FOCUS ON DATA CULTURE


relevant to the firm because of the nature and circumstances of the firm or its engagements.” SQMS 1, par. A29, gives examples of when requirements may not be relevant to your firm. Less complex organizations need to read these examples carefully. This is not a complete list.

SQMS 1, par. 24: “The firm should design and implement a risk assessment process to establish quality objectives, identify and assess quality risks, and design and implement responses to address the quality risks.” Keep in mind not all objectives in the standard may apply to your firm, and your firm may find that additional quality objectives in addition to those in the standard apply. Over time the applicable quality objectives that are relevant to your firm will change as the circumstances of your firm and your engagements change. State law or other regulations may require you to establish additional quality objectives to address requirements laid out in those laws or regulations.

Using sub-objectives may help in your identification and assessment of quality risks. Using a lower level of objective may also help in your design and implementation of responses to quality risks. While you are identifying and assessing quality risks, you may find that additional quality objectives apply to your firm. When designing and implementing responses to risks, you may find a quality risk that was not previously identified and assessed, and you need to loop back around in your process. This is the iterative nature of the process.


SQMS 1, par. A42, will help you think about the information needed to complete this process. This is a good list, but it is not all inclusive. You are required to assess quality risks as a basis for designing and implementing responses to mitigate those risks. You are required to obtain an understanding of the conditions, events, circumstances, actions or inactions that may adversely affect the achievement of the quality objectives. A partial list of these can be found in par. 26.

A risk arises from how and the degree to which those things listed in par. 26 will adversely affect the achievement of any of your quality objectives. Not all risks meet the definition of a quality risk. Professional judgment is key in determining quality risk. If there is a reasonable possibility of the risk occurring, and individually, or in combination with other risks, it will adversely affect the achievement of a quality objective, you must mitigate this risk.

The assessment of quality risks does not have to use scores or ratings, although you are not precluded from using them. This reminds me of the likelihood and magnitude diagrams we all know so well. The circumstance of our firm or engagement may have a high likelihood of occurrence but a low magnitude of harm. This circumstance may not rise to the level of a quality risk. However, a different circumstance may have a moderate likelihood of occurrence and a high magnitude of harm, which would likely be a quality risk. SQMS 1, par. A48, gives examples of conditions, events, circumstances, actions or inactions that may adversely affect the achievement of the quality objectives. Again, this is a good list, but it will not include everything that might apply to your firm.


I have discussed establishing quality objectives and identifying and assessing quality risk; now on to designing and implementing responses. SQMS 1, par. 27: “The firm should design and implement responses to address the quality risks in a manner that is based on, and responsive to, the reasons for the assessments given to the quality risks. The firm’s responses should include the responses specified in par. 35. However, the responses specified in par. 35 alone are not sufficient to achieve the objectives of the system of quality management.”


The final paragraph of the risk assessment section reiterates that you need appropriately designed policies and procedures to identify when changes in your firm, or engagements, occur. Ideally these policies and procedures would help you to catch the changes before they occur and not after. This would be like your own firm Doppler radar you can use to see the storm coming to avoid being swept away by it.


This last section also makes clear that as your policies and procedures capture information you may need to establish new quality objectives, identify and assess quality risk and design and implement new responses. Or you may need to remove quality objectives, quality risks and procedures that are no longer applicable. The point is, someone has to keep watch over the system. There is more to come on risk assessment. You can stay up to date on the QM standards by visiting the following link: https://www.aicpa.org/topic/audit-assurance/quality-management.


July/August 2023


CPAFOCUS

