Connect with us

Accounting

Quality management standards: Time is running out!

Published

on

Has your firm started work on implementing the new quality management standards? If you haven’t already started, it may be challenging getting it done by the Dec. 15, 2025, deadline for having a quality management system in place. 

That may seem like a long way off, with plenty of time to update your existing quality control document. Many firms are underestimating the level of effort required, and seem to think that simply changing the wording from “document” to “system” will be sufficient. However, that just isn’t the case. 

What’s the difference between a QCD and a QMS?

The biggest — and most obvious — difference is that the QCD was a document while the QMS is a system. The defining point of QMS is the “S” for system. Your firm needs to develop a system to ensure that the output meets the standards of quality. 

The reality is that the quality control document often sat on a shelf to be dusted off every three years for peer review. When working with firms on their QMS, we start by talking through their QCD with leaders who are often surprised by the differences between what the document says the firm does versus what is actually happening at the firm. Trying to comply by switching the name from QCD to QMS and folding in a few things, like adding snippets about technology and IP resources to the human resources section of the QCD, simply won’t work. Your firm’s QMS must also include accountabilities and tracking measures that are lacking in a QCD.

Quality objectives in a QMS

The new standards require firms to establish quality objectives around each of eight components, which you can read about in the standard. Because every firm is different, this isn’t just a boilerplate document that can be slightly edited. Each firm’s objectives and the path to achieving those objectives will be different. 

At AccountAbility Plus, we recommend using the long-standing SMART approach to establishing quality objectives for each of the eight components.

  • Specific: Objectives are stated in clear and specific terms to ensure that every team member is on the same page. For example, “As a firm we will not do PCAOB A&A work.” 
  • Measurable: Objectives must be measurable. Has this objective been completed? How will feedback be assessed? What will be the standard for acceptable feedback?
  • Attainable: These objectives must also be attainable within the firm’s capacity, with adequate resources, competencies, and methodologies to ensure they can be achieved.
  • Relevant: Quality objectives must be relevant to the firm’s strategic goals. They must align with the quality standards of the profession and the firm and ensure that regulatory requirements are met.
  • Time-oriented: Each objective must also be time-oriented with a clear and unambiguous date for achievement. Firms must also determine the timing of responses to risks depending on the severity.

A firm risk assessment process in a QMS

In the old QCD standards, it wasn’t clear how you were supposed to respond when you had a quality issue. QCDs could also be vague about the timeframes for evaluating and responding to risks, using words such as “periodically” and “timely,” which are left up to interpretation of each person in the firm. 

In contrast, your firm’s QMS must be actionable and must include a risk assessment process to be implemented by your firm. This process is used to identify risk events that could occur based on the firm’s quality objectives, and must include a process for tracking and documenting when you have risk events. You also need to determine the specific timing of your response to risk events by carrying out a root cause analysis to determine the remediation plan.

For a minor risk event, like issuing financials with a typo, or a staff member being short of CPE, but they don’t do Yellow Book audits, you can likely bundle these risks and respond to them once or twice a year. 

However, if this staff person does governmental audits for which Yellow Book CPE is required, the response needs to be much quicker. You need to determine what went wrong in your system and fix it to ensure that team members don’t miss their Yellow Book CPE in the future. 

Severe risk events — like issuing the wrong opinion or finding out the firm is not independent after the report has been issued — will require immediate attention to gather facts, determine the impact, and develop a response. 

Root cause analysis and the ‘Five Whys’ approach

When a risk event occurs, you need to determine why it happened by doing a root cause analysis, then you need to remediate the problem. 

For example, let’s say you have to reissue a financial statement. Sometimes the reason for reissuance isn’t a big deal, such as a typo that doesn’t affect the numbers or the opinion or anything significant, but you still need to reissue the financials to correct the minor error. Since this is a minor risk, you would track how many times it happened and at least once a year perform a root cause analysis. 

To perform a root cause analysis, we teach firms to use the ‘Five Whys’ approach. You start by asking what happened, and then repeatedly ask why that happened. By the time you get to the fifth why, you should find the root cause for the problem. Using our example of the typo, you start by asking what happened. Why did this typo happen? Then you keep asking why until you get to the root cause. 

You also need to consider how pervasive each risk event is. If it only occurred once or twice during the year, you’ll want to make sure your proofing system is robust enough to minimize the risk of typos. However, it’s not worth spending a significant amount of time and money to absolutely eliminate all risk of typos. However, if you’re reissuing financials to fix typos dozens of times a year, then there’s clearly something wrong with your proofing process. Using the Five Whys method, you should be able to determine the root cause and figure out how to mitigate this from happening as often. 

On the other hand, if you need to reissue financials due to a material misstatement, this is clearly a more severe risk event. You’ll need to immediately perform the root cause analysis as to why it happened and determine next steps to remediate the issue.

This standard was designed to be scalable, and firms should take advantage of this to right-size their response to risk events.

Don’t delay — start now

Ideally, you have already started this time-consuming and mandatory process. Your firm needs to consider each of the eight components and determine quality objectives that are both SMART and reflective of your firm’s characteristics. 

Several of the firms that we’ve been working with over the last year will be ready to start piloting their new QMS early in 2025. They’ll have the chance to see what’s working and what’s not working so they can make any necessary adjustments before the effective date. 

For firms that are truly committed to quality, this is more of a cost burden than a value add, although it’s never a bad idea to make enhancements that will improve quality. You may find some process improvements along the way that improve more than just quality. 

Dec. 15, 2025, will be here sooner than you think — start today, not tomorrow. 

Continue Reading

Accounting

IAASB tweaks standards on working with outside experts

Published

on

The International Auditing and Assurance Standards Board is proposing to tailor some of its standards to align with recent additions to the International Ethics Standards Board for Accountants’ International Code of Ethics for Professional Accountants when it comes to using the work of an external expert.

The proposed narrow-scope amendments involve minor changes to several IAASB standards:

  • ISA 620, Using the Work of an Auditor’s Expert;
  • ISRE 2400 (Revised), Engagements to Review Historical Financial Statements;
  • ISAE 3000 (Revised), Assurance Engagements Other than Audits or Reviews of Historical Financial Information;
  • ISRS 4400 (Revised), Agreed-upon Procedures Engagements.

The IAASB is asking for comments via a digital response template that can be found on the IAASB website by July 24, 2025.

In December 2023, the IESBA approved an exposure draft for proposed revisions to the IESBA’s Code of Ethics related to using the work of an external expert. The proposals included three new sections to the Code of Ethics, including provisions for professional accountants in public practice; professional accountants in business and sustainability assurance practitioners. The IESBA approved the provisions on using the work of an external expert at its December 2024 meeting, establishing an ethical framework to guide accountants and sustainability assurance practitioners in evaluating whether an external expert has the necessary competence, capabilities and objectivity to use their work, as well as provisions on applying the Ethics Code’s conceptual framework when using the work of an outside expert.  

Continue Reading

Accounting

Tariffs will hit low-income Americans harder than richest, report says

Published

on

President Donald Trump’s tariffs would effectively cause a tax increase for low-income families that is more than three times higher than what wealthier Americans would pay, according to an analysis from the Institute on Taxation and Economic Policy.

The report from the progressive think tank outlined the outcomes for Americans of all backgrounds if the tariffs currently in effect remain in place next year. Those making $28,600 or less would have to spend 6.2% more of their income due to higher prices, while the richest Americans with income of at least $914,900 are expected to spend 1.7% more. Middle-income families making between $55,100 and $94,100 would pay 5% more of their earnings. 

Trump has imposed the steepest U.S. duties in more than a century, including a 145% tariff on many products from China, a 25% rate on most imports from Canada and Mexico, duties on some sectors such as steel and aluminum and a baseline 10% tariff on the rest of the country’s trading partners. He suspended higher, customized tariffs on most countries for 90 days.

Economists have warned that costs from tariff increases would ultimately be passed on to U.S. consumers. And while prices will rise for everyone, lower-income families are expected to lose a larger portion of their budgets because they tend to spend more of their earnings on goods, including food and other necessities, compared to wealthier individuals.

Food prices could rise by 2.6% in the short run due to tariffs, according to an estimate from the Yale Budget Lab. Among all goods impacted, consumers are expected to face the steepest price hikes for clothing at 64%, the report showed. 

The Yale Budget Lab projected that the tariffs would result in a loss of $4,700 a year on average for American households.

Continue Reading

Accounting

At Schellman, AI reshapes a firm’s staffing needs

Published

on

Artificial intelligence is just getting started in the accounting world, but it is already helping firms like technology specialist Schellman do more things with fewer people, allowing the firm to scale back hiring and reduce headcount in certain areas through natural attrition. 

Schellman CEO Avani Desai said there have definitely been some shifts in headcount at the Top 100 Firm, though she stressed it was nothing dramatic, as it mostly reflects natural attrition combined with being more selective with hiring. She said the firm has already made an internal decision to not reduce headcount in force, as that just indicates they didn’t hire properly the first time. 

“It hasn’t been about reducing roles but evolving how we do work, so there wasn’t one specific date where we ‘started’ the reduction. It’s been more case by case. We’ve held back on refilling certain roles when we saw opportunities to streamline, especially with the use of new technologies like AI,” she said. 

One area where the firm has found such opportunities has been in the testing of certain cybersecurity controls, particularly within the SOC framework. The firm examined all the controls it tests on the service side and asked which ones require human judgment or deep expertise. The answer was a lot of them. But for the ones that don’t, AI algorithms have been able to significantly lighten the load. 

“[If] we don’t refill a role, it’s because the need actually has changed, or the process has improved so significantly [that] the workload is lighter or shared across the smarter system. So that’s what’s happening,” said Desai. 

Outside of client services like SOC control testing and reporting, the firm has found efficiencies in administrative functions as well as certain internal operational processes. On the latter point, Desai noted that Schellman’s engineers, including the chief information officer, have been using AI to help develop code, which means they’re not relying as much on outside expertise on the internal service delivery side of things. There are still people in the development process, but their roles are changing: They’re writing less code, and doing more reviewing of code before it gets pushed into production, saving time and creating efficiencies. 

“The best way for me to say this is, to us, this has been intentional. We paused hiring in a few areas where we saw overlaps, where technology was really working,” said Desai.

However, even in an age awash with AI, Schellman acknowledges there are certain jobs that need a human, at least for now. For example, the firm does assessments for the FedRAMP program, which is needed for cloud service providers to contract with certain government agencies. These assessments, even in the most stable of times, can be long and complex engagements, to say nothing of the less predictable nature of the current government. As such, it does not make as much sense to reduce human staff in this area. 

“The way it is right now for us to do FedRAMP engagements, it’s a very manual process. There’s a lot of back and forth between us and a third party, the government, and we don’t see a lot of overall application or technology help… We’re in the federal space and you can imagine, [with] what’s going on right now, there’s a big changing market condition for clients and their pricing pressure,” said Desai. 

As Schellman reduces staff levels in some places, it is increasing them in others. Desai said the firm is actively hiring in certain areas. In particular, it’s adding staff in technical cybersecurity (e.g., penetration testers), the aforementioned FedRAMP engagements, AI assessment (in line with recently becoming an ISO 42001 certification body) and in some client-facing roles like marketing and sales. 

“So, to me, this isn’t about doing more with less … It’s about doing more of the right things with the right people,” said Desai. 

While these moves have resulted in savings, she said that was never really the point, so whatever the firm has saved from staffing efficiencies it has reinvested in its tech stack to build its service line further. When asked for an example, she said the firm would like to focus more on penetration testing by building a SaaS tool for it. While Schellman has a proof of concept developed, she noted it would take a lot of money and time to deploy a full solution — both of which the firm now has more of because of its efficiency moves. 

“What is the ‘why’ behind these decisions? The ‘why’ for us isn’t what I think you traditionally see, which is ‘We need to get profitability high. We need to have less people do more things.’ That’s not what it is like,” said Desai. “I want to be able to focus on quality. And the only way I think I can focus on quality is if my people are not focusing on things that don’t matter … I feel like I’m in a much better place because the smart people that I’ve hired are working on the riskiest and most complicated things.”

Continue Reading

Trending