The New Quality Management Standards

Did I Hear Someone Say Risk Assessment?

In 2022, the AICPA issued four new quality management standards, as follows:

  • Statement on Quality Management Standards (SQMS) No. 1 – A Firm’s System of Quality Management;
  • SQMS No. 2 – Engagement Quality Reviews;
  • Statement on Auditing Standards (SAS) No. 146 – Quality Management for an Engagement Conducted in Accordance With Generally Accepted Auditing Standards; and
  • Statement on Standards for Accounting and Review Services (SSARS) No. 26 – Quality Management for an Engagement Conducted in Accordance With Statements for Accounting and Review Services.

Effective Dates. Quality management systems that comply with SQMS No. 1 must be designed and implemented by December 15, 2025. The quality management system evaluation required by paragraphs 54-55 of SQMS No. 1 must be performed within one year following December 15, 2025.

SQMS No. 2 is effective for audits or reviews of financial statements for periods beginning on or after December 15, 2025, and other engagements in the firm’s accounting and auditing practice beginning on or after December 15, 2025.

SAS No. 146 becomes effective for audits of financial statements for periods beginning on or after December 15, 2025.

SSARS No. 26 becomes effective for engagements performed for periods beginning on or after December 15, 2025.

Who Do the New Standards Affect? The new standards apply to every firm that performs engagements under SASs, SSARSs, and SSAEs. They also apply to audit and attestation engagements performed under Government Auditing Standards. However, they do not apply to audits of government organizations.

SQMS No. 1 – A Firm’s System of Quality Management. SQMS 1 will supersede Statement on Quality Control Standards No. 8 (SQCS No. 8) on December 15, 2025.

SQMS No. 1 represents a significant change in how CPA firms manage quality. It will take considerable time and effort to implement fully, which is the reason for what may appear to be a long timeline before the effective date.

Under the current QAS system, CPA firms must have a quality control system in place, but there are no specific requirements for what the system must include or how it must be implemented. It is more principles-based. SQMS No. 1, on the other hand, sets out specific requirements for designing and implementing a quality management system. CPA firms must significantly change their quality control systems to comply with SQMS No. 1, and a word of caution – it may take more time than you may think.

As stated in SQMS No. 1: “(t)he objective of the firm is to design, implement, and operate a system of quality management for engagements performed by the firm in its accounting and auditing practice that provides the firm with reasonable assurance that

a. the firm and its personnel fulfill their responsibilities in accordance with professional standards and applicable legal and regulatory requirements and conduct engagements in accordance with such standards and requirements, and
b. engagement reports issued by the firm are appropriate in the circumstances.”

To give you an idea of the approach taken in SQMS No. 1, here are some of the changes and approaches:

  • SQMS No. 1 will address eight components of quality instead of the current six areas under SQCS No. 8. Those eight areas are:
    1. The firm’s risk assessment process (Surprise! New area),
    2. Governance and leadership,
    3. Relevant ethical requirements,
    4. Acceptance and continuance of client relationships and specific engagements,
    5. Engagement performance,
    6. Resources,
    7. Information and communication (new area),
    8. The monitoring and remediation process.

  • The new risk-based approach (sound familiar?) requires:
    1. That quality objectives be established,
    2. That quality risks be identified and assessed in order to design and implement appropriate responses.

    Fortunately, the risk-based approach is scalable based on the design and formality of the system.

  • As stated in SQMS No. 1, the new information and communication component requires:
    1. An information system that “identifies, captures, processes, and maintains relevant and reliable information that supports the system of quality management, whether from internal or external sources.”
    2. A firm culture that values the exchange of information with the firm and with one another,
    3. “Relevant and reliable information is exchanged throughout the firm and with engagement teams…”
    4. “Relevant and reliable information is communicated to external parties…”

  • The system of quality management must be evaluated annually, even during the peer review year. So gone will be the days of assessing the system two out of three years.

SQMS No. 2 – Engagement Quality Reviews. This standard discusses the appointment and eligibility of the engagement quality reviewer (EQR) and the EQR’s responsibilities.

An engagement quality review is necessary under the standard when it is required by law or regulation and when the firm determines it is an appropriate response to one or more quality risks identified in the risk assessment. Additionally, an engagement quality review is scalable based on the nature and circumstances of the engagement or the entity.

As in the current standard, the EQR cannot be an engagement team member.

Stay tuned. There is more coming on this topic.

Changes To The Non-Public Auditor’s Report

The Times They Are-a-Changin

The AICPA has issued several Statements on Auditing Standards (“SASs”) that, on the effective date, will impact the auditor’s report. These changes are included in SAS 134 through 140 and are effective for periods ending on or after December 15, 2021, per SAS 141. Therefore, they will initially be effective for the calendar year 2021 audits. Early implementation is permitted.

Usually, busy private business owners don’t need to concern themselves with the SASs. Why should they? However, owners should be aware of these recently issued SASs because crucial decisions must be made about engaging the auditor to report on what is styled as “Key Audit Matters.” Some of the more noteworthy changes related to the non-public auditor’s report are summarized below.

  1. SAS 134 changes both the contents and arrangement of the auditor’s report for non-public companies. These changes are designed to provide greater transparency and improve communication for the end-users of the financial statements.

    • Key Audit Matters. The Auditing Standards Board has added new AU-C Section 701, Communicating Key Audit Matters in the Independent Auditor’s Report. If the auditor is so engaged, the purpose of communicating key audit matters (“KAMs”) in the auditor’s report is to provide greater clarity regarding significant audit issues to the end-users of the financial statements. Many end-users thought the old standard boilerplate auditor’s report didn’t provide sufficient insight into the audit process. The KAM section of the SAS 134 auditor’s report is advanced in response to this concern.

      The new standard does not require that KAMs be communicated in the auditor’s report. However, end-users, such as banks, absentee owners, and potential buyers may request that KAM communications be included to facilitate their analysis and understanding of the audit. Accordingly, company management may find it prudent to comply with this request and engage the auditor to include a KAM section in the auditor’s report.

      KAMs include matters that, in the auditor’s professional judgment, are most significant in the audit. For example, the following are key matter areas that the auditor may communicate:

      • Areas in the audit that pose a higher risk of material misstatement
      • Significant estimates and related disclosures that are susceptible to material misstatement
      • Areas of high complexity
      • Transactions or events having a significant effect on the financial statements or the audit
      • Areas of the audit that were challenging to the auditor
      • Matters that required consultation by the auditor

      If reporting on KAMs, the audit report should describe the following for each KAM:

      • Why the KAM was considered to be significant
      • How the matter was addressed during the audit
      • A reference to the financial statement areas or the related disclosures addressed by the KAM

    • SAS 134 also:

      • Expanded the descriptions of management’s responsibility regarding going concern evaluations
      • Expanded descriptions regarding the auditor’s professional judgment, professional skepticism, going concern, and communication with the governing board.

    • The arrangement of the auditor’s report has changed, as follows:

      • The opinion paragraph is now the first paragraph. The thought here is that most readers of the audit report immediately focus their attention on the opinion paragraph, which, in the current report, is positioned at the end. So it makes sense to move it to the first paragraph, thereby stating up-front the auditor’s opinion on the financial statements.
      • The basis for opinion follows the opinion paragraph
      • The KAM paragraph, if requested by company management, comes next, followed by a description of each KAM
      • The following paragraph describes the responsibilities of management, followed by
      • A paragraph on the auditor’s responsibilities

        NOTE: Both the management and auditor’s sections must now include each party’s responsibilities for assessing the company’s going concern.

      • The final three sections are the firm’s signature, city and state, and date.

    • SAS 134 also modified AU-C Section 706, Emphasis-of-Matter Paragraphs and Other-Matter Paragraphs in the Independent Auditor’s Report. It clarified the relationship between Emphasis of Matters and KAMs if both are included in the auditor’s report.

  2. SAS 136 made significant revisions to the ERISA auditor’s report. Next month we will discuss those revisions and their impact.