In a recent conversation with Julia Penny, JS Penny Consulting, we discussed her experience of the implementation of a system of quality management. Julia’s experience is a great guide for those looking to design and implement a System of Quality Management to address the requirements of the new standards which come into effect later this year.
“In my experience, I spent six months, not full time, but in terms of getting up to speed with the standards and all the requirements, working out what I needed to do in terms of objectives, which are mostly set out in the standard, but you must think for yourself.” Julia Penny
The standard guides you with a specific risk assessment list you must consider as part of your risk assessment. But in my experience, I have to say, it's not that helpful, in the way that it makes you look at it, but you've got to do it. And then, you must come up with the risks, the mitigations, and the responses. So, it's at least six months of work, however, that's something which is at the top of the scale and considers all of the risks.
For a small/medium size practice you may work on at least an afternoon to do a risk workshop to brainstorm risks and you might even prefer a couple of afternoons. Then you need several days to do the detailed work. There is no definitive answer on time, it can be like the proverbial ‘how long is a piece of string’ situation. It will depend on your practice, but if you don't already know the standards in detail, and you're the one that is going to be responsible for them, you'll need to allow a couple of days just to really get up to speed with the standards.
For small/medium firms I would predict it talking at least a week, probably weeks, not necessarily quite full time. If you can use resources from a service provider to fill in lots of those gaps, that will reduce the time needed quite considerably because obviously thinking of, writing, and finding responses for particular risks will take a long time.
There's nothing that says you must do all of that yourself. What you need to do is to consider your risks and make sure that you've got a pre-print mitigation for your risk. And this is naturally going to require the most senior people in the organization, the most technically expertise, if you like. And so those people's time is naturally going to be in demand, whether it's other internal projects that are being run on, or many of those people will also be client facing.
It's quite complicated to document because you've got a list of quality objectives that are set out in the standard, risks, and responses and what will be done to mitigate those. The reality is that a lot of responses might impact several quality objectives. And several of the risks would also be connected with a number of objectives and a number of different responses. So that you've got this complex mix of one to one, one to many, many to one relationship.
To map out these relationships using a spreadsheet or on a piece of paper is quite complicated. You can use a bit of filtering, but this takes time when there are other ways to address it more efficiently.
There are various tools in the marketplace to assist in mapping those relationships. For instance, in the standards, there's a requirement to consider the public interest. All audit partners and staff need to understand how important the audit is in terms of public interest, because the risk of not understanding is that people think, well, it's just a job, it's just audit, it doesn't really matter. Which may mean there is an inclination to take short cuts. That's the logic.
Your risk response might be wanting your staff to confirm, in writing in their annual review to say, I am I fit and proper around my independence and I understand the public interest. Other firms might also want staff to undertake a training course and include this as part of the course.
Therefore, you may have two responses, a training course, and a confirmation that, yes, you understand the public interest from an audit point of view, but that will work across a whole load of objectives. Because if you understand all that, it is important in the public interest, you'd be less likely to do things wrong when you have the ability to realize that you were doing it wrong. If you don't understand, then you have got other risks about knowledge and technical ability, but that can also be mapped. If you can put it all into technology which identifies through mapping where the responses apply, it makes it so much easier than trying to map that on a spreadsheet, which doesn't really work without a lot of repetition.
Things like responses to risk are ultimately going to require accountability across the organization. The ideal would be while the system of quality management needs one person to be accountable for the ownership of the entire system and have that oversight capacity, there is the ability to decentralize some risks to create accountability at various levels. This is another area where technology that can drive accountability by for example providing reminders for reviewing certain risks or tasks that have been set.
Taken from a Conversation with Julia Penny, JS Penny Consulting. To hear more of the conversation and Julia's experience with the Implementation of a System of Quality Management, watch the on-demand recording or download the free guide.
