In this special episode of THE SAMPLE, Leita Hart-Fanta, CPA talks to Charles Hall, CPA about the new Quality Management Standards.
Welcome to The Sample, a quick discussion of auditing concepts and terms that will help you do your work. Conducting an audit in accordance with auditing standards is no small feat and I want to support you. We’ll be referring to the GAO, IIA and AICPA literature to bolster our conversations. Let’s get started.
Transcript
In this special episode of The Sample, Leita talks to Charles Hall, CPA. Charles Hall has worked in CPA firms for most of his career and is an expert on AICPA standards. He is a clear and entertaining writer and offers several self-study courses through YellowBook-CPE.com. Charles has his own podcast and allowed us to use this footage on our side as well. In this session, Charles and Leita talk about quality management standards.
Charles Hall:
Today we’re going to talk about quality management. As you probably already know, the AICPA has issued some massive quality management standards. I’ve got those here. I’ve been sleeping with these, not a lot of fun, but there’s a lot of stuff here, isn’t there, Leita?
Leita Hart-Fanta:
Put it under your pillow.
Charles Hall:
Well, it just makes these funny noises when I do that. So, I try not to. But the Yellow Book, it sleeps better so I can sleep. Put this up under my head and it works better.
Leita Hart-Fanta:
I’ve been living and breathing this thing, too, to try to understand because the Yellow Book just copied the AICPA standards.
Charles Hall:
Right. And you and I have been talking some about the Yellow Book, and is it the same as AICPA? You want to say anything about that now?
Leita Hart-Fanta:
As far as I can tell, it’s pretty much the same except there’s some terminology differences, but the concepts and requirements are the same.
Charles Hall:
When I think about quality management, it’s in terms of an alarm system. Like when I’m driving down I-75 and I get out of my lane, my car beeps at me. *Beep! beep!* I’m like, thank you for beeping… I almost hit that guy. So, it brings me back to where I need to be. That really is a quality management system, and we’ll call this a QM system. We used to call it QC for quality control. So, we’re changing some terminology.
And so, in the governmental world, Leita, you do a lot of work with single audits and Yellow Book. Give me an example of an error that single audit people make.
Leita Hart-Fanta:
Sometimes it revolves around internal control. Because when you do compliance testing in the single audit, you need to make sure you identify relevant key internal controls and test those controls. On the financial side, there are two pieces to the single audit, right? The financial side and the compliance side. On the financial side, you can kind of opt out of internal controls if you want to. Can’t do that on the compliance side.
And so, I think clearly labeling… This is a compliance test. This is a control test. That gets a little fuzzy in the single audit, too, because some of the compliance items are actually controls. However, you must be really intentional and very clearly document you satisfied that requirement on the single audit.
Charles Hall:
Yeah, it’s funny you say that. I actually saw that this week in reviewing some of the single audit files. So, this is an example if you do the single audit and you don’t document the internal controls, like Leita just said. If you have a good QM system, you’re going to start hearing “beep, beep, beep.” You’ll get some kind of feedback to correct you. That’s what we’re after. A lot of people look at this QM change as, “Oh, no!” Really, the way we should look at it is, “Oh, yes! This will help me stay in my lane. It will help me do what I need to do.”
Leita Hart-Fanta:
The way I think about this is a little different. I think it’s kind of a karma issue because we have been holding our auditees to the internal controls required by the COSO model, and this is the COSO model applied to us.
Charles Hall:
I see.
Leita Hart-Fanta:
So, we expect there to be a risk assessment at the auditee. We expect there to be control activities, information and communication, monitoring, control environment. We expect all these things of the auditee, and now this is just turning that COSO model back on us. So, we can’t be hypocritical and ask somebody else to do something that we’re not willing to do ourselves.
Charles Hall:
Yeah, exactly. Now it’s time to put the shoe on our foot. And Leita just referenced some items that we now call components. And this would be, as she just said, kind of like our internal controls. You’ll see eight components here. Now, this is out of the SQMS No. 1, which is the AICPA standard. You will see six components if you’re in a CPA firm. Or, if you do performance audits on the Yellow Book side, you need to develop quality objectives, quality risk and quality responses for these six areas.
Then let’s talk about risk assessment. It’s a process. So, you won’t develop these three things for the process. You’ll only do it for these. Same on monitoring. You won’t develop these for monitoring, but you will for these. So, let’s talk about risk assessment for a minute.
Leita, when you work with other CPA firms and they’re doing single audits, sometimes they don’t document their internal controls, right? If you help a CPA firm develop their QM standards and you help them risk assess, how would that work? What would that look like in reference to single auditing? And there are probably other areas you notice with single audits that they don’t get right.
Leita Hart-Fanta:
Well, it’s the same. I call it the trifecta that the GAO and the AICPA call forward every time they want us to think about something. It’s a three-step process:
- Understand the subject matter
- Assess risk
- Respond
We do that for the audit. Every time we go audit, we do a risk assessment where we understand things. We do that for fraud. We have those fraud responsibilities. So, we’re used to it on an audit project. But this is not for the project, it’s for the whole firm. It’s not looking at the auditee. It’s looking at us. It is just shifting that same skill that you use to do an audit and just turning the table on your own team.
Charles Hall:
And so this is something we don’t have a lot of experience with. I know I’ve been doing audits for about 40 years. I’ve never really done a self-assessment. Now I have looked at quality control, what we used to call quality control processes, and tried to remediate those. But this is really more holistic in nature. In the old days, we would see issues when I would review an audit file. I’d see things not right. I’d make a note of that. But, under this new QM standard, you’re really looking at, and I’ll go back here. You’re looking at all of these things holistically, and you’re really doing this 24/7. It’s not like every moment you’re doing this, but it’s more hands-on day by day. In the past, it was more like once a year we’d do an inspection and look at some files.
This is, I told Leita before, it’s kind of like Captain Kirk sitting in his chair and he’s looking out. He’s looking for any kind of risk. That’s what we do as we look at the CPA firm itself.
Leita’s done governmental work a long time. Probably not as long as I have, but a long time. So, because she has that background and sees all the mistakes that people can make, it’s easier if you’re like her. With this experiential knowledge over several years, I think you can look at yourself and know where your weaknesses are. If you’re young and you’ve been doing audits for two or three years, you may not have the experiences of falling down like I have many times. Then you know where the problems are. Don’t you think this will be easier for people that have been in public accounting longer than the newer people?
Leita Hart-Fanta:
Oh, yeah. But how helpful is it to share this? That was one thing that I didn’t enjoy about being a new staff auditor in public accounting. I felt like I was being treated like a mushroom sometimes. Kept in the dark and fed poo and not having any idea what’s going on. If you share this risk assessment and you do it alongside your team, they get the bigger picture of how all this stuff fits together.
Charles Hall:
Yeah, great idea.
Leita Hart-Fanta:
It would be a real benefit to doing this for the firm.
Charles Hall:
So, if we can bring everybody on the team into this process, everybody is better off. Even as an older guy, I’ve done this forever. I still learn from the younger people. And we can all do this as we go through this QM process.
Leita Hart-Fanta:
And they can actually recommend – the younger people who are natives to technology – can recommend ways that you can put controls in place and respond to these risks that are much more efficient.
Charles Hall:
And one interesting part of this… we talked about resources as a component. A part of resources is personnel, like hiring. But a new part of it is IT, information technology. So, as Leita was just saying, if you’re an old guy like me, you probably need the young people to come tell you about the information technology and how that’s going to make your quality management system better.
Leita Hart-Fanta:
Yep.
Charles Hall:
Okay. Let’s talk about who’s responsible for the system.
Leita Hart-Fanta:
Well, that’s new, too. That’s kind of a new thing, too, where they’re naming specific roles that have to do specific things, and that’s not the way it looked in the past.
Charles Hall:
Yeah, it’s another interesting change in here. But what we’re going to see is, and I’m trying to pull up, yeah, I got it now. I’m pulling up the AICPA guidance on this. So, the people responsible, you have mainly two people. You’ve got somebody with ultimate responsibility. I’ll go to Leita in a moment. This is a little bit different in the Yellow Book.
Leita Hart-Fanta:
In the Yellow Book, it’s called the senior-level official assigned accountability and responsibility for quality is what they call that person. It’s a mouthful.
Charles Hall:
Yeah. So, here’s Chapter Five in the Yellow Book, and here’s that language for the senior-level here. So, it looks a little bit different from the AICPA. Here they say “ultimate responsibility.” Over here they say “senior-level official.” And then you’ve got the person with operational responsibility. The senior-level person in the AICPA standards, they talk about managing partner or the firm’s managing board of partners. Over here in the Yellow Book, it doesn’t use that kind of language. It’s a little bit of a difference. Yeah.
Leita Hart-Fanta:
Yeah.
Charles Hall:
Okay. But then we’ve got operational responsibility, and that would be like I used to be the QC partner in our firm. So, on a day-to-day basis, I would be responsible for making sure the processes work. But at the end of the day, the person with ultimate responsibility, they’re going to conclude at the end of the year about whether or not this QM system works the way it should.
Leita Hart-Fanta:
Does the AICPA make it clear that the operational responsibility thing could be divided up among multiple people?
Charles Hall:
It does. And actually here, let’s see if I can bring this up a little bit. They divide in that Step C. They’re basically saying, “Hey, this person can delegate out independence monitoring and also just general monitoring.” The monitoring piece will be really interesting as you get into this. Pretty complicated. We don’t have time to attack that today, but just know that that will be quite different.
One more thing I wanted to show you in the AICPA’s SQMS No. 1, they actually provide you with the objective. This process, first of all, you develop a quality objective, then you develop a quality risk, and then you develop a response. So, the AICPA actually gives you the objectives for each component. You can just grab these straight out of SQMS No. 1. There’s also some specified responses. You want to use those particular responses. Now everywhere you’ve got an objective and a risk and there’s not a specified response, that’s where you’re going to develop yourself what that response would be.
So, I think we’ve given this a good go today. Leita, anything else you want to say before we wind up?
Leita Hart-Fanta:
No, I really do think it’s a matter of us turning the same expectations we have for our auditees back on ourselves. If we expect them to create quality services and products and implement internal controls, we’re just turning that same expectation back on ourselves and applying the same expectations. It’s going to be really, I think, helpful, too, to auditors who have more of a righteous ‘gotcha’ attitude toward their auditees, who’ve always told the auditee, “You should have monitoring in place. You should have someone in charge of this.” And now that we have to do it, I think it’s going to soften and give us a little bit more grace toward the auditees because we are going to have to do it ourselves. So, I think it’s going to be good all the way around.
And that wraps it up for another episode of The Sample. True to the nature of a sample, we didn’t talk about everything, so you’ve probably got questions. Write to me at leita@yellowbook-cpe.com and I’ll do my best to fill in the blanks. Thanks for playing.