6 Tips for Implementing the New Quality Management Standards

On Dec. 15, 2025, a series of new risk-based professional standards from the AICPA will go into effect, which will have a significant impact on CPA firms that perform engagements under Statements on Auditing Standards (SAS), Statements on Standards for Accounting and Review Services (SSARS), and Statements on Standards for Attestation Engagements (SSAEs). Until then, you can expect the noise and chatter surrounding the new Statements on Quality Management Standards (SQMS) to grow louder. The standards include:

• SQMS No. 1: “A Firm’s System of Quality Management.”
• SQMS No. 2: “Engagement Quality Reviews.”
• SAS No. 146: “Quality Management for an Engagement Conducted in Accordance With Generally Accepted Auditing Standards.”
• SSARS No. 26: “Quality Management for an Engagement Conducted in Accordance With Statements on Standards for Accounting and Review Services.” While no one can eliminate the inevitable confusion these new standards may bring, it’s important for firms to keep in mind the “why” behind them: to ensure the quality of the profession’s auditing and accounting work.

Here are six tips to consider as you start your important SQMS implementation journey.

1. START NOW

First and foremost, firms must start their SQMS implementation process as soon as possible.

While implementing new professional standards often involves looking backward, that’s not a luxury firms have this time around because they must design and implement quality management systems by the Dec. 15, 2025, compliance deadline.

2. UNDERSTAND THE BASICS OF WHAT’S REQUIRED

SQMS, which supersede the current Statements on Quality Control Standards (SQCS), requires firms to develop quality management systems that provide reasonable assurance a firm will conduct engagements in accordance with professional standards and applicable legal and regulatory requirements, as well as issue appropriate reports.

Practically, the objectives of SQMS and SQCS are the same, with the change being how firms achieve this goal. Instead of adopting a set of generic policies, SQMS employs the concept of quality risk and response. Firms will need to focus on quality concerns specific to their circumstances, tailoring risk responses to form a system of quality management.

SQMS lays out a framework of two process-oriented components: 1) risk assessment and 2) monitoring and remediation. These two components are then integrated with six environmental and operational components:

1. Governance and leadership.
2. Relevant ethical requirements
3. Acceptance and continuance.
4. Engagement performance.
5. Resources.
6. Information and communication.

For each of these six components, firms must establish quality objectives, identify and assess quality risks to those objectives, and design and implement responses to those risks.

3. GAIN FAMILIARITY WITH THE STANDARDS

Whether it be through continuing education, reading through the standards, or reviewing AICPA resources, everyone involved with the implementation process on your team should take time to develop familiarity with the standards.

Equally essential is gaining a thorough understanding of your firm, including its practice, structure, operations, and culture. These factors help reveal risks that could prevent the firm from performing work that meets professional standards, what actions the firm already takes (or should take) to mitigate those risks, and how the firm can monitor the effectiveness of its actions.

“It’s mentally similar to a client audit risk assessment where you have to gain an understanding of the business and the environment that it works in and everything else involved with that,” says Kelly Buchheit, CPA, director of quality control at ORBA, who is currently spearheading the firm’s SQMS implementation process.

Like documenting the understanding of an audit client, it’s helpful to draft a brief profile summarizing key points about the firm, such as the types of engagements it performs, firm structure, personnel, accessible resources (e.g., technology, external consultants, etc.), training, previous monitoring and peer review issues, and upcoming changes (e.g., retirements). Firms can refine this understanding by discussing it with personnel and their peer reviewers.

4. BUILD THE RIGHT TEAM

Before jumping into the implementation process, you should identify your key players. “It’ll be more helpful if you have somebody who has good knowledge of the inner workings of the firm,” Buchheit says.

Specifically, Buchheit suggests firms consider individuals who might be most impacted by the standard, possess a strong understanding of the firm’s technological resources, and hold strong institutional knowledge of the firm and its strategic goals.

She adds that it’s equally important to not overly involve individuals: “You don’t want too many cooks in the kitchen—there needs to be a balancing act.”

While firms with small leadership teams may have less of a challenge identifying who to involve in the implementation process, figuring out ways to bring multiple perspectives to the table will ultimately be key in ensuring the potential risks are considered from all angles.

5. FIND THE RIGHT RISK-ASSESSMENT APPROACH

The AICPA released a practice aid, “Establishing and Maintaining a System of Quality Management,” to assist firms with the SQMS implementation process. It offers a framework that lays out component quality objectives and potential risks that firms should consider during their risk assessment.

The aid consists of three files: a guide for sole practitioners, a guide for small-to-medium-sized firms, and an example risk assessment template. More details on how to use this guide were provided in the fall 2024 Insight article, “Navigating the Path to Audit and Attest Quality Management.”

Notably, determining whether potential risks represent actual quality risks for your firm can be a difficult process. For instance, a quality risk for one firm may not be relevant to another.

Genevra Knight, CPA, CCIFP, partner at Porte Brown LLC, stresses it’s not reasonable to have every single risk from the AICPA practice aid listed in your quality management document. “Instead, focus on the relevant risks through eliminating, combining, and/or simplifying some of the AICPA practice aid’s risk language,” she says, which should effectively tailor risks to your firm’s circumstances.

Some firms may choose to use the common strategy of tackling each component one at a time to determine their quality objectives and risks before moving on to the next component. Other firms may prefer using a step-by-step approach, where they lay out the risks of the quality objectives for all six components before determining responses.

Knight’s team chose to assess the acceptance and continuance component first because it felt less daunting to them. By comparison, Buchheit’s firm tackled the governance and leadership component first.

For both Knight and Buchheit, the mechanics of the risk-assessment process involved in-person meetings and video calls, using the list of potential risks from the relevant AICPA practice aid as a guide. Discussions also focused on potential risks for each component and deciding whether the impact would represent a quality risk.

6. PRACTICE YOUR RISK-ASSESSMENT THOUGHT PROCESS

So, how should practitioners think through their risk assessment? For practice, let’s review some potential risks from the practice aid’s acceptance and continuance component, along with what conditions might impact their quality risk determination.

• Proposed fees don’t sufficiently cover time and resources to perform the engagement.
• Failure to apply acceptance procedures to clients from purchased or merged-in firms.

The first risk is likely a quality risk for many firms. But for firms that perform a substantial amount of work in highly fee-conscious industries, the quality risk may be higher, requiring a stronger set of responses. Conversely, some firms may consider the second risk highly unlikely if no intention exists to purchase other firms, meaning it may not represent a quality risk, and no response would be required.

Knight provided another example of this thinking, explaining that her team eliminated a potential risk associated with inappropriately accepting an engagement solely to fill staff capacity. “Lack of staff capacity is the bane of everybody’s existence,” Knight says. For Knight’s firm, the likelihood of excess staff capacity driving an engagement acceptance decision was extremely low, making it easy for her team to determine that it didn’t represent a quality risk.

While many firms already operate under a set of policies and procedures that can be leveraged in designing and documenting how it responds to quality risks, the challenges will be ensuring the policies and procedures fully address all quality risks and are sufficiently documented.

Quality management implementation requires thoughtful reflection about each firm’s situation. Firms that understand this, start the implementation process early, and remember the “why” behind the standards will have an easier time devising an effective quality management system.

Related Content:

• Navigating the Path to Audit and Attest Quality Management: Four new standards will soon require firms to take a risk-based and scalable approach to designing, implementing, and operating a system of quality management. Here’s some guidance to get you started.
• Best Practices for Performing a Quality Audit: Here's how to ensure your audit engagements are efficient (e.g., on budget) and effective (e.g., have no deficiencies).