QM standards: Overview of the monitoring and remediation process

Editor’s note: This article is the third in a series to help practitioners learn about the AICPA’s new quality management standards and prepare to implement them.

The new final standards on quality management that go into effect in 2025 require firms that perform audit and accounting engagements to implement a monitoring and remediation process.

Statement on Quality Management Standards (SQMS) No. 1, A Firm’s System of Quality Management, indicates that the monitoring and remediation process should be designed to provide relevant, reliable, and timely information about the design, implementation, and operation of a system of quality management. The information produced during this process would provide a basis for the firm to take actions to respond to any deficiencies identified and remediate them on a timely basis. Monitoring activities are designed and performed to provide a basis for identifying deficiencies.

This article delves into the details of the new requirements for monitoring and remediation found in two of the new standards.

• SQMS No. 1 requires firms to design and implement a system of quality management tailored to their practices and engagements by Dec.15, 2025, and to have firm leadership evaluate whether the firm is meeting its quality objectives. The first evaluation is due by Dec. 15, 2026. SQMS No. 1 takes a risk-based approach and provides eight integrated components for systems of quality management.
• SQMS No. 2, Engagement Quality Reviews, addresses the appointment and eligibility of an engagement quality (EQ) reviewer, as well as the performance and documentation of the EQ reviews when the firm decides that an EQ review is an appropriate response to a quality risk under SQMS No. 1.

What is monitoring?

Monitoring is not a new part of quality management. What’s different from the current requirements under QC Section 10, A Firm’s System of Quality Control, are the requirements to evaluate findings to determine whether deficiencies exist, then evaluate the severity and pervasiveness of identified deficiencies, and use the results of a root cause analysis to design and implement responsive remedial actions.

“The requirement to monitor and remediate is one of the two overarching components of a [system of quality management],” said Toby Akrab, CPA, partner, quality and risk management, at Mazars USA LLP.  

Monitoring activities include both engagement and firm-wide procedures. “Common examples that firms use today include pre- and post-issuance reviews of engagements, engagement quality reviews, engagement inspections, and routine tracking of incidents that occur during the year and how they were addressed,” Akrab said.

Designing a monitoring and remediation process

To comply with SQMS No. 1’s system design and implementation deadline of Dec. 15, 2025, firms should start to design their monitoring activities now.

“Since firms are currently doing monitoring under the existing quality control standards, including assigning responsibility to qualified reviewers for periodic reviews of engagement documentation, this aspect of SQMS No. 1 could be one of the easier parts to implement,” Akrab said. “But some firms’ QC testing may not be as robust as is now required, and smaller firms without many monitoring procedures in place may be more likely to start fresh using the new standard.” The earlier that firms start, the better, to make sure they have enough time to consider new quality risks and develop a process for root cause analysis and remediation, she said.

“Firms should first determine who will be the individual assigned operational responsibility for the monitoring and remediation process,” Akrab said. “The identification process for the appointment of this position must be documented.”

SQMS No. 1 added a requirement that firms should establish policies or procedures that address the qualifications of the individuals performing monitoring activities, including experience, influence, authority, time to fulfill responsibilities, and objectivity. “Unlike QC 10, and unlike the other [system of quality management] components, SQMS No. 1 specifies who should do monitoring and remediation and how they should be assigned,” Akrab said. “This highlights the importance of having the right person with enough time. Firms should not underestimate this process.”

To design monitoring and remediation policies and procedures, she said, the firm’s quality leader and the person assigned operational responsibility for monitoring and remediation may consider a brainstorming session. The brainstorming session would likely include the determination of the types of monitoring procedures to be performed such as testing and/or inspections and the determination of the planned timing and coverage of the testing procedures.

“The objective is to determine if the current processes and procedures, including their nature and extent, are sufficient to fulfill the requirements of the new standard related to quality objectives and risks and what changes will need to be made,” she said. “The factors in paragraph 38 of SQMS No. 1 should be considered in designing monitoring activities, including the types of activities, how frequently they will be performed, and by whom.”

Firms that are part of a network or use network services in their engagements or system of quality management are required to comply with additional requirements in the standard.

A free practice aid published Sept. 26 by the AICPA Quality Management Task Force includes a comprehensive example of potential quality risks and responses, which came from actual firm examples. This aid could be very useful to firms in designing quality management policies and procedures, including monitoring.

In considering the nature and extent of processes and procedures for planned monitoring activities, Akrab shared these specific examples related to engagement inspections:

• Using templates to help structure inspections;
• Establishing selection protocols for selecting engagements to inspect (frequency of partner selection, engagement types — by office, industry, type, new, high risk); and
• Establishing selection criteria for determining qualifications/competence during internal inspections (attendance at training, industry experience, level within the firm, availability, independence).

“During the brainstorming, in addition to monitoring activities, firms should consider if their current processes in place for evaluating findings to determine deficiencies, designing action items in response, and monitoring the remedial actions are sufficient,” Akrab said.

She recommended firms consider peer firms’ quality risks and processes, share information, and incorporate them into the brainstorming process.

Documenting the monitoring and remediation process

Firms need to determine how and where they will document their monitoring policies and procedures, which will vary depending on the size and complexity of the firm. “The design of the monitoring and remediation process should be documented and then reviewed and approved by the appropriate person within the firm,” Akrab said. She added that it may be reviewed by the brainstorming team and then by the head of quality or an audit leader, depending on the firm’s structure.

Monitoring activities are required to be documented every year. “Documentation in the first year is the hardest and will take the most time, especially if people are working on this part-time in addition to other responsibilities,” she said.

According to SQMS No. 1, a firm’s monitoring activities may include both ongoing activities that are routine parts of firm processes performed on a real-time basis and periodic activities conducted at certain intervals. The design of these activities will differ based on the size and complexity of the firm. For example, in smaller firms, monitoring activities may be simpler because firm leadership may be more knowledgeable about the system of quality management.

Performing ongoing monitoring activities

Once monitoring procedures are designed and documented to comply with SQMS No.1, firms should start monitoring activities early in 2026 to test the system of quality management and evaluate findings to identify deficiencies.

Akrab shared an example of a monitoring timeline that may help a firm meet the SQMS No. 1 requirement that firm leadership completes its first evaluation and conclusion of whether the firm is meeting its quality objectives by Dec. 15, 2026:

• Begin monitoring activities in January 2026.
• Perform EQ reviews and engagement inspections of completed engagements (including all aspects of the system of quality management, such as engagement acceptance and continuance) in the first and second quarters of 2026.
• Perform system of quality management inspections and target testing in the second and third quarters of 2026.
• Evaluate findings to identify deficiencies and design and implement document remediation action plans by the beginning of the fourth quarter of 2026.

She suggested firms create a timeline that does not compress the monitoring activities into a short period of time. “This provides information about the system of quality management in a more timely manner and allows appropriate identification of and response to findings and potential deficiencies,” she said. “The benefits of finishing testing early and ongoing monitoring are that there may be an opportunity to respond to a finding and retest controls in advance of the evaluation date so that the controls are operating effectively as of that date.”

She recommended that each firm determine the best timeline for itself based on its own operations and circumstances. “There should also be routine monitoring activities and communications throughout the year,” she said.

Evaluating the system of quality management

In testing their system of quality management, firms may use a sampling approach, which may be a random or risk-based approach.

“This is not new for firms, and they can follow their existing quality control processes for assigning reviewers and selecting which engagements to review,” Akrab said. The testing can take the form of inquiries of personnel, observation/performing walkthroughs, inspecting relevant documentation, and reperforming procedures. Firms can select completed engagements or engagements in process.

Once testing procedures are complete, firms are required to identify and describe findings, evaluate them to determine if any deficiencies exist, and then identify and evaluate the severity and pervasiveness of identified deficiencies, including through the performance of a root cause analysis.

Akrab shared this example: Firm policy requires the consideration of specific factors, including the integrity of management, independence, and nature of the engagement, when determining whether to accept a client relationship. When testing compliance with this policy, out of 30 acceptances, only 15 evidenced that this procedure had been followed. The firm finds that half of the client acceptances tested did not follow firm policy. The firm further evaluated this finding and determined there was a flaw in the client-acceptance template used by the engagement teams. Additionally, there are no compensating controls or mitigating factors, and the nature of this finding indicates a trend and systematic issues.  Based on these factors, the firm has determined that this is a deficiency, as the quality risk is not reduced to an acceptably low level. The firm should document this deficiency and further investigate why it happened and how to remediate it.

Communicating and documenting the monitoring and remediation process

The quality management standards require that the following monitoring and remediation process documentation be maintained:

• Evidence of the monitoring activities performed;
• Evaluation of the findings and identified deficiencies, and their related root causes;
• Remedial actions to address identified deficiencies, and the evaluation of the design and implementation of the remedial actions; and
• Communications about monitoring and remediation

The firm’s documentation should address these requirements. It may include a description of the procedures performed, documents examined, and evidence obtained in response.

“Similar to audit documentation and the reperformance standard, for the item included in the sample, you document the discovery process, so you may keep a copy of the report or other client documents you looked at, document the procedures you performed, and what you found,” Akrab said. “Then you also document the evaluation process, including why a deficiency happened, how severe or pervasive it is, whether it is an isolated instance not requiring any further actions, whether the right policies and procedures are in place, or what the remediation plan will be (such as a new policy or additional training).”  

She said that firms should identify a remediation plan that is responsive to the root cause so that they do not have repeat deficiencies year after year.

SQMS No. 1 requires the individual(s) with operational responsibility for the monitoring and remediation process to communicate the results of monitoring procedures to those with operational accountability for the system of quality management, which will depend on the structure of the firm. The communication includes the description of the monitoring activities performed, deficiencies noted (including severity and pervasiveness), and remedial action planned. The firm should communicate these matters to engagement teams and others within the system of quality management so they can take appropriate action and be held accountable. This communication may be ongoing or on a periodic basis.

There are different ways to accomplish the documentation requirements, including preparing manual notes, Excel or Word documents, checklists, or a monitoring report.

Other quality management standards series articles

• July: “How to Identify Risks and Design Responses” (JofA website)
• August: “How to Perform a Root Cause Analysis” (JofA website)

Upcoming

• October: “The QM Implementation Quiz” (JofA website)
• November: “QM Is Approaching Faster Than You Think — Get Ready” (JofA flipbook)

About the author

Maria L. Murphy, CPA, is a senior content management consultant, accounting and auditing products, for Wolters Kluwer Tax & Accounting North America, and a freelance writer based in North Carolina. To comment on this article or to suggest an idea for another article, contact Jeff Drew at Jeff.Drew@aicpa-cima.com.

Resources

A number of quality management resources are available on the AICPA & CIMA website at www.aicpa.org/auditqm, including a crosswalk that compares the existing quality control standards with the new quality management standards. A webcast series, “New Quality Management Standards Webinar Series,” will be rebroadcast in October and December. A self-study course, “Understanding and Implementing the New Quality Management Standards,” is available as well.

In addition, a free interactive practice aid with example risks and responses that align with the quality management objectives in the standards has been published. It also includes tips, tricks, and warnings to help firms apply the new standards, similar to the AICPA’s current quality control practice aid. Versions for sole practitioners and small- and medium-sized firms are offered. The practice aid is accompanied by an Example Risk Assessment template tool that provides a starting point for each component and library of quality risks and responses.