Quality management standards: How to identify risks and design responses
July 18, 2023
In June 2022, the AICPA's Auditing Standards Board (ASB) and Accounting and Review Services Committee (ARSC) issued four interrelated final standards on quality management intended to clarify and improve existing quality processes for audit and attest engagements.
These standards establish a new risk-based approach for CPA firms to implement systems of quality management tailored specifically to their practices. Because the new standards are risk-based, they are much less prescriptive and more scalable than the current quality control standards, which are policy-based.
Overview of the standards
The new standards will apply to all firms that conduct any audits, attest examinations, financial statement or attest reviews, compilations, or agreed-upon-procedures engagements. Here's a rundown of the new standards with a brief definition of each:
Statement of Quality Management Standard (SQMS) No. 1, A Firm's System of Quality Management, introduces a new risk-based assessment process and requires firms to design, implement, and operate a system of quality management customized to their practice and engagements. This includes establishing quality objectives, assessing the specific risks to quality, and designing and implementing responses to address those risks. In addition, firm leadership must evaluate annually whether the firm's system of quality management is meeting its objectives. The approach calls for continuous improvement and ongoing remediation over time. SQMS No. 1 supersedes Statement on Quality Control Standards No. 8, A Firm's System of Quality Control.
SQMS No. 2, Engagement Quality Reviews, applies when a firm decides that an engagement quality (EQ) review is an applicable response to address its engagement performance quality management objective. This new standard addresses the appointment and eligibility of the engagement quality reviewer (whether inside or outside of the firm) and performance of the EQ reviews.
Statement on Auditing Standards (SAS) No. 146, Quality Management for an Engagement Conducted in Accordance with Generally Accepted Auditing Standards, focuses on quality management for audits at the engagement level, including the engagement partner's responsibility for managing engagements to achieve quality, and the importance of quality to all members of the engagement team.
Statement on Standards for Accounting and Review Services (SSARS) No. 26, Quality Management for an Engagement Conducted in Accordance With Statements on Standards for Accounting and Review Services, amends SSARS to conform with SQMS Nos. 1 and 2.
Other significant changes include two new components of systems of quality management (the risk assessment process and the information and communication component), more robust requirements for leadership and governance, enhanced monitoring and remediation processes, and new requirements for networks and service providers.
Systems of quality management in compliance with SQMS No. 1 are required to be designed and implemented by Dec. 15, 2025. The required evaluation of the system must be performed within one year following implementation.
SQMS No. 2 is effective for audits or reviews of financial statements for periods beginning on or after Dec. 15, 2025, and other engagements in the firm's accounting and auditing practice beginning on or after Dec. 15, 2025.
SAS No. 146 is effective for engagements for periods beginning on or after Dec. 15, 2025. Firms that do not perform audits, and therefore do not apply SAS No. 146, would still apply SQMS No. 1.
Early adoption is permitted if all three standards are implemented at the same time.
Although December 2025 may seem far away, it is important for firms to get started now. The first step is to review the new standards and understand how to perform the required risk assessment.
"I'm a small firm, and I perform peer reviews of small firms," said Rick Reeder, CPA, owner, Reeder & Associates, PA, and a member of the SQMS No. 2/AU-C 200 Task Force. "The smaller the firm, the more the new quality management standards may not be top of mind for them because their QM system does not need to be implemented until 2025. But it's essential to get moving."
Reeder noted that firms of all sizes are included in the scope of the standards because engagement quality is important for all firms. The firm's size, based on numbers of staff, clients, and offices, will affect the time it takes to implement the standards. "Larger firms will likely have more unusual risks than smaller firms, and they may also need to identify risks and responses by industry and even by office," he said. "This process is not as insurmountable as many firms may think from what they have heard about the standards, especially for small firms, because the risk assessment is tailored to each firm's practice."
On the other hand, according to Reeder, the process is not as simple as just implementing the existing quality control standards, because the risks and responses must be specific to each firm. "Today, many firms use third-party practice aids that give them boilerplate answers and things they need to do in areas like client acceptance and continuance policy, engagement performance, hiring, and staffing," he said. "Under the new standards, they will have to think about why they are doing things and whether it makes sense based on what can go wrong at their firm."
Develop an implementation plan
As with any other firmwide change or adoption of new standards, it is important to develop an overall implementation plan and processes. This should include who will lead the effort, how information will be documented, what resources will be needed, and a timeline with milestones.
Reeder recommends that the person responsible for quality control at the firm take the lead in developing the plan, with others in the firm carrying out parts of the process. Although a quality management partner may lead the plan development, SQMS No. 1 requires that the ultimate responsibility and authority be with the firm's managing partner, with operational responsibility assigned to appropriate individuals within the firm.
Firms may want to discuss their implementation plan with their peer reviewer, Reeder suggested, although the peer reviewer cannot develop the firm's risks and responses.
How to identify risks
Firms are required to design and implement a risk assessment process. This is a three-step process:
- Establish quality objectives.
- Identify and assess risks to the achievement of those objectives.
- Design and implement responses to address the quality risks.
To identify and assess quality risks, the firm considers the nature and circumstances of both the firm and the engagements it performs that may adversely affect the achievement of the quality objectives. Under the standards, a quality risk is a risk that has a reasonable possibility of occurring and, individually or in combination with other risks, adversely affecting the achievement of one or more quality objectives.
"The quality management standards provide the quality objectives, so firms do not have to come up with them by themselves," Reeder noted.
Quality risks can apply to more than one objective.
"Risks are what I think could go wrong in my firm, in the areas and industries I practice in, if I don't have an appropriate response," Reeder said.
This includes risks related to engagement acceptance and continuance, staff competence and continuing education, and having the appropriate tools, technologies, and resources (including third-party service providers) to carry out engagements effectively and efficiently and to issue the appropriate report in the circumstances. It also includes risks arising from noncompliance with GAAP, GAAS, or the unique compliance requirements for ERISA and single audit engagements.
"A good way for many firms to get started in their risk identification is to think of their practice and write down what they do, especially for smaller firms with smaller audit practices and less complex environments than large regional, national, or international firms," Reeder said. "Don't be afraid to state the obvious about some of the things you do, because a simple statement about your process could be the answer to the risk you identified. Ask yourself why you do the things you do now and whether you will continue to do them."
The risk assessment process is iterative, and quality risks will be revisited throughout and after the implementation process. Having a risk assessment process and team in place will facilitate the ongoing evaluation of risks under the standards and the identification of new risks in the future that will require new or revised responses.
How to design responses
Once quality risks have been identified, the next step is for firms to design responses to those risks and perform a gap analysis. Current quality controls, policies, and procedures are mapped as responses to quality risks. When a quality risk doesn't map to an existing control, new responses are needed. Conversely, there may be current quality controls that don't map to any identified risk and are therefore no longer necessary.
"Responses are what your firm does to minimize its risks," Reeder said, adding that the response can be as concise as a sentence or paragraph describing a procedure. "If your firm does not have a robust existing quality control policy document today, look at the quality management objectives in the standards and your current policies and procedures and ask, 'What are the risks in my practice that these are the answer to?'"
SQMS No. 1 requires written documentation of the firm's quality objectives and quality risks, and a description of the responses and how those responses address the quality risks. "Once you are done, take a step back and see whether your documentation addresses your firm's risks," Reeder suggested. "If it does, that's when you will know the documentation is ready."
On an ongoing basis, the firm is required to monitor its system and add new risks and responses as they emerge, so the documentation will continue to evolve.
"Your peer reviewer will review this documentation as they do for your other quality control documents, and peer review findings could lead you to revise your risk identification and responses over time," Reeder noted.
Once they take effect, the standards will require the firm's managing partner to evaluate at least annually whether the system of quality management is meeting its objectives.
[Journal of Accountancy]