Information Technology Audit Advisory Services 


Advisory Services for Public Company Auditors

IT Audit Advisory Services

An effective audit increasingly requires an integrated understanding of the processes, controls, and systems used by the company under audit. These changes arise both from audit clients’ use of technology and from regulatory requirements, such as audit opinions over ICFR and important Controls Over Compliance (ICOC). Increasing expectations from regulators, investors, and customers require firms to staff engagement teams with experience and knowledge of IT and how it affects the audit.


Through our roles in public accounting, regulatory inspections, and company technology departments, we have seen the evolution of technology in the financial reporting process. JGA has a unique, well-rounded perspective on why a confident, integrated audit team is important. JGA helps firms improve the integration of their audits by providing a team-based holistic perspective of integration to serve our IT audit advisory projects. This includes observing changes and evaluating organizational structure, methodology, environment architecture, and implementations related to firms’ and companies’ processes. This also includes the broker-dealer’s use of and reliance upon service organizations and the associated service auditor’s report. JGA IT audit experts can guide audit teams through the identification and testing of complementary user entity controls (CUECs) in order to place proper reliance on systems and system-generated reports.


Through teaming with firm leadership, their engagement team members, and key audit client company stakeholders, we bring our deep experience of integrated audits as well as the testing of ICOC to support overall audit quality.

Our IT Audit Advisory Services include:

  • Audit team integration
  • Engagement team organization of objectives
  • Knowledge and communication
  • Evaluation of audit work in specialized areas
  • IT audit methodology and template evaluations
  • Identification of system reliance, CUECs, and the required testing approach
  • Automation and configuration understanding and impact on the audit
  • Compliance and monitoring program support of firm technology
  • Internal firm systems
  • Engagement team audit tools
  • Implementation advisory support
  • Evaluation of risk assessment and audit plan over implementation
  • Gap assessment of legacy controls to new controls
  • Design and review of engagement team’s testing of controls during the year of implementation

Our IT audit experts can provide integrated solutions to other JGA services, including:


April 28, 2026
In our work with firms, we have seen a clear shift in how monitoring and remediation are viewed under modern quality management frameworks. They are no longer treated as retrospective compliance exercises. Instead, engagement deficiencies are increasingly used as meaningful inputs into an ongoing, risk-based system designed to identify issues early, address them thoughtfully, and reduce the likelihood of recurrence.

Regulatory messaging reinforces this evolution. Oversight bodies are signaling a shift in focus away from isolated engagement outcomes and more toward whether firms have a system of quality management that consistently detects quality risks, responds appropriately, and demonstrates that remediation is working in practice. Based on our experience, while individual engagement deficiencies remain important, the more critical question is becoming how firms analyze, respond to, and learn from those issues over time.

Engagement Deficiencies Are Signals, Not Endpoints

Engagement deficiencies can surface through many channels, including pre-issuance reviews, internal inspections, post-issuance reviews, peer reviews, and regulatory inspections. Regardless of source, firms benefit most when these findings are evaluated through a consistent quality management lens.

In practice, we encourage firms to look beyond whether a single engagement fell short. The more meaningful consideration is whether the deficiency points to potential weaknesses in governance, methodology, training, supervision, resourcing, or monitoring activities. We often observe that when issues are quickly labeled as engagement-specific, without assessing whether they reflect broader quality risks, valuable insight is lost. Modern quality management frameworks are designed to use these signals to strengthen the system, not simply close individual findings.
What Effective Monitoring and Remediation Looks Like in Practice

Firms that navigate this environment effectively tend to apply a disciplined and repeatable approach when deficiencies are identified. Based on our experience supporting firms across a range of practice areas, several elements consistently make a difference:

Assess whether the issue may be systemic
Recurring observations across engagements, service lines, or time periods often indicate system-level risk. Similar documentation gaps, inconsistent application of methodology, or supervision challenges rarely arise in isolation.

Perform meaningful root cause analysis
Effective root cause analysis typically moves beyond surface explanations. Firms benefit from evaluating whether policies and procedures were designed appropriately, implemented as intended, and supported by sufficient training, time, and resources.

Design remediation that directly responds to the quality risk
Remediation is most effective when it is clearly linked to the underlying risk. Depending on the circumstances, this may include enhancements to methodology, targeted training, revised review requirements, or changes to engagement acceptance, staffing, or oversight processes.

Validate remediation through timely monitoring
Implementing corrective actions is only part of the process. In our experience, firms are most successful when they also confirm that remediation operates as intended. Follow-up monitoring performed early enough to prevent recurrence is a critical component of this step. Failure to validate remediation remains one of the most common and consequential weaknesses we observe across firms.

Case Study: When Remediation Is Not Validated

In one situation we encountered, a firm identified engagement deficiencies through post-issuance reviews. The issues mirrored observations that had previously been noted during peer review and were communicated as having been addressed by the group responsible for report issuance.
However, responsibility for validation was not clearly assigned, and no follow-up procedures were performed to evaluate whether the revised processes were effective. Subsequent post-issuance reviews, triggered by an organizational change, revealed that similar and additional deficiencies had re-emerged.

From a quality management perspective, this was not an engagement execution failure. It reflected a breakdown in monitoring and remediation. The firm had information indicating quality risk but did not adjust its monitoring activities to confirm that remediation was working. Viewed through a system lens, this represents a system-level deficiency rather than an isolated engagement issue.

Quality Management Applies Across All Engagement Types

Modern quality management frameworks apply across a firm’s assurance and attestation practice, including private company audits, public company audits, SOC engagements, nonprofit audits, and other services. Deficiencies identified in any practice area may signal broader weaknesses in:

  • Governance and leadership
  • Methodology and training
  • Monitoring activities
  • Remediation processes

In our experience, firms struggle to maintain an effective system of quality management when certain practices are treated as exempt from system-level evaluation.

Key Takeaways

  • Engagement deficiencies are inputs into the system, not endpoints.
  • Recurring issues often indicate systemic quality risk.
  • Remediation should be validated, not assumed.
  • Monitoring activities should evolve as risks emerge.
  • Quality management applies across all engagement types.

Firms that treat monitoring and remediation as a continuous feedback loop, rather than a periodic exercise, are typically better positioned to improve engagement quality and respond to evolving regulatory expectations.

Looking for an independent perspective on whether engagement deficiencies have been fully addressed?
Based on our experience working with firms across assurance and attestation practices, Johnson Global Advisory supports clients by performing independent reviews, validating remediation efforts, and strengthening monitoring processes. If you would like support refining policies, training, workflows, or documentation standards, or would benefit from an objective assessment ahead of regulatory, peer, or internal inspections, contact your JGA audit quality advisor to discuss your needs.
By Jackson Johnson July 30, 2025
Introduction

In today’s regulatory climate, audit firms must take a fresh look at how they evaluate engagement acceptance and client continuance. The stakes have never been higher. With the PCAOB’s newly adopted QC 1000 standard and the AICPA’s SQMS 1 framework now in effect, firms are expected to demonstrate a more rigorous, risk-based approach to quality control—starting with the very first decision: "Should we take this engagement?"

The PCAOB recently released a new Audit Focus: Engagement Acceptance on this topic (Audit Focus). At the same time, we’ve been speaking, writing, and helping firms improve their process in this area. On the heels of the PCAOB’s recent and timely guidance, this article explores the evolving risk landscape and offers practical guidance for firms to strengthen their engagement acceptance protocols in line with new regulatory expectations and JGA’s quality management insights.

The New Risk Landscape: What QC 1000 and SQMS 1 Require

The PCAOB’s QC 1000 standard introduces a scalable, risk-based framework that applies to all firms performing PCAOB engagements. It emphasizes that engagement acceptance is not just a procedural checkpoint; it’s a critical quality control decision that must reflect the firm’s risk profile, independence safeguards, and capacity to deliver a high-quality audit. Key risks highlighted in QC 1000 include:

  • Independence and ethics violations: Firms must have systems to identify and escalate potential conflicts, including automated tracking of financial interests.
  • Monitoring of in-process engagements: Firms are expected to assess quality risks before and during engagements, not just after the fact.
  • Scalability and oversight: Larger firms face enhanced requirements, including external oversight and formal complaint tracking mechanisms.

Similarly, SQMS 1 requires firms to design and implement a system of quality management that includes robust procedures for engagement acceptance and continuance.
These procedures must consider:

  • integrity and reputation of the client
  • firm competence and resources
  • ethical and legal requirements, and
  • risks to audit quality and compliance.

Issues arising from poor or inconsistent client or engagement acceptance policies and procedures aren’t new, but are being looked at in new ways by firms and their regulators with the:

  • decrease in public company auditors qualified or going to market on conducting public company audits
  • increasing number of firms that have been stripped of their privilege to conduct public company audits, and
  • movement of companies to different auditors (think BF Borgers as the most egregious example, but your typical attrition in the most common case).

The PCAOB, AICPA, and other regulators around the world will take these business risks and apply them through a new lens in their inspection, peer review, and enforcement processes as they look at how firms have identified and addressed risks when implementing their QC system when it comes to client acceptance.

Improving Communications: Predecessor Auditors & Audit Committees

Recent PCAOB inspection findings and the Audit Focus document emphasize that engagement acceptance decisions are under increasing scrutiny. Deficiencies in areas like AS 1301 (Communications with Audit Committees) and AS 2610 (Successor Auditor Communications) often stem from weak or incomplete risk assessments at the outset of the engagement.

Firms must be prepared to engage in transparent, candid conversations with audit committees, especially when the going gets tough. Whether it’s disclosing an unanticipated CAM, identifying a material weakness in internal control, or explaining a shift in audit scope, the ability to communicate openly and credibly is a hallmark of audit quality. Similarly, in our article on audit committees, we emphasized that audit committees are becoming more sophisticated and assertive.
They expect auditors to be proactive, risk-aware, and ready to explain their judgments—not just their procedures. The Audit Focus does a great job of asking questions for firms to consider in assessing the quality of both management and the AC.

As part of your engagement acceptance process, assess not only the technical risks of the engagement, but also the firm’s ability to maintain transparency and trust with the audit committee. Ask:

  • Will we be able to have frank conversations with this client’s governance team?
  • Are we prepared to deliver difficult messages if needed?
  • Do we have the right people and protocols in place to support those conversations?

Internal Inspections: Engagement Acceptance as a Root Cause

The Audit Focus also highlights how engagement acceptance decisions can directly impact audit quality and inspection outcomes. We encourage firms to examine their internal inspection programs to see how/whether outcomes can inform or rise to potential root causes targeting the firm’s engagement/client acceptance process. For example, a risk-based selection for the annual internal inspection process should include certain jobs tied specifically to new client and new engagements:
March 7, 2023
The PCAOB recently released the Spotlight: Additional Insights on the Remediation Process. In it, there is a crucial distinction as to what constitutes a repeat or persistent criticism.

“A criticism that occurs in Part II of at least two consecutive inspection reports, or that occurs consistently, even if it skips one or two inspection reports, is considered a repeat or persistent criticism. The inspections staff evaluates similar deficiencies, regardless of how these deficiencies have been categorized in Part II in prior inspection reports. For example, if the year subject to remediation included a QCC related to testing assumptions of estimates, and the prior year included a QCC related to testing assumptions of business combinations, the QCC for the subsequent year would likely count as a recurrence because the underlying deficiency in both instances relates to testing assumptions.”

It is important that firms do not mistakenly believe that because a quality control criticism is not reported in one inspection, that the finding, if it comes up again, is not a repeat finding. It is imperative that firms focus on similar deficiencies as they prepare for subsequent inspections to ensure that any remediation or monitoring processes have effectively addressed the deficiency. Also, a firm’s timely reactions to any previous ineffective actions will count in its favor.

“The Staff Guidance further discusses the fact that strong remediation efforts, particularly when accompanied by effective firm monitoring procedures and timely adjustments, can weigh favorably in the inspection staff’s recommended remediation determination, even if subsequent inspection results indicate recurrences of the same type of deficiency.”

The spotlight further mentions that when employing any new tools to address previous deficiencies, it is critical that the firm ensures that the new tools are mandatory and that its teams are using them effectively.

Additionally, as firms develop remediation training programs for teams, the spotlight outlines important aspects to be included that firms may lose sight of. To read the full spotlight please visit the PCAOB’s website by clicking here.