The AICPA Auditing Standards Board issued Statement on Quality Management Standards (SQMS) No. 1 in June 2022 for CPA firms having an accounting or auditing practice, with an effective date of December 15, 2025. SQMS No. 1 supersedes Statement on Quality Control Standards No. 8, A Firm’s System of Quality Management. As a reader of this article, why do you care? CPA firms that are providing services such as SOC 1, SOC 2, etc., are required to implement and be compliant with SQMS No. 1.
The Quality Management standard is an integral part of overarching and daily quality standards that a CPA firm operates under. The standard applies to all firm sizes from large, global firms to small, boutique firms.
Per paragraph 15 of SQMS No. 1,
“The objective of the firm is to design, implement, and operate a system of quality management for engagements performed by the firm in its accounting and auditing practice that provides the firm with reasonable assurance that
- the firm and its personnel fulfill their responsibilities in accordance with professional standards and applicable legal and regulatory requirements, and conduct engagements in accordance with such standards and requirements; and
- engagement reports issued by the firm or engagement partners are appropriate in the circumstances.”
If you think that a CPA firm performing SOC 1, SOC 2, or other similar services does not have to adhere to SQMS No. 1, think again. Per the AICPA, an accounting and auditing practice includes engagements which are audit, attestation, review, and compilation services along with other services named by the AICPA Auditing Standards Board (ASB) or the AICPA Accounting and Review Services Committee (ARSC). SOC 1 and SOC 2 services are two such services that fall under the category of attestation engagements.
When developing the Quality Management system, the firm should take into account the nature and circumstances of the firm and engagements performed by the firm.
Why Should You Care About the New Quality Management Standards?
Implementation of a strong quality management system and adherence to SQMS No. 1 enhances the quality of the work that the CPA firm performs for its clients thus resulting in a higher-quality final product, such as a SOC 1 report or SOC 2 report, for their client. This also results in a greater level of confidence in the report being issued by the CPA firm and the services that their clients provide.
Two important components of SQMS No. 1 that I will focus on in this article are:
- The risk assessment process that the CPA firm must perform.
- The types of engagements performed by the CPA firm that may be subject to an engagement quality review.
Why focus on these two areas? Proper development, implementation, and maintenance of both components lead to a firm that can provide its clients with a higher standard of service and a better end product that their clients can rely on.
The Risk Assessment Process
Similar to the risk assessment process that is part of the AICPA Trust Services Common Criteria/Security criteria CC3.1-CC3.4, the Quality Management standard has a focus on developing a risk-based approach in designing, implementing, and operating a system of quality control for the CPA firm. The main focus is on risks that may impact the overall quality operations of the firm and impact the quality of an engagement performed by the firm. This applies to any one of a CPA firm’s service offerings as the same level of quality should be provided by a CPA firm no matter the engagement type.
SQMS No. 1 has the risk assessment process defined as the following:
- “Establish quality objectives”
- “Identify and assess quality risks”
- “Design and implement responses to address the quality risks”
- “Changes in the nature and circumstances of the firm or its engagements”
As you can imagine, the questions considered as part of the process are the same types of questions any organization would ask as part of their risk assessment process. Some of the questions to consider as part of this quality risk assessment:
- Who are the responsible parties for identifying and defining the risks?
- What are the potential risks to consider?
- What are the components of the risk?
- What is the impact of those risks?
- Who is responsible for each risk?
- Is the risk something the firm can accept, or does it require mitigation and/or remediation?
- What type of effort is required to mitigate or remediate the risk?
- Is a process or control already in place that addresses the risk?
Identifying and addressing risks related to a quality control system enhances firm operations and engagements performed by the firm.
Engagements Impacted by SQMS No. 1
We already discussed how attest engagements are subject to SQMS No. 1. The standard goes on to require that policies and procedures be created and implemented to address engagements that are subject to engagement quality reviews. SQMS No. 2, not covered by this article, is entitled Engagement Quality Reviews and addresses the quality review process for the engagements subject to quality reviews.
There are two reasons for which an engagement would be subject to an engagement quality review:
- Required by law or regulation.
- The firm determined that such a review is an appropriate response to assessed quality risks.
In my opinion, the most likely of the two to occur at a CPA firm would be the second point. To briefly expand on this point, the types of engagements where a review would be an appropriate response to assessed quality risks would be ones where, for example:
- There is a high level of complexity or judgment.
- The auditee is in an industry that may be considered to be high-risk.
- Specialized skills and/or knowledge are required by the auditor.
- Significant or high-risk issues are identified during the audit procedures.
- Unusual circumstances exist at the auditee or were identified during the audit procedures.
Performing an engagement quality review serves the purposes of validating that the audit was performed to the correct audit quality standards, identifying areas of improvement in adherence and application of the audit quality standards for that engagement, and/or providing for lessons learned and room for improvement for the auditors assigned to the engagement and for the overall firm. Improvement in the application of and adherence to quality management standards should be an ongoing objective of a CPA firm.
Conclusion
The moral of the story is that adherence to SQMS No. 1 is a requirement for all CPA firms and is the next step from the previous quality management standards, Statement on Quality Control Standards No. 8, A Firm’s System of Quality Management. The CPA firm you are working with to perform attestation services for your firm should already be adhering to Statement on Quality Control Standards No. 8 and working towards adjusting their quality management system to adhere to SQMS No. 1 when it becomes effective on December 15, 2025.
Linford and Company LLP has already begun the process of making any needed updates or enhancements to its existing quality management system so as to be compliant by the effective date. Quality is just one of the key objectives of the team at Linford & Co. For any additional questions surrounding SQMS No. 1, or if you would like to learn more about the different audit services provided by Linford, please contact us.
Lois started with Linford & Co., LLP in 2020. She began her career in 1990 and has spent her career working in public accounting at Ernst & Young and in the industry focusing on SOC 1 and SOC 2 and other audit activities, ethics & compliance, governance, and privacy. At Linford, Lois specializes in SOC 1, SOC 2, HIPAA, ISO, and CMMC audits. Lois’ goal is to collaboratively serve her clients to provide a valuable and accurate product that meets the needs of her clients and their customers all while adhering to professional standards.