant ethical requirements and appropriately responding to the causes and consequences of the breaches in a timely manner. (Ref: Para. A118–A119)

  2. The firm obtains, at least annually, a documented confirmation of compliance with independence requirements from all personnel required by relevant ethical requirements to be independent.

  3. The firm establishes policies or procedures for receiving, investigating and resolving complaints and allegations about failures to perform work in accordance with professional standards and applicable legal and regulatory requirements, or non-compliance with the firm’s policies or procedures established in accordance with this PES. (Ref: Para. A120–A121)

  4. The firm establishes policies or procedures that address circumstances when:

    1. The firm becomes aware of information subsequent to accepting or continuing a client relationship or specific engagement that would have caused it to decline the client relationship or specific engagement had that information been known prior to accepting or continuing the client relationship or specific engagement; or (Ref: Para. A122–A123)

    2. The firm is obligated by law or regulation to accept a client relationship or specific engagement. (Ref: Para. A123)

  5. [Amended by the NZAuASB]

NZ34(e) The firm establishes policies or procedures that: (Ref: Para. A124–A126)

  1. Require communication with those charged with governance when performing an audit of financial statements of FMC reporting entities considered to have a higher level of public accountability about how the system of quality management supports the consistent performance of quality audit engagements; (Ref: Para. A127–A129)

  2. Address when it is otherwise appropriate to communicate with external parties about the firm’s system of quality management; and (Ref: Para. A130)

  3. Address the information to be provided when communicating externally in accordance with paragraphs 34(e)(i) and 34(e)(ii), including the nature, timing and extent and appropriate form of communication. (Ref: Para. A131–A132)

  6. [Amended by the NZAuASB]

NZ34(f) The firm establishes policies or procedures that address engagement quality reviews in accordance with PES 4, and require an engagement quality review for:

  1. Audits of financial statements of FMC reporting entities considered to have a higher level of public accountability;

  2. Audits or other engagements for which an engagement quality review is required by law or regulation9; and (Ref: Para. A133)

  3. Audits or other engagements for which the firm determines that an engagement quality review is an appropriate response to address one or more quality risk(s). (Ref: Para. A134–A137)

Monitoring and Remediation Process

35. The firm shall establish a monitoring and remediation process to: (Ref: Para. A138)

  1. Provide relevant, reliable and timely information about the design, implementation and operation of the system of quality management.

  2. Take appropriate actions to respond to identified deficiencies such that deficiencies are remediated on a timely basis.

Designing and Performing Monitoring Activities

36. The firm shall design and perform monitoring activities to provide a basis for the identification of deficiencies.

37. In determining the nature, timing and extent of the monitoring activities, the firm shall take into account: (Ref: Para. A139–A142)

  1. The reasons for the assessments given to the quality risks;

  2. The design of the responses;

  3. The design of the firm’s risk assessment process and monitoring and remediation process; (Ref: Para. A143–A144)

  4. Changes in the system of quality management; (Ref: Para. A145)

  5. The results of previous monitoring activities, whether previous monitoring activities continue to be relevant in evaluating the firm’s system of quality management and whether remedial actions to address previously identified deficiencies were effective; and (Ref: Para. A146–A147)

  6. Other relevant information, including complaints and allegations about failures to perform work in accordance with professional standards and applicable legal and regulatory requirements or non-compliance with the firm’s policies or procedures established in accordance with this PES, information from external inspections and information from service providers. (Ref: Para. A148–A150)

38. The firm shall include the inspection of completed engagements in its monitoring activities and shall determine which engagements and engagement partners to select. In doing so, the firm shall: (Ref: Para. A141, A151–A154)

  1. Take into account the matters in paragraph 37;

  2. Consider the nature, timing and extent of other monitoring activities undertaken by the firm and the engagements and engagement partners subject to such monitoring activities; and

  3. Select at least one completed engagement for each engagement partner on a cyclical basis determined by the firm.

39. The firm shall establish policies or procedures that:

  1. Require the individuals performing the monitoring activities to have the competence and capabilities, including sufficient time, to perform the monitoring activities effectively; and

  2. Address the objectivity of the individuals performing the monitoring activities. Such policies or procedures shall prohibit the engagement team members or the engagement quality reviewer of an engagement from performing any inspection of that engagement. (Ref: Para. A155–A156)

Evaluating Findings and Identifying Deficiencies

40. The firm shall evaluate findings to determine whether deficiencies exist, including in the monitoring and remediation process. (Ref: Para. A157–A162)

Evaluating Identified Deficiencies

41. The firm shall evaluate the severity and pervasiveness of identified deficiencies by: (Ref: Para. A161, A163–A164)

  1. Investigating the root cause(s) of the identified deficiencies. In determining the nature, timing and extent of the procedures to investigate the root cause(s), the firm shall take into account the nature of the identified deficiencies and their possible severity. (Ref: Para. A165–A169)

  2. Evaluating the effect of the identified deficiencies, individually and in aggregate, on the system of quality management.

Responding to Identified Deficiencies

42. The firm shall design and implement remedial actions to address identified deficiencies that are responsive to the results of the root cause analysis. (Ref: Para. A170–A172)

43. The individual(s) assigned operational responsibility for the monitoring and remediation process shall evaluate whether the remedial actions:

  1. Are appropriately designed to address the identified deficiencies and their related root cause(s) and determine that they have been implemented; and

  2. Implemented to address previously identified deficiencies are effective.

44. If the evaluation indicates that the remedial actions are not appropriately designed and implemented or are not effective, the individual(s) assigned operational responsibility for the monitoring and remediation process shall take appropriate action to determine that the remedial actions are appropriately modified such that they are effective.

Findings About a Particular Engagement

45. The firm shall respond to circumstances when findings indicate that there is an engagement(s) for which procedures required were omitted during the performance of the engagement(s) or the report issued may be inappropriate. The firm’s response shall include: (Ref: Para. A173)

  1. Taking appropriate action to comply with relevant professional standards and applicable legal and regulatory requirements; and

  2. When the report is considered to be inappropriate, considering the implications and taking appropriate action, including considering whether to obtain legal advice.

Ongoing Communication Related to Monitoring and Remediation

46. The individual(s) assigned operational responsibility for the monitoring and remediation process shall communicate on a timely basis to the individual(s) assigned ultimate responsibility and accountability for the system of quality management and the individual(s) assigned operational responsibility for the system of quality management: (Ref: Para. A174)

  1. A description of the monitoring activities performed;

  2. The identified deficiencies, including the severity and pervasiveness of such deficiencies; and

  3. The remedial actions to address the identified deficiencies.

47. The firm shall communicate the matters described in paragraph 46 to engagement teams and other individuals assigned activities within the system of quality management to enable them to take prompt and appropriate action in accordance with their responsibilities.

Network Requirements or Network Services

48. When the firm belongs to a network, the firm shall understand, when applicable: (Ref: Para. A19, A175)

  1. The requirements established by the network regarding the firm’s system of quality management, including requirements for the firm to implement or use resources or services designed or otherwise provided by or through the network (i.e., network requirements);

  2. Any services or resources provided by the network that the firm chooses to implement or use in the design, implementation or operation of the firm’s system of quality management (i.e., network services); and

  3. The firm’s responsibilities for any actions that are necessary to implement the network requirements or use network services. (Ref: Para. A176)

The firm remains responsible for its system of quality management, including professional judgements made in the design, implementation and operation of the system of quality management. The firm shall not allow compliance with the network requirements or use of network services to contravene the requirements of this PES. (Ref: Para. A177)

49. Based on the understanding obtained in paragraph 48, the firm shall:

  1. Determine how the network requirements or network services are relevant to, and are taken into account in, the firm’s system of quality management, including how they are to be implemented; and (Ref: Para. A178)

  2. Evaluate whether and, if so, how the network requirements or network services need to be adapted or supplemented by the firm to be appropriate for use in its system of quality management. (Ref: Para. A179–A180)

Monitoring Activities Undertaken by the Network on the Firm’s System of Quality Management

50. In circumstances when the network performs monitoring activities relating to the firm’s system of quality management, the firm shall:

  1. Determine the effect of the monitoring activities performed by the network on the nature, timing and extent of the firm’s monitoring activities performed in accordance with paragraphs 36–38;

  2. Determine the firm’s responsibilities in relation to the monitoring activities, including any related actions by the firm; and

  3. As part of evaluating findings and identifying deficiencies in paragraph 40, obtain the results of the monitoring activities from the network in a timely manner. (Ref: Para. A181)

Monitoring Activities Undertaken by the Network Across the Network Firms

51. The firm shall:

  1. Understand the overall scope of the monitoring activities undertaken by the network across the network firms, including monitoring activities to determine that network requirements have been appropriately implemented across the network firms, and how the network will communicate the results of its monitoring activities to the firm;

  2. At least annually, obtain information from the network about the overall results of the network’s monitoring activities across the network firms, if applicable, and: (Ref: Para. A182–A184)

    1. Communicate the information to engagement teams and other individuals assigned activities within the system of quality management, as appropriate, to enable them to take prompt and appropriate action in accordance with their responsibilities; and

    2. Consider the effect of the information on the firm’s system of quality management.

Deficiencies in Network Requirements or Network Services Identified by the Firm

52. If the firm identifies a deficiency in the network requirements or network services, the firm shall: (Ref: Para. A185)

  1. Communicate to the network relevant information about the identified deficiency; and

  2. In accordance with paragraph 42, design and implement remedial actions to address the effect of the identified deficiency in the network requirements or network services. (Ref: Para. A186)

Evaluating the System of Quality Management

53. The individual(s) assigned ultimate responsibility and accountability for the system of quality management shall evaluate, on behalf of the firm, the system of quality management. The evaluation shall be undertaken as of a point in time, and performed at least annually. (Ref: Para. A187–A189)

54. Based on the evaluation, the individual(s) assigned ultimate responsibility and accountability for the system of quality management shall conclude, on behalf of the firm, one of the following: (Ref: Para. A190, A195)

  1. The system of quality management provides the firm with reasonable assurance that the objectives of the system of quality management are being achieved; (Ref: Para. A191)

  2. Except for matters related to identified deficiencies that have a severe but not pervasive effect on the design, implementation and operation of the system of quality management, the system of quality management provides the firm with reasonable assurance that the objectives of the system of quality management are being achieved; or (Ref: Para. A192)

  3. The system of quality management does not provide the firm with reasonable assurance that the objectives of the system of quality management are being achieved. (Ref: Para. A192–A194)

55. If the individual(s) assigned ultimate responsibility and accountability for the system of quality management reaches the conclusion described in paragraph 54(b) or 54(c), the firm shall: (Ref: Para. A196)

  1. Take prompt and appropriate action; and

  2. Communicate to:

    1. Engagement teams and other individuals assigned activities within the system of quality management to the extent that it is relevant to their responsibilities; and (Ref: Para. A197)

    2. External parties in accordance with the firm’s policies or procedures required by paragraph 34(e). (Ref: Para. A198)

56. The firm shall undertake periodic performance evaluations of the individual(s) assigned ultimate responsibility and accountability for the system of quality management, and the individual(s) assigned operational responsibility for the system of quality management. In doing so, the firm shall take into account the evaluation of the system of quality management. (Ref: Para. A199–A201)

Documentation

57. The firm shall prepare documentation of its system of quality management that is sufficient to: (Ref: Para. A202–A204)

  1. Support a consistent understanding of the system of quality management by personnel, including an understanding of their roles and responsibilities with respect to the system of quality management and the performance of engagements;

  2. Support the consistent implementation and operation of the responses; and

  3. Provide evidence of the design, implementation and operation of the responses, to support the evaluation of the system of quality management by the individual(s) assigned ultimate responsibility and accountability for the system of quality management.

58. In preparing documentation, the firm shall include:

  1. The identification of the individual(s) assigned ultimate responsibility and accountability for the system of quality management and operational responsibility for the system of quality management;

  2. The firm’s quality objectives and quality risks; (Ref: Para. A205)

  3. A description of the responses and how the firm’s responses address the quality risks;

  4. Regarding the monitoring and remediation process:

    1. Evidence of the monitoring activities performed;

    2. The evaluation of findings, and identified deficiencies and their related root cause(s);

    3. Remedial actions to address identified deficiencies and the evaluation of the design and implementation of such remedial actions; and

    4. Communications about monitoring and remediation; and

  5. The basis for the conclusion reached pursuant to paragraph 54.

59. The firm shall document the matters in paragraph 58 as they relate to network requirements or network services and the evaluation of the network requirements or network services in accordance with paragraph 49(b). (Ref: Para. A206)

60. The firm shall establish a period of time for the retention of documentation for the system of quality management that is sufficient to enable the firm to monitor the design, implementation and operation of the firm’s system of quality management, or for a longer period if required by law or regulation.

9 In New Zealand, the Auditor Regulation Act (Prescribed Minimum Standards and Conditions for Licensed Auditors and Registered Audit Firms) Notice 2020 requires an engagement quality review for all FMC Reporting Entities including FMC Reporting Entities with lower public accountability.

Scope of this Professional and Ethical Standard (Ref: Para. 3–4)

A1. Other pronouncements of the NZAuASB, including ISRE (NZ) 2400 (Revised)10 and ISAE (NZ) 3000 (Revised),11 also establish requirements for the engagement partner for the management of quality at the engagement level.

A2. Professional and Ethical Standard 1 contains requirements and application material for assurance practitioners that enable assurance practitioners to meet their responsibility to act in the public interest. As indicated in paragraph 15, in the context of engagement performance as described in this PES, the consistent performance of quality engagements forms part of the assurance practitioner’s responsibility to act in the public interest.

The Firm’s System of Quality Management (Ref: Para. 6–9)

A3. The firm may use different terminology or frameworks to describe the components of its system of quality management.

A4. Examples of the interconnected nature of the components include the following:

  • The firm’s risk assessment process sets out the process the firm is required to follow in implementing a risk-based approach across the system of quality management.

  • The governance and leadership component establishes the environment that supports the system of quality management.

  • The resources and information and communication components enable the design, implementation and operation of the system of quality management.

  • The monitoring and remediation process is a process designed to monitor the entire system of quality management. The results of the monitoring and remediation process provide information that is relevant to the firm’s risk assessment process.

  • There may be relationships between specific matters, for example, certain aspects of relevant ethical requirements are relevant to accepting and continuing client relationships and specific engagements.

A5. Reasonable assurance is obtained when the system of quality management reduces to an acceptably low level the risk that the objectives stated in paragraph 14(a) and (b) are not achieved. Reasonable assurance is not an absolute level of assurance, because there are inherent limitations of a system of quality management. Such limitations include that human judgement in decision making can be faulty and that breakdowns in a firm’s system of quality management may occur, for example, due to human error or behaviour or failures in information technology (IT) applications.

Authority of this Professional and Ethical Standard (Ref: Para. 12)

A6. The objective of this PES provides the context in which the requirements of this PES are set, establishes the desired outcome of this PES and is intended to assist the firm in understanding what needs to be accomplished and, where necessary, the appropriate means of doing so.

A7. The requirements of this PES are expressed using “shall.”

A8. Where necessary, the application and other explanatory material provides further explanation of the requirements and guidance for carrying them out. In particular, it may:

  • Explain more precisely what a requirement means or is intended to cover; and

  • Include examples that illustrate how the requirements might be applied.

While such guidance does not in itself impose a requirement, it is relevant to the proper application of the requirements. The application and other explanatory material may also provide background information on matters addressed in this PES. Where appropriate, additional considerations specific to public sector audit organisations are included within the application and other explanatory material. These additional considerations assist in the application of the requirements in this PES. They do not, however, limit or reduce the responsibility of the firm to apply and comply with the requirements in this PES.

A9. This PES includes, under the heading “Definitions,” a description of the meanings attributed to certain terms for purposes of this PES. These definitions are provided to assist in the consistent application and interpretation of this PES, and are not intended to override definitions that may be established for other purposes, whether in law, regulation or otherwise. Explanatory Guide (EG) Au4 Glossary of Terms issued by the NZAuASB includes the terms defined in this PES. EG Au4 also includes descriptions of other terms found in the PES 3 and PES 4 to assist in common and consistent interpretation and translation.

Definitions

Deficiency (Ref: Para. 16(a))

A10. The firm identifies deficiencies through evaluating findings. A deficiency may arise from a finding, or a combination of findings.

A11. When a deficiency is identified as a result of a quality risk, or combination of quality risks, not being identified or properly assessed, the response(s) to address such quality risk(s) may also be absent, or not appropriately designed or implemented.

A12. The other aspects of the system of quality management consist of the requirements in this PES addressing:

  • Assigning responsibilities (paragraphs 20–22);

  • The firm’s risk assessment process;

  • The monitoring and remediation process; and

  • The evaluation of the system of quality management.

Examples of deficiencies related to other aspects of the system of quality management

  • The firm’s risk assessment process fails to identify information that indicates changes in the nature and circumstances of the firm and its engagements and the need to establish additional quality objectives, or modify the quality risks or responses.

  • The firm’s monitoring and remediation process is not designed or implemented in a manner that:

    • Provides relevant, reliable and timely information about the design, implementation and operation of the system of quality management.

    • Enables the firm to take appropriate actions to respond to identified deficiencies such that deficiencies are remediated on a timely basis.

  • The individual(s) assigned ultimate responsibility and accountability for the system of quality management does not undertake the annual evaluation of the system of quality management.

Engagement Team (Ref: Para. 16(f))

A13. ISA (NZ) 220 (Revised)12 provides guidance in applying the definition of engagement team in the context of an audit of financial statements.

External Inspections (Ref: Para. 16(g))

A14. In some circumstances, an external oversight authority may undertake other types of inspections, for example, thematic reviews that focus on, for a selection of firms, particular aspects of audit engagements or firm-wide practices.

Findings (Ref: Para. 16(h))

A15. As part of accumulating findings from monitoring activities, external inspections and other relevant sources, the firm may identify other observations about the firm’s system of quality management, such as positive outcomes or opportunities for the firm to improve, or further enhance, the system of quality management. Paragraph A158 explains how other observations may be used by the firm in the system of quality management.

A16. Paragraph A148 provides examples of information from other relevant sources.

A17. Monitoring activities include monitoring at the engagement level, such as inspection of engagements. Furthermore, external inspections and other relevant sources may include information that relates to specific engagements. As a result, information about the design, implementation and operation of the system of quality management includes engagement-level findings that may be indicative of findings in relation to the system of quality management.

Firm (Ref: Para. 16(i))

A18. The definition of “firm” in relevant ethical requirements may differ from the definition set out in this PES.

Network (Ref: Para. 16(l), 48)

A19. Networks and the firms within the network may be structured in a variety of ways. For example, in the context of a firm’s system of quality management:

  • The network may establish requirements for the firm related to its system of quality management, or provide services that are used by the firm in its system of quality management or in the performance of engagements;

  • Other firms within the network may provide services (e.g., resources) that are used by the firm in its system of quality management or in the performance of engagements; or

  • Other structures or organisations within the network may establish requirements for the firm related to its system of quality management, or provide services.

For the purposes of this PES, any network requirements or network services that are obtained from the network, another firm within the network or another structure or organisation in the network are considered “network requirements or network services.”

Personnel (Ref: Para. 16(n))

A20. In addition to personnel (i.e., individuals in the firm), the firm may use individuals external to the firm in performing activities in the system of quality management or in the performance of engagements. For example, individuals external to the firm may include individuals from other network firms (e.g., individuals in a service delivery centre of a network firm) or individuals employed by a service provider (e.g., a component auditor from another firm not within the firm’s network).

A21. Personnel also includes partners and staff in other structures of the firm, such as a service delivery centre in the firm.

Relevant Ethical Requirements (Ref: Para. 16(t), 29)

A22. The relevant ethical requirements that are applicable in the context of a system of quality management may vary, depending on the nature and circumstances of the firm and its engagements. The term “assurance practitioner” may be defined in relevant ethical requirements. For example, PES 1 defines the term “assurance practitioner” and further explains the scope of provisions in PES 1 that apply to individual assurance practitioners in public practice and their firms.

A23. PES 1 addresses circumstances when law or regulation precludes the assurance practitioner from complying with certain parts of PES 1. It further acknowledges that some jurisdictions might have provisions in law or regulation that differ from or go beyond those set out in PES 1 and that assurance practitioners in those jurisdictions need to be aware of those differences and comply with the more stringent provisions, unless prohibited by law or regulation.

A24. Various provisions of the relevant ethical requirements may apply only to individuals in the context of the performance of engagements and not the firm itself. For example:

  • Part 2 of PES 1 applies to individuals who are assurance practitioners in public practice when they are performing professional activities pursuant to their relationship with the firm, whether as a contractor, employee or owner, and may be relevant in the context of the performance of engagements.

  • Certain requirements in Parts 3 and 4 of PES 1 also apply to individuals who are assurance practitioners in public practice when they are performing professional activities for clients.

Compliance with such relevant ethical requirements by individuals may need to be addressed by the firm’s system of quality management.

Example of relevant ethical requirements that are applicable only to individuals and not the firm, and which relate to the performance of engagements

Part 2 of PES 1 addresses pressure to breach the fundamental principles, and includes requirements that an individual shall not:

  • Allow pressure from others to result in a breach of compliance with the fundamental principles; or

  • Place pressure on others that the accountant knows, or has reason to believe, would result in the other individuals breaching the fundamental principles.

For example, circumstances may arise when, in performing an engagement, an individual considers that the engagement partner or another senior member of the engagement team has pressured them to breach the fundamental principles.

Response (Ref: Para. 16(u))

A25. Policies are implemented through the actions of personnel and other individuals whose actions are subject to the policies (including engagement teams), or through their restraint from taking actions that would conflict with the firm’s policies.

A26. Procedures may be mandated, through formal documentation or other communications, or may result from behaviours that are not mandated but are rather conditioned by the firm’s culture. Procedures may be enforced through the actions permitted by IT applications, or other aspects of the firm’s IT environment.

A27. If the firm uses individuals external to the firm in the system of quality management or in the performance of engagements, different policies or procedures may need to be designed by the firm to address the actions of the individuals. ISA (NZ) 220 (Revised)¹³ provides guidance when different policies or procedures may need to be designed by the firm to address the actions of individuals external to the firm in the context of an audit of financial statements.

Service Provider (Ref: Para. 16(v))

A28. Service providers include component auditors from other firms not within the firm’s network.

Applying, and Complying with, Relevant Requirements (Ref: Para. 17)

A29. Examples of when a requirement of this PES may not be relevant to the firm

  • The firm is a sole practitioner. For example, the requirements addressing the organisational structure and assigning roles, responsibilities and authority within the firm, direction, supervision and review and addressing differences of opinion may not be relevant.

  • The firm only performs engagements that are related services engagements. For example, if the firm is not required to maintain independence for related services engagements, the requirement to obtain a documented confirmation of compliance with independence requirements from all personnel would not be relevant.

System of Quality Management

Design, Implement and Operate a System of Quality Management (Ref: Para. 19)

A30. Quality management is not a separate function of the firm; it is the integration of a culture that demonstrates a commitment to quality with the firm’s strategy, operational activities and business processes. As a result, designing the system of quality management and the firm’s operational activities and business processes in an integrated manner may promote a harmonious approach to managing the firm, and enhance the effectiveness of quality management.

A31. The quality of professional judgements exercised by the firm is likely to be enhanced when individuals making such judgements demonstrate an attitude that includes an inquiring mind, which involves:

  • Considering the source, relevance and sufficiency of information obtained about the system of quality management, including information related to the nature and circumstances of the firm and its engagements; and

  • Being open and alert to a need for further investigation or other action.

Responsibilities (Ref: Para. 20–21, 28(d))

A32. The governance and leadership component includes a quality objective that the firm has an organisational structure and assignment of roles, responsibilities and authority that is appropriate to enable the design, implementation and operation of the firm’s system of quality management.

A33. Notwithstanding the assignment of responsibilities related to the system of quality management in accordance with paragraph 20, the firm remains ultimately responsible for the system of quality management and holding individuals responsible and accountable for their assigned roles. For example, in accordance with paragraphs 53 and 54, although the firm assigns the evaluation of the system of quality management and conclusion thereon to the individual(s) assigned ultimate responsibility and accountability for the system of quality management, the firm is responsible for the evaluation and conclusion.

A34. An individual(s) assigned responsibility for the matters in paragraph 20 is typically a partner of the firm so that they have appropriate influence and authority within the firm, as required by paragraph 21. However, based on the legal structure of the firm, there may be circumstances when an individual(s) may not be a partner of the firm but the individual(s) has the appropriate influence and authority within the firm to perform their assigned role because of formal arrangements made by the firm or the firm’s network.

A35. How the firm assigns roles, responsibilities and authority within the firm may vary and law or regulation may impose certain requirements for the firm that affect the leadership and management structure or their assigned responsibilities. An individual(s) assigned responsibility for a matter(s) in paragraph 20 may further assign roles, procedures, tasks or actions to other individuals to assist them in fulfilling their responsibilities. However, an individual(s) assigned responsibility for a matter(s) in paragraph 20 remains responsible and accountable for the responsibilities assigned to them.

Scalability example to demonstrate how assigning roles and responsibilities may be undertaken

  • In a less complex firm, ultimate responsibility and accountability for the system of quality management may be assigned to a single managing partner with sole responsibility for the oversight of the firm. This individual may also assume responsibility for all aspects of the system of quality management, including operational responsibility for the system of quality management, compliance with independence requirements and the monitoring and remediation process.

  • In a more complex firm, there may be multiple levels of leadership that reflect the organisational structure of the firm, and the firm may have an independent governing body that has non-executive oversight of the firm, which may comprise external individuals. Furthermore, the firm may assign operational responsibility for specific aspects of the system of quality management beyond those specified in paragraph 20(c), such as operational responsibility for compliance with ethical requirements or operational responsibility for managing a service line.

A36. Compliance with independence requirements is essential to the performance of audits, or reviews of financial statements, or other assurance engagements, and is an expectation of stakeholders relying on the firm’s reports. The individual(s) assigned operational responsibility for compliance with independence requirements is ordinarily responsible for the oversight of all matters related to independence so that a robust and consistent approach is designed and implemented by the firm to deal with independence requirements.

A37. Law, regulation or professional standards may establish additional requirements for an individual assigned responsibility for a matter(s) in paragraph 20, such as requirements for professional licensing, professional education or continuing professional development.

A38. The appropriate experience and knowledge for the individual(s) assigned operational responsibility for the system of quality management ordinarily includes an understanding of the firm’s strategic decisions and actions and experience with the firm’s business operations.

The Firm’s Risk Assessment Process (Ref: Para. 23)

A39. How the firm designs the firm’s risk assessment process may be affected by the nature and circumstances of the firm, including how the firm is structured and organised.

Scalability examples to demonstrate how the firm’s risk assessment process may differ

  • In a less complex firm, the individual(s) assigned operational responsibility for the system of quality management may have a sufficient understanding of the firm and its engagements to undertake the risk assessment process. Furthermore, the documentation of the quality objectives, quality risks and responses may be less extensive than for a more complex firm (e.g., it may be documented in a single document).

  • In a more complex firm, there may be a formal risk assessment process, involving multiple individuals and numerous activities. The process may be centralised (e.g., the quality objectives, quality risks and responses are established centrally for all business units, functions and service lines) or decentralised (e.g., the quality objectives, quality risks and responses are established at a business unit, function or service line level, with the outputs combined at the firm level). The firm’s network may also provide the firm with quality objectives, quality risks and responses to be included in the firm’s system of quality management.

A40. The process of establishing quality objectives, identifying and assessing quality risks and designing and implementing responses is iterative, and the requirements of this PES are not intended to be addressed in a linear manner. For example:

  • In identifying and assessing quality risks, the firm may determine that an additional quality objective(s) needs to be established.

  • When designing and implementing responses, the firm may determine that a quality risk was not identified and assessed.

A41. Information sources that enable the firm to establish quality objectives, identify and assess quality risks and design and implement responses form part of the firm’s information and communication component and include:

  • The results of the firm’s monitoring and remediation process (see paragraphs 42 and A171).

  • Information from the network or service providers, including:

      • Information about network requirements or network services (see paragraph 48); and

      • Other information from the network, including information about the results of monitoring activities undertaken by the network across the network firms (see paragraphs 50–51).

Other information, both internal or external, may also be relevant to the firm’s risk assessment process, such as:

  • Information regarding complaints and allegations about failures to perform work in accordance with professional standards and applicable legal and regulatory requirements, or non-compliance with the firm’s policies or procedures established in accordance with this PES.

  • The results of external inspections.

  • Information from regulators about the entities for whom the firm performs engagements which is made available to the firm, such as information from a securities regulator about an entity for whom the firm performs engagements (e.g., irregularities in the entity’s financial statements or non-compliance with securities regulation).

  • Changes in the system of quality management that affect other aspects of the system, for example, changes in the firm’s resources.

  • Other external sources, such as regulatory actions and litigation against the firm or other firms in the jurisdiction that may highlight areas for the firm to consider.

Establish Quality Objectives (Ref: Para. 24)

A42. Law, regulation or professional standards may establish requirements that give rise to additional quality objectives. For example, a firm may be required by law or regulation to appoint non-executive individuals to the firm’s governance structure and the firm considers it necessary to establish additional quality objectives to address the requirements.

A43. The nature and circumstances of the firm and its engagements may be such that the firm may not find it necessary to establish additional quality objectives.

A44. The firm may establish sub-objectives to enhance the firm’s identification and assessment of quality risks, and design and implementation of responses.

Identify and Assess Quality Risks (Ref: Para. 25)

A45. There may be other conditions, events, circumstances, actions or inactions not described in paragraph 25(a) that may adversely affect the achievement of a quality objective.

A46. A risk arises from how, and the degree to which, a condition, event, circumstance, action or inaction may adversely affect the achievement of a quality objective. Not all risks meet the definition of a quality risk. Professional judgement assists the firm in determining whether a risk is a quality risk, which is based on the firm’s consideration of whether there is a reasonable possibility of the risk occurring, and individually, or in combination with other risks, adversely affecting the achievement of one or more quality objectives.

Examples of the firm’s understanding of the conditions, events, circumstances, actions or inactions that may adversely affect the achievement of the quality objectives

Examples of quality risks that may arise

  • The strategic and operational decisions and actions, business processes and business model of the firm: The firm’s overall financial goals are overly dependent on the extent of services provided by the firm not within the scope of this PES.

    In the context of governance and leadership, this may give rise to a number of quality risks such as:

      • Resources are allocated or assigned in a manner that prioritises the services not within the scope of this PES and may negatively affect the quality of engagements within the scope of this PES.

      • Decisions about financial and operational priorities do not fully or adequately consider the importance of quality in the performance of engagements within the scope of this PES.

  • The characteristics and management style of leadership: The firm is a smaller firm with a few engagement partners with shared authority.

    In the context of governance and leadership, this may give rise to a number of quality risks such as:

      • Leadership’s responsibilities and accountability for quality are not clearly defined and assigned.

      • The actions and behaviours of leadership that do not promote quality are not questioned.

  • The complexity and operating characteristics of the firm: The firm has recently completed a merger with another firm.

    In the context of resources, this may give rise to a number of quality risks including:

      • Technological resources used by the two merged firms may be incompatible.

      • Engagement teams may use intellectual resources developed by a firm prior to the merger, which are no longer consistent with the new methodology being used by the new merged firm.

A47. Given the evolving nature of the system of quality management, the responses designed and implemented by the firm may give rise to conditions, events, circumstances, actions or inactions that result in further quality risks. For example, the firm may implement a resource (e.g., a technological resource) to address a quality risk, and quality risks may arise from the use of such resource.

A48. The degree to which a risk, individually, or in combination with other risks may adversely affect the achievement of a quality objective(s) may vary based on the conditions, events, circumstances, actions or inactions giving rise to the risk, taking into account, for example:

  • How the condition, event, circumstance, action or inaction would affect the achievement of the quality objective.

  • How frequently the condition, event, circumstance, action or inaction is expected to occur.

  • How long it would take after the condition, event, circumstance, action or inaction occurred for it to have an effect, and whether in that time the firm would have an opportunity to respond to mitigate the effect of the condition, event, circumstance, action or inaction.

  • How long the condition, event, circumstance, action or inaction would affect the achievement of the quality objective once it has occurred.

The assessment of quality risks need not comprise formal ratings or scores, although firms are not precluded from using them.

Design and Implement Responses to Address the Quality Risks (Ref: Para. 16(u), 26)

A49. The nature, timing and extent of the responses are based on the reasons for the assessment given to the quality risks, which is the considered occurrence and effect on the achievement of one or more quality objectives.

A50. The responses designed and implemented by the firm may operate at the firm level or engagement level, or there may be a combination of responsibilities for actions to be taken at the firm and engagement level.

Example of a response designed and implemented by the firm that operates at both the firm and engagement level

The firm establishes policies or procedures for consultation which include with whom consultation should be undertaken by engagement teams and the specific matters for which consultation is required. The firm appoints suitably qualified and experienced individuals to provide the consultations. The engagement team is responsible for identifying when matters for consultation occur and initiating consultation, and implementing the conclusions from consultation.¹⁴

A51. The need for formally documented policies or procedures may be greater for firms that have many personnel or that are geographically dispersed, in order to achieve consistency across the firm.

Changes in the Nature and Circumstances of the Firm or its Engagements (Ref: Para. 27)

A52. Scalability example to demonstrate how policies or procedures for identifying information about changes in the nature and circumstances of the firm and its engagements may vary

  • In a less complex firm, the firm may have informal policies or procedures to identify information about changes in the nature and circumstances of the firm or its engagements, particularly when the individual(s) responsible for establishing quality objectives, identifying and assessing quality risks and designing and implementing responses is able to identify such information in the normal course of their activities.

  • In a more complex firm, the firm may need to establish more formal policies or procedures to identify and consider information about changes in the nature and circumstances of the firm or its engagements. This may include, for example, a periodic review of information relating to the nature and circumstances of the firm and its engagements, including ongoing tracking of trends and occurrences in the firm’s internal and external environment.

A53. Additional quality objectives may need to be established, or quality risks and responses added to or modified, as part of the remedial actions undertaken by the firm to address an identified deficiency in accordance with paragraph 42.

A54. The firm may have established quality objectives in addition to those specified by this PES. The firm may also identify information that indicates that additional quality objectives already established by the firm are no longer needed, or need to be modified.

Governance and Leadership

Commitment to Quality (Ref: Para. 28(a))

A55. The firm’s culture is an important factor in influencing the behaviour of personnel. Relevant ethical requirements ordinarily establish the principles of professional ethics, and are further addressed in the relevant ethical requirements component of this PES. Professional values and attitudes may include:

  • Professional manner, for example, timeliness, courteousness, respect, accountability, responsiveness, and dependability.

  • A commitment to teamwork.

  • Maintaining an open mind to new ideas or different perspectives in the professional environment.

  • Pursuit of excellence.

  • A commitment to continual improvement (e.g., setting expectations beyond the minimum requirements and placing a focus on continual learning).

  • Social responsibility.

A56. The firm’s strategic decision-making process, including the establishment of a business strategy, may include matters such as the firm’s decisions about financial and operational matters, the firm’s financial goals, how financial resources are managed, growth of the firm’s market share, industry specialisation or new service offerings. The firm’s financial and operational priorities may directly or indirectly affect the firm’s commitment to quality, for example, the firm may have incentives that are focused on financial and operational priorities that may discourage behaviours that demonstrate a commitment to quality.

Leadership (Ref: Para. 28(b) and 28(c))

A57. The responses designed and implemented by the firm to hold leadership responsible and accountable for quality include the performance evaluations required by paragraph 56.

A58. Although leadership establishes the tone at the top through their actions and behaviours, clear, consistent and frequent actions and communications at all levels within the firm collectively contribute to the firm’s culture and demonstrate a commitment to quality.

Organisational Structure (Ref: Para. 28(d))

A59. The organisational structure of the firm may include operating units, operational processes, divisions or geographical locations and other structures. In some instances, the firm may concentrate or centralise processes or activities in a service delivery centre, and engagement teams may include personnel from the firm’s service delivery centre who perform specific tasks that are repetitive or specialised in nature.

Resources (Ref: Para. 28(e))

A60. The individual(s) assigned ultimate responsibility and accountability or operational responsibility for the system of quality management is in most cases able to influence the nature and extent of resources that the firm obtains, develops, uses and maintains, and how those resources are allocated or assigned, including the timing of when they are used.

A61. As resource needs may change over time it may not be practicable to anticipate all resource needs. The firm’s resource planning may involve determining the resources currently required, forecasting the firm’s future resource needs, and establishing processes to deal with unanticipated resource needs when they arise.

Relevant Ethical Requirements (Ref: Para. 16(t), 29)

A62. PES 1 sets out the fundamental principles of ethics that establish the standards of behaviour expected of an assurance practitioner and establishes the International Independence Standards (New Zealand). The fundamental principles are integrity, objectivity, professional competence and due care, confidentiality and professional behaviour. PES 1 also specifies the approach that an assurance practitioner is required to apply to comply with the fundamental principles and, when applicable, the International Independence Standards (New Zealand). In addition, PES 1 addresses specific topics relevant to complying with the fundamental principles. Law or regulation in a jurisdiction may also contain provisions addressing ethical requirements, including independence, such as privacy laws affecting the confidentiality of information.

A63. In some cases, the matters addressed by the firm in its system of quality management may be more specific than, or additional to, the provisions of relevant ethical requirements.

Examples of matters that a firm may include in its system of quality management that are more specific than, or additional to, the provisions of relevant ethical requirements

  • The firm prohibits the acceptance of gifts and hospitality from a client, even if the value is trivial and inconsequential.

  • The firm sets rotation periods for all engagement partners, including those performing other assurance or related services engagements, and extends the rotation periods to all senior engagement team members.

A64. Other components may affect or relate to the relevant ethical requirements component.

Examples of relationships between the relevant ethical requirements component and other components

  • The information and communication component may address the communication of various matters related to relevant ethical requirements, including:

      • The firm communicating the independence requirements to all personnel and others subject to independence requirements.

      • Personnel and engagement teams communicating relevant information to the firm without fear of reprisals, such as situations that may create threats to independence, or breaches of relevant ethical requirements.

  • As part of the resources component, the firm may:

      • Assign individuals to manage and monitor compliance with relevant ethical requirements or to provide consultation on matters related to relevant ethical requirements.

      • Use IT applications to monitor compliance with relevant ethical requirements, including recording and maintaining information about independence.

A65. The relevant ethical requirements that apply to others depend on the provisions of the relevant ethical requirements and how the firm uses others in its system of quality management, or in the performance of engagements.

Examples of relevant ethical requirements that apply to others

  • Relevant ethical requirements may include requirements for independence that apply to network firms or employees of network firms, for example, PES 1 includes independence requirements that apply to network firms.

  • Relevant ethical requirements may include a definition of engagement team or other similar concept, and the definition may include any individual who performs assurance procedures on the engagement (e.g., a component auditor or a service provider engaged to attend a physical inventory count at a remote location). Accordingly, any requirements of the relevant ethical requirements that apply to the engagement team as defined in the relevant ethical requirements, or other similar concept, may also be relevant to such individuals.

  • The principle of confidentiality may apply to the firm’s network, other network firms or service providers, when they have access to client information obtained by the firm.

Public Sector Considerations

A66. In achieving the quality objectives in this PES related to independence, public sector auditors may address independence in the context of the public sector mandate and statutory measures.

Acceptance and Continuance of Client Relationships and Specific Engagements

The Nature and Circumstances of the Engagement and the Integrity and Ethical Values of the Client (Ref: Para. 30(a)(i))

A67. The information obtained about the nature and circumstances of the engagement may include:

  • The industry of the entity for which the engagement is being undertaken and relevant regulatory factors;

  • The nature of the entity, for example, its operations, organisational structure, ownership and governance, its business model and how it is financed; and

  • The nature of the underlying subject matter and the applicable criteria, for example, in the case of integrated reporting:

      • The underlying subject matter may include social, environmental or health and safety information; and

      • The applicable criteria may be performance measures established by a recognised body of experts.

A68. The information obtained to support the firm’s judgements about the integrity and ethical values of the client may include the identity and business reputation of the client’s principal owners, key management, and those charged with its governance.

Examples of factors that may affect the nature and extent of information obtained about the integrity and ethical values of the client

  • The nature of the entity for which the engagement is being performed, including the complexity of its ownership and management structure.

  • The nature of the client’s operations, including its business practices.

  • Information concerning the attitude of the client’s principal owners, key management and those charged with its governance towards such matters as aggressive interpretation of accounting standards and the internal control environment.

  • Whether the client is aggressively concerned with maintaining the firm’s fees as low as possible.

  • Indications of a client-imposed limitation in the scope of work.

  • Indications that the client might be involved in money laundering or other criminal activities.

  • The reasons for the proposed appointment of the firm and non-reappointment of the previous firm.

  • The identity and business reputation of related parties.

A69. The firm may obtain the information from a variety of internal and external sources, including:

  • In the case of an existing client, information from current or previous engagements, if applicable, or inquiry of other personnel who have performed other engagements for the client.

  • In the case of a new client, inquiry of existing or previous providers of professional accountancy services to the client, in accordance with relevant ethical requirements.

  • Discussions with other third parties, such as bankers, legal counsel and industry peers.

  • Background searches of relevant databases (which may be intellectual resources). In some cases, the firm may use a service provider to perform the background search.

A70. Information that is obtained during the firm’s acceptance and continuance process may often also be relevant to the engagement team when planning and performing the engagement. Professional standards may specifically require the engagement team to obtain or consider such information. For example, ISA (NZ) 220 (Revised)¹⁵ requires the engagement partner to take into account information obtained in the acceptance and continuance process in planning and performing the audit engagement.

A71. Professional standards or applicable legal and regulatory requirements may include specific provisions that need to be addressed before accepting or continuing a client relationship or specific engagement and may also require the firm to make inquiries of an existing or predecessor firm when accepting an engagement. For example, when there has been a change of auditors, ISA (NZ) 300¹⁶ requires the auditor, prior to starting an initial audit, to communicate with the predecessor auditor in compliance with relevant ethical requirements. PES 1 also includes requirements for the consideration of conflicts of interests in accepting or continuing a client relationship or specific engagement and communication with the existing or predecessor firm when accepting an engagement that is an audit or review of financial statements.

The Firm’s Ability to Perform the Engagement (Ref: Para. 30(a)(ii))

A72. The firm’s ability to perform the engagement in accordance with professional standards and applicable legal and regulatory requirements may be affected by:

  • The availability of appropriate resources to perform the engagement;

  • Having access to information to perform the engagement, or to the persons who provide such information; and

  • Whether the firm and the engagement team are able to fulfill their responsibilities in relation to the relevant ethical requirements.

Examples of factors the firm may consider in determining whether appropriate resources are available to perform the engagement

  • The circumstances of the engagement and the reporting deadline.

  • The availability of individuals with the appropriate competence and capabilities, including sufficient time, to perform the engagement. This includes having:

    • Individuals to take overall responsibility for directing and supervising the engagement;

    • Individuals with knowledge of the relevant industry or the underlying subject matter or criteria to be applied in the preparation of the subject matter information and experience with relevant regulatory or reporting requirements; and

    • Individuals to perform audit procedures on the financial information of a component for purposes of an audit of group financial statements.

  • The availability of experts, if needed.

  • If an engagement quality review is needed, whether there is an individual available who meets the eligibility requirements in PES 4.

  • The need for technological resources, for example, IT applications that enable the engagement team to perform procedures on the entity’s data.

  • The need for intellectual resources, for example, a methodology, industry or subject matter-specific guides, or access to information sources.

The Firm’s Financial and Operational Priorities (Ref: Para. 30(b))

A73. Financial priorities may focus on the profitability of the firm, and fees obtained for the performance of engagements have an effect on the firm’s financial resources. Operational priorities may include strategic focus areas, such as growth of the firm’s market share, industry specialisation or new service offerings. There may be circumstances when the firm is satisfied with the fee quoted for an engagement but it is not appropriate for the firm to accept or continue the engagement or client relationship (e.g., when the client lacks integrity and ethical values).

A74. There may be other circumstances when the fee quoted for an engagement is not sufficient given the nature and circumstances of the engagement, and it may diminish the firm’s ability to perform the engagement in accordance with professional standards and applicable legal and regulatory requirements. PES 1 addresses fees and other types of remuneration, including circumstances that may create a threat to compliance with the fundamental principle of professional competence and due care if the fee quoted for an engagement is too low.

Engagement Performance

Responsibilities of the Engagement Team and Direction, Supervision and Review (Ref: Para. 31(a) and 31(b))

A75. Professional standards or applicable legal and regulatory requirements may include specific provisions regarding the overall responsibility of the engagement partner. For example, ISA (NZ) 220 (Revised) deals with the overall responsibility of the engagement partner for managing and achieving quality on the engagement and for being sufficiently and appropriately involved throughout the engagement, including having responsibility for appropriate direction and supervision of the engagement team and review of their work.

A76. Examples of direction, supervision and review

  • Direction and supervision of the engagement team may include:

    • Tracking the progress of the engagement;

    • Considering the following with respect to members of the engagement team:

      • Whether they understand their instructions; and

      • Whether the work is being carried out in accordance with the planned approach to the engagement;

    • Addressing matters arising during the engagement, considering their significance and modifying the planned approach appropriately; and

    • Identifying matters for consultation or consideration by more experienced engagement team members during the engagement.

  • A review of work performed may include considering whether:

    • The work has been performed in accordance with the firm’s policies or procedures, professional standards and applicable legal and regulatory requirements;

    • Significant matters have been raised for further consideration;

    • Appropriate consultations have been undertaken and the resulting conclusions have been documented and implemented;

    • There is a need to revise the nature, timing and extent of planned work;

    • The work performed supports the conclusions reached and is appropriately documented;

    • The evidence obtained for an assurance engagement is sufficient and appropriate to support the report; and

    • The objectives of the engagement procedures have been achieved.

A77. In some circumstances, the firm may use personnel from a service delivery centre in the firm or individuals from a service delivery centre in another network firm to perform procedures on the engagement (i.e., the personnel or other individuals are included in the engagement team). In such circumstances, the firm’s policies or procedures may specifically address the direction and supervision of the individuals and review of their work, such as:

  • What aspects of the engagement may be assigned to individuals in the service delivery centre;

  • How the engagement partner, or their designee, is expected to direct, supervise and review the work undertaken by individuals in the service delivery centre; and

  • The protocols for communication between the engagement team and individuals in the service delivery centre.

Professional Judgement and Professional Scepticism (Ref: Para. 31(c))

A78. Professional scepticism supports the quality of judgements made on an assurance engagement and, through these judgements, the overall effectiveness of the engagement team in performing the assurance engagement. Other pronouncements of the NZAuASB may address the exercise of professional judgement or professional scepticism at the engagement level. For example, ISA (NZ) 220 (Revised)¹⁷ provides examples of impediments to the exercise of professional scepticism at the engagement level, unconscious auditor biases that may impede the exercise of professional scepticism, and possible actions that the engagement team may take to mitigate such impediments.

Consultation (Ref: Para. 31(d))

A79. Consultation typically involves a discussion at the appropriate professional level, with individuals within or outside the firm who have specialised expertise, on difficult or contentious matters. An environment that reinforces the importance and benefit of consultation and encourages engagement teams to consult may contribute to supporting a culture that demonstrates a commitment to quality.

A80. Difficult or contentious matters on which consultation is needed may either be specified by the firm, or the engagement team may identify matters that require consultation. The firm may also specify how conclusions are to be agreed and implemented.

A81. ISA (NZ) 220 (Revised)¹⁸ includes requirements for the engagement partner related to consultation.

Differences of Opinion (Ref: Para. 31(e))

A82. The firm may encourage that differences of opinion are identified at an early stage, and may specify the steps to be taken in raising and dealing with them, including how the matter is to be resolved and how the related conclusions should be implemented and documented. In some circumstances, resolving differences of opinion may be achieved through consulting with another practitioner or firm, or a professional or regulatory body.

Engagement Documentation (Ref: Para. 31(f))

A83. Law, regulation or professional standards may prescribe the time limits by which the assembly of final engagement files for specific types of engagements are to be completed. Where no such time limits are prescribed in law or regulation, the time limit may be determined by the firm. In the case of engagements conducted under the ISAs (NZ), ISAEs (NZ) or SAEs, an appropriate time limit within which to complete the assembly of the final engagement file is ordinarily not more than 60 days after the date of the engagement report.

A84. The retention and maintenance of engagement documentation may include managing the safe custody, integrity, accessibility or retrievability of the underlying data and the related technology. The retention and maintenance of engagement documentation may involve the use of IT applications. The integrity of engagement documentation may be compromised if it is altered, supplemented or deleted without authorisation to do so, or if it is permanently lost or damaged.

A85. Law, regulation or professional standards may prescribe the retention periods for engagement documentation. If the retention periods are not prescribed, the firm may consider the nature of the engagements performed by the firm and the firm’s circumstances, including whether the engagement documentation is needed to provide a record of matters of continuing significance to future engagements. In the case of engagements conducted under the ISAs (NZ), ISAEs (NZ) or SAEs, the retention period is ordinarily no shorter than five years from the date of the engagement report, or, if later, the date of the auditor’s report on the group financial statements, when applicable.

Resources (Ref: Para. 32)

A86. Resources for the purposes of the resources component include:

  • Human resources.

  • Technological resources, for example, IT applications.

  • Intellectual resources, for example, written policies or procedures, a methodology or guides.

Financial resources are also relevant to the system of quality management because they are necessary for obtaining, developing and maintaining the firm’s human resources, technological resources and intellectual resources. Given that the management and allocation of financial resources is strongly influenced by leadership, the quality objectives in governance and leadership, such as those that address financial and operational priorities, address financial resources.

A87. Resources may be internal to the firm, or may be obtained externally from the firm’s network, another network firm or service provider. Resources may be used in performing activities within the firm’s system of quality management, or in the performance of engagements as part of operating the system of quality management. In circumstances when a resource is obtained from the firm’s network or another network firm, paragraphs 48–52 form part of the responses designed and implemented by the firm in achieving the objectives in this component.

Human Resources
Hiring, Developing and Retaining Personnel and Personnel Competence and Capabilities (Ref: Para. 32(a), 32(d))

A88. Competence is the ability of the individual to perform a role and goes beyond knowledge of principles, standards, concepts, facts, and procedures; it is the integration and application of technical competence, professional skills, and professional ethics, values and attitudes. Competence can be developed through a variety of methods, including professional education, continuing professional development, training, work experience or coaching of less experienced engagement team members by more experienced engagement team members.

A89. Law, regulation or professional standards may establish requirements addressing competence and capabilities, such as requirements for the professional licensing of engagement partners, including requirements regarding their professional education and continuing professional development.

A90. Examples of policies or procedures relating to hiring, developing and retaining personnel

The policies or procedures designed and implemented by the firm relating to hiring, developing and retaining personnel may address:

  • Recruiting individuals who have, or are able to develop, appropriate competence.

  • Training programs focused on developing the competence of personnel and continuing professional development.

  • Evaluation mechanisms that are undertaken at appropriate intervals and include competency areas and other performance measures.

  • Compensation, promotion and other incentives, for all personnel, including engagement partners and individuals assigned roles and responsibilities related to the firm’s system of quality management.

Personnel’s Commitment to Quality and Accountability and Recognition for Commitment to Quality (Ref: Para. 32(b))

A91. Timely evaluations and feedback help support and promote the continual development of the competence of personnel. Less formal methods of evaluation and feedback may be used, such as in the case of firms with fewer personnel.

A92. Positive actions or behaviours demonstrated by personnel may be recognised through various means, such as through compensation, promotion, or other incentives. In some circumstances, simple or informal incentives that are not based on monetary rewards may be appropriate.

A93. The manner in which the firm holds personnel accountable for actions or behaviours that negatively affect quality, such as failing to demonstrate a commitment to quality, develop and maintain the competence to perform their role or implement the firm’s responses as designed, may depend on the nature of the action or behaviour, including its severity and frequency of occurrence. Actions the firm may take when personnel demonstrate actions or behaviours that negatively affect quality may include:

  • Training or other professional development.

  • Considering the effect of the matter on the evaluation, compensation, promotion or other incentives of those involved.

  • Disciplinary action, if appropriate.

Individuals Obtained from External Sources (Ref: Para. 32(c))

A94. Professional standards may include responsibilities for the engagement partner regarding the appropriateness of resources. For example, ISA (NZ) 220 (Revised)¹⁹ addresses the responsibility of the engagement partner for determining that sufficient and appropriate resources to perform the engagement are assigned or made available to the engagement team in a timely manner in accordance with the firm’s policies or procedures.

Engagement Team Members Assigned to Each Engagement (Ref: Para. 32(d))

A95. Engagement team members may be assigned to engagements by:

  • The firm, including assigning personnel from a service delivery centre in the firm.

  • The firm’s network or another network firm when the firm uses individuals from the firm’s network or another network firm to perform procedures on the engagement (e.g., a component auditor or a service delivery centre of the network or another network firm).

  • A service provider when the firm uses individuals from a service provider to perform procedures on the engagement (e.g., a component auditor from a firm that is not within the firm’s network).

A96. ISA (NZ) 220 (Revised)²⁰ addresses the responsibility of the engagement partner to determine that members of the engagement team, and any auditor’s external experts and internal auditors who provide direct assistance who are not part of the engagement team, collectively have the appropriate competence and capabilities, including sufficient time, to perform the engagement. ISA (NZ) 600 (Revised)²¹ expands on how ISA (NZ) 220 (Revised) is to be applied in relation to an audit of group financial statements. The responses designed and implemented by the firm to address the competence and capabilities of engagement team members assigned to the engagement may include policies or procedures that address:

  • Information that may be obtained by the engagement partner and factors to consider in determining that the engagement team members assigned to the engagement, including those assigned by the firm’s network, another network firm or service provider, have the competence and capabilities to perform the engagement.

  • How concerns about the competence and capabilities of engagement team members, in particular those assigned by the firm’s network, another network firm or service provider, may be resolved.

A97. The requirements in paragraphs 48–52 are also applicable when using individuals from the firm’s network or another network firm on an engagement, including component auditors (see, for example, paragraph A179).

Technological Resources (Ref: Para. 32(f))

A98. Technological resources, which are typically IT applications, form part of the firm’s IT environment. The firm’s IT environment also includes the supporting IT infrastructure and the IT processes and human resources involved in those processes:

  • An IT application is a program or a set of programs that is designed to perform a specific function directly for the user or, in some cases, for another application program.

  • The IT infrastructure is comprised of the IT network, operating systems, and databases and their related hardware and software.

  • The IT processes are the firm’s processes to manage access to the IT environment, manage program changes or changes to the IT environment and manage IT operations, which includes monitoring the IT environment.

A99. A technological resource may serve multiple purposes within the firm and some of the purposes may be unrelated to the system of quality management. Technological resources that are relevant for the purposes of this PES are:

  • Technological resources that are directly used in designing, implementing or operating the firm’s system of quality management;

  • Technological resources that are used directly by engagement teams in the performance of engagements; and

  • Technological resources that are essential to enabling the effective operation of the above, such as, in relation to an IT application, the IT infrastructure and IT processes supporting the IT application.

Scalability examples to demonstrate how the technological resources that are relevant for the purposes of this PES may differ

  • In a less complex firm, the technological resources may comprise a commercial IT application used by engagement teams, which has been purchased from a service provider. The IT processes that support the operation of the IT application may also be relevant, although they may be simple (e.g., processes for authorising access to the IT application and processing updates to the IT application).

  • In a more complex firm, the technological resources may be more complex and may comprise:

    • Multiple IT applications, including custom developed applications or applications developed by the firm’s network, such as:

      • IT applications used by engagement teams (e.g., engagement software and automated audit tools).

      • IT applications developed and used by the firm to manage aspects of the system of quality management (e.g., IT applications to monitor independence or assign personnel to engagements).

    • The IT processes that support the operation of these IT applications, including the individuals responsible for managing the IT infrastructure and IT processes and the firm’s processes for managing program changes to the IT applications.

A100. The firm may consider the following matters in obtaining, developing, implementing and maintaining an IT application:

  • The data inputs are complete and appropriate;

  • Confidentiality of the data is preserved;

  • The IT application operates as designed and achieves the purpose for which it is intended;

  • The outputs of the IT application achieve the purpose for which they will be used;

  • The general IT controls necessary to support the IT application’s continued operation as designed are appropriate;

  • The need for specialised skills to utilise the IT application effectively, including the training of individuals who will use the IT application; and

  • The need to develop procedures that set out how the IT application operates.

A101. The firm may specifically prohibit the use of IT applications or features of IT applications until such time that it has been determined that they operate appropriately and have been approved for use by the firm. Alternatively, the firm may establish policies or procedures to address circumstances when the engagement team uses an IT application that is not approved by the firm. Such policies or procedures may require the engagement team to determine that the IT application is appropriate for use prior to using it on the engagement, through considering the matters in paragraph A100. ISA (NZ) 220 (Revised)²² addresses the engagement partner’s responsibilities for engagement resources.

Intellectual Resources (Ref: Para. 32(g))

A102. Intellectual resources include the information the firm uses to enable the operation of the system of quality management and promote consistency in the performance of engagements.

Examples of intellectual resources

Written policies or procedures, a methodology, industry or subject matter-specific guides, accounting guides, standardised documentation or access to information sources (e.g., subscriptions to websites that provide in-depth information about entities or other information that is typically used in the performance of engagements).

A103. Intellectual resources may be made available through technological resources, for example, the firm’s methodology may be embedded in the IT application that facilitates the planning and performance of the engagement.

Use of Technological and Intellectual Resources (Ref: Para. 32(f)–32(g))

A104. The firm may establish policies or procedures regarding the use of the firm’s technological and intellectual resources. Such policies or procedures may:

  • Require the use of certain IT applications or intellectual resources in the performance of engagements, or relating to other aspects of the engagement, such as in archiving the engagement file.

  • Specify the qualifications or experience that individuals need to use the resource, including the need for an expert or training, for example, the firm may specify the qualifications or expertise needed to use an IT application that analyses data, given that specialised skills may be needed to interpret the results.

  • Specify the responsibilities of the engagement partner regarding the use of technological and intellectual resources.

  • Set out how the technological or intellectual resources are to be used, including how individuals should interact with an IT application or how the intellectual resource should be applied, and the availability of support or assistance in using the technological or intellectual resource.

Service Providers (Ref: Para. 16(v), 32(h))

A105. In some circumstances, the firm may use resources that are provided by a service provider, particularly in circumstances when the firm does not have access to the appropriate resources internally. Notwithstanding that a firm may use resources from a service provider, the firm remains responsible for its system of quality management.

Examples of resources from a service provider

  • Individuals engaged to perform the firm’s monitoring activities or engagement quality reviews, or to provide consultation on technical matters.
  • A commercial IT application used to perform audit engagements.
  • Individuals performing procedures on the firm’s engagements, for example, component auditors from other firms not within the firm’s network or individuals engaged to attend a physical inventory count at a remote location.
  • An auditor’s external expert used by the firm to assist the engagement team in obtaining audit evidence.

A106. In identifying and assessing quality risks, the firm is required to obtain an understanding of the conditions, events, circumstances, actions or inactions that may adversely affect the achievement of the quality objectives, which includes conditions, events, circumstances, actions or inactions relating to service providers. In doing so, the firm may consider the nature of the resources provided by service providers, how and the extent to which they will be used by the firm, and the general characteristics of the service providers used by the firm (e.g., the varying types of other professional services firms that are used), in order to identify and assess quality risks related to the use of such resources.

A107. In determining whether a resource from a service provider is appropriate for use in the firm’s system of quality management or in the performance of engagements, the firm may obtain information about the service provider and the resource they provide from a number of sources. Matters the firm may consider include:

  • The related quality objective and quality risks. For example, in the case of a methodology from a service provider, there may be quality risks related to the quality objective in paragraph 32(g), such as a quality risk that the service provider does not update the methodology to reflect changes in professional standards and applicable legal and regulatory requirements.

  • The nature and scope of the resources, and the conditions of the service (e.g., in relation to an IT application, how often updates will be provided, limitations on the use of the IT application and how the service provider addresses confidentiality of data).

  • The extent to which the resource is used across the firm, how the resource will be used by the firm and whether it is suitable for that purpose.

  • The extent of customisation of the resource for the firm.

  • The firm’s previous use of the service provider.

  • The service provider’s experience in the industry and reputation in the market.

A108. The firm may have a responsibility to take further actions in using the resource from a service provider so that the resource functions effectively. For example, the firm may need to communicate information to the service provider in order for the resource to function effectively, or, in relation to an IT application, the firm may need to have supporting IT infrastructure and IT processes in place.

Information and Communication (Ref: Para. 33)

A109. Obtaining, generating or communicating information is generally an ongoing process that involves all personnel and encompasses the dissemination of information within the firm and externally. Information and communication is pervasive to all components of the system of quality management.

The Firm’s Information System (Ref: Para. 33(a))

A110. Reliable and relevant information includes information that is accurate, complete, timely and valid to enable the proper functioning of the firm’s system of quality management and to support decisions regarding the system of quality management.

A111. The information system may include the use of manual or IT elements, which affect the manner in which information is identified, captured, processed, maintained and communicated. The procedures to identify, capture, process, maintain and communicate information may be enforced through IT applications, and in some cases may be embedded within the firm’s responses for other components. In addition, digital records may replace or supplement physical records.

Scalability example to demonstrate how the information system may be designed in a less complex firm

Less complex firms with fewer personnel and direct involvement of leadership may not need rigorous policies and procedures that specify how information should be identified, captured, processed and maintained.

Communication Within the Firm (Ref: Para. 33(b), 33(c))

A112. The firm may recognise and reinforce the responsibility of personnel and engagement teams to exchange information with the firm and with one another by establishing communication channels to facilitate communication across the firm.

Examples of communication among the firm, personnel and engagement teams

  • The firm communicates the responsibility for implementing the firm’s responses to personnel and engagement teams.

  • The firm communicates changes to the system of quality management to personnel and engagement teams, to the extent that the changes are relevant to their responsibilities and enables personnel and engagement teams to take prompt and appropriate action in accordance with their responsibilities.

  • The firm communicates information that is obtained during the firm’s acceptance and continuance process that is relevant to engagement teams in planning and performing engagements.

  • Engagement teams communicate to the firm information about:

    • The client that is obtained during the performance of an engagement that may have caused the firm to decline the client relationship or specific engagement had that information been known prior to accepting or continuing the client relationship or specific engagement.

    • The operation of the firm’s responses (e.g., concerns about the firm’s processes for assigning personnel to engagements), which in some cases, may indicate a deficiency in the firm’s system of quality management.

  • Engagement teams communicate information to the engagement quality reviewer or individuals providing consultation.

  • The group auditor communicates matters to component auditors in accordance with the firm’s policies or procedures, including matters related to quality management at the engagement level.

  • The individual(s) assigned operational responsibility for compliance with independence requirements communicates to relevant personnel and engagement teams changes in the independence requirements and the firm’s policies or procedures to address such changes.

Communication with External Parties
Communication to or within the Firm’s Network and to Service Providers (Ref: Para. 33(d)(i))

A113. In addition to the firm communicating information to or within the firm’s network or to a service provider, the firm may need to obtain information from the network, a network firm or a service provider that supports the firm in the design, implementation and operation of its system of quality management.

Example of information obtained by the firm from within the firm’s network

The firm obtains information from the network or other network firms about clients of other network firms, where there are independence requirements that affect the firm.

Communication with Others External to the Firm (Ref: Para. 33(d)(ii))

A114. Examples of when law, regulation or professional standards may require the firm to communicate information to external parties

  • The firm becomes aware of non-compliance with laws and regulations by a client, and relevant ethical requirements require the firm to report the non-compliance with laws and regulations to an appropriate authority outside the client entity, or to consider whether such reporting is an appropriate action in the circumstances.
  • Law or regulation requires the firm to publish a transparency report and specifies the nature of the information that is required to be included in the transparency report.
  • Securities law or regulation requires the firm to communicate certain matters to those charged with governance.

A115. In some cases, law or regulation may preclude the firm from communicating information related to its system of quality management externally.

Examples of when the firm may be precluded from communicating information externally

  • Privacy or secrecy law or regulation prohibits disclosure of certain information.
  • Law, regulation or relevant ethical requirements include provisions addressing the duty of confidentiality.

Specified Responses (Ref: Para. 34)

A116. The specified responses may address multiple quality risks related to more than one quality objective across different components. For example, policies or procedures for complaints and allegations may address quality risks related to quality objectives in resources (e.g., personnel’s commitment to quality), relevant ethical requirements and governance and leadership. The specified responses alone are not sufficient to achieve the objectives of the system of quality management.

Relevant Ethical Requirements (Ref: Para. 34(a))

A117. Relevant ethical requirements may contain provisions regarding the identification and evaluation of threats and how they are to be addressed. For example, PES 1 provides a conceptual framework for this purpose and, in applying the conceptual framework, requires that the firm use the reasonable and informed third party test.

A118. Relevant ethical requirements may specify how the firm is required to respond to a breach. For example, PES 1 sets out requirements for the firm in the event of a breach of PES 1 and includes specific requirements addressing breaches of the International Independence Standards, which includes requirements for communication with external parties.

A119. Matters the firm may address relating to breaches of the relevant ethical requirements include:

  • The communication of breaches of the relevant ethical requirements to appropriate personnel;
  • The evaluation of the significance of a breach and its effect on compliance with relevant ethical requirements;
  • The actions to be taken to satisfactorily address the consequences of a breach, including that such actions be taken as soon as practicable;
  • Determining whether to report a breach to external parties, such as those charged with governance of the entity to which the breach relates or an external oversight authority; and
  • Determining the appropriate actions to be taken in relation to the individual(s) responsible for the breach.

Complaints and Allegations (Ref: Para. 34(c))

A120. Establishing policies or procedures for dealing with complaints and allegations may assist the firm in preventing engagement reports from being issued that are inappropriate. It also may assist the firm in:

  • Identifying and dealing with individuals, including leadership, who do not act or behave in a manner that demonstrates a commitment to quality and supports the firm’s commitment to quality; or
  • Identifying deficiencies in the system of quality management.

A121. Complaints and allegations may be made by personnel, or others external to the firm (e.g., clients, component auditors or individuals within the firm’s network).

Information That Becomes Known Subsequent to Accepting or Continuing a Client Relationship or Specific Engagement (Ref: Para. 34(d))

A122. Information that becomes known subsequent to accepting or continuing a client relationship or specific engagement may:

  • Have existed at the time of the firm’s decision to accept or continue the client relationship or specific engagement and the firm was not aware of such information; or
  • Relate to new information that has arisen since the decision to accept or continue the client relationship or specific engagement.

Examples of matters addressed in the firm’s policies or procedures for circumstances when information becomes known subsequent to accepting or continuing a client relationship or specific engagement that may have affected the firm’s decision to accept or continue a client relationship or specific engagement

  • Undertaking consultation within the firm or with legal counsel.
  • Considering whether there is a professional, legal or regulatory requirement for the firm to continue the engagement.
  • Discussing with the appropriate level of the client’s management and with those charged with governance or the engaging party the action that the firm might take based on the relevant facts and circumstances.
  • When it is determined that withdrawal is an appropriate action:
    • Informing the client’s management and those charged with governance or the engaging party of this decision and the reasons for the withdrawal.
    • Considering whether there is a professional, legal or regulatory requirement for the firm to report the withdrawal from the engagement, or from both the engagement and the client relationship, together with the reasons for the withdrawal, to regulatory authorities.

A123. In some circumstances, jurisdictional law or regulation may impose an obligation on the firm to accept or continue a client engagement, or in the case of the public sector, the firm may be appointed through statutory provisions.

Example of matters addressed in the firm’s policies or procedures in circumstances when the firm is obligated to accept or continue an engagement or the firm is unable to withdraw from an engagement, and the firm is aware of information that would have caused the firm to decline or discontinue the engagement

  • The firm considers the effect of the information on the performance of the engagement.
  • The firm communicates the information to the engagement partner, and requests the engagement partner to increase the extent and frequency of the direction and supervision of the engagement team members and review of their work.
  • The firm assigns more experienced personnel to the engagement.
  • The firm determines that an engagement quality review should be performed.

Communication with External Parties (Ref: Para. 34(e))

A124. The firm’s ability to maintain stakeholder confidence in the quality of its engagements may be enhanced through relevant, reliable and transparent communication by the firm about the activities that it has undertaken to address quality, and the effectiveness of those activities.

A125. External parties who may use information about the firm’s system of quality management, and the extent of their interest in the firm’s system of quality management, may vary based on the nature and circumstances of the firm and its engagements.

Examples of external parties who may use information about the firm’s system of quality management

  • Management or those charged with governance of the firm’s clients may use the information to determine whether to appoint the firm to perform an engagement.
  • External oversight authorities may have indicated a desire for the information to support their responsibilities in monitoring the quality of engagements across a jurisdiction and in understanding the work of firms.
  • Other firms who use the work of the firm in the performance of engagements (e.g., in relation to a group audit) may have requested such information.
  • Other users of the firm’s engagement reports, such as investors who use engagement reports in their decision making, may have indicated a desire for the information.

A126. The information about the system of quality management provided to external parties, including information communicated to those charged with governance about how the system of quality management supports the consistent performance of quality engagements, may address such matters as:

  • The nature and circumstances of the firm, such as the organisational structure, business model, strategy and operating environment.
  • The firm’s governance and leadership, such as its culture, how it demonstrates a commitment to quality, and assigned roles, responsibilities and authority with respect to the system of quality management.
  • How the firm fulfills its responsibilities in accordance with relevant ethical requirements, including those related to independence.
  • Factors that contribute to quality engagements, for example, such information may be presented in the form of engagement quality indicators with narrative to explain the indicators.
  • The results of the firm’s monitoring activities and external inspections, and how the firm has remediated identified deficiencies or is otherwise responding to them.
  • The evaluation undertaken in accordance with paragraphs 53–54 of whether the system of quality management provides the firm with reasonable assurance that the objectives of the system are being achieved and the conclusion thereon, including the basis for the judgements made in undertaking the evaluation and concluding.
  • How the firm has responded to emerging developments and changes in the circumstances of the firm or its engagements, including how the system of quality management has been adapted to respond to such changes.
  • The relationship between the firm and the network, the overall structure of the network, a description of network requirements and network services, the responsibilities of the firm and the network (including that the firm is ultimately responsible for the system of quality management), and information about the overall scope and results of network monitoring activities across the network firms.

Communication with Those Charged with Governance (Ref: Para. 34(e)(i))

A127. How the communication with those charged with governance is undertaken (i.e., by the firm or the engagement team) may depend on the firm’s policies or procedures and the circumstances of the engagement.

A128. [Amended by the NZAuASB]

NZA128.1 ISA (NZ) 260 (Revised) deals with the auditor’s responsibility to communicate with those charged with governance in an audit of financial statements, and addresses the auditor’s determination of the appropriate person(s) within the entity’s governance structure with whom to communicate23 and the communication process.24 In some circumstances, it may be appropriate to communicate with those charged with governance of entities other than FMC reporting entities considered to have a higher level of public accountability (or when performing other engagements), for example, entities that may have public interest or public accountability characteristics, such as:

  • Entities that hold a significant amount of assets in a fiduciary capacity for a large number of stakeholders including financial institutions, such as certain banks, insurance companies, and pension funds.
  • Entities with a high public profile, or whose management or owners have a high public profile.
  • Entities with a large number and wide range of stakeholders.

Public sector considerations

A129. The firm may determine it is appropriate to communicate to those charged with governance of a public sector entity about how the firm’s system of quality management supports the consistent performance of quality engagements, taking into account the size and complexity of the public sector entity, the range of its stakeholders, the nature of the services it provides, and the role and responsibilities of those charged with governance.

Determining When it is Otherwise Appropriate to Communicate with External Parties (Ref: Para. 34(e)(ii))

A130. The firm’s determination of when it is appropriate to communicate with external parties about the firm’s system of quality management is a matter of professional judgement and may be influenced by matters such as:

  • The types of engagements performed by the firm, and the types of entities for which such engagements are undertaken.
  • The nature and circumstances of the firm.
  • The nature of the firm’s operating environment, such as customary business practice in the firm’s jurisdiction and the characteristics of the financial markets in which the firm operates.
  • The extent to which the firm has already communicated with external parties in accordance with law or regulation (i.e., whether further communication is needed, and if so, the matters to be communicated).
  • The expectations of stakeholders in the firm’s jurisdiction, including the understanding and interest that external parties have expressed about the engagements undertaken by the firm, and the firm’s processes in performing the engagements.
  • Jurisdictional trends.
  • The information that is already available to external parties.
  • How external parties may use the information, and their general understanding of matters related to firms’ system of quality management and audits or reviews of financial statements, or other assurance or related services engagements.
  • The public interest benefits of external communication and whether it would reasonably be expected to outweigh the costs (monetary or otherwise) of such communication.

The above matters may also affect the information provided by the firm in the communication, and the nature, timing and extent and appropriate form of communication.

Nature, Timing and Extent and Appropriate Form of Communication with External Parties (Ref: Para. 34(e)(iii))

A131. The firm may consider the following attributes in preparing information that is communicated to external parties:

  • The information is specific to the circumstances of the firm. Relating the matters in the firm’s communication directly to the specific circumstances of the firm may help to minimise the potential that such information becomes overly standardised and less useful over time.
  • The information is presented in a clear and understandable manner, and the manner of presentation is neither misleading nor would inappropriately influence the users of the communication (e.g., the information is presented in a manner that is appropriately balanced towards positive and negative aspects of the matter being communicated).
  • The information is accurate and complete in all material respects and does not contain information that is misleading.
  • The information takes into consideration the information needs of the users for whom it is intended. In considering the information needs of the users, the firm may consider matters such as the level of detail that users would find meaningful and whether users have access to relevant information through other sources (e.g., the firm’s website).

A132. [Amended by the NZAuASB]

NZA132.1 The firm uses professional judgement in determining, in the circumstances, the appropriate form of communication with the external party, including communication with those charged with governance when performing an audit of financial statements of FMC reporting entities considered to have a higher level of public accountability, which may be made orally or in writing. Accordingly, the form of communication may vary.

Examples of form of communication to external parties

  • A publication such as a transparency report or audit quality report.
  • Targeted written communication to specific stakeholders (e.g., information about the results of the firm’s monitoring and remediation process).
  • Direct conversations and interactions with the external party (e.g., discussions between the engagement team and those charged with governance).
  • A webpage.
  • Other forms of digital media, such as social media, or interviews or presentations via webcast or video.

Engagements Subject to an Engagement Quality Review

Engagement Quality Review Required by Law or Regulation (Ref: Para. 34(f)(ii))

A133. Law or regulation may require an engagement quality review to be performed, for example, for audit engagements for entities that:

  • Are public interest entities as defined in a particular jurisdiction;
  • Operate in the public sector or which are recipients of government funding, or entities with public accountability;
  • Operate in certain industries (e.g., financial institutions such as banks, insurance companies and pension funds);
  • Meet a specified asset threshold; or
  • Are under the management of a court or judicial process (e.g., liquidation).

Engagement Quality Review as a Response to Address One or More Quality Risk(s) (Ref: Para. 34(f)(iii))

A134. The firm’s understanding of the conditions, events, circumstances, actions or inactions that may adversely affect the achievement of the quality objectives, as required by paragraph 25(a)(ii), relates to the nature and circumstances of the engagements performed by the firm. In designing and implementing responses to address one or more quality risk(s), the firm may determine that an engagement quality review is an appropriate response based on the reasons for the assessments given to the quality risks.

Examples of conditions, events, circumstances, actions or inactions giving rise to one or more quality risk(s) for which an engagement quality review may be an appropriate response

Those relating to the types of engagements performed by the firm and reports to be issued:

  • Engagements that involve a high level of complexity or judgement, such as:
    • Audits of financial statements for entities operating in an industry that typically has accounting estimates with a high degree of estimation uncertainty (e.g., certain large financial institutions or mining entities), or for entities for which uncertainties exist related to events or conditions that may cast significant doubt on their ability to continue as a going concern.
    • Assurance engagements that require specialised skills and knowledge in measuring or evaluating the underlying subject matter against the applicable criteria (e.g., a greenhouse gas statement in which there are significant uncertainties associated with the quantities reported therein).
  • Engagements on which issues have been encountered, such as audit engagements with recurring internal or external inspection findings, unremediated significant deficiencies in internal control, or a material restatement of comparative information in the financial statements.
  • Engagements for which unusual circumstances have been identified during the firm’s acceptance and continuance process (e.g., a new client that had a disagreement with its previous auditor or assurance practitioner).
  • Engagements that involve reporting on financial or non-financial information that is expected to be included in a regulatory filing, and that may involve a higher degree of judgement, such as pro forma financial information to be included in a prospectus.

Those relating to the types of entities for which engagements are undertaken:

  • Entities in emerging industries, or for which the firm has no previous experience.
  • Entities for which concerns were expressed in communications from securities or prudential regulators.
  • Entities other than FMC reporting entities considered to have a higher level of public accountability that may have public interest or public accountability characteristics, for example:
    • Entities that hold a significant amount of assets in a fiduciary capacity for a large number of stakeholders including financial institutions, such as certain banks, insurance companies, and pension funds for which an engagement quality review is not otherwise required by law or regulation.
    • Entities with a high public profile, or whose management or owners have a high public profile.
    • Entities with a large number and wide range of stakeholders.

A135. The firm’s responses to address quality risks may include other forms of engagement reviews that are not an engagement quality review. For example, for audits of financial statements, the firm’s responses may include reviews of the engagement team’s procedures relating to significant risks, or reviews of certain significant judgements, by personnel who have specialised technical expertise. In some cases, these other types of engagement reviews may be undertaken in addition to an engagement quality review.

A136. In some cases, the firm may determine that there are no audits or other engagements for which an engagement quality review or another form of engagement review is an appropriate response to address the quality risk(s).

Public sector considerations

A137. The nature and circumstances of public sector entities (e.g., due to their size and complexity, the range of their stakeholders, or the nature of the services they provide) may give rise to quality risks. In these circumstances, the firm may determine that an engagement quality review is an appropriate response to address such quality risks. Law or regulation may establish additional reporting requirements for the auditors of public sector entities (e.g., a separate report on instances of non-compliance with law or regulation to the legislature or other governing body or communicating such instances in the auditor’s report on the financial statements). In such cases, the firm may also consider the complexity of such reporting, and its importance to users, in determining whether an engagement quality review is an appropriate response.

Monitoring and Remediation Process (Ref: Para. 35–47)

A138. In addition to enabling the evaluation of the system of quality management, the monitoring and remediation process facilitates the proactive and continual improvement of engagement quality and the system of quality management. For example:

  • Given the inherent limitations of a system of quality management, the firm’s identification of deficiencies is not unusual and it is an important aspect of the system of quality management, because prompt identification of deficiencies enables the firm to remediate them in a timely and effective manner, and contributes to a culture of continual improvement.
  • The monitoring activities may provide information that enables the firm to prevent a deficiency through responding to a finding that could, over a period of time, lead to a deficiency.

Designing and Performing Monitoring Activities (Ref: Para. 37–38)

A139. The firm’s monitoring activities may comprise a combination of ongoing monitoring activities and periodic monitoring activities. Ongoing monitoring activities are generally routine activities, built into the firm’s processes and performed on a real-time basis, reacting to changing conditions. Periodic monitoring activities are conducted at certain intervals by the firm. In most cases, ongoing monitoring activities provide information about the system of quality management in a timelier manner.

A140. Monitoring activities may include the inspection of in-process engagements. Inspections of engagements are designed to monitor that an aspect of the system of quality management is designed, implemented and operating in the manner intended. In some circumstances, the system of quality management may include responses that are designed to review engagements while they are in the process of being performed that appear similar in nature to an inspection of in-process engagements (e.g., reviews that are designed to detect failures or shortcomings in the system of quality management so that they can prevent a quality risk from occurring). The purpose of the activity will guide its design and implementation, and where it fits within the system of quality management (i.e., whether it is an inspection of an in-process engagement that is a monitoring activity or a review of an engagement that is a response to address a quality risk).

A141. The nature, timing and extent of the monitoring activities may also be affected by other matters, including:

  • The size, structure and organisation of the firm.
  • The involvement of the firm’s network in monitoring activities.
  • The resources that the firm intends to use to enable monitoring activities, such as the use of IT applications.

A142. When performing monitoring activities, the firm may determine that changes to the nature, timing and extent of the monitoring activities are needed, such as when findings indicate the need for more extensive monitoring activities.

The Design of the Firm’s Risk Assessment Process and Monitoring and Remediation Process (Ref: Para. 37(c))

A143. How the firm’s risk assessment process is designed (e.g., a centralised or decentralised process, or the frequency of review) may affect the nature, timing and extent of the monitoring activities, including monitoring activities over the firm’s risk assessment process.

A144. How the firm’s monitoring and remediation process is designed (i.e., the nature, timing and extent of the monitoring and remediation activities, taking into account the nature and circumstances of the firm) may affect the monitoring activities undertaken by the firm to determine whether the monitoring and remediation process is achieving the intended purpose as described in paragraph 35.

Scalability example to demonstrate the monitoring activities for the monitoring and remediation process

  • In a less complex firm, the monitoring activities may be simple, since information about the monitoring and remediation process may be readily available in the form of leadership’s knowledge, based on their frequent interaction with the system of quality management, of the nature, timing and extent of the monitoring activities undertaken, the results of the monitoring activities, and the firm’s actions to address the results.
  • In a more complex firm, the monitoring activities for the monitoring and remediation process may be specifically designed to determine that the monitoring and remediation process is providing relevant, reliable and timely information about the system of quality management, and responding appropriately to identified deficiencies.

Changes in the System of Quality Management (Ref: Para. 37(d))

A145. Changes in the system of quality management may include:

  • Changes to address an identified deficiency in the system of quality management.
  • Changes to the quality objectives, quality risks or responses as a result of changes in the nature and circumstances of the firm and its engagements.

When changes occur, previous monitoring activities undertaken by the firm may no longer provide the firm with information to support the evaluation of the system of quality management and, therefore, the firm’s monitoring activities may include monitoring of those areas of change.

Previous Monitoring Activities (Ref: Para. 37(e))

A146. The results of the firm’s previous monitoring activities may indicate areas of the system where a deficiency may arise, particularly areas where there is a history of identified deficiencies.

A147. Previous monitoring activities undertaken by the firm may no longer provide the firm with information to support the evaluation of the system, including on areas of the system of quality management that have not changed, particularly when time has elapsed since the monitoring activities were undertaken.

Other Relevant Information (Ref: Para. 37(f))

A148. In addition to the sources of information indicated in paragraph 37(f), other relevant information may include:

  • Information communicated by the firm’s network in accordance with paragraphs 50(c) and 51(b) about the firm’s system of quality management, including the network requirements or network services that the firm has included in its system of quality management.
  • Information communicated by a service provider about the resources the firm uses in its system of quality management.
  • Information from regulators about the entities for whom the firm performs engagements, which is made available to the firm, such as information from a securities regulator about an entity for whom the firm performs engagements (e.g., irregularities in the entity’s financial statements).

A149. The results of external inspections or other relevant information, both internal and external, may indicate that previous monitoring activities undertaken by the firm failed to identify a deficiency in the system of quality management. This information may affect the firm’s consideration of the nature, timing and extent of the monitoring activities.

A150. External inspections are not a substitute for the firm’s internal monitoring activities. Nevertheless, the results of external inspections inform the nature, timing and extent of the monitoring activities.

Engagement Inspections (Ref: Para. 38)

A151. Examples of matters in paragraph 37 that may be considered by the firm in selecting completed engagements for inspection

  • In relation to the conditions, events, circumstances, actions or inactions giving rise to the quality risks:
    • The types of engagements performed by the firm, and the extent of the firm’s experience in performing the type of engagement.
    • The types of entities for which engagements are undertaken, for example:
      • Entities that are FMC reporting entities considered to have a higher level of public accountability.
      • Entities operating in emerging industries.
      • Entities operating in industries associated with a high level of complexity or judgement.
      • Entities operating in an industry that is new to the firm.
    • The tenure and experience of engagement partners.
  • The results of previous inspections of completed engagements, including for each engagement partner.
  • In relation to other relevant information:
    • Complaints or allegations about an engagement partner.
    • The results of external inspections, including for each engagement partner.
    • The results of the firm’s evaluation of each engagement partner’s commitment to quality.

A152. The firm may undertake multiple monitoring activities, other than inspection of completed engagements, that focus on determining whether engagements have complied with policies or procedures. These monitoring activities may be undertaken on certain engagements or engagement partners. The nature and extent of these monitoring activities, and the results, may be used by the firm in determining:

  • Which completed engagements to select for inspection;
  • Which engagement partners to select for inspection;
  • How frequently to select an engagement partner for inspection; or
  • Which aspects of the engagement to consider when performing the inspection of completed engagements.

A153. The inspection of completed engagements for engagement partners on a cyclical basis may assist the firm in monitoring whether engagement partners have fulfilled their overall responsibility for managing and achieving quality on the engagements they are assigned to.

Example of how a firm may apply a cyclical basis for the inspection of completed engagements for each engagement partner

The firm may establish policies or procedures addressing the inspection of completed engagements that:

  • Set forth the standard period of the inspection cycle, such as the inspection of a completed engagement for each engagement partner performing audits of financial statements once every three years, and for all other engagement partners, once every five years;
  • Set out the criteria for selecting completed engagements, including that for an engagement partner performing audits of financial statements, the engagement(s) selected include an audit engagement;
  • Address selecting engagement partners in a manner that is unpredictable; and
  • Address when it is necessary or appropriate to select engagement partners more, or less, frequently than the standard period set out in the policy, for example:
    • The firm may select engagement partners more frequently than the standard period set out in the firm’s policy when:
      • Multiple deficiencies have been identified by the firm that have been evaluated as severe, and the firm determines that a more frequent cyclical inspection is needed across all engagement partners.
      • The engagement partner performs engagements for entities operating in a certain industry where there are high levels of complexity or judgement.
      • An engagement performed by the engagement partner has been subject to other monitoring activities, and the results of the other monitoring activities were unsatisfactory.
      • The engagement partner has performed an engagement for an entity operating in an industry in which the engagement partner has limited experience.
      • The engagement partner is a newly appointed engagement partner, or has recently joined the firm from another firm or another jurisdiction.
    • The firm may defer the selection of the engagement partner (e.g., deferring for a year beyond the standard period set out in the firm’s policy) when:
      • Engagements performed by the engagement partner have been subject to other monitoring activities during the standard period set out in the firm’s policy; and
      • The results of the other monitoring activities provide sufficient information about the engagement partner (i.e., performing the inspection of completed engagements would unlikely provide the firm with further information about the engagement partner).

A154. The matters considered in an inspection of an engagement depend on how the inspection will be used to monitor the system of quality management. Ordinarily, the inspection of an engagement includes determining that responses that are implemented at the engagement level (e.g., the firm’s policies and procedures in respect of engagement performance), have been implemented as designed and are operating effectively.

Individuals Performing the Monitoring Activities (Ref: Para. 39(b))

A155. The provisions of relevant ethical requirements are relevant in designing the policies or procedures addressing the objectivity of the individuals performing the monitoring activities. A self-review threat may arise when an individual who performs:

  • An inspection of an engagement was:
    • In the case of an audit of financial statements, an engagement team member or the engagement quality reviewer of that engagement or an engagement for a subsequent financial period; or
    • For all other engagements, an engagement team member or the engagement quality reviewer of that engagement.
  • Another type of monitoring activity had participated in designing, executing or operating the response being monitored.

A156. In some circumstances, for example, in the case of a less complex firm, there may not be personnel who have the competence, capabilities, time or objectivity to perform the monitoring activities. In these circumstances, the firm may use network services or a service provider to perform the monitoring activities.

Evaluating Findings and Identifying Deficiencies (Ref: Para. 16(a), 40–41)

A157. The firm accumulates findings from the performance of monitoring activities, external inspections and other relevant sources.

A158. Information accumulated by the firm from the monitoring activities, external inspections and other relevant sources may reveal other observations about the firm’s system of quality management, such as:

  • Actions, behaviours or conditions that have given rise to positive outcomes in the context of quality or the effectiveness of the system of quality management; or

  • Similar circumstances where no findings were noted (e.g., engagements where no findings were noted, and the engagements have a similar nature to the engagements where findings were noted).

Other observations may be useful to the firm as they may assist the firm in investigating the root cause(s) of identified deficiencies, indicate practices that the firm can support or apply more extensively (e.g., across all engagements) or highlight opportunities for the firm to enhance the system of quality management.

A159. The firm exercises professional judgement in determining whether findings, individually or in combination with other findings give rise to a deficiency in the system of quality management. In making the judgement, the firm may need to take into account the relative importance of the findings in the context of the quality objectives, quality risks, responses or other aspects of the system of quality management to which they relate. The firm’s judgements may be affected by quantitative and qualitative factors relevant to the findings. In some circumstances, the firm may determine it appropriate to obtain more information about the findings in order to determine whether a deficiency exists. Not all findings, including engagement findings, will be a deficiency.

A160. Examples of quantitative and qualitative factors that a firm may consider in determining whether findings give rise to a deficiency

Quality Risks and Responses

  • If the findings relate to a response:

    • How the response is designed, for example, the nature of the response, the frequency of its occurrence (if applicable), and the relative importance of the response to addressing the quality risk(s) and achieving the quality objective(s) to which it relates.

    • The nature of the quality risk to which the response relates, and the extent to which the findings indicate that the quality risk has not been addressed.

    • Whether there are other responses that address the same quality risk and whether there are findings for those responses.

Nature of the Findings and Their Pervasiveness

  • The nature of the findings. For example, findings related to leadership actions and behaviours may be qualitatively significant, given the pervasive effect this could have on the system of quality management as a whole.

  • Whether the findings, in combination with other findings, indicate a trend or systemic issue. For example, similar engagement findings that appear on multiple engagements may indicate a systemic issue.

Extent of Monitoring Activity and Extent of Findings

  • The extent of the monitoring activity from which the findings arose, including the number or size of the selections.

  • The extent of the findings in relation to the selection covered by the monitoring activity, and in relation to the expected deviation rate. For example, in the case of inspection of engagements, the number of engagements selected where the findings were identified, relative to the total number of engagements selected, and the expected deviation rate set by the firm.

A161. Evaluating findings and identifying deficiencies and evaluating the severity and pervasiveness of an identified deficiency, including investigating the root cause(s) of an identified deficiency, are part of an iterative and non-linear process.

Examples of how the process of evaluating findings and identifying deficiencies, evaluating identified deficiencies, including investigating the root cause(s) of identified deficiencies, is iterative and non-linear

  • In investigating the root cause(s) of an identified deficiency, the firm may identify a circumstance that has similarities to other circumstances where there were findings that were not considered a deficiency. As a result, the firm adjusts its evaluation of the other findings and classifies them as a deficiency.
  • In evaluating the severity and pervasiveness of an identified deficiency, the firm may identify a trend or systemic issue that correlates with other findings that are not considered deficiencies. As a result, the firm adjusts its evaluation of the other findings and also classifies them as deficiencies.

A162. The results of monitoring activities, results of external inspections and other relevant information (e.g., network monitoring activities or complaints and allegations) may reveal information about the effectiveness of the monitoring and remediation process. For example, the results of external inspections may provide information about the system of quality management that has not been identified by the firm’s monitoring and remediation process, which may highlight a deficiency in that process.

Evaluating Identified Deficiencies (Ref: Para. 41)

A163. Factors the firm may consider in evaluating the severity and pervasiveness of an identified deficiency include:

  • The nature of the identified deficiency, including the aspect of the firm’s system of quality management to which the deficiency relates, and whether the deficiency is in the design, implementation or operation of the system of quality management;

  • In the case of identified deficiencies related to responses, whether there are compensating responses to address the quality risk to which the response relates;

  • The root cause(s) of the identified deficiency;

  • The frequency with which the matter giving rise to the identified deficiency occurred; and

  • The magnitude of the identified deficiency, how quickly it occurred and the duration of time that it existed and had an effect on the system of quality management.

A164. The severity and pervasiveness of identified deficiencies affects the evaluation of the system of quality management that is undertaken by the individual(s) assigned ultimate responsibility and accountability for the system of quality management.

Root Cause of the Identified Deficiencies (Ref: Para. 41(a))

A165. The objective of investigating the root cause(s) of identified deficiencies is to understand the underlying circumstances that caused the deficiencies to enable the firm to:

  • Evaluate the severity and pervasiveness of the identified deficiency; and
  • Appropriately remediate the identified deficiency.

Performing a root cause analysis involves those performing the assessment exercising professional judgement based on the evidence available.

A166. The nature, timing and extent of the procedures undertaken to understand the root cause(s) of an identified deficiency may also be affected by the nature and circumstances of the firm, such as:

  • The complexity and operating characteristics of the firm.

  • The size of the firm.

  • The geographical dispersion of the firm.

  • How the firm is structured or the extent to which the firm concentrates or centralises its processes or activities.

Examples of how the nature of identified deficiencies and their possible severity and the nature and circumstances of the firm may affect the nature, timing and extent of the procedures to understand the root cause(s) of the identified deficiencies

  • The nature of the identified deficiency: The firm’s procedures to understand the root cause(s) of an identified deficiency may be more rigorous in circumstances when an engagement report related to an audit of financial statements of a FMC reporting entity considered to have a higher level of public accountability was issued that was inappropriate or the identified deficiency relates to leadership’s actions and behaviours regarding quality.

  • The possible severity of the identified deficiency: The firm’s procedures to understand the root cause(s) of an identified deficiency may be more rigorous in circumstances when the deficiency has been identified across multiple engagements or there is an indication that policies or procedures have high rates of non-compliance.

  • Nature and circumstances of the firm:

    • In the case of a less complex firm with a single location, the firm’s procedures to understand the root cause(s) of an identified deficiency may be simple, since the information to inform the understanding may be readily available and concentrated, and the root cause(s) may be more apparent.

    • In the case of a more complex firm with multiple locations, the procedures to understand the root cause(s) of an identified deficiency may include using individuals specifically trained on investigating the root cause(s) of identified deficiencies, and developing a methodology with more formalised procedures for identifying root cause(s).

A167. In investigating the root cause(s) of identified deficiencies, the firm may consider why deficiencies did not arise in other circumstances that are of a similar nature to the matter to which the identified deficiency relates. Such information may also be useful in determining how to remediate an identified deficiency.

Example of when a deficiency did not arise in other circumstances of a similar nature, and how this information assists the firm in investigating the root cause(s) of identified deficiencies

The firm may determine that a deficiency exists because similar findings have occurred across multiple engagements. However, the findings have not occurred in several other engagements within the same population being tested. By contrasting the engagements, the firm concludes that the root cause of the identified deficiency is a lack of appropriate involvement by the engagement partners at key stages of the engagements.

A168. Identifying a root cause(s) that is appropriately specific may support the firm’s process for remediating identified deficiencies.

Example of identifying a root cause(s) that is appropriately specific

The firm may identify that engagement teams performing audits of financial statements are failing to obtain sufficient appropriate audit evidence on accounting estimates where management’s assumptions have a high degree of subjectivity. While the firm notes that these engagement teams are not exercising appropriate professional scepticism, the underlying root cause of this issue may relate to another matter, such as a cultural environment that does not encourage engagement team members to question individuals with greater authority or insufficient direction, supervision and review of the work performed on the engagements.

A169. In addition to investigating the root cause(s) of identified deficiencies, the firm may also investigate the root cause(s) of positive outcomes as doing so may reveal opportunities for the firm to improve, or further enhance, the system of quality management.

Responding to Identified Deficiencies (Ref: Para. 42)

A170. The nature, timing and extent of remedial actions may depend on a variety of other factors, including:

  • The root cause(s).

  • The severity and pervasiveness of the identified deficiency and therefore the urgency with which it needs to be addressed.

  • The effectiveness of the remedial actions in addressing the root cause(s), such as whether the firm needs to implement more than one remedial action in order to effectively address the root cause(s), or needs to implement remedial actions as interim measures until the firm is able to implement more effective remedial actions.

A171. In some circumstances, the remedial action may include establishing additional quality objectives, or quality risks or responses may be added or modified, because it is determined that they are not appropriate.

A172. In circumstances when the firm determines that the root cause of an identified deficiency relates to a resource provided by a service provider, the firm may also:

  • Consider whether to continue using the resource provided by the service provider.

  • Communicate the matter to the service provider.

The firm is responsible for addressing the effect of the identified deficiency related to a resource provided by a service provider on the system of quality management and taking action to prevent the deficiency from recurring with respect to the firm’s system of quality management. However, the firm is not ordinarily responsible for remediating the identified deficiency on behalf of the service provider or further investigating the root cause of the identified deficiency at the service provider.

Findings About a Particular Engagement (Ref: Para. 45)

A173. In circumstances when procedures were omitted or the report issued is inappropriate, the action taken by the firm may include:

  • Consulting with appropriate individuals regarding the appropriate action.
  • Discussing the matter with management of the entity or those charged with governance.
  • Performing the omitted procedures.

The actions taken by the firm do not relieve the firm of the responsibility to take further actions relating to the finding in the context of the system of quality management, including evaluating the findings to identify deficiencies and when a deficiency exists, investigating the root cause(s) of the identified deficiency.

Ongoing Communication Related to the Monitoring and Remediation (Ref: Para. 46)

A174. The information communicated about the monitoring and remediation to the individual(s) assigned ultimate responsibility and accountability for the system of quality management may be communicated on an ongoing basis or periodically. The individual(s) may use the information in multiple ways, for example:

  • As a basis for further communications to personnel about the importance of quality.

  • To hold individuals accountable for their roles assigned to them.

  • To identify key concerns about the system of quality management in a timely manner.

The information also provides a basis for the evaluation of the system of quality management, and conclusion thereon, as required by paragraphs 53–54.

Network Requirements or Network Services (Ref: Para. 48)

A175. In some circumstances, the firm may belong to a network. Networks may establish requirements regarding the firm’s system of quality management or may make services or resources available that the firm may choose to implement or use in the design, implementation and operation of its system of quality management. Such requirements or services may be intended to promote the consistent performance of quality engagements across the firms that belong to the network. The extent to which the network will provide the firm with quality objectives, quality risks and responses that are common across the network will depend on the firm’s arrangements with the network.

Examples of network requirements

  • Requirements for the firm to include additional quality objectives or quality risks in the firm’s system of quality management that are common across the network firms.

  • Requirements for the firm to include responses in the firm’s system of quality management that are common across the network firms. Such responses designed by the network may include network policies or procedures that specify the leadership roles and responsibilities, including how the firm is expected to assign authority and responsibility within the firm, or resources, such as network developed methodologies for the performance of engagements or IT applications.

  • Requirements that the firm be subject to the network’s monitoring activities. These monitoring activities may relate to network requirements (e.g., monitoring that the firm has implemented the network’s methodology appropriately), or to the firm’s system of quality management in general.

Examples of network services

  • Services or resources that are optional for the firm to use in its system of quality management or in the performance of engagements, such as voluntary training programs, use of component auditors or experts from within the network, or use of a service delivery centre established at the network level, or by another network firm or group of network firms.

A176. The network may establish responsibilities for the firm in implementing the network requirements or network services.

Examples of responsibilities for the firm in implementing network requirements or network services

  • The firm is required to have certain IT infrastructure and IT processes in place to support an IT application provided by the network that the firm uses in the system of quality management.
  • The firm is required to provide firm-wide training on the methodology provided by the network, including when updates are made to the methodology.

A177. The firm’s understanding of the network requirements or network services and the firm’s responsibilities relating to the implementation thereof may be obtained through inquiries of, or documentation provided by, the network about matters such as:

  • The network’s governance and leadership.

  • The procedures undertaken by the network in designing, implementing and, if applicable, operating, the network requirements or network services.

  • How the network identifies and responds to changes that affect the network requirements or network services or other information, such as changes in the professional standards or information that indicates a deficiency in the network requirements or network services.

  • How the network monitors the appropriateness of the network requirements or network services, which may include through the network firms’ monitoring activities, and the network’s processes for remediating identified deficiencies.

Network Requirements or Network Services in the Firm’s System of Quality Management (Ref: Para. 49)

A178. The characteristics of the network requirements or network services are a condition, event, circumstance, action or inaction in identifying and assessing quality risks.

Example of a network requirement or network service that gives rise to a quality risk

The network may require the firm to use an IT application for the acceptance and continuance of client relationships and specific engagements that is standardised across the network. This may give rise to a quality risk that the IT application does not address matters in local law or regulation that need to be considered by the firm in accepting and continuing client relationships and specific engagements.

A179. The purpose of the network requirements may include the promotion of consistent performance of quality engagements across the network firms. The firm may be expected by the network to implement the network requirements, however, the firm may need to adapt or supplement the network requirements such that they are appropriate for the nature and circumstances of the firm and its engagements.

Examples of how the network requirements or network services may need to be adapted or supplemented

Network Requirement or Network Service: The network requires the firm to include certain quality risks in the system of quality management, so that all firms in the network address the quality risks.

How the Firm Adapts or Supplements the Network Requirement or Network Service: As part of identifying and assessing quality risks, the firm includes the quality risks that are required by the network. The firm also designs and implements responses to address the quality risks that are required by the network.

Network Requirement or Network Service: The network requires that the firm design and implement certain responses.

How the Firm Adapts or Supplements the Network Requirement or Network Service: As part of designing and implementing responses, the firm determines:

  • Which quality risks the responses address.
  • How the responses required by the network will be incorporated into the firm’s system of quality management, given the nature and circumstances of the firm. This may include tailoring the response to reflect the nature and circumstances of the firm and its engagements (e.g., tailoring a methodology to include matters related to law or regulation).

Network Requirement or Network Service: The firm uses individuals from other network firms as component auditors. Network requirements are in place that drive a high degree of commonality across the network management. The network requirements include specific criteria that apply to individuals assigned to work on a component for a group audit.

How the Firm Adapts or Supplements the Network Requirement or Network Service: The firm establishes policies or procedures that require the engagement team to confirm with the component auditor (i.e., the other network firm) that the individuals assigned to the component meet the specific criteria set out in the network requirements.

A180. In some circumstances, in adapting or supplementing the network requirements or network services, the firm may identify possible improvements to the network requirements or network services and may communicate these improvements to the network.

Monitoring Activities Undertaken by the Network on the Firm’s System of Quality Management (Ref: Para. 50(c))

A181. The results of the network’s monitoring activities of the firm’s system of quality management may include information such as:

  • A description of the monitoring activities, including their nature, timing and extent;

  • Findings, identified deficiencies, and other observations about the firm’s system of quality management (e.g., positive outcomes or opportunities for the firm to improve, or further enhance, the system of quality management); and

  • The network’s evaluation of the root cause(s) of the identified deficiencies, the assessed effect of the identified deficiencies and recommended remedial actions.

Monitoring Activities Undertaken by the Network Across the Network Firms (Ref: Para. 51(b))

A182. The information from the network about the overall results of the network’s monitoring activities undertaken across the network firms’ systems of quality management may be an aggregation or summary of the information described in paragraph A181, including trends and common areas of identified deficiencies across the network, or positive outcomes that may be replicated across the network. Such information may:

  • Be used by the firm:

    • In identifying and assessing quality risks.

    • As part of other relevant information considered by the firm in determining whether deficiencies exist in the network requirements or network services used by the firm in its system of quality management.

  • Be communicated to group engagement partners, in the context of considering the competence and capabilities of component auditors from a network firm who are subject to common network requirements (e.g., common quality objectives, quality risks and responses).

A183. In some circumstances, the firm may obtain information from the network about deficiencies identified in a network firm’s system of quality management that affects the firm. The network may also gather information from network firms regarding the results of external inspections over network firms’ systems of quality management. In some instances, law or regulation in a particular jurisdiction may prevent the network from sharing information with other network firms or may restrict the specificity of such information.

A184. In circumstances when the network does not provide the information about the overall results of the network’s monitoring activities across the network firms, the firm may take further actions, such as:

  • Discussing the matter with the network; and

  • Determining the effect on the firm’s engagements, and communicating the effect to engagement teams.

Deficiencies in Network Requirements or Network Services Identified by the Firm (Ref: Para. 52)

A185. As network requirements or network services used by the firm form part of the firm’s system of quality management, they are also subject to the requirements of this PES regarding monitoring and remediation. The network requirements or network services may be monitored by the network, the firm, or a combination of both.

Example of when a network requirement or network service is monitored by both the network and the firm

A network may undertake monitoring activities at a network level for a common methodology. The firm also monitors the application of the methodology by engagement team members through performing engagement inspections.

A186. In designing and implementing the remedial actions to address the effect of the identified deficiency in the network requirements or network services, the firm may:

  • Understand the planned remedial actions by the network, including whether the firm has any responsibilities for implementing the remedial actions; and

  • Consider whether supplementary remedial actions need to be taken by the firm to address the identified deficiency and the related root cause(s), such as when:

    • The network has not taken appropriate remedial actions; or

    • The network’s remedial actions will take time to effectively address the identified deficiency.

Evaluating the System of Quality Management (Ref: Para. 53)

A187. The individual(s) assigned ultimate responsibility and accountability for the system of quality management may be assisted by other individuals in performing the evaluation. Nevertheless, the individual(s) assigned ultimate responsibility and accountability for the system of quality management remains responsible and accountable for the evaluation.

A188. The point in time at which the evaluation is undertaken may depend on the circumstances of the firm, and may coincide with the fiscal year end of the firm or the completion of an annual monitoring cycle.

A189. The information that provides the basis for the evaluation of the system of quality management includes the information communicated to the individual(s) assigned ultimate responsibility and accountability for the system of quality management in accordance with paragraph 46.

Scalability examples to demonstrate how the information that provides the basis for the evaluation of the system of quality management may be obtained

  • In a less complex firm, the individual(s) assigned ultimate responsibility and accountability for the system of quality management may be directly involved in the monitoring and remediation and will therefore be aware of the information that supports the evaluation of the system of quality management.

  • In a more complex firm, the individual(s) assigned ultimate responsibility and accountability for the system of quality management may need to establish processes to collate, summarise and communicate the information needed to evaluate the system of quality management.

Concluding on the System of Quality Management (Ref: Para. 54)

A190. In the context of this PES, it is intended that the operation of the system as a whole provides the firm with reasonable assurance that the objectives of the system of quality management are being achieved. In concluding on the system of quality management, the individual(s) assigned ultimate responsibility and accountability for the system of quality management may, in using the results of the monitoring and remediation process, consider the following:

  • The severity and pervasiveness of identified deficiencies, and the effect on the achievement of the objectives of the system of quality management;
  • Whether remedial actions have been designed and implemented by the firm, and whether the remedial actions taken up to the time of the evaluation are effective; and
  • Whether the effect of identified deficiencies on the system of quality management have been appropriately corrected, such as whether further actions have been taken in accordance with paragraph 45.

A191. There may be circumstances when identified deficiencies that are severe (including identified deficiencies that are severe and pervasive) have been appropriately remediated and the effect of them corrected at the point in time of the evaluation. In such cases, the individual(s) assigned ultimate responsibility and accountability for the system of quality management may conclude that the system of quality management provides the firm with reasonable assurance that the objectives of the system of quality management are being achieved.

A192. An identified deficiency may have a pervasive effect on the design, implementation and operation of the system of quality management when, for example:

  • The deficiency affects several components or aspects of the system of quality management.
  • The deficiency is confined to a specific component or aspect of the system of quality management, but is fundamental to the system of quality management.
  • The deficiency affects several business units or geographical locations of the firm.
  • The deficiency is confined to a business unit or geographical location, but the business unit or location affected is fundamental to the firm overall.
  • The deficiency affects a substantial portion of engagements that are of a certain type or nature.

Example of an identified deficiency that may be considered severe but not pervasive

The firm identifies a deficiency in a smaller regional office of the firm. The identified deficiency relates to non-compliance with many firm policies or procedures. The firm determines that the culture in the regional office, particularly the actions and behaviour of leadership in the regional office which were overly focused on financial priorities, has contributed to the root cause of the identified deficiency. The firm determines that the effect of the identified deficiency is:

  • Severe, because it relates to the culture of the regional office and overall compliance with firm policies or procedures; and
  • Not pervasive, because it is limited to the smaller regional office.

A193. The individual(s) assigned ultimate responsibility and accountability for the system of quality management may conclude that the system of quality management does not provide the firm with reasonable assurance that the objectives of the system of quality management are being achieved in circumstances when identified deficiencies are severe and pervasive, actions taken to remediate the identified deficiencies are not appropriate, and the effect of the identified deficiencies have not been appropriately corrected.

Example of an identified deficiency that may be considered severe and pervasive

The firm identifies a deficiency in a regional office, which is the largest office of the firm and provides financial, operational and technical support for the entire region. The identified deficiency relates to non-compliance with many firm policies or procedures. The firm determines that the culture in the regional office, particularly the actions and behaviour of leadership in the regional office which were overly focused on financial priorities, has contributed to the root cause of the identified deficiency. The firm determines that the effect of the identified deficiency is:

  • Severe, because it relates to the culture of the regional office and overall compliance with firm policies or procedures; and
  • Pervasive, because the regional office is the largest office and provides support to many other offices, and the non-compliance with firm policies or procedures may have had a broader effect on the other offices.

A194. It may take time for the firm to remediate identified deficiencies that are severe and pervasive. As the firm continues to take action to remediate the identified deficiencies, the pervasiveness of the identified deficiencies may be diminished and it may be determined that the identified deficiencies are still severe, but no longer severe and pervasive. In such cases, the individual(s) assigned ultimate responsibility and accountability for the system of quality management may conclude that, except for matters related to identified deficiencies that have a severe but not pervasive effect on the design, implementation and operation of the system of quality management, the system of quality management provides the firm with reasonable assurance that the objectives of the system of quality management are being achieved.

A195. This PES does not require the firm to obtain an independent assurance report on its system of quality management, or preclude the firm from doing so.

Taking Prompt and Appropriate Action and Further Communication (Ref: Para. 55)

A196. In circumstances when the individual(s) assigned ultimate responsibility and accountability for the system of quality management reaches the conclusion described in paragraph 54(b) or 54(c), the prompt and appropriate action taken by the firm may include:

  • Taking measures to support the performance of engagements through assigning more resources or developing more guidance and to confirm that reports issued by the firm are appropriate in the circumstances, until such time as the identified deficiencies are remediated, and communicating such measures to engagement teams.
  • Obtaining legal advice.

A197. In some circumstances the firm may have an independent governing body that has non-executive oversight of the firm. In such circumstances, communications may include informing the independent governing body.

A198. Examples of circumstances when it may be appropriate for the firm to communicate to external parties about the evaluation of the system of quality management

  • When the firm belongs to a network.
  • When other network firms use the work performed by the firm, for example, in the case of a group audit.
  • When a report issued by the firm is determined by the firm to be inappropriate as a result of the failure of the system of quality management, and management or those charged with governance of the entity need to be informed.
  • When law or regulation requires the firm to communicate to an oversight authority or a regulatory body.

Performance Evaluations (Ref: Para. 56)

A199. Periodic performance evaluations promote accountability. In considering the performance of an individual, the firm may take into account:

  • The results of the firm’s monitoring activities for aspects of the system of quality management that relate to the responsibility of the individual. In some circumstances, the firm may set targets for the individual and measure the results of the firm’s monitoring activities against those targets.
  • The actions taken by the individual in response to identified deficiencies that relate to the responsibility of that individual, including the timeliness and effectiveness of such actions.

Scalability examples to demonstrate how the firm may undertake the performance evaluations

  • In a less complex firm, the firm may engage a service provider to perform the evaluation, or the results of the firm’s monitoring activities may provide an indication of the performance of the individual.
  • In a more complex firm, the performance evaluations may be undertaken by an independent non-executive member of the firm’s governing body, or a special committee overseen by the firm’s governing body.

A200. A positive performance evaluation may be rewarded through compensation, promotion and other incentives that focus on the individual’s commitment to quality, and reinforce accountability. On the other hand, the firm may take corrective actions to address a negative performance evaluation that may affect the firm’s achievement of its quality objectives.

Public Sector Considerations

A201. In the case of the public sector, it may not be practicable to perform a performance evaluation of the individual(s) assigned ultimate responsibility and accountability for the system of quality management, or to take actions to address the results of the performance evaluation, given the nature of the individual’s appointment. Nevertheless, performance evaluations may still be undertaken for other individuals in the firm who are assigned operational responsibility for aspects of the system of quality management.

Documentation (Ref: Para. 57–59)

A202. Documentation provides evidence that the firm complies with this PES, as well as law, regulation or relevant ethical requirements. It may also be useful for training personnel and engagement teams, ensuring the retention of organisational knowledge and providing a history of the basis for decisions made by the firm about its system of quality management. It is neither necessary nor practicable for the firm to document every matter considered, or judgement made, about its system of quality management. Furthermore, compliance with this PES may be evidenced by the firm through its information and communication component, documents or other written materials, or IT applications that are integral to the components of the system of quality management.

A203. Documentation may take the form of formal written manuals, checklists and forms, may be informally documented (e.g., e-mail communication or postings on websites), or may be held in IT applications or other digital forms (e.g., in databases). Factors that may affect the firm’s judgements about the form, content and extent of documentation, including how often documentation is updated, may include:

  • The complexity of the firm and the number of offices;
  • The nature and complexity of the firm’s practice and organisation;
  • The nature of engagements the firm performs and the nature of the entities for whom engagements are performed;
  • The nature and complexity of the matter being documented, such as whether it relates to an aspect of the system of quality management that has changed or an area of greater quality risk, and the complexity of the judgements relating to the matter; and
  • The frequency and extent of changes in the system of quality management.

In a less complex firm, it may not be necessary to have documentation supporting matters communicated because informal communication methods may be effective. Nevertheless, a less complex firm may determine it appropriate to document such communications in order to provide evidence that they occurred.

A204. In some instances, an external oversight authority may establish documentation requirements, either formally or informally, for example, as a result of the outcome of external inspection findings. Relevant ethical requirements may also include specific requirements addressing documentation, for example, PES 1 requires documentation of particular matters, including certain situations related to conflicts of interest, non-compliance with laws and regulations and independence.

A205. The firm is not required to document the consideration of every condition, event, circumstance, action or inaction for each quality objective, or each risk that may give rise to a quality risk. However, in documenting the quality risks and how the firm’s responses address the quality risks, the firm may document the reasons for the assessment given to the quality risks (i.e., the considered occurrence and effect on the achievement of one or more quality objectives), in order to support the consistent implementation and operation of the responses.

A206. The documentation may be provided by the network, other network firms, or other structures or organisations within the network.

10 International Standard on Review Engagements (ISRE) (NZ) 2400 (Revised), Engagements to Review Historical Financial Statements

11 International Standard on Assurance Engagements (ISAE) (NZ) 3000 (Revised), Assurance Engagements Other than Audits or Reviews of Historical Financial Information

12 ISA (NZ) 220 (Revised), paragraphs A15–A25

13 ISA (NZ) 220 (Revised), paragraphs A23–A25

14 ISA 220 (Revised), paragraphs 35

15 ISA (NZ) 220 (Revised), paragraph 23

16 ISA (NZ) 300, Planning an Audit of Financial Statements, paragraph 13(b)

17 ISA (NZ) 220 (Revised), paragraphs A34–A36

18 ISA (NZ) 220 (Revised), paragraph 35

19 ISA (NZ) 220 (Revised), paragraph 25

20 ISA (NZ) 220 (Revised), paragraph 26

21 ISA (NZ) 600 (Revised), Special Considerations–Audits of Group Financial Statements (Including the Work of Component Auditors), paragraph 26

22 ISA 220 (Revised), paragraphs 25–28

23 ISA 260 (Revised), Communication with Those Charged with Governance, paragraphs 11–13

24 ISA 260 (Revised), paragraphs 18–22

This conformity statement accompanies but is not part of PES 3.

Conformity with International Standards on Quality Management

This Professional and Ethical Standard conforms with International Standard on Quality Management (ISQM) 1 Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements, issued by the International Auditing and Assurance Standards Board (IAASB), an independent standard-setting board of the International Federation of Accountants (IFAC), in respect of audits and reviews of financial statements and other assurance engagements.

Requirements and application material that has been added to or amended from this Professional and Ethical Standard (and does not appear / appear differently in/from the text of the equivalent ISQM 1) are identified with the prefix “NZ”.

The following introductory paragraphs and definitions are additional to or have been amended from ISQM 1:

Paragraph | Summary of Change

NZ16.1 to NZ16.3 | Additional to ISQM 1, to include definitions of ‘Assurance practitioner’, ‘FMC reporting entity considered to have a higher level of public accountability’ and ‘Professional standards’, within PES 3.

NZ16(c), NZ16(i) and NZ16(m) | Additional to ISQM 1 to include public sector specific definitions within PES 3 that applies to New Zealand public sector audits.

This Professional and Ethical Standard incorporates terminology and definitions used in New Zealand. Requirements that apply to listed entities have been broadened to apply to FMC reporting entities considered to have a higher level of public accountability in New Zealand. This applies to the engagement quality management review requirements. (Ref: Para NZ34(e), NZ34(f), NZA128.1 and NZA132.1)

Compliance with this Professional and Ethical Standard enables compliance with ISQM 1, to the extent that ISQM 1 applies to audits and reviews of financial statements, and other assurance and related services engagements.

Comparison with Australian Standards on Quality Management

In Australia, the Australian Auditing and Assurance Standards Board (AUASB) has issued Auditing Standard ASQM 1 Quality Management for Firms that perform Audits or Reviews of Financial Reports or Other Financial Information, or Other Assurance Engagements.

ASQM 1 also conforms with ISQM 1.

ASQM 1 is amended where there is reference to direct assistance by internal auditors which is prohibited in Australia. There are no such amendments in PES 3 as New Zealand requirements for assistance from internal auditors align with the IAASB standards.

The equivalent requirements and related application and other explanatory material included in ISQM 1 and PES 3 in respect of relevant ethical requirements, are included in another Auditing Standard, ASA 102 Compliance with Ethical Requirements when Performing Audits, Reviews and Other Assurance Engagements. There is no international or New Zealand equivalent to ASA 102.