Understand Engagement Quality Reviews and Monitoring and Remediation

By Charles Hall | Auditing

Oct 19

The new quality management standards include (1) engagement quality reviews and (2) monitoring and remediation. So what are these, and how will they impact CPA firms? Will they require changes in how you operate? Will you need additional personnel? Can firms review their own work, or will you need external help?

In this post, I explain how engagement quality reviews (EQR) and monitoring are different and how they complement each other. We also look at the objectivity requirements for monitoring (which can be tricky, especially for small firms). 

SQMS No. 1, A Firm’s System of Quality Management, requires firms to create a monitoring and remediation process. That standard also requires an Engagement Quality Review for higher-risk engagements (as defined by the firm). SQMS No. 2, Engagement Quality Reviews, provides information about the reviewers’ appointments and responsibilities. 

So, how do EQRs relate to monitoring and remediation? 

To answer this question, let’s first look at a summary of these two functions. 

1. Engagement Quality Reviews

EQRs are at the engagement level. For example, a designated reviewer will review a completed audit file for compliance with standards and an appropriate audit report. The purpose of an EQR is to provide an objective evaluation of significant judgments and conclusions. The EQR will, if done appropriately, reduce the risk of noncompliance with professional standards and the risk of issuing improper reports. It is not, however, an evaluation of the entire engagement. 

Firms perform EQRs for selected (usually high-risk) engagements. SQMS No. 2 requires EQRs for two types of engagements:

  1. When laws or regulations require an EQR for an audit or other engagement (which is rare)
  2. When a firm determines that an EQR is an appropriate response to one or more quality risks (which is common)

The second engagement type is one most firms will encounter, especially if it audits more complex entities such as banks. Why? Because such entities have estimates with a high degree of estimation uncertainty, making it higher risk. Additionally, an entity with significant going concern uncertainties will usually need an EQR, another example of a higher risk engagement.

Next, we’ll look at EQR criteria. 

EQR Criteria

Firms must create EQR policies and procedures defining the engagements requiring such reviews. The firm’s EQR criteria (see SQMS No. 1, A145) might include the following:

  • Types of engagements (e.g., audits)
  • Types of reports (e.g., Single Audits)
  • Types of entities (e.g., employee benefit plans)
  • Engagements with a high level of complexity or judgment (e.g., banks)
  • Engagements with recurring internal or external inspection findings
  • Engagements involving regulatory filing information 
  • Entities in emerging industries (e.g., artificial intelligence)
  • Entities for which the firm has no prior experience
  • Entities with public accountability characteristics (e.g., benefit plans)
  • Governmental entities, if large or complex

So, consider these criteria as you define which engagements will require an EQR. Create a firm policy for this purpose. 

Now, let’s consider the monitoring and remediation requirements.

2. Monitoring and Remediation

Firms perform a monitoring and remediation process, a component of the engagement quality control system. Another component is the risk assessment process. The QM system also includes the following six components:

  • Governance and leadership
  • Relevant ethical requirements
  • Engagement performance
  • Acceptance and continuance
  • Information and communication
  • Resources  

As we saw in my previous QM post, firms create quality objectives, quality risks, and responses for these six components (as a part of their risk assessment process). Once those are in place, firms must monitor them–and remediate deficiencies when noted. 

Monitoring activities may include in-process engagements and should include the inspection of completed engagements. These reviews may include engagements not subject to an EQR, such as those with lower risk (e.g., a client with no estimates or complex accounting). 

In-Process Reviews (Optional)

So, why might a firm review a lower-risk job while it’s in process as a part of monitoring? To see if the QM system is working. For instance, the reviewer might look at risk assessment documentation if the previous inspection revealed problems in this area. Additionally, the firm may want to look at a particular engagement partner’s work if that person had prior deficiencies. 

Completed Engagement Reviews (Required)

Firms should also perform inspections of completed engagements. The firm should review at least one completed engagement for each engagement partner on a cyclical basis (e.g., once every three years). 

Remediation

If a firm notes deficiencies, it will remediate the issues by planning and performing corrective steps. For example, suppose Single Audit engagements reviewed in monitoring did not have appropriate major program determination documentation. In that case, the firm might require that a designated reviewer look at this part of each future Single Audit file. The purpose of the step is to cure the deficiency. 

So, what’s the difference between EQRs and monitoring?

Differences in EQRs and Monitoring 

Engagement risk triggers an EQR, but monitoring has a broader perspective, one focused on the QM system as a whole. 

Engagement Reviews

So, EQRs occur based on the firm’s policies and procedures that define higher-risk jobs. If a firm has only three audits that meet the firm’s EQR criteria (as we previously discussed), then only those are subject to an EQR. 

But even if a firm has no EQR engagements (which would be unusual), it still needs to monitor its QM system. And that may entail reviews of in-process jobs. 

Other Components Monitoring

Additionally, monitoring includes reviews of the QM responses to the six components listed above. (Remember, the firm establishes quality objectives, quality risks, and responses for each of the components.) 

For example, a firm could test its hiring practices for the resource component’s response to a related quality risk. Or a firm might see if peer review findings are being communicated to relevant firm members as a test of the information and communication component. Notice these monitoring examples do not focus on a particular engagement (as an EQR does). 

EQR Findings Affect Monitoring and Remediation

Firms should communicate EQR findings, if any, to firm members. Such findings might lead to remedial action. For example, if the EQRs discover a need for more documentation related to estimates, the firm might require a second partner review of specific estimates (e.g., a bank’s allowance for loan losses). Then, the firm might monitor the response to see if the second review takes place. 

Next, we will discuss the importance of objectivity. 

Maintaining Objectivity

Reviewers need to be objective, whether in an engagement quality review or when monitoring. 

SQMS No. 1 (paragraph 40) requires firms to create policies and procedures that address the objectivity of individuals performing monitoring activities. Objectivity is enhanced when someone monitoring does not review their prior work (such as (1) serving as a member of the engagement team or (2) as an engagement quality reviewer). 

Self Review Threat

A self-review threat exists if a monitoring person reviews their previous work. For example, if the quality management director serves as the EQR person in the audit of ABC Company and then checks that job in the monitoring process, she examines her own work. Such a situation can adversely affect her objectivity. It would be better for another person (someone not a part of the ABC Company audit engagement team or who did not serve as the engagement quality reviewer) to look at that engagement during monitoring. 

EQR in Stages

So, can the person performing the EQR do so at different engagement stages (e.g., beginning, middle, end) or only after the file is complete? You can do either. Consider doing that which lessens your risk the most. 

If the EQR person reviews the engagement at stages (e.g., beginning, middle, end), can they be objective? Yes, as long as they don’t make engagement decisions. For example, they can review and sign off on planning but can’t tell the engagement team how to plan the job. In another example, the EQR person can review risk assessment, but they can’t make those decisions.

Firms are not required to perform EQRs in stages, but they can. Alternatively, the firm might decide to do the EQRs once the engagement is finished. 

Safeguards

SQMS No. 1 states it does not preclude self-inspection. Nevertheless, it says self-review leads to a higher risk that noncompliance with policies and procedures may occur. It is best to remove self-inspection, but if this is not possible, the firm may provide safeguards (actions to reduce the self-review threat) such as the following:

  • Promote continuing professional education and provide training programs to ensure that personnel are current in accounting, auditing, and QM standards
  • Require the use of peer review or other inspection checklists in the monitoring work
  • Provide training about proper monitoring procedures
  • Perform the self-inspection after some time has passed since the completion of the engagement

Responses to Quality Risks

Additionally, the firm’s responses to certain quality risks (as developed in the risk assessment process) may be helpful, such as the following:

  • Develop strong client acceptance and continuance policies that require the firm to have the competence and time to perform the engagement
  • Create a consultation policy that requires the engagement team to consult with another person (e.g., external or internal CPA) when they encounter difficult accounting and auditing issues
  • Take corrective action to cure issues noted in internal monitoring, EQRs, peer review, or other outside reviews (e.g., DOL inspection)
  • Require the use of an outside service provider to perform EQRs when deficiencies were previously noted (e.g., in peer review) or the firm or its environment changes (e.g., the firm starts auditing a client in a new industry)
YouTube player

Summary

So, engagement characteristics trigger EQRs, and firms need to perform monitoring and remediation, regardless of the EQRs. Furthermore, firms perform EQRs at the engagement level, but monitoring and remediation focuses on the QM system as a whole. 

As you prepare for the new QM standards, consider if you have the personnel to perform the EQRs and monitoring. You may need to hire new staff or contract with external CPAs. 

Finally, if there are objectivity threats from self-review, your firm may need safeguards such as using a peer review checklist in performing a cold engagement review. Strong quality risk responses are also helpful.

Follow

About the Author

Charles Hall is a practicing CPA and Certified Fraud Examiner. For the last thirty-five years, he has primarily audited governments, nonprofits, and small businesses. He is the author of The Little Book of Local Government Fraud Prevention, The Why and How of Auditing, Audit Risk Assessment Made Easy, and Preparation of Financial Statements & Compilation Engagements. He frequently speaks at continuing education events. Charles consults with other CPA firms, assisting them with auditing and accounting issues.

>
Tweet
Share
Share
Email
Pocket