AICPA Quality Management Standards: A New Risk-Based Approach

The American Institute of Certified Public Accountants (AICPA) has introduced new standards governing accounting and auditing practices, shifting away from the long-standing Statements on Quality Control Standards (SQCS). The previous framework, which was more reactive, is being replaced by a proactive and integrated approach to quality that is more responsive to the modern business environment. Firms must now adopt a risk-based “quality management” system that is scalable, allowing them to tailor their approach to their specific circumstances. The implementation deadline for this new system is December 15, 2025, compelling every firm with an accounting and auditing practice to reevaluate its approach. The new standards are intended to modernize the profession by addressing changes in technology and the increasing use of external service providers.

The New Suite of Quality Management Standards

The new framework for quality management is built upon a suite of three interconnected standards issued by the AICPA’s Auditing Standards Board. These standards work together to create a structure that addresses quality at both the firm-wide and individual engagement levels.

Statement on Quality Management Standards (SQMS) No. 1, A Firm’s System of Quality Management, is the foundation, requiring every firm to design, implement, and operate a system of quality management. It moves away from a one-size-fits-all model to a more tailored approach where the system is customized to the firm’s specific practice and engagements.

Statement on Quality Management Standards (SQMS) No. 2, Engagement Quality Reviews, provides specific rules for the engagement quality review process. It outlines the requirements for when such a review is necessary and establishes criteria for the eligibility of the individuals who can perform them. SQMS No. 2 also details how these reviews must be performed and documented, ensuring a consistent evaluation process for high-risk engagements.

Statement on Auditing Standards (SAS) No. 146, Quality Management for an Engagement Conducted in Accordance with Generally Accepted Auditing Standards, brings the focus to the individual engagement level. This standard clarifies the partner’s role in managing and achieving quality throughout the audit process. It emphasizes professional skepticism, enhances documentation requirements for key judgments, and reinforces the need for robust communication within the engagement team.

Core Components of a System of Quality Management

SQMS No. 1 mandates that every firm’s system of quality management be built upon eight integrated components. These components work together to create a cohesive system that provides reasonable assurance that quality objectives are met.

• The firm’s risk assessment process, a new element that drives the quality management approach. This process requires the firm to establish quality objectives and then identify and assess the risks that could prevent those objectives from being achieved.
• Governance and leadership, which establishes the tone at the top. This involves assigning ultimate responsibility and accountability for the quality management system to specific individuals to ensure the commitment to quality permeates the firm’s culture.
• Relevant ethical requirements, which ensures that the firm and its personnel comply with all applicable ethical standards, including rules on independence. This involves establishing policies that promote adherence and address any threats to compliance.
• Acceptance and continuance of client relationships and specific engagements. The firm must establish policies to determine whether it has the necessary competence, capabilities, and resources to take on a new client or continue with an existing one.
• Engagement performance, which focuses on the execution of audit, review, or other attestation services. This involves creating policies and procedures that direct and supervise the work performed, ensuring it complies with professional standards.
• Resources, which encompasses the human, technological, and intellectual capital necessary to perform quality work. Firms must have processes to ensure they have sufficient personnel, effective technology, and accessible methodologies and guidance.
• Information and communication, which ensures that necessary information is exchanged within the firm and with external parties. A robust communication system facilitates the proper functioning of the other components and ensures teams have the information they need.
• The monitoring and remediation process, the mechanism through which the firm evaluates its own system. It involves ongoing monitoring to identify potential deficiencies and a process for implementing corrective actions to address them.

Designing and Implementing Your Quality Management System

The initial step in transitioning to the new standards is to establish quality objectives. SQMS No. 1 provides foundational objectives, but firms are required to consider whether additional objectives are necessary to address their specific circumstances. For example, a firm specializing in a highly complex industry may need more detailed objectives related to personnel training. These objectives become the benchmark against which risks are identified.

Once the objectives are set, the firm must undertake a process to identify and assess quality risks. A quality risk is anything that could reasonably hinder the achievement of a quality objective. This requires a thorough analysis of the firm’s engagements, personnel, and processes to determine its significance.

With a clear understanding of the quality risks, the firm can then design and implement responses. These responses are the specific policies and procedures that mitigate the identified risks, using the eight components as building blocks. For instance, if a risk is identified related to inexperienced staff performing complex audit procedures, the response might involve designing enhanced training programs. This would be a “resources” component response, which could be combined with requiring more direct supervision by senior personnel, an “engagement performance” response.

The Monitoring and Remediation Process

The monitoring and remediation process is the component that ensures the system remains relevant and effective over time. Firms must design and perform monitoring activities to gather information about how the system is operating. These activities can include inspecting completed engagement files and interviewing personnel. The nature and extent of these monitoring activities should be influenced by the firm’s risk assessment, with more focus on higher-risk areas.

The findings from these activities must be evaluated to identify any deficiencies. A deficiency is a weakness in the system that occurs when a quality risk is not properly addressed or a policy is not implemented effectively. This evaluation requires performing a root cause analysis to understand not just what went wrong, but why.

Upon identifying deficiencies, the firm is required to design and implement appropriate remedial actions. These actions should correct the underlying issue within the system of quality management. For example, if monitoring reveals that engagement teams consistently fail to document an assessment of a specific fraud risk, remediation might involve both retraining and revising the firm’s audit software.

The process culminates in an annual evaluation of the entire system of quality management. The individual assigned ultimate responsibility for the system must review the monitoring results and remediation efforts to conclude whether the system is achieving its objectives. This annual conclusion must be documented and drives the continuous improvement of the firm’s commitment to quality.