Tag Archives for " Quality Management "

monitoring and remediation
Oct 19

Understand Engagement Quality Reviews and Monitoring and Remediation

By Charles Hall | Auditing

The new quality management standards include (1) engagement quality reviews and (2) monitoring and remediation. So what are these, and how will they impact CPA firms? Will they require changes in how you operate? Will you need additional personnel? Can firms review their own work, or will you need external help?

In this post, I explain how engagement quality reviews (EQR) and monitoring are different and how they complement each other. We also look at the objectivity requirements for monitoring (which can be tricky, especially for small firms). 

SQMS No. 1, A Firm’s System of Quality Management, requires firms to create a monitoring and remediation process. That standard also requires an Engagement Quality Review for higher-risk engagements (as defined by the firm). SQMS No. 2, Engagement Quality Reviews, provides information about the reviewers’ appointments and responsibilities. 

So, how do EQRs relate to monitoring and remediation? 

To answer this question, let’s first look at a summary of these two functions. 

1. Engagement Quality Reviews

EQRs are at the engagement level. For example, a designated reviewer will review a completed audit file for compliance with standards and an appropriate audit report. The purpose of an EQR is to provide an objective evaluation of significant judgments and conclusions. The EQR will, if done appropriately, reduce the risk of noncompliance with professional standards and the risk of issuing improper reports. It is not, however, an evaluation of the entire engagement. 

Firms perform EQRs for selected (usually high-risk) engagements. SQMS No. 2 requires EQRs for two types of engagements:

  1. When laws or regulations require an EQR for an audit or other engagement (which is rare)
  2. When a firm determines that an EQR is an appropriate response to one or more quality risks (which is common)

The second engagement type is one most firms will encounter, especially if it audits more complex entities such as banks. Why? Because such entities have estimates with a high degree of estimation uncertainty, making it higher risk. Additionally, an entity with significant going concern uncertainties will usually need an EQR, another example of a higher risk engagement.

Next, we’ll look at EQR criteria. 

EQR Criteria

Firms must create EQR policies and procedures defining the engagements requiring such reviews. The firm’s EQR criteria (see SQMS No. 1, A145) might include the following:

  • Types of engagements (e.g., audits)
  • Types of reports (e.g., Single Audits)
  • Types of entities (e.g., employee benefit plans)
  • Engagements with a high level of complexity or judgment (e.g., banks)
  • Engagements with recurring internal or external inspection findings
  • Engagements involving regulatory filing information 
  • Entities in emerging industries (e.g., artificial intelligence)
  • Entities for which the firm has no prior experience
  • Entities with public accountability characteristics (e.g., benefit plans)
  • Governmental entities, if large or complex

So, consider these criteria as you define which engagements will require an EQR. Create a firm policy for this purpose. 

Now, let’s consider the monitoring and remediation requirements.

2. Monitoring and Remediation

Firms perform a monitoring and remediation process, a component of the engagement quality control system. Another component is the risk assessment process. The QM system also includes the following six components:

  • Governance and leadership
  • Relevant ethical requirements
  • Engagement performance
  • Acceptance and continuance
  • Information and communication
  • Resources  

As we saw in my previous QM post, firms create quality objectives, quality risks, and responses for these six components (as a part of their risk assessment process). Once those are in place, firms must monitor them–and remediate deficiencies when noted. 

Monitoring activities may include in-process engagements and should include the inspection of completed engagements. These reviews may include engagements not subject to an EQR, such as those with lower risk (e.g., a client with no estimates or complex accounting). 

In-Process Reviews (Optional)

So, why might a firm review a lower-risk job while it’s in process as a part of monitoring? To see if the QM system is working. For instance, the reviewer might look at risk assessment documentation if the previous inspection revealed problems in this area. Additionally, the firm may want to look at a particular engagement partner’s work if that person had prior deficiencies. 

Completed Engagement Reviews (Required)

Firms should also perform inspections of completed engagements. The firm should review at least one completed engagement for each engagement partner on a cyclical basis (e.g., once every three years). 

Remediation

If a firm notes deficiencies, it will remediate the issues by planning and performing corrective steps. For example, suppose Single Audit engagements reviewed in monitoring did not have appropriate major program determination documentation. In that case, the firm might require that a designated reviewer look at this part of each future Single Audit file. The purpose of the step is to cure the deficiency. 

So, what’s the difference between EQRs and monitoring?

Differences in EQRs and Monitoring 

Engagement risk triggers an EQR, but monitoring has a broader perspective, one focused on the QM system as a whole. 

Engagement Reviews

So, EQRs occur based on the firm’s policies and procedures that define higher-risk jobs. If a firm has only three audits that meet the firm’s EQR criteria (as we previously discussed), then only those are subject to an EQR. 

But even if a firm has no EQR engagements (which would be unusual), it still needs to monitor its QM system. And that may entail reviews of in-process jobs. 

Other Components Monitoring

Additionally, monitoring includes reviews of the QM responses to the six components listed above. (Remember, the firm establishes quality objectives, quality risks, and responses for each of the components.) 

For example, a firm could test its hiring practices for the resource component’s response to a related quality risk. Or a firm might see if peer review findings are being communicated to relevant firm members as a test of the information and communication component. Notice these monitoring examples do not focus on a particular engagement (as an EQR does). 

EQR Findings Affect Monitoring and Remediation

Firms should communicate EQR findings, if any, to firm members. Such findings might lead to remedial action. For example, if the EQRs discover a need for more documentation related to estimates, the firm might require a second partner review of specific estimates (e.g., a bank’s allowance for loan losses). Then, the firm might monitor the response to see if the second review takes place. 

Next, we will discuss the importance of objectivity. 

Maintaining Objectivity

Reviewers need to be objective, whether in an engagement quality review or when monitoring. 

SQMS No. 1 (paragraph 40) requires firms to create policies and procedures that address the objectivity of individuals performing monitoring activities. Objectivity is enhanced when someone monitoring does not review their prior work (such as (1) serving as a member of the engagement team or (2) as an engagement quality reviewer). 

Self Review Threat

A self-review threat exists if a monitoring person reviews their previous work. For example, if the quality management director serves as the EQR person in the audit of ABC Company and then checks that job in the monitoring process, she examines her own work. Such a situation can adversely affect her objectivity. It would be better for another person (someone not a part of the ABC Company audit engagement team or who did not serve as the engagement quality reviewer) to look at that engagement during monitoring. 

EQR in Stages

So, can the person performing the EQR do so at different engagement stages (e.g., beginning, middle, end) or only after the file is complete? You can do either. Consider doing that which lessens your risk the most. 

If the EQR person reviews the engagement at stages (e.g., beginning, middle, end), can they be objective? Yes, as long as they don’t make engagement decisions. For example, they can review and sign off on planning but can’t tell the engagement team how to plan the job. In another example, the EQR person can review risk assessment, but they can’t make those decisions.

Firms are not required to perform EQRs in stages, but they can. Alternatively, the firm might decide to do the EQRs once the engagement is finished. 

Safeguards

SQMS No. 1 states it does not preclude self-inspection. Nevertheless, it says self-review leads to a higher risk that noncompliance with policies and procedures may occur. It is best to remove self-inspection, but if this is not possible, the firm may provide safeguards (actions to reduce the self-review threat) such as the following:

  • Promote continuing professional education and provide training programs to ensure that personnel are current in accounting, auditing, and QM standards
  • Require the use of peer review or other inspection checklists in the monitoring work
  • Provide training about proper monitoring procedures
  • Perform the self-inspection after some time has passed since the completion of the engagement

Responses to Quality Risks

Additionally, the firm’s responses to certain quality risks (as developed in the risk assessment process) may be helpful, such as the following:

  • Develop strong client acceptance and continuance policies that require the firm to have the competence and time to perform the engagement
  • Create a consultation policy that requires the engagement team to consult with another person (e.g., external or internal CPA) when they encounter difficult accounting and auditing issues
  • Take corrective action to cure issues noted in internal monitoring, EQRs, peer review, or other outside reviews (e.g., DOL inspection)
  • Require the use of an outside service provider to perform EQRs when deficiencies were previously noted (e.g., in peer review) or the firm or its environment changes (e.g., the firm starts auditing a client in a new industry)
YouTube player

Summary

So, engagement characteristics trigger EQRs, and firms need to perform monitoring and remediation, regardless of the EQRs. Furthermore, firms perform EQRs at the engagement level, but monitoring and remediation focuses on the QM system as a whole. 

As you prepare for the new QM standards, consider if you have the personnel to perform the EQRs and monitoring. You may need to hire new staff or contract with external CPAs. 

Finally, if there are objectivity threats from self-review, your firm may need safeguards such as using a peer review checklist in performing a cold engagement review. Strong quality risk responses are also helpful.

quality management
Oct 13

AICPA Quality Management: Why You Need to Start Now

By Charles Hall | Auditing

All firms performing any engagement in an accounting and auditing practice must comply with the new Quality Management (QM) standards, including SQMS No. 1 and SQMS No. 2.

Your quality management system must be designed and implemented by December 15, 2025.

Then, after your new QM process is in place for one year, your managing partner (or other persons with ultimate QM system responsibility) will conclude whether the QM system provides reasonable assurance that objectives are being achieved.

Start your work on this implementation as soon as you can, especially if you perform more complex engagements such as audits and attestations. 

In this article, I explain why quality management is essential, and then I summarize SQMS No. 1 (the firm’s system of QM) and SQMS No. 2 (engagement quality reviews).

I also provide this video (an interview with Jennifer O’Neal) that provides an overview of the QM standards and information about how to get started. 

YouTube player

Why Quality Management?

The purpose of the QM Standards, issued by the American Institute of Certified Public Accountants (AICPA), is to assist accountants with compliance (with professional standards). The QM standards assist with the following:

  1. Compliance with professional standards and
  2. Issuance of appropriate engagement reports

And when firms comply with professional standards and issue correct reports, their peer review results should be good. 

An unstated benefit of the QM standards is risk management (avoiding loss through legal suits). These standards (when used appropriately) lessen the probability that a firm will be sued for deficient work. How? By helping firms identify QM system and engagement deficiencies. Thereafter, firms can create responses to improve their work.

My main point here is the QM standards help protect your accounting firm, lessening the potential for future harm (whether from peer review failures or legal loss).

QM Standards

The QM standards are made up of the following:

Standard Abbreviation Title
Statement of Quality Management Standards No. 1 SQMS No. 1 The Firm’s System of Quality Management
Statement of Quality Management Standards No. 2 SQMS No. 2 Engagement Quality Reviews
Statement of Quality Management Standards No. 3 SQMS No. 3 Amendments to QM Sections 10, A Firm’s System of Quality Management, and 20, Engagement Quality Reviews
Statement on Auditing Standards No. 146 SAS 146 Quality Management for an Engagement Conducted in Accordance With Generally Accepted Auditing Standards
Statement on Standards for Accounting and Review Services 26 SSARS 26 Quality Management for an Engagement Conducted in Accordance With Statements on Standards for Accounting and Review Services

This article addresses SQMS No. 1 and SQMS No. 2.

SQMS No. 1 – The Firm’s System of QM

SQMS No. 1 addresses how a firm’s system of quality management operates and specifies eight components:

  1. Risk assessment process
  2. Governance and leadership
  3. Relevant ethical requirements
  4. Acceptance and continuance
  5. Engagement performance
  6. Resources
  7. Information and communication
  8. Monitoring and remediation process

(1) Risk assessment and (2) information and communication are new components; they were not included in the prior quality control standards. 

Risk assessment, as well as monitoring and remediation, are processes. So, you will not establish quality objectives, quality risks, and responses for these. 

Risk Assessment: Most Significant Change

The risk assessment component is the most significant change. Firms are required to do the following for the six components listed below:

  1. Establish quality objectives
  2. Identify and assess risks to achieving the quality objectives and
  3. Design and implement responses to address the quality risks

Here’s an example:

  1. A quality objective might be that consultation occurs when there are complex or contentious matters.
  2. The risk could be that firm personnel do not consult with persons in or outside the firm regarding complex or contentious issues.
  3. The risk response could be, for example, that the engagement partner is responsible for consultations and documentation.

SQMS No. 1 requires that firms establish quality objectives, quality risks, and responses (the risk assessment process) for the following components:

  1. Governance and leadership
  2. Relevant ethical requirements
  3. Acceptance and continuance
  4. Engagement performance
  5. Resources
  6. Information and communication

Monitoring and Remediation

After establishing objectives, risks, and responses for these six components, the firm will create a monitoring and remediation process. In doing so, firms will consider the reasons for quality risk assessments, the designed responses, changes in the QM system, the results of previous monitoring, and other relevant information such as peer review information.

Holistic QM System

The QM standards are a holistic approach to ensure (1) that firms comply with professional standards and (2) issue appropriate reports. Develop your objectives, risks, and responses in light of these objectives. The eight components should dovetail. In other words, they should work together.

Additionally, the QM system is organic (or at least, it should be). As changes occur in your firm’s accounting and auditing engagements or how it operates, you will reassess your overall system to see if it needs changing.

No longer will we create static quality control documents that sit on the shelf. Real-time changes make sense: your responses (actions to lessen risk) should change as your risks change.

Scalable QM System

The QM system is also scalable. For smaller firms with fewer risks, the QM documentation will be less than that of more complex CPA firms.

Think of a firm that does compilation engagements and nothing else; this firm’s chance of noncompliance with professional standards and issuing incorrect reports is generally less than that of a firm performing audits or attestation services. So, the smaller firm’s QM system will be simpler.

The QM system is like an accordion, expanding for more risk and compressing for less risk.

So, who is responsible for the QM system?

Persons Responsible for QM System

SQMS No. 1 states that your firm will assign ultimate responsibility and accountability to your managing partner, CEO, or managing board. This person or board will evaluate the QM system at a point in time (at least annually) and conclude whether the QM system provides reasonable assurance that objectives are being met.

The conclusion will include one of the following:

  1. The QM system provides reasonable assurance that the system’s objectives are being achieved.
  2. Except for matters related to identified deficiencies, the QM system provides reasonable assurance that the system’s objectives are being achieved.
  3. The QM system does not provide reasonable assurance that the objectives of the QM system are being achieved.

If 2. or 3. is in play, the firm should take prompt and appropriate action and communicate to engagement teams and QM personnel as needed.

SQMS No. 1 also says that firms will assign operational responsibility for the QM system to someone such as a QM partner or director. The person with operational responsibility oversees:

  • Compliance with independence standards
  • Monitoring and remediation process

So, does this person have to perform all QM duties? No, the person with operational responsibility can delegate specific responsibilities to other firm members, such as independence monitoring. Even so, the person with operational responsibility is still responsible for the QM system operations (in this example, independence monitoring).

The standard creates accountability by defining who is responsible for what. In most firms, the managing partner has ultimate responsibility, and the quality control partner/director has operational responsibility. Also, SQMS No. 1 states that the firm should perform periodic performance evaluations of these persons.

QM System Documentation

The firm should document its QM system, including:

  • Person(s) with ultimate responsibility
  • Person(s) with operational responsibility
  • Quality objectives
  • Quality risks
  • Responses
  • How quality risks are addressed
  • Monitoring activities
  • Evaluation of findings
  • Evaluation of identified deficiencies (and their root causes)
  • Remedial actions
  • Communications about monitoring and remediation
  • Conclusions reached
  • Basis for conclusion

This documentation should be retained long enough for the firm and its peer reviewer to monitor the QM system (and to meet any legal and regulatory requirements).

For higher-risk engagements, firms may need an engagement quality review.

Engagements Subject to Engagement Quality Reviews

SQMS No. 1 requires that firms establish policies and procedures that address engagement quality reviews in accordance with SQMS No. 2. Engagement quality reviews are required for the following:

  • Audits or other engagements requiring an engagement quality review due to laws or regulations
  • Audits or other engagements as a response to quality risks as defined by the firm

Not all engagements are subject to an engagement quality review. Riskier engagements (as defined by the firm; see SQMS No. 1 criteria) are more likely to be subject to an engagement quality review.

Next, we look at SQMS No. 2, Engagement Quality Reviews.

SQMS No. 2 – Engagement Quality Reviews

An engagement quality review (EQR) is an objective evaluation of the engagement team’s significant judgments and conclusions. It is not an evaluation of the entire engagement. The review is done at the engagement level, and an engagement quality reviewer performs the EQR before the engagement report is released.

So, who can be an engagement quality reviewer (EQ reviewer)? An engagement quality reviewer can be a:

  • Partner
  • Another individual in the firm, or
  • Someone external to the firm

EQ Reviewer Requirements

The EQ reviewer should understand SQMS No. 2 and apply the requirements. The firm will also define the EQ reviewer qualifications in its policies and procedures, namely that this person must have the competence, capability, and time to perform the review and that the person will be objective.

EQR Policies and Procedures

EQR policies and procedures should address the following:

  • Require the EQ reviewer to take overall responsibility for the EQR
  • Require the EQ reviewer to take overall responsibility for the supervision of persons assisting with the EQR
  • The EQ reviewer (and anyone assisting this person) can’t be a member of the audit team
  • The EQ reviewer (and anyone assisting this person) must have sufficient competence, capabilities, and time to perform their duties
  • The EQ reviewer (and anyone assisting this person) must comply with relevant ethical requirements and laws and regulations
  • Circumstances in which the EQ reviewer’s discussion with the engagement team gives rise to an objectivity threat and actions to take when this happens
  • Circumstances in which the EQ reviewer’s eligibility is impaired, including how a replacement reviewer will be chosen
  • Performance of EQRs during the engagement
  • A prohibition from releasing an engagement report until the EQ reviewer notifies the engagement partner that the EQR is complete

SQMS No. 2 also provides EQR performance requirements.

EQR Performance

The EQR performance should include the following:

  • EQ reviewer talks with the engagement partner (and team, if needed) about significant matters and significant judgments
  • EQ reviewer reviews communications regarding the nature and circumstances of the engagement and the entity
  • EQ reviewer considers the firm’s monitoring and remediation process, including deficiencies relating to significant judgment areas
  • EQ reviewer reviews significant judgment documentation, including the basis for the judgment, and determines:
  • Whether the documents support the conclusion
  • Whether the conclusions are appropriate
  • EQ reviewer evaluates the basis for the engagement partner’s independence determination when applicable
  • EQ reviewer should evaluate whether an appropriate consultation took place for difficult or contentious matters
  • EQ reviewer should determine whether the engagement partner was sufficiently involved when the engagement is subject to generally accepted auditing standards (if not, the engagement partner may not have a sufficient basis for determining that significant judgments and conclusions are appropriate)
  • EQ reviewer should review the financial statements and reports for audits and review engagements
  • EQ reviewer should review the engagement report and the subject matter information (when applicable) for engagements other than audits and review engagements
  • EQ reviewers should notify the engagement partner when they have concerns about significant judgments and conclusions
  • EQ reviewer should notify the engagement partner when the engagement review is complete

SQMS No. 2 includes documentation requirements. Let’s see what those are.

EQR Documentation

The EQR documentation should include:

  • Policies and procedures requiring the EQ reviewer to take responsibility
  • Evidence of the EQ review in the engagement file
  • Names of the EQ reviewers
  • Identification of the engagement reviewed
  • Whether the EQR complies with SQMS No. 2
  • Evidence that the engagement is complete
  • Notification that the reviewer has concerns about judgments and conclusions, if applicable
  • Notification from the EQ reviewer to the engagement partner that the review is complete

EQR Findings

It’s a good idea—though not required by standards—to capture EQR findings in a summary document (e.g., Excel or a database). Then, the firm can use this information in planning and performing its monitoring duties. 

EQR is Scalable

The EQR is scalable depending on the engagement, entity’s nature, and circumstances. Again, less risk will result in less work and documentation than riskier engagements. Fewer significant judgments will likely mean fewer EQR procedures.

Given the EQ reviewer’s involvement, can the engagement partner’s work be reduced? The short answer is no. 

EQR’s Effect on Engagement Partner Responsibilities

The EQR does not change the engagement partner’s responsibilities. For example, an engagement partner should review judgment areas such as complex estimates even though the EQ reviewer does the same.

How EQRs Relate to Monitoring and Remediation

You may be wondering how EQRs relate to monitoring and remediation. For instance, can the person performing an EQR also perform the monitoring on the same engagement? Find in this related article

Conclusion

In conclusion, the QM standards are no small change. As you can see from the above, you have a great deal of work before you. This is especially true if you perform riskier audits and attestation engagements. So, start working on this transition as soon as possible. That way, you’ll have everything in place by December 15, 2025.

The most challenging part of this change is the risk assessment process. You need to document your quality objectives, quality risks, and responses for the six components (those that are not processes, i.e., risk assessment and monitoring) listed above.

Finally, consider whom you will assign the QM system operational responsibility. This person must have the competence, capability, and time to comply with the standards. You may need to hire someone to fill this role or contract with someone outside your firm.

>