• News & Resources
• Technical Resources
  • Tax
    • American Rescue Plan Act Conformity Guide (2021)
    • CCH Online Tax Research
    • SALT Resources
    • Tax Podcasts
    • CCH Tax Deadline Calendar
    • Tax Communities
  • Audit
    • Single Audit Resources
  • Beneficial Ownership Information
  • Cannabis
  • QM Standards
• Business Resources
  • Human Resources
    • HR Hotline
    • HR Webinar Archive
    • HR Assessment
    • HR Articles
    • Sample HR Documents
    • Return to Work Resources
  • Disaster and Pandemic Planning
  • Data Privacy and Protection
• Accounting Firm Management
  • Small Firm Special Interest Section
  • Client Letters
  • Engagement Letters
  • Client Record Retention Guidelines
  • MAP Survey
    • Download Results
  • Customized CPE Training
  • Career Center
• Publications
  • Footnote
    • Issue Archive
    • Regular Columns
    • Articles by Topic
    • Write for the MNCPA
  • eNewsletters
    • This Just In
    • Legislative Digest
    • Firm Administrator Bulletin
    • Accounting Educator
    • Student eNews
  • CPA Stories
  • MNCPA Perspectives
    • Topics
    • Authors
    • Archive
  • Tax Podcasts
    • Archive
• Areas of Interest
  • Focus Features
    • Cybersecurity
    • Emerging Technologies
    • Cannabis
    • Automation
• Wellness Resources
  • Step Challenge
    • Step Challenge FAQs
  • Wellness Webinars
• Knowledge Hub
• Webinar Archive
• Rules & CPA Certification
  • CPE Log
  • CPE Rules
  • CPA Certificate Information
    • Applying for Your Certificate
    • First Year Requirements
    • Certificate Renewal
    • 2020 CPE deadline extension
  • Certificate Status
    • Active vs. inactive: What's the Difference?
    • Convert to Active CPA
    • Love Your CPA Letters?
    • Retired CPA Status
    • Videos
  • Firm Requirements
    • Firm Permit Renewal
    • Firm Name Changes
  • MNCPA and BOA Differences
  • Preparing for the CPA Exam
    • Educational Requirements
    • Experience Requirements
    • Applying to Take the Exam
    • Becoming a CPA FAQ
  • FAQ
• Peer Review
  • PRIMA info
  • Review Process
  • Fees
  • Pay Peer Review Invoice
  • Find a Reviewer
  • Become a Peer Reviewer
  • AICPA Resources
  • FAQ
• Press Room
  • MNCPA Overview
    • About the MNCPA
    • Leadership Bios
      • Board Chair
      • President and CEO
    • About Minnesota CPAs
  • MNCPA in the News
  • Connect with a Media Spokesperson
  • MNCPA Logo Usage
• Professional Ethics
  • Ask an Ethics Question
  • Filing an Ethics Complaint
  • Responding to an Ethics Complaint
  • Professional Ethics Resources

Quality Management standards

Staying on track for implementation

Faye Hayhurst, MNCPA director of finance and administration | December 2023/January 2024 Footnote

The quality management (QM) suite of standards were approved in 2022. We’re now a year and a half closer to Dec. 15, 2025, the date by which implementation is required.

So, what should firms be doing now to ensure they make that deadline?

Background

The QM standards apply to every firm that performs engagements under SASs, SSARS or SSAEs. The core of the new standards is Statement on Quality Management Standard (SQMS) No. 1, A Firm’s System of Quality Management, which will replace the current Statement on Quality Control No. 8, A Firm’s System of Quality Control.

Key components

Much of the content of SQMS No. 1 is not new — but the part that is entirely new is big: a risk-assessment process for the firm’s system of quality over A&A engagements.

The risk-assessment process includes:

• Establishing quality objectives, listed in the standard, for components of the system of quality management.
• Identifying and assessing the risks to achieving those objectives, which will vary from firm to firm depending on factors of size, structure, culture, industries served, type of work performed, etc. These risks are called “quality risks.”
• Designing and implementing safeguards to address quality risks.

While not a part of risk assessment, the remediation and monitoring component of a firm’s system of quality management evaluates actual quality achieved, prescribes remediation and will feed right back into risk assessment, where risks and safeguards are modified as needed. If it sounds like a circle, that’s because it is.

What should firms be doing now?

Determine a champion for the process. Someone must make it happen, and it’s important to identify who that will be. It can be one person or a team of people and, although participation from the owner/partner level is a must, A&A staff at all levels could be included.

Read the standard. It’s a good idea for all A&A staff to read SQMS No. 1, but the champion(s) needs to know it on a deeper level. It’s easy reading, not intimidatingly long and should feel very familiar.

Develop a plan. Realistically, not much progress will be made during busy season. But a timeline could be laid out for doing the bulk of the work in the spring through fall of 2024.

Start the risk assessment process (or at least start thinking about it):

1. There are tools available! Whether you use a tool from a third-party practice aid provider or the free tool available from the AICPA, you don’t have to start from a blank sheet.
2. Determine a risk assessment strategy. For a small firm, this may mean picking one component to start with; for a larger firm, each component may be assigned to a team. An Excel workbook with a separate tab for each component seems to be a good format to start with.

When there’s time, either before or after busy season:

1. Document the firm’s nature and circumstances to help understand risk. This should be reviewed at least annually, with reflection about whether and how any changes affect quality risks or needed safeguards. Documented factors should include:
   • Complexity and operating characteristics.
   • Key business processes, business model, etc.
   • Characteristics and management style of leadership.
   • Resources used, including those from service providers.
   • Laws, regulations and standards pertinent to the firm’s operations.
   • Nature and extent of any network in which the firm participates.
   • Types of engagements performed by the firm.
   • Types of entities for which the firm undertakes engagements.
2. Go through the risk assessment process for each component. Establishing quality objectives is the easy partbecause they are in the standard. Identifying quality risks will take more thoughtfulness and brainstorming. The QM tools provide lists of potential risks; the firm can assess the applicability of each one to its situation.
   • One point to remember: a quality risk is one that has a reasonable possibility of:
     • Occurring.
     • Adversely affecting the achievement of one or more quality objectives.
3. Design and implement safeguards for each risk. Here’s where the firm’s current quality control document could play a part. What policies and procedures does the firm already have in place? What tweaking might be necessary?

Other tips along the way to implementation

• The quality objectives are listed in SQMS No.1, paragraphs 29-34. Are they all covered in your risk assessment document?
• Bookmark paragraph 35, which contains all the required risk responses. There aren’t that many, but some may not be covered in your current policies and procedures. For example, item C requires the firm to establish policies or procedures for receiving, investigating and resolving complaints about failure to perform work in accordance with professional standards. The standard doesn’t say the policies and procedures must be complex, but they should be documented. Keep in mind that the required responses are only a starting point, and the firm will have additional risk responses.
• Highlight requirements that are outside the risk assessment process. One instance is in paragraph 21, which requires the firm to assign responsibilities for certain functions: ultimate responsibility for the system of quality management, operational responsibility for the system of quality management and operational responsibility for compliance with independence requirements and the monitoring and remediation process. Evaluation of the system of quality management is another key requirement starting at paragraph 54.

Planning ahead and staying prepared

Implementation doesn’t have to happen in the immediate future, but getting started is the key. Even if the lion’s share of the process will happen later, taking a few steps now will put the firm in a good position to meet the deadline with time to spare.

Faye Hayhurst is the MNCPA director of finance and administration, where she serves as the CPA on staff for peer reviews administered by the MNCPA. You may reach her at 952-885-5540 or fhayhurst@mncpa.org.