AT Think

Building a QMS for a small firm

Even though the Dec. 15, 2025, deadline to implement the AICPA's new quality management standards has passed, many small firms that only perform preparation, compilations or reviews of financial statements still haven't fully complied. Many are overwhelmed by practice aids and toolkits designed for larger firms that perform audits. 

The good news for small firms that don't perform audits is that building your quality management system is simpler than you think. While the effective date has passed, you can create a system that works for you. 

Another piece of good news is that most small firms are already informally doing many things right, especially in ethics, governance, leadership and communication. Building quality objectives in these areas can be as simple as formally documenting and tracking to provide evidence of what you already do. 

Mistakes firms are making

In our discussions with smaller firms, we're seeing several recurring patterns.

1. The reactive approach. Because these standards have recently become effective, no one knows what peer reviewers will be looking for in smaller firms that only require engagement reviews, not the complete system reviews that audit firms need. In an engagement review, reviewers evaluate selected engagements to determine whether the work and reports were appropriate in the circumstances. 

This leads some firms to do little, or even nothing, in the hope that peer review won't probe their QMS as deeply as a system review would. 

2. Starting with an audit-centric toolkit. Other firms take the opposite approach and start with a toolkit designed for audit practices and try to make it fit. The broad risk lists in these toolkits include risks that are unlikely to occur in firms that don't perform audits.

Once you start with an audit-inclusive toolkit, it's hard to trim it down to an appropriate size, so the result is a system that's far too complex. You still need a QMS, but your system can be much simpler. 

3. Treating GAAP as optional. Because compilations provide no assurance and reviews provide only limited assurance, firms have a tendency to become lax in complying with the standards related to the reporting framework. This is a mistake. Following GAAP (or the appropriate reporting framework) is not negotiable, even when you're providing no assurance. Your QMS must support processes to ensure compliance with the reporting framework (e.g., GAAP). 

A five-step approach to your QMS

The most effective way for small firms to build a QMS is to stop thinking of it as a massive new system and instead treat it as a structured way to document, test and improve what you already do. Here's a five-step approach for firms where the highest level of assurance is a review. 

Step 1: Anchor everything in the standards. The first step is to anchor your QMS in the core objectives of SQMS 1 and 2, and SSARS 26. The firm's system should help ensure that personnel fulfill professional standards and that engagement reports are appropriate in the circumstances, serving the public interest through quality engagements. Starting with the standards enables you to avoid overcomplicating your QMS. 

Write down what "appropriate" means for your specific engagement mix of preparations, compilations and reviews. Then use that statement as a filter. If a policy or procedure doesn't connect back to the issuance of appropriate reports, it probably doesn't belong in your QMS. This keeps the system aligned with your actual services.

Step 2: Memorialize what you already do. Before you buy a template or build a risk spreadsheet, take inventory:

  • How do you ensure independence and ethics?
  • How do you decide which clients to accept?
  • How do you plan and supervise engagements?
  • How do you ensure staff have the competence for the work assigned?
  • How do you communicate firm expectations?

Most firms already have answers, but they live in partners' heads or in informal practices. Memorializing those practices becomes the foundation of your QMS and prevents you from building policies you don't need and won't follow.

Step 3: Compare your practices to SQMS 1 and SSARS 26. Now overlay your inventory onto the requirements, especially SSARS 26, which ties directly to the idea that engagement reports must be appropriate in the circumstances. One repeated emphasis in SSARS 26 is partner involvement in engagement planning. Small firms often do this naturally. Your QMS simply requires it to be explicit.

This comparison step reveals gaps without forcing you to adopt a vendor's entire framework.

Step 4: Identify and assess only the risks that truly apply. Many firms confuse "risk identification" and "risk assessment." The result is they list dozens (or hundreds) of "what-if" risks and feel obligated to address them all.

Risk identification is not the same as risk assessment. The goal isn't to imagine every possible failure, but to identify quality risk events that are more than remote for your firm and determine which policies and procedures address them. Many of the risks tied to audits, single audits or the use of service providers won't apply to a firm that provides compilations and reviews for privately held clients.

Firms also often assume that if a toolkit or checklist lists a risk, it must be addressed. But a generic list of potential risks is not your firm's risk assessment. A true assessment asks:

  • Does this risk apply to our services?
  • How likely is it?
  • If the risk event occurs, what is the magnitude?
  • What are we already doing that mitigates it?
  • What evidence do we have that our mitigation is operating effectively?

If you skip that assessment step, you may end up performing procedures on risks that are below the threshold of "more than remote." You also waste scarce time documenting controls for risks that will never happen in your practice.

At Accountability Plus, we have helped over 20 firms design and tailor their QMS to match the size, risk and complexity of their client bases. Typically, we find around 50 to 60 quality risk events for audit firms with clients in various industries. If your firm doesn't issue audit reports and you find yourself identifying a similar number of risk events, you likely need to revise your risk assessment approach. 

Step 5: Keep monitoring simple. A QMS isn't static. It should include a basic monitoring process to confirm the system is working and to trigger remediation when it isn't. For small firms, monitoring can be simple. Periodic meetings, internal file reviews or documentation checks tied to key objectives may be all you need. A monitoring system ensures your QMS supports quality on a dynamic basis.

Build a QMS that fits your firm

For small firms, a QMS is not about building an audit firm's system in miniature. It's about ensuring your firm issues reports that are appropriate in the circumstances, and that your people and processes consistently support that goal. 

To support small firms with building a right-sized QMS tailored to the size, risk and complexity of your clients, we are creating a toolkit and other resources for small firms, which you can access on our website.

Start simple. Focus on your services. Assess what actually applies. Document what you do. Fill the gaps. Then monitor it just enough to keep it real.

Your QMS doesn't need to be as big or as complicated as those of audit firms. For review and compilation practices, a well-designed QMS can be lean, defensible and sustainable, which is precisely what small firms need.

