Statement on June 2022

Quality Management Standards 1

Issued by the Auditing Standards Board

A Firm’s System of Quality Management

(AICPA, Professional Standards, QM sec. 10; supersedes Statement on Quality Control
Standards [SQCS] No. 8, A Firm’s System of Quality Control, as amended [AICPA,
Professional Standards, QC sec. 10])

Copyright © 2022 by American Institute of Certified Public Accountants, Inc. All rights reserved.

For information about the procedure for requesting permission to make copies of any part of this work,
please e-mail [email protected] with your request. Otherwise, requests should be written and mailed
to the Permissions Department, AICPA, 220 Leigh Farm Road, Durham, NC 27707-8110.
This Statement on Quality Management Standards uses certain International Federation of Accountants
(IFAC) copyright material, used with the permission of IFAC.
 Auditing Standards Board
(2021–2022)

Tracy W. Harding, Chair Robert R. Harris

Brad C. Ames Kathleen K. Healy
Maxene Bardwell Jon Heath
Patricia Bottomly Clay Huffman
Samantha Bowling Greg Jenkins
Sherry Chesser Maria C. Manasses
Harry Cohen Andrew Prather
Jeanne M. Dee Chris Rogers
Horace Emery Tania DeSilva Sergott
Diane Hardesty

Quality Management Task Forces

SQMS No. 1 Task Force SQMS No. 2/220 Task Force

Sara Lord, Chair Jon Heath, Chair
Phyllis Anderson Harry Cohen
Sherry Chesser Thomas Parry
Kathryn Fletcher Jeff Rapaglia
Alan Long Rick Reeder
Tania DeSilva Sergott Michael Westervelt
Kimberly Stazyk

AICPA Staff

Jennifer Burns Ahava Z. Goldman

Chief Auditor Associate Director
AICPA Audit and Attest Standards —
Public Accounting
Teighlor S. March
Assistant General Counsel —
Office of General Counsel

Note: Statements on Quality Management Standards (previously titled Statements on Quality

Control Standards) are issued by the Auditing Standards Board, the senior technical body of the
AICPA designated to issue pronouncements on auditing, attestation, and quality control matters.
The “Compliance With Standards Rule” (ET sec. 1.310.001)1 of the AICPA Code of Professional

1
All ET sections can be found in AICPA Professional Standards.
Page 2 of 80
Conduct requires compliance with these standards when firms perform auditing and accounting
services for a nonissuer.

Page 3 of 80
 CONTENTS

Paragraph
Introduction
Scope of This Statement on Quality Management Standards 1–6
The Firm's System of Quality Management 7–12
Authority of This SQMS 13
Effective Date 14
Objective 15–16
Definitions 17
Requirements
Applying, and Complying with, Relevant Requirements 18–19
System of Quality Management 20–23
The Firm's Risk Assessment Process 24–28
Governance and Leadership 29
Relevant Ethical Requirements 30
Acceptance and Continuance of Client Relationships and Specific Engagements 31
Engagement Performance 32
Resources 33
Information and Communication 34
Specified Responses 35
Monitoring and Remediation Process 36–48
Network Requirements or Network Services 49–53
Evaluating the System of Quality Management 54–57
Documentation 58–61
Application and Other Explanatory Material
Scope of This Statement on Quality Management Standards A1
The Firm's System of Quality Management A2–A4
Authority of This SQMS A5–A8
Definitions A9–A28
Applying, and Complying with, Relevant Requirements A29
System of Quality Management A30–A39
The Firm's Risk Assessment Process A40–A56
Governance and Leadership A57–A63
Relevant Ethical Requirements A64–A68
Acceptance and Continuance of Client Relationships and Specific Engagements A69–A78
Engagement Performance A79–A89
Resources A90–A115
Information and Communication A115–A123
Specified Responses A124–A147
Monitoring and Remediation Process A148–A190
Network Requirements or Network Services A191–A205
Evaluating the System of Quality Management A206–A223
Documentation A224–A228

Page 5 of 80
 Statement on Quality Management Standards No. 1,
A Firm’s System of Quality Management
Introduction
Scope of This Statement on Quality Management Standards

1. This Statement on Quality Management Standards (SQMS) deals with a firm’s

responsibilities to design, implement, and operate a system of quality management for its
accounting and auditing practice.
2. Engagement quality reviews form part of the firm’s system of quality management and
a. this SQMS addresses the firm’s responsibility to establish policies or procedures
addressing engagements that are required to be subject to engagement quality
reviews.
b. SQMS No. 2, Engagement Quality Reviews, deals with the appointment and
eligibility of the engagement quality reviewer, and the performance and
documentation of the engagement quality review.
3. Other professional standards include requirements for engagement partners and other
engagement team members regarding quality management at the engagement level. For example,
Statement on Auditing Standards (SAS) No. 146, Quality Management for an Engagement
Conducted in Accordance With Generally Accepted Auditing Standards, deals with the specific
responsibilities of the auditor regarding quality management at the engagement level for an audit
of financial statements and the related responsibilities of the engagement partner. Other
professional standards, including AT-C section 105, Concepts Common to All Attestation
Engagements,‡ and AR-C section 60, General Principles for Engagements Performed in
Accordance With Statements on Standards for Accounting and Review Services,‖ also establish
requirements for the engagement partner for the management of quality at the engagement level.
4. This SQMS is to be read in conjunction with the AICPA Code of Professional Conduct
(AICPA code) and other relevant ethical requirements. Law, regulation, or relevant ethical
requirements may establish responsibilities for the firm’s management of quality beyond those
described in this SQMS. (Ref: par. A1)
5. This SQMS applies to audit and attestation engagements performed by a firm in accordance
with Government Auditing Standards. This SQMS does not apply to government audit
organizations. Instead, those government audit organizations are subject to the quality control and
assurance requirements of Government Auditing Standards.
6. This SQMS applies to all firms that perform any engagement included in a firm’s
accounting and auditing practice. The system of quality management that is established in
accordance with the requirements of this SQMS enables the consistent performance by the firm of
all such engagements.

‡
All AT-C sections can be found in AICPA Professional Standards.
‖
All AR-C sections can be found in AICPA Professional Standards.

Page 6 of 80
The Firm’s System of Quality Management

7. A system of quality management operates in a continual and iterative manner and is

responsive to changes in the nature and circumstances of the firm and its engagements. It does not
operate in a linear manner. However, for the purposes of this SQMS, a system of quality
management addresses the following eight components: (Ref: par. A2)
a. The firm’s risk assessment process
b. Governance and leadership
c. Relevant ethical requirements
d. Acceptance and continuance of client relationships and specific engagements
e. Engagement performance
f. Resources
g. Information and communication
h. The monitoring and remediation process
8. This SQMS requires the firm to apply a risk-based approach in designing, implementing,
and operating the components of the system of quality management in an interconnected and
coordinated manner such that the firm proactively manages the quality of engagements performed
by the firm. (Ref: par. A3)
9. The risk-based approach is embedded in the requirements of this SQMS through the
following:
a. Establishing quality objectives. The quality objectives established by the firm consist
of objectives in relation to the components of the system of quality management that
are to be achieved by the firm. The firm is required to establish the quality objectives
specified by this SQMS and any additional quality objectives considered necessary
by the firm to achieve the objectives of the system of quality management.
b. Identifying and assessing risks to the achievement of the quality objectives (referred
to in this SQMS as quality risks). The firm is required to identify and assess quality
risks to provide a basis for the design and implementation of responses.
c. Designing and implementing responses to address the quality risks. The nature,
timing, and extent of the firm’s responses to address the quality risks are based on,
and responsive to, the reasons for the assessments given to the quality risks.
10. This SQMS requires that, at least annually, the individual or individuals assigned ultimate
responsibility and accountability for the system of quality management, on behalf of the firm,
evaluate the system of quality management and conclude whether the system of quality
management provides the firm with reasonable assurance that the objectives of the system, stated
in paragraph 15a–b, are being achieved. (Ref: par. A4)
Scalability
11. In applying a risk-based approach, the firm is required to take into account
a. the nature and circumstances of the firm, and

Page 7 of 80
 b. the nature and circumstances of the engagements performed by the firm.
Accordingly, the design of the firm’s system of quality management — in particular, the
complexity and formality of the system — will vary. For example, a firm that performs different
types of engagements for a wide variety of entities, such as audits of specialized industries or group
audits for multinational entities, will likely need to have a more complex and formalized system
of quality management and supporting documentation than a firm that performs only reviews of
financial statements or compilation engagements.
Networks and Service Providers

12. This SQMS addresses the firm’s responsibilities when the firm
a. belongs to a network, and the firm complies with network requirements or uses
network services in the system of quality management or in performing engagements,
or
b. uses resources from a service provider in the system of quality management or in
performing engagements.
Even when the firm complies with network requirements or uses network services or resources
from a service provider, the firm is responsible for its system of quality management.
Authority of This SQMS

13. Paragraph 15 contains the objective of the firm in following this SQMS. This SQMS
contains the following: (Ref: par. A5)
a. Requirements designed to enable the firm to meet the objective in paragraph 15 (Ref:
par. A6)
b. Related guidance in the form of application and other explanatory material (Ref: par.
A7)
c. Introductory material that provides context relevant to a proper understanding of this
SQMS
d. Definitions (Ref: par. A8)

Effective Date
14. Systems of quality management in compliance with this SQMS are required to be designed
and implemented by December 15, 2025, and the evaluation of the system of quality management
required by paragraphs 54–55 is required to be performed within one year following December
15, 2025.
Objective
15. The objective of the firm is to design, implement, and operate a system of quality
management for engagements performed by the firm in its accounting and auditing practice that
provides the firm with reasonable assurance that
a. the firm and its personnel fulfill their responsibilities in accordance with professional
standards and applicable legal and regulatory requirements and conduct engagements

Page 8 of 80
 in accordance with such standards and requirements, and
b. engagement reports issued by the firm are appropriate in the circumstances.
16. The public interest is served by the consistent performance of quality engagements. The
design, implementation, and operation of the system of quality management enables the consistent
performance of quality engagements by providing the firm with reasonable assurance that the
objectives of the system of quality management, stated in paragraph 15a–b, are achieved. Quality
engagements are achieved through planning and performing engagements and reporting on them
in accordance with professional standards and applicable legal and regulatory requirements.
Achieving the objectives of those standards and complying with the requirements of applicable
law or regulation involves exercising professional judgment and, when applicable to the type of
engagement, maintaining professional skepticism.

Definitions
17. For purposes of the SQMSs, the following terms have the meanings attributed as follows:
Accounting and auditing practice. A practice that performs engagements covered by this
SQMS, which are audit, attestation, review, compilation, and any other services for
which standards have been promulgated by the AICPA Auditing Standards Board (ASB)
or the AICPA Accounting and Review Services Committee (ARSC) under the “General
Standards Rule” (ET sec. 1.300.001)† or the “Compliance With Standards Rule” (ET sec.
1.310.001) of the AICPA code. (Ref: par. A9)
Deficiency in the firm’s system of quality management (referred to as deficiency in
this SQMS). This exists when (Ref: par. A10 and A174–A175)
• a quality objective required to achieve the objective of the system of quality
management is not established;
• a quality risk, or combination of quality risks, is not identified or properly
assessed; (Ref: par. A11)
• a response, or combination of responses, does not reduce to an acceptably low
level the likelihood of a related quality risk occurring because the responses are
not properly designed, implemented, or operating effectively; or
• another aspect of the system of quality management is absent, or not properly
designed, implemented, or operating effectively, such that a requirement of this
SQMS has not been addressed. (Ref: par. A12–A13)
Engagement documentation. The record of work performed, results obtained, and
conclusions the practitioner reached (terms such as working papers or work papers are
sometimes used).

Engagement partner. The partner or other individual appointed by the firm who is
responsible for the engagement and its performance, and for the report that is issued on

†
All ET sections can be found in AICPA Professional Standards.

Page 9 of 80
 behalf of the firm, and who, when required, has the appropriate authority from a
professional, legal, or regulatory body.

Engagement quality review. An objective evaluation of the significant judgments made by

the engagement team and the conclusions reached thereon performed by the engagement
quality reviewer and completed before the engagement report is released.
Engagement quality reviewer. A partner, other individual in the firm, or an external
individual appointed by the firm to perform the engagement quality review.

Engagement team. All partners and staff performing the engagement, and any other
individuals who perform procedures on the engagement, excluding an external specialist1
and internal auditors who provide direct assistance on an engagement. (Ref: par. A14)

External inspections. Inspections or investigations, undertaken by an external oversight

authority, related to the firm’s system of quality management or engagements performed
by the firm. (Ref: par. A15)
Findings (in relation to a system of quality management). Information about the design,
implementation, and operation of the system of quality management that has been
accumulated from the performance of monitoring activities, external inspections, and
other relevant sources, which indicates that one or more deficiencies may exist. (Ref: par.
A16–A18)

Firm. A form of organization permitted by law or regulation whose characteristics conform

to resolutions of the Council of the AICPA and that is engaged in public practice. (Ref:
par. A19)

Inspection. Inspection is an evaluation of the adequacy of aspects of the firm’s quality

management policies and procedures, its personnel’s understanding of those policies and
procedures, and the extent of the firm’s compliance with them.
Network. As defined in “Definitions” (ET sec. 0.400) in the AICPA code, an association of
entities that includes one or more firms. (Ref: par. A20)
Network firm. As defined in “Definitions” (ET sec. 0.400) in the AICPA code, a firm or
other entity that belongs to a network. References to a network firm are to be read
hereafter as “another firm or entity that belongs to the same network as the firm.”

Partner. Any individual with authority to bind the firm with respect to the performance of
a professional services engagement. For purposes of this definition, partner may include
an employee with this authority who has not assumed the risks and benefits of ownership.
Firms might use different titles to refer to individuals with this authority.

Personnel. Partners and staff in the firm. (Ref: par. A21–A22)

1
Paragraph .06 of AU-C section 620, Using the Work of an Auditor’s Specialist, defines the term auditor’s
specialist.

Page 10 of 80
Professional judgment. The application of relevant training, knowledge, and experience,
within the context of professional standards, in making informed decisions about the
courses of action that are appropriate in the design, implementation, and operation of
the firm’s system of quality management.

Professional standards. Standards promulgated by the ASB or ARSC under the “General
Standards Rule” (ET sec. 1.300.001) or the “Compliance With Standards Rule” (ET
sec. 1.310.001) of the AICPA code or other standard-setting bodies that set auditing
and attest standards applicable to the engagement being performed and relevant ethical
requirements.

Quality objectives. The desired outcomes in relation to the components of the system of
quality management to be achieved by the firm.

Quality risk. A risk that has a reasonable possibility of

• occurring, and
• individually, or in combination with other risks, adversely affecting the
achievement of one or more quality objectives.
Reasonable assurance. In the context of the SQMSs, a high, but not absolute, level of
assurance.

Relevant ethical requirements. Principles of professional ethics and ethical requirements

to which the firm, engagement team, engagement quality reviewer, and other firm
personnel are subject when undertaking engagements in the firm’s accounting and
auditing practice that consist of the AICPA code together with rules of applicable state
boards of accountancy and applicable regulatory agencies that are more restrictive.
(Ref: par. A23–A24 and A64)
Response (in relation to a system of quality management). Policies or procedures
designed and implemented by the firm to address one or more quality risks. (Ref: par.
A25–A27 and A52)
• Policies are statements of what should, or should not, be done to address
quality risks. Such statements may be documented, explicitly stated in
communications, or implied through actions and decisions.
• Procedures are actions to implement policies.
Service provider (in the context of this SQMS). An individual or organization external to
the firm that provides a resource that is used in the system of quality management or
in performing engagements. Service providers exclude the firm’s network, other
network firms, or other structures or organizations in the network. (Ref: par. A28 and
A110)

Staff. Professionals, other than partners, including any specialists the firm employs.

System of quality management. A system designed, implemented, and operated by a firm

to provide the firm with reasonable assurance that

Page 11 of 80
 a. the firm and its personnel fulfill their responsibilities in accordance with
professional standards and applicable legal and regulatory requirements, and
conduct engagements in accordance with such standards and requirements; and
b. engagement reports issued by the firm are appropriate in the circumstances.
Requirements
Applying and Complying With Relevant Requirements

18. The firm should comply with each requirement of this SQMS unless the requirement is not
relevant to the firm because of the nature and circumstances of the firm or its engagements. (Ref:
par. A29)
19. The individual or individuals assigned ultimate responsibility and accountability for the
firm’s system of quality management, and the individual or individuals assigned operational
responsibility for the firm’s system of quality management, should have an understanding of this
SQMS, including the application and other explanatory material, to understand the objective of
this SQMS and to apply its requirements properly.

System of Quality Management

20. The firm should design, implement, and operate a system of quality management. In doing
so, the firm should exercise professional judgment, taking into account the nature and
circumstances of the firm and its engagements. The governance and leadership component of the
system of quality management establishes the environment that supports the design,
implementation, and operation of the system of quality management. (Ref: par. A30–A31)

Responsibilities
21. The firm should assign (Ref: par. A32–A36)
a. ultimate responsibility and accountability for the system of quality management to
the firm’s CEO or the firm’s managing partner (or equivalent) or, if appropriate, the
firm’s managing board of partners (or equivalent);
b. operational responsibility for the system of quality management; and
c. operational responsibility for specific aspects of the system of quality management,
including
i. compliance with independence requirements, and (Ref: par. A37)
ii. the monitoring and remediation process.

22. In assigning the roles in paragraph 21, the firm should determine that the individual or
individuals (Ref: par. A38)
a. have the appropriate experience, knowledge, influence, and authority within the firm and
sufficient time to fulfill their assigned responsibility, and (Ref: par. A39)

Page 12 of 80
 b. understand their assigned roles and that they are accountable for fulfilling them.
23. The firm should determine that the individual or individuals assigned operational responsibility
for the system of quality management, compliance with independence requirements, and the
monitoring and remediation process have a direct line of communication to the individual or
individuals assigned ultimate responsibility and accountability for the system of quality management.
The Firm’s Risk Assessment Process

24. The firm should design and implement a risk assessment process to establish quality
objectives, identify and assess quality risks, and design and implement responses to address the
quality risks. (Ref: par. A40–A42)
25. The firm should establish the quality objectives specified by this SQMS and any additional
quality objectives considered necessary by the firm to achieve the objectives of the system of
quality management. (Ref: par. A43–A45)
26. The firm should identify and assess quality risks to provide a basis for the design and
implementation of responses. In doing so, the firm should do the following:
a. Obtain an understanding of the conditions, events, circumstances, actions, or inactions
that may adversely affect the achievement of the quality objectives, including the
following: (Ref: par. A46–A48)
i. With respect to the nature and circumstances of the firm, those relating to
(1) the complexity and operating characteristics of the firm;
(2) the strategic and operational decisions and actions, business processes, and
business model of the firm;
(3) the characteristics and management style of leadership;
(4) the resources of the firm, including the resources provided by service
providers;
(5) law, regulation, professional standards, and the environment in which the firm
operates; and
(6) in the case of a firm that belongs to a network, the nature and extent of the
network requirements and network services, if any
ii. With respect to the nature and circumstances of the engagements performed by the
firm, those relating to
(1) the types of engagements performed by the firm and the reports to be issued,
and
(2) the types of entities for which such engagements are undertaken
b. Take into account how, and the degree to which, the conditions, events, circumstances,
actions, or inactions in paragraph 26a may adversely affect the achievement of the
quality objectives. (Ref: par. A49–A50)
27. The firm should design and implement responses to address the quality risks in a manner
that is based on, and responsive to, the reasons for the assessments given to the quality risks. The

Page 13 of 80
firm’s responses should include the responses specified in paragraph 35. However, the responses
specified in paragraph 35 alone are not sufficient to achieve the objectives of the system of quality
management. (Ref: par. A51–A53)
28. The firm should establish policies or procedures that are designed to identify information
that indicates additional quality objectives, or additional or modified quality risks or responses,
are needed due to changes in the nature and circumstances of the firm or its engagements. If such
information is identified, the firm should consider the information and, when appropriate, (Ref:
par. A54–A55)
a. establish additional quality objectives or modify additional quality objectives
previously established by the firm; (Ref: par. A56)
b. identify and assess additional quality risks, modify the quality risks, or reassess the
quality risks; or
c. design and implement additional responses or modify the responses.

Governance and Leadership

29. The firm should establish the following quality objectives that address the firm’s
governance and leadership, which establishes the environment that supports the system of quality
management:
a. The firm demonstrates a commitment to quality through a culture that exists throughout
the firm, which recognizes and reinforces the following: (Ref: par. A57–A58)
i. The firm’s role in serving the public interest by consistently performing quality
engagements
ii. The importance of professional ethics, values, and attitudes
iii. The responsibility of all personnel for quality relating to the performance of
engagements or activities within the system of quality management and their
expected behavior
iv. The importance of quality in the firm’s strategic decisions and actions, including
the firm’s financial and operational priorities
b. Leadership is responsible and accountable for quality. (Ref: par. A59)
c. Leadership demonstrates a commitment to quality through its actions and behaviors.
(Ref: par. A60)
d. The organizational structure and assignment of roles, responsibilities, and authority is
appropriate to enable the design, implementation, and operation of the firm’s system of
quality management. (Ref: par. A32–A35 and A61)
e. Resource needs, including financial resources, are planned for, and resources are
obtained, allocated, or assigned in a manner that is consistent with the firm’s
commitment to quality. (Ref: par. A62–A63)

Page 14 of 80
Relevant Ethical Requirements
30. The firm should establish the following quality objectives that address the fulfillment of
responsibilities in accordance with relevant ethical requirements, including those related to
independence: (Ref: par. A64–A66 and A68)
a. The firm and its personnel
i. understand the relevant ethical requirements to which the firm and the firm’s
engagements are subject, and (Ref: par. A23)
ii. fulfill their responsibilities in relation to the relevant ethical requirements to which
the firm and the firm’s engagements are subject.
b. Others, including the network, network firms, individuals in the network or network
firms, or service providers, who are subject to the relevant ethical requirements to
which the firm and the firm’s engagements are subject
i. understand the relevant ethical requirements that apply to them, and (Ref: par. A23
and A67)
ii. fulfill their responsibilities in relation to the relevant ethical requirements that apply
to them. (Ref: par. A68)

Acceptance and Continuance of Client Relationships and Specific Engagements

31. The firm should establish the following quality objectives that address the acceptance and
continuance of client relationships and specific engagements:
a. Judgments by the firm about whether to accept or continue a client relationship or
specific engagement are appropriate based on the following:
i. Information obtained about the nature and circumstances of the engagement and the
integrity and ethical values of the client (including management and, when
appropriate, those charged with governance) that is sufficient to support such
judgments (Ref: par. A69–A74)
ii. The firm’s ability to perform the engagement in accordance with professional
standards and applicable legal and regulatory requirements (Ref: par. A75–A76)
b. The financial and operational priorities of the firm do not lead to inappropriate
judgments about whether to accept or continue a client relationship or specific
engagement. (Ref: par. A77–A78)

Engagement Performance

32. The firm should establish the following quality objectives that address the performance of
quality engagements:
a. Engagement teams understand and fulfill their responsibilities in connection with the
engagements, including, as applicable, the overall responsibility of engagement
partners for managing and achieving quality on the engagement and being

Page 15 of 80
 sufficiently and appropriately involved throughout the engagement. (Ref: par. A79)
b. The nature, timing, and extent of direction and supervision of engagement teams and
review of the work performed is appropriate based on the nature and circumstances
of the engagements and the resources assigned or made available to the engagement
teams; the work performed by less experienced engagement team members is
directed, supervised, and reviewed by suitably experienced engagement team
members. (Ref: par. A80–A81)
c. Engagement teams exercise appropriate professional judgment and, when applicable
to the type of engagement, maintain professional skepticism. (Ref: par. A82)
d. Consultation on difficult or contentious matters is undertaken, and the conclusions
agreed to are implemented. (Ref: par. A83–A85)
e. Differences of opinion within the engagement team, or between the engagement team
and the engagement quality reviewer or individuals performing activities within the
firm’s system of quality management, are brought to the attention of the firm and
resolved. (Ref: par. A86)
f. Engagement documentation is assembled on a timely basis after the date of the
engagement report and is appropriately maintained and retained to meet the needs of
the firm and comply with law, regulation, relevant ethical requirements, and
professional standards. (Ref: par. A87–A89)
Resources

33. The firm should establish the following quality objectives that address appropriately
obtaining, developing, using, maintaining, allocating, and assigning resources in a timely manner
to enable the design, implementation, and operation of the system of quality management: (Ref:
par. A90–A91)
Human Resources
a. Personnel are hired, developed, and retained and have the competence and capabilities
to (Ref: par. A92–A94)
i. consistently perform quality engagements, including having knowledge or
experience relevant to the engagements the firm performs, or
ii. perform activities or carry out responsibilities in relation to the operation of the
firm’s system of quality management.
b. Personnel demonstrate a commitment to quality through their actions and behaviors,
develop and maintain the appropriate competence to perform their roles, and are held
accountable or recognized through timely evaluations, compensation, promotion, and
other incentives. (Ref: par. A95–A97)
c. Individuals are obtained from external sources (that is, the network, another network
firm, or a service provider) when the firm does not have sufficient or appropriate
personnel to enable the operation of firm’s system of quality management or
performance of engagements. (Ref: par. A98)

Page 16 of 80
 d. Engagement team members, including an engagement partner, who have appropriate
competence and capabilities to consistently perform quality engagements, including
being given sufficient time, are assigned to each engagement. (Ref: par. A92–A93 and
A99–A101)
e. Individuals who have appropriate competence and capabilities, including sufficient
time, to perform such activities are assigned to perform activities within the system of
quality management.
Technological Resources
f. Appropriate technological resources are obtained or developed, implemented,
maintained, and used to enable the operation of the firm’s system of quality management
and the performance of engagements. (Ref: par. A102–A106 and A109)
Intellectual Resources
g. Appropriate intellectual resources are obtained or developed, implemented, maintained,
and used to enable the operation of the firm’s system of quality management and the
consistent performance of quality engagements, and such intellectual resources are
consistent with professional standards and applicable legal and regulatory requirements,
where applicable. (Ref: par. A107–A109)
Service Providers
h. Human, technological, or intellectual resources from service providers are appropriate
for use in the firm’s system of quality management and in performing engagements,
taking into account the quality objectives in paragraph 33d–g. (Ref: par. A110–A115)

Information and Communication

34. The firm should establish the following quality objectives that address obtaining,
generating, or using information regarding the system of quality management and communicating
information within the firm and to external parties on a timely basis to enable the design,
implementation, and operation of the system of quality management: (Ref: par. A116)
a. The information system identifies, captures, processes, and maintains relevant and
reliable information that supports the system of quality management, whether from
internal or external sources. (Ref: par. A117–A119)
b. The culture of the firm recognizes and reinforces the responsibility of personnel to
exchange information with the firm and with one another. (Ref: par. A120)
c. Relevant and reliable information is exchanged throughout the firm and with
engagement teams, including the following: (Ref: par. A120)
i. Information is communicated to personnel and engagement teams, and the nature,
timing, and extent of the information is sufficient to enable them to understand and
carry out their responsibilities relating to performing activities within the system of
quality management or engagements.
ii. Personnel and engagement teams communicate information to the firm when
performing activities within the system of quality management or engagements.

Page 17 of 80
 d. Relevant and reliable information is communicated to external parties, including the
following:
i. Information is communicated by the firm to or within the firm’s network or to
service providers, if any, enabling the network or service providers to fulfill their
responsibilities relating to the network requirements or network services or
resources provided by them. (Ref: par. A121)
ii. Information is communicated externally when required by law, regulation, or
professional standards or to support external parties’ understanding of the system of
quality management. (Ref: par. A122–A123)
Specified Responses

35. In designing and implementing responses in accordance with paragraph 27, the firm should
include the following responses: (Ref: par. A124)
a. The firm establishes policies or procedures for
i. identifying, evaluating, and addressing threats to compliance with the relevant
ethical requirements. (Ref: par. A125)
ii. identifying, communicating, evaluating, and reporting of any breaches of the
relevant ethical requirements and appropriately responding to the causes and
consequences of the breaches in a timely manner. (Ref: par. A126–A127)
b. The firm obtains, at least annually, a documented confirmation of compliance with
independence requirements from all personnel required by relevant ethical
requirements to be independent.
c. The firm establishes policies or procedures for receiving, investigating, and resolving
complaints and allegations about failures to perform work in accordance with
professional standards and applicable legal and regulatory requirements or
noncompliance with the firm’s policies or procedures established in accordance with
this SQMS. (Ref: par. A128–A129)
d. The firm establishes policies or procedures that address the following circumstances:
i. The firm becomes aware of information subsequent to accepting or continuing a
client relationship or specific engagement that would have caused it to decline the
client relationship or specific engagement had that information been known prior to
accepting or continuing the client relationship or specific engagement. (Ref: par.
A130–A131)
ii. The firm is obligated by law or regulation to accept a client relationship or specific
engagement. (Ref: par. A132–A133)
e. The firm establishes policies or procedures that (Ref: par. A134–A137)
i. address when it is appropriate to communicate with external parties about the
firm’s system of quality management, and (Ref: par. A138–A140)
ii. address the information to be provided when communicating externally about the
firm’s system of quality management, including the nature, timing, and extent

Page 18 of 80
 and appropriate form of communication. (Ref: par. A141–A142)
f. The firm establishes policies or procedures that address engagement quality reviews in
accordance with SQMS No. 2 and requires an engagement quality review for the
following:
i. Audits or other engagements for which an engagement quality review is required
by law or regulation (Ref: par. A143)
ii. Audits or other engagements for which the firm determines that an engagement
quality review is an appropriate response to address one or more quality risks (Ref:
par. A144–A147)
Monitoring and Remediation Process
36. The firm should establish a monitoring and remediation process to (Ref: par. A148)
a. provide relevant, reliable, and timely information about the design, implementation,
and operation of the system of quality management.
b. take appropriate actions to respond to identified deficiencies such that deficiencies
are remediated on a timely basis.
Designing and Performing Monitoring Activities
37. The firm should design and perform monitoring activities to provide a basis for the
identification of deficiencies.
38. In determining the nature, timing, and extent of the monitoring activities, the firm should
take the following into account: (Ref: par. A149–A152)
a. The reasons for the assessments given to the quality risks
b. The design of the responses
c. The design of the firm’s risk assessment process and monitoring and remediation
process (Ref: par. A153–A155)
d. Changes in the system of quality management (Ref: par. A156)
e. The results of previous monitoring activities, whether previous monitoring activities
continue to be relevant in evaluating the firm’s system of quality management and
whether remedial actions to address previously identified deficiencies were effective
(Ref: par. A157–A158)
f. Other relevant information, including complaints and allegations about failures to
perform work in accordance with professional standards and applicable legal and
regulatory requirements or noncompliance with the firm’s policies or procedures
established in accordance with this SQMS, information from external inspections,
and information from service providers (Ref: par. A159–A161)
39. The firm should include the inspection of completed engagements in its monitoring
activities and should determine which engagements and engagement partners to select. In doing
so, the firm should (Ref: par. A150 and A162–A166)
a. take into account the matters in paragraph 38;

Page 19 of 80
 b. consider the nature, timing, and extent of other monitoring activities undertaken by
the firm and the engagements and engagement partners subject to such monitoring
activities; (Ref: par. A167–A168) and
c. select at least one completed engagement for each engagement partner on a cyclical
basis determined by the firm.
40. The firm should establish policies or procedures that
a. require the individuals performing the monitoring activities to have the competence
and capabilities, including sufficient time, to perform the monitoring activities
effectively; and
b. address the objectivity of the individuals performing the monitoring activities, based
on the premise that objectivity is enhanced when the engagement team members or
the engagement quality reviewer of an engagement are not involved in performing
any monitoring activities related to that engagement. (Ref: par. A169–A173)

Evaluating Findings and Identifying Deficiencies

41. The firm should evaluate findings to determine whether deficiencies exist, including in the
monitoring and remediation process. (Ref: par. A174–A178)
Evaluating Identified Deficiencies
42. The firm should evaluate the severity and pervasiveness of identified deficiencies by (Ref:
par. A177 and A179–A180)
a. investigating the root causes of the identified deficiencies. In determining the nature,
timing, and extent of the procedures to investigate the root causes, the firm should
take into account the nature of the identified deficiencies and their possible severity.
(Ref: par. A181–A185)
b. evaluating the effect of the identified deficiencies, individually and in aggregate, on
the system of quality management.
Responding to Identified Deficiencies
43. The firm should design and implement remedial actions to address identified deficiencies
that are responsive to the results of the root cause analysis. (Ref: par. A186–A188)
44. The individual or individuals assigned operational responsibility for the monitoring and
remediation process should evaluate whether the remedial actions
a. are appropriately designed to address the identified deficiencies and their related root
causes and determine that they have been implemented.
b. implemented to address previously identified deficiencies are effective.
45. If the evaluation indicates that the remedial actions are not appropriately designed and
implemented or are not effective, the individual or individuals assigned operational responsibility
for the monitoring and remediation process should take appropriate action to determine that the
remedial actions are appropriately modified such that they are effective.
Findings About a Particular Engagement

Page 20 of 80
46. The firm should respond to circumstances in which findings indicate that there is an
engagement for which required procedures were omitted during the performance of the
engagement, or that the report issued may be inappropriate. The firm’s response should include
the following: (Ref: par. A189)
a. Taking appropriate action to comply with relevant professional standards and
applicable legal and regulatory requirements
b. When the report is considered to be inappropriate, considering the implications and
taking appropriate action, including considering whether to obtain legal advice
Ongoing Communication Related to Monitoring and Remediation
47. The individual or individuals assigned operational responsibility for the monitoring and
remediation process should communicate the following on a timely basis to the individual or
individuals assigned ultimate responsibility and accountability for the system of quality
management and the individual or individuals assigned operational responsibility for the system of
quality management: (Ref: par. A190)
a. A description of the monitoring activities performed
b. The identified deficiencies, including the severity and pervasiveness of such
deficiencies
c. The remedial actions to address the identified deficiencies
48. The firm should communicate the matters described in paragraph 47 to engagement teams
and other individuals assigned activities within the system of quality management to enable them
to take prompt and appropriate action in accordance with their responsibilities.
Network Requirements or Network Services

49. When the firm belongs to a network, the firm should understand the following, when
applicable: (Ref: par. A20 and A191–A193)
a. The requirements established by the network regarding the firm’s system of quality
management, including requirements for the firm to implement or use resources or
services designed or otherwise provided by or through the network (that is, network
requirements)
b. Any services or resources provided by the network that the firm chooses to implement
or use in the design, implementation, or operation of the firm’s system of quality
management (that is, network services)
c. The firm’s responsibilities for any actions that are necessary to implement the network
requirements or use network services (Ref: par. A194)
The firm remains responsible for its system of quality management, including professional
judgments made in the design, implementation, and operation of the system of quality
management. The firm should not allow compliance with the network requirements or use
of network services to contravene the requirements of this SQMS. (Ref: par. A20 and
A195)
50. Based on the understanding obtained in accordance with paragraph 49, the firm should

Page 21 of 80
 a. determine how the network requirements or network services are relevant to, and are
taken into account in, the firm’s system of quality management, including how they
are to be implemented. (Ref: par. A196)
b. evaluate whether and, if so, how the network requirements or network services need
to be adapted or supplemented by the firm to be appropriate for use in its system of
quality management. (Ref: par. A197–A199)
Monitoring Activities Undertaken by the Network on the Firm’s System of Quality
Management
51. For circumstances in which the network performs monitoring activities relating to the
firm’s system of quality management, the firm should
a. determine the effect of the monitoring activities performed by the network on the
nature, timing, and extent of the firm’s monitoring activities performed in accordance
with paragraphs 37–39;
b. determine the firm’s responsibilities in relation to the monitoring activities, including
any related actions by the firm; and
c. as part of evaluating findings and identifying deficiencies in paragraph 41, obtain the
results of the monitoring activities from the network in a timely manner. (Ref: par.
A200)
Monitoring Activities Undertaken by the Network Across the Network Firms
52. The firm should
a. understand the overall scope of the monitoring activities undertaken by the network
across the network firms, including monitoring activities to determine that network
requirements have been appropriately implemented across the network firms, and
how the network will communicate the results of its monitoring activities to the firm.
b. at least annually, obtain information from the network about the overall results of the
network’s monitoring activities across the network firms, if applicable, and (Ref: par.
A201–A203)
i. communicate the information to engagement teams and other individuals
assigned activities within the system of quality management, as appropriate, to
enable them to take prompt and appropriate action in accordance with their
responsibilities, and
ii. consider the effect of the information on the firm’s system of quality
management.
Deficiencies in Network Requirements or Network Services Identified by the Firm
53. If the firm identifies a deficiency in the network requirements or network services, the firm
should (Ref: par. A204)
a. communicate to the network relevant information about the identified deficiency, and
b. in accordance with paragraph 43, design and implement remedial actions to address
the effect of the identified deficiency in the network requirements or network

Page 22 of 80
 services. (Ref: par. A205)
Evaluating the System of Quality Management

54. The individual or individuals assigned ultimate responsibility and accountability for the
system of quality management should evaluate, on behalf of the firm, the system of quality
management. The evaluation should be undertaken as of a point in time and performed at least
annually. (Ref: par. A206–A209)
55. Based on the evaluation, the individual or individuals assigned ultimate responsibility and
accountability for the system of quality management should conclude, on behalf of the firm, one
of the following: (Ref: par. A210 and A217)
a. The system of quality management provides the firm with reasonable assurance that
the objectives of the system of quality management are being achieved. (Ref: par.
A2011)
b. Except for matters related to identified deficiencies that have a severe but not
pervasive effect on the design, implementation, and operation of the system of quality
management, the system of quality management provides the firm with reasonable
assurance that the objectives of the system of quality management are being achieved.
(Ref: par. A212)
c. The system of quality management does not provide the firm with reasonable
assurance that the objectives of the system of quality management are being achieved.
(Ref: par. A212–A216)
56. If the individual or individuals assigned ultimate responsibility and accountability for the
system of quality management reaches the conclusion described in paragraph 55b or 55c, the firm
should do the following: (Ref: par. A218)
a. Take prompt and appropriate action.
b. Communicate to
i. engagement teams and other individuals assigned activities within the system
of quality management to the extent that it is relevant to their responsibilities,
and (Ref: par. A219)
ii. external parties in accordance with the firm’s policies or procedures required
by paragraph 35e. (Ref: par. A220)
57. The firm should undertake periodic performance evaluations of the individual or individuals
assigned ultimate responsibility and accountability for the system of quality management and the
individual or individuals assigned operational responsibility for the system of quality management.
In doing so, the firm should take into account the evaluation of the system of quality management.
(Ref: par. A221–A223)
Documentation

58. The firm should prepare documentation of its system of quality management that is
sufficient to (Ref: par. A224–A226)
a. support a consistent understanding of the system of quality management by personnel,

Page 23 of 80
 including an understanding of their roles and responsibilities with respect to the
system of quality management and performing engagements.
b. support the consistent implementation and operation of the responses.
c. provide evidence of the design, implementation, and operation of the responses to
support the evaluation of the system of quality management by the individual or
individuals assigned ultimate responsibility and accountability for the system of
quality management.
59. In preparing documentation, the firm should include the following:
a. Identification of the individual or individuals assigned ultimate responsibility and
accountability for the system of quality management and operational responsibility
for the system of quality management
b. The firm’s quality objectives and quality risks (Ref: par. A227)
c. A description of the responses and how the firm’s responses address the quality risks
d. Regarding the monitoring and remediation process,
i. evidence of the monitoring activities performed;
ii. the evaluation of findings, and identified deficiencies and their related root causes;
and
iii. remedial actions to address identified deficiencies and the evaluation of the design
and implementation of such remedial actions
iv. communications about monitoring and remediation
e. The conclusion reached pursuant to paragraph 55 and the basis for that conclusion

60. The firm should document the matters in paragraph 59 as they relate to network requirements
or network services and the evaluation of the network requirements or network services in accordance
with paragraph 50b. (Ref: par. A228)
61. The firm should establish a period of time for the retention of documentation for the system
of quality management that is sufficient to enable the firm and its peer reviewer to monitor the
design, implementation, and operation of the firm’s system of quality management or for a longer
period if required by law or regulation.

Application and Other Explanatory Material

Scope of This Statement on Quality Management Standards (Ref: par. 3–4)

A1. The AICPA code establishes the fundamental principles of professional ethics, which
include the obligation to act in a way that serves the public interest.2 As indicated in paragraph 16,
in the context of engagement performance as described in this SQMS, the consistent performance
of quality engagements forms part of the obligation to act in the public interest.

2
Paragraph .01 of ET section 0.300.030.

Page 24 of 80
The Firm’s System of Quality Management (Ref: par. 7–10)

A2. The firm may use different terminology or frameworks to describe the components of its
system of quality management.
A3. Examples of the interconnected nature of the components include the following:
• The firm’s risk assessment process sets out the process the firm is required to follow
in implementing a risk-based approach across the system of quality management.
• The governance and leadership component establishes the environment that
supports the system of quality management.
• The resources and information and communication components enable the design,
implementation, and operation of the system of quality management.
• The monitoring and remediation process is designed to monitor the entire system of
quality management. The results of the monitoring and remediation process provide
information that is relevant to the firm’s risk assessment process.
• There may be relationships between specific matters; for example, certain aspects
of relevant ethical requirements are relevant to accepting and continuing client
relationships and specific engagements.
A4. Reasonable assurance is obtained when the system of quality management reduces to an
acceptably low level the risk that the objectives stated in paragraph 15a–b are not achieved.
Reasonable assurance is not an absolute level of assurance because there are inherent limitations
of a system of quality management. Such limitations include the fact that human judgment in
decision making can be faulty and that breakdowns in a firm’s system of quality management may
occur, for example, due to human error or behavior or failures in IT applications.
Authority of This Standard (Ref: par. 13)

A5. The objective of this SQMS provides the context in which the requirements of this SQMS
are set, establishes the desired outcome of this SQMS, and is intended to assist the firm in
understanding what needs to be accomplished and, when necessary, the appropriate means of doing
so.
A6. The requirements of this SQMS are expressed using the word should.
A7. When necessary, the application and other explanatory material provides further
explanation of the requirements and guidance for carrying them out. In particular, it may
• explain more precisely what a requirement means or is intended to cover, and
• include examples that illustrate how the requirements might be applied.
Although such guidance does not, in itself, impose a requirement, it is relevant to the proper
application of the requirements. The application and other explanatory material may also provide
background information on matters addressed in this SQMS. These additional considerations assist
in the application of the requirements in this SQMS. They do not, however, limit or reduce the
responsibility of the firm to apply and comply with the requirements in this SQMS.

Page 25 of 80
A8. This SQMS includes, under the heading “Definitions,” a description of the meanings
attributed to certain terms for purposes of this SQMS. These definitions are provided to assist in
the consistent application and interpretation of this SQMS and are not intended to override
definitions that may be established for other purposes, whether in law, regulation, or otherwise.

Definitions

Accounting and Auditing Practice (Ref: par. 17)

A9. Standards promulgated by the ASB and ARSC that apply to engagements covered
by this SQMS comprise the following:
• Statements on Auditing Standards (SASs)
• Statements on Standards for Attestation Engagements (SSAEs)
• Statements on Standards for Accounting and Review Services (SSARSs)
Although standards for other engagements may be promulgated by other AICPA technical
committees, engagements performed in accordance with those standards are not encompassed in
the definition of an accounting and auditing practice.

Deficiency (Ref: par. 17)

A10. The firm identifies deficiencies by evaluating findings. A deficiency may arise from a
finding or a combination of findings.
A11. When a deficiency is identified as a result of a quality risk, or combination of quality risks,
not being identified or properly assessed, the responses to address such quality risks may also be
absent or not appropriately designed or implemented.
A12. The other aspects of the system of quality management consist of the requirements in this
SQMS addressing the following:
• Assigning responsibilities (paragraphs 21–22)
• The firm’s risk assessment process
• The monitoring and remediation process
• The evaluation of the system of quality management
A13. Examples of deficiencies related to other aspects of the system of quality management
include the following:
• The firm’s risk assessment process fails to identify information that indicates changes
in the nature and circumstances of the firm and its engagements and the need to
establish additional quality objectives or modify the quality risks or responses.
• The firm’s monitoring and remediation process is not designed or implemented in a
manner that
— provides relevant, reliable, and timely information about the design,
implementation, and operation of the system of quality management.

Page 26 of 80
 — enables the firm to take appropriate actions to respond to identified deficiencies
such that deficiencies are remediated on a timely basis.
• The individual or individuals assigned ultimate responsibility and accountability for the
system of quality management do not undertake the annual evaluation of the system of
quality management.

Engagement Team (Ref: par. 17)

A14. SAS No. 1463 provides guidance in applying the definition of engagement team in the
context of an audit of financial statements. AU-C section 600, Special Considerations — Audits of
Group Financial Statements (Including the Work of Component Auditors),4 expands on how SAS
No. 146 is to be applied in relation to an audit of group financial statements. The quality risks and
responses to those risks relevant to group audit engagements may be different for engagement team
members who are firm personnel than for engagement team members who are external to the firm
(for example, engagement team members who are from network firms or are service providers,
such as component auditors from firms not within the firm’s network).
External Inspections (Ref: par. 17)
A15. In some circumstances, an external oversight authority, such as the U.S. Department of
Labor, may undertake other types of inspections, for example, reviews that focus on, for a selection
of firms, particular aspects of audit engagements or firm-wide practices.
Findings (Ref: par. 17)
A16. As part of accumulating findings from monitoring activities, external inspections, and other
relevant sources, the firm may identify other observations about the firm’s system of quality
management, such as positive outcomes or opportunities for the firm to improve, or further
enhance, the system of quality management. Paragraph A168 explains how other observations may
be used by the firm in the system of quality management.
A17. Paragraph A157 provides examples of information from other relevant sources.
A18. Monitoring activities include monitoring at the engagement level, such as inspection of
engagements. Furthermore, external inspections and other relevant sources may include
information that relates to specific engagements. As a result, information about the design,
implementation, and operation of the system of quality management includes engagement-level
findings that may be indicative of findings in relation to the system of quality management.
Firm (Ref: par. 17)
A19. The definition of firm in relevant ethical requirements may differ from the definition set
out in this SQMS.
Network (Ref: par. 17 and 49)

3
Paragraphs A15–A21 of Statement on Auditing Standards (SAS) No. 146, Quality Management for an
Engagement Conducted in Accordance With Generally Accepted Auditing Standards.
4
All AU-C sections can be found in AICPA Professional Standards.

Page 27 of 80
A20. Networks and the firms within the network may be structured in a variety of ways. For
example, in the context of a firm’s system of quality management,
• the network may establish requirements for the firm related to its system of quality
management or provide services that are used by the firm in its system of quality
management or in performing engagements.
• other firms within the network may provide services (for example, resources) that are
used by the firm in its system of quality management or in performing engagements.
• other structures or organizations within the network may establish requirements for the
firm related to its system of quality management or provide services.
For the purposes of this standard, any network requirements or network services that are
obtained from the network, another firm within the network, or another structure or
organization in the network are considered “network requirements or network services.”
Personnel (Ref: par. 17)
A21. In addition to personnel (that is, individuals in the firm), the firm may use individuals
external to the firm in performing activities in the system of quality management or in performing
engagements. For example, individuals external to the firm may include individuals from other
network firms (for example, individuals in a service delivery center of a network firm) or
individuals employed by a service provider (for example, a component auditor from another firm
not within the firm’s network).
A22. Personnel also includes partners and staff in other structures of the firm, such as a service
delivery center in the firm.
Relevant Ethical Requirements (Ref: par. 17 and 30)
A23. The relevant ethical requirements that are applicable in the context of a system of quality
management may vary, depending on the nature and circumstances of the firm and its
engagements. The AICPA code acknowledges that federal, state, or local statutes, rules, or
regulations may be more restrictive than the AICPA code.
A24. Various provisions of the relevant ethical requirements may apply only to individuals in
the context of the performance of engagements and not the firm itself. For example, the “Integrity
and Objectivity Rule” of the AICPA code (ET sec. 1.100.001) prohibits individuals from
knowingly misrepresenting facts or subordinating their judgment when performing professional
services for a client or for an employer. Compliance with such relevant ethical requirements by
individuals may need to be addressed by the firm’s system of quality management.
Response (Ref: par. 17)
A25. Policies are implemented through the actions of personnel and other individuals whose
actions are subject to the policies (including engagement teams) or through their restraint from
taking actions that would conflict with the firm’s policies.
A26. Procedures may be mandated, through formal documentation or other communications, or
may result from behaviors that are not mandated but, rather, are conditioned by the firm’s culture.
Procedures may be enforced through the actions permitted by IT applications or other aspects of
the firm’s IT environment.

Page 28 of 80
A27. If the firm uses individuals external to the firm in the system of quality management or in
performing engagements, different policies or procedures may need to be designed by the firm to
address the actions of the individuals. SAS No. 1465 provides guidance when different policies or
procedures may need to be designed by the firm to address the actions of individuals external to
the firm in the context of an audit of financial statements.
Service Provider (Ref: par. 17)
A28. Service providers include component auditors from other firms not within the firm’s
network.
Applying, and Complying With, Relevant Requirements (Ref: par. 18)

A29. Examples of when a requirement of this SQMS may not be relevant to the firm include the
following:
• The firm is a sole practitioner. For example, the requirements addressing the
organizational structure and assigning roles, responsibilities, and authority within the
firm; direction, supervision, and review; and addressing differences of opinion may not
be relevant.
• The firm only performs engagements that are preparation of financial statements
engagements in accordance with AR-C section 70, Preparation of Financial
Statements. For example, because the firm is not required to maintain independence for
preparation of financial statements engagements, the requirement to obtain a
documented confirmation of compliance with independence requirements from all
personnel would not be relevant.

System of Quality Management

Design, Implement, and Operate a System of Quality Management (Ref: par. 20)
A30. Quality management is not a separate function of the firm; it is the integration of a culture
that demonstrates a commitment to quality with the firm’s strategy, operational activities, and
business processes. As a result, designing the system of quality management and the firm’s
operational activities and business processes in an integrated manner may promote a harmonious
approach to managing the firm and enhance the effectiveness of quality management.
A31. The quality of professional judgments exercised by the firm is likely to be enhanced when
individuals making such judgments demonstrate an attitude that includes an inquiring mind, which
involves
• considering the source, relevance, and sufficiency of information obtained about the
system of quality management, including information related to the nature and
circumstances of the firm and its engagements, and
• being open and alert to a need for further investigation or other action.

5
Paragraphs A23–A25 of SAS No. 146.

Page 29 of 80
Responsibilities (Ref: par. 21–22 and 29d)
A32. The governance and leadership component includes a quality objective that the firm has an
organizational structure and assignment of roles, responsibilities, and authority that is appropriate
to enable the design, implementation, and operation of the firm’s system of quality management.
A33. Notwithstanding the assignment of responsibilities related to the system of quality
management in accordance with paragraph 21, the firm remains ultimately responsible for the
system of quality management and holding individuals responsible and accountable for their
assigned roles. For example, in accordance with paragraphs 54 and 55, although the firm assigns
the evaluation of the system of quality management and conclusion thereon to the individual or
individuals assigned ultimate responsibility and accountability for the system of quality
management, the firm is responsible for the evaluation and conclusion.
A34. Individuals who have the appropriate influence and authority within the firm, as required by
paragraph 22, to be assigned responsibility for the matters in paragraph 21 are typically partners
of the firm. However, based on the legal structure of the firm, there may be circumstances in which
an individual may not be a partner of the firm, but the individual has the appropriate influence and
authority within the firm to perform the assigned role because of formal arrangements made by
the firm or the firm’s network.
A35. How the firm assigns roles, responsibilities, and authority within the firm may vary, and
law or regulation may impose certain requirements for the firm that affect the leadership and
management structure or their assigned responsibilities. An individual assigned responsibility for
a matter in paragraph 21 may further assign roles, procedures, tasks, or actions to other individuals
to assist the individual in fulfilling the responsibilities. However, an individual assigned
responsibility for a matter in paragraph 22 remains responsible and accountable for the
responsibilities assigned to the individual.
A36. An example of scalability to demonstrate how assigning roles and responsibilities may be
undertaken in firms of different complexity is as follows:
• In a less complex firm, ultimate responsibility and accountability for the system of quality
management may be assigned to a single managing partner with sole responsibility for the
oversight of the firm. This individual may also assume responsibility for all aspects of the
system of quality management, including operational responsibility for the system of
quality management, compliance with independence requirements, and the monitoring and
remediation process.
• In a more complex firm, the organizational structure of the firm may include multiple levels
of leadership, and the firm may have an independent governing body that has nonexecutive
oversight of the firm, which may comprise external individuals. Furthermore, the firm may
assign operational responsibility for specific aspects of the system of quality management
beyond those specified in paragraph 21c, such as operational responsibility for compliance
with ethical requirements or operational responsibility for managing a service line.
A37. Compliance with independence requirements is essential to the performance of
engagements in a firm’s accounting and auditing practice and is an expectation of stakeholders
relying on the firm’s reports. The individual or individuals assigned operational responsibility for
compliance with independence requirements are ordinarily responsible for the oversight of all

Page 30 of 80
matters related to independence so that a robust and consistent approach is designed and
implemented by the firm to deal with independence requirements.
A38. Law, regulation, or professional standards may establish additional requirements for an
individual assigned responsibility for a matter in paragraph 21, such as requirements for
professional licensing, professional education, or continuing professional development.
A39. The appropriate experience and knowledge for the individual or individuals assigned
operational responsibility for the system of quality management ordinarily includes an
understanding of the firm’s strategic decisions and actions and experience with the firm’s business
operations.
The Firm’s Risk Assessment Process (Ref: par. 24)

A40. How the firm designs the firm’s risk assessment process may be affected by the nature and
circumstances of the firm, including how the firm is structured and organized.
Examples of scalability to demonstrate how the firm’s risk assessment process may differ from
that of other firms include the following:
• In a less complex firm, the individual or individuals assigned operational responsibility for
the system of quality management may have a sufficient understanding of the firm and its
engagements to undertake the risk assessment process. Furthermore, the documentation of
the quality objectives, quality risks, and responses may be less extensive than for a more
complex firm (for example, it may be documented in a single document).
• In a more complex firm, there may be a formal risk assessment process involving multiple
individuals and numerous activities. The process may be centralized (for example, the
quality objectives, quality risks, and responses are established centrally for all business
units, functions, and service lines) or decentralized (for example, the quality objectives,
quality risks, and responses are established at a business unit, function, or service line level,
with the outputs combined at the firm level). The firm’s network may also provide the firm
with quality objectives, quality risks, and responses to be included in the firm’s system of
quality management.
A41. The process of establishing quality objectives, identifying and assessing quality risks, and
designing and implementing responses is iterative, and the requirements of this SQMS are not
intended to be addressed in a linear manner. Examples of the iterative and nonlinear nature of the
firm’s risk assessment process include the following:
• In identifying and assessing quality risks, the firm might determine that an additional
quality objective needs to be established.
• When designing and implementing responses, the firm might determine that a quality
risk was not identified and assessed.
A42. Information sources that enable the firm to establish quality objectives, identify and assess
quality risks, and design and implement responses are part of the firm’s information and
communication component and include the following:
• The results of the firm’s monitoring and remediation process (see paragraphs 43 and
A169)

Page 31 of 80
 • Information from the network or service providers, including
— information about network requirements or network services (see paragraph 49)
— other information from the network, including information about the results of
monitoring activities undertaken by the network across the network firms (see
paragraphs 51–52)
Other information, whether internal or external, may also be relevant to the firm’s risk
assessment process, such as the following:
• Information regarding complaints and allegations about failures to perform work in
accordance with professional standards and applicable legal and regulatory
requirements or noncompliance with the firm’s policies or procedures established in
accordance with this SQMS
• The results of external inspections
• Information from regulators about the entities for whom the firm performs
engagements that is made available to the firm, such as information from a securities
regulator about an entity for whom the firm performs engagements (for example,
irregularities in the entity’s financial statements or noncompliance with securities
regulations)
• Changes in the system of quality management that affect other aspects of the system;
for example, changes in the firm’s resources
• Other external sources, such as regulatory actions and litigation against the firm or
other firms in the jurisdiction that may highlight areas for the firm to consider
Establish Quality Objectives (Ref: par. 25)

A43. Law, regulation, or professional standards may establish requirements that give rise to
additional quality objectives. For example, if a firm is required by law or regulation to appoint
nonexecutive individuals to the firm’s governance structure, the firm may consider it necessary to
establish additional quality objectives to address the requirements.
A44. While the nature and circumstances of the firm and its engagements are specific to the firm,
the quality objectives are sufficiently comprehensive such that it is unlikely that the firm would
find it necessary to establish additional quality objectives.
A45. The firm may establish sub-objectives to enhance the firm’s identification and assessment
of quality risks and design and implementation of responses.
Identify and Assess Quality Risks (Ref: par. 26)
A46. There may be other conditions, events, circumstances, actions, or inactions not described
in paragraph 26a that may adversely affect the achievement of a quality objective.
A47. A risk arises from how, and the degree to which, a condition, event, circumstance, action,
or inaction may adversely affect the achievement of a quality objective. Not all risks meet the
definition of a quality risk. Professional judgment assists the firm in determining whether a risk is
a quality risk, which is based on the firm’s consideration of whether there is a reasonable

Page 32 of 80
possibility of the risk occurring and, individually or in combination with other risks, adversely
affecting the achievement of one or more quality objectives.
A48. Examples of the firm’s understanding of the conditions, events, circumstances, actions, or
inactions that may adversely affect the achievement of the quality objectives and the related quality
risks are as follows:

Examples of the firm’s understanding of the Examples of quality risks that may
conditions, events, circumstances, actions, or arise
inactions that may adversely affect the
achievement of the quality objectives

The strategic and operational decisions and In the context of governance and
actions, business processes, and business model leadership, this may give rise to a number
of the firm: The firm’s overall financial goals are of quality risks such as the following:
overly dependent on the extent of services
provided by the firm not within the scope of this • Resources are allocated or assigned in
SQMS. a manner that prioritizes the services
not within the scope of this SQMS and
may negatively affect the quality of
engagements within the scope of this
SQMS.

• Decisions about financial and

operational priorities do not fully or
adequately consider the importance of
quality in performing engagements
within the scope of this SQMS.

The characteristics and management style of In the context of governance and

leadership: The firm is a smaller firm with a few leadership, this may give rise to a number
engagement partners with shared authority. of quality risks such as the following:

• Leadership’s responsibilities and

accountability for quality are not
clearly defined and assigned.

• The actions and behaviors of

leadership that do not promote quality
are not questioned.

Page 33 of 80
The complexity and operating characteristics of In the context of resources, this may give
the firm: The firm has recently completed a rise to a number of quality risks, including
merger with another firm. the following:

• Technological resources used by the

two merged firms may be
incompatible.

• Engagement teams may use

intellectual resources developed by a
firm prior to the merger, which are no
longer consistent with the new
methodology being used by the new
merged firm.

A49. Given the evolving nature of the system of quality management, the responses designed
and implemented by the firm may give rise to conditions, events, circumstances, actions, or
inactions that result in further quality risks. For example, the firm may implement a resource (for
example, a technological resource) to address a quality risk, and quality risks may arise from the
use of such resource.
A50. The degree to which a risk, individually or in combination with other risks, may adversely
affect the achievement of a quality objective may vary based on the conditions, events,
circumstances, actions, or inactions giving rise to the risk, taking matters such as the following
into account:
• How the condition, event, circumstance, action, or inaction would affect the
achievement of the quality objective
• How frequently the condition, event, circumstance, action, or inaction is expected to
occur
• How long it would take after the condition, event, circumstance, action, or inaction
occurred for it to have an effect, and whether in that time the firm would have an
opportunity to respond to mitigate the effect of the condition, event, circumstance,
action, or inaction
• How long the condition, event, circumstance, action, or inaction would affect the
achievement of the quality objective once it has occurred
The assessment of quality risks need not comprise formal ratings or scores, although firms are
not precluded from using them.

Design and Implement Responses to Address the Quality Risks (Ref: par. 17 and 27)
A51. The nature, timing, and extent of the responses are based on the reasons for the assessment
given to the quality risks.

Page 34 of 80
A52. The responses designed and implemented by the firm may operate at the firm level or
engagement level, or there may be a combination of responsibilities for actions to be taken at the
firm and engagement level. An example of a response designed and implemented by the firm that
operates at both the firm and engagement level is as follows:
The firm establishes policies or procedures for consultation, which include with whom
consultation should be undertaken by engagement teams and the specific matters for which
consultation is required. The firm appoints suitably qualified and experienced individuals to
provide the consultations. The engagement team is responsible for identifying when matters
for consultation occur, initiating consultation, and implementing the conclusions from
consultation.6

A53. The need for formally documented policies or procedures may be greater for firms that
have many personnel or that are geographically dispersed, in order to achieve consistency across
the firm.
Changes in the Nature and Circumstances of the Firm or Its Engagements (Ref: par. 28)

A54. Examples of scalability to demonstrate how policies or procedures for identifying

information about changes in the nature and circumstances of the firm and its engagements may
vary from other firms include the following:
• In a less complex firm, the firm may have informal policies or procedures to identify
information about changes in the nature and circumstances of the firm or its engagements,
particularly when the individual or individuals responsible for establishing quality
objectives, identifying and assessing quality risks, and designing and implementing
responses are able to identify such information in the normal course of their activities.
• In a more complex firm, the firm may need to establish more formal policies or procedures
to identify and consider information about changes in the nature and circumstances of the
firm or its engagements. This may include, for example, a periodic review of information
relating to the nature and circumstances of the firm and its engagements, including
ongoing tracking of trends and occurrences in the firm’s internal and external
environment.
A55. Additional quality objectives may need to be established, or quality risks and responses
added to or modified, as part of the remedial actions undertaken by the firm to address an identified
deficiency in accordance with paragraph 43.
A56. The firm may have established quality objectives in addition to those specified by this
SQMS. The firm may also identify information that indicates that additional quality objectives
previously established by the firm are no longer needed or need to be modified.
Governance and Leadership

Commitment to Quality (Ref: par. 29a)

A57. The firm’s culture is an important factor in influencing the behavior of personnel. Relevant
ethical requirements ordinarily establish the principles of professional ethics and are further

6
Paragraph 35 of SAS No. 146.

Page 35 of 80
addressed in the “Relevant Ethical Requirements” section of this SQMS. Professional values and
attitudes may include the following:
• Professional manner; for example, timeliness, courteousness, respect, accountability,
responsiveness, and dependability
• A commitment to teamwork
• Maintaining an open mind to new ideas or different perspectives in the professional
environment
• Pursuit of excellence
• A commitment to continual improvement (for example, setting expectations beyond
the minimum requirements and placing a focus on continual learning)
• Social responsibility
A58. The firm’s strategic decision-making process, including the establishment of a business
strategy, may include matters such as the firm’s decisions about financial and operational matters,
the firm’s financial goals, how financial resources are managed, growth of the firm’s market share,
industry specialization, or new service offerings. The firm’s financial and operational priorities
may directly or indirectly affect the firm’s commitment to quality; for example, the firm may have
incentives focused on financial and operational priorities that may discourage behaviors that
demonstrate a commitment to quality.

Leadership (Ref: par. 29b and 29c)

A59. The responses designed and implemented by the firm to hold leadership responsible and
accountable for quality include the performance evaluations required by paragraph 57.
A60. Although leadership establishes the tone at the top through its actions and behaviors, clear,
consistent, and frequent actions and communications at all levels within the firm collectively
contribute to the firm’s culture and demonstrate a commitment to quality.

Organizational Structure (Ref: par. 29d)

A61. The organizational structure of the firm may include operating units, operational processes,
divisions, or geographical locations and other structures. In some instances, the firm may
concentrate or centralize processes or activities in a service delivery center, and engagement teams
may include personnel from the firm’s service delivery center who perform specific tasks that are
repetitive or specialized in nature.

Resources (Ref: par. 29e)

A62. The individual or individuals assigned ultimate responsibility and accountability or
operational responsibility for the system of quality management are, in most cases, able to
influence the nature and extent of resources that the firm obtains, develops, uses, and maintains
and how those resources are allocated or assigned, including the timing of when they are used.
A63. Because resource needs may change over time, it may not be practicable to anticipate all
resource needs. The firm’s resource planning may involve determining the resources currently

Page 36 of 80
required, forecasting the firm’s future resource needs, and establishing processes to deal with
unanticipated resource needs when they arise.
Relevant Ethical Requirements (Ref: par. 17 and 30)
A64. The AICPA code sets out the fundamental principles of ethics that provide the framework
for the rules that govern the performance of professional responsibilities. The fundamental
principles are responsibilities, the public interest, integrity, objectivity and independence, due care,
and scope and nature of services. Independence requirements are set forth in the “Independence
Rule” (ET sec. 1.200.001) and related interpretations of the AICPA code and the rules of state
boards of accountancy and applicable regulatory agencies. Guidance on threats to independence
and safeguards to mitigate such threats involving matters that are not explicitly addressed in the
AICPA code are set forth in the “Conceptual Framework for Independence” (ET sec. 1.210.010).
A65. In some cases, the matters addressed by the firm in its system of quality management may
be more specific than, or additional to, the provisions of relevant ethical requirements. Examples
of matters that a firm may include in its system of quality management that are more specific than,
or additional to, the provisions of relevant ethical requirements include the following:
• The firm prohibits the acceptance of gifts and hospitality from a client, even if the value
is trivial and inconsequential.
• The firm sets rotation periods for all engagement partners, including those performing
attestation, review, and compilation engagements.
A66. Other components may affect or relate to the relevant ethical requirements component.
Examples of relationships between the relevant ethical requirements component and other
components include the following:
• The information and communication component may address the communication of
various matters related to relevant ethical requirements, including
— the firm communicating the independence requirements to all personnel and others
subject to independence requirements.
— personnel and engagement teams communicating relevant information to the firm
without fear of reprisals, such as situations that may create threats to independence
or breaches of relevant ethical requirements.
• As part of the resources component, the firm may
— assign individuals to manage and monitor compliance with relevant ethical
requirements or to provide consultation on matters related to relevant ethical
requirements.
— use IT applications to monitor compliance with relevant ethical requirements,
including recording and maintaining information about independence.
A67. The relevant ethical requirements that apply to others depend on the provisions of the
relevant ethical requirements and how the firm uses others in its system of quality management or
in performing engagements. Examples of relevant ethical requirements that apply to others include
the following:

Page 37 of 80
 • Relevant ethical requirements may include requirements for independence that apply to
network firms or employees of network firms; for example, the AICPA code includes
independence requirements that apply to network firms.
• Relevant ethical requirements may include a definition of engagement team or other
similar concept, and the definition may include any individual who performs assurance
procedures on the engagement (for example, a service provider engaged to attend a
physical inventory count at a remote location). Accordingly, any requirements of the
relevant ethical requirements that apply to the engagement team as defined in the relevant
ethical requirements, or other similar concept, may also be relevant to such individuals.
• The principle of confidentiality may apply to the firm’s network, other network firms, or
service providers when they have access to client information obtained by the firm.
A68. AU-C section 6007 states that when the component auditor is not subject to the AICPA
code, compliance with the ethics and independence requirements set forth in the International
Ethics Standards Board for Accountants (IESBA) International Code of Ethics for Professional
Accountants is sufficient to fulfill the component auditor’s ethical responsibilities in the group
audit.8 The firm may use, for example, confirmations, letters of representation, or other
affirmations from network firms, employees of network firms, or service providers regarding the
fulfillment of ethical requirements that are relevant to the firm.
Acceptance and Continuance of Client Relationships and Specific Engagements

The Nature and Circumstances of the Engagement and the Integrity and Ethical Values of the
Client (Ref: par. 31a(i))
A69. The information obtained about the nature and circumstances of the engagement may
include the following:
• The industry of the entity for which the engagement is being undertaken and relevant
regulatory factors
• The nature of the entity; for example, its operations, organizational structure,
ownership and governance, its business model, and how it is financed
• The nature of the underlying subject matter and the applicable criteria; for example, in
the case of sustainability reporting,
— the underlying subject matter may include social, environmental, or health and
safety information.
— the applicable criteria may be performance measures established by a recognized
body of specialists.

7
Paragraph .A46 of AU-C section 600, Special Considerations — Audits of Group Financial Statements (Including
the Work of Component Auditors).
8
The section, “Application of the AICPA Code” (ET sec. 0.200.020), of the AICPA Code of Professional Conduct
(AICPA code) explains that an AICPA member who is the group engagement partner will not be considered in
violation of the AICPA code if a component auditor practicing outside the United States departs from the AICPA
code with respect to the audit or review of group financial statements, as long as the component auditor’s conduct, at
a minimum, is in accordance with the ethics and independence requirements set forth in the International Ethics
Standards Board for Accountants International Code of Ethics for Professional Accountants.

Page 38 of 80
A70. The information obtained to support the firm’s judgments about the integrity and ethical
values of the client may include the identity and business reputation of the client’s principal
owners, key management, and those charged with its governance.
A71. Examples of factors that may affect the nature and extent of information obtained about
the integrity and ethical values of the client include the following:
• The nature of the entity for which the engagement is being performed, including the
complexity of its ownership and management structure
• The nature of the client’s operations, including its business practices
• Information concerning the attitude of the client’s principal owners, key management,
and those charged with its governance toward such matters as aggressive interpretation
of accounting standards and the internal control environment
• Whether the client is aggressively concerned with keeping the firm’s fees as low as
possible
• Indications of a client-imposed limitation in the scope of work
• Indications that the client might be involved in money laundering or other criminal
activities
• The reasons for the proposed appointment of the firm and non-reappointment of the
previous firm
• The identity and business reputation of related parties
A72. The firm may obtain the information from a variety of internal and external sources,
including the following:
• In the case of an existing client, information from current or previous engagements, if
applicable, or inquiry of other personnel who have performed other engagements for
the client.
• In the case of a new client, inquiry of existing or previous providers of auditing
services to the client, in accordance with relevant ethical requirements.
• Discussions with other third parties, such as bankers, legal counsel, and industry peers.
• Background searches of relevant databases (which may be intellectual resources). In
some cases, the firm may use a service provider to perform the background search.
A73. Information that is obtained during the firm’s acceptance and continuance process also may
often be relevant to the engagement team when planning and performing the engagement.
Professional standards may specifically require the engagement team to obtain or consider such
information. For example, SAS No. 1469 requires the engagement partner to take into account
information obtained in the acceptance and continuance process in planning and performing the
audit engagement.
A74. Professional standards or applicable legal and regulatory requirements may include
specific provisions that need to be addressed before accepting or continuing a client relationship

9
Paragraph 23 of SAS No. 146.

Page 39 of 80
or specific engagement and may also require the firm to make inquiries of an existing or
predecessor firm when accepting an engagement. For example, when there has been a change of
auditors, AU-C section 210, Terms of Engagement,10 requires the auditor, prior to starting an initial
audit, to request management to authorize the predecessor auditor to respond fully to the auditor’s
inquiries regarding matters that will assist the auditor in determining whether to accept the
engagement. The “Conflicts of Interest for Members in Public Practice” interpretation of the
AICPA code also addresses consideration of conflicts of interest in accepting or continuing a client
relationship or specific engagement (ET sec. 1.110.010).

The Firm’s Ability to Perform Engagements (Ref: par. 31a(ii))

A75. The firm’s ability to perform the engagement in accordance with professional standards and
applicable legal and regulatory requirements may be affected by the following:
• The availability of appropriate resources to perform the engagement
• Having access to information to perform the engagement or to the persons who provide
such information
• Whether the firm and the engagement team are able to fulfill their responsibilities in
relation to the relevant ethical requirements
A76. Examples of factors the firm may consider in determining whether appropriate resources
are available to perform the engagement include the following:
• The circumstances of the engagement and the reporting deadline.
• The availability of individuals with the appropriate competence and capabilities, including
sufficient time, to perform the engagement. This includes having
— individuals to take overall responsibility for directing and supervising the
engagement,
— individuals with knowledge of the relevant industry or the underlying subject matter
or criteria to be applied in the preparation of the subject matter information and
experience with relevant regulatory or reporting requirements, and
— individuals to perform audit procedures on the financial information of a component
for purposes of an audit of group financial statements.
• The availability of specialists, if needed.
• If an engagement quality review is needed, whether there is an individual available who
meets the eligibility requirements in SQMS No. 2.
• The need for technological resources; for example, IT applications that enable the
engagement team to perform procedures on the entity’s data.
• The need for intellectual resources; for example, a methodology, industry or subject-
matter-specific guides, or access to information sources.

10
Paragraph .11 of AU-C section 210, Terms of Engagement.

Page 40 of 80
The Firm’s Financial and Operational Priorities (Ref: par. 31b)
A77. Financial priorities may focus on the profitability of the firm, and fees obtained for
performing engagements have an effect on the firm’s financial resources. Operational priorities
may include strategic focus areas, such as growth of the firm’s market share, industry
specialization, or new service offerings. There may be circumstances in which the firm is satisfied
with the fee quoted for an engagement, but it is not appropriate for the firm to accept or continue
the engagement or client relationship (for example, when the client lacks integrity and ethical
values).
A78. There may be other circumstances in which the fee quoted for an engagement is not
sufficient given the nature and circumstances of the engagement, and it may diminish the firm’s
ability to perform the engagement in accordance with professional standards and applicable legal
and regulatory requirements. The “Fees and Other Types of Remuneration” rule of the AICPA
code addresses fees and other types of remuneration (ET section 1.500).
Engagement Performance

Responsibilities of the Engagement Team and Direction, Supervision, and Review (Ref: par.
32a and 32b)
A79. Professional standards or applicable legal and regulatory requirements may include
specific provisions regarding the overall responsibility of the engagement partner. For example,
SAS No. 146 deals with the overall responsibility of the engagement partner for managing and
achieving quality on the engagement and for being sufficiently and appropriately involved
throughout the engagement, including taking responsibility for appropriate direction and
supervision of the engagement team and review of its work.
A80. Examples of direction, supervision, and review include the following:
• Direction and supervision of the engagement team may include
— tracking the progress of the engagement,
— considering the following with respect to members of the engagement team:
o Whether they understand their instructions
o Whether the work is being carried out in accordance with the planned approach
to the engagement
— addressing matters arising during the engagement, considering their significance, and
modifying the planned approach appropriately, and
— identifying matters for consultation or consideration by more experienced engagement
team members during the engagement.
• A review of work performed may include considering whether
— the work has been performed in accordance with the firm’s policies or procedures,
professional standards, and applicable legal and regulatory requirements;
— significant matters have been raised for further consideration;

Page 41 of 80
 — appropriate consultations have been undertaken, and the resulting conclusions have
been documented and implemented;
— there is a need to revise the nature, timing, and extent of planned work;
— the work performed supports the conclusions reached and is appropriately
documented;
— the evidence obtained for an assurance engagement is sufficient and appropriate to
support the report; and
— the objectives of the engagement procedures have been achieved.
A81. In some circumstances, the firm may use personnel from a service delivery center in the
firm or individuals from a service delivery center in another network firm to perform procedures
on the engagement (that is, the personnel or other individuals are included in the engagement
team). In such circumstances, the firm’s policies or procedures may specifically address the
direction and supervision of the individuals and review of their work, such as
• what aspects of the engagement may be assigned to individuals in the service delivery
center;
• how the engagement partner, or their designee, is expected to direct, supervise, and
review the work undertaken by individuals in the service delivery center; and
• the protocols for communication between the engagement team and individuals in the
service delivery center.

Professional Judgment and Professional Skepticism (Ref: par. 32c)

A82. Professional skepticism supports the quality of judgments made on an assurance
engagement and, through these judgments, the overall effectiveness of the engagement team in
performing the assurance engagement. Other professional standards may address the exercise of
professional judgment or maintenance of professional skepticism at the engagement level. For
example, SAS No. 14611 provides examples of impediments to the maintenance of professional
skepticism at the engagement level, unconscious auditor biases that may impede the maintenance
of professional skepticism, and possible actions that the engagement team may take to mitigate
such impediments.

Consultation (Ref: par. 32d)

A83. Consultation typically involves a discussion at the appropriate professional level, with
individuals within or outside the firm who have specialized expertise on difficult or contentious
matters. An environment that reinforces the importance and benefit of consultation and encourages
engagement teams to consult may contribute to supporting a culture that demonstrates a
commitment to quality.
A84. Difficult or contentious matters on which consultation is needed may either be specified
by the firm, or the engagement team may identify matters that require consultation. The firm may
also specify how conclusions should be agreed upon and implemented.

11
Paragraphs A34–A36 of SAS No. 146.

Page 42 of 80
A85. SAS No. 14612 includes requirements for the engagement partner related to consultation.

Differences of Opinion (Ref: par. 32e)

A86. The firm may encourage identifying differences of opinion at an early stage and may
specify the steps to be taken in raising and dealing with them, including how the matter is to be
resolved and how the related conclusions should be implemented and documented. In some
circumstances, resolving differences of opinion may be achieved through consulting with another
practitioner or firm, or a professional or regulatory body.

Engagement Documentation (Ref: par. 32f )

A87. Law, regulation, or professional standards may prescribe the time limits by which the
assembly of final engagement files for specific types of engagements are to be completed. When
no such time limits are prescribed, the time limit may be determined by the firm. For example, in
the case of engagements conducted in accordance with the SSAEs or SSARSs, an appropriate time
limit within which to complete the assembly of the final engagement file is ordinarily not more
than 60 days after the date of the engagement report.
A88. The retention and maintenance of engagement documentation may include managing the
safe custody, integrity, accessibility, or retrievability of the underlying data and the related
technology. The retention and maintenance of engagement documentation may involve the use of
IT applications. The integrity of engagement documentation may be compromised if it is altered,
supplemented, or deleted without authorization to do so, or if it is permanently lost or damaged.
A89. Law, regulation, or professional standards may prescribe the retention periods for
engagement documentation. If the retention periods are not prescribed, the firm may consider the
nature of the engagements performed by the firm and the firm’s circumstances, including whether
the engagement documentation is needed to provide a record of matters of continuing significance
to future engagements. In the case of engagements conducted under generally accepted auditing
standards or the SSAEs, the retention period is ordinarily no shorter than five years from the date
of the engagement report or, if later, the date of the auditor’s report on the group financial
statements, when applicable.
Resources (Ref: par. 33)

A90. Resources for the purposes of the resources component include the following:
• Human resources
• Technological resources; for example, IT applications
• Intellectual resources; for example, written policies or procedures, a methodology, or
guides
Financial resources are also relevant to the system of quality management because they are
necessary for obtaining, developing, and maintaining the firm’s human resources, technological
resources, and intellectual resources. Given that the management and allocation of financial
resources is strongly influenced by leadership, the quality objectives in governance and leadership,
such as those that address financial and operational priorities, address financial resources.
12
Paragraph 35 of SAS No. 146.

Page 43 of 80
A91. Resources may be internal to the firm or may be obtained externally from the firm’s
network, another network firm, or service provider. Resources may be used in performing
activities within the firm’s system of quality management or in performing engagements as part of
operating the system of quality management. In circumstances in which a resource is obtained
from the firm’s network or another network firm, paragraphs 49–53 form part of the responses
designed and implemented by the firm in achieving the objectives in this component.

Human Resources
Hiring, Developing, and Retaining Personnel and Personnel Competence and Capabilities (Ref:
par. 33a and d)
A92. Competence is the ability of the individual to perform a role and goes beyond knowledge
of principles, standards, concepts, facts, and procedures; it is the integration and application of
technical competence, professional skills, and professional ethics, values, and attitudes.
Competence can be developed through a variety of methods, including professional education,
continuing professional development, training, work experience, or coaching of less experienced
engagement team members by more experienced engagement team members.
A93. Law, regulation, or professional standards may establish requirements addressing
competence and capabilities. For example, law or regulation may establish requirements for the
professional licensing of engagement partners, including requirements regarding their professional
education and continuing professional development.
A94. The policies or procedures designed and implemented by the firm relating to hiring,
developing, and retaining personnel may address, for example, the following:
• Recruiting individuals who have, or are able to develop, appropriate competence
• Training programs focused on developing the competence of personnel and continuing
professional development
• Evaluation mechanisms that are undertaken at appropriate intervals and include
competency areas and other performance measures
• Compensation, promotion, and other incentives, for all personnel, including
engagement partners and individuals assigned roles and responsibilities related to the
firm’s system of quality management

Personnel’s Commitment to Quality and Accountability and Recognition for Commitment to

Quality (Ref: par. 33b)
A95. Timely evaluations and feedback help support and promote the continual development of
the competence of personnel. Less formal methods of evaluation and feedback may be used, such
as in the case of firms with fewer personnel.
A96. Positive actions or behaviors demonstrated by personnel may be recognized through
various means, such as through compensation, promotion, or other incentives. In some
circumstances, simple or informal incentives that are not based on monetary rewards may be
appropriate.

Page 44 of 80
A97. The manner in which the firm holds personnel accountable for actions or behaviors that
negatively affect quality, such as failing to demonstrate a commitment to quality, develop and
maintain the competence to perform their role, or implement the firm’s responses as designed, may
depend on the nature of the action or behavior, including its severity and frequency of occurrence.
The following are some actions the firm may take when personnel demonstrate actions or
behaviors that negatively affect quality:
• Training or other professional development
• Considering the effect of the matter on the evaluation, compensation, promotion, or
other incentives of those involved
• Disciplinary action, if appropriate

Individuals Obtained From External Sources (Ref: par. 33c)

A98. Professional standards may include responsibilities for the engagement partner regarding
the appropriateness of resources. For example, SAS No. 14613 addresses the responsibility of the
engagement partner for determining that sufficient and appropriate resources to perform the
engagement are assigned or made available to the engagement team in a timely manner in
accordance with the firm’s policies or procedures.

Engagement Team Members Assigned to Each Engagement (Ref: par. 33d)

A99. Engagement team members may be assigned to engagements by
• the firm, including assigning personnel from a service delivery center in the firm.
• the firm’s network or another network firm when the firm uses individuals from the
firm’s network or another network firm to perform procedures on the engagement (for
example, a component auditor or a service delivery center of the network or another
network firm).
• a service provider when the firm uses individuals from a service provider to perform
procedures on the engagement (for example, a component auditor from a firm not
within the firm’s network).
A100. SAS No. 14614 addresses the responsibility of the engagement partner to determine that
members of the engagement team, and any auditor’s external specialists and internal auditors who
provide direct assistance (who are not part of the engagement team), collectively have the
appropriate competence and capabilities, including sufficient time, to perform the engagement. The
responses designed and implemented by the firm to address the competence and capabilities of
engagement team members assigned to the engagement may include policies or procedures that
address the following:
• Information that may be obtained by the engagement partner and factors to consider in
determining that the engagement team members assigned to the engagement, including
those assigned by the firm’s network, another network firm, or service provider, have
the competence and capabilities to perform the engagement

13
Paragraph 25 of SAS No. 146.
14
Paragraph 26 of SAS No. 146.

Page 45 of 80
 • How concerns about the competence and capabilities of engagement team members, in
particular those assigned by the firm’s network, another network firm, or service
provider, may be resolved
A101. The requirements in paragraphs 49–53 are also applicable when using individuals from the
firm’s network or another network firm on an engagement, including component auditors (see, for
example, paragraph A190).
Technological Resources (Ref: par. 33f )

A102. Technological resources, which are typically IT applications, form part of the firm’s IT
environment. The firm’s IT environment also includes the supporting IT infrastructure and the IT
processes and human resources involved in those processes:
• An IT application is a program or a set of programs that is designed to perform a
specific function directly for the user or, in some cases, for another application
program.
• The IT infrastructure comprises the IT network, operating systems, and databases and
their related hardware and software.
• The IT processes are the firm’s processes to manage access to the IT environment,
program changes or changes to the IT environment, and IT operations, which includes
monitoring the IT environment.
A103. A technological resource may serve multiple purposes within the firm, and some of the
purposes may be unrelated to the system of quality management. Technological resources that are
relevant for the purposes of this SQMS are as follows:
• Technological resources that are directly used in designing, implementing, or operating
the firm’s system of quality management
• Technological resources that are used directly by engagement teams in performing
engagements
• Technological resources that are essential to enabling the effective operation of the
preceding, such as, in relation to an IT application, the IT infrastructure and IT
processes supporting the IT application
A104. Examples of scalability to demonstrate how the technological resources that are relevant
for the purposes of this SQMS may differ in firms of different complexity include the following:
• In a less complex firm, the technological resources may comprise a commercial IT
application used by engagement teams that has been purchased from a service provider.
The IT processes that support the operation of the IT application may also be relevant,
although they may be simple (for example, processes for authorizing access to the IT
application and processing updates to the IT application).
• In a more complex firm, the technological resources may be more complex and may
comprise the following:
— Multiple IT applications, including custom-developed applications or applications
developed by the firm’s network, such as

Page 46 of 80
 o IT applications used by engagement teams (for example, engagement software
and automated audit tools) and
o IT applications developed and used by the firm to manage aspects of the
system of quality management (for example, IT applications to monitor
independence or assign personnel to engagements)
— The IT processes that support the operation of these IT applications, including the
individuals responsible for managing the IT infrastructure and processes and the
firm’s processes for managing program changes to IT applications
A105. The firm may consider the following matters in obtaining, developing, implementing, and
maintaining an IT application:
• The data inputs are complete and appropriate.
• Confidentiality of the data is preserved.
• The IT application operates as designed and achieves the purpose for which it is
intended.
• The outputs of the IT application achieve the purpose for which they will be used.
• The general IT controls necessary to support the IT application’s continued operation
as designed are appropriate.
• The need for specialized skills to use the IT application effectively, including the
training of individuals who will use the IT application.
• The need to develop procedures that set out how the IT application operates.
A106. The firm may specifically prohibit the use of IT applications or features of IT applications
until such time that it has been determined that they operate appropriately and have been approved
for use by the firm. Alternatively, the firm may establish policies or procedures to address
circumstances in which the engagement team uses an IT application that is not approved by the
firm. Such policies or procedures may require the engagement team to determine that the IT
application is appropriate for use prior to using it on the engagement, through considering the
matters in paragraph A102. SAS No. 14615 addresses the engagement partner’s responsibilities for
engagement resources.

Intellectual Resources (Ref: par. 33g)

A107. Intellectual resources include the information and materials the firm uses to enable the
operation of the system of quality management and promote consistency in performing
engagements. Examples of intellectual resources include written policies or procedures, a
methodology, industry or subject-matter-specific guides, accounting guides, standardized
documentation, or access to information sources (for example, subscriptions to websites that

15
Paragraphs 25–28 of SAS No. 146.

Page 47 of 80
provide in-depth information about entities or other information that is typically used in
performing engagements).
A108. Intellectual resources may be made available through technological resources; for example,
the firm’s methodology may be embedded in the IT application that facilitates the planning and
performance of the engagement.

Use of Technological and Intellectual Resources (Ref: par. 33f–g)

A109. The firm may establish policies or procedures regarding the use of the firm’s technological
and intellectual resources. Examples of such policies or procedures include the following:
• Requiring the use of certain IT applications or intellectual resources in performing
engagements, or relating to other aspects of the engagement, such as in archiving the
engagement file
• Specifying the qualifications or experience that individuals need to use the resource,
including the need for a specialist or training; for example, the firm may specify the
qualifications or expertise needed to use an IT application that analyzes data, given that
specialized skills may be needed to interpret the results
• Specifying the responsibilities of the engagement partner regarding the use of
technological and intellectual resources
• Setting out how the technological or intellectual resources are to be used, including
how individuals should interact with an IT application or how the intellectual resource
should be applied, and the availability of support or assistance in using the
technological or intellectual resource

Service Providers (Ref: par. 17 and 33h)

A110. In some circumstances, the firm may use resources that are provided by a service provider,
particularly in circumstances in which the firm does not have access to the appropriate resources
internally. Notwithstanding that a firm may use resources from a service provider, the firm remains
responsible for its system of quality management.
A111. Examples of resources from a service provider include the following:
• Individuals engaged to perform the firm’s monitoring activities or engagement quality
reviews, or to provide consultation on technical matters
• A commercial IT application used to perform audit engagements
• Individuals performing procedures on the firm’s engagements; for example,
component auditors from firms not within the firm’s network or individuals engaged to
attend a physical inventory count at a remote location
• An auditor’s external specialist used by the firm to assist the engagement team in
obtaining audit evidence
A112. In identifying and assessing quality risks, the firm is required to obtain an understanding
of the conditions, events, circumstances, actions, or inactions that may adversely affect the
achievement of the quality objectives, which includes conditions, events, circumstances, actions,
or inactions relating to service providers. In doing so, the firm may consider the nature of the

Page 48 of 80
resources provided by service providers, how and the extent to which they will be used by the firm,
and the general characteristics of the service providers used by the firm (for example, the varying
types of other professional services firms that are used) to identify and assess quality risks related
to the use of such resources.
A113. In determining whether a resource from a service provider is appropriate for use in the
firm’s system of quality management or performing engagements, the firm may obtain information
about the service provider and the resource it provides from a number of sources. The following
are matters the firm may consider:
• The related quality objective and quality risks. For example, in the case of a
methodology from a service provider, there may be quality risks related to the quality
objective in paragraph 33g, such as a quality risk that the service provider does not
update the methodology to reflect changes in professional standards and applicable
legal and regulatory requirements.
• The nature and scope of the resources and the conditions of the service (for example,
in relation to an IT application, how often updates will be provided, limitations on the
use of the IT application, and how the service provider addresses confidentiality of
data).
• The extent to which the resource is used across the firm, how the resource will be used
by the firm, and whether it is suitable for that purpose.
• The extent of customization of the resource for the firm.
• The firm’s previous use of the service provider.
• The service provider’s experience in the industry and reputation in the market.
• The results of attestation engagements performed by independent third parties on the
resource (for example, assurance engagements on quality control materials or reports
on service organization controls).
A114. The firm may have a responsibility to take further actions in using the resource from a
service provider so that the resource functions effectively. For example, the firm may need to
communicate information to the service provider in order for the resource to function effectively
or, in relation to an IT application, the firm may need to have supporting IT infrastructure and IT
processes in place.
A115. The evaluation of a service provider from a firm not within the firm’s network that is used
as a component auditor may be different than that of a service provider engaged directly by the
firm. For example, in understanding the competency of the component auditor to perform the
engagement, it may not be necessary or practicable for the firm to obtain an understanding of how
the component auditor updates its methodology to reflect changes in professional standards.
Rather, the firm could perform procedures such as review of results of regulatory inspections,
transparency or audit quality information published by the component auditor’s firm, or evaluation
of the reputation of the component auditor.
Information and Communication (Ref: par. 34)
A116. Obtaining, generating, or communicating information is generally an ongoing process that
involves all personnel and encompasses the dissemination of information within the firm and

Page 49 of 80
externally. Information and communication are pervasive to all components of the system of
quality management.

The Firm’s Information System (Ref: par. 34a)

A117. Reliable and relevant information includes information that is accurate, complete, timely,
and valid to enable the proper functioning of the firm’s system of quality management and to
support decisions regarding the system of quality management.
A118. The information system may include the use of manual or IT elements, which affect the
manner in which information is identified, captured, processed, maintained, and communicated.
The procedures to identify, capture, process, maintain, and communicate information may be
enforced through IT applications and in some cases may be embedded within the firm’s responses
for other components. In addition, digital records may replace or supplement physical records.
A119. An example of scalability is that less complex firms with fewer personnel and direct
involvement of leadership may not need rigorous policies and procedures that specify how
information should be identified, captured, processed, and maintained.

Communication Within the Firm (Ref: par. 34b–c)

A120. The firm may recognize and reinforce the responsibility of personnel and engagement
teams to exchange information with the firm and one another by establishing communication
channels to facilitate communication across the firm. Examples of communication among the firm,
engagement teams, and other individuals include the following:
• The firm communicates the responsibility for implementing the firm’s responses to
personnel and engagement teams.
• The firm communicates changes to the system of quality management to personnel and
engagement teams to the extent that the changes are relevant to their responsibilities
and enables personnel and engagement teams to take prompt and appropriate action in
accordance with their responsibilities.
• The firm communicates information that is obtained during the firm’s acceptance and
continuance process that is relevant to engagement teams in planning and performing
engagements.
• Engagement teams communicate the following information to the firm:
— Information about the client that is obtained during the performance of an
engagement that may have caused the firm to decline the client relationship or
specific engagement had that information been known prior to accepting or
continuing the client relationship or specific engagement
— Information about the operation of the firm’s responses (for example, concerns
about the firm’s processes for assigning personnel to engagements) which, in some
cases, may indicate a deficiency in the firm’s system of quality management
• Engagement teams communicate information to the engagement quality reviewer or
individuals providing consultation.

Page 50 of 80
 • Group engagement teams communicate matters to component auditors in accordance
with the firm’s policies or procedures, including matters related to quality management
at the engagement level.
• The individual or individuals assigned operational responsibility for compliance with
independence requirements communicate to relevant personnel and engagement teams
changes in the independence requirements and the firm’s policies or procedures to
address such changes.

Communication With External Parties

Communication to or Within the Firm’s Network and to Service Providers (Ref: par. 34d(i))
A121. In addition to the firm communicating information to or within the firm’s network or to a
service provider, the firm may need to obtain information from the network, a network firm, or a
service provider that supports the firm in the design, implementation, and operation of its system
of quality management. For example, the firm may obtain information from the network or other
network firms about clients of other network firms when there are independence requirements that
affect the firm.

Communication With Others External to the Firm (Ref: par. 34d(ii))

A122. Examples of when law, regulation, or professional standards may require the firm to
communicate information to external parties include the following:
• The firm becomes aware of noncompliance with laws and regulations by a client, and
relevant ethical requirements require the firm to report the noncompliance with laws
and regulations to an appropriate authority outside the client entity or to consider
whether such reporting is an appropriate action in the circumstances.
• Law or regulation requires the firm to publish a transparency report and specifies the
nature of the information that is required to be included in the transparency report.
• Securities law or regulation requires the firm to communicate certain matters to those
charged with governance.
Paragraphs A131–A135 address communications to support external parties’ understanding of the
system of quality management beyond those required by law, regulation, or professional standards.

A123. In some cases, law or regulation may preclude the firm from communicating information
related to its system of quality management externally. Examples of when the firm may be
precluded from communicating information externally include the following:
• Confidentiality law or regulation prohibits disclosure of certain information
• Law, regulation, or relevant ethical requirements include provisions addressing the
duty of confidentiality

Page 51 of 80
Specified Responses (Ref: par. 35)

A124. The specified responses may address multiple quality risks related to more than one quality
objective across different components. For example, policies or procedures for complaints and
allegations may address quality risks related to quality objectives in resources (for example,
personnel’s commitment to quality), relevant ethical requirements, and governance and leadership.

Relevant Ethical Requirements (Ref: par. 35a–b)

A125. Relevant ethical requirements may contain provisions regarding the identification and
evaluation of threats and how they should be addressed. For example, the AICPA code provides a
conceptual framework for this purpose and, in applying the conceptual framework, requires that
the firm use the reasonable and informed third-party test.
A126. Relevant ethical requirements may specify how the firm is required to respond to a breach.
For example, the “Breach of an Independence” interpretation (ET sec. 1.298.010) of the
“Independence Rule” (ET sec. 1.200.001) contains guidance addressing a breach of an
independence interpretation of the AICPA code, which also contains guidance addressing a breach
of any other provision of the AICPA code.
A127. Matters the firm may address relating to breaches of the relevant ethical requirements
include the following:
• The communication of breaches of the relevant ethical requirements to appropriate
personnel
• The evaluation of the significance of a breach and its effect on compliance with
relevant ethical requirements
• The actions to be taken to satisfactorily address the consequences of a breach, including
that such actions be taken as soon as practicable
• Determining whether to report a breach to external parties, such as those charged with
governance of the entity to which the breach relates or an external oversight authority
• Determining the appropriate actions to be taken in relation to the individual or
individuals responsible for the breach

Complaints and Allegations (Ref: par. 35c)

A128. Establishing policies or procedures for dealing with complaints and allegations may assist
the firm in preventing engagement reports from being issued that are inappropriate. It also may
assist the firm in
• identifying and dealing with individuals, including leadership, who do not act or
behave in a manner that demonstrates a commitment to quality and supports the firm’s
commitment to quality, or
• identifying deficiencies in the system of quality management.
A129. Complaints and allegations may be made by personnel or others external to the firm (for
example, clients, component auditors, or individuals within the firm’s network).

Page 52 of 80
Information That Becomes Known Subsequent to Accepting or Continuing a Client
Relationship or Specific Engagement (Ref: par. 35d)
A130. Information that becomes known subsequent to accepting or continuing a client
relationship or specific engagement may
• have existed at the time of the firm’s decision to accept or continue the client
relationship or specific engagement, and the firm was not aware of such information,
or
• relate to new information that has arisen since the decision to accept or continue the
client relationship or specific engagement.
A131. Examples of matters addressed in the firm’s policies or procedures for circumstances in
which information becomes known subsequent to accepting or continuing a client relationship or
specific engagement that may have affected the firm’s decision to accept or continue a client
relationship or specific engagement include the following:
• Undertaking consultation within the firm or with legal counsel
• Considering whether there is a professional, legal, or regulatory requirement for the
firm to continue the engagement
• Discussing with the appropriate level of the client’s management and with those
charged with governance or the engaging party the action that the firm might take based
on the relevant facts and circumstances
• When it is determined that withdrawal is an appropriate action:
— Informing the client’s management and those charged with governance or the
engaging party of this decision and the reasons for the withdrawal
— Considering whether there is a professional, legal, or regulatory requirement for the
firm to report the withdrawal from the engagement, or from both the engagement
and the client relationship, together with the reasons for the withdrawal, to
regulatory authorities
A132. In some circumstances, law or regulation may impose an obligation on the firm to accept
or continue a client engagement.
A133. Examples of matters addressed in the firm’s policies or procedures in circumstances in
which the firm is obligated to accept or continue an engagement or the firm is unable to withdraw
from an engagement, and the firm is aware of information that would have caused the firm to
decline or discontinue the engagement, include the following:
• The firm considers the effect of the information on the performance of the engagement.
• The firm communicates the information to the engagement partner and requests the
engagement partner to increase the extent and frequency of the direction and
supervision of the engagement team members and review of their work.
• The firm assigns more experienced personnel to the engagement.
• The firm determines that an engagement quality review should be performed.

Page 53 of 80
Communication With External Parties (Ref: par: 35e)
A134. The firm’s ability to maintain stakeholder confidence in the quality of its engagements may
be enhanced through relevant, reliable, and transparent communication by the firm about the
activities that it has undertaken to address quality and the effectiveness of those activities.
A135. External parties who may use information about the firm’s system of quality management,
and the extent of their interest in the firm’s system of quality management, may vary based on the
nature and circumstances of the firm and its engagements.
A136. Examples of external parties who may use information about the firm’s system of quality
management include the following:
• Management or those charged with governance of the firm’s clients may use the
information to determine whether to appoint the firm to perform an engagement.
• External oversight authorities may have indicated a desire for the information to
support their responsibilities in monitoring the quality of engagements across a
jurisdiction and in understanding the work of firms.
• Other firms who use the work of the firm in performing engagements (for example, in
relation to a group audit) may have requested such information.
• Other users of the firm’s engagement reports, such as investors who use engagement
reports in their decision making, may have indicated a desire for the information.
A137. The information about the system of quality management provided to external parties,
including information communicated to those charged with governance about how the system of
quality management supports the consistent performance of quality engagements, may address
such matters as the following:
• The nature and circumstances of the firm, such as the organizational structure, business
model, strategy, and operating environment
• The firm’s governance and leadership, such as
— its culture;
— how it demonstrates a commitment to quality; and
— how roles, responsibilities, and authority with respect to the system of quality
management are assigned
• How the firm fulfills its responsibilities in accordance with relevant ethical
requirements, including those related to independence
• Factors that contribute to quality engagements; for example, such information may be
presented in the form of engagement quality indicators with narrative to explain the
indicators
• The results of the firm’s monitoring activities and external inspections and how the
firm has remediated identified deficiencies or is otherwise responding to them
• The evaluation undertaken in accordance with paragraphs 54–55 of whether the system
of quality management provides the firm with reasonable assurance that the objectives

Page 54 of 80
 of the system are being achieved and the conclusion thereon, including the basis for
the judgments made in evaluating and concluding
• How the firm has responded to emerging developments and changes in the
circumstances of the firm or its engagements, including how the system of quality
management has been adapted to respond to such changes
• The relationship between the firm and the network, the overall structure of the network,
a description of network requirements and network services, the responsibilities of the
firm and the network (including that the firm is ultimately responsible for the system
of quality management), and information about the overall scope and results of network
monitoring activities across the network firms

Determining When It Is Appropriate to Communicate With External Parties (Ref: par. 35e(i))
A138. The firm’s determination of when it is appropriate to communicate with external parties
about the firm’s system of quality management is a matter of professional judgment and may be
influenced by matters such as the following:
• The types of engagements performed by the firm
• The types of entities for which such engagements are undertaken; for example, entities
that may have public interest or public accountability characteristics, such as
— entities that hold a significant amount of assets in a fiduciary capacity for a large
number of stakeholders, including financial institutions, such as certain banks,
insurance companies, and pension funds;
— entities with a high public profile or whose management or owners have a high
public profile; and
— entities with a large number and wide range of stakeholders.
• The nature and circumstances of the firm
• The nature of the firm’s operating environment, such as customary business practice in
the firm’s jurisdiction and the characteristics of the financial markets in which the firm
operates
• The extent to which the firm has already communicated with external parties in
accordance with law or regulation (that is, whether further communication is needed
and, if so, the matters to be communicated)
• The expectations of stakeholders in the firm’s jurisdiction, including the understanding
and interest that external parties have expressed about the engagements undertaken by
the firm, and the firm’s processes in performing the engagements
• Jurisdictional trends
• The information that is already available to external parties
• How external parties may use the information, and their general understanding of
matters related to firms’ systems of quality management and engagements performed
by the firm in its accounting and auditing practice

Page 55 of 80
 • The public interest benefits of external communication and whether it would
reasonably be expected to outweigh the costs (monetary or otherwise) of such
communication
The preceding matters may also affect the information provided by the firm in the
communication and the nature, timing, and extent and appropriate form of communication.

A139. AU-C section 260, The Auditor’s Communication With Those Charged With Governance,
deals with the auditor’s responsibility to communicate with those charged with governance in an
audit of financial statements and addresses the auditor’s determination of the appropriate person
or persons within the entity’s governance structure with whom to communicate16 and the
communication process.17 In some circumstances, it may be appropriate to include information
about the firm’s system of quality management in those communications with those charged with
governance (or when performing other engagements, for example, review or examination
engagements). How the communication with those charged with governance is undertaken (that
is, by the firm or the engagement team) may depend on the firm’s policies or procedures and the
circumstances of the engagement.

Considerations for Engagements for Governmental Organizations

A140. The firm may determine it is appropriate to communicate to those charged with governance
of a governmental organization about how the firm’s system of quality management supports the
consistent performance of quality engagements, taking into account the size and complexity of the
governmental organization, the range of its stakeholders, the nature of the services it provides, and
the roles and responsibilities of those charged with governance.
Nature, Timing, and Extent and Appropriate Form of Communication With External Parties (Ref:
par: 35e(ii))
A141. The firm may consider the following attributes in preparing information that is
communicated to external parties:
• The information is specific to the circumstances of the firm. Relating the matters in the
firm’s communication directly to the specific circumstances of the firm may help to
minimize the potential that such information becomes overly standardized and less
useful over time.
• The information is presented in a clear and understandable manner, and the manner of
presentation is neither misleading nor would inappropriately influence the users of the
communication (for example, the information is presented in a manner that is
appropriately balanced toward positive and negative aspects of the matter being
communicated).
• The information is accurate and complete in all material respects and does not contain
information that is misleading.
• The information takes into consideration the information needs of the users for whom
it is intended. In considering the information needs of the users, the firm may consider
16
Paragraphs .07–.09 of AU-C section 260, The Auditor’s Communication With Those Charged With Governance.
17
Paragraphs .15–.20 of AU-C section 260.

Page 56 of 80
 matters such as the level of detail that users would find meaningful and whether users
have access to relevant information through other sources (for example, the firm’s
website).
A142. The firm uses professional judgment in determining, in the circumstances, the appropriate
form of communication with the external party, including communication with those charged with
governance when performing an audit of financial statements of listed entities, which may be made
orally or in writing. Accordingly, the form of communication may vary.
Examples of forms of communication to external parties include the following:
• A publication such as a transparency report or audit quality report
• Targeted written communication to specific stakeholders (for example, information
about the results of the firm’s monitoring and remediation process)
• Direct conversations and interactions with the external party (for example, discussions
between the engagement team and those charged with governance)
• A web page
• Other forms of digital media, such as social media, or interviews or presentations via
webcast or video

Engagements Subject to an Engagement Quality Review

Engagement Quality Review Required by Law or Regulation (Ref: par. 35f(i))
A143. Law or regulation may require an engagement quality review to be performed, for example,
for audit engagements for entities that
• are public interest entities as defined in a particular jurisdiction,
• are governmental organizations or recipients of government funding, or entities with
public accountability,
• operate in certain industries (for example, financial institutions such as banks,
insurance companies, and pension funds),
• meet a specified asset threshold, or
• are under the management of a court or judicial process (for example, liquidation).

Engagement Quality Review as a Response to Address One or More Quality Risks (Ref: par.
35f(ii))
A144. The firm’s understanding of the conditions, events, circumstances, actions, or inactions
that may adversely affect the achievement of the quality objectives as required by paragraph 26a(ii)
relates to the nature and circumstances of the engagements performed by the firm. In designing
and implementing responses to address one or more quality risks, the firm may determine that an
engagement quality review is an appropriate response based on the reasons for the assessments
given to the quality risks.
A145. Criteria established by the firm to determine whether an engagement quality review is an
appropriate response for one or more quality risks may relate to the types of engagements

Page 57 of 80
performed by the firm and reports to be issued, and the types of entities for which engagements
are undertaken. Examples of conditions, events, circumstances, actions, or inactions giving rise to
such quality risks include the following:
Those relating to the types of engagements performed by the firm and reports to be issued:
• Engagements that involve a high level of complexity or judgment, such as the
following:
— Audits of financial statements for entities operating in an industry that typically
has accounting estimates with a high degree of estimation uncertainty (for
example, certain large financial institutions or mining entities) or for entities for
which uncertainties exist related to events or conditions that may cast significant
doubt on their ability to continue as a going concern
— Assurance engagements that require specialized skills and knowledge in
measuring or evaluating the underlying subject matter against the applicable
criteria (for example, a greenhouse gas statement in which there are significant
uncertainties associated with the quantities reported therein)
• Engagements on which issues have been encountered, such as audit engagements with
recurring internal or external inspection findings, unremediated significant deficiencies
in internal control, or a material restatement of comparative information in the financial
statements
• Engagements for which unusual circumstances have been identified during the firm’s
acceptance and continuance process (for example, a new client that had a disagreement
with its previous auditor or assurance practitioner)
• Engagements that involve reporting on financial or nonfinancial information that is
expected to be included in a regulatory filing and that may involve a higher degree of
judgment, such as pro forma financial information to be included in a prospectus
Those relating to the types of entities for which engagements are undertaken:
• Entities in emerging industries or for which the firm has no previous experience
• Entities for which concerns were expressed in communications from regulators
• Entities that may have public interest or public accountability characteristics, such as
the following:
— Entities that hold a significant amount of assets in a fiduciary capacity for a large
number of stakeholders, including financial institutions such as certain banks,
insurance companies, and pension funds for which an engagement quality review
is not otherwise required by law or regulation
— Entities with a high public profile or whose management or owners have a high
public profile
— Entities with a large number and wide range of stakeholders
— Governmental organizations
o Due to their size and complexity, the range of their stakeholders or the

Page 58 of 80
 nature of the services they provide
o Due to the complexity, and importance to users, of additional reporting
requirements established by law or regulation (for example, a separate
report on instances of noncompliance with law or regulation to the
legislature or other governing body or communicating such instances in the
auditor’s report on the financial statements)
A146. The firm’s responses to address quality risks may include other forms of engagement
reviews that are not an engagement quality review. For example, for audits of financial statements,
the firm’s responses may include reviews of the engagement team’s procedures relating to
significant risks, or reviews of certain significant judgments, by personnel who have specialized
technical expertise. In some cases, these other types of engagement reviews may be undertaken in
addition to an engagement quality review.
A147. In some cases, the firm may determine that there are no audits or other engagements for
which an engagement quality review or another form of engagement review is an appropriate
response to address the quality risks.

Monitoring and Remediation Process (Ref: par. 36–48)

A148. In addition to enabling the evaluation of the system of quality management, the monitoring
and remediation process facilitates the proactive and continual improvement of engagement
quality and the system of quality management. Examples follow:
• Given the inherent limitations of a system of quality management, the firm’s
identification of deficiencies is not unusual, and it is an important aspect of the system
of quality management because prompt identification of deficiencies enables the firm
to remediate them in a timely and effective manner and contributes to a culture of
continual improvement.
• The monitoring activities may provide information that enables the firm to prevent a
deficiency through responding to a finding that could, over a period of time, lead to a
deficiency.
Designing and Performing Monitoring Activities (Ref: par. 38–39)
A149. The firm’s monitoring activities may comprise a combination of ongoing monitoring
activities and periodic monitoring activities. Ongoing monitoring activities are generally routine
activities built into the firm’s processes and performed on a real-time basis. Periodic monitoring
activities are conducted at certain intervals by the firm. In most cases, ongoing monitoring
activities provide information about the system of quality management in a timelier manner.
A150. Monitoring activities may include the inspection of in-process engagements. Inspections
of engagements are designed to monitor whether an aspect of the system of quality management
is designed, implemented, and operating in the manner intended. In some circumstances, the
system of quality management may include responses that are designed to review engagements
while they are in the process of being performed that appear similar in nature to an inspection of
in-process engagements (for example, reviews that are designed to detect failures or shortcomings
in the system of quality management so that they can prevent a quality risk from occurring). The
purpose of the activity drives its design and implementation and where it fits within the system of

Page 59 of 80
quality management (that is, whether it is an inspection of an in-process engagement that is a
monitoring activity or a review of an engagement that is a response to address a quality risk).
A151. The nature, timing, and extent of the monitoring activities may also be affected by other
matters, including
• the size, structure, and organization of the firm,
• the involvement of the firm’s network in monitoring activities, and
• the resources that the firm intends to use to enable monitoring activities, such as the
use of IT applications.
A152. When performing monitoring activities, the firm may determine that changes to the nature,
timing, and extent of the monitoring activities are needed, such as when findings indicate the need
for more extensive monitoring activities.

The Design of the Firm’s Risk Assessment Process and Monitoring and Remediation Process
(Ref: par. 38c)
A153. How the firm’s risk assessment process is designed (for example, a centralized or
decentralized process, or the frequency of review) may affect the nature, timing, and extent of the
monitoring activities, including monitoring activities over the firm’s risk assessment process.
A154. How the firm’s monitoring and remediation process is designed (that is, the nature, timing,
and extent of the monitoring and remediation activities, taking into account the nature and
circumstances of the firm) may affect the monitoring activities undertaken by the firm to determine
whether the monitoring and remediation process is achieving the intended purpose as described in
paragraph 36.
A155. An example of scalability to demonstrate how the monitoring activities for the monitoring
and remediation process may differ in firms of different complexity is as follows:
• In a less complex firm, the monitoring activities may be simple because information about
the monitoring and remediation process may be readily available in the form of leadership’s
knowledge, based on their frequent interaction with the system of quality management, of
the nature, timing, and extent of the monitoring activities undertaken, the results of the
monitoring activities, and the firm’s actions to address the results.
• In a more complex firm, the monitoring activities for the monitoring and remediation
process may be specifically designed to determine that the monitoring and remediation
process is providing relevant, reliable, and timely information about the system of quality
management, and responding appropriately to identified deficiencies.

Changes in the System of Quality Management (Ref: par. 38d)

A156. Changes in the system of quality management may include
• changes to address an identified deficiency in the system of quality management, and
• changes to the quality objectives, quality risks, or responses as a result of changes in
the nature and circumstances of the firm and its engagements.

Page 60 of 80
When changes occur, previous monitoring activities undertaken by the firm may no longer provide
the firm with information to support the evaluation of the system of quality management and,
therefore, the firm’s monitoring activities may include monitoring of those areas of change.

Previous Monitoring Activities (Ref: par. 38e and 44b)

A157. The results of the firm’s previous monitoring activities may indicate areas of the system
where a deficiency may arise, particularly areas where there is a history of identified deficiencies.
A158. Previous monitoring activities undertaken by the firm may no longer provide the firm with
information to support the evaluation of the system, including on areas of the system of quality
management that have not changed, particularly when time has elapsed since the monitoring
activities were undertaken.

Other Relevant Information (Ref: par. 38f )

A159. In addition to the sources of information indicated in paragraph 38f, other relevant
information may include the following:
• Information communicated by the firm’s network in accordance with paragraphs 51c
and 52b about the firm’s system of quality management, including the network
requirements or network services that the firm has included in its system of quality
management
• Information communicated by a service provider about the resources the firm uses in
its system of quality management
• Information from regulators about the entities for whom the firm performs
engagements that is made available to the firm, such as information from a securities
regulator about an entity for whom the firm performs engagements (for example,
irregularities in the entity’s financial statements)
A160. The results of external inspections or other relevant information, both internal and external,
may indicate that previous monitoring activities undertaken by the firm failed to identify a
deficiency in the system of quality management. This information may affect the firm’s
consideration of the nature, timing, and extent of the monitoring activities.
A161. External inspections are not a substitute for the firm’s internal monitoring activities.
Nevertheless, the results of external inspections inform the nature, timing, and extent of the
monitoring activities.
Engagement Inspections (Ref: par. 39)

A162. Examples of matters in paragraph 38 that may be considered by the firm in selecting
completed engagements for inspection include the following:
• In relation to the conditions, events, circumstances, actions, or inactions giving rise to
the quality risks:
— The types of engagements performed by the firm, and the extent of the firm’s
experience in performing the type of engagement

Page 61 of 80
 — The types of entities for which engagements are undertaken, such as the
following:
o Entities operating in emerging industries
o Entities operating in industries associated with a high level of complexity
or judgment
o Entities operating in an industry that is new to the firm
— The tenure and experience of engagement partners
• The results of previous inspections of completed engagements, including for each
engagement partner
• In relation to other relevant information:
— Complaints or allegations about an engagement partner
— The results of external inspections, including for each engagement partner
— The results of the firm’s evaluation of each engagement partner’s commitment to
quality
A163. The firm may undertake multiple monitoring activities, other than inspection of completed
engagements, that focus on determining whether engagements have complied with policies or
procedures. These monitoring activities may be undertaken on certain engagements or engagement
partners. The nature and extent of these monitoring activities, and the results, may be used by the
firm in determining the following:
• How often to select completed engagements for inspection, and which completed
engagements to select, based on the factors described in paragraph A159
• Which engagement partners to select for inspection, and how frequently to select an
engagement partner for inspection, based on factors such as how long it has been since
the engagement partner was subject to inspection, the results of previous inspections
of the engagement partner, or the engagement partner’s experience with performing
engagements at different levels of service, in new industries, or with complex financial
reporting matters
• Which aspects of the engagement to consider when performing the inspection of
completed engagements
For example, if the firm has undertaken inspections of in-process engagements,
• the firm may determine it appropriate to reduce the extent of selection of completed
engagements for inspection;
• the results of the inspections of in-process engagements may indicate areas of risk that
may affect which completed engagements are selected for inspection; or
• the results of the inspections of in-process engagements may identify negative quality
issues that prompt the firm to shorten the inspection cycle or expand the extent of
completed engagement inspections.

Page 62 of 80
A164. The inspection of completed engagements for engagement partners on a cyclical basis may
assist the firm in monitoring whether engagement partners have fulfilled their overall
responsibility for managing and achieving quality on the engagements to which they are assigned.
A165. Examples of policies and procedures that a firm may establish to apply a cyclical basis for
the inspection of completed engagements for each engagement partner include the following
policies or procedures that
• set forth the standard period of the inspection cycle, such as the inspection of a completed
engagement for each engagement partner performing audits of financial statements once
every, for example, three years, and for all other engagement partners, once every, for
example, five years.
• set out the criteria for selecting completed engagements, including that for an engagement
partner performing audits of financial statements, the engagements selected include an
audit engagement.
• address the selection of engagement partners in a manner that is unpredictable.
• address when it is necessary or appropriate to select engagement partners more, or less,
frequently than the standard period set out in the policy. Examples follow:
— The firm may select engagement partners more frequently than the standard period set
out in the firm’s policy when the following apply:
o Multiple deficiencies have been identified by the firm that have been evaluated as
severe, and the firm determines that a more frequent cyclical inspection is needed
across all engagement partners.
o The engagement partner performs engagements for entities operating in a certain
industry in which there are high levels of complexity or judgment.
o An engagement performed by the engagement partner has been subject to other
monitoring activities, and the results of the other monitoring activities were
unsatisfactory.
o The engagement partner has performed an engagement for an entity operating in
an industry in which the engagement partner has limited experience.
o The engagement partner has limited experience in performing that level of service
engagements.
o The engagement partner is a newly appointed engagement partner or has recently
joined the firm from another firm or another jurisdiction.
— The firm may defer the selection of the engagement partner (for example, deferring for
a year beyond the standard period set out in the firm’s policy) when
o engagements performed by the engagement partner have been subject to other
monitoring activities during the standard period set out in the firm’s policy, and
o the results of the other monitoring activities provide sufficient information about
the engagement partner; that is, performing the inspection of completed

Page 63 of 80
 engagements would unlikely provide the firm with further information about the
engagement partner.
A166. The matters considered in an inspection of an engagement depend on how the inspection
will be used to monitor the system of quality management. Ordinarily, the inspection of an
engagement includes determining that responses that are implemented at the engagement level (for
example, the firm’s policies and procedures in respect of engagement performance) have been
implemented as designed and are operating effectively.

The Relationship of Peer Review to Monitoring

A167. A peer review is not a substitute for all monitoring activities. However, because the
objective of a peer review is similar to that of an inspection, the firm’s quality management policies
or procedures may provide that a peer review conducted under standards established by the AICPA
may be a substitute for the inspection of engagement documentation, reports, and clients’ financial
statements for some or all engagements for the period covered by the peer review.

A168. A peer review may result in findings or deficiencies. However, the definitions of findings
and deficiencies in this SQMS are different from the definitions of those terms in AICPA Standards
for Performing and Reporting on Peer Reviews.18 Accordingly, findings and deficiencies may be
evaluated differently for peer review purposes than for purposes of this SQMS. Findings or
deficiencies identified in a firm’s system of quality management may not necessarily result in a
peer review finding or deficiency; similarly, peer review findings or deficiencies may not
necessarily equate to findings or deficiencies in a firm’s system of quality management. As with
other items identified in the firm’s monitoring activities, the firm would need to assess any peer
review findings or deficiencies to determine the impact on the firm’s evaluation of its system of
quality management.

Individuals Performing the Monitoring Activities (Ref: par. 40)

A169. It is important that individuals performing the monitoring activities have the competence,
capabilities, including sufficient time, and objectivity to perform the monitoring activities. Each
of these attributes is equally essential. In some circumstances, there may not be personnel who
have the competence, capabilities, including sufficient time, and objectivity to perform the
monitoring activities. In these circumstances, the firm may use network services or a service
provider to perform the monitoring activities.
A170. The provisions of relevant ethical requirements are relevant in designing the policies or
procedures addressing the objectivity of the individuals performing the monitoring activities. A
self-review threat may arise when an individual who performs an inspection of an engagement was
an engagement team member or the engagement quality reviewer of that engagement. A self-
review threat may also arise when an individual involved in operating the response to a quality
risk is performing the monitoring of that response. For example, a self-review threat may arise if

18
Paragraphs 70 and 110, PRP section 1000, AICPA Standards for Performing and Reporting on Peer Reviews
(AICPA, Professional Standards).

Page 64 of 80
an individual responsible for accepting client engagements is also responsible for monitoring
compliance with the firm’s client acceptance policies and procedures.
A171. This SQMS does not preclude an individual from performing monitoring activities,
including inspections, of their own compliance with a quality management system. However, such
self-inspections may be less effective than compliance inspections by another qualified individual.
When an individual inspects their own compliance with the firm’s policies and procedures, the
firm has a higher risk that noncompliance with policies and procedures will not be detected or
reported. To effectively monitor one’s own compliance, it is necessary that an individual be able
to critically review their own performance, assess their own strengths and weaknesses, and
maintain an attitude of continual improvement.
A172. Responses that may provide safeguards against the self-review threat and lessen the
likelihood of deficiencies in the system of quality management include the following actions:
• Fostering a commitment to continuing professional education and providing effective
training programs so that personnel stay current on accounting, auditing, and quality
management standards
• Providing training on how to perform monitoring inspections and requiring the use of
peer review or other inspection checklists
• Requiring the passage of time after the completion of an engagement before self-
inspections are performed

A173. The firm may have responses in place to address quality risks other than the self-review
threat that may be particularly helpful when self-inspections are performed, such as the following
actions:
• Establishing strong client acceptance and engagement continuance policies that address
the risk of the firm accepting or continuing engagements it doesn’t have the competency
and resources to perform
• Establishing consultation policies that require engagement teams to consult when they
encounter technical accounting and auditing difficulties
• Taking corrective action in response to the results identified by the firm’s internal
monitoring, engagement quality reviews, peer review results or other external
inspections; for example, inspections by the U.S. Department of Labor
• Requiring the use of an external service provider to perform engagement quality reviews
or monitoring activities when
— deficiencies identified by the firm’s monitoring activities, peer reviewers, or other
external inspections indicate that self-inspection is not effective, or
— changes in conditions and the environment within the firm (such as obtaining
clients in an industry not previously serviced or significantly changing the size of the
firm) occur.

Evaluating Findings and Identifying Deficiencies (Ref: par. 17 and 41–42)

A174. The firm accumulates findings from the performance of monitoring activities, external
inspections, and other relevant sources. Information accumulated by the firm from the monitoring

Page 65 of 80
activities, external inspections, and other relevant sources may reveal other observations about the
firm’s system of quality management, such as
• actions, behaviors, or conditions that have given rise to positive outcomes in the context
of quality or the effectiveness of the system of quality management, or
• similar circumstances in which no findings were noted (for example, engagements in
which no findings were noted, and the engagements have a similar nature to the
engagements in which findings were noted).
Other observations may be useful to the firm because they may assist the firm in investigating the
root causes of identified deficiencies, indicate practices that the firm can support or apply more
extensively (for example, across all engagements), or highlight opportunities for the firm to
enhance the system of quality management.
A175. The firm exercises professional judgment in determining whether findings, individually or
in combination with other findings, give rise to a deficiency in the system of quality management.
In making the judgment, the firm may need to take into account the relative importance of the
findings in the context of the quality objectives, quality risks, responses, or other aspects of the
system of quality management to which they relate. The firm’s judgments may be affected by
quantitative and qualitative factors relevant to the findings. In some circumstances, the firm may
determine it appropriate to obtain more information about the findings in order to determine
whether a deficiency exists. Not all findings, including engagement findings, will be a deficiency.
A176. Examples of quantitative and qualitative factors that a firm may consider in determining
whether findings give rise to a deficiency include the following:
Quality risks and responses
• If the findings relate to a response, factors such as the following:
— How the response is designed; for example, the nature of the response, the
frequency of its occurrence (if applicable), and the relative importance of the
response to addressing the quality risks and achieving the quality objectives to
which it relates
— The nature of the quality risk to which the response relates and the extent to which
the findings indicate that the quality risk has not been addressed
— Whether there are other responses that address the same quality risk and whether
there are findings for those responses

Nature of the findings and their pervasiveness

• The nature of the findings; for example, findings related to leadership actions and
behaviors may be qualitatively significant, given the pervasive effect this could have
on the system of quality management as a whole
• Whether the findings, in combination with other findings, indicate a trend or systemic
issue; for example, similar engagement findings that appear on multiple engagements
may indicate a systemic issue

Extent of Monitoring Activity and Extent of Findings

Page 66 of 80
 • The extent of the monitoring activity from which the findings arose, including the
number or size of the selections.
• The extent of the findings in relation to the selection covered by the monitoring activity
and in relation to the expected deviation rate; for example, in the case of inspection of
engagements, the number of engagements selected in which the findings were
identified relative to the total number of engagements selected, and the expected
deviation rate set by the firm
A177. Evaluating findings and identifying deficiencies and evaluating the severity and
pervasiveness of an identified deficiency, including investigating the root causes of an identified
deficiency, are part of an iterative and nonlinear process. Examples follow:
• In investigating the root causes of an identified deficiency, the firm may identify a
circumstance that has similarities to other circumstances in which there were findings
that were not considered deficiencies. As a result, the firm adjusts its evaluation of the
other findings and classifies them as deficiencies.
• In evaluating the severity and pervasiveness of an identified deficiency, the firm may
identify a trend or systemic issue that correlates with other findings that are not
considered deficiencies. As a result, the firm adjusts its evaluation of the other findings
and also classifies them as deficiencies.
A178. The results of monitoring activities, results of external inspections, and other relevant
information (for example, network monitoring activities or complaints and allegations) may reveal
information about the effectiveness of the monitoring and remediation process. For example, the
results of external inspections may provide information about the system of quality management
that has not been identified by the firm’s monitoring and remediation process, which may highlight
a deficiency in that process.
Evaluating Identified Deficiencies (Ref: par. 42)
A179. Factors the firm may consider in evaluating the severity and pervasiveness of an identified
deficiency include the following:
• The nature of the identified deficiency, including the aspect of the firm’s system of
quality management to which the deficiency relates, and whether the deficiency is in
the design, implementation, or operation of the system of quality management
• In the case of identified deficiencies related to responses, whether there are
compensating responses to address the quality risk to which the response relates
• The root causes of the identified deficiency
• The frequency with which the matter giving rise to the identified deficiency occurred
• The magnitude of the identified deficiency, how quickly it occurred, and the duration
of time that it existed and had an effect on the system of quality management
A180. The severity and pervasiveness of identified deficiencies affects the evaluation of the
system of quality management that is undertaken by the individual or individuals assigned ultimate
responsibility and accountability for the system of quality management.

Page 67 of 80
Root Cause of the Identified Deficiencies (Ref: par. 42a)
A181. The objective of investigating the root causes of identified deficiencies is to understand the
underlying circumstances that caused the deficiencies to enable the firm to
• evaluate the severity and pervasiveness of the identified deficiency and
• appropriately remediate the identified deficiency.
Performing a root cause analysis involves the exercise of professional judgment based on the
evidence available by those performing the assessment.
A182. The nature, timing, and extent of the procedures undertaken to understand the root causes
of an identified deficiency may also be affected by the nature and circumstances of the firm, such
as the following:
• The complexity and operating characteristics of the firm.
• The size of the firm.
• The geographical dispersion of the firm.
• How the firm is structured or the extent to which the firm concentrates or centralizes
its processes or activities. For example, in the case of a less complex firm with a single
location, the firm’s procedures to understand the root causes of a deficiency may be
simple because the information to inform the understanding may be readily available
and concentrated, and the root causes may be more apparent. In the case of a more
complex firm with multiple locations, the procedures to understand the root causes of
a deficiency may include using individuals specifically trained on investigating the root
causes of identified deficiencies and developing a methodology with more formalized
procedures for identifying root causes.
• The nature of the identified deficiency. For example, the firm’s procedures to
understand the root causes of an identified deficiency may be more rigorous in
circumstances when an engagement report related to an audit of financial statements
was issued that was inappropriate, or the identified deficiency relates to leadership’s
actions and behaviors regarding quality.
• The possible severity of the identified deficiency. For example, the firm’s procedures
to understand the root causes of an identified deficiency may be more rigorous in
circumstances in which the deficiency has been identified across multiple
engagements, or there is an indication that policies or procedures have high rates of
noncompliance.
A183. In investigating the root causes of identified deficiencies, the firm may consider why
deficiencies did not arise in other circumstances that are of a similar nature to the matter to which
the identified deficiency relates. Such information may also be useful in determining how to
remediate an identified deficiency. For example, the firm may determine that a deficiency exists
because similar findings have occurred across multiple engagements. However, the findings have
not occurred in several other engagements within the same population being tested. By contrasting
the engagements, the firm concludes that the root cause of the identified deficiency is a lack of
appropriate involvement by the engagement partners at key stages of the engagements.

Page 68 of 80
A184. Identifying root causes that are appropriately specific may support the firm’s process for
remediating identified deficiencies. For example, the firm may identify that engagement teams
performing audits of financial statements are failing to obtain sufficient appropriate audit evidence
on accounting estimates when management’s assumptions have a high degree of subjectivity.
Although the firm notes that these engagement teams are not maintaining appropriate professional
skepticism, the underlying root cause of this issue may relate to another matter, such as a cultural
environment that does not encourage engagement team members to question individuals with
greater authority or insufficient direction, supervision, and review of the work performed on the
engagements.
A185. In addition to investigating the root causes of identified deficiencies, the firm may also
investigate the root causes of positive outcomes because doing so may reveal opportunities for the
firm to improve, or further enhance, the system of quality management.
Responding to Identified Deficiencies (Ref: par. 43)
A186. The nature, timing, and extent of remedial actions may depend on a variety of other factors,
including the following:
• The root causes
• The severity and pervasiveness of the identified deficiency and, therefore, the urgency
with which it needs to be addressed
• The effectiveness of the remedial actions in addressing the root causes, such as whether
the firm needs to implement more than one remedial action in order to effectively
address the root causes, or needs to implement remedial actions as interim measures
until the firm is able to implement more effective remedial actions
A187. In some circumstances, the remedial action may include establishing additional quality
objectives, or quality risks or responses may be added or modified, because it is determined that
they are not appropriate.
A188. In circumstances in which the firm determines that the root cause of an identified deficiency
relates to a resource provided by a service provider, the firm may also
• consider whether to continue using the resource provided by the service provider, or
• communicate the matter to the service provider.
The firm is responsible for addressing the effect of the identified deficiency related to a resource
provided by a service provider on the system of quality management and taking action to prevent
the deficiency from recurring with respect to the firm’s system of quality management. However,
the firm is not ordinarily responsible for remediating the identified deficiency on behalf of the
service provider or further investigating the root cause of the identified deficiency at the service
provider.
Findings About a Particular Engagement (Ref: par. 46)
A189. AU-C section 585, Consideration of Omitted Procedures After the Report Release Date,
addresses the auditor’s responsibilities in circumstances in which procedures were omitted, or the
report issued is inappropriate. In such circumstances relating to other assurance and attest
engagements, the action taken by the firm may include the following:
• Consulting with appropriate individuals regarding the appropriate action

Page 69 of 80
 • Discussing the matter with management of the entity or those charged with governance
• Performing the omitted procedures
The actions taken by the firm do not relieve the firm of the responsibility to take further actions
relating to the finding in the context of the system of quality management, including evaluating
the findings to identify deficiencies and, when a deficiency exists, investigating the root causes of
the identified deficiency.
Ongoing Communication Related to the Monitoring and Remediation (Ref: par. 47)
A190. The information communicated about the monitoring and remediation to the individual or
individuals assigned ultimate responsibility and accountability for the system of quality
management may be communicated on an ongoing basis or periodically. The individual or
individuals may use the information in multiple ways. Examples follow:
• As a basis for further communications to personnel about the importance of quality
• To hold individuals accountable for their roles assigned to them
• To identify key concerns about the system of quality management in a timely manner
The information also provides a basis for the evaluation of the system of quality management, and
conclusion thereon, as required by paragraphs 54–56.

Network Requirements or Network Services (Ref: par. 49)

A191. In some circumstances, the firm may belong to a network. Networks may establish
requirements regarding the firm’s system of quality management or may make services or
resources available that the firm may choose to implement or use in the design, implementation,
and operation of its system of quality management. Such requirements or services may be intended
to promote the consistent performance of quality engagements across the firms that belong to the
network. The extent to which the network will provide the firm with quality objectives, quality
risks, and responses that are common across the network will depend on the firm’s arrangements
with the network.
A192. Examples of network requirements include the following:
• Requirements for the firm to include additional quality objectives or quality risks in the
firm’s system of quality management that are common across the network firms.
• Requirements for the firm to include responses in the firm’s system of quality
management that are common across the network firms. Such responses designed by the
network may include network policies or procedures that specify the leadership roles and
responsibilities, including how the firm is expected to assign authority and responsibility
within the firm, or resources, such as network-developed methodologies for performing
engagements or IT applications.
• Requirements that the firm be subject to the network’s monitoring activities. These
monitoring activities may relate to network requirements (for example, monitoring that
the firm has implemented the network’s methodology appropriately) or to the firm’s
system of quality management in general.

Page 70 of 80
A193. Examples of network services include services or resources that are optional for the firm
to use in its system of quality management or in performing engagements, such as voluntary
training programs, use of component auditors or specialists from within the network, or use
of a service delivery center established at the network level, or by another network firm or
group of network firms.
A194. The network may establish responsibilities for the firm in implementing the network
requirements or network services. Examples follow:
• The firm is required to have certain IT infrastructure and IT processes in place to support
an IT application provided by the network that the firm uses in the system of quality
management.
• The firm is required to provide firm-wide training on the methodology provided by the
network, including when updates are made to the methodology.
A195. The firm’s understanding of the network requirements or network services and the firm’s
responsibilities relating to the implementation thereof may be obtained through inquiries of, or
documentation provided by, the network about matters such as the following:
• The network’s governance and leadership
• The procedures undertaken by the network in designing, implementing, and, if
applicable, operating, the network requirements or network services
• How the network identifies and responds to changes that affect the network
requirements or network services or other information, such as changes in the
professional standards or information that indicates a deficiency in the network
requirements or network services
• How the network monitors the appropriateness of the network requirements or network
services, which may include through the network firms’ monitoring activities, and the
network’s processes for remediating identified deficiencies
Network Requirements or Network Services in the Firm’s System of Quality Management
(Ref: par. 50)
A196. The characteristics of the network requirements or network services are a condition, event,
circumstance, action, or inaction in identifying and assessing quality risks. An example of a
network requirement or network service that gives rise to a quality risk is as follows.
The network may require the firm to use an IT application for the acceptance and continuance of
client relationships and specific engagements that is standardized across the network. This may
give rise to a quality risk that the IT application does not address matters in local law or regulation
that need to be considered by the firm in accepting and continuing client relationships and specific
engagements.
A197. The purpose of the network requirements may include the promotion of consistent
performance of quality engagements across the network firms. The firm may be expected by the
network to implement the network requirements; however, the firm may need to adapt or
supplement the network requirements such that they are appropriate for the nature and
circumstances of the firm and its engagements.

Page 71 of 80
A198. Examples of how the network requirements or network services may need to be adapted or
supplemented include the following:

Network requirement or network How the firm adapts or supplements the

service network requirement or network service

The network requires the firm to As part of identifying and assessing quality
include certain quality risks in the risks, the firm assesses the quality risks that are
system of quality management so required by the network.
that all firms in the network
address the quality risks. The The firm also designs and implements
network does not provide an responses to address the assessed quality risks
assessment of the quality risks. that are required by the network.

The network requires that the firm As part of designing and implementing
design and implement certain responses, the firm determines
responses.
• which assessed quality risks the
responses address.

• how the responses required by the

network will be incorporated into the
firm’s system of quality management,
given the nature and circumstances of
the firm. This may include tailoring the
response to reflect the nature and
circumstances of the firm and the
engagements performed by the firm
(for example, tailoring a methodology
to include matters related to law or
regulation).

The firm uses individuals from The firm establishes policies or procedures that
other network firms as component require the engagement team to confirm with
auditors. Network requirements the component auditor (that is, the other
are in place that drive a high network firm) that the individuals assigned to
degree of commonality across the the component meet the specific criteria set out
network firms’ systems of quality in the network requirements.
management. The network
requirements include specific

Page 72 of 80
 criteria that apply to individuals
assigned to work on a component
for a group audit.

A199. In some circumstances, in adapting or supplementing the network requirements or network

services, the firm may identify possible improvements to the network requirements or network
services and may communicate these improvements to the network.
Monitoring Activities Undertaken by the Network on the Firm’s System of Quality
Management (Ref: par. 51c)
A200. The results of the network’s monitoring activities of the firm’s system of quality
management may include information such as the following:
• A description of the monitoring activities, including their nature, timing, and extent
• Findings, identified deficiencies, and other observations about the firm’s system of
quality management (for example, positive outcomes or opportunities for the firm to
improve, or further enhance, the system of quality management)
• The network’s evaluation of the root causes of the identified deficiencies, the assessed
effect of the identified deficiencies, and recommended remedial actions
Monitoring Activities Undertaken by the Network Across the Network Firms (Ref: par. 52b)
A201. The information from the network about the overall results of the network’s monitoring
activities undertaken across the network firms’ systems of quality management may be an
aggregation or summary of the information described in paragraph A193, including trends and
common areas of identified deficiencies across the network, or positive outcomes that may be
replicated across the network. Such information may
• be used by the firm
— in identifying and assessing quality risks, and
— as part of other relevant information considered by the firm in determining
whether deficiencies exist in the network requirements or network services used
by the firm in its system of quality management.
• be communicated to group engagement partners, in the context of considering the
competence and capabilities of component auditors from a network firm who are
subject to common network requirements (for example, common quality objectives,
quality risks, and responses).
A202. In some circumstances, the firm may obtain information from the network about
deficiencies identified in a network firm’s system of quality management that affects the firm. The
network may also gather information from network firms regarding the results of external
inspections over network firms’ systems of quality management. In some instances, law or
regulation in a particular jurisdiction may prevent the network from sharing information with other
network firms or may restrict the specificity of such information.

Page 73 of 80
A203. In circumstances in which the network does not provide the information about the overall
results of the network’s monitoring activities across the network firms, the firm may take further
actions, such as
• discussing the matter with the network, and
• determining the effect on the firm’s engagements and communicating the effect to
engagement teams.
Deficiencies in Network Requirements or Network Services Identified by the Firm (Ref: par.
53)
A204. As network requirements or network services used by the firm form part of the firm’s
system of quality management, they are also subject to the requirements of this SQMS regarding
monitoring and remediation. The network requirements or network services may be monitored by
the network, the firm, or a combination of both; for example, a network may undertake monitoring
activities at a network level for a common methodology. The firm may also monitor the application
of the methodology by engagement team members through performing engagement inspections.
A205. In designing and implementing the remedial actions to address the effect of the identified
deficiency in the network requirements or network services, the firm may
• understand the planned remedial actions by the network, including whether the firm
has any responsibilities for implementing the remedial actions, and
• consider whether supplementary remedial actions need to be taken by the firm to
address the identified deficiency and the related root causes, such as when
— the network has not taken appropriate remedial actions, or
— the network’s remedial actions will take time to effectively address the identified
deficiency.
Evaluating the System of Quality Management (Ref: par. 54)

A206. The individual or individuals assigned ultimate responsibility and accountability for the
system of quality management may be assisted by other individuals in performing the evaluation.
Nevertheless, the individual or individuals assigned ultimate responsibility and accountability for
the system of quality management remain responsible and accountable for the evaluation.
A207. The point in time at which the evaluation is undertaken may depend on the circumstances
of the firm and may coincide with the fiscal year-end of the firm or the completion of an annual
monitoring cycle.
A208. The information that provides the basis for the evaluation of the system of quality
management includes the information communicated to the individuals assigned ultimate
responsibility and accountability for the system of quality management in accordance with
paragraph 47.
A209. An example of scalability to demonstrate how the information that provides the basis for
the evaluation of the system of quality management may be obtained in firms of different
complexity is as follows:

Page 74 of 80
 • In a less complex firm, the individual or individuals assigned ultimate responsibility and
accountability for the system of quality management may be directly involved in the
monitoring and remediation and, therefore, will be aware of the information that supports
the evaluation of the system of quality management.
• In a more complex firm, the individual or individuals assigned ultimate responsibility and
accountability for the system of quality management may need to establish processes to
collate, summarize, and communicate the information needed to evaluate the system of
quality management.

Concluding on the System of Quality Management (Ref: par. 55)

A210. In the context of this SQMS, it is intended that the operation of the system as a whole
provides the firm with reasonable assurance that the objectives of the system of quality
management are being achieved. In concluding on the system of quality management, the
individual or individuals assigned ultimate responsibility and accountability for the system of
quality management may, in using the results of the monitoring and remediation process, consider
the following:
• The severity and pervasiveness of identified deficiencies and the effect on the
achievement of the objectives of the system of quality management
• Whether remedial actions have been designed and implemented by the firm and
whether the remedial actions taken up to the time of the evaluation are effective
• Whether the effect of identified deficiencies on the system of quality management have
been appropriately corrected, such as whether further actions have been taken in
accordance with paragraph 46
A211. There may be circumstances in which identified deficiencies that are severe (including
identified deficiencies that are severe and pervasive) have been appropriately remediated and the
effect of them corrected at the point in time of the evaluation. In such cases, the individual or
individuals assigned ultimate responsibility and accountability for the system of quality
management may conclude that the system of quality management provides the firm with
reasonable assurance that the objectives of the system of quality management are being achieved.
A212. An identified deficiency may have a pervasive effect on the design, implementation, and
operation of the system of quality management when, for example, the deficiency
• affects several components or aspects of the system of quality management.
• is confined to a specific component or aspect of the system of quality management but
is fundamental to the system of quality management.
• affects several business units or geographical locations of the firm.
• is confined to a business unit or geographical location, but the business unit or location
affected is fundamental to the firm overall.
• affects a substantial portion of engagements that are of a certain type or nature.

Page 75 of 80
A213. An example of an identified deficiency that may be considered severe but not pervasive is
as follows:
The firm identifies a deficiency in one of its smaller regional offices. The identified deficiency
relates to noncompliance with many firm policies or procedures. The firm determines that the
culture in the regional office, particularly the actions and behavior of leadership in the regional
office, which were overly focused on financial priorities, has contributed to the root cause of
the identified deficiency. The firm determines that the effect of the identified deficiency is as
follows:

• Severe, because it relates to the culture of the regional office and overall compliance
with firm policies or procedures
• Not pervasive, because it is limited to the smaller regional office
A214. The individual or individuals assigned ultimate responsibility and accountability for the
system of quality management may conclude that the system of quality management does not
provide the firm with reasonable assurance that the objectives of the system of quality management
are being achieved in circumstances in which identified deficiencies are severe and pervasive,
actions taken to remediate the identified deficiencies are not appropriate, and the effect of the
identified deficiencies have not been appropriately corrected.
A215. An example of an identified deficiency that may be considered severe and pervasive is as
follows:
The firm identifies a deficiency in a regional office, which is the firm’s largest office and
provides financial, operational, and technical support for the entire region. The identified
deficiency relates to noncompliance with many firm policies or procedures. The firm
determines that the culture in the regional office, particularly the actions and behavior of
leadership in the regional office, which were overly focused on financial priorities, has
contributed to the root cause of the identified deficiency. The firm determines that the effect
of the identified deficiency is as follows:

• Severe, because it relates to the culture of the regional office and overall compliance
with firm policies or procedures
• Pervasive, because the regional office is the largest office and provides support to many
other offices, and the noncompliance with firm policies or procedures may have had a
broader effect on the other offices
A216. It may take time for the firm to remediate identified deficiencies that are severe and
pervasive. As the firm continues to take action to remediate the identified deficiencies, the
pervasiveness of the identified deficiencies may be diminished, and it may be determined that the
identified deficiencies are still severe but no longer severe and pervasive. In such cases, the
individual or individuals assigned ultimate responsibility and accountability for the system of
quality management may conclude that, except for matters related to identified deficiencies that
have a severe but not pervasive effect on the design, implementation, and operation of the system
of quality management, the system of quality management provides the firm with reasonable
assurance that the objectives of the system of quality management are being achieved.

Page 76 of 80
A217. This SQMS does not require the firm to obtain an independent evaluation (for example, a
peer review report or report on service organization controls) on its system of quality management
annually or preclude the firm from doing so.
Taking Prompt and Appropriate Action and Further Communication (Ref: par. 56)
A218. In circumstances in which the individual or individuals assigned ultimate responsibility and
accountability for the system of quality management reach the conclusion described in paragraph
55b or 55c, the prompt and appropriate action taken by the firm may include the following:
• Taking measures to support performing engagements through assigning more
resources or developing more guidance and to confirm that reports issued by the firm
are appropriate in the circumstances, until such time as the identified deficiencies are
remediated, and communicating such measures to engagement teams
• Obtaining legal advice
A219. In some circumstances, the firm may have an independent governing body that has
nonexecutive oversight of the firm. In such circumstances, communications may include informing
the independent governing body.
A220. Examples of circumstances in which it may be appropriate for the firm to communicate to
external parties about the evaluation of the system of quality management include the following:
• When the firm belongs to a network
• When other network firms use the work performed by the firm, for example, in the case
of a group audit
• When a report issued by the firm is determined by the firm to be inappropriate as a
result of the failure of the system of quality management, and management or those
charged with governance of the entity need to be informed
• When law or regulation requires the firm to communicate to an oversight authority or
a regulatory body

Performance Evaluations (Ref: par. 57)

A221. Periodic performance evaluations promote accountability. In considering the performance
of an individual, the firm may take the following into account:
• The results of the firm’s monitoring activities for aspects of the system of quality
management that relate to the responsibility of the individual. In some circumstances,
the firm may set targets for the individual and measure the results of the firm’s
monitoring activities against those targets.
• The actions taken by the individual in response to identified deficiencies that relate to
the responsibility of that individual, including the timeliness and effectiveness of such
actions.
A222. An example of scalability to demonstrate how firms of different complexity may undertake
the performance evaluations is as follows:

Page 77 of 80
 • In a less complex firm, the firm may engage a service provider to perform the evaluation,
or the results of the firm’s monitoring activities may provide an indication of the
performance of the individual.
• In a more complex firm, the performance evaluations may be undertaken by an
independent nonexecutive member of the firm’s governing body or a special committee
overseen by the firm’s governing body.
A223. A positive performance evaluation may be rewarded through compensation, promotion,
and other incentives that focus on the individual’s commitment to quality and reinforce
accountability. On the other hand, the firm may take corrective actions to address a negative
performance evaluation that may affect the firm’s achievement of its quality objectives.

Documentation (Ref: par. 58–60)

A224. Documentation provides evidence that the firm complies with this SQMS, as well as law,
regulation, or relevant ethical requirements. It may also be useful for training personnel and
engagement teams, ensuring the retention of organizational knowledge, and providing a history of
the basis for decisions made by the firm about its system of quality management. It is neither
necessary nor practicable for the firm to document every matter considered, or judgment made,
about its system of quality management. Furthermore, compliance with this SQMS may be
evidenced by the firm through its information and communication component, documents or other
written materials, or IT applications that are integral to the components of the system of quality
management.
A225. Documentation may be formal (for example, written manuals, checklists, and forms),
informal (for example, email communication or postings on websites), or held in IT applications
or other digital forms (for example, in databases). Factors that may affect the firm’s judgments
about the form, content, and extent of documentation, including how often documentation is
updated, may include the following:
• The complexity of the firm and the number of offices
• The nature and complexity of the firm’s practice and organization
• The nature of engagements the firm performs and the nature of the entities for whom
engagements are performed
• The nature and complexity of the matter being documented, such as whether it relates
to an aspect of the system of quality management that has changed or an area of greater
quality risk, and the complexity of the judgments relating to the matter
• The frequency and extent of changes in the system of quality management
In a less complex firm, it may not be necessary to have documentation supporting matters
communicated because informal communication methods may be effective. Nevertheless, a less
complex firm may determine it appropriate to document such communications in order to provide
evidence that they occurred.
A226. In some instances, an external oversight authority may establish documentation
requirements, either formally or informally, for example, as a result of the outcome of external

Page 78 of 80
inspection findings. Relevant ethical requirements may also include specific requirements
addressing documentation; for example, the AICPA code requires documentation of particular
matters, including certain situations related to conflicts of interest, noncompliance with laws and
regulations, and independence.
A227. The firm is not required to document the consideration of every condition, event,
circumstance, action, or inaction for each quality objective or each risk that may give rise to a
quality risk. However, in documenting the quality risks and how the firm’s responses address the
quality risks, the firm may document the reasons for the assessment given to the quality risks (that
is, the considered occurrence and effect on the achievement of one or more quality objectives) to
support the consistent implementation and operation of the responses.
A228. The documentation may be provided by the network, other network firms, or other
structures or organizations within the network.

Page 79 of 80