Each year, the American Institute of Certified Public Accountants (AICPA) Enhancing Audit Quality (EAQ) initiative identifies key focus areas that reflect not just policy shifts but practical pressure points within the audit profession. These priorities serve as a directional signal for firms, reviewers, and practitioners alike, indicating where quality lapses are most common and where audit execution needs to evolve.

In 2025, the list is not surprising. But it is urgent.

With risk assessment still raising red flags, quality management systems nearing their deadline for implementation, and rapid technology shifts transforming expectations, this year demands more than familiarity—it demands follow-through.

Here’s a closer look at the 2025 focus areas and how auditors can respond with insight and intention.

Risk Assessment: Revisit, Refine, Reapply

The implementation of SAS No. 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, marked a pivotal update to how auditors understand and respond to risk. Yet despite increased clarity in the standard, common practice still falls short, particularly around connecting the dots between identified risks and audit procedures.

For 2025, auditors should:

• Reevaluate their understanding of client systems of internal control. Risk assessment is not just about identifying risk factors—it’s about evaluating how controls mitigate them, or fail to.
• Use the full spectrum of inherent risk, as outlined in SAS 145, to determine which risks merit greater focus.
• Tailor responses thoughtfully, particularly for less complex entities, where “scaling down” should not mean “skipping over.”

Risk assessment remains one of the most significant contributors to audit deficiencies. Addressing it means treating it as a dynamic process—one that starts early and adjusts as the audit progresses.

Quality Management: From Policy to Practice

By December 15, 2025, firms must have a fully operational system of quality management in place under Statement on Quality Management Standards No. 1 (SQMS 1). This isn’t about updating documentation—it’s about building a system that actively manages risk across all stages of engagement delivery.

Key actions for firms and professionals:

• Engage leadership now to identify quality objectives and assess firm-specific risks.
• Establish clear, documented responses to those risks, including assigning responsibility and monitoring outcomes.
• Prepare for ongoing evaluation, which will be required within one year of system implementation.

Quality management under the new standards is iterative, not static. Auditors must prepare to embed this mindset in firm culture and daily workflows.

Technology-Enabled Auditing: Use with Purpose

Technology continues to reshape how audits are conducted. However, leveraging data analytics, automation, or AI isn’t an automatic improvement—it depends entirely on how these tools are integrated into professional judgment.

In 2025, auditors should ask:

• Are we using technology in ways that enhance audit evidence, or just streamline tasks?
• Have we evaluated risks related to client-deployed AI systems, particularly in areas like revenue recognition or control environments?
• Do our teams understand how tools work, or are we outsourcing judgment to systems we don’t control?

A thoughtful approach to tech adoption means recognizing where automation fits—and where human oversight must remain central.

Single Audits: Technical, High-Stakes, and Often Underserved

Single audits are among the most technically demanding assurance engagements. They require specialized knowledge, a working familiarity with evolving Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (known as Uniform Guidance), and careful attention to the OMB Compliance Supplement.

Given recent revisions and the long gap since the last major guide overhaul, auditors must:

• Stay current on updated requirements and program-specific risks.
• Evaluate whether they have the capacity and training to perform these audits or need specialized support.
• Communicate expectations clearly with clients, many of whom are unaware of their obligations as auditees.

With government scrutiny increasing, the pressure to get single audits right will only grow.

Emerging Attestation Engagements: Proceed with Clarity

Whether it’s ESG reporting, AI governance, or cybersecurity risk, demand for assurance over non-financial subject matter is accelerating. But the frameworks are often vague, and the criteria non-standardized.

Before accepting such engagements, practitioners should:

• Confirm that suitable criteria exist—this is the foundation of any credible attestation.
• Assess whether their team has the skills, data familiarity, and independence to perform the work.
• Avoid overcommitting in areas where the risk outweighs the readiness.

These new frontiers offer opportunity—but only when approached with clarity, caution, and compliance at the core.

KNAV Comments: Staying Ahead Is the Standard

The AICPA’s 2025 focus areas are not simply areas of concern—they are invitations to act. For audit professionals, that means shifting from reactive correction to proactive quality.

Whether it’s revisiting your firm’s risk assessment methodology, implementing a scalable QM framework, or training staff to think critically about tech and client controls, the work starts now.

Because audit quality isn’t an outcome—it’s a process. And that process is only as strong as the questions we’re willing to ask of ourselves, and of each engagement.