LeftMenu

Search Under HKSQM 1 Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements and HKSQM 2 Engagement Quality Reviews

HKSQM 1 Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements and HKSQM 2 Engagement Quality Reviews

The Questions and Answers (Q&As) below are prepared and updated by staff at the Institute's Standard Setting Department and do not necessarily reflect the views of the Standard Setting Department, the Institute, the Council or any of its committees. The Institute takes official positions only after extensive review, in accordance with the Institute's due process.

The Standard Setting Department welcomes your comments and feedback, which should be sent to commentletters@hkicpa.org.hk.

The Q&As are intended for general guidance only. The Institute DOES NOT accept any responsibility or liability, and DISCLAIMS all responsibility and liability, in respect of the Q&As and any consequences that may arise from any person acting or refraining from action as a result of any materials in the Q&As.

HKSQM 1 and HKSQM 2

Q1.

Is a non-listed subsidiary of a listed entity within the scope of paragraph 34(f)(i) under HKSQM 1 for engagement quality review? Furthermore, does the nature of the subsidiary—for example, being dormant, immaterial (e.g., representing less than 5% of the holding company’s assets/liabilities), or a significant component—affect whether an engagement quality review is required under that paragraph?

HKSQM 1 paragraph 34(f)(i) states that engagement quality reviews are required for audits of financial statement of listed entities.
For entities other than listed entities (e.g. a subsidiary of a listed group), the firm should refer to the following requirements of HKSQM 1 to determine if an engagement quality review is needed:
- Audits or other engagements for which an engagement quality review is required by law or regulation, for examples, audit engagements for entities that: (Ref: Paragraphs 34(f)(ii), A133)
  - Are public interest entities as defined in a particular jurisdiction¹;
  - Operate in the public sector or which are recipients of government funding, or entities with public accountability;
  - Operate in certain industries (e.g., financial institutions such as banks, insurance companies and pension funds);
  - Meet a specified asset threshold; or
  - Are under the management of a court or judicial process (e.g., liquidation).
    
    (¹In the Financial Reporting Council Ordinance (Cap. 588) (FRC Ordinance), a “public interest entity” means (a) a listed corporation (equity); or (b) a listed collective investment scheme. There is no provision in the FRC Ordinance requiring an engagement quality review to be performed for audit engagements of particular types of entities. Practitioners are to comply with the requirements in HKSQM 1 for the purposes determining audit engagements requiring an engagement quality review, and section 325, Chapter A of the Code in relation to the objectivity of an engagement quality reviewer.)
- Audits or other engagements for which the firm determines that an engagement quality review is an appropriate response to address one or more quality risk(s). The firm’s understanding of the conditions, events, circumstances, actions or inactions that may adversely affect the achievement of the quality objectives, as required by paragraph 25(a)(ii), relates to the nature and circumstances of the engagements performed by the firm. In designing and implementing responses to address one or more quality risk(s), the firm may determine that an engagement quality review is an appropriate response based on the reasons for the assessments given to the quality risks. Examples of conditions, events, circumstances, actions or inactions giving rise to one or more quality risk(s) for which an engagement quality review may be an appropriate response include: (Ref: Paragraphs 34(f)(iii), A134)
  - Engagements that involve a high level of complexity or judgment, such as (i) audits of financial statements for entities for which uncertainties exist related to events or conditions that may cast significant doubt on their ability to continue as a going concern; audits of financial statements for entities operating in an industry that typically has accounting estimates with a high degree of estimation uncertainty (e.g., certain large financial institutions or mining entities); or assurance engagements that require specialized skills and knowledge in measuring or evaluating the underlying subject matter against the applicable criteria (e.g., a greenhouse gas statement in which there are significant uncertainties associated with the quantities reported therein).
  - Entities in emerging industries, or for which the firm has no previous experience.
  - …… (Refer to paragraph A134 for more examples.)
- In some cases, the firm may determine that there are no audits or other engagements for which an engagement quality review is needed. (Ref: Paragraph A136) However, the requirement in HKSQM 1 to establish policies or procedures addressing engagement quality reviews would still apply to the firm. The nature and circumstances of engagements the firm performs may be such that they do not require an engagement quality review in accordance with the firm’s policies or procedures. (Ref: ISQM 1: First Time Implementation Guide, p.62)
- The nature and circumstances of public sector entities (e.g., due to their size and complexity, the range of their stakeholders, or the nature of the services they provide) may give rise to quality risks. In these circumstances, the firm may determine that an engagement quality review is an appropriate response to address such quality risks. Law or regulation may establish additional reporting requirements for the auditors of public sector entities (e.g., a separate report on instances of non-compliance with law or regulation to the legislature or other governing body or communicating such instances in the auditor’s report on the financial statements). In such cases, the firm may also consider the complexity of such reporting, and its importance to users, in determining whether an engagement quality review is an appropriate response. (Ref: Paragraph A137)
- HKSQM 2 paragraph A33 further states that in some cases, an engagement quality reviewer may be appointed for an audit of an entity or business unit that is part of a group, for example, when such an audit is required by law, regulation or other reasons. In these circumstances, communication between the engagement quality reviewer for the group audit and the engagement quality reviewer for the audit of that entity or business unit may help the group engagement quality reviewer in fulfilling the responsibilities in accordance with paragraph 21(a). For example, this may be the case when the entity or business unit has been identified as a component for purposes of the group audit and significant judgments related to the group audit have been made at the component level.

Q2.	Is there any guidance available that illustrates examples of quality risk and responses?

Yes. The HKICPA Quality Management Manual provides guidance aligned with HKSQM 1 and HKSQM 2, including illustrative examples of quality risks and suggested responses. In addition:

The IFAC Quality Management Toolkit for Small- and Medium-Sized Firms and Illustrative Risk Matrix:

Includes illustrative documents, policies, checklists, sample letters, and forms to support the application of ISQMs
Helps SMPs establish their quality objectives, identify and assess quality risks, and design and implement responses to those risks
Adapts to SMP’s specific nature, circumstances, and engagements for firms to develop their SOQM through a unique process

HKICPA Resource Centre hosts practical tools and updates, including:

E-learning courses on HKSQM
Locally developed FAQ and guidance for applying HKSQMs in the Hong Kong context
Resources from overseas professional bodies offering insights and support for implementing ISQMs

Q3.	Are there specific definition for ‘larger firms’ and ‘smaller firms’ for purpose of scalability in HKSQMs?

HKSQM 1 does not provide a definition of larger and smaller firms. HKSQM 1 mentions that the nature, timing and extent of the responses is driven by the quality risks, which are affected by the nature and circumstances of the firm and its engagements. Smaller and less complex firms are likely to have different quality risks than larger and more complex firms, thereby requiring a different response. For quality risks that are common across all firms of varying size and complexity, the nature, timing and extent of the responses may differ given the circumstances of the firm. (Ref: ISQM 1: First Time Implementation Guide, p.30)

HKSQM 1 states that:

Paragraph 7: The firm is required to apply a risk-based approach in designing, implementing and operating the components of the system of quality management in an interconnected and coordinated manner such that the firm proactively manages the quality of engagements performed by the firm. (Ref: Paragraph A4)
Paragraph 10: In applying a risk-based approach, the firm is required to take into account (a) the nature and circumstances of the firm; and (b) the nature and circumstances of the engagements performed by the firm. Accordingly, the design of the firm’s system of quality management, in particular the complexity and formality of the system, will vary. For example, a firm that performs different types of engagements for a wide variety of entities, including audits of financial statements of listed entities, will likely need to have a more complex and formalized system of quality management and supporting documentation, than a firm that performs only reviews of financial statements or compilation engagements.

Q4.	Is the firm required to communicate details regarding its system of quality management to clients?

HKSQM 1 requires that:

Paragraph 33(d)(ii): Information is communicated externally when required by law, regulation or professional standards, or to support external parties’ understanding of the system of quality management. Examples of when law, regulation or professional standards may require the firm to communicate information to external parties: (Ref: Paragraph A114)
- The firm becomes aware of non-compliance with laws and regulations by a client, and relevant ethical requirements require the firm to report the non-compliance with laws and regulations to an appropriate authority outside the client entity, or to consider whether such reporting is an appropriate action in the circumstances.
- Law or regulation requires the firm to publish a transparency report and specifies the nature of the information that is required to be included in the transparency report.
- Securities law or regulation requires the firm to communicate certain matters to those charged with governance.
Paragraph 34(e)(i): Communication with those charged with governance when performing an audit of financial statements of listed entities about how the system of quality management supports the consistent performance of quality audit engagements.
Paragraph A128: HKSA 260 (Revised) states that in some circumstances, it may be appropriate to communicate with those charged with governance of entities other than listed entities (or when performing other engagements), for example, entities that may have public interest or public accountability characteristics, such as entities that hold a significant amount of assets in a fiduciary capacity for a large number of stakeholders including financial institutions, such as certain banks, insurance companies, and pension funds; entities with a high public profile, or whose management or owners have a high public profile; entities with a large number and wide range of stakeholders.

Q5.	For communications across the firm and with external parties under HKSQM 1, would it be more efficient to establish a single source of communication to ensure consistency of the message delivered?

According to HKSQM 1, the public interest is served by the consistent performance of quality engagements. The design, implementation and operation of the system of quality management enables the consistent performance of quality engagements by providing the firm with reasonable assurance that the objectives of the system of quality management are achieved. The firm is required to establish responses to ensure the information are communicated consistently across the firm and to external parties in order to support consistent implementation and operation of the responses to achieve consistent performance of quality engagements. (Ref: Paragraphs A126, A205)

There are a variety of methods a firm may use to communicate information, for example, direct oral communication, manuals of policies or procedures, newsletters, alerts, emails, intranet or other web-based applications, training, presentations, social media, or webcasts. In determining the most appropriate method(s) and frequency of communication, the firm may take into consideration a variety of factors, including:

The audience to whom the communication is targeted; and
The nature and urgency of the information being communicated. In some circumstances, the firm may determine it necessary to communicate the same information through multiple methods in order to achieve the objective of the communication.

In such cases, the consistency of the information communicated is important. (Ref: ISQM 1: First Time Implementation Guide, p.57)

Practically, a firm may have a single source of information (e.g. an internal webpage) and have multiple methods to deliver the same source of information (e.g. oral or email reminders referring to the internal webpage) to ensure consistency.

Q6.	Does ‘service providers’ in HKSQM 1 encompass all kinds of service providers, or is only limited to professional service providers related to engagements?

HKSQM 1 paragraph 16(v) defines “service provider” in the context of this HKSQM as an individual or organization external to the firm that provides a resource that is used in the system of quality management or in the performance of engagements*. Service providers exclude the firm’s network, other network firms or other structures or organizations in the network. (Ref: Paragraphs A28, A105)
*Engagements include audits or review of financial statements, or other assurance or related services engagements.

HKSQM 1 paragraph 32(h) further explains that human, technological or intellectual resources from service providers that are appropriate for use in the firm’s system of quality management and in the performance of engagements, shall take into account the quality objectives in paragraph 32 (d), (e), (f) and (g). (Ref: Paragraphs A105–A108)

Q7.	Can an individual with operational responsibility for the SOQM also hold operational responsibility for specific aspects of the SOQM?

HKSQM 1 paragraph 21 states that in assigning the roles in paragraph 20, the firm shall determine that the individual(s):

(a) has the appropriate experience, knowledge, influence and authority within the firm, and sufficient time, to fulfill their assigned responsibility; and (b) understands their assigned roles and that they are accountable for fulfilling them.

HKSQM 1 paragraph A35 gives a scalability example to demonstrate how assigning roles and responsibilities in a less complex firm may be undertaken. In a less complex firm, ultimate responsibility and accountability for the system of quality management may be assigned to a single managing partner with sole responsibility for the oversight of the firm. This individual may also assume responsibility for all aspects of the system of quality management, including operational responsibility for the system of quality management, compliance with independence requirements and the monitoring and remediation process.

Q8.	HKSQM 1 does not mention the quality objectives for risk assessment process and monitoring and remediation process. Are firms expected to establish quality objectives for these two components?

HKSQM 1 sets out quality objectives for six components, namely governance and leadership, relevant ethical requirements, acceptance and continuance, engagement performance, resources and information and communication. A firm is required to establish quality objectives for these components.

There are no quality objectives for the firm’s risk assessment process and the monitoring and remediation process because these components are processes. Rather, HKSQM 1 sets out specific requirements of how these processes should be applied. (Ref: ISQM 1: First Time Implementation Guide, p.19)

Although HKSQM 1 does not require quality objectives to be established for these two processes, a firm can still consider whether additional quality objectives are established.

Q9.	How long should firms keep their engagement documentation?

How long should firms keep their engagement documentation?

Paragraph 14 of HKSQM 1 requires firms to design, implement and operate a system of quality management for audits or reviews of financial statements, or other assurance or related services engagements performed by the firm. Under paragraph 31(f) of HKSQM 1, this includes maintaining and retaining engagement documentation appropriately to meet the needs of the firm and comply with law, regulation, relevant ethical requirements, or professional standards. According to HKSQM 1, engagement documentation is the record of work performed, results obtained, and conclusions the practitioner reached (terms such as “working papers” or “work papers” are sometimes used). Practitioners should also refer to HKSA 230, Audit Documentation for requirements and guidance on an auditor’s responsibility to prepare audit documentation for an audit of financial statements. It should be noted that audit documentation includes the auditor’s report containing the opinion on the financial statements.

Paragraph A85 of HKSQM 1 states that in the case of engagements conducted under the HKSAs or HKSAEs, the retention period is ordinarily no shorter than five years from the date of the engagement report, or, if later, the date of the auditor’s report on the group financial statements, when applicable.

While HKSQM 1 specifies the minimum length for retaining engagement documentation of audit and assurance engagements, the actual length will be a matter of judgement for the firm’s determination based on the firm’s needs, those of the client and requirements such as laws or regulations. Currently there is no other legislative or regulatory requirement in Hong Kong prescribing the documentation retention period of audit or review engagements, or other assurance or related services engagements performed by the firm. If the retention period is not prescribed, the firm may consider the nature of the engagements performed and the firm’s circumstances to determine it appropriately.

The following is a non-exhaustive list of factors for consideration:

whether laws or regulations specify any retention period of engagement documentation by auditors - practitioners whose clients are subject to regulations or those that receive funding from government agencies may be subject to alternative retention periods. In such cases, firms may be required to retain records for a stipulated period of time as provided by the agency or based on the applicable funding or engagement agreement.

reference to the statutory retention period on books and records that applies to the clients – for example
- Section 377 of the Companies Ordinance (Cap. 622) requires a company to preserve the records, or the accounts and returns, for 7 years after the end of the financial year to which the last entry made or matter recorded in the records, or the accounts and returns, relates.
- Section 51C of the Inland Revenue Ordinance (Cap. 112) requires that every person carrying on a trade, profession or business in Hong Kong shall keep sufficient records in the English or Chinese language of his income and expenditure to enable the assessable profits of such trade, profession or business to be readily ascertained and shall retain such records for a period of not less than 7 years after the completion of the transactions, acts or operations to which they relate.
- Section 10 of the Securities and Futures (Keeping of Records) Rules (Cap. 571O) requires an intermediary, or an associated entity of an intermediary to retain specified records for a period of not less than 7 years.
legal statutes of limitation - in the event of a professional liability claim, engagement records and workpapers provide essential evidence of the work performed for clients. In Hong Kong, the statute of limitations for claims related to contracts is 6 years from the date when the cause of action accrued. Firms should consult with a legal advisor to understand the laws that govern the firm and its engagements.

internal organisational needs

HKSQM 1 applies to all firms performing audits or reviews of financial statements, or other assurance or related services engagements. While paragraph A85 of HKSQM 1 only refers to engagements conducted under HKSAs or HKSAEs, firms should also design and implement the retention period for engagement documentation on other engagements, such as agreed-upon procedures engagements or engagements to review historical financial information performed under the relevant professional standards.

Given the factors described above, firms may identify different retention periods for different clients and/or services. As a practical matter, firms may select the longest retention period and apply it consistently to all records to reduce the administrative complexities.

Total: Bookmarks

Bookmark(s) Click icon to add bookmark(s) to my profile

User Profile Bookmark(s)

Total: Bookmarks

Click icon to add bookmark(s) to my profile

Bookmark(s)

User Profile Bookmark(s)

HKSQM 1 Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements and HKSQM 2 Engagement Quality Reviews