Quality & Compliance
Operational procedures for firm-level quality management, regulatory compliance, and professional
liability risk control. Synthesized from AICPA SQMS standards, NASBA CPE requirements, Florida
DBPR rules, and professional liability loss prevention data.
State-specific scope: SQMS, peer review, E&O, independence, and engagement inspection
content is nationally applicable. CPE requirements, licensure rules, firm registration, and
disciplinary procedures use Florida DBPR (Chapter 473, FAC 61H1) as the reference
jurisdiction. Practitioners in other states should substitute their board's rules for the
Florida-specific sections below.
SQMS No. 1 Quality Management System
The SQMS framework replaced the prescriptive SQCS checklist model with a risk-based approach.
Firms must design and implement a quality management system by Dec 15, 2025, and evaluate its
effectiveness by Dec 15, 2026.
Risk Assessment Cycle
The entire QM system flows from this four-step cycle:
- Identify quality objectives for each of the eight components below
- Assess quality risks that threaten each objective
- Design and implement responses proportionate to the identified risks
- Monitor and remediate -- ongoing evaluation, root cause analysis, corrective action
Two firms with different sizes and service mixes will have legitimately different QM systems
because their risk profiles differ. Document the rationale for every risk assessment.
Eight QM Components
- Risk Assessment Process -- Foundation. Drives all other components. Reassess when changes
occur (new service lines, staff turnover, regulatory changes).
- Governance and Leadership -- Assign accountability for the QM system. Commit resources
(time, budget, personnel). Communicate that quality is non-negotiable.
- Ethical Requirements -- Independence monitoring, annual confirmations from all professional
staff, AICPA Code compliance, conflict of interest procedures, Florida Chapter 473/FAC 61H1.
- Client Acceptance/Continuance -- Risk-based criteria, annual continuance review, document
rationale, withdrawal procedures when risk is unacceptable. Invoke
firm-operations:engagement-management for acceptance checklist details.
- Engagement Performance -- Planning, supervision, review, consultation policies,
documentation standards, differences-of-opinion resolution.
- Resources -- Human (competency, CPE, assignment), technological (software validation,
IT security, backup), intellectual (methodology, templates, research tools), service
providers (outsourced function oversight).
- Information and Communication -- Policies accessible to all staff, whistleblower/escalation
mechanisms, external regulatory reporting.
- Monitoring and Remediation -- Annual inspection program (select completed engagements),
root cause analysis, remediation plans with timelines, external feedback integration
(peer review findings, regulatory inquiries, litigation).
Small-Firm Scaling (1-5 Professionals)
The standard explicitly permits simpler, less formal systems. A sole practitioner may combine
leadership, engagement partner, and QM monitor roles.
Practical minimum for a small tax/bookkeeping practice:
- Written QM policies document (10-20 pages; template from AICPA, state society, or CAMICO)
- Client acceptance/continuance checklist
- Engagement-level review checklist per return/service type
- Annual self-inspection of 2-3 completed engagements
- CPE tracking and compliance documentation
- Independence confirmation (even sole practitioners confirm for attest clients)
- Annual system evaluation memo
Fatal pitfalls in peer review:
- No documentation of the risk assessment process
- Client acceptance based solely on fees, ignoring risk factors
- No structured engagement review process (sole practitioner reviews own work without checklist)
- Stale policies referencing superseded SQCS instead of SQMS
Peer Review Program
Review Types
- System review -- For firms performing engagements under SAS, SSAE, or Government Auditing
Standards. Evaluates QM system design and operating effectiveness, plus engagement-level testing.
- Engagement review -- For firms performing engagements only under SSARS. Focuses on
engagement-level compliance.
Cycle and Administration
- Frequency: every 3 years
- Florida administering entity: FICPA or other Board-accepted entity
- Results reported to Florida DBPR; unsatisfactory results may trigger Board action
- AICPA members in attest firms must enroll in the AICPA Peer Review Program
SQMS Alignment
Peer reviewers now evaluate whether the firm's QM system is designed appropriately and operating
effectively -- not just engagement-level compliance. Deficiencies in QM system design (not just
execution) can generate findings. The first peer review under SQMS examines both design and
implementation.
Peer Review and Liability
Peer review findings can be used as evidence in malpractice litigation. A pattern of deficiencies
suggests systemic quality issues. Maintaining a clean record is both a quality objective and a
liability defense. Correct deficiencies promptly and document corrective actions.
CPE Compliance
State-Specific CPE Requirements (Florida DBPR)
- Renewal cycle: Biennial (every 2 years), based on license expiration date
- Total hours: 80 hours per biennial period
- Annual minimum: Not less than 20 hours in any single year
- Ethics: 4 hours per renewal, must include Florida-specific content (Board-approved course),
at least 1 hour covering Florida CPA statutes and rules
- A&A requirement: 20 hours in accounting and auditing per renewal for licensees performing
or supervising audit, review, or compilation services
- Documentation retention: 5 years from end of renewal period
NASBA Credit Rules
- 1 CPE credit = 50 minutes of participation
- Minimum unit: half-credit (25 minutes); no rounding up
- Nano-learning (under 10 minutes) not yet universally accepted -- monitor NASBA finalization
Delivery Methods
- Group live -- In-person, live instructor, interaction required
- Group internet -- Real-time webinar with polling/Q&A
- Self-study -- Must include assessment component (exam, case study)
- Instructor/presenter -- Teaching earns credit (typically 2x prep ratio, capped)
- In-house training -- Qualifies if meeting NASBA standards (qualified instructor, learning
objectives, attendance tracking)
Tracking Protocol
- Record credits immediately on completion (do not batch at renewal)
- Track by: field of study, delivery method, year, jurisdiction
- Run compliance check quarterly to identify shortfalls before renewal deadline
- Budget: 40 hrs/year = ~1 hour/week or 5 full days/year
- Retain certificates in both digital and physical form
- Verify sponsor via NASBA National Registry (nasbaregistry.org) or QAS approval for self-study
CPE Exemptions (Florida)
- First-time licensees: prorated based on issue date within cycle
- Inactive status: exempt from CPE but cannot practice
- Hardship: Board may grant extensions for illness, military, documented hardship
- Retired status: no CPE required, license cannot be used for practice
State Board Regulatory Requirements (Florida DBPR)
Firm Registration
- Any firm offering CPA services in Florida must register with DBPR
- Annual renewal required; designate a licensed CPA as managing partner responsible for compliance
- Maintain a Florida office address on file with the Board
License Renewal
- Biennial cycle, odd-numbered years for Florida CPAs
- 80 CPE hours + 4 ethics hours per biennium
- Failure to renew by deadline results in delinquent status
- Inactive status available (no CPE, no practice, no CPA title in practice)
Practice Privilege and Mobility
All 55 U.S. jurisdictions now qualify as substantially equivalent (150 hours, CPA Exam, 1 year
experience). Under UAA Section 23 mobility:
- Most states allow temporary practice without notice or fee
- Establishing a physical office requires separate firm registration
- Tax preparation across state lines may require separate state preparer registration
- Always verify target state rules before commencing practice (nasba.org/licensure)
Disciplinary Process
- Complaint filed (client, colleague, agency, or board-initiated)
- Investigation by board staff
- Probable cause determination
- Administrative hearing (formal proceeding, defense opportunity)
- Final order/sanctions (reprimand, fines, CPE make-up, probation, suspension, revocation)
Common violations: CPE deficiency, failure to respond to board inquiry, client fund
mishandling, expired/inactive license practice, PTIN expiration, independence violations,
failure to maintain firm registration.
Professional Liability (E&O) Management
Coverage Fundamentals
- Claims-made policies (most common): cover claims reported during policy period, regardless of
when the act occurred, subject to retroactive date
- Minimum recommended: $500K-$1M per claim, $1M-$2M aggregate for small tax practices
- Major carriers: CAMICO, AICPA/Aon/CNA program, CPAI, state society programs
- Tail coverage (extended reporting period) is critical when switching carriers or retiring
- Florida does not require E&O for licensure, but some target states do for firm registration
Highest-Frequency Claim Triggers (Small Firms)
Tax practice:
- Missed filing deadlines (most preventable trigger)
- Incorrect tax positions that fail audit
- Failure to advise on planning opportunities or transaction consequences
- Estimated payment errors, NOL/carryforward tracking failures
- Multi-state nexus misses
Bookkeeping/accounting:
- Errors in classification, reconciliation, or financial statement presentation
- Failure to notice obvious fraud red flags
- Incorrect accounting system setup or account mapping errors
Engagement management:
- Scope creep without documented expansion
- Unauthorized third-party reliance on deliverables
- Verbal advice without written documentation
Loss Prevention Protocols
Engagement letters -- Single most effective defense. Claims without an engagement letter
result in higher payouts. Define scope, limit liability, establish dispute resolution.
Documentation standards:
- Document all advice, recommendations, and client decisions in writing
- Memo-to-file for verbal conversations containing advice
- Email follow-up after verbal discussions
- Negative documentation: when client declines advice, document the recommendation,
the declination, and communicated consequences
Deadline management:
- Centralized tracking with redundant reminders
- Never rely on a single person
- Automatic extension filing policy if information not received by cutoff date
Second-pair-of-eyes review:
- All returns and deliverables reviewed by someone other than preparer before delivery
- Review checklist documenting what was examined
- Even sole practitioners: use structured self-review or engage a peer
Client screening red flags:
- Prior firm termination (contact predecessor with client consent)
- History of tax noncompliance or delinquent filings
- Unrealistic outcome expectations, litigious history
- Fee sensitivity disproportionate to complexity
- Related-party complexity without supporting documentation
Statute of Limitations (Florida Reference)
- Professional malpractice: 2 years from discovery, 4-year statute of repose (Florida Statutes Section 95.11)
- Federal tax claims may have longer exposure (3-year assessment, 6 years if >25% understatement)
- Engagement letters can include contractual limitations period (enforceability varies by state)
Insurance Review Cycle
- Review coverage annually with carrier
- Confirm retroactive date covers firm's full history
- Report potential claims promptly (late reporting can void coverage)
- Understand exclusions: intentional acts, criminal conduct, employment practices
- Disengagement does not eliminate exposure for prior work -- maintain tail coverage
Independence and Ethics Compliance
Annual Independence Confirmation
All professional staff must confirm independence from attest clients annually. Even sole
practitioners must document independence for attest engagements.
Key independence threats:
- Performing bookkeeping for a client impairs independence for review engagements (compilation
with disclosure is the ceiling)
- Financial interests, loans, or business relationships with attest clients
- Family relationships with client management
- Fee arrangements contingent on engagement outcomes
Ethics CPE Requirement
Florida requires 4 hours per renewal period, including at least 1 hour on Florida CPA statutes
and rules. Select Board-approved providers covering both AICPA ethics and Florida statutes in
a single course.
Conflict of Interest Procedures
- Identify potential conflicts at client acceptance and annually during continuance review
- Document identified conflicts and resolution steps
- Withdraw from engagements where conflicts cannot be mitigated
Engagement Inspection Program
Annual Inspection Protocol
Select 2-3 completed engagements annually for internal review (minimum for small firms).
Selection should cover a mix of service types and risk levels.
Inspection evaluates:
- Engagement letter signed before work began
- Work performed per applicable standards (SAS, SSARS, SSAE, tax)
- Adequate documentation (workpapers support conclusions)
- Proper review evidence (reviewer sign-off, review notes)
- Timely completion and delivery
- Client communication adequacy
Corrective Action Tracking
When inspections or peer review identify deficiencies:
- Document the finding -- Specific deficiency, engagement reference, standard violated
- Root cause analysis -- Why did it happen (training gap, process failure, resource
constraint, oversight lapse)
- Design remediation -- Specific corrective action, responsible person, target completion
- Implement and verify -- Execute the fix, verify effectiveness
- Follow-up in next inspection cycle -- Confirm the deficiency does not recur
Invoke firm-operations:practice-management for scheduling inspections and tracking remediation
timelines.
Documentation Retention for QM
- Quality management policies manual (written, accessible to all personnel)
- Risk assessment documentation (objectives, risks, responses, rationale)
- Client acceptance/continuance records
- Engagement-level review evidence
- Monitoring/inspection results and remediation actions
- Annual QM system evaluation memo
- Retain for the period required by peer review (typically current + prior review cycle)
SQMS Effective Date Log
- SQMS No. 1 (A Firm's System of Quality Management) -- replaces SQCS No. 8, effective Dec 15, 2025
- SQMS No. 2 (Engagement Quality Reviews) -- effective Dec 15, 2025
- Revised QM-related SAS/SSARS/SSAE -- conforming amendments, effective Dec 15, 2025
- First QM system evaluation -- within one year of effective date (by Dec 15, 2026)
- SSARS 26 -- SQMS integration, periods ending on/after Dec 15, 2025
Supporting References
Read these for detailed coverage beyond the synthesized content above:
references/quality-management.md -- Full SQMS No. 1 component breakdown, implementation
guidance for small firms, documentation requirements checklist, peer review alignment details,
and buy-vs-build decision framework. Read when designing or evaluating a QM system.
references/cpe-compliance.md -- Complete NASBA CPE standards, Florida DBPR rule details
(61H1-33), credit measurement rules, self-study vs. group study distinctions, provider/sponsor
requirements, and fields of study taxonomy. Read for CPE tracking system setup or renewal
compliance verification.
references/regulatory-state-board.md -- Florida DBPR licensing requirements (education, exam,
experience), firm registration rules, mobility/substantial equivalency framework, PCAOB
registration thresholds, full disciplinary process sequence, common violations list, and
sanctions ranges. Read for multi-state expansion, disciplinary response, or AICPA membership
decisions.
references/professional-liability.md -- Detailed claim trigger analysis by service line,
client screening red flags, engagement letter as primary shield, statute of limitations defense,
disengagement risk management, and insurance coverage review guidance. Read for risk
acceptance criteria, pre-claim reporting, or E&O policy evaluation.
references/guide-financial-audit.md -- Authoritative standards bibliography (PCAOB, AICPA
AU-C, GAO Yellow Book, COSO, ISA), open textbooks, Big 4 practice guides, fraud examination
resources, and CPA exam references. Read when sourcing audit standards or building a reference
library for attest engagements.
Cross-Plugin References
Invoke these skills for related operational guidance:
- Invoke firm-operations:practice-management for review scheduling, deadline tracking, and
capacity planning around inspection and peer review cycles
- Invoke firm-operations:engagement-management for engagement letter standards, client
acceptance/continuance procedures, and scope management
- Invoke firm-operations:data-governance for data handling compliance, document retention
schedules, and secure file management
Cross-Plugin Consumers
bookkeeping:audit-support -- References this skill for QC standards on compilation/review
engagements, engagement quality review requirements, and SSARS compliance