Log Out

What's the risk?

Updated quality management standards promote a risk-based approach to planning and performing group audits.
July 26, 2023

By Natalya Yashina, CPA, DASM, and Diane Walker, CPA

Maintaining high audit quality is crucial for ensuring public trust in financial reporting, and it involves more than just external audit procedures. CPA firms must comply with a set of quality control standards to ensure the elements of a system of quality control are in place to meet professional standards.

The current standards, particularly those related to technology and business environments, haven't been updated since 2006. In June 2022, the AICPA Auditing Standards Board (ASB) and Review Services Committee issued quality management standards that apply to firms performing engagements in accordance with the SASs, SSARSs and SSAEs. In addition to updating the standards for advances in technology and business environments, the new standards replace the current “one size fits all” model that addresses potential issues with quality, consistency, leadership and governance. The new standards may require significant multi-year efforts to implement. While there is time before they become effective, it's important not to delay implementation.

The standards include:

  • Statement on Quality Management Standards (SQMS) No.1: Addresses the system of quality management and deals with a firm’s responsibility to design, implement, and operate a system of quality management for its accounting and auditing practice. The standard supersedes Statement on Quality Control (SQCS) No. 8, A Firm’s System of Quality Control. In addition, SQMS No.1 requires the systems of quality management be designed and implemented in compliance with the standard by Dec. 15, 2025, and to be evaluated within one year following Dec. 15, 2025.
  • Statement on Quality Management Standards No.2: Deals with engagement quality reviews and affects audits or reviews of financial statements and other engagements in the accounting and auditing practice. SQMS 2 is effective for audits or reviews of financial statements for periods beginning on or after Dec. 15, 2025, and other engagements in the firm’s accounting and auditing practice beginning on or after Dec. 15, 2025.
  • Statement on Auditing Standards (SAS) No.146, Quality Management for an Engagement Conducted in Accordance with Generally Accepted Auditing Standards: Addresses the auditor’s specific responsibilities in regard to quality management at the engagement level for a financial statement audit and the related responsibilities of the engagement partner. SAS 146 is effective for engagements conducted in accordance with Generally Accepted Auditing Standards (GAAS) for periods beginning on or after Dec. 15, 2025.
  • Statement on Standards for Accounting and Review Services (SSARS) No.26, Quality Management for an Engagement Conducted in Accordance with Statements on Standards for Accounting and Review Services: Focuses on standards at the engagement level for accounting and review services and the related responsibilities of the engagement partner. SSARS 26 is effective for engagements performed in accordance with the SSARS for periods ending on or after Dec. 15, 2025.

In March 2023, the ASB issued SQMS No.3, Amendments to QM Sections 10, A Firm’s System of Quality Management, and 20, Engagement Quality Reviews, as well as SAS No. 149, Special Considerations — Audits of Group Financial Statements (Including the Work of Component Auditors and Audits of Referred-to Auditors). The amendments to QM 10 and 20 conform certain language terms to language used in SAS 149. SAS 149 requires a risk-based approach to planning and performing a group audit, and the group auditor must use their professional judgement in determining over which components further audit procedures need to be performed, based on assessed risks.

SAS 149 is effective for periods ending on or after Dec. 15, 2026, and SQMS No. 3 is effective concurrently with the effective dates provided in QM sections 10 and 20.

What’s new?

The biggest change is a new risk-based approach to quality management, which means the system of quality management should be adaptable to changes in the firm and its engagements. The components of the system have also been revised, with two new components added. There are eight components the system should address:

  1. The firm’s risk assessment process
  2. Governance and leadership
  3. Relevant ethical requirements
  4. Acceptance and continuance of client relationships and specific engagements
  5. Engagement performance
  6. Resources
  7. Information and communication
  8. The monitoring and remediation process

To implement a risk-based approach, firms should follow a three-step process and 1) establish quality objectives, 2) identify and assess risks that may hinder their achievement, and 3) design and implement appropriate responses to address the quality risks. The reality is that firms are now required to perform a gap analysis on their systems of quality, similar to the process used to assess compliance of internal controls under the COSO Framework.
Other key changes include increased requirements for governance and leadership, enhanced monitoring and remediation processes, and new requirements for networks and service providers.

Here are some of these key changes in more detail.

Information and communication

The information and communication component of the new system of quality management has no equivalent in prior quality standards. This new component emphasizes the importance of establishing information and communication processes that support the system of quality management. The focus here is on the flow of information and communication which is linked to the firm’s culture, and internal and external communication. The firm’s information system needs to include relevant and reliable information that is accurate, complete, timely, and valid and which supports the system of quality management.

Governance and leadership

The standards contain more robust requirements for governance and leadership in setting the tone at the top, including appropriate qualifications and accountability. Quality should be a key consideration in the firm's strategic decisions and actions, such as financial and operational priorities.

Monitoring and remediation

An enhanced monitoring and remediation process emphasizes identification and remediation of issues on a timely basis. There is more transparency in what is required to be considered in determining the nature, timing, and extent of the monitoring activities. The standard also introduces the new term “findings,” which can be accumulated from monitoring or other activities or relevant sources, i.e., external inspections. The firms are required to evaluate these findings and determine whether deficiencies exist. The establishment of policies and procedures for monitoring activities is important, including the qualifications of those who perform such activities. These individuals should be competent, objective, and have enough time to complete their tasks. Identifying deficiencies and designing remedial actions should involve evaluating severity and pervasiveness through root cause analysis.

There are many resources offered by the AICPA to assist with the implementation of the new quality management standards. The first step: Review and understand the standards and develop a timeline for implementation. Use the AICPA tool, "Quality Management Standards: What's Changing and What You Should Be Doing Now," which includes examples of timelines and a detailed comparison of differences between QS section 10 and the current quality control standards. You can find that tool at https://www.aicpa-cima.com.

Though there is still time before the standards become effective, the extended implementation period is there for a reason! The updated standards will be a big change for some firms and may require additional time and resources to address identified gaps, findings and deficiencies, and ensure compliance with the deadline.

Natalya Yashina, CPA, DASM, is the founder and CEO of Capital Accounting Advisory, LLC, where she and her team provide training, project management, training needs assessment, team performance improvement, and strategy and visioning services to audit firms and non-profit organizations. Prior to expanding her firm’s offerings, Natalya focused on technical accounting and financial reporting services. She was the 2020–2021 chair of the VSCPA Accounting & Auditing Advisory Committee, which she has served on since 2018.

Diane Walker, CPA, is a partner with Johnson Lambert LLP where she is in charge of the firm’s Quality Management function and leads the employee benefit plan practice. Johnson Lambert LLP is a multi-office, niche-focused firm that provides audit, tax and advisory services to insurance entities, employee benefit plans and nonprofit organizations. She previously served terms on the AICPA’s Employee Benefit Plan Audit Quality Center Executive Committee and Employee Benefit Plan Expert Panel.