Thematic Review: ISQM (UK) 1 Network Resources and Service Providers

The FRC does not accept any liability to any party for any loss, damage or costs howsoever arising, whether directly or indirectly, whether in contract, tort or otherwise from any action or decision taken (or not taken) as a result of any person relying on or otherwise using this document or arising from any omission from it.

© The Financial Reporting Council Limited 2024. The Financial Reporting Council Limited is a company limited by guarantee. Registered in England number 2486368. Registered Office: 8th Floor, 125 London Wall, London EC2Y 5AS.

1. Executive summary

This is the first year of implementation of ISQM (UK) 1 and the Tier 1 firms have invested heavily in the implementation and have responded positively to our feedback.

Network resources (such as network independence policies) and service providers (such as external training providers) are relied upon in firms' systems of quality management (SoQMs) and in the performance of engagements. Firms are required to identify and understand any such resources or providers relied on, and to evaluate and monitor if they are appropriate for use.

ISQM (UK) 1 introduced a fundamental change in firms' approaches to quality management. The new standard is a significant change to ISQC (UK) 1, requiring firms to take a more proactive and risk-based approach to responding to risks to quality.

Although firms' SoQMs should be individually tailored, we were surprised at the variation both in how firms determined what resources they relied on and how they assessed network resources and service providers that were common across all firms.

We were pleased to see that some firms were proactive in working with their global networks and local process owners in identifying and assessing their resources.

A flow diagram illustrating the four stages of quality management:

  • Establish quality objectives
  • Identify and assess quality risks
  • Design and implement responses
  • Monitor responses and identify deficiencies

This review supports the FRC's supervision of the firms' implementation of ISQM (UK) 1, particularly the Resources component, covering human, technological, and intellectual resources. This review looked at how network resources and service providers were identified, categorised and assessed by the six Tier 1 audit firms.

The FRC is an improvement regulator. This thematic review is intended to provide insight to all audit firms, by sharing the key concerns and good practice identified from our work at the Tier 1 firms. We expect all audit firms to consider these insights proportionately in the context of their nature and circumstances. For example, smaller firms that rely on more service providers than resources from a network may find the sections on service providers of particular relevance.

All Tier 1 firms have room to improve in some areas. Firms need to strengthen their assessment approaches for the different types of resources used in their SoQMs, as well as their review and evaluation of the procedures performed at network level to ensure they obtain adequate assurance.

Our approach to supervision of firms' implementation of ISQM (UK) 1 involves undertaking inspections on a risk-focused, rotational basis. This is supported by targeted thematic work on aspects of firms' SoQMs. Where appropriate, we will look to publish thought pieces targeting specific elements of the ISQM (UK) 1 components.

We have summarised the key themes identified from our review in the next section.

Throughout this publication, the following symbols are used:

  • ✅ Represents good practice identified that reflects an innovative or efficient approach to the requirements. Firms should consider whether these are relevant to their circumstances.
  • 👁️ Represents thematic observations noted.
  • ▲ Represents a finding identified that we would want firms to take note of and remediate.
  • 💡 Represents what we expect firms to do.

2. Summary of key messages

Identification

What should firms do?

  • Firms should ensure they identify all the network resources and service providers relied upon in their SoQMs, so these can be understood and assessed.

What have we found?

  • Firms defined reliance differently. Some firms did not robustly justify why they did not consider that they rely upon certain resources that they use.
  • One firm could not provide a list of the human and intellectual network resources, and globally managed service providers it relied upon.
  • Another firm had not identified a full list of service providers.

What are the good practices?

  • Two firms used lists of service providers obtained from their procurement or accounts payable functions to ensure they identified all service providers relied upon.
  • One firm required business process owners to identify (three times a year) any new service providers, changes in usage or issues arising, to support the iterative process.

Risk rating

What should firms do?

  • Firms should consider risk rating network resources and service providers to determine appropriate assessment approaches. Ratings should consider factors intrinsic to the resources (e.g. extent of tailoring/customisation) and how they are used in SoQMs. Firms should reassess ratings regularly to reflect changes.
  • Firms should plan and tailor assessment procedures based on how network resources and service providers are rated.

What have we found?

  • One firm's risk ratings for service providers did not consider their importance in its SoQM.
  • At some firms, it was not clear how all relevant factors were considered or how low-risk ratings were sufficiently justified.
  • At some firms, little or no assessment was planned for those rated low-risk, despite these having a role in their SoQMs or in the performance of engagements.

What are the good practices?

  • One firm issued robust guidance on the extent and type of assessment for service providers with different risk ratings.

Assessment of network resources

What should firms do?

  • Firms should ensure they receive network reporting in sufficient time to evaluate the extent of assurance provided and the significance of any findings. This will enable them to design and implement timely mitigating actions.
  • Firms should ensure network reporting is sufficiently detailed to enable understanding of the scope of the monitoring, the testing performed and the findings identified. Firms should plan and perform sufficient UK testing to ensure adequate overall assurance.
  • Firms should ensure they clearly evidence their review and evaluation of network reporting to support the extent of assurance taken. This will enable the identification of where additional UK monitoring is needed.
  • Firms should ensure they receive sufficient reporting on other member firms' SoQM evaluations where elements of their own SoQMs rely upon these member firms.

What have we found?

  • One firm did not receive network reporting in the time frame intended. Two firms received network reporting close to the time of completing their annual evaluations.
  • Limitations of different firms' network reporting included: only sharing findings on controls the network deemed relevant to member firms, high-level reporting on the testing of IT controls and reporting only identified findings, not the underlying testing of controls.
  • At some firms, there was no, or insufficient, evidence of their review of network reporting and the underlying testing procedures.
  • None of the network inter-firm reporting provided specific and consistent detail on other member firms' compliance with the UK's extraterritorial ethical requirements.

What are the good practices?

  • Two firms received draft reporting from their networks which enabled early sight of emerging findings.
  • Three firms received reporting that listed expected member-firm-level controls to complement the network monitoring. This increased clarity on the scope of the network's monitoring.
  • One firm clearly evidenced its review of, and the challenges raised with its network about, the planned testing procedures for network control. This enabled the firm to assess if these were appropriate to provide sufficient assurance.
  • One firm received detailed information on offshore delivery centres. This included personal independence compliance testing results and key developments in or changes to the centres' SoQMs.
  • One firm issued suggested mitigating responses for teams relying on various member firms with SoQM deficiencies.

Assessment of service providers

What should firms do?

  • Firms should determine the nature of the information needed and available to assess each service provider appropriately, based on the nature and risk rating of the provider.
  • Firms should consider using a combination of assessment approaches (e.g., reviewing standardised reports, monitoring of KPIs, independent testing and periodic supplier management activities).
  • Firms should ensure they clearly evidence their review of reports from service providers and any identified findings, to determine any mitigating actions needed.

What have we found?

  • The information used to assess common service providers, for similar services, varies between firms. In some instances, firms had not adequately justified the sufficiency of the information obtained and reviewed.
  • Some firms have not justified how their assessment approaches provide sufficient assurance based on how service providers are used in their SoQMs.
  • Some firms did not evidence how they reviewed reports, including Systems and Organisation Controls (SOC) reports, from service providers.

What are the good practices?

  • One firm evidenced review of a wide range of information (KPIs, standardised reports, and historic performance) to justify its assessment of these providers. The types of information considered were tailored by provider.
  • One firm clearly evidenced how it reviewed a standardised report to evaluate findings and understand whether these were relevant to the firm's SoQM by connecting with information obtained elsewhere.

3. Scope

This thematic covers the firms' policies, processes, and procedures in place to:

  • Identify the network resources and service providers they rely upon;
  • Categorise and risk rate the network resources and service providers identified, if applicable;
  • Assess the network resources and service providers relied upon, including by reviewing the reporting and testing from the networks and providers, and the UK-level testing designed; and
  • Monitor the appropriateness of network resources and service providers on an ongoing basis.

4. Introduction to ISQM (UK) 1 requirements

Resources is one of the eight components in a firm's SoQM in ISQM (UK) 1. Resources can be from the firm, the firm's global network, or from an external service provider.

a) What are network resources and service providers?

When a firm is part of a network of firms, services or resources could be provided by either the network centrally, another firm within the network, or another structure or organisation in the network. These are network resources.

A firm may also use resources or services provided by service providers. These are defined as individuals or organisations external to the firm. This includes component auditors from other firms not within the firm's network.

b) How do network resources and service providers fit into a firm's SoQM?

Network resources or a service provider can be part of a firm's response to addressing its quality risks. However, they can also give rise to quality risks that need to be addressed.

Example:

A firm may use a network offshore delivery centre to provide additional human resources for engagement teams. This resource responds to the quality risk of insufficient personnel to perform quality engagements. However, using this resource may create the quality risk that offshore personnel are not appropriately directed and supervised by members of the UK firm.

Smaller firms usually rely on more service providers due to less in-house capacity and capability and fewer economies of scale. The largest firms use fewer service providers, and where they do, they are more likely to be globally managed. This is due to the greater role these firms' global networks play in selecting and managing suppliers providing resources that are used by multiple member firms.

c) Responsibility of a firm under ISQM (UK) 1

Regardless of where resources and services originate, each firm is responsible for the effective design, implementation and operation of its SoQM. ISQM (UK) 1 required firms to identify and understand the network resources and service providers relied upon in their SoQMs, by 15 December 2022, and to implement and operate monitoring processes over these to identify and assess any deficiencies for their annual evaluations, by 15 December 2023 and at least annually thereafter.

5. Introduction to types of network resources and service providers

The Resources component of ISQM (UK) 1 covers human, technological, and intellectual resources. This section describes the various types of resources in each category.

a) Network Resources

Each Tier 1 firm identified a number of different types of human, intellectual and technological network resources in their SoQMs. These are summarised below (with the number in brackets indicating the number of firms identifying each type of resource):

Human Resources Intellectual Resources Technological Resources
Offshore delivery centres (6) Training materials (5) Independence system (6)
Within-network component auditors (3) Audit manual and methodology (4) Audit software, including digital audit tools (6)
Staff from overseas member firms (2) Network policies (2) Document exchange platform (3)
People survey process (1) Engagement inspections system (3)
Attendance tracking tool (1)

▲ Only three firms have included within-network component auditors as network resources although paragraph A175 in ISQM (UK) 1 explicitly used that as an example of network services.

b) Service providers

The different types of service providers identified across firms in their SoQMs providing human, intellectual, or technological resources or services are summarised below (with the number in brackets indicating the number of firms identifying such provider):

Human Resources Intellectual Resources Technological Resources
Recruitment solutions or agencies (5) Professional qualification training providers (5) Audit disclosure checklists (5)
External experts/consultants (3) Professional bodies (a source of resources) (2) IT applications for sending out bank confirmations (5)
Salary bench-marking providers (2) Data providers for independence checks (5)
Law firms (1) Ethics helpline / case documentation service (4)
Non-network component auditors (1) Valuation or hedge accounting tools (3)

▲ Only one firm has included non-network component auditors as service providers, although paragraph A28 in the standard explicitly stated that this should be done. Only three firms have included external experts/specialists/consultants as service providers, although paragraph A105 in the standard explicitly used that as an example of service providers.

▲ As of 15 December 2023, two firms had not completed the identification and evaluation of network resources and service providers. One firm had not fully identified and assessed all service providers and had not assessed certain network resources. Another firm did not complete all elements of the assessment of identified network resources and service providers.

6. Identification of network resources and service providers

The firms have identified network resources and service providers at varying levels of granularity. Firms have also defined the level of reliance differently. Firms should ensure they fully identify network resources and service providers relied upon to enable them to understand the nature of these resources and how they are used in their SoQMs. This will enable them to scope and plan their assessments to obtain the assurance they need.

a) Who is responsible for identifying network resources?

Identification of network resources can be led top down by the network or bottom up by the firm. This may be driven by how centralised the network is and how much commonality there is in resources used by member firms within each network.

The UK firm remains responsible for ensuring it has a complete list of network resources relied upon. Lists provided by the network may also include resources that the UK firm does not rely on.

👁️ At two firms, the process of identifying network resources was led by the firm's network. At four firms, this was led by the firm in the UK. Of these, for three firms the list of network resources identified by the firm was confirmed with or reconciled to that maintained at the network.

▲ At one firm, a list of human and intellectual network resources being relied upon was not available at the UK-firm level. Therefore, it is unclear how the firm has met the standard's requirement to identify and understand the network resources used in its SoQM.

b) Who is responsible for identifying service providers?

Identification of service providers can be led top down by the team implementing the SoQM at the UK firm or the network or bottom-up by the business units and process owners who understand the use of service providers in the relevant business processes.

Firms need to perform sufficiently robust completeness checks for the list of providers identified so they can assess all providers relied upon. This may include leveraging the firm's expenses, procurement or supplier management functions and involving those responsible for various SoQM elements and processes.

👁️ At two firms, the process was led by business units and process owners. At one firm, the process was led centrally from the UK firm. At the two remaining firms, the process is led by both the network and the UK firm depending on whether the service providers are globally or locally managed.

👁️ Three firms engaged with their procurement functions, while two firms relied on business process owners' understanding of the various processes to check for completeness of their lists of service providers.

✅ Three firms cross-checked their list of service providers identified against that maintained by their procurement function, of which two firms also obtained a list of invoices/payments for reconciliation. This ensures the completeness of the list of service providers to be relied upon.

▲ One firm has not fully identified all service providers being relied upon in its SoQM. The firm has therefore not obtained an understanding of its service providers, and the quality risks and responses associated with them.

Split between local and global service providers

The contractual relationship with service providers can be held locally or globally. Resources or services provided by globally managed service providers can be treated as a network resource as they are provided via the firm's network. Firms need to ensure that they understand and have assurance over the reliability of all service providers, even if this is through the processes used to assess network resources.

👁️ Four firms split their service providers between locally and globally managed, based on who holds the contractual relationship. This enables the firms to plan how each service provider needs to be assessed.

▲ One firm did not have a list of globally managed service providers. It is unclear how the firm has met the standard's requirement to identify and understand the service providers at the network level being used in the UK firm's SoQM.

c) Levels of granularity in identifying network resources and service providers

Firms should identify network resources and service providers at a sufficient level of granularity to enable them to understand what these resources are and how they are used in their SoQMs. This will enable the firms to scope and plan assessments to obtain the assurance they need to sufficiently mitigate the specific quality risks.

Firms identified their network resources and service providers at varying levels of granularity. Some examples are summarised in the following tables.

Service providers

Type: Human
Example: External experts
Firms' approaches: Two firms identified a group of external experts collectively as a single service provider, e.g., valuation specialists, whereas two firms have specifically identified individual suppliers of external experts.

Firms should consider the extent of similarity of the role and nature of the organisation the external experts are from, and therefore risks arising from the use of experts, before identifying them collectively as a single service provider.

Network resources

Type: Intellectual
Example: Network policies, audit methodology and manuals
Firms' approaches: Three firms identified their audit methodology/manual as a standalone network resource without any breakdown. In contrast, one firm has broken down their audit methodology into twenty further resources, with each referring to different policy sections, e.g., group audits, supervision and review.

The granularity in identifying network resources should be aligned with the extent to which these resources are developed, monitored and maintained through the same processes at a firm. This should also be aligned to the granularity at which these resources are assessed.

Type: Intellectual
Example: Audit technical publications
Firms' approaches: One firm identified all IFRS financial reporting publications, interpretations and training collectively as an intellectual network resource. Review by a technical audit director has been identified as the basis for the UK's reliance on these network resources.

Given the varying nature of these publications, it is difficult to see how this approach is sufficiently granular for the firm to assess each of these resources under ISQM (UK) 1.

Type: Technological
Example: Digital audit tools, not including audit software
Firms' approaches: At two firms, digital audit tools provided by their network were individually identified as network resources, for example, a data analyser for journal entries and a sampling tool.

At two firms, no digital audit tools provided by the network were identified. Both firms concluded that the process of providing assurance over the development and operation of any digital audit tools was captured in its audit approach manual (identified as a network resource).

These firms need to ensure that the assurance obtained over the audit approach manual robustly covers the operating effectiveness and appropriateness of this process, and therefore the reliability of individual digital audit tools.

d) Definition of reliance for service providers

When identifying service providers, firms are required to understand the conditions, events and circumstances relating to those service providers that may adversely affect them meeting quality objectives. Service providers key to a firm's SoQM may not be assessed appropriately under ISQM (UK) 1 if they have been deemed not to be relied upon and thus excluded.

Some examples of the differences in what is included or excluded from service providers being relied upon between firms are summarised in the following tables.

Type of providers: Intellectual
Example: Data feeds on company information for independence checks
Observations: One firm has specifically excluded the suppliers providing data feeds into its independence systems.

However, it is not clear how these providers are not being relied upon when the data provided is being used by staff to comply with ethics and independence requirements.

Type of providers: Intellectual
Example: Asset valuation
Observations: One firm has excluded the providers used for asset valuation in engagements. The firm considered the services provided as 'off-the-shelf' products used sporadically by audit teams.

However, it is not clear how these providers are not being relied upon as the service enables engagement teams to perform certain audit procedures on asset valuation.

Type of providers: Intellectual
Example: Professional qualification training
Observations: Only one firm has not identified any accountancy professional qualification training providers as service providers, partly based on the training not being bespoke.

However, it is not clear how these providers are not being relied upon as the tuition and training materials provided are key to its personnel developing competence, attaining qualification, and delivering quality engagements.

Type of providers: Human
Example: Recruitment services
Observations: One firm has not identified any suppliers of recruitment solutions or agencies as service providers, on the basis that the decision making remains with the firm.

However, it is not clear how these providers are not being relied upon as their services are used to identify and shortlist candidates for the firm to interview and recruit to perform audit engagements.

👁️ For three firms, their definition of a service provider being relied upon was relatively narrow. For example, at one firm, suppliers are not identified as service providers if the resources provided are used at engagement-level and the related assessment procedures have been covered as part of the audit.

👁️ At another firm, suppliers are excluded if they are considered as not directly supporting a key control, e.g., suppliers of data feeds used in independence checks or for valuation work.

▲ Firms in the examples above did not sufficiently justify their exclusion of certain external suppliers as service providers, even though the services or resources appeared to be used in the firms' SoQMs. This meant that these providers were not assessed to ensure they were appropriate under ISQM (UK) 1. Firms must ensure they evidence robust assessments to determine if quality risks arise from non-bespoke or off-the-shelf resources provided. This supports the decision-making regarding what service providers are not relied upon.

7. Ratings

The standard does not require firms to rate network resources or service providers identified by significance or risk. However, if designed appropriately, ratings can help firms to determine an assessment approach proportionate to the level of significance or risk related to the resource. If the rating is performed by a firm's network, the UK firm needs to ensure that it is comfortable with these or modifies them as needed. It is also important for firms to reassess their ratings on an ongoing basis to ensure that changes in the nature and circumstances of the firm and its engagements are reflected in an iterative and timely manner.

a) Rating of Network resources

👁️ Three out of six firms rate their network resources and two of these firms review the ratings annually. In one of these cases, the UK firm reviewed the rating before its global network finalised it. This demonstrates the UK firm's involvement in the process to ensure the rating reflects the level of significance and risk to the UK SoQM.

| | Firm D | Firm E | Firm F |
|---|---|---|---|
| Ratings? | √ | √¹ | √ |
| Considerations used in ratings | Level of significance and risk to the SoQM | Significance of risk and impact to the SoQM | Significance and relevance to the firm's SoQM |
| Tier of ratings | Three tiers | Three tiers | Three tiers |
| Who assigns the ratings? | SQM team in the UK firm | Network | Head of Quality at the UK firm |
| How does the rating drive the assessment approach? | N/A² | Nature/extent of general IT controls (GITCs) needed and scope of GITCs assessed | Whether an assessment is performed and the scope of any assessment |

b) Rating of Service providers

👁️ Five firms rated their identified service providers. One firm had not yet identified and assessed service providers.

| | Firm A³ | Firm B³ | Firm C | Firm E | Firm F |
|---|---|---|---|---|---|
| Considerations used in ratings | Significance of risk and SoQM impact; Complexity of the service provided; Frequency of the service provided | Significance of risk and SoQM impact; Spend per annum; Importance of the provider to the firm's day-to-day operations | Significance of risk and SoQM impact; Nature of reliance upon the service/resource provided | Significance of risk and SoQM impact | Significance and relevance to the firm's SoQM |
| Tier of ratings | Two tiers | Three tiers | Three tiers | Three tiers | Three tiers |
| Who assigns the ratings? | UK firm's business process owners | UK firm's SQM team, and the firm's procurement function | UK firm's SQM team, and the firm's supplier management function | Network and UK firm's SQM team, depending on the split of globally and locally managed service providers | UK firm's Head of Quality |
| How does the rating drive the assessment approach? | Type of evidence required for assessing appropriateness for SoQM use | Scope of supplier management activities, type of evidence to support assessment, and frequency of reassessment | Scope of assessment, type of evidence required to support assessment, and frequency of reassessment | Reliance on baseline procurement process, or assessment on initial appropriateness for SoQM use, and/or reviews of ongoing effectiveness | Whether an assessment is performed and the scope of any assessment |

Across all five firms, there are broadly two different types of classification of service providers: (i) based on their significance of risk to the firms' SoQMs and (ii) based on their inherent risk considering market reputation, business risk and annual cost. Therefore, there are different approaches to assessing service providers due to the differences in the rating systems across firms.

▲ At one firm, procurement rating, not based on significance to its SoQM, drives the nature and extent of supplier management monitoring and engagement activities. This does not directly address the importance of the service providers within the firm's SoQM.

Network resources

One example of similar network resources rated⁴ differently across firms is summarised in the table below:

| Type of resources | Example of resources | Firm D | Firm E | Firm F |
|---|---|---|---|---|
| Technological | Ethics/independence check tool for client acceptance and continuance | Amber | Red | Red |

One firm has a dual classification system based on significance and risk of the resource to its SoQM. Significance is based on the extent of use. Risk is based on the extent of tailoring of the resource by the UK firm and the residual risk of using the resource. The firm rated its tool as medium significance and low risk, as it only covers audited entities with international presence and is considered simple and stable to use.

Two firms rated their similar resource as significant to their SoQMs, or as a critical application mitigating many quality risks. Both firms assigned the highest rating to this network resource.

Both ratings can be reasonable provided the firms have performed a robust and evidence-based assessment that supports determining the appropriate level of assurance required to ascertain that the resource is appropriate to use. The extent of assessment performed varies between these three firms.

c) Differences in how common resources are classified

Firms consider a range of factors when risk rating service providers. There are broadly two categories: (i) factors intrinsic to the resource, for instance complexity, market reputation and extent of tailoring and customisation, and (ii) factors relating to the firm, for instance the frequency of use and extent of reliance on the resource or service, and its significance to the firm meeting its quality objectives.

Service providers

Three examples of similar service providers rated⁵ differently across firms are summarised in the tables below:

| Type of providers | Example | Firm A | Firm B | Firm E | Firm F |
|---|---|---|---|---|---|
| Intellectual | Professional qualification training providers | Green | Red | Red | Red |

For professional qualification training providers:

  • Two firms rated these as lower significance or impact. For one firm this was based on the service mitigating a limited number of quality risks. For the other firm, this was because the tool had gone through its own internal control process for software before release to the practice.
  • Two other firms rated them as having high significance or impact to their SoQMs, with one firm determining they had a significant impact on audit quality, while the other determined they were heavily relied upon in meeting its quality objectives.
  • It is key that firms' conclusions are based on robust analysis of their facts and circumstances, such as where one firm has used historical monitoring activities to determine risk classifications.

| Type of providers | Example | Firm A | Firm B | Firm E | Firm F |
|---|---|---|---|---|---|
| Intellectual/Technological | Online audit disclosure checklist | Red | Green | Green | Red |

For online audit disclosure checklist providers:

  • Two firms rated these as low significance or impact. For one firm this was because the resource mitigated a limited number of quality risks. For the other firm, this was because the tool had gone through its own internal control process for software before release to the practice.
  • Two firms rated them as high significance or impact. One firm considered them as having significant impact on audit quality, while another considered the providers as relevant to a key risk response required to the firm meeting a quality objective.
  • Audit disclosure checklists are a key audit tool used to assess if financial statements disclosures meet financial reporting requirements. Firms need to consider the significance of the risks mitigated by the tool, and the extent to which they were mitigated by other mechanisms. Where firms deem such tools as lower risk this needs to be based on robust justifications.

| Type of providers | Example | Firm A | Firm B | Firm E | Firm F |
|---|---|---|---|---|---|
| Technological | Electronic audit confirmation tool | Green | Green | Red | Red |

For electronic audit confirmation tool providers:

  • Two firms rated them as low risk. For one firm, the extent of use of this service is low as it uses an internally developed web-based application for the same purpose. For the other firm, this was because the tool had gone through its own internal control process for software before release to the practice.
  • However, the tools are used to request, receive, and track external confirmations used as audit evidence. Therefore, we would usually expect that these providers are assessed as being of moderate to high significance to firms' SoQMs, unless the extent of use is low or there is robust control over the sign-off process of such tools before they are used by engagement teams.

Firms' rating systems are judgemental and use different criteria. They need to be tailored to how the individual firm uses and relies on these resources. Firms should regularly revisit ratings to reflect any changes in circumstances and therefore how they should be assessed for use in their SoQMs.

👁️ Five firms review the ratings on network resources and service providers annually.

✅ At one firm, business process owners are required to complete a questionnaire three times a year that includes identifying new service providers, changes in the use of providers, and issues arising about these. The firm's SoQM leadership then reviews the completed questionnaires. This shows how service providers are periodically assessed by individuals who understand the relevant business processes. This demonstrates the iterative nature of the firm's processes for identifying and classifying service providers.

8. Assessment of network resources

Network resources may come from a global or regional network, another firm or provider in the network, or a service provider that is managed within the network.

Examples:

  • Audit software maintained by a global team would be a resource provided by the network.
  • A digital audit tool provided by an external supplier that is contracted and managed by the network would be a resource provided by a network-managed service provider.
  • A US GAAP disclosure checklist provided by the US member firm would be a resource provided by another firm in the network.

Different assessment approaches tend to be used for assessing different types of resources. The three main approaches are:

  A. Assessing the controls operated by the network/provider;
  B. Independent assessment of the resources by the UK firm centrally; and
  C. UK engagement teams performing their own assessments of the resources they use.

Diagram: The three assessment approaches (levels shown: Network, UK firm, Engagement teams)

  • Approach A: Monitor controls. UK firm: review network reporting of monitoring results, and/or perform top-up assessment on any UK specific requirements. Examples of relevant resources: Audit software, Audit methodology, Independence systems, Training platform and materials.
  • Approach B: Assess resources independently. Examples of relevant resources: Audit methodology, Training materials.
  • Approach C: Set policies and procedures for how engagement teams should assess resources. Engagement teams perform assessments. Examples of relevant resources: Network component auditors, Staff at offshore delivery centres.

When using a combination of these three approaches, firms need to plan how they will work in tandem to effectively address the relevant risks.

a) Reliance on network controls

This requires networks to identify and monitor their own controls over resources and report to member firms on this monitoring and the findings arising. This is the usual method for technological network resources, where networks provide certification and test general IT controls for resources such as audit software. Some firms also gain assurance from network controls over the production and review of intellectual resources, such as audit methodology, or management of human resources based outside the UK.

For this approach, a UK firm needs to understand what network resources it relies upon, and what network controls are in place. Firms must then review, and evidence their review of, the network reporting to determine what assurance they can get from the network monitoring performed and the impact of any findings on their SoQMs.

Different forms of network reporting

Network reporting should be sufficiently detailed to allow firms to understand the scope and nature of monitoring activities and any monitoring procedures they are expected to perform, so that they can gain assurance over the completeness of the findings identified. Findings should be reported in sufficient detail to allow firms to evaluate their impact and determine mitigating actions.

👁️ No network reporting was available at one firm. For the other five firms, the format and extent of network reporting varied.

Reporting format/Firm A B C E F
Consolidated √ √ √ √
By type of resource/region √

At three firms, there was consolidated network reporting, covering the testing performed for all types of network resources. At one firm, reporting comes from different bodies, based on which resources are provided by global and regional network. At another firm, the reporting is provided by type of resource, i.e., technological, intellectual, automated business processes, and offshore delivery centres.

▲ At one firm, the scope of the network reporting is limited, as the network only reported on its monitoring of the controls it deemed relevant to member firms. However, in some instances, the UK firm disagreed with the assessment of which controls were not relevant.

| Reporting content/Firm | A | B | C | E | F |
|---|---|---|---|---|---|
| Scope of resources / controls covered | √ | X | √ | √ | √ |
| Testing approach | √ | X | √* | √** | √ |
| Member firms' responsibilities | √ | X | √ | X | X |
| Summary of findings | √ | √ | √ | √ | √ |

*Technological resources only
**High level only

Examples:

Member firms' responsibilities are where local responses are needed, to complement those at the network-level. Examples are local user access controls for audit software or local review of global audit methodology for jurisdiction-specific requirements.

One firm is not able to retain a copy of its network's report. However, this firm robustly evidenced its review of this report.

👁️ At one firm, the network reporting on technological resources included a list of expected member firm responsibilities, including expected local GITCs and complementary user entity controls (CUECs), to address specified risks. At another firm, the network reporting includes a list of expected member firm-level controls for individual network resources.

This clearly defined the limits of the network testing to enable identification of local responsibilities.

One firm only received high-level reporting on the testing procedures performed for GITCs, and no descriptions of the testing procedures for other types of resources.

Reporting on offshore delivery centres (ODCs)

Firms also received reporting on offshore delivery centres' SoQMs, where these were relied on for engagements. This reporting came from the centres or the member firms that managed the centres.

👁️ Out of the six firms, five firms use ODCs in performing UK audits. One firm did not complete an assessment of the reliability of the ODCs as network resources. The remaining four firms received reporting on their ODCs' SoQM. The level of detail in the reporting varied between the four firms.

| Reporting content/Firm | A | B | C | E |
|---|---|---|---|---|
| Mapping of quality risks and control responses | X | √ | √ | X |
| List of member firms that use the delivery centre | √ | √ | √⁶ | X |
| Member firm's responsibilities | X | X | √ | X |
| Summary of findings | √ | √ | √ | √ |
| Corrective actions to be undertaken in response to the findings identified | X | √ | X | X |

At two firms, the reporting showed the quality risks deemed relevant, the linked controls and responses testing and the findings identified. This clearly reports the scope of testing and which quality risks the findings relate to and facilitates the UK firms identifying or designing local-level mitigating controls to address relevant quality risks as needed.

The extent of assurance a firm needs to get should be connected to the nature and extent of reliance the firm is placing on ODCs, with more needed where a firm is outsourcing a significant number of audit hours and/or outsourcing work over significant audit risks. This is particularly relevant for the extended team model, where offshore individuals work as integrated team members under the direct supervision of UK engagement teams, and may perform audit procedures in areas of significant risks where more judgements are needed.

👁️ At three firms, the extended team model has been introduced at their ODCs. However, only one firm's network report on their ODCs has stated how the quality risks have changed to reflect the use of the extended team model.

At one firm, the report also identified the root causes of the findings and the corrective actions to be undertaken at the offshore delivery centre, which allowed the firm to evaluate the appropriateness of the corrective actions to be implemented.

✅ At one firm, the reporting includes background information on the ODCs, including the governance structure, people survey results, processes for hiring and retention of staff, and personal independence compliance testing results, and a summary of significant changes to the ODCs. This provides the UK firm a wider range of information on the delivery centres' SoQMs when assessing changes to the quality risks, the findings identified and evaluating their impact on their own SoQM.

Assessment of network and ODCs reporting

Firms must assess if the network monitoring provides sufficient assurance, by reviewing the network reporting (if it is sufficiently detailed), reviewing a sample of the underlying testing, or a combination. Firms' approaches should be based on what level of assurance they need, and how detailed the network reporting is. Firms should evidence their assessments to support the reliance taken.

▲ One firm received a summary of the network's findings, but not the underlying testing of the design, implementation and operating effectiveness of controls. The firm discussed the nature and extent of the testing with the network, but minimal evidence of the discussions was retained. This provided insufficient evidence to support the reliance on network resources.

👁️ Firms adopt varied approaches to assessing network reporting:

| Approach/Firm | A | B | C | D | E | F |
|---|---|---|---|---|---|---|
| Review of a sample of the network's testing | √ | √ | X | X | X | √ |
| Review of detailed reporting from the network | √ | √ | √ | N/A | √ | √ |

One firm selected a sample of network digital audit tools and reviewed the network testing over the design, implementation and operating effectiveness of the controls for these tools.

✅ One firm clearly evidenced its evaluation of findings reported for offshore delivery centres. The firm designed and implemented local remedial actions, as well as following up remedial actions with the delivery centres, to conclude that the risks were sufficiently mitigated.

The UK firm should assess the impact of all reported findings on its SoQM. This may require additional testing, to assess the extent of the impact, considering if there are any mitigating local or network controls, and determining what mitigating actions can be implemented.

Two firms selected a sample of network controls and reviewed the network testing over their design, implementation, and operating effectiveness. At one firm, the selected network controls for sample testing were from each of their ISQM (UK) 1 components and of varying nature, type, and frequencies. For this approach, firms need to understand how the network controls mitigate the risks for the relevant resources.

Examples:

  • At one firm, the network reported deficiencies for the global acceptance and continuance systems. The firm identified local mitigating actions and performed additional testing to assess the significance of these deficiencies for the UK SoQM. Based on this, the firm concluded that the network deficiencies did not impact its SoQM.

  • One firm identified and tested UK mitigating controls to reduce its reliance on network controls, where findings were identified. However, it was unclear how these mitigating controls fully addressed the relevant risks. For instance, a UK annual review of the audit software access management policy was identified as mitigating network findings relating to controls over effective migration from older audit software and implementation of the new audit software.
  • One firm reviewed the planned testing procedures for each network control to assess if these were sufficient and appropriate to provide sufficient assurance. The firm also clearly evidenced the challenges raised with its network when it was not satisfied with the design of the testing procedures.
  • One firm clearly evidenced its evaluation on the impact on its SoQM of the findings identified in network testing. This includes setting out the local mitigating controls in place, and evidencing the inquiries held with relevant business process owners.

▲ One firm did not receive network reporting in time for its annual evaluation. Therefore, the firm independently assessed network resources using previous network testing and local mitigating controls. However, the UK controls did not provide sufficient assurance over technological resources that were developed and maintained globally.

The network reporting may advise member firms on how findings are expected to impact their SoQM or recommend mitigating actions.

👁️ Only one firm's network recommended mitigating and corrective actions. However, the UK firm was responsible for deciding if these were appropriate.

Frequency and timing of network reporting

Firms need sufficient time to review network reporting and evaluate any findings, to enable evaluation of their own SoQMs. The sooner firms are aware of network findings the greater their ability to design and implement remediating or mitigating actions before their annual evaluation. Interim discussions or draft reporting can provide early sight of emerging findings and ensure firms have sufficient time to evaluate and respond to these findings.

👁️ Four of the five firms that received network reporting receive this annually. The remaining firm receives biannual reports, though this may change to annual. Two firms also received draft reporting from their networks on emerging findings.

▲ Two firms received network reporting only shortly before completing their annual evaluation of their SoQMs. This creates significant time pressures for the evaluation and reduces opportunities for mitigating findings. One firm received draft reporting on emerging findings, to reduce the challenges arising.

Where the period covered by the network reporting is not aligned with the firm's annual evaluation period, firms must ensure they have assurance over the full period and may need a bridging letter.

Example: At one firm the annual evaluation period is January to December. The firm receives biannual network reports, covering the periods ending in March and September. The firm receives bridging letters from the network, for the three-month periods to June and December, summarising any issues identified. The UK firm evidenced an assessment of these matters.

b) Independent central assessment at the UK firm

An alternative to reliance on network controls is an independent assessment at the UK firm. This approach is often used for intellectual resources, such as audit methodology, work programmes, and training materials. This usually involves:

  1. The UK firm being involved in the review of resources at a network level, and/or
  2. The UK firm performing a separate review before deploying the network resources in the UK. These reviews must be performed by competent individuals on a timely basis.

This approach may also be used for technological resources where firms certify systems and tools.

Examples:

  • One firm has representatives on a network committee which sets the network's audit manual. The network audit methodology is also subject to the same reviews, by the UK audit technical function, as if the methodology was produced in the UK. The firm also mapped the global methodology to the UK ISAs before deploying it for use.
  • At one firm, for any changes implemented to digital audit tools where UK tool owners were involved, the digital audit tools team in the UK is responsible for reviewing, challenging and approving the change management memo prepared and associated testing performed by the tool owners, before the changes to the tool can be deployed.

c) Engagement team-led assessment

The third method of assessment of network resources is engagement team-led. This approach is often used for component auditors or overseas human resources where engagement teams assess the reliability of network component auditors, in line with ISA (UK) 600⁷, and offshore human resources, when assessing the team's combined capacity and capability. This is often supported by the UK firm's review of inter-firm network reporting on other member firms' SoQM conclusions. Firms should ensure this reporting is sufficient to assess the UK impact.

👁️ Four firms have inter-firm reporting processes on member firms' SoQM. For three firms, there was network monitoring and reporting of member firms' SoQM conclusions. At the remaining firm, all network firms follow the same SoQM methodology and self-report on their conclusions. For all four firms, this reporting was distributed internally, on a restricted basis.

The type of information included in the inter-firm reporting on SoQM conclusions is similar across firms.

| Reporting content/Firm | A | B | C | E |
|---|---|---|---|---|
| Member firms' SoQM evaluation conclusions | √ | √ | √ | √ |
| High-level description of deficiency | √ | √ | √ | √ |
| Recommended mitigating actions | X | X | X | X |

👁️ Three firms' networks report by exception on member firms with adverse conclusions. The remaining firm's network reports member firms' SoQM conclusions, except where an adverse conclusion was reached. These member firms report directly to the relevant UK group audit engagement partners if they were used as component auditors.

👁️ At another firm, the report also included considerations for teams using resources from the member firms where exceptions were noted in their annual evaluation conclusions.

  • At one firm, the inter-firm report received also described the client base for the areas of the member firm where findings arose that drive the adverse conclusion. This provided context for the findings identified to support group engagement partners in assessing the significance of these findings when using component auditors.
  • At another firm, the report included a high-level description of the deficiencies identified, whether the deficiencies had been corrected, any actions taken to reduce the severity or pervasiveness of the deficiencies, and a conclusion on each deficiency's severity and pervasiveness.

▲ At the remaining two firms, one firm's network has yet to incorporate ISQM1 into its inter-firm reporting process. The other firm's network has yet to formalise the inter-firm reporting process for SoQM conclusions. This firm also does not have visibility of the findings identified for all network controls that other member firms may have relied upon. This limits the extent to which this firm can support engagement teams' assessment of component auditors.

Inter-firm reporting should also cover member firms' compliance with the network ethics and independence requirements. Non-compliance can cause UK ethical breaches, so UK attainment of quality objectives for relevant ethical requirements may rely on other member firms' compliance.

▲ At one firm, the inter-firm reporting did not adequately cover member firms' compliance with ethical and independence requirements. At another firm, matters on ethical non-compliance were only reported if they resulted in a SoQM deficiency. It was not clear how this enabled the UK firms to assess if other member firms' non-compliance impacted their SoQMs.

The UK firm should review inter-firm reporting to assess the impact on its SoQM, including for reliance on component auditors or overseas staff. This review can be performed centrally by the UK firm and cascaded to engagement teams, or it can be performed by individual engagement teams.

👁️ At two of the four firms, inter-firm reporting is solely reviewed at an engagement team level. At the remaining two firms, there is also central review.

9. Assessment of service providers

Service providers must be assessed in order to conclude whether they are appropriate for use in a firm's SoQM. Globally managed service providers can be assessed through the process for network resources, but the UK firm maintains full responsibility for this assessment.

Example: At one firm, the audit software is provided by a third-party, which is a globally managed service provider. The firm has identified this software as a network resource and has assessed it through the process for network resources by reviewing the network's reporting on its testing approach, instead of directly obtaining and reviewing the information from the provider.

a) Procurement of service providers

Firms' procurement processes will assess potential service providers before a firm starts a new commercial relationship. However, the process to select providers for commercial usage may be different to what needs to be considered from an ISQM (UK) 1 perspective, as a provider may be commercially appropriate but not best suited to supporting a firm's ability to achieve ISQM (UK) 1 quality objectives.

Examples:

  • Externally contracted or offshore human resources could be a commercially attractive option to allow firms to fill in resourcing gaps within a short period of time. However, from an ISQM (UK) 1 perspective firms should focus on the technical competence and quality-focused behaviours of the individuals available from the providers.
  • Externally developed and maintained audit methodology may allow firms to access a standardised audit methodology and audit programme at less cost or effort, but from an ISQM (UK) 1 perspective firms should focus on how the methodology is developed, updated and mandated to ensure it covers all relevant elements of, and changes to, the accounting and auditing standards.

The diagram below provides some examples of the inputs firms use in their procurement processes before an external provider is engaged.

Diagram: Initial assessment of service providers

This diagram shows factors considered during the initial assessment of service providers. The central hexagon is "Initial assessment of service providers". Surrounding hexagons, flowing in, are:

  • Nature of service to be provided
  • Financial due diligence
  • Business continuity risk
  • Information security, e.g., cyber, data privacy
  • Market reputation and industry experience
  • Ethics and independence

b) Assessment of ongoing uses in the SoQM

Firms need to assess service providers on an ongoing basis to ensure the resources provided are appropriate for use in a firm's SoQM, including that the providers comply with any relevant ethical and independence requirements.

The extent of ongoing assessment is driven by the risk ratings assigned to the service providers. The mode of assessment is often driven by the nature of the provider, the service provided, and the information available. For example, the assessment approach would be different between a training materials provider, audit software, or external experts. Firms need to ensure that the manner and extent of assessment are appropriately scoped based on the nature and risk rating of the provider.

The diagram below provides some areas of consideration that could be relevant for assessing service providers for ongoing use in a firm's SoQM.

Diagram: Areas of consideration for assessing service providers for ongoing use in a firm's SoQM

This diagram illustrates factors for ongoing assessment. The central hexagon is implied to be "Ongoing assessment". Surrounding hexagons are:

  • Compliance with laws and regulations
  • Scope and scale of the service
  • Governance and oversight within the provider
  • Accessibility and support for users
  • Processes to identify and address issues
  • Controls for creating and maintaining technical content
  • Competence of personnel
  • Controls over software development and IT environment

👁️ At three firms, service providers are assessed for ongoing use on an annual basis. At one firm, service providers rated as higher risk are assessed on an annual basis, and on a biennial basis for other service providers. At one firm, only the service providers rated as highest risk are assessed on an ongoing basis.

The diagram below provides some examples of the approaches adopted by firms in performing ongoing assessment and monitoring of different types of service providers.

  • Review of standardised reporting by providers (e.g., SOC reports, ISO certificates): applicable to Tech resources, Intellectual resources, and Human resources.
  • Testing procedures performed internally by the firm: applicable to Tech resources.
  • Periodic supplier management activities: applicable to Human resources.
  • Compliance with Service-Level Agreements (SLAs) and Key Performance Indicators (KPIs): applicable to Tech resources, Intellectual resources, and Human resources.

Review of standardised reporting by providers

When firms obtain reporting directly from service providers about the resources provided, firms need to consider if the scope of assurance provided by the report addresses the way the service provider is relied upon. For example, if a firm is relying on an online disclosure checklist tool being regularly updated and in line with what is required in the accounting standards, a systems and organisation controls (SOC) report that provides assurance over IT resilience and security will not provide that assurance. Firms also need to ensure bridging letters are obtained if the reports received do not cover the period being assessed for the firm's SoQM effectiveness.

Firms need robust and timely review processes over these reports, to identify any expected complementary user entity controls (CUECs) for testing, and any findings, so mitigating actions can be undertaken. Reviews should be performed by individuals with good understanding of the resources provided and the business processes involved.

For globally managed service providers, where the network may review the reporting from the providers, the UK firm needs to understand the nature and extent of review performed, and assess if any mitigating actions taken by the network are sufficient to address any findings identified.

Example: At one firm, business process owners at the network level obtain the SOC 2 audit report annually from a provider of an online audit confirmation tool. The SOC report and the process owners' documented review of the report are then shared with the UK team for further review and challenge, to assess for any impact on the UK firm's SoQM. This shows how the UK firm reviews the assessment performed by the network, including the network's review of a SOC report obtained from a globally managed service provider.

Testing procedures performed internally by firms

In circumstances where internal testing may be more appropriate and provide the firms with the nature of assurance needed, firms may design and perform their own control testing procedures.

Examples:

  • At one firm, the internal audit team visits the storage sites every three to five years to assess the controls over information management and security at a service provider of offsite physical files storage and management services.
  • At one firm, when assessing third party digital audit tools, the network performed testing over the design and operating effectiveness of key controls, e.g., change management and tool security, for these tools. A sample of the testing results was then reviewed by the UK firm.

Compliance with Service-Level Agreements (SLAs) and Key Performance Indicators (KPIs)

Firms may agree SLAs with service providers and periodically monitor their performance using agreed KPIs. KPIs will be tailored to the nature of the service provided, and are useful for benchmarking performance against the market and expectations, and identifying performance gaps. However, some KPIs, such as financial metrics, may be used for commercial, rather than SoQM, monitoring.

Example: At one firm, KPIs and SLAs are used to monitor the performance of a company providing background checks and pre-employment screening for job applicants. The KPIs include monitoring the timeliness of completing pre-employment screening cases and if issues are raised to the firm before a new employee's start date.

Periodic supplier management activities

Providers can also be assessed via periodic supplier management activities, meaning the business processes that manage the lifecycle of a supplier, including regular meetings, receipt and review of management information and review of issue trackers.

Example: At one firm, various supplier management activities are carried out at differing frequencies (monthly or quarterly) to provide different levels of oversight over the suppliers, based on the procurement rating. The activities include contract management, performance management, risk management and relationship management. Guidelines are in place on which of these activities are mandatory or recommended, based on the procurement rating.

A firm's supplier management function and business process owners are often responsible for performing ongoing assessment and monitoring of service providers. It is crucial for firms to assign appropriate individuals, who have adequate understanding of how the relevant service providers are used in a firm's SoQM, to then review the assessments performed.

✅ At one firm, different forms of evidence are required to support the assessment of service providers, depending on the risk rating assigned. For higher-risk providers, evidence is expected to be from independent testing performed by the firm's internal audit team, standardised reports or based on an agreed set of KPIs. For lower-risk providers, evidence can be obtained from periodic meetings with the providers, issues reporting, and the suppliers' market reputation. The assessments are performed by business process owners and reviewed by the firm's central SoQM team to ensure they are robust and in line with the firm's methodology.

c) Approaches seen for common service providers

Firms adopt different approaches to assessing service providers that are common to them, such as providers of professional accountancy qualifications and cloud-based disclosure checklists. The tables below summarise our observations of the assessments performed by the firms for these two common providers.

Professional accountancy qualification training providers:

Assessment approach/Firm A B E
Review of standardised reports √
Internal testing procedures √
Compliance with KPIs and SLAs √
Periodic supplier management activities √
Suppliers' market reputation √

At one firm, monthly service reviews are held with the providers to monitor quality of training and performance level against KPIs, e.g., number of delivery days as stated in the contract.

At another firm, two KPIs (feedback on tutors and exam pass rate) are used to monitor the appropriateness of its training providers. The firm also reviewed an Ofsted inspection report and investigated the reasons behind low feedback scores for some tutors as part of its testing.

The nature of service and resources provided by the training providers are similar across the three firms. For the firm where only the suppliers' market reputation is considered, it is unclear how the provider has been adequately assessed for the tuition and training materials provided to the firm.

Assessment of cloud-based audit disclosure checklist tool:

Assessment approach/Firm A B E F
Review of standardised reports √ √
Internal testing procedures √ √ √ √
Compliance with KPIs and SLAs √
Periodic supplier management activities √
Suppliers' market reputation and position √ √
Network reporting √

At one firm, testing was performed to validate the tool logic and responses, and the completeness and accuracy of the updates made by the provider. The tool was scoped in for network testing, including a review of the SOC 2 report for user access controls. The firm reviewed the network reporting.

At another firm, operational service review meetings are held with the provider as needed, to monitor service level and review management information. Any content changes to the tool were also reviewed by the firm's technical experts before it is released for use.

One firm obtained policies from the provider to review them for appropriateness in ensuring the completeness, accuracy, and timely update of the tool, and that the tool is only released after appropriate levels of review. The firm also obtained a SOC 3 report and an ISO certificate on the information security management system from the provider. However, it is not clear how the firm has evidenced its review of the SOC report to understand the reporting scope and any findings, and to identify any mitigating actions needed at the firm.

At one firm, the technical experts cross-check the updates made to the tool by the provider against the relevant financial reporting standards. However, this assessment approach is not reviewed for SoQM purposes.

Assessment approaches vary although the firms use the same tool provided. At two firms, the assessment process is driven by their central SoQM team and/or business process owners, whilst at the remaining two firms it is driven by their procurement teams. It is unclear how these two firms have adequately assessed the provider as their assessment approaches may not fully align to how the resource is used in their SoQMs.

10. Incorporating into firms' monitoring and remediation processes

Firms need to undertake monitoring procedures to identify deficiencies in their SoQMs, including where they relied on network resources and service providers. Deficiencies may be identified through the assessment processes outlined above, as well as other monitoring activities, for example:

  • Inspections of in-progress and completed engagements may identify issues on the use of offshore delivery centres, external experts, and global audit methodology or software.
  • Analysing the cause of ethics breaches may identify issues with corporate family tree information from a service provider.
  • Surveys or focus group feedback may identify issues on training from external providers, or challenges with using offshore delivery centres.
  • Internal audit reviews may cover areas that rely on network resources or service providers.

Where network resources are subject to UK controls, firms should ensure that their monitoring of controls sufficiently covers the network resources. For example, where overseas staff are required to complete UK-specific training, the firm should then ensure that both overseas and UK staff are covered by any sample testing performed to monitor training completion.

Firms should also assess how the use of network resources and service providers contributes to positive and negative quality events, including through their root cause analysis.

Examples of potential considerations in root cause analysis:

  • Offshore delivery centres as a network resource: Whether insufficient supervision or review of offshore staff, by offshore or UK personnel, contributed to poor quality audit work.
  • Use of digital audit tools from the network resource or a service provider: Whether these tools were appropriately designed and communicated to staff to support audit procedures.

Internal inspections of engagements should be scoped to consider if the usage of network resources and service providers is enabling audit quality or if they are contributing to quality findings. Where firms rely on engagement teams to assess network resources or service providers, as outlined above, inspections should ensure teams comply with the relevant UK audit methodology and utilise the information and work programmes provided by the firm.

✅ At one firm, direction, supervision, and review of offshore staff is specifically included as a factor to be considered when inspecting engagement files.

✅ At one firm, inadequate oversight of network resources and service providers is specifically included as a potential causal factor for root cause analysis. This should enable the firm to identify any themes in respect of this.

11. Linkage to annual evaluation process

Firms should ensure they have clear processes to identify and evaluate the severity and pervasiveness of any deficiencies relating to service providers and network resources. These need to be reported to those responsible for performing and concluding on the annual evaluation.

This is particularly important where deficiencies relate to pervasively used resources, such as audit methodology and audit software that are fundamental to the performance of audits.

Financial Reporting Council 8th Floor 125 London Wall London EC2Y 5AS +44 (0)20 7492 230

www.frc.org.uk

Footnotes:


  1. Only technological network resources are subject to classification.

  2. The firm is re-designing its classification framework for network resources for 2024/25, and therefore the approach to network resources based on the classification.

  3. Only those identified as locally managed service providers are risk-rated.

  4. Red: high risk and significance to SoQM; Amber: moderate risk and significance to SoQM; Green: low risk and significance to SoQM

  5. Red: high risk and significance to SoQM; Amber: moderate risk and significance to SoQM; Green: low risk and significance to SoQM

  6. Only applies to two of the three reports received.

  7. ISA (UK) 600 (Revised November 2019): Special Considerations – Audits of Group Financial Statements (Including the Work of Component Auditors)

File

Name Thematic Review: ISQM(UK)1 Network Resources and Service Providers
Publication date 06 August 2024
Type Thematic review
Format PDF, 1.0 MB