Cover
Navigating the path to audit and attest quality management
Issue 5
December 20, 2024
By Andrea Wright, CPA, and Melanie Barthel, CPA
Four new standards will soon require firms to take a risk-based and scalable approach to designing, implementing, and operating a system of quality management. Here’s some guidance to get you started.
In December 2025, four new interrelated quality management standards will go into effect. The scope of the far-reaching standards will require significant changes to firms’ existing systems of quality control for audit and attest engagements. The new standards include:
- Statement on Quality Management Standards (SQMS) No. 1: “A Firm’s System of Quality Management.”
- SQMS No. 2: “Engagement Quality Reviews.”
- Statement on Auditing Standards No. 146: “Quality Management for an Engagement Conducted in Accordance With Generally Accepted Auditing Standards.”
- Statement on Standards for Accounting and Review Services No. 26: “Quality Management for an Engagement Conducted in Accordance With Statements on Standards for Accounting and Review Services.”
Primarily, these standards will require a shift from a policies-based approach to a risk-based approach, incorporating a risk assessment and monitoring and remediation process into a firm’s system of quality management (SQM).
No matter where you are on your SQMS implementation journey, now’s the time to devote meaningful thought to the implementation process and developing your roadmap to compliance.
Guidance for firms
In September 2023, the AICPA released a practice aid, “Establishing and Maintaining a System of Quality Management,” to assist firms with their SQMS implementation. The practice aid consists of three files: a guide for sole practitioners, a guide for small- to medium-sized firms, and an example risk assessment (ERA) template. These resources can help firms design a risk-based SQM by establishing quality objectives, identifying quality risks, and designing quality responses. Here’s an overview of each of these terms in the context of the standards.
Quality objectives
Quality objectives are the desired outcomes in relation to the components of a firm’s SQM. Firms will need to establish quality objectives for each component of their SQM (except risk assessment and monitoring and remediation) as follows:
- Governance and Leadership
- Relevant Ethical Requirements
- Acceptance and Continuance
- Engagement Performance
- Resources
- Information and Communication
Each of these SQM components is listed as a separate tab within the ERA template. Certain quality objectives are prescribed by the standard and included within the practice aid. The standards also require firms to establish additional quality objectives as needed to achieve their SQM objective.
Quality risks
Quality risks are essentially things that would prevent a quality objective from being achieved. The practice aid provides certain quality risks for each relevant quality objective. However, it’s important to note that these are just sample risks. Firms will need to complete a thorough risk assessment based on the facts, circumstances, and nature of their practice. Solely utilizing the predefined risks without modification won’t achieve compliance with the standards or be effective in managing your firm’s SQM—risks must be tailored to your firm’s practice.
Within the practice aid, columns are also provided to assess the likelihood and impact of each risk, with a low, medium, and high option for each factor. This is solely to assist firms in identifying whether a quality risk exists—the standard itself doesn’t require a formal risk ranking or assignment of likelihood and impact. Still, it’s a useful tool for firms to gauge the degree of risk in designing an appropriate response. Additionally, the practice aid doesn’t consider risks assessed as low for both likelihood and impact as quality risks. Another key point is that quality risks should be evaluated before considering the effectiveness of controls (like the concept of inherent risk in the audit standards).
Quality responses
Quality responses are the firm’s policies and procedures that address the identified quality risks. Think of these as your firm’s controls in place. Some of these may be part of your firm’s existing system of quality control documentation. The standards also specify certain required responses, which are included in the practice aid, as well as other example policies and procedures. However, like quality risks, you’ll need to tailor responses based on your firm’s circumstances to ensure compliance.
Additionally, the AICPA’s practice aid includes a helpful checklist with tips on how to complete a risk assessment. Particularly, “Practical Tips on Designing and Performing the Risks Assessment Process” may be helpful to firms who haven’t begun or are in the early stages of their implementation journey. Notably, the checklist suggests firms:
- Determine who will own and lead the implementation.
- Determine the resources to be involved in the implementation.
- Develop a timeline for implementation.
- Discuss your implementation plan with your peer reviewer.
- Plan risk assessment brainstorming sessions.
- Perform a gap analysis to identify quality risks without an appropriate quality response.
Finally, the practice aid provides guidance on the monitoring and remediation process component, which addresses the evaluation of the design, implementation, and operation of the SQM, including the identification and timely remediation of any identified deficiencies. This information contributes to a firm’s SQM evaluation, which is required to be first performed within one year following December 2025, and then on an annual basis.
With just over a year left until the new standards go into effect, it’s critical for firms to hone their implementation plans now and consider all available resources that’ll support compliance.
Reprinted courtesy of Insight, the magazine of the Illinois CPA Society.