top of page

From Risk Assessment to Monitoring: What 2026 Will Really Look Like Under SQMS 1

  • Feb 17
  • 5 min read

For many CPA firms, 2025 has been focused on designing and implementing a System of Quality Management (SOQM) under SQMS No. 1. Risk assessments have been performed, quality objectives documented, and responses designed.


But as firms turn their attention to 2026, a key question emerges:


What actually happens next?

The answer is monitoring — and more importantly, monitoring planned and executed well.


This article explores three areas firms should be thinking about now:

  1. How your risk assessment will evolve in 2026

  2. How to design a practical, risk-focused monitoring plan

  3. The technology considerations that can make or break the process


1. Your Risk Assessment in 2026: It Won’t Stay Static

One of the biggest mindset shifts under SQMS 1 is accepting that the risk assessment is not a one-and-done exercise.


Many firms reached the end of their initial implementation on time — a documented set of quality objectives, identified risks, and mapped responses. Those that haven’t need to catch up fast to demonstrate action to their peer reviewer.


That structure is a solid starting point — but it will not remain unchanged.


What to expect going forward

In 2026, firms should expect and actively consider:

  • Refinement of risks – consolidation of risks will assist firms to ensure easier management and updating of risks and thus eliminate any potential duplication of effort.  This consolidation opportunity reflects the common approach where firms created granular risks aligned to specific response where really multiple risks overlap.

  • Firms will need to identify and capture new risks which will emerge as their business models, client profiles, staffing, and technology change.

  • To capture all elements and processes forming part of their SoQM, firms may consider adding specific additional objectives for their monitoring and remediation policies and procedures.

  • Creating clearer assignment of responsibility for maintaining and updating the risk assessment.


Monitoring will surface issues — and that is exactly the point. The standard expects firms to find deficiencies early and remediate them effectively, not to demonstrate perfection.


2. Designing a Monitoring Plan That Actually Works

Once responses are designed, firms must determine how and when those responses will be monitored. This is where many firms may feel stretched and strained.


When considering your approach and plan it is useful to start by considering the purpose of the monitoring:


Monitoring is the mechanism that allows the firm to conclude whether the system of quality management provides reasonable assurance that its objectives are being achieved.


Key elements of an effective monitoring plan

Thinking about your plan there are 4 key questions to address:


1. What will be monitored?

Your monitoring population will be driven by:

  • Responses to quality risks

  • Issues and changes to the SOQM (new or modified responses)

  • Internal Inspections of Engagement files


2. How will monitoring be performed?

Monitoring procedures can be align directly to the response being tested.

Not all responses need the same level of testing.  Firms may consider several different testing options including:

  • Detailed testing approaches for higher volume or higher risk responses;

  • Standard checks for similar responses including compliance logs and trackers, training responses or review of minutes and agendas;

  • Walkthroughs or spot checks for new or amended responses during the period; or

  • Self-confirmations whereby the Response Owner certifies that the response has been operated with no known deviations or errors in the period.


Obtaining buy-in on test plans before testing begins is critical to avoid rework and misalignment between the monitoring team, Operational Responsible Individual and the Ultimate Responsible Individual. 


3. When will monitoring occur?

Firms are taking different approaches to cadence, including:

  • Annual “once-off” monitoring before the annual evaluation

  • Quarterly or monthly cycles that test groups of responses

  • Continuous monitoring across the entire period to reflect the timing of the execution of the responses.


Firms may choose a specific approach but as there is no single “right” cadence — firms may choose to use multiple approaches based on categorizing their responses (e.g. lower risk responses may only be monitored on a once off basis during a period.). 


Whichever approach is taken it is important that is it documented, and achievable.


4. What happens when deficiencies are identified?

Monitoring inevitably leads to findings. Those findings must be:

  • Evaluated to determine whether they represent deficiencies

  • Remediated on a timely basis

  • Considered as part of the firm’s annual evaluation conclusion


The annual evaluation conclusion will depend heavily on:

  • Whether deficiencies remain open

  • Whether remediation has been effective

  • The overall impact on the achievement of quality objectives


Considering these factors should drive firms to decide on their plan to complete monitoring. 


3. Technology: Supporting Monitoring, Not Complicating It

Many firms begin monitoring using familiar tools — spreadsheets, documents, shared folders — and for some firms, that may be sufficient in year one.


However, monitoring under SQMS 1 is data-heavy and ongoing, and technology can play a critical role in sustainability.


Key technology capabilities to consider

At a minimum, firms should be able to:

  • Define and reassess the monitoring population

  • Track multiple monitoring activities across a single response

  • Assign responsibility and manage timelines

  • Track findings, deficiencies, and remediation activities

  • Assess the impact of deficiencies on risks and objectives

  • Produce clear, reliable, and timely reporting for leadership, peer reviewers, and the Ultimate Responsible Individual.


Just as important is the ability to connect the dots — moving from a remediation item back to the underlying deficiency, response, risk, and quality objective.


A practical reminder

There is a learning curve. Planning matters, but it should not become a barrier to progress through looking for perfection.  There will be multiple iterations of the plan, especially in early years. The key question to ask is:


  • Is it appropriate for our firm?

  • Is it compliant with the standard?

  • Is it clear evidenced?


Progress over perfection is not just acceptable — it is expected.


Final Thoughts: Start Planning Now for 2026

Monitoring under SQMS 1 is not an ad hoc exercise or a year-end scramble. It is a structured, ongoing process that requires planning, coordination, and cross-functional involvement.


Firms that invest time now in:

  • Refining their risk assessment

  • Designing a realistic monitoring plan

  • Establishing clear ownership and timelines

  • Selecting tools that support - rather than hinder - the process will be far better positioned when they reach their 2026 annual evaluation.


The goal is not to avoid deficiencies. The goal is to identify them early, remediate them effectively, and continuously improve the system of quality management.

 

Want to learn more?

  • Click here to schedule a demo with one of our team members.

  • Fill in your details here to get a personalised quote that would best suit your firm.

  • See how QMCore could help your firm in these short, educational videos.

 
 
bottom of page