AICPA Quality Management: Why You Need to Start Now

All firms performing any engagement in an accounting and auditing practice must comply with the new Quality Management (QM) standards, including SQMS No. 1 and SQMS No. 2.

Your quality management system must be designed and implemented by December 15, 2025.

Then, after your new QM process is in place for one year, your managing partner (or other persons with ultimate QM system responsibility) will conclude whether the QM system provides reasonable assurance that objectives are being achieved.

Start your work on this implementation as soon as you can, especially if you perform more complex engagements such as audits and attestations. 

In this article, I explain why quality management is essential, and then I summarize SQMS No. 1 (the firm’s system of QM) and SQMS No. 2 (engagement quality reviews).

I also provide this video (an interview with Jennifer O’Neal) that provides an overview of the QM standards and information about how to get started. 

Why Quality Management?

The purpose of the QM Standards, issued by the American Institute of Certified Public Accountants (AICPA), is to assist accountants with compliance (with professional standards). The QM standards assist with the following:

1. Compliance with professional standards and
2. Issuance of appropriate engagement reports

And when firms comply with professional standards and issue correct reports, their peer review results should be good. 

An unstated benefit of the QM standards is risk management (avoiding loss through legal suits). These standards (when used appropriately) lessen the probability that a firm will be sued for deficient work. How? By helping firms identify QM system and engagement deficiencies. Thereafter, firms can create responses to improve their work.

My main point here is the QM standards help protect your accounting firm, lessening the potential for future harm (whether from peer review failures or legal loss).

QM Standards

The QM standards are made up of the following:

This article addresses SQMS No. 1 and SQMS No. 2.

SQMS No. 1 – The Firm’s System of QM

SQMS No. 1 addresses how a firm’s system of quality management operates and specifies eight components:

1. Risk assessment process
2. Governance and leadership
3. Relevant ethical requirements
4. Acceptance and continuance
5. Engagement performance
6. Resources
7. Information and communication
8. Monitoring and remediation process

(1) Risk assessment and (2) information and communication are new components; they were not included in the prior quality control standards. 

Risk assessment, as well as monitoring and remediation, are processes. So, you will not establish quality objectives, quality risks, and responses for these. 

Risk Assessment: Most Significant Change

The risk assessment component is the most significant change. Firms are required to do the following for the six components listed below:

1. Establish quality objectives
2. Identify and assess risks to achieving the quality objectives and
3. Design and implement responses to address the quality risks

Here’s an example:

1. A quality objective might be that consultation occurs when there are complex or contentious matters.
2. The risk could be that firm personnel do not consult with persons in or outside the firm regarding complex or contentious issues.
3. The risk response could be, for example, that the engagement partner is responsible for consultations and documentation.

SQMS No. 1 requires that firms establish quality objectives, quality risks, and responses (the risk assessment process) for the following components:

1. Governance and leadership
2. Relevant ethical requirements
3. Acceptance and continuance
4. Engagement performance
5. Resources
6. Information and communication

Monitoring and Remediation

After establishing objectives, risks, and responses for these six components, the firm will create a monitoring and remediation process. In doing so, firms will consider the reasons for quality risk assessments, the designed responses, changes in the QM system, the results of previous monitoring, and other relevant information such as peer review information.

Holistic QM System

The QM standards are a holistic approach to ensure (1) that firms comply with professional standards and (2) issue appropriate reports. Develop your objectives, risks, and responses in light of these objectives. The eight components should dovetail. In other words, they should work together.

Additionally, the QM system is organic (or at least, it should be). As changes occur in your firm’s accounting and auditing engagements or how it operates, you will reassess your overall system to see if it needs changing.

No longer will we create static quality control documents that sit on the shelf. Real-time changes make sense: your responses (actions to lessen risk) should change as your risks change.

Scalable QM System

The QM system is also scalable. For smaller firms with fewer risks, the QM documentation will be less than that of more complex CPA firms.

Think of a firm that does compilation engagements and nothing else; this firm’s chance of noncompliance with professional standards and issuing incorrect reports is generally less than that of a firm performing audits or attestation services. So, the smaller firm’s QM system will be simpler.

The QM system is like an accordion, expanding for more risk and compressing for less risk.

So, who is responsible for the QM system?

Persons Responsible for QM System

SQMS No. 1 states that your firm will assign ultimate responsibility and accountability to your managing partner, CEO, or managing board. This person or board will evaluate the QM system at a point in time (at least annually) and conclude whether the QM system provides reasonable assurance that objectives are being met.

The conclusion will include one of the following:

1. The QM system provides reasonable assurance that the system’s objectives are being achieved.
2. Except for matters related to identified deficiencies, the QM system provides reasonable assurance that the system’s objectives are being achieved.
3. The QM system does not provide reasonable assurance that the objectives of the QM system are being achieved.

If 2. or 3. is in play, the firm should take prompt and appropriate action and communicate to engagement teams and QM personnel as needed.

SQMS No. 1 also says that firms will assign operational responsibility for the QM system to someone such as a QM partner or director. The person with operational responsibility oversees:

• Compliance with independence standards
• Monitoring and remediation process

So, does this person have to perform all QM duties? No, the person with operational responsibility can delegate specific responsibilities to other firm members, such as independence monitoring. Even so, the person with operational responsibility is still responsible for the QM system operations (in this example, independence monitoring).

The standard creates accountability by defining who is responsible for what. In most firms, the managing partner has ultimate responsibility, and the quality control partner/director has operational responsibility. Also, SQMS No. 1 states that the firm should perform periodic performance evaluations of these persons.

QM System Documentation

The firm should document its QM system, including:

• Person(s) with ultimate responsibility
• Person(s) with operational responsibility
• Quality objectives
• Quality risks
• Responses
• How quality risks are addressed
• Monitoring activities
• Evaluation of findings
• Evaluation of identified deficiencies (and their root causes)
• Remedial actions
• Communications about monitoring and remediation
• Conclusions reached
• Basis for conclusion

This documentation should be retained long enough for the firm and its peer reviewer to monitor the QM system (and to meet any legal and regulatory requirements).

For higher-risk engagements, firms may need an engagement quality review.

Engagements Subject to Engagement Quality Reviews

SQMS No. 1 requires that firms establish policies and procedures that address engagement quality reviews in accordance with SQMS No. 2. Engagement quality reviews are required for the following:

• Audits or other engagements requiring an engagement quality review due to laws or regulations
• Audits or other engagements as a response to quality risks as defined by the firm

Not all engagements are subject to an engagement quality review. Riskier engagements (as defined by the firm; see SQMS No. 1 criteria) are more likely to be subject to an engagement quality review.

Next, we look at SQMS No. 2, Engagement Quality Reviews.

SQMS No. 2 – Engagement Quality Reviews

An engagement quality review (EQR) is an objective evaluation of the engagement team’s significant judgments and conclusions. It is not an evaluation of the entire engagement. The review is done at the engagement level, and an engagement quality reviewer performs the EQR before the engagement report is released.

So, who can be an engagement quality reviewer (EQ reviewer)? An engagement quality reviewer can be a:

• Partner
• Another individual in the firm, or
• Someone external to the firm

EQ Reviewer Requirements

The EQ reviewer should understand SQMS No. 2 and apply the requirements. The firm will also define the EQ reviewer qualifications in its policies and procedures, namely that this person must have the competence, capability, and time to perform the review and that the person will be objective.

EQR Policies and Procedures

EQR policies and procedures should address the following:

• Require the EQ reviewer to take overall responsibility for the EQR
• Require the EQ reviewer to take overall responsibility for the supervision of persons assisting with the EQR
• The EQ reviewer (and anyone assisting this person) can’t be a member of the audit team
• The EQ reviewer (and anyone assisting this person) must have sufficient competence, capabilities, and time to perform their duties
• The EQ reviewer (and anyone assisting this person) must comply with relevant ethical requirements and laws and regulations
• Circumstances in which the EQ reviewer’s discussion with the engagement team gives rise to an objectivity threat and actions to take when this happens
• Circumstances in which the EQ reviewer’s eligibility is impaired, including how a replacement reviewer will be chosen
• Performance of EQRs during the engagement
• A prohibition from releasing an engagement report until the EQ reviewer notifies the engagement partner that the EQR is complete

SQMS No. 2 also provides EQR performance requirements.

EQR Performance

The EQR performance should include the following:

• EQ reviewer talks with the engagement partner (and team, if needed) about significant matters and significant judgments
• EQ reviewer reviews communications regarding the nature and circumstances of the engagement and the entity
• EQ reviewer considers the firm’s monitoring and remediation process, including deficiencies relating to significant judgment areas
• EQ reviewer reviews significant judgment documentation, including the basis for the judgment, and determines:
• Whether the documents support the conclusion
• Whether the conclusions are appropriate
• EQ reviewer evaluates the basis for the engagement partner’s independence determination when applicable
• EQ reviewer should evaluate whether an appropriate consultation took place for difficult or contentious matters
• EQ reviewer should determine whether the engagement partner was sufficiently involved when the engagement is subject to generally accepted auditing standards (if not, the engagement partner may not have a sufficient basis for determining that significant judgments and conclusions are appropriate)
• EQ reviewer should review the financial statements and reports for audits and review engagements
• EQ reviewer should review the engagement report and the subject matter information (when applicable) for engagements other than audits and review engagements
• EQ reviewers should notify the engagement partner when they have concerns about significant judgments and conclusions
• EQ reviewer should notify the engagement partner when the engagement review is complete

SQMS No. 2 includes documentation requirements. Let’s see what those are.

EQR Documentation

The EQR documentation should include:

• Policies and procedures requiring the EQ reviewer to take responsibility
• Evidence of the EQ review in the engagement file
• Names of the EQ reviewers
• Identification of the engagement reviewed
• Whether the EQR complies with SQMS No. 2
• Evidence that the engagement is complete
• Notification that the reviewer has concerns about judgments and conclusions, if applicable
• Notification from the EQ reviewer to the engagement partner that the review is complete

EQR Findings

It’s a good idea—though not required by standards—to capture EQR findings in a summary document (e.g., Excel or a database). Then, the firm can use this information in planning and performing its monitoring duties. 

EQR is Scalable

The EQR is scalable depending on the engagement, entity’s nature, and circumstances. Again, less risk will result in less work and documentation than riskier engagements. Fewer significant judgments will likely mean fewer EQR procedures.

Given the EQ reviewer’s involvement, can the engagement partner’s work be reduced? The short answer is no. 

EQR’s Effect on Engagement Partner Responsibilities

The EQR does not change the engagement partner’s responsibilities. For example, an engagement partner should review judgment areas such as complex estimates even though the EQ reviewer does the same.

How EQRs Relate to Monitoring and Remediation

You may be wondering how EQRs relate to monitoring and remediation. For instance, can the person performing an EQR also perform the monitoring on the same engagement? Find in this related article. 

Conclusion

In conclusion, the QM standards are no small change. As you can see from the above, you have a great deal of work before you. This is especially true if you perform riskier audits and attestation engagements. So, start working on this transition as soon as possible. That way, you’ll have everything in place by December 15, 2025.

The most challenging part of this change is the risk assessment process. You need to document your quality objectives, quality risks, and responses for the six components (those that are not processes, i.e., risk assessment and monitoring) listed above.

Finally, consider whom you will assign the QM system operational responsibility. This person must have the competence, capability, and time to comply with the standards. You may need to hire someone to fill this role or contract with someone outside your firm.