The Path to Quality Management: Quality Past, Quality Present, Quality Management
June 01, 2023
I want start off by reminding everyone that the new Quality Management Standards affect every firm with an audit or accounting practice, not just firms that have a peer review. Every firm performing engagements in accordance with the SASs, SSARSs and SSAEs must follow these new standards.
As promised in the first article, we will be diving into the Statements on Quality Standards (SQMS) No. 1 and No. 2 in this installment of the Path to Quality Management. I will not address the accompanying Statement on Auditing Standards (SAS) 146 “Quality Management for Engagements Performed in Accordance with Generally Accepted Auditing Standards” in this piece.
At times, I will be referring to the old Statements on Quality Control Standards (SQCS) No. 8 (AICPA, Professional Standards, QC sec. 10) that was effective as of January 1, 2012. However, I don’t want to confuse anyone, so as a reminder SQCS = Quality Control, which were the old set of standards, and SQMS = Quality Management, which are the new standards.
Quality Past:
The last significant change to the Quality standards came in 2006 when the SQCS No. 7 was issued. SQCS No. 8, issued in 2010, applied to the AICPA’s clarity standards. In the time since 2010 our practice has changed greatly, and I bet you have seen many changes in your practice as well.
We have all experienced the power and use of technology. Technological changes have not only enhanced our auditing and accounting practices, but have also helped transform our client’s businesses and organizations. We have all experienced the increased expectation of regulators- for example the DOL and GAO inspections. We have seen the rise of remote working and have accepted Zoom or other online collaboration tools as the new norm. The accelerations in artificial intelligence and other computer learning platforms simply make my head spin. I grew up in a world where movies like WarGames and Terminator were entertainment, not real life.
Not all of the changes have been positive. I experienced the 100% remote audit and performed 100% remote peer reviews… not a fan. We all experienced the Pandemic and all the regulations and rules surrounding the funding that came with it. Over the last decade, there have been negative peer review results, and studies from the DOL and the GAO have shown a lack in quality in our work. Some of the quality issues noted in the last decade include consistency in planning and performing engagements, over-reliance on practice aides that have not been tailored to the engagement, challenges of firms not being able to apply the standards, and the need to improve the tone at the top of firms.
We as a profession have taken steps to right the ship. Part of making our profession better is embracing the upgraded standards.
Quality Present:
As a reminder to everyone, SQMS No. 1 supersedes Statement on Quality Control Standards (SQCS) No. 8, A Firm’s System of Quality Control (QC section 10). Also, SAS No. 146, Quality Management for Engagements Performed in Accordance with Generally Accepted Auditing Standards, supersedes SAS No. 122, Statements on Auditing Standards: Clarification and Recodification, as amended, section 220, Quality Control for an Engagement Conducted in Accordance With Generally Accepted Auditing Standards (AU-C section 220). SSARS No. 26 updated language to be sure it conforms to SQMS No. 1, and there were changes to the Statement on Standards for Attest Engagements (SSAE) to update the language as well. The language changes to the SSARS and the SSAEs did not change the requirements of those standards. The QM Standards must be in place and operating by December 15, 2025, and SSARS 26 is effective for engagements performed for periods beginning on or after December 15, 2025.
New Quality Management standards, SQMS, are affectionately called “squims” (pronounced like “swims” but with a Q) at the AICPA. The old SQCS were affectionately called “squash” so weird either way.
SQMS No. 1 A Firm’s System of Quality Management sets the foundation for Quality Management. This standard drives quality management at the firm level. SQMS No. 2 Engagement Quality Reviews (EQR) is a new standard, but the content is not completely new. There were elements of EQR in both SQCS 8 and SAS 122.
If your firm performs audits, you may have utilized an engagement quality control review. An EQR is similar, but significantly upgraded. SAS No. 146 clarifies that the engagement partner is ultimately responsible for the engagement even though that person may assign certain tasks to others within the engagement team. SAS No. 146 states that the engagement partner needs to be sufficiently and appropriately involved throughout the engagement as this is fundamental to providing the engagement leadership required to achieve high-quality audits. Recent studies of audit quality have shown a positive correlation between partner engagement and engagement quality.
For a visual reference I have included the AICPAs figure depicting these three standards fitting together to complete the engagement quality puzzle:
Figure one: The Engagement Quality Puzzle
SQMS No. 1 A Firm’s System of Quality Management:
SQMS No. 1 (QM1) lays out quality management at the firm level. QM1 focuses on quality management, not quality control, and underscores the responsibility of firm leadership to have a proactive approach to managing quality. There is an emphasis on scalability. Firms must customize and tailor their systems to their unique circumstances. Very few firms are exactly alike in this profession. QM1 seems to underline this fact and use it stress that complex firms should have a more complex system of quality management, and simpler firms should have simpler systems of quality management.
There is a real focus on have an integrated and iterative approach to designing your systems. The AICPA has stressed a focus on achieving quality objectives through identifying quality risks and responding to quality risks. Firms should have more robust leadership and governance requirements, improve informaiton and communication and enhance their monitoring and remediation processes. You will probably get tired of seeing this diagram, but it was designed as a visual aid to layout the system and its components as QM1 intended.
Figure two: Demonstrates the components of the system of quality and how they work together to achieve the goal of quality management. This demonstrates the iterative and integrated process necessary for quality management. You'll notice the components are not siloed, but rather are interconnected.
The objective of QM1 includes the objective of the firm to design, implement and operate a system of quality management that provides the firm with reasonable assurance that the objectives of its system were achieved. Reasonable assurance is intended to be obtained through the operation of the system as a whole.
Each firm’s system of quality management must be designed to achieve the following two objectives:
- The firm and its personnel fulfill their responsibilities in accordance with professional standards and applicable legal and regulatory requirements and conduct engagements in accordance with such standards and requirements.
- Engagement reports issued by the firm are appropriate in the circumstances.
Following is a brief discussion of the eight requirements of a quality management system:
- Firm’s risk assessment process (new)
- Governance and leadership (adapted from the leadership responsibilities for quality within the firm component in QC 10)
- Relevant ethical requirements (same name as component in QC 10)
- Acceptance and continuance of client relationships and specific engagements (same name as component in QC 10)
- Engagement performance (same name as component in QC 10)
- Resources (adapted from the human resources component in QC 10)
- Information and communication (new)
- The monitoring and remediation process (adapted from the monitoring in QC 10)
As noted, some requirements have not changed, some have changed and some are new. I will discuss some of the key changes and new concepts now and then move on to QM2.
QM1 introduces the risk assessment to the quality process. This is new to the quality environment and is a three-step process that consists of establishing quality objectives, identifying and assessing quality risks to the achievement of the quality objectives and designing and implementing responses to address the assessed quality risks. I will devote a significant amount of time to this concept in later articles.
Governance and leadership establishes the environment in which your system operates and was adapted from the leadership responsibilities for quality within the firm component in QC 10.
There is a new focus on the role a firm’s governance and leadership play in establishing an environment and culture that support each firm’s system of quality management. Leadership is not only responsible and accountable for quality, but also expected to demonstrate a commitment to quality through its actions and behaviors.
Ultimate accountability for your system of quality management must be assigned to the firm’s CEO, managing partner or managing board of directors. Also, a firm must designate an individual to have operational responsibility for the system of quality management and an individual who will have operational responsibility for specific aspects of the system, including compliance with independence requirements and monitoring and remediation process. The same person can be responsible for both roles.
Resources were adapted from the human resources component in QC 10. This requirement was expanded the most. One new requirement is for firms to hire, develop and retain personnel with the competence and capabilities to perform activities or carry out responsibilities within the system of quality management. Also, firms must obtain individuals from external sources or services when the firm does not have sufficient or appropriate personnel to manage their system or perform engagements. The resources requirement covers technological resources, audit tools and other IT applications used by the firm for independence monitoring. Requirements for intellectual resources, for example, the firm’s methodology, guidance, templates, or tools were also expanded.
QM1 introduces the information and communication requirement. Firms must establish information and communication processes that incorporate reliable information from internal and external sources. The firm’s culture must reinforce the responsibility of personnel to share information with one another and the firm. Information should be exchanged throughout the firm so that personnel and engagement teams can understand and perform activities related to the system and the engagements.
The monitoring and remediation process was adapted from the monitoring section of QC 10. Firms must establish policies or procedures that address the objectivity of those performing monitoring activities. In
designing the system, leadership must consider the nature, timing and extent of monitoring activities by considering how the system is designed, the nature and circumstances of the firm and the engagements it performs, the extent of changes to the system, as well as the results of previous monitoring activities or external inspections. QM1 introduces the term “findings” in relation to information about the system of quality management, and firms must evaluate the severity and pervasiveness of identified deficiencies using a root cause analysis and design remedial actions that are responsive to the root cause analysis. This part of the system must allow the firm to take appropriate actions to respond to identified deficiencies and remediate those risks timely.
SQMS No. 2 Engagement Quality Reviews:
SQMS No. 2 (QM2) addresses the appointment and eligibility of the engagement quality reviewer and the performance of engagement quality reviews (EQR). As this is a new standard, I find myself asking why?
The AICPA published an executive summary on their website at https://www.aicpa.org/topic/audit-assurance/quality-management. In this summary the AICPA explains that the current requirements for quality reviews are included in QC section 10 and AU-C section 220, which are going away. The AICPA also describes that having a separate standard will provide certain benefits like “clarifying that an EQR can be a response to quality risks for any type of engagement — not only audit engagements” and “increasing the scalability of QM No. 1…”
The objective of QM2 is to drive the performance of an objective review of the engagement team’s significant judgments and the conclusions reached thereon (that is, an EQR). The EQR must be performed within the context of professional standards and legal and regulatory requirements. However, the review is not intended to evaluate whether the entire engagement complies with professional standards.
Who can perform an EQR? An engagement quality reviewer cannot be a member of the engagement team. This person can be from either inside or outside the firm. QM2 sets the requirements for the appointment and eligibility of the reviewer. To start the reviewer is not a member of the engagement team, and the reviewer is not required to obtain evidence.
Ultimately the engagement partner maintains ultimate responsibility for the engagement, and QM2 reinforces this fact. The engagement partner must evaluate the competence and capabilities of the reviewer and be sure to provide sufficient time for the reviewer to perform the EQR appropriately. The requirements of QM2 also address compliance with relevant ethical requirements, including that threats to objectivity of the reviewer are eliminated or reduced to an acceptable level.
In performing an EQR, the reviewer should focus their attention on significant judgments and significant matters of the engagement. The standard includes a requirement for the reviewer to determine if the performance requirements of the SQMS with respect to the performance of the EQR have been fulfilled. After completing the review, and the reviewer has made this determination, only then can the reviewer inform the engagement partner that the EQR is complete.
An effective EQR can only be achieved when the reviewer is involved at appropriate points in the engagement. In the past, an engagement quality control review would be performed at the end of an audit. QM2 requires that the significant matters and judgments made in planning, performing and reporting on the engagement must be discussed at the appropriate time. The reviewer must be involved when significant judgments are being made by the engagement team. Having discussions with the engagement partner, and others, during planning, or while the engagement is being wrapped up is key. Doing so helps to facilitate the resolution of issues in a timely manner.
QM2 includes a specific requirement for engagement quality reviewers to take responsibility for documentation of the review and adds the requirement that the documentation be filed with the engagement documentation. As is the case in any engagement the documentation of the engagement quality review must be sufficient to enable an experienced practitioner — having no previous connection to the engagement — to understand the nature, timing and extent of the procedures performed.
For more information and to stay up-to-date on the QM standards visit the following link: https://www.aicpa.org/topic/audit-assurance/quality-management
In the next article (to be published in the July/August issue of CPAFocus), I will go into more detail on some of the requirements of SQMS No. 1, mainly the new risk assessment process.
Ross H. Roye, CPA, is a shareholder of Gray, Blodgett & Company, PLLC, and has been with the firm since 2006. He currently serves as the chair of the OSCPA Peer Review Committee. Roye has previously served on the OSCPA board of directors as an at-large director, as well as the Society’s New CPA, Financial Literacy and the Accounting Careers Committees. He was honored as an OSCPA Trailblazer in 2012. Roye is a Past President of the OSCPA’s Norman Chapter and was selected as the Chapter’s Distinguished CPA in 2014.