Skip to main content

Is Your Firm’s New Quality Management System on Target for December 2025?

November 12, 2024

Firms that offer audit and accounting services still have time to successfully implement the new quality management standards, but they must start now to be ready when the standards take effect December 15, 2025. Keep in mind that firms whose peer review year ends after this date (many reviews are to be performed starting in 2026) will have their systems reviewed under the new quality management standards — firms that fail to comply may not pass their peer review!

You may be feeling overwhelmed and unsure of where to begin and how to bridge the gaps from the current policy-based quality control standards to the new risk-based quality management standards. (See “Overview of the New Standards” section.) There is a lot to do and limited time to do it – now is the time to start if your firm hasn’t already.

So, how do you make this significant task achievable? This article provides advice on how to do that in several key areas.

Developing an Approach to Implementation

There is no one correct answer in developing an approach to implementation. Some practical approaches include:

  • Component-by-component — Start with a component that your firm feels is already well established and develop the quality objectives, quality risks, and responses for that component before moving on to another component.
  • Step-by-step — Develop all quality objectives first, assessing all quality risks, and then design and implement responses to quality risks.

Caution: One response could address multiple quality risks across various components, and one quality risk could require more than one response. Implementation of the quality management standards will be iterative and may require reevaluating the risk assessment, gap analysis, and responses.

Determining a Documentation Approach

The form, content, and extent of documentation may be influenced by the complexity of the firm and the nature and circumstances of its practice areas and organization. Documentation of the firm’s system of quality management should:

  • Support a consistent understanding of the system of quality management by personnel, including their roles and responsibilities when performing engagements.
  • Support consistent implementation and operation of the responses.
  • Provide evidence of the response’s design, implementation, and operation to support the system of quality management by the responsible individual(s).

The AICPA developed an Example Risk Assessment template that firms may use to facilitate the documentation of quality objectives, quality risks, and responses during the implementation of the quality management standards as part of the practice aid "Establishing and Maintaining a System of Quality Management for a CPA Firm’s Accounting and Auditing Practice".

The Risk Assessment Process

The risk assessment process is a new component firms will design and implement as part of their system of quality management. It consists of establishing quality objectives, identifying and assessing quality risks that could adversely affect achieving quality objectives, and designing and implementing responses to address the assessed quality risks.

Establishing Quality Objectives

Statement on Quality Management Standards (SQMS) No. 1A Firm’s System of Quality Management, specifies quality objectives that the firm should establish. Quality objectives are the desired outcomes in relation to the components of the system of quality management to be achieved by the firm. Firms should establish specified quality objectives for:

  • Governance and leadership
  • Relevant ethical requirements
  • Acceptance and continuance of client relationships and specific engagements
  • Engagement performance
  • Resources
  • Information and communication

The quality objectives required to be established by the firm are considered sufficiently comprehensive such that it is unlikely that the firm would need to establish additional quality objectives. A firm may establish sub-objectives to enhance the firm’s identification and assessment of risks and responses.

What is a Quality Risk?

A quality risk is a risk that has a reasonable possibility of:

  • Occurring, and
  • Individually, or in combination with other risks, adversely affecting the achievement of one or more quality objectives.

Quality risks should be specific to your firm; therefore, obtaining an understanding of the conditions, events, circumstances, actions, or inactions that may adversely affect the achievement of the quality objectives is imperative.

Consider a firm brainstorming session to kick-start the documentation of identified risks. Write down what your firm does and what could go wrong in the absence of controls. If your firm is a small practice with less complex clients, don’t assume you don’t have any risks. Think about the procedures you perform during client acceptance and continuance to mitigate client risk, how you stay up to date with professional standards, how you shield yourself from self-review threats, and how you exercise professional skepticism.

Designing and Implementing Responses

The nature, timing, and extent of responses should be based on the reasons for the assessments given to the quality risks.

Your firm’s current quality control policies and procedures are a good place to start when designing and implementing responses.

Based on the identified quality risks, map your current controls or, as SQMS No. 1 calls them, “responses to quality risks.” Modify the policies and procedures as necessary to appropriately respond to the identified quality risks.

Perform a gap analysis to identify quality risks without appropriate responses and responses without corresponding quality risks. Then, evaluate whether all quality objectives are appropriately addressed and determine whether all specified responses from paragraph 35 in SQMS No. 1 have been included. Based on the gap analysis, create new policies or procedures to address quality risks, as needed, and consider eliminating any policies or procedures that are not effective.

Tips, Taps, and Insights by Component

Most of the necessary components are not new to your firm’s system of quality control, but when your firm transitions to a system of quality management, you will need to consider new and more robust requirements during implementation.

Governance and Leadership

The governance and leadership component, commonly referred to as the “tone at the top,” is not a new element of firm quality control, but the new quality management standards have more robust requirements. There is a focus on the firm’s environment and culture that support quality, including an expectation that leadership will demonstrate a commitment to quality and that the firm will deploy resources consistent with its commitment to quality. Engage with your firm’s staff and discuss the following:

  • How does your firm assign individuals to engagement teams?
  • Does your firm have a tracking mechanism to ensure personnel, including partners, have the competence and capacity, including time, to complete their assigned roles?
  • When making strategic decisions, how does the firm account for audit and accounting quality?
  • Does your firm clearly inform all personnel of their responsibilities to the system of quality management?

Relevant Ethical Requirements

Under this updated component, the firm is required to specify an individual who is responsible for ensuring compliance with independence requirements. This individual will need the right knowledge, skill, ability, capacity, and authority to address these issues — not just be a senior person in the firm. Joe Lynch, CPA, managing director at Johnson Global Accountancy and AICPA Quality Management Implementation Task Force member, suggests firms consider these questions as they explore how to adapt current processes:

  • How is your firm dealing with relevant ethical requirements now, and will you need to make changes to comply with the quality management standards?
  • Do you have a system in place for personnel to report any violations?
  • Do you have someone in your organization who is an expert on applicable independence and ethics rules and can take on this role?
  • Should there be two separate roles in the quality management function — one for the creation of the policies and procedures and the other for monitoring the compliance of those policies and procedures?
  • How is your firm determining the existence and completeness of firm relationships (e.g., with vendors)?

Acceptance and Continuance of Clients and Specific Engagements

Some firms have said that they don’t have any risks because their client base is not risky. Let’s turn this comment into a question: Why do you think your clients are not risky? Some potential answers to this question could be that your firm only accepts clients in an industry it has the competence to specialize in, your clients’ organizational structures or business models are not complex, or your clients have good business reputations and ethical values. These are all examples of acceptance and continuance criteria to include in your firm’s policies and procedures. Some other questions to consider include:

  • Is your firm’s approval over acceptance and continuance aligned with risk assessment and tone at the top?
  • What could have changed at the client from previous acceptance or continuance decisions to next year’s decisions (which could be harder to know during economic turbulence)?
  • What if information becomes known after your firm’s acceptance decision has been made that could’ve impacted that decision if it had been known at the time? What kind of information would that be?

Engagement Performance

This may be a good component to start with since your firm likely has a good understanding of the engagement performance component’s objectives. Take stock of your current engagement performance policies and procedures and evaluate what is or is not working for your firm. There are several new or enhanced requirements that can help tailor your policies and procedures. For example, there’s a new requirement that engagement teams understand and fulfill their professional responsibilities, including an engagement partner’s overall responsibility for managing and achieving quality and being sufficiently and appropriately involved throughout an engagement.

Increasing partner involvement throughout the engagement has proven to enhance audit quality. Consider how your firm can improve its current supervision and review policies to be clear, concise, and actionable.

Resources

The resources component in a firm’s system of quality management now includes requirements related to technological and intellectual resources, in addition to enhanced human resources requirements. Technological resources are essentially IT applications the firm uses to support the system of quality management and engagement performance. Depending on the complexity of the firm, the processes could be relatively simple and focus on authorizing access and processing updates to the IT application. In more complex firms, the processes could cover multiple IT resources and programming considerations. Intellectual resources include a firm’s methodologies, accounting guides, and written policies or procedures.

Here are some questions to assess whether the firm meets the resources objectives:

  • How does your firm evaluate personnel performance? Does it include recognition for positive actions or behaviors?
  • Does your firm require the use of certain software applications in performing engagements? How does your firm archive engagement files?
  • How does your firm train personnel in the use of intellectual or technological resources?
  • Does your firm have policies and procedures for organizing engagement files (e.g., a numbering convention)?
  • Does your firm use a service provider to support the applications?

Information and Communication

The information and communication component is new under the quality management standards, but your firm likely has communication procedures in place. You may also find you have policies and procedures in other components that could be responsive to risks in this component. For example, as part of relevant ethical requirements, your firm should have a policy or procedure describing how your firm’s system of quality management is documented and communicated throughout the firm.

To develop quality risks and responses related to information and communication, consider the following questions:

  • How is information shared within the firm?
  • If your firm has a website, who is responsible for the information conveyed and how frequently is it updated?
  • How does your firm communicate information to engagement teams, so they understand and perform the engagement in compliance with applicable professional standards?
  • How does your firm track required external communications?
  • If you use resources from service providers, how do you communicate each other’s responsibilities? For example, how often does your firm receive updated quality control materials?

The Monitoring and Remediation Process

The operation of the responses and monitoring activities is required to be implemented by Dec. 15, 2025. Firms then have another year to perform the evaluation of the system of quality management.

There is expanded and enhanced guidance throughout this component. Key changes include a focus on monitoring the entire system of quality management, a new framework for evaluating findings, identifying deficiencies and evaluating identified deficiencies, and more robust remediation.

Monitoring activities for the monitoring and remediation process may differ in firms of different complexity. For example, a sole practitioner’s monitoring activities may be simpler because the practitioner interacts with the system of quality management frequently and information may be more readily available.

Tip: A new requirement in SQMS No. 1 is for a firm leader to evaluate, at least annually, whether the system of quality management provides reasonable assurance that the objectives of the system of quality management are being met. The effective date for this evaluation is within one year of Dec. 15, 2025.

Firm leadership is required to make this evaluation even in a peer review year. It is comparable to management’s assertion about its system of internal control over financial reporting (ICFR), which remains management’s responsibility regardless of whether an audit of an entity’s system of ICFR is performed.

Resources to Help You

If your firm hasn’t started the transition from a system of quality control to a system of quality management, you’re late to the game, but you still can finish on time. Implementation of the new QM standards is required by Dec. 15, 2025, which is around the corner. (See the “How to Keep Implementation of the Quality Management Standards on Track” section.)

Resources and information to support quality management implementation are available at aicpa-cima.com/auditqm. Among other content, you’ll find:

  • A free interactive practice aid with an accompanying Example Risk Assessment template tool to help you implement SQMS No. 1 (AICPA membership is needed to unlock this content)
  • A document mapping the current system of quality control (SQCS No. 8) to the new system of quality management (SQMS No. 1)
  • Quality management standards and related guidance
  • A to-do checklist for firms

How to Keep Implementation of the Quality Management Standards on Track

Every firm that performs engagements in accordance with the Statements on Auditing Standards (SASs), Statements on Standards for Accounting and Review Services (SSARSs), and Statements on Standards for Attestation Engagements (SSAEs) should have some understanding of the new quality management standards. To keep implementation on track:

  • Prioritize your firm’s efforts.
  • Schedule time to read the standards.
  • Add a recurring meeting to your calendar and invite others in your firm to participate.
  • Consider attending webinars or perusing industry publications to learn from other firms and hear different perspectives on how firms are implementing the new requirements.
  • Engage in conversations internally and externally.

Overview of the New Standards

The new standards will apply to all firms that conduct any audits, attest examinations, financial statement or attest reviews, compilations, or agreed-upon-procedures engagements. Here’s a rundown of the new standards with a brief description of each:

  • Statement on Quality Management Standards (SQMS) No. 1A Firm’s System of Quality Management, introduces a new risk-based assessment process and requires firms to design, implement, and operate a system of quality management customized to their practice and engagements. This includes establishing quality objectives, assessing the specific risks to quality, and designing and implementing responses to address those risks. In addition, firm leadership is required to evaluate annually whether the firm’s system of quality management is meeting its objectives. The approach calls for continuous improvement and ongoing remediation over time. SQMS No. 1 supersedes Statement on Quality Control Standards No. 8, A Firm’s System of Quality Control.
  • SQMS No. 2Engagement Quality Reviews, applies when a firm decides that an engagement quality (EQ) review is an applicable response to address its engagement performance quality management objective. This new standard addresses the appointment and eligibility of the EQ reviewer (whether inside or outside of the firm) and performance of the EQ reviews.
  • SQMS No. 3Amendments to QM Sections 10, A Firm’s System of Quality Management, and 20, Engagement Quality Reviews:
    • Amends QM sections 10 and 20 to conform certain terms to language used in SAS No. 149, Special Considerations — Audits of Group Financial Statements (Including the Work of Component Auditors and Audits of Referred-to Auditors).
    • Provides guidance on differentiating between a resource and an information source.
    • SQMS No. 3 is effective concurrently with the effective dates provided in QM sections 10 and 20.
  • Statement on Auditing Standards (SAS) No. 146Quality Management for an Engagement Conducted in Accordance With Generally Accepted Auditing Standards, focuses on quality management for audits at the engagement level, including the engagement partner’s responsibility for managing engagements to achieve quality, and the importance of quality to all members of the engagement team.
  • Statement on Standards for Accounting and Review Services (SSARS) No. 26Quality Management for an Engagement Conducted in Accordance With Statements on Standards for Accounting and Review Services, amends the SSARSs to conform with SQMS Nos. 1 and 2.
  • Statement on Standards for Attestation Engagements (SSAE) No. 23, Amendments to the Attestation Standards for Consistency With the Issuance of AICPA Standards on Quality Management, amends the SSAEs to conform with SQMS Nos. 1 and 2.

Other significant changes include two new components of systems of quality management (the risk assessment process and the information and communication component), more robust requirements for leadership and governance, enhanced monitoring and remediation processes, and new requirements for networks and service providers.

Learning Resources

This article is updated and adapted from an article in the Journal of Accountancy, November 2023, published by AICPA & CIMA, together as the Association of International Certified Public Accountants.