Should an auditor perform extended audit procedures when there is no segregation of duties? Or are basic procedures sufficient?

No Segregation of Duties

A few months ago, I was talking to a CPA about audit procedures where a client had only one person performing accounting duties. In other words, there was no segregation of duties, and no one reviewed the activity.

Regarding cash, the CPA said basic procedures would be sufficient. In other words, test the bank reconciliation and tie the book balance back to the trial balance, and you’re done.

I said, “What if the bookkeeper stole $100,000 before it was deposited? Would a test of the bank reconciliation detect the theft?” But he insisted that basic procedures were appropriate. Why? Because the entity was small.

The size of the entity does not matter. The risks do.

Extended Procedures

When segregation of duties is lacking, especially if severe (e.g., one person does everything), extended procedures such as fraud detection steps are warranted. In the example above, the auditor should test receipts and disbursements.

Balance sheet audit steps (like testing a bank reconciliation) will usually not detect theft of funds. Cash, receivables, and payables can still reconcile to the trial balance--but the stolen funds are gone.

Responsibility for Fraud Detection

Through the years, I've heard CPAs say, "I'm not responsible for fraud." They incorrectly believe they don't have to look for fraud. 

That idea died in 2002 with the issuance of SAS 99, Consideration of Fraud in a Financial Statement audit. Yes, it's been a while. The auditor is responsible for the detection of material fraud. 

So, the auditor should plan to detect fraud if risk assessment calls for it. In the above situation, where there is no segregation of duties, the walkthroughs of cash receipts and disbursements would reveal high risks of material misstatement. 

Additionally, if the entity receives a significant amount of cash (currency, not checks), the risk is even higher. 

And how many ways can theft occur through disbursements? There are many. 

Let's consider revenue and expense cycle tests that you might use when segregation of duties is lacking. 

Extended Procedures - Revenue Cycle

So, how does an auditor know what extended procedures might be appropriate?

First, review the revenue cycle processes and controls with a walkthrough. Consider the related risks of material misstatement, and plan your tests.  

Nonprofit Example

For example, if you are auditing a nonprofit that receives contributions through the mail, review the processes and controls. Here are example questions:

• Who opens the mail?
• Is a second person present when the mail is opened?
• Is a list of daily receipts created and signed by the two persons opening the mail?
• Does a video camera record those opening the mail? 
• Are daily deposits reconciled to the daily cash receipts log?
• Are contributions tracked in a contributions software package? If yes, does someone other than those who opened the mail enter the amounts received?
• Do persons opening the mail (those with access to checks) reconcile the related bank account?
• Are daily deposits made?
• Who takes the daily cash receipts to the bank for deposit?
• Are acknowledgment letters mailed to contributors? Are those reconciled to the daily receipts log and contributions software by someone who did not initially open the mail?

I could go on, but these are the types of questions to ask before deciding whether extended audit procedures are required and, if they are, what those might be. 

What extended audit procedures might the auditor perform in this situation?

Extended Revenue Procedures

Testing in the nonprofit environment described above is challenging, especially if currency is received in the mail. Even so, here are some extended procedures that one might perform:

1. On a sample basis, reconcile the daily receipts log to the contributions software entries.
2. On a sample basis, reconcile the daily receipts log to the daily deposits. Agree the bank deposit receipt to the total daily bank deposit.
3. On a sample basis, compare the daily receipts log to the donor acknowledgment letter (you may need to review the contribution software entries if multiple payments are received). 

You could perform other tests, but these provide you with some examples for this entity.

For companies that bill and receive payment, it's easier to design revenue cycle tests--and those tests will be different than the nonprofit examples. You can, for example, compare amounts billed with collections and review receivable write-offs for appropriateness.

But what about expense tests?

Extended Procedures - Expense Cycle 

There are many ways to steal funds through the expense cycle, so I will provide a few examples. Again, understand the processes and controls walkthrough. Assess your risk and create your responses. 

Here are example questions for a nonprofit:

• Who can add vendors to the payables software?
• Are new vendors reviewed for existence (to ensure the entity exists)? Who performs this review and how?
• Who can authorize a payment, and how?
• Who can sign checks or disburse funds in other ways (e.g., electronic payment)?
• Who enters invoices in the payables software?
• Who has logical access (as provided by I.T.) to the payables module?
• Who reconciles the bank account used for vendor payments?
• Is a budget-to-actual report provided to management?

Again, these are example questions. There are many more that you can ask. 

Extended Expense Procedures

Once you understand the payables process, consider where fraud might occur. For example, if someone can sign checks, add vendors, and enter invoice amounts, theft could happen. Then you might perform extended audit procedures such as the following:

1. On a sample basis, review cleared checks for appropriateness by inspecting the payees and comparing those to the descriptions in the general ledger
2. On a sample basis, compare cleared checks to invoices
3. Review new vendors with someone outside of the payables department who is familiar with vendors used by the company

As you can see, context (the processes and controls) aids in designing the control tests.

Summary  

Test revenue and expense cycles when there is a lack of segregation of duties. You'll know if the accounting system has this control weakness from your walkthroughs of the revenue and expense cycles. Once you understand those dynamics, you can assess the risks of material misstatement and plan your extended audit procedures, such as those listed above. 

When is a gift a bribe?

Vendors often give sporting event tickets to clients. Or maybe they take them out for a nice dinner. Others might pay for a trip to Vegas.

So, at what point does a gift become a bribe? A friend of mine recently asked me this question. He said, "I give football tickets to clients. Is that a bribe?" I responded, "Maybe not, but if you give them season-long tickets, probably yes." (Such tickets cost several thousand dollars.) My friend followed with, "What if I go to every game with them?" My answer was, "That makes no difference." And doing so could be worse.

Cozy Vendor Relationships

20% of the 2022 fraud cases in the ACFE's recent study revealed "unusually close association with a vendor" as a red flag.

I've lost count of the fraud cases involving close vendor-client relationships. For example, the vendor and client might take annual family vacations together (think Aspen ski trip), with the former footing the bill.

I once spoke at a conference with vendors in the audience. One of them asked, "What can vendors give?" I responded, "I can't give you a list, but I would never give cash." He wanted a list of acceptable gifts. So, here's one: planes, trains, and automobiles. Yes, I'm trying to be funny, though I know of one vacation home gifted to a CEO. Why? So, a construction company could win a bid.

Some presents (like a vacation home) are obviously a bribe, but lower-cost ones are more difficult to define.

Gray Gift Decisions

You may wonder, "How can I know when a gift is okay?" There's no easy answer to this question. But consider these scenarios. A vendor offers one of the following to you:

-A sleeve of golf balls
-Takes you to play golf
-Pays for you to attend a PGA tournament at Pebble Beach and all expenses for a week-long trip (including your spouse and children)
-Pays your annual dues at your local country club (cost is $25,000 annually)

I'll take the sleeve of balls and play golf, but I'm uncomfortable with the other two.

Front Page Litmus Test

When there is a gray ethical decision, I always say, "Put it on the front page of the paper and see how you feel." If you're comfortable with it, you're probably okay. If not, then don't do it. Another step you might take is to ask an honest friend what they think, someone who has no vested interest. (If you're unwilling to ask your friend the question, your conscience is probably telling you, "This is not okay.")

Most vendors want to give gifts without crossing the line (they want to avoid going to jail). But the line is not usually defined, and naming particulars can be futile. After all, how many things could be on such a list? So, creating a list of proper (or improper) gifts may not work.

So, how do we know if a gift is a bribe?

Quid Pro Quo

In the context of bribery, the concept of "quid pro quo" plays a significant role. This Latin phrase means a direct exchange, where something is given with the expectation of receiving something in return. To determine if a gift can be considered a bribe, one key question is: Was the gift given with the expectation of receiving something in return?

It's easier to argue that a gift is not a bribe if it's small or of low value. In such cases, it may appear more like a token of appreciation than an inducement for a particular action. However, when a vendor gives an expensive gift, it becomes much more challenging to assert that there's no expectation of something in return. Expensive gifts raise red flags and make it more likely that the present is, in fact, a bribe.

So, your company should create a gift policy, defining what is acceptable and unacceptable.

Gift Policies

Gift policies should limit amounts to a specific dollar amount, such as $100 annually. As I said earlier, cash (at least, in my mind) is never an acceptable gift.

The gift policy might provide examples of proper activity with a vendor, such as playing golf together once or twice a year. It might also provide examples of improper actions, such as going on vacations with vendors.

You could list unacceptable gifts, but this is challenging. I would instead define inappropriate gifts in terms of dollars. Doing so is a blanket covering all types of activity.

Moreover, consider including actions the company might take if the employee violates the policy. You may want to say that violations could lead to the loss of their job. But, consult with your legal advisors about the written policy.

And remember to communicate the policy.

Communicate the Gift Policy

Give your written gift policy to new employees, and discuss the importance of transparency regarding vendor gifts. Additionally, remind existing employees of the policy. You might do so in annual training classes.

So, should companies require written disclosure of gifts received?

Gift Disclosure Forms

Companies might also require a signed disclosure form once a year where employees provide details of what they receive from vendors. (Here’s a sample disclosure form.) Additionally, provide such disclosures to your compliance department if you have one. If not, consider giving these to the company owner.

And who might you require to complete such a disclosure form? Anyone with the power to purchase, whether a person issuing a purchase order, a department head authorizing payments, or someone signing checks--anyone able to pay a vendor (or cause a vendor to be paid).

Again, consult with your legal advisors about your disclosure form and processes.

So, is bribery a significant threat to most businesses?

Bribery is Real

ACFE fraud surveys continue to reveal that bribery is one of the leading causes of fraud. 50% of the ACFE's 2022 fraud cases involved corruption (bribery is a form of corruption). Why is this so?

Because it's easy for employees to receive illegal payments (or gifts) without anyone's knowledge, but make no mistake: This activity adversely affects the employer. How? The vendors usually pass the bribe cost to the company through inflated prices or substandard goods. Strangely enough, the vendor often sees a bribe as a cost of doing business, albeit an illegal one.

The new quality management standards include (1) engagement quality reviews and (2) monitoring and remediation. So what are these, and how will they impact CPA firms? Will they require changes in how you operate? Will you need additional personnel? Can firms review their own work, or will you need external help?

In this post, I explain how engagement quality reviews (EQR) and monitoring are different and how they complement each other. We also look at the objectivity requirements for monitoring (which can be tricky, especially for small firms). 

SQMS No. 1, A Firm's System of Quality Management, requires firms to create a monitoring and remediation process. That standard also requires an Engagement Quality Review for higher-risk engagements (as defined by the firm). SQMS No. 2, Engagement Quality Reviews, provides information about the reviewers' appointments and responsibilities. 

So, how do EQRs relate to monitoring and remediation? 

To answer this question, let's first look at a summary of these two functions. 

1. Engagement Quality Reviews

EQRs are at the engagement level. For example, a designated reviewer will review a completed audit file for compliance with standards and an appropriate audit report. The purpose of an EQR is to provide an objective evaluation of significant judgments and conclusions. The EQR will, if done appropriately, reduce the risk of noncompliance with professional standards and the risk of issuing improper reports. It is not, however, an evaluation of the entire engagement. 

Firms perform EQRs for selected (usually high-risk) engagements. SQMS No. 2 requires EQRs for two types of engagements:

1. When laws or regulations require an EQR for an audit or other engagement (which is rare)
2. When a firm determines that an EQR is an appropriate response to one or more quality risks (which is common)

The second engagement type is one most firms will encounter, especially if it audits more complex entities such as banks. Why? Because such entities have estimates with a high degree of estimation uncertainty, making it higher risk. Additionally, an entity with significant going concern uncertainties will usually need an EQR, another example of a higher risk engagement.

Next, we’ll look at EQR criteria. 

EQR Criteria

Firms must create EQR policies and procedures defining the engagements requiring such reviews. The firm's EQR criteria (see SQMS No. 1, A145) might include the following:

• Types of engagements (e.g., audits)
• Types of reports (e.g., Single Audits)
• Types of entities (e.g., employee benefit plans)
• Engagements with a high level of complexity or judgment (e.g., banks)
• Engagements with recurring internal or external inspection findings
• Engagements involving regulatory filing information 
• Entities in emerging industries (e.g., artificial intelligence)
• Entities for which the firm has no prior experience
• Entities with public accountability characteristics (e.g., benefit plans)
• Governmental entities, if large or complex

So, consider these criteria as you define which engagements will require an EQR. Create a firm policy for this purpose. 

Now, let's consider the monitoring and remediation requirements.

2. Monitoring and Remediation

Firms perform a monitoring and remediation process, a component of the engagement quality control system. Another component is the risk assessment process. The QM system also includes the following six components:

• Governance and leadership
• Relevant ethical requirements
• Engagement performance
• Acceptance and continuance
• Information and communication
• Resources  

As we saw in my previous QM post, firms create quality objectives, quality risks, and responses for these six components (as a part of their risk assessment process). Once those are in place, firms must monitor them--and remediate deficiencies when noted. 

Monitoring activities may include in-process engagements and should include the inspection of completed engagements. These reviews may include engagements not subject to an EQR, such as those with lower risk (e.g., a client with no estimates or complex accounting). 

In-Process Reviews (Optional)

So, why might a firm review a lower-risk job while it's in process as a part of monitoring? To see if the QM system is working. For instance, the reviewer might look at risk assessment documentation if the previous inspection revealed problems in this area. Additionally, the firm may want to look at a particular engagement partner's work if that person had prior deficiencies. 

Completed Engagement Reviews (Required)

Firms should also perform inspections of completed engagements. The firm should review at least one completed engagement for each engagement partner on a cyclical basis (e.g., once every three years). 

Remediation

If a firm notes deficiencies, it will remediate the issues by planning and performing corrective steps. For example, suppose Single Audit engagements reviewed in monitoring did not have appropriate major program determination documentation. In that case, the firm might require that a designated reviewer look at this part of each future Single Audit file. The purpose of the step is to cure the deficiency. 

So, what's the difference between EQRs and monitoring?

Differences in EQRs and Monitoring 

Engagement risk triggers an EQR, but monitoring has a broader perspective, one focused on the QM system as a whole. 

Engagement Reviews

So, EQRs occur based on the firm's policies and procedures that define higher-risk jobs. If a firm has only three audits that meet the firm's EQR criteria (as we previously discussed), then only those are subject to an EQR. 

But even if a firm has no EQR engagements (which would be unusual), it still needs to monitor its QM system. And that may entail reviews of in-process jobs. 

Other Components Monitoring

Additionally, monitoring includes reviews of the QM responses to the six components listed above. (Remember, the firm establishes quality objectives, quality risks, and responses for each of the components.) 

For example, a firm could test its hiring practices for the resource component's response to a related quality risk. Or a firm might see if peer review findings are being communicated to relevant firm members as a test of the information and communication component. Notice these monitoring examples do not focus on a particular engagement (as an EQR does). 

EQR Findings Affect Monitoring and Remediation

Firms should communicate EQR findings, if any, to firm members. Such findings might lead to remedial action. For example, if the EQRs discover a need for more documentation related to estimates, the firm might require a second partner review of specific estimates (e.g., a bank's allowance for loan losses). Then, the firm might monitor the response to see if the second review takes place. 

Next, we will discuss the importance of objectivity. 

Maintaining Objectivity

Reviewers need to be objective, whether in an engagement quality review or when monitoring. 

SQMS No. 1 (paragraph 40) requires firms to create policies and procedures that address the objectivity of individuals performing monitoring activities. Objectivity is enhanced when someone monitoring does not review their prior work (such as (1) serving as a member of the engagement team or (2) as an engagement quality reviewer). 

Self Review Threat

A self-review threat exists if a monitoring person reviews their previous work. For example, if the quality management director serves as the EQR person in the audit of ABC Company and then checks that job in the monitoring process, she examines her own work. Such a situation can adversely affect her objectivity. It would be better for another person (someone not a part of the ABC Company audit engagement team or who did not serve as the engagement quality reviewer) to look at that engagement during monitoring. 

EQR in Stages

So, can the person performing the EQR do so at different engagement stages (e.g., beginning, middle, end) or only after the file is complete? You can do either. Consider doing that which lessens your risk the most. 

If the EQR person reviews the engagement at stages (e.g., beginning, middle, end), can they be objective? Yes, as long as they don't make engagement decisions. For example, they can review and sign off on planning but can't tell the engagement team how to plan the job. In another example, the EQR person can review risk assessment, but they can't make those decisions.

Firms are not required to perform EQRs in stages, but they can. Alternatively, the firm might decide to do the EQRs once the engagement is finished. 

Safeguards

SQMS No. 1 states it does not preclude self-inspection. Nevertheless, it says self-review leads to a higher risk that noncompliance with policies and procedures may occur. It is best to remove self-inspection, but if this is not possible, the firm may provide safeguards (actions to reduce the self-review threat) such as the following:

• Promote continuing professional education and provide training programs to ensure that personnel are current in accounting, auditing, and QM standards
• Require the use of peer review or other inspection checklists in the monitoring work
• Provide training about proper monitoring procedures
• Perform the self-inspection after some time has passed since the completion of the engagement

Responses to Quality Risks

Additionally, the firm's responses to certain quality risks (as developed in the risk assessment process) may be helpful, such as the following:

• Develop strong client acceptance and continuance policies that require the firm to have the competence and time to perform the engagement
• Create a consultation policy that requires the engagement team to consult with another person (e.g., external or internal CPA) when they encounter difficult accounting and auditing issues
• Take corrective action to cure issues noted in internal monitoring, EQRs, peer review, or other outside reviews (e.g., DOL inspection)
• Require the use of an outside service provider to perform EQRs when deficiencies were previously noted (e.g., in peer review) or the firm or its environment changes (e.g., the firm starts auditing a client in a new industry)

Summary

So, engagement characteristics trigger EQRs, and firms need to perform monitoring and remediation, regardless of the EQRs. Furthermore, firms perform EQRs at the engagement level, but monitoring and remediation focuses on the QM system as a whole. 

As you prepare for the new QM standards, consider if you have the personnel to perform the EQRs and monitoring. You may need to hire new staff or contract with external CPAs. 

Finally, if there are objectivity threats from self-review, your firm may need safeguards such as using a peer review checklist in performing a cold engagement review. Strong quality risk responses are also helpful.

All firms performing any engagement in an accounting and auditing practice must comply with the new Quality Management (QM) standards, including SQMS No. 1 and SQMS No. 2.

Your quality management system must be designed and implemented by December 15, 2025.

Then, after your new QM process is in place for one year, your managing partner (or other persons with ultimate QM system responsibility) will conclude whether the QM system provides reasonable assurance that objectives are being achieved.

Start your work on this implementation as soon as you can, especially if you perform more complex engagements such as audits and attestations. 

In this article, I explain why quality management is essential, and then I summarize SQMS No. 1 (the firm’s system of QM) and SQMS No. 2 (engagement quality reviews).

I also provide this video (an interview with Jennifer O'Neal) that provides an overview of the QM standards and information about how to get started. 

Why Quality Management?

The purpose of the QM Standards, issued by the American Institute of Certified Public Accountants (AICPA), is to assist accountants with compliance (with professional standards). The QM standards assist with the following:

1. Compliance with professional standards and
2. Issuance of appropriate engagement reports

And when firms comply with professional standards and issue correct reports, their peer review results should be good. 

An unstated benefit of the QM standards is risk management (avoiding loss through legal suits). These standards (when used appropriately) lessen the probability that a firm will be sued for deficient work. How? By helping firms identify QM system and engagement deficiencies. Thereafter, firms can create responses to improve their work.

My main point here is the QM standards help protect your accounting firm, lessening the potential for future harm (whether from peer review failures or legal loss).

QM Standards

The QM standards are made up of the following:

This article addresses SQMS No. 1 and SQMS No. 2.

SQMS No. 1 - The Firm’s System of QM

SQMS No. 1 addresses how a firm’s system of quality management operates and specifies eight components:

1. Risk assessment process
2. Governance and leadership
3. Relevant ethical requirements
4. Acceptance and continuance
5. Engagement performance
6. Resources
7. Information and communication
8. Monitoring and remediation process

(1) Risk assessment and (2) information and communication are new components; they were not included in the prior quality control standards. 

Risk assessment, as well as monitoring and remediation, are processes. So, you will not establish quality objectives, quality risks, and responses for these. 

Risk Assessment: Most Significant Change

The risk assessment component is the most significant change. Firms are required to do the following for the six components listed below:

1. Establish quality objectives
2. Identify and assess risks to achieving the quality objectives and
3. Design and implement responses to address the quality risks

Here’s an example:

1. A quality objective might be that consultation occurs when there are complex or contentious matters.
2. The risk could be that firm personnel do not consult with persons in or outside the firm regarding complex or contentious issues.
3. The risk response could be, for example, that the engagement partner is responsible for consultations and documentation.

SQMS No. 1 requires that firms establish quality objectives, quality risks, and responses (the risk assessment process) for the following components:

1. Governance and leadership
2. Relevant ethical requirements
3. Acceptance and continuance
4. Engagement performance
5. Resources
6. Information and communication

Monitoring and Remediation

After that, the firm will establish a monitoring and remediation process. In doing so, firms will consider the reasons for quality risk assessments, the designed responses, changes in the QM system, the results of previous monitoring, and other relevant information such as peer review information.

Holistic QM System

The QM standards are a holistic approach to ensure (1) that firms comply with professional standards and (2) issue appropriate reports. Develop your objectives, risks, and responses in light of these objectives. The eight components should dovetail. In other words, they should work together.

Additionally, the QM system is organic (or at least, it should be). As changes occur in your firm’s accounting and auditing engagements or how it operates, you will reassess your overall system to see if it needs changing.

No longer will we create static quality control documents that sit on the shelf. Real-time changes make sense: your responses (actions to lessen risk) should change as your risks change.

Scalable QM System

The QM system is also scalable. For smaller firms with fewer risks, the QM documentation will be less than that of more complex CPA firms.

Think of a firm that does compilation engagements and nothing else; this firm’s chance of noncompliance with professional standards and issuing incorrect reports is generally less than that of a firm performing audits or attestation services. So, the smaller firm’s QM system will be simpler.

The QM system is like an accordion, expanding for more risk and compressing for less risk.

So, who is responsible for the QM system?

Persons Responsible for QM System

SQMS No. 1 states that your firm will assign ultimate responsibility and accountability to your managing partner, CEO, or managing board. This person or board will evaluate the QM system at a point in time (at least annually) and conclude whether the QM system provides reasonable assurance that objectives are being met.

The conclusion will include one of the following:

1. The QM system provides reasonable assurance that the system’s objectives are being achieved.
2. Except for matters related to identified deficiencies, the QM system provides reasonable assurance that the system’s objectives are being achieved.
3. The QM system does not provide reasonable assurance that the objectives of the QM system are being achieved.

If 2. or 3. is in play, the firm should take prompt and appropriate action and communicate to engagement teams and QM personnel as needed.

SQMS No. 1 also says that firms will assign operational responsibility for the QM system to someone such as a QM partner or director. The person with operational responsibility oversees:

• Compliance with independence standards
• Monitoring and remediation process

So, does this person have to perform all QM duties? No, the person with operational responsibility can delegate specific responsibilities to other firm members, such as independence monitoring. Even so, the person with operational responsibility is still responsible for the QM system operations (in this example, independence monitoring).

The standard creates accountability by defining who is responsible for what. In most firms, the managing partner has ultimate responsibility, and the quality control partner/director has operational responsibility. Also, SQMS No. 1 states that the firm should perform periodic performance evaluations of these persons.

QM System Documentation

The firm should document its QM system, including:

• Person(s) with ultimate responsibility
• Person(s) with operational responsibility
• Quality objectives
• Quality risks
• Responses
• How quality risks are addressed
• Monitoring activities
• Evaluation of findings
• Evaluation of identified deficiencies (and their root causes)
• Remedial actions
• Communications about monitoring and remediation
• Conclusions reached
• Basis for conclusion

This documentation should be retained long enough for the firm and its peer reviewer to monitor the QM system (and to meet any legal and regulatory requirements).

For higher-risk engagements, firms may need an engagement quality review.

Engagements Subject to Engagement Quality Reviews

SQMS No. 1 requires that firms establish policies and procedures that address engagement quality reviews in accordance with SQMS No. 2. Engagement quality reviews are required for the following:

• Audits or other engagements requiring an engagement quality review due to laws or regulations
• Audits or other engagements as a response to quality risks as defined by the firm

Not all engagements are subject to an engagement quality review. Riskier engagements (as defined by the firm; see SQMS No. 1 criteria) are more likely to be subject to an engagement quality review.

Next, we look at SQMS No. 2, Engagement Quality Reviews.

SQMS No. 2 - Engagement Quality Reviews

An engagement quality review (EQR) is an objective evaluation of the engagement team’s significant judgments and conclusions. It is not an evaluation of the entire engagement. The review is done at the engagement level, and an engagement quality reviewer performs the EQR before the engagement report is released.

So, who can be an engagement quality reviewer (EQ reviewer)? An engagement quality reviewer can be a:

• Partner
• Another individual in the firm, or
• Someone external to the firm

EQ Reviewer Requirements

The EQ reviewer should understand SQMS No. 2 and apply the requirements. The firm will also define the EQ reviewer qualifications in its policies and procedures, namely that this person must have the competence, capability, and time to perform the review and that the person will be objective.

EQR Policies and Procedures

EQR policies and procedures should address the following:

• Require the EQ reviewer to take overall responsibility for the EQR
• Require the EQ reviewer to take overall responsibility for the supervision of persons assisting with the EQR
• The EQ reviewer (and anyone assisting this person) can’t be a member of the audit team
• The EQ reviewer (and anyone assisting this person) must have sufficient competence, capabilities, and time to perform their duties
• The EQ reviewer (and anyone assisting this person) must comply with relevant ethical requirements and laws and regulations
• Circumstances in which the EQ reviewer’s discussion with the engagement team gives rise to an objectivity threat and actions to take when this happens
• Circumstances in which the EQ reviewer’s eligibility is impaired, including how a replacement reviewer will be chosen
• Performance of EQRs during the engagement
• A prohibition from releasing an engagement report until the EQ reviewer notifies the engagement partner that the EQR is complete

SQMS No. 2 also provides EQR performance requirements.

EQR Performance

The EQR performance should include the following:

• EQ reviewer talks with the engagement partner (and team, if needed) about significant matters and significant judgments
• EQ reviewer reviews communications regarding the nature and circumstances of the engagement and the entity
• EQ reviewer considers the firm’s monitoring and remediation process, including deficiencies relating to significant judgment areas
• EQ reviewer reviews significant judgment documentation, including the basis for the judgment, and determines:
• Whether the documents support the conclusion
• Whether the conclusions are appropriate
• EQ reviewer evaluates the basis for the engagement partner’s independence determination when applicable
• EQ reviewer should evaluate whether an appropriate consultation took place for difficult or contentious matters
• EQ reviewer should determine whether the engagement partner was sufficiently involved when the engagement is subject to generally accepted auditing standards (if not, the engagement partner may not have a sufficient basis for determining that significant judgments and conclusions are appropriate)
• EQ reviewer should review the financial statements and reports for audits and review engagements
• EQ reviewer should review the engagement report and the subject matter information (when applicable) for engagements other than audits and review engagements
• EQ reviewers should notify the engagement partner when they have concerns about significant judgments and conclusions
• EQ reviewer should notify the engagement partner when the engagement review is complete

SQMS No. 2 includes documentation requirements. Let’s see what those are.

EQR Documentation

The EQR documentation should include:

• Policies and procedures requiring the EQ reviewer to take responsibility
• Evidence of the EQ review in the engagement file
• Names of the EQ reviewers
• Identification of the engagement reviewed
• Whether the EQR complies with SQMS No. 2
• Evidence that the engagement is complete
• Notification that the reviewer has concerns about judgments and conclusions, if applicable
• Notification from the EQ reviewer to the engagement partner that the review is complete

EQR Findings

It’s a good idea—though not required by standards—to capture EQR findings in a summary document (e.g., Excel or a database). Then, the firm can use this information in planning and performing its monitoring duties. 

EQR is Scalable

The EQR is scalable depending on the engagement, entity’s nature, and circumstances. Again, less risk will result in less work and documentation than riskier engagements. Fewer significant judgments will likely mean fewer EQR procedures.

Given the EQ reviewer’s involvement, can the engagement partner’s work be reduced? The short answer is no. 

EQR’s Effect on Engagement Partner Responsibilities

The EQR does not change the engagement partner’s responsibilities. For example, an engagement partner should review judgment areas such as complex estimates even though the EQ reviewer does the same.

How EQRs Relate to Monitoring and Remediation

You may be wondering how EQRs relate to monitoring and remediation. For instance, can the person performing an EQR also perform the monitoring on the same engagement? Find in this related article. 

Conclusion

In conclusion, the QM standards are no small change. As you can see from the above, you have a great deal of work before you. This is especially true if you perform riskier audits and attestation engagements. So, start working on this transition as soon as possible. That way, you’ll have everything in place by December 15, 2025.

You have this many days left:

The most challenging part of this change is the risk assessment process. You need to document your quality objectives, quality risks, and responses for the six components (those that are not processes, i.e., risk assessment and monitoring) listed above.

Finally, consider whom you will assign the QM system operational responsibility. This person must have the competence, capability, and time to comply with the standards. You may need to hire someone to fill this role or contract with someone outside your firm.