
Hi there,
There’s an invisible risk that’s lurking around in your firm. Did you know that?
Small and Medium Practitioner (SMP) CPA / CA firms don’t fail only because of technical incompetence. Sometimes, they fail because of this silent risk.
Think about this harmless request from a client:
“Can you just post these few adjusting entries?”
Soon, this quietly escalates to something like:
“This client’s accounting team is quite poor. Nowadays, we help them not just with routine accounting entries, preparing estimates and reconciliations, but also with account code set-up, MIS reporting and sometimes even determining the accounting policy choice to implement. At times, we don’t even feel like we need to ask the client before posting entries — we just do it. Additionally, at year-end, we also prepare their financial statements.”
What’s the big deal, you ask? After all, accountants can help clients with certain non-assurance services.
You’re right.
However, where this becomes a problem is when you help with:
Posting recurring, complex entries with zero client involvement
Authorizing or making their decisions
Drafting full financial statements by making accounting policy choices
Building reporting systems or MIS reporting processes
Performing extensive reconciliations independently
And performing assurance services (audit or review).
At that point, you are no longer just performing an audit or a review; you’re taking on a management role at your client.
QUALITY OR RISK TOPIC
Quality Risk (use this quality risk definition as a starting point for your firm, and tweak it if you’d like to):
Scope creep in assurance engagements (e.g., management functions, valuation, or other non-assurance services) is not identified, evaluated, or formally reassessed, resulting in unmitigated self-review and management participation threats, impairing independence and engagement quality, and increasing regulatory and firm-level risk exposure.
Scope creep on assurance engagements is a pervasive risk because, if unaddressed, it creates multiple exposures in your firm. For example:
Independence threats
Destroys margins
Staff capacity crunches
Documentation gaps
Fee vs. risk misalignment
Inspection failure
Reputational damage

INSIGHTS, INNOVATION AND SYSTEMS
Basically, there are two types of services that can amplify this risk:
Services that are prohibited
Services subject to threats and safeguards assessment.
Prohibitions are a clear “No”, because no safeguards can be implemented in these cases that can bring down the risk to a manageable level.
When it comes to providing bookkeeping or other types of non-assurance services, a firm (or a member in a firm) must not perform an assurance engagement for a client if the member makes a management decision or performs a management function for the client.
Performing management functions is a clear prohibition, and there are no safeguards that can reduce any threats to a low level.
What happens if you do?
When non-permissible services creep in, it signals:
weak acceptance and continuance decisions at engagement levels,
poor quality and risk management function (or the lack of it),
leadership tolerance for professional standard non-compliance, and
fee decisions being prioritized over risk implications.
Under the Quality Management Standards, this directly affects various components:
Governance & Leadership,
Relevant Ethical Requirements,
Acceptance & Continuance,
Engagement Performance and the
Risk Assessment Process.
Illustrative scenario:
A small firm performed a review engagement for a long-standing client. Over time, “helping out” expanded into rebuilding inventory records independently, drafting key accounting estimates, and preparing full financial statements including making accounting policy choices.
No formal reassessment of independence was performed because “we’ve always done it this way.” During a practice inspection, the regulator asked a simple question: Who determined the valuation methodology and key assumptions? The working papers showed the firm had designed the valuation model and later reviewed it.
What started as client support became a clear self-review and management participation threat. The inspection finding in this case will not be about technical errors — but about independence erosion. The firm had blurred its role, and its SoQM never captured it as a quality risk.
FREQUENTLY ASKED QUESTIONS:
We’re a small firm. Clients expect us to “help out.” If we say no, we risk losing them. How do we balance commercial reality vs. compliance?
Helping is never the issue. Failing to evaluate the threat is the issue.
And you must do this by answering questions like:
Are we making management decisions?
Are we later providing assurance over work we performed?
If the banker has a question on the Financials, who can answer it in greater detail and accurately — the client or us?
Have we documented safeguards?
Have we updated engagement terms and fees to reflect expanded risk?
Ultimately, commercial realities must not override the professional standards.
If scope expansion gets real, you must stop, evaluate, re-scope and proceed with guardrails in place, if feasible.
If not, decline the engagement, as anything else is unmanaged exposure.
RESOURCE OR ACTION ITEM
What can I do about it, you ask?
The solution is structural — dual-layered.
At the top layer, begin by defining clear scope escalation triggers that are communicated (and operate) firm-wide. For example:
no preparation of source records,
no drafting estimates,
no designing accounting policies or making policy choices,
no performing valuation activities, or
no handling recurring entries beyond year-end adjustments
At the bottom layer, require mandatory reassessment when they occur, including:
updating engagement terms
evaluating independence threats
documenting safeguards and
adjusting fees where risk has changed.
Embed this into your system through an annual scope confirmation review for each assurance client. Once procedural, scope management becomes controlled.
Actions you can take this week.
Keep it simple but intentional:
1. Add scope creep as a specific quality risk in your SoQM.
2. Reassess your firm’s standard engagement letter for scope expansion.
3. Train staff to escalate “just one more thing” requests.
4. Document safeguards and add this to your engagement file.
5. Obtain documented client approval for all permissible non-assurance work.
6. Obtain the signed management representation letter before issuing the opinion.
7. Host a 30-minute session with your entire team to talk about 1-6 above.
Remember, if it’s happening repeatedly, it’s no longer an exception. It’s a system failure.
Final thought
Managing the System of Quality Management is managing your firm.
Implementing an effective System of Quality Management under any professional standard — whether under SQMS 1, QC 1000, or CSQM 1 — is not the quality team’s or your side-hustle.
It’s your job and it begins with a massive shift in mindset, and how your entire firm thinks and operates around quality.
It’s not easy. But it’s doable — only with the right leadership, right mindset, tools, and support.
And that leadership begins with YOU.
Firms fail because of unmanaged micro-risks, and scope creep is one of them.
Don’t make the client’s problem your problem.
If you like this newsletter, consider joining The ARQ — Assurance, Risk and Quality Network for SMP CPA and CA Firms.
It’s free.
You will get:
1 hour learning credit,
1 digital certificate
Peer insights and practical resources
Networking opportunity.
Well, that's it for now — hope you found this useful.
If you've any feedback or questions, write to me at [email protected], and I will personally respond to your email.
Until next time,
Athreya

Thanks for reading this issue of The AQRM Compass.
Audimatiq Consulting Inc. is an independent consulting services, learning, thought leadership and technology solutions provider to CPA firms. We do not offer audit, review, or any type of assurance services and are not a registered CPA firm.

