System of Quality Management Resources

Advisory Services for Public Company Auditors

New QC Standards Readiness and Implementation

The International Auditing and Assurance Standards Board (IAASB) has adopted the new International Standard on Quality Management 1 (ISQM 1). In addition, the PCAOB has indicated its intention to issue new quality control (QC) standards in the near future. As a result, firms that are required to follow IAASB or PCAOB standards need to reconsider their internal quality controls and begin to implement new processes to comply with these new requirements. 

Preparation and Assessment Process

Risk Assessment

  • The firm’s process of implementing the risk-based approach to quality management.
  • Consists of establishing quality objectives, identifying and assessing quality risks and designing and implementing responses to quality risks. 

Requirements of the ISQM 1 Standard (and Proposed SQMS 1)

  • Design and implement a risk assessment process (Ref: Para. A39–A41)
  • Establish the quality objectives specified by this ISQM and any additional quality objectives considered necessary (Ref: Para. A42–A44)
  • Identify and assess quality risks to provide a basis for the design and implementation of responses. In doing so, the firm shall:
  • Obtain an understanding of the conditions, events, circumstances, actions or inactions that may adversely affect the achievement of the quality objectives. (Ref: Para. A45–A47)
  • Consider how, and the degree to which, the conditions, events, circumstances, actions or inactions in paragraph 25(a) may adversely affect the achievement of the quality objectives. (Ref: Para. A48)
  • Design and implement responses to address the quality risks (Ref: Para. A49–A51)
  • Establish policies or procedures that are designed to identify information that indicates additional quality objectives. (Ref: Para. A52–A53) 


Governance & Leadership

Deals with matters such as the:

  1. Firm’s culture
  2. Leadership responsibility and accountability
  3. The firm’s organizational structure
  4. Assignment of roles and responsibilities, and
  5. Resource planning and allocation.

Requirements of the ISQM 1 Standard (and Proposed SQMS 1)

Establish the following quality objectives that address the firm’s governance and leadership:

  • Demonstrates a commitment to quality through a culture that exists throughout the firm, which recognizes and reinforces: (Ref: Para. A55–A56) 
  • Serving the public interest by consistently performing quality engagements;
  • Importance of professional ethics, values and attitudes;
  • Responsibility of all personnel for quality relating to the performance of engagements; and
  • Importance of quality in the firm’s strategic decisions/actions including financial and operational priorities.
  • Leadership is responsible and accountable for quality. (Ref: Para. A57)
  • Leadership demonstrates a commitment to quality through their actions and behaviors. (Ref: Para. A58)
  • Organizational structure & assignment of roles, responsibilities, and authority is appropriate to enable the design, implementation, & operation of firm system of quality management. (Ref: Para. A32, A33, A35, A59) 
  • Resource needs, including financial resources, are planned for and resources are obtained, allocated or assigned in a manner that is consistent with the firm’s commitment to quality. (Ref: Para. A60–A61) 


Ethical Requirements

  • Deals with fulfilling relevant ethical requirements by the firm, its personnel, and ethical requirements that apply to others external to the firm.

Requirements of the ISQM 1 Standard (and Proposed SQMS 1)

Establish the following quality objectives that address the fulfillment of responsibilities in accordance with relevant ethical requirements, including those related to independence: (Ref: Para. A62–A64, A66) 

  • The firm and its personnel: 
  • Understand the relevant ethical requirements to which the firm and the firm’s engagements are subject; and (Ref: Para. A22, A24) 
  • Fulfill their responsibilities in relation to the relevant ethical requirements to which the firm and the firm’s engagements are subject. 
  • Others, including the network, network firms, individuals in the network or network firms, or service providers, who are subject to the relevant ethical requirements to which the firm and the firm’s engagements are subject: 
  • Understand the relevant ethical requirements that apply to them; and (Ref: Para. A22, A24, A65) 
  • Fulfill their responsibilities in relation to the relevant ethical requirements that apply to them. 


Acceptance & Continuance

Deals with the firm’s judgments about whether to accept or continue a client relationship or specific engagement.

Requirements of the ISQM 1 Standard (and Proposed SQMS 1)

Establish the following quality objectives that address the acceptance and continuance of client relationships and specific engagements: 

  • Judgments by the firm about whether to accept or continue a client relationship or specific engagement are appropriate based on: 
  • Information obtained about the nature and circumstances of the engagement and the integrity and ethical values of the client (including management, and, when appropriate, those charged with governance) that is sufficient to support such judgments; and (Ref: Para. A67–A71) 
  • The firm’s ability to perform the engagement in accordance with professional standards and applicable legal and regulatory requirements. (Ref: Para. A72) 
  • The financial and operational priorities of the firm do not lead to inappropriate judgments about whether to accept or continue a client relationship or specific engagement. (Ref: Para. A73–A74) 

Engagement Performance

  • Deals with the firm’s actions that support consistent quality engagements through direction, supervision and review, consultation, and differences of opinion.
  • Includes how the firm supports engagement teams in exercising professional judgment and professional skepticism.

Requirements of the ISQM 1 Standard (and Proposed SQMS 1)

Establish the following quality objectives that address the performance of quality engagements: 

  • Engagement teams understand and fulfill their responsibilities in connection with the engagements, including, as applicable, the overall responsibility of engagement partners for managing and achieving quality on the engagement and being sufficiently and appropriately involved throughout the engagement. (Ref: Para. A75) 
  • The nature, timing and extent of direction and supervision of engagement teams and review of the work performed is appropriate based on the nature and circumstances of the engagements. (Ref: Para. A76–A77) 
  • Engagement teams exercise appropriate professional judgment and professional skepticism. (Ref: Para. A78) 
  • Consultation on difficult matters is undertaken and conclusions are implemented. (Ref: Para. A79–A81) 
  • Differences of opinion within the engagement are communicated and resolved. (Ref: Para. A82) 
  • Documentation is assembled timely after the date of the engagement report. (Ref: Para. A83–A85) 

Resources

  • Deals with obtaining, developing, using, maintaining, allocating and assigning resources in a timely manner to enable the design, implementation and operation of the SQM.
  • Includes 1) technological, 2) intellectual, 3) human resources, and 4) service providers.

Requirements of the ISQM 1 Standard (and Proposed SQMS 1)

Establish the following quality objectives that address appropriately obtaining, developing, using, maintaining, allocating and assigning resources in a timely manner: (Ref: Para. A86–A87, A95–A97)

Human Resources 

  • Personnel are hired, developed and retained and have the competence and capabilities to achieve quality objectives (Ref: Para. A88–A90); demonstrate a commitment to quality and are held accountable (Ref: Para. A91–A93); and individuals are obtained from external sources when needed to achieve quality objectives. (Ref: Para. A94) 

Technological Resources

  • Appropriate technological resources are obtained or developed, implemented, maintained, and used, to enable the operation of the firm’s system of quality management and the performance of engagements. (Ref: Para. A98–A101, A104)

Intellectual Resources

  • Appropriate intellectual resources are obtained or developed, implemented, maintained, and used, to enable the operation of the firm’s system of quality management. (Ref: Para. A102–A104)

Service Providers 

  • Human, technological or intellectual resources from service providers are appropriate for use in the firm’s system of quality management and in the performance of engagements. (Ref: Para. A105–A108)

Information & Communication

  • Deals with obtaining, generating or using information regarding the SQM, and communicating information within the firm and to external parties on a timely basis to enable the design, implementation, and operation of the SQM.

Requirements of the ISQM 1 Standard (and Proposed SQMS 1)

Establish the following quality objectives that address obtaining, generating or using information regarding the system of quality management: (Ref: Para. A109) 

  • The information system identifies, captures, processes and maintains relevant and reliable information that supports the system of quality management, whether from internal or external sources. (Ref: Para. A110–A111) 
  • The culture of the firm recognizes and reinforces the responsibility of personnel to exchange information with the firm and with one another. (Ref: Para. A112) 
  • Relevant and reliable information is exchanged throughout the firm, including: (Ref: Para. A112) 
  • Information sufficient to fulfil responsibilities relating to the system of quality management; and 
  • Information when performing activities within the system of quality management or engagements. 
  • Relevant and reliable information is communicated to external parties, including: 
  • Information from the firm to or within the firm’s network or to service providers, and (Ref: Para. A113) 
  • Externally when required by law, regulation or professional standards. (Ref: Para. A114–A115) 

Monitoring & Remediation

  • Provides the firm with information about the design and operation of the SQM; and
  • Addresses the remediation of deficiencies on a timely basis.

Requirements of the ISQM 1 Standard (and Proposed SQMS 1)

Establish a monitoring and remediation process to: (Ref: Para. A138) 

  • Provide relevant, reliable and timely information about the system of quality management. 
  • Take appropriate actions to respond to identified deficiencies and remediate them on a timely basis. 
  • Design and perform monitoring activities to provide a basis for the identification of deficiencies.
  • Include the inspection of completed engagements in its monitoring activities. (Ref: Para. A141, A151–A154)
  • Assess the competency and objectivity of individuals performing monitoring. (Ref: Para. A155–A156) 
  • Evaluate findings to determine whether deficiencies exist. (Ref: Para. A157–A162)
  • Evaluate the severity and pervasiveness of identified deficiencies. (Ref: Para. A161, A163–A164)
  • Design and implement remedial actions to address identified deficiencies. (Ref: Para. A170–A172)
  • Communicate on a timely basis monitoring and remediation process. (Ref: Para. A174) 

From Planning to Practice: 10 Steps to Build Your Firm’s Quality Management System

By Jackson Johnson September 30, 2025
With the effective date for SQMS 1 and QC 1000 fast approaching, firms of all sizes—especially small and sole practitioners—must take action to implement a system of quality management (SQM) that meets the new standards. The good news? You don’t have to start from scratch. Despite QC 1000’s implementation date deferral, the AICPA’s date hasn’t changed, and the international standards are already effective. It’s important to maintain momentum on the efforts toward implementation of all applicable standards for your firm. This article outlines 10 practical steps to help firms build their SQM. Each step includes actionable guidance and considerations for firms with limited resources, and ties into JGA’s broader thought leadership on quality management, risk assessment, and system evaluation. The 10 Steps to Build Your SQM Step 1: Establish a Project Team Form a team with the right mix of quality expertise and operational insight. For small firms, this may mean involving a manager who can grow into a leadership role or setting aside dedicated time as a sole practitioner. Recommended actions to consider: Identify internal champions with interest or experience in quality. Schedule recurring project meetings to maintain momentum. Join a peer group for support and shared learning. Step 2: Understanding and Awareness Document your firm’s business strategy, service offerings, and operational conditions. This step helps identify factors that may impact quality—such as remote work, new industries, or staff turnover. Recommended actions to consider: Conduct a strategy review with firm leadership. List recent changes in firm structure or engagement types. Use these insights to inform your risk assessment. Step 3: Assign Responsibilities Define who is accountable for the SQM. The new standards require clear delineation of ultimate and operational responsibility, including oversight of independence and monitoring. Recommended actions to consider: Assign roles based on existing responsibilities. Clarify delegation boundaries for managing partners. Document responsibilities in your quality manual. Step 4: Establish a Risk Assessment Function Design a process to identify and assess quality risks. This includes understanding conditions or events that could impact quality objectives. Recommended actions to consider: Create a risk assessment policy tailored to your firm. Use relatable examples to demystify risk factors. Leverage AICPA practice aids for structure and templates. Step 5: Perform the Initial Risk Assessment Conduct brainstorming sessions by component and document risks using the AICPA Risk Assessment Template. Include both formal and informal responses. Recommended actions to consider: Use the AICPA risk library to identify common risks. Tailor risks to your firm’s size and services. Include existing responses—even if informal—for evaluation. Step 6: Finalize the Gap Analysis Evaluate where your current responses fall short. This may include undocumented policies or areas where responses don’t fully address the risk. Recommended actions to consider: Identify gaps in governance, ethics, and technology. Determine which informal practices need formalization. Prioritize gaps based on risk severity and regulatory impact. Step 7: Implement Responses to Address the Gaps Develop policies and procedures to close gaps. Responses must be documented and operational. Recommended actions to consider: Draft policies that reflect your firm’s values and risks. Link procedures to specific quality objectives. Use existing documentation as a starting point. Step 8: Update Your Monitoring Process Move beyond peer review prep—monitoring should be continuous and system-wide. Recommended actions to consider: Assign monitoring responsibilities across the team. Incorporate testing of responses into internal inspections. Use dashboards or checklists to track progress. Step 9: Formalize Root Cause and Remediation Procedures Investigate deficiencies and document why they occurred. This step is essential for both system and engagement-level reviews. Recommended actions to consider: Conduct interviews to understand root causes. Use findings to improve policies and training. Apply remediation even if your firm only undergoes engagement reviews. Step 10: Initial Test of Design and Implementation Review documentation and walk through processes to ensure your system is operational and testable. Recommended actions to consider: Validate that each component is supported by evidence. Simulate a peer review to test your system. Confirm that objectives, risks, and responses align. Conclusion Implementing a system of quality management is not just a compliance exercise—it’s an opportunity to strengthen your firm’s foundation for audit quality, risk management, and long-term success. Whether you’re a sole practitioner or a small firm with a few partners, these 10 steps offer a scalable roadmap to meet the new standards. Ready to get started or need help refining your approach? Contact your JGA audit expert today to schedule a consultation and ensure your implementation is tailored to your firm’s needs. At Johnson Global Advisory , we support firms in selecting, implementing, and optimizing these tools to meet their unique needs. For more insights, visit our blog or contact us to learn how we can help your firm AmplifyQuality®.

Timely Quality Management: Joe Lynch, JGA Managing Director, Insights Featured in Journal of Accountancy

By Jackson Johnson August 18, 2025
Learn how to build your firm’s quality management system on time with actionable insights from Joe Lynch , Managing Director at JGA, as featured in the Journal of Accountancy . This article outlines eight strategic steps to ensure effective and timely implementation of quality management practices for your business.

Rethinking Engagement Acceptance: Why “Yes” Isn’t Always the Right Answer

By Jackson Johnson July 30, 2025
Introduction In today’s regulatory climate, audit firms must take a fresh look at how they evaluate engagement acceptance and client continuance. The stakes have never been higher. With the PCAOB’s newly adopted QC 1000 standard and the AICPA’s SQMS 1 framework now in effect , firms are expected to demonstrate a more rigorous, risk-based approach to quality control—starting with the very first decision: "Should we take this engagement?" The PCAOB recently released a new Audit Focus: Engagement Acceptance on this topic (Audit Focus). At the same time, we’ve been speaking, writing, and helping firms improve their process in this area. On the steps of PCAOB’s recent and timely guidance, this article explores the evolving risk landscape and offers practical guidance for firms to strengthen their engagement acceptance protocols in line with new regulatory expectations and JGA’s quality management insights. The New Risk Landscape: What QC 1000 and SQMS 1 Require The PCAOB’s QC 1000 standard introduces a scalable, risk-based framework that applies to all firms performing PCAOB engagements. It emphasizes that engagement acceptance is not just a procedural checkpoint, it’s a critical quality control decision that must reflect the firm’s risk profile, independence safeguards, and capacity to deliver a high-quality audit. Key risks highlighted in QC 1000 include: Independence and ethics violations: Firms must have systems to identify and escalate potential conflicts, including automated tracking of financial interests. Monitoring of in-process engagements: Firms are expected to assess quality risks before and during engagements, not just after the fact. Scalability and oversight: Larger firms face enhanced requirements, including external oversight and formal complaint tracking mechanisms. Similarly, SQMS 1 requires firms to design and implement a system of quality management that includes robust procedures for engagement acceptance and continuance. These procedures must consider: integrity and reputation of the client firm competence and resources ethical and legal requirements, and risks to audit quality and compliance. Issues arising from poor or inconsistent client or engagement acceptance policies and procedures isn’t new, but is being looked at in new ways by firms and their regulators with the: decrease in public company auditors qualified or going to market on conducting public company audits increasing number of firms that have been stripped of their privilege to conduct public company audits, and movement of companies to different auditors (think BF Borgers as the most egregious example, but your typical attrition in the most common case). The PCAOB, AICPA, and other regulators around the world, will take these business risks and apply them in a new lens in their inspection, peer review, and enforcement processes as they look at how firms have identified and addressed risks when implementing their QC system when it comes to client acceptance. Improving Communications: Predecessor Auditors & Audit Committees Recent PCAOB inspection findings and the Audit Focus document emphasize that engagement acceptance decisions are under increasing scrutiny. Deficiencies in areas like AS 1301 (Communications with Audit Committees) and AS 2610 (Successor Auditor Communications) often stem from weak or incomplete risk assessments at the outset of the engagement. Firms must be prepared to engage in transparent, candid conversations with audit committees, especially when the going gets tough. Whether it’s disclosing an unanticipated CAM , identifying a material weakness in internal control , or explaining a shift in audit scope, the ability to communicate openly and credibly is a hallmark of audit quality. Similarly, in our article on audit committees , we emphasized that audit committees are becoming more sophisticated and assertive. They expect auditors to be proactive, risk-aware, and ready to explain their judgments—not just their procedures. The Audit Focus does a great job of asking questions for firms to consider in assessing the quality of both management and the AC. As part of your engagement acceptance process, assess not only the technical risks of the engagement, but also the firm’s ability to maintain transparency and trust with the audit committee. Ask: Will we be able to have frank conversations with this client’s governance team? Are we prepared to deliver difficult messages if needed? Do we have the right people and protocols in place to support those conversations Internal Inspections: Engagement Acceptance as a Root Cause The Audit Focus also highlights how engagement acceptance decisions can directly impact audit quality and inspection outcomes. We encourage firms to examine their internal inspection programs to see how/whether outcomes can inform or rise to potential root causes targeting the firm’s engagement/client acceptance process. For example, a risk-based selection for the annual internal inspection process should include certain jobs tied specifically to new client and new engagements:
Show More