Ask most accounting firm leaders whether their firm manages risk well, and most will say yes. Ask them to describe how risk insight influenced their last 10 major growth decisions — including client acceptance, practice expansion, geographic entry, and talent investment — and their answers become considerably less clear.
Across the industry, 6 in 10 organizations agree that risk management must transform to adapt to today’s environment. Yet only 14% report having fully made that change. To get started, firms should assess their current readiness, envision the desired future state, and define the action plan to get there.
The good news? The path forward is well defined, and every step creates meaningful, measurable value.
Why the regulatory moment reinforces the opportunity
The regulatory context has raised the stakes and clarified the destination for accounting firms. ISQM 1, the IAASB’s International Standard on Quality Management, replaced the prior quality control framework in December 2022 and has since been adopted or adapted across the world [2]. The standard requires firms to “design, implement, and operate a system of quality management” built on a continuous risk assessment process — not periodic reviews or point-in-time attestations.
The FRC in the U.K. has been direct about what this means in practice: Firms must demonstrate that quality management operates at the firm level with leadership accountability, not just at the engagement level. [3] The International Forum of Independent Audit Regulators (IFIAR), whose members include oversight bodies across 52 jurisdictions, similarly highlighted in its annual inspection survey that regulators are increasingly examining patterns and systems rather than individual deficiencies. [4]
The direction from global regulators is consistent: Episodic compliance is a floor, not a ceiling. The firms investing in risk maturity should be building well above it.
The four stages of risk maturity
How effectively does your firm approach risk? See which stage your firm is at:
Stage 1: Defensive compliance
Risk is treated as a box-checking exercise. The goal is to avoid findings, not enable decisions. Processes are manual, episodic, and siloed. Engagement teams manage their own approvals, risk data lives in disconnected systems, and ownership is unclear. Issues typically surface through inspection or incident, not proactive monitoring. Firms at this stage are often simply operating with infrastructure built for a smaller, simpler era.
Stage 2: Coordinated oversight
Risk activities are partially centralized. Some automation exists, often around conflicts checking or independence attestations, but processes still rely heavily on individual partner judgment. Data quality is inconsistent across practice areas. The firm responds faster than Stage 1 but remains largely backward-looking, reviewing what happened rather than anticipating what’s emerging.
Most midmarket accounting firms operate somewhere between Stages 1 and 2. They have risk functions, tools, and policies, but these don’t yet connect in ways that deliver portfolio-level insight or meaningful decision support for leadership.
Solutions like Intapp Intake, Intapp Conflicts, and Employee Compliance are designed for exactly this transition, moving key compliance workflows out of manual disconnected processes and into a consistent, auditable system. Intapp Walls extends this to engagement-level data security and — when connected to the firm’s independence systems or Employee Compliance — provides a critical safeguard against independence, conflict, and firm policy violations.
Each solution delivers meaningful capability on its own. Firms that integrate them with one another and with the broader engagement lifecycle — from business development through time tracking and billing — see significantly greater lift.
Stage 3: Integrated risk intelligence
Risk operates across the firm with shared data, common frameworks, and consistent standards. Conflicts, independence, and delivery risks are monitored in real time. Risk insight informs strategic decisions before commitments are made, not after. Partners, teams, and firm leaders have access to the information they need to make faster, better decisions without waiting for escalation.
Reaching Stage 3 requires deliberate investment in systems that connect workflows and centralize data. It’s a governance and process question as much as a technology one: Who owns risk data, how is it structured, and how does it flow across the firm?
Stage 4: Strategic risk enablement
Risk is embedded in the operating model. Leadership uses risk insight as a competitive differentiator, shaping client selection, pricing, staffing, and investment priorities. Portfolio-level visibility is continuous. Patterns emerge before they become problems. Trust, compliance, and growth reinforce one another systematically.
A useful way to think about this stage: The most sophisticated investors don’t just manage risk episodically. They define a strategy, determine which risks to pursue and which to avoid, structure their activities accordingly, deploy resources to match, and monitor performance continuously, adjusting based on what the data shows. A firm at Stage 4 approaches risk the same way. The risk framework is not a filter applied after strategy is set, but rather a part of how strategy is built and service delivery is provided.
Getting to Stage 4 requires connecting risk data to every point in the engagement lifecycle, starting in business development. Whether through Intapp DealCloud or a firm’s existing CRM system, the principle is the same: Risk intelligence should inform which clients a firm pursues, not just whether to accept them once they’ve been identified.
On the monitoring side, time data from Intapp Time or a firm’s existing time tracking solution can surface early warning signals when the engagement scope shifts unexpectedly, or when team members who weren’t anticipated in the original risk assessment begin logging time. Both instances may indicate independence or quality risks that need attention before they escalate.
Intapp Intake and Conflicts also offer continuous monitoring for risk and compliance exposure by proactively tracking client and engagement risk factors — including adverse media, sanctions, or potential threats to independence of conflicts of interest.
Intapp Celeste, Intapp’s governed AI platform built specifically for accounting firms, reflects what Stage 4 capability looks like in practice. It applies Firm AI not as a general-purpose layer, but as one designed around the specialized compliance frameworks, relationship data, and engagement workflows that define how these firms operate.
A diagnostic for firm leaders
Need help determining which stage your firm is at? These questions are designed to prompt honest reflection, not grade your firm on a scale:
- Visibility: Can you articulate your firm’s cumulative exposure across client industries, geographies, and delivery models — not just engagement by engagement, but as a portfolio?
- Speed: When a significant opportunity surfaces, how long does it typically take to get a defensible risk assessment? Hours? Days? Weeks?
- Consistency: If you reviewed the risk rationale behind the last 20 client-acceptance decisions, would you find a consistent framework, or individual judgment calls with limited documentation?
- Forward-looking insight: Does your risk function primarily tell you what happened, or does it surface patterns and emerging exposures before they become issues?
- AI readiness: As AI increasingly informs client work, quality management, and internal operations, are your data governance and risk frameworks designed to cover it, or is AI risk managed separately?
Where the path leads
Advancing risk maturity isn’t about spending more. It’s about connecting what already exists across people, processes, and data in ways that enable better decisions at speed. Very few accounting firms operate consistently at Stage 4 today. The firms investing now are building a durable advantage. The goal is to know where you are, understand where the gaps are most consequential, and take the next step forward.
We’d like to hear where your firm is on this spectrum and what has moved the needle. What has worked, what hasn’t, and what would you do differently?
Join the conversation at intapp.com/accounting-risk-intelligence.