
The path to quality management: Risk assessment

July 13, 2023

By Ross H. Roye, CPA

The Quality Management Standards

The Quality Management Standards affect every firm with an audit or accounting practice, not just firms that have a peer review. Every firm performing engagements in accordance with the SASs, SSARSs and SSAEs must adopt the standards. The old Quality Control Standards will remain in effect for your firm until your firm has adopted the Quality Management Standards. Early adoption is permitted, but you have to adopt the entire suite of standards.

You need to read the standard. Download the standard and print it for reference as you read this article. This article will be more technical due to the space restraints in this edition of the FOCUS.

Your firm’s system of quality management is meant to operate continually and in an iterative manner. The system must be responsive to changes in the nature and circumstances of your firm as a whole and at the engagement level. Those who have ultimate responsibility for the firm’s system are required to have an understanding of the SQMS so that they understand its objectives and can apply its requirements properly. Your system needs to address the eight components listed below and may need to address more:

  • The firm's risk assessment process
  • Governance and leadership
  • Relevant ethical requirements
  • Acceptance and continuance of client relationships and specific engagements
  • Engagement performance
  • Resources
  • Information and communication
  • The monitoring and remediation process

SQMS 1, par. 8, requires a risk-based approach in designing, implementing and operating your system in an interconnected and coordinated manner to productively manage the quality of engagements performed.

As you go through the risk assessment process, you may find relationships between components. One example given in the standard is certain aspects of relevant ethical requirements are relevant to accepting and continuing client relationships and specific engagements.

Definitions can be found in par. 17. Please review the definitions for reasonable assurance, quality objectives and quality risk before you continue.

SQMS 1, par. 18: “The firm should comply with each requirement of this SQMS unless the requirement is not relevant to the firm because of the nature and circumstances of the firm or its engagements.”

SQMS 1, par. A29, gives examples of when requirements may not be relevant to your firm. Less complex organizations need to read these examples carefully. This is not a complete list.

SQMS 1, par. 24: “The firm should design and implement a risk assessment process to establish quality objectives, identify and assess quality risks, and design and implement responses to address the quality risks.”

Keep in mind that not all objectives in the standard may apply to your firm, and your firm may find that quality objectives in addition to those in the standard apply. Over time the quality objectives that are relevant to your firm will change as the circumstances of your firm and your engagements change. State law or other regulations may require you to establish additional quality objectives to address requirements laid out in those laws or regulations.

Using sub-objectives may help in your identification and assessment of quality risks. Using a lower level of objective may also help in your design and implementation of responses to quality risks.

While you are identifying and assessing quality risks, you may find that additional quality objectives apply to your firm. When designing and implementing responses to risks you may find a quality risk that was not previously identified and assessed, and you need to loop back around in your process. This is the iterative nature of the process.

SQMS 1, par. A42, will help you think about the information needed to complete this process. This is a good list, but it is not all inclusive.

You are required to assess quality risks as a basis for designing and implementing responses to mitigate those risks. You are required to obtain an understanding of the conditions, events, circumstances, actions or inactions that may adversely affect the achievement of the quality objectives. A partial list of these can be found in par. 26.

A risk arises from how, and the degree to which, those things listed in par. 26 will adversely affect the achievement of any of your quality objectives. Not all risks meet the definition of a quality risk. Professional judgment is key in determining quality risk. If there is a reasonable possibility of the risk occurring, and it will, individually or in combination with other risks, adversely affect the achievement of a quality objective, you must mitigate this risk. The assessment of quality risks does not have to use scores or ratings, although you are not precluded from using them.

This reminds me of the likelihood and magnitude diagrams we all know so well. The circumstance of our firm or engagement may have a high likelihood of occurrence but a low magnitude of harm. This circumstance may not rise to the level of a quality risk. However, a different circumstance may have a moderate likelihood of occurrence and a high magnitude of harm, which would likely be a quality risk.

SQMS 1, par. A48, gives examples of conditions, events, circumstances, actions or inactions that may adversely affect the achievement of the quality objectives. Again, this is a good list, but it will not include everything that might apply to your firm.

I have discussed establishing quality objectives and identifying and assessing quality risk; now on to designing and implementing responses.

SQMS 1, par. 27: “The firm should design and implement responses to address the quality risks in a manner that is based on, and responsive to, the reasons for the assessments given to the quality risks. The firm’s responses should include the responses specified in par. 35. However, the responses specified in par. 35 alone are not sufficient to achieve the objectives of the system of quality management.”

The final paragraph of the risk assessment section reiterates that you need appropriately designed policies and procedures to identify when changes in your firm, or in your engagements, occur. Ideally these policies and procedures would help you catch the changes before they occur and not after. This would be like your firm’s own Doppler radar, which you can use to see the storm coming and avoid being swept away by it.

This last section also makes clear that as your policies and procedures capture information, you may need to establish new quality objectives, identify and assess quality risks, and design and implement new responses. Or you may need to remove quality objectives, quality risks and procedures that are no longer applicable. The point is, someone has to keep watch over the system.

There is more to come on risk assessment. You can stay up to date on the QM standards by visiting the following link: https://www.aicpa.org/topic/audit-assurance/qualitymanagement.

ROSS H. ROYE, CPA, is a shareholder of Gray, Blodgett & Company, PLLC, and has been with the firm since 2006. He currently serves as the chair of the OSCPA Peer Review Committee. Roye has previously served on the OSCPA board of directors as an at-large director, as well as on the Society’s New CPA, Financial Literacy and Accounting Careers Committees. He was honored as an OSCPA Trailblazer in 2012. Roye is a Past President of the OSCPA’s Norman Chapter and was selected as the Chapter’s Distinguished CPA in 2014.