The evolving, risk-based approach to audit firm quality management is consistent with a trend that has become well established in the accounting profession.
Over the past 15 years or so, leaders of the profession have increasingly understood and embraced the effectiveness of using a risk-based approach in their work.
Auditing standards require engagements to be conducted according to risks that are identified in the early stages of an audit and refined throughout the engagement. Increasingly sophisticated enterprise risk management systems help companies of all sizes integrate consideration of risks and mitigation into their strategy. And anti-fraud controls of all types are developed based on specific risks that bad actors are posing.
“Almost every organization that’s put out something new has really taken a risk-based, top-down approach,” said Jon Heath, CPA. “We thought it was time to do the same for our quality management standards.”
Heath chairs one of two joint task forces working to develop proposed quality management standards presented in an exposure draft by the AICPA Auditing Standards Board (ASB) in February. The proposal would move audit firms away from rules-based, checklist-geared quality control standards that firms have used for many years.
The new quality management standards would require firms to take inventory of their own risks and create a system tailored to their specific needs. Some leaders at smaller firms have told the ASB that the existing quality control standards are too prescriptive and sometimes require processes and controls that aren’t relevant to them.
“The new [proposed] standards are really focused on the question of, what does your firm need to do?” said Sara Lord, CPA, who chairs the other ASB task force that is developing the standards. “What’s relevant to you? What are the quality risks that you’re trying to solve for? And designing a system of quality management that responds to those questions.”
The ASB is seeking comments on the proposal, which can be emailed to firstname.lastname@example.org by Aug. 31.
The risk-based standards have the potential to eliminate irrelevant work, but they will require a time commitment that may be substantial, especially during the implementation phase. For example, practitioners will need to consider quality control systems already in place and what additional steps are needed to meet the new requirements.
Moving away from a checklist approach would require firm leaders to invest time and resources in an assessment of their own operations and risks. This is ideal over the long term because it will enable them to develop a system that’s tailored to their own unique facts and circumstances.
“Many firms have great systems of quality control. They work,” Heath said. “But they’re probably not documented in a way that’s going to meet these new criteria — for example, to include information regarding a firm’s quality objectives and quality risks. And I think it’s that deferred maintenance and that fresh look that are going to be challenging for some of them.”
The importance of quality
The proposed new standards are just a small part of a years-long, focused effort to continue to make sure the services that CPAs provide are of the highest quality. In this case, the goal is to make sure the entire practice is designed and aligned in a way that quality work will be delivered.
The proposed standards help firm leaders understand how to assess quality risks and provide appropriate responses to areas including maintaining proper tone at the top, hiring and training people, and understanding clients and accepting only the right engagements.
“It’s all the things we need to do to ensure that our auditors are equipped to go out and provide that high quality that the users of the financial statements expect,” Lord said. “The quality management standard is more encompassing. It will affect not just the audit practices, but to the extent audit firms are using specialists from tax, valuation, or IT consulting, it’s making sure that they’re living up to the same standards of quality on engagements that the core auditors are using.”
The assessment of risk also would be ongoing. For example, a firm that has never done an employee benefit plan (EBP) audit could be taking on new and perhaps substantial risk if asked to perform such an audit for a longtime client whose employee base has increased and who thus now needs such an audit.
On the other hand, taking on an additional EBP audit might pose significantly less risk to a firm that performs hundreds of such audits each year, is a member of the AICPA Employee Benefit Plan Audit Quality Center, and has the appropriate staff regularly complete EBP-specific CPE.
But if the firm with substantial EBP audit experience suddenly has three of its most prolific EBP practitioners leave for other jobs, a new consideration of EBP-related risks and mitigation might be required.
A time for cooling off
To reduce familiarity risks among reviewers, the ASB is proposing that the engagement partner should be required to wait for two years after leaving an audit team before serving as an engagement quality reviewer on that audit.
The ASB is particularly eager to see comment letters on whether this “cooling-off period” is appropriate.
“If it isn’t, then what would be an appropriate way for us to address the familiarity threat to quality from you having done the audit for years and now you’re the sort-of-independent eyes and ears in a period of less than two years?” said Tracy Harding, CPA, the ASB chair. “We’re very interested in what people think about that.”
The proposed standard includes requirements for an annual evaluation of the quality management system and for inspection of completed engagements on a cyclical basis. The proposed standard prohibits and individual from performing such inspections of engagements on which they served as an engagement team member or engagement quality reviewer. The ASB hopes commenters will address this prohibition on self-inspection.
The requirement could be particularly challenging for sole practitioners because the proposal would prohibit self-inspection as part of a firm’s monitoring and remediation. Instead, they would need an outside reviewer to inspect their quality management processes.
ASB members are sensitive to concerns that sole practitioners and leaders of smaller firms may have about the proposed standards. In particular, they know the requirement to take inventory of the quality management system and document processes may be time-consuming.
Harding hopes the firm-specific nature of the proposed standards addresses some of those concerns.
“A smaller firm might have a less formalized quality management system,” he said, “and the process of identifying its risks may not be as time-consuming as that of a firm that has hundreds of thousands of clients in multiple jurisdictions. That’s where the scalability comes in.”
The proposed standards also would guide the engagement partner in determining the level of oversight they need to provide throughout an audit, and the amount of work they can delegate to other team members, internal or external experts, or specialists.
The ASB in general attempts to keep its standards similar to those of the International Auditing and Assurance Standards Board (IAASB), and the quality management standard is no exception. The IAASB’s standards take effect Dec. 15, 2022.
Meanwhile, in a concept release issued exploring the topic in 2019, the PCAOB said it is considering using IAASB standards as a starting point for a possible PCAOB quality management standard.
Heath said convergence is ideal.
“Quality management is such a foundational aspect of the firm that to have significantly different requirements would be untenable for people,” he said. “It's just too fundamental for us to have significant differences.”
This foundational project also is accompanied by substantial educational efforts. ASB task force leaders are participating in multiple roundtables to answer questions, and the board provided executive summaries to explain the contents of the standards. A comment letter template also was provided; most of these resources can be accessed on the AICPA website, and upcoming roundtable registration is available here.
The ASB also extended the comment letter date for the ED from June 11 to Aug. 31 to allow more time for responses.
“Now is the time to get engaged and think about this, even though I know it’s hard when you’re so busy to think about standards that may happen in the future as opposed to what you’re trying to do today,” Lord said. “But this is a really important one.”
The comments will be reviewed with the goal of issuing a final standard in May 2022, to be implemented on Dec. 15, 2023. Further implementation guidance will be provided after the standard is issued.
Ultimately, while the ASB members understand that there will be implementation challenges associated with the standard, the board hopes to improve quality without causing too much of a burden for practitioners.
“That’s always a healthy tension in standard setting, to attend to the public interest while being mindful of cost and burden, and of course costs of audits are ultimately borne by the public through the clients and whoever else may foot the bill,” Harding said. “So we’re doing things intended to benefit the public and recognize the need to do things that are reasonable and provide a good balance.”
— Ken Tysiac (Kenneth.Tysiac@aicpa-cima.com) is the JofA’s editorial director.