Quality Management
Quality management is the backbone of a reliable audit profession. A firm's system of quality management ensures that engagements are performed consistently and in accordance with professional standards, that reports issued are appropriate, and that the firm and its personnel fulfill their professional and ethical obligations. Without robust quality management, even technically competent auditors may produce inconsistent or deficient work.
This section covers the system of quality management (SQM) at the firm level, the engagement quality review (EQR) process, concurring partner review, and the firm's responsibilities for inspection and monitoring of engagement quality.
Quality management standards are established by the AICPA (Statement on Quality Management Standards, or SQMS) for nonissuers and by the PCAOB (QC Section 1000 and AS 1220) for issuers. Both frameworks share a common goal: ensuring audit quality at every level of the firm.
The Firm's System of Quality Management (SQMS)
Under SQMS No. 1, every CPA firm that performs engagements under the SAS, SSARS, or SSAE standards must design, implement, and operate a system of quality management (SQM). This is a firm-wide system—not something that applies to individual engagements in isolation.
Objective of the System
The firm's SQM is designed to provide the firm with reasonable assurance that:
- The firm and its personnel fulfill their responsibilities in accordance with professional standards and applicable legal and regulatory requirements
- Engagement reports issued by the firm are appropriate in the circumstances
The system provides reasonable assurance, not absolute assurance. No system of quality management can guarantee that every engagement will be performed flawlessly—but it must be designed to reduce the risk of quality failures to an acceptably low level.
Components of the System of Quality Management
The firm's SQM includes the following components:
| Component | Description |
|---|---|
| Governance and leadership | The firm's leadership is responsible for quality and must establish a culture that recognizes quality as essential |
| Relevant ethical requirements | Policies ensuring compliance with independence, integrity, objectivity, and other ethical requirements |
| Acceptance and continuance | Policies for deciding whether to accept or continue client relationships and specific engagements |
| Engagement performance | Policies covering how engagements are planned, performed, supervised, and reviewed |
| Resources | Ensuring the firm has sufficient and appropriate human, technological, and intellectual resources |
| Information and communication | Systems for communicating quality-related information within the firm and to external parties |
| Monitoring and remediation | Ongoing monitoring of the SQM and timely remediation of identified deficiencies |
| Specified responses | Required responses that must be included in every firm's SQM, including engagement quality reviews |
Risk-Based Approach
SQMS No. 1 takes a risk-based approach to quality management. The firm must:
- Identify quality risks — What could go wrong in the firm's operations or engagements?
- Assess quality risks — How likely and significant are those risks?
- Design and implement responses — What policies and procedures will address those risks?
- Monitor effectiveness — Are the responses working as intended?
Example: Gies Co.'s audit firm identifies a quality risk that staff assigned to complex fair value audits may lack sufficient expertise. In response, the firm implements a policy requiring that at least one team member with specialized valuation training be assigned to any engagement involving significant Level 3 fair value measurements.
Engagement Quality Review (EQR)
An engagement quality review is an objective evaluation of the significant judgments made by the engagement team and the conclusions reached in formulating the report. It is performed by an engagement quality reviewer (EQR reviewer) who is not a member of the engagement team.
Purpose of the EQR
The EQR serves as an independent check on engagement quality. It helps ensure that:
- Significant judgments were appropriate and well-supported
- The engagement was performed in accordance with professional standards
- The report to be issued is appropriate given the evidence obtained
Under SQMS No. 2 (Engagement Quality Reviews), the firm must establish policies determining which engagements require an EQR. For PCAOB engagements, all audits of issuers require an EQR. For nonissuers, the firm uses its judgment based on factors such as risk, public interest, and complexity.
Criteria for Requiring an EQR
The firm considers the following factors when determining whether an EQR is necessary:
- The nature and complexity of the engagement
- The risk associated with the engagement (e.g., entities in regulated industries or with going concern issues)
- Whether the entity is of public interest (e.g., large nonpublic entities with many stakeholders)
- Whether there are unusual circumstances or emerging risks
- Whether the engagement involves a new client or a first-year audit
Example: BIF Partners takes on a new audit engagement for MSA Records, a rapidly growing entertainment company that recently completed an IPO. Because this is a first-year audit of a newly public company, the firm determines that an EQR is mandatory.
Eligibility of the EQR Reviewer
The EQR reviewer must possess:
- Sufficient competence and experience to perform the review
- Objectivity — The reviewer must not have been involved in performing the engagement and must not have relationships that impair objectivity
- Authority — The reviewer's conclusions cannot be overridden by the engagement partner
The EQR reviewer performs an evaluation, not a re-audit. The reviewer assesses whether significant judgments were reasonable and the conclusions are supported—but is not required to re-perform all audit procedures.
Timing of the EQR
The EQR must be completed before the report is issued. The engagement report cannot be released, dated, or otherwise finalized until the EQR reviewer has confirmed that no unresolved significant matters remain.
Concurring Partner Review
A concurring partner review (sometimes used interchangeably with EQR in certain contexts) involves a second partner reviewing the engagement before the report is issued. This concept is particularly emphasized in PCAOB standards.
Concurring Partner vs. EQR Reviewer
| Feature | Concurring Partner (PCAOB) | EQR Reviewer (AICPA/SQMS) |
|---|---|---|
| Required for | All issuer audits | Based on firm policies and risk assessment |
| Independence from engagement | Must not be a member of the engagement team | Must not be a member of the engagement team |
| Scope | Reviews significant judgments and conclusions | Reviews significant judgments and the appropriateness of the report |
| Authority | Cannot be overruled by the engagement partner | Cannot be overruled by the engagement partner |
| Timing | Must be completed before report issuance | Must be completed before report issuance |
Example: Kingfisher Industries is a publicly traded manufacturer. Under PCAOB standards, the audit firm assigns a concurring partner who was not involved in the engagement to review the engagement team's conclusions on significant estimates, including inventory obsolescence reserves and warranty liabilities, before the audit report is released.
Inspection and Monitoring Activities
A firm's system of quality management is only as effective as its monitoring. The firm must establish policies and procedures to monitor whether its SQM is operating effectively and to identify deficiencies that need remediation.
Monitoring Activities
Monitoring activities include:
- Ongoing monitoring — Day-to-day activities built into the firm's operations, such as reviewing engagement documentation as part of normal supervision
- Periodic inspections — Systematic reviews of completed engagements and the firm's quality management policies, often referred to as inspection programs or peer reviews
Inspection of Completed Engagements
The firm's inspection program involves selecting completed engagements for detailed review. Inspectors evaluate whether:
- The engagement was performed in accordance with professional standards
- Appropriate audit evidence was obtained and documented
- The report issued was appropriate
- Quality management policies were followed throughout the engagement
For firms that audit issuers, the PCAOB conducts external inspections. The PCAOB inspects registered firms annually (for firms that audit more than 100 issuers) or at least triennially (for firms that audit 100 or fewer issuers). These inspections are separate from the firm's own internal inspection program.
Remediation of Deficiencies
When monitoring or inspection activities identify deficiencies, the firm must:
- Evaluate the severity of the deficiency — Is it a one-time lapse or a systemic problem?
- Determine the root cause — Why did the deficiency occur?
- Design remedial actions — What changes to policies, procedures, training, or resources will address the deficiency?
- Implement and follow up — Ensure the remedial actions are put into place and are effective
Example: During its annual inspection, Illini Security's audit firm discovers that three engagement files lacked documentation of the assessed risk of material misstatement at the assertion level. The firm investigates and determines that the root cause was insufficient training on new documentation standards. The remedial action includes mandatory training sessions and updated engagement checklists.
External Monitoring: Peer Review
For firms that perform engagements under AICPA standards, peer review is an essential external monitoring mechanism. Firms enrolled in the AICPA Peer Review Program are subject to periodic review by another CPA firm to evaluate the quality of their accounting and auditing practice.
| Peer Review Type | Applies To | Scope |
|---|---|---|
| System review | Firms performing audits, reviews, or attestation engagements | Review of the firm's system of quality management and selected engagements |
| Engagement review | Firms performing only compilations or preparation engagements | Review of selected engagements for compliance with professional standards |
Summary
| Topic | Key Takeaway |
|---|---|
| SQMS | Firm-wide system providing reasonable assurance that engagements comply with professional standards and reports are appropriate |
| Risk-based approach | Firms identify, assess, and respond to quality risks, then monitor effectiveness |
| EQR | Objective evaluation of significant judgments by a reviewer not on the engagement team; must be completed before report issuance |
| Concurring partner | Required for all issuer audits under PCAOB standards; similar role to the EQR reviewer |
| Monitoring | Combination of ongoing monitoring, internal inspection, and external peer review to ensure the SQM operates effectively |
| Remediation | Deficiencies must be evaluated, root causes identified, and corrective actions implemented |