Moving Beyond Risk Assessment in the SQMS Implementation Journey
Following these next steps will help ensure your firm’s new quality management system is both well-designed and well-executed in time for AICPA’s looming professional standards deadline.
By Heather Lindquist, CPA | Summer 2025

Firms that perform engagements under Statements on Auditing Standards, Statements on Standards for Accounting and Review Services, and Statements on Standards for Attestation Engagements should be spending part of their summer studying up on the AICPA’s new Statements on Quality Management Standards (SQMS). With an effective date requiring that firms’ quality management systems be designed and operational by Dec. 15, 2025, there’s little time to waste.
As I outlined in my winter 2024 Insight article, “6 Tips for Implementing the New Quality Management Standards,” the new SQMS lays out a framework that includes two process-oriented components: 1) risk assessment and 2) monitoring and remediation. These two components are integrated with six environmental and operational components (governance and leadership, relevant ethical requirements, acceptance and continuance, engagement performance, resources, and information and communication).
Overall, the nuts and bolts of this new framework require firms to set quality objectives, identify and assess quality risks, and design responses for the six environmental and operational components.
In my winter article, I gave an overview on the importance of learning the basics of what’s required under the new SQMS, building a design and implementation team, developing a roadmap for the design process, and understanding the new risk-assessment requirements. However, at this stage in the SQMS implementation journey, firms should be moving beyond identifying and assessing risks to responding to quality risks through their policies and procedures, sufficiently documenting the design of their quality management systems, and communicating and training personnel about the changes. Here, I’ll be addressing all three of these important next steps.
RESPONDING TO QUALITY RISKS
Developing effective responses to quality risks involves leveraging current firm policies and procedures and potentially designing new ones. For example, SQMS No. 1, “A Firm’s System of Quality Management,” requires certain “Specified Responses” be incorporated into a firm’s quality management system, addressing presumed risks within the system. One of the “Specified Responses” requires firms to establish policies and procedures to annually obtain personnel’s confirmation of compliance with independence requirements. (Many firms already have such a process in place and will only need to link this response to related risks within quality management design documentation.)
Conversely, firms will likely need to design new policies and procedures for “Specified Responses” relating to information and communications. Specifically, firms will need to address risk associated with external communication about the firm’s quality management system, including the nature, timing, extent, and form of any such communications.
While firms must incorporate “Specified Responses” into their quality management systems, these alone won’t address all quality risks. Firms will need to review current policies and procedures, mapping these out against identified quality risks and designing new responses where necessary.
Further, SQMS No. 1 requires firms to assign ultimate responsibility and accountability for the quality management system to the managing partner (or equivalent) as well as certain other roles. This includes assigning operational responsibility for the quality management system, compliance with independence requirements, and the monitoring and remediation process. Though the same individual may assume responsibility for all these roles, the standard requires firms to specify (and document) which individual or position will fulfill each task.
DEVELOPING DESIGN DOCUMENTATION
SQMS No. 1 also requires firms to develop documentation supporting both the design and operation of their quality management systems. Firms in the midst of the design and implementation process must determine the best method of documentation to:
- Facilitate understanding of the system’s operation by personnel, including roles and responsibilities.
- Ensure consistent implementation and operation of the responses (i.e., policies and procedures).
- Provide sufficient evidence of design, implementation, and operation of the responses to support the evaluation of the system.
Importantly, design documentation can take many forms and will vary in complexity based on each firm’s circumstances. However, regardless of its form, the design documentation must assign required roles, demonstrate that a risk-assessment and response design process was performed (including the establishment of quality objectives), and, if applicable, address relevant network participation considerations.
For example, one approach could be creating a quality management document supported by a risk-assessment and response document, with each part serving the following purposes:
- Quality Management Document: This summarizes the firm’s approach to quality management with policies and procedures for all eight components. For the two process-oriented components in the new SQMS (risk assessment and monitoring and remediation), the document would include policies and procedures related to how the firm administers each process. For the six environmental and operational components requiring risk assessment, the policies and procedures summarize the responses to identified quality risks (including the required “Specified Responses”) linking back to the risk-assessment and response document. Additionally, the document would assign the required roles.
- Risk-Assessment and Response Document: This provides evidence of the firm’s risk-assessment process, including the establishment of quality objectives, identification and assessment of risks, and development of appropriate responses. The document demonstrates the linkage between risks and designed responses (policies and procedures that flow into the quality management document). The firm can periodically revisit this document to reexamine conclusions on quality risks and determine the need for new or revised responses depending on changing conditions and circumstances.
TRAINING FIRM PERSONNEL
The existence of a written document means very little without a commitment to educating firm personnel about how to live out its contents. Though not everyone needs to understand the ins and outs of the firm’s quality management system, having all personnel possess a general understanding of quality management and its role in the firm’s operations is critical to ensuring they adhere to the firm’s newly designed policies and procedures.
To foster this understanding among personnel, begin by spreading awareness. Circulate the quality management document to all personnel and hold a short meeting to familiarize them with the SQMS basics, including policies and procedures (current and new) and the process that firm leadership went through to identify, assess, and respond to quality risks.
Stella Marie Santos, CPA, managing partner at Adelfia LLC, champions this approach, explaining that her firm has always made reading its quality control document a part of the employee onboarding process. Now, with the new SQMS implementation looming, Santos says the firm plans to hold specific training to educate personnel about the upcoming changes and the firm’s new quality management document.
Of course, even after the Dec. 15 implementation deadline, firms should consider how to maintain quality management awareness.
Randall Miller, CPA, partner at Hawkins Ash CPAs, suggests a method his firm uses to keep employees up to date on policies and procedures: requiring employees to confirm receipt of and review the firm’s updated quality management policies and procedures each year alongside their annual confirmation of compliance with independence requirements.
In addition to awareness, providing context of the “why” behind certain policies and procedures is important. For example, during training, as well as prior to locking down engagement files, firm personnel should consider the criticality of completeness, retention, and secure storage of engagement documentation.
For Santos and her team, the plan is to explain the concept of quality risk assessment during training and provide context about the resulting responses and how various business considerations may impact risk, which may then lead to new or amended responses in the future.
Further, asking personnel to identify connections between their roles and quality management concepts, such as whether their continuing professional education plans align with the type of work they perform, can be an effective tool for gauging understanding.
Overall, a successful quality management system hinges on a firm’s ability to comprehensively identify quality risks, develop responses to the risks, and successfully communicate and achieve buy-in from all personnel. Spending sufficient time tackling these challenges will help ensure that your firm’s system isn’t only well-designed but also well-executed.
Heather Lindquist, CPA, is the Illinois CPA Society’s director of peer review and professional standards.