Audit Quality Indicators: How to Build and Monitor an AQI Framework Under ISQM 1

What ISQM 1 actually requires for monitoring

ISQM 1.30 requires the firm to establish a monitoring and remediation process. That process has to include monitoring activities that provide information about the design and operation of the system of quality management: information that is relevant, reliable, complete, and timely enough to act on. Paragraph 31 goes further. The firm must design and perform monitoring activities, evaluate findings, identify deficiencies, and evaluate both the severity and pervasiveness of those deficiencies.

The standard doesn’t prescribe specific indicators. It doesn’t say “track partner-to-staff ratios” or “measure realization rates.” What it requires is that your monitoring produces evidence that the system works. AQIs are the mechanism most firms use to produce that evidence, and they’re what inspectors look for when they test your monitoring process.

The IAASB’s implementation guide for ISQM 1 distinguishes between inspection of completed engagements and ongoing monitoring of the system as a whole. AQIs sit in the second category. They don’t replace file inspections under ISQM 1.37. They supplement them with continuous data points that can surface problems between inspection cycles. Think of file inspections as the annual health check. AQIs are the blood pressure readings you take every quarter.

The distinction between inspection and monitoring matters for how you resource the quality function. File inspections require qualified reviewers to spend days in completed files. AQI monitoring requires someone to collect data, compare it to thresholds, and escalate when something is off. The second task is less skilled, more automatable, and should happen more frequently. Most firms that struggle with monitoring are trying to do both tasks with the same people on the same annual schedule.

Why most existing monitoring fails inspection

Most mid-tier firms already track some form of quality data. Completion rates. Review turnaround times. Staff utilization.

The problem isn’t that firms have no data. The problem is that the data they track wasn’t selected because it connects to a quality risk. It was selected because it was easy to measure or because a Big 4 firm published a list and it got copied without adaptation. ISQM 1.30 requires the connection to be deliberate: each indicator should trace back to a specific quality risk identified in your risk assessment under ISQM 1.23–24.

The AFM’s inspection approach tests this chain directly. Inspectors pull the firm’s risk assessment, then pull the monitoring plan, then ask: which indicator monitors which risk? If the answer is a generic list of KPIs with no mapping to the risk assessment, the monitoring process fails regardless of how much data the firm collects.

A second common failure is firms that track indicators but set no thresholds. They produce annual reports that say “the system operated effectively” based on a qualitative narrative with no defined tolerance levels and no documented basis for the conclusion. ISQM 1.A77 expects the firm to use professional judgment in setting tolerance levels, and an annual narrative with no quantitative criteria doesn’t demonstrate that judgment was applied.

Both failures share the same root cause. The firm treated ISQM 1 monitoring as a documentation exercise rather than an operational process. Documentation exercises produce binders. Operational processes produce decisions.

Selecting indicators that connect to quality risks

The selection process starts with your risk assessment, not with a list of popular AQIs. ISQM 1.23 requires firms to identify quality risks that have a reasonable possibility of occurring and, if they occur, a reasonable possibility of individually or in combination adversely affecting the achievement of quality objectives. Your AQIs should map directly to those quality risks.

Here’s what that looks like in practice. Suppose your firm’s risk assessment identified “insufficient engagement partner involvement during planning” as a quality risk under the governance and leadership component. A useful AQI for this risk might be the percentage of engagement files where the partner signed the planning memorandum before fieldwork began. If that number drops below 80%, something in your system isn’t working.

Contrast that with tracking total billable hours per partner. That’s a useful management metric. It tells you nothing about whether partners are involved at the right stages of the engagement. The metric measures activity. What the AQI should measure is the quality behaviour you’re trying to ensure.

The four categories of useful indicators

Most firms need a mix of indicators across four categories. No single category covers all quality risks, and relying on only one type leaves gaps in your monitoring.

Engagement-level indicators

Measure what happens on individual files. The percentage of files where the audit materiality calculation was revised at completion per ISA 320.12 is a common one. Others include the number of files with open review points at signing, the percentage of files where the going concern assessment was completed before the audit report date, and the average number of days between fieldwork completion and partner sign-off. These indicators are the most direct measure of audit quality but can only be collected after engagements close or at defined milestones.

Firm-level resource indicators

Measure whether the firm has the capacity to deliver quality work. Average hours of technical training per qualified staff member per year. Staff turnover rate among senior associates with more than two years’ experience. The number of engagements per partner during peak season. These indicators are leading rather than lagging. A spike in turnover predicts future file quality problems before those problems appear in individual engagements.

Resource indicators deserve special attention at smaller firms, where the departure of a single experienced senior can degrade file quality across an entire portfolio within one busy season.

Compliance indicators

Measure adherence to firm policies and professional standards. Examples include the percentage of engagement quality reviews completed where required under ISQM 1.34(f), independence breaches reported and remediated within 30 days, the percentage of engagements where the risk assessment was documented before fieldwork commenced, and the number of overdue client confirmation requests at the end of fieldwork. These tend to be the easiest indicators to automate because most engagement management systems already capture the relevant dates and sign-offs.

Outcome indicators

Measure the results of the audit process after the fact. The number of material misstatements identified after the audit report was issued, the rate of restatements for audited financial statements, and the number of inspection findings per engagement all fall here. Outcome indicators are the most powerful evidence of whether the system works, but they’re lagging by definition. By the time a restatement appears, the quality failure happened months or years earlier.

If your entire dashboard is engagement-level metrics with no resource indicators, you’re blind to the structural problems (understaffing, inadequate training) that cause engagement-level failures. If you only have outcome indicators, you’ll catch problems too late to prevent them. The balance matters more than the total count.

Setting thresholds that mean something

An indicator without a threshold is just a number on a page. ISQM 1.31(d) requires the firm to evaluate findings from monitoring activities and determine whether deficiencies exist. You can’t evaluate a finding if you haven’t defined what “acceptable” looks like.

Thresholds come in two forms. Investigation triggers are the levels at which the firm must look into what’s happening. Remediation triggers are the levels at which the firm must take corrective action. Not every breach of an investigation trigger leads to remediation. Sometimes the investigation reveals a reasonable explanation. But every remediation trigger breach must produce a documented response under ISQM 1.42.

Setting thresholds is where most firms go wrong in one of two directions. Over-engineering looks like 47 indicators with tolerances defined to one decimal place and a 30-page quarterly report that nobody reads. Under-engineering looks like tracking indicators with no defined thresholds at all, reviewing them once a year, and writing “results are satisfactory” without stating what satisfactory means.

For new indicators with no historical baseline, set an initial threshold based on professional judgment, measure for two reporting periods, then recalibrate. State this approach explicitly in your monitoring plan. Inspectors accept “we’re establishing a baseline” in year one. They don’t accept it in year four.

One more practical point: don’t set thresholds so tight that every quarter triggers an investigation. If your investigation trigger fires every period, the indicator is either miscalibrated or the underlying process is genuinely broken. Constant alerts produce alert fatigue, and eventually no one investigates at all. Set triggers that fire occasionally but meaningfully. Two to four investigations per year across your full dashboard is a reasonable expectation for a firm with 10–15 indicators.

Worked example: Van Leeuwen Accountants builds an AQI dashboard

Van Leeuwen Accountants is a 14-partner firm in Utrecht with 85 audit clients (annual revenues ranging from €8M to €120M). The firm completed its ISQM 1 risk assessment in 2023 and identified 11 quality risks across four components. The quality management partner, Anneke de Groot, needs to build an AQI dashboard that connects to those risks and satisfies the AFM’s expectations for monitoring evidence.

Step 1: Map risks to indicators

Anneke maps each of the 11 quality risks to at least one measurable indicator. For the risk “insufficient partner involvement at planning,” she selects “percentage of files with partner-signed planning memo before fieldwork start date.”

Step 2: Set thresholds using baseline data

She sets thresholds using the firm’s 2023 internal inspection data as a baseline. The 2023 data shows partner sign-off before fieldwork in 88% of files. She sets the investigation trigger at 82% and the remediation trigger at 70%.

Step 3: Assign data collection responsibility

The engagement management system already captures partner sign-off dates and fieldwork start dates. She asks the IT manager to create a quarterly report that calculates the percentage automatically rather than relying on manual file reviews.

Step 4: Investigate first breach

After the first quarter of 2024, the report shows 79%. Below the investigation trigger but above the remediation trigger. Anneke investigates and discovers that four files involved partner transitions mid-engagement. The incoming partners signed the planning memo after fieldwork had started because they were appointed late.

Step 5: Report and remediate

She presents the Q1 results and the policy recommendation to the firm’s quality management team. The policy change is approved and added to the firm’s procedures manual. ISQM 1.42 requires the firm to evaluate whether remedial actions are appropriately designed and to determine that they were implemented. The Q2 report will measure whether the new policy resolves the decline.

At the end of year one, Anneke has four quarterly data points for each of 12 AQIs. The annual monitoring report under ISQM 1.48 now contains actual trend data rather than a narrative conclusion. When the AFM reviews the firm, the inspector can trace from risk assessment to indicator to data to investigation to remediation. That evidence chain is what ISQM 1 monitoring looks like when it works.

Practical checklist for your firm

1. Pull your ISQM 1 risk assessment and list every quality risk your firm identified. If any risk has no measurable indicator attached to it, that’s the first gap to close.
2. For each indicator, confirm the data source exists and can produce results at least quarterly. If data collection requires more than 30 minutes per indicator per quarter, automate it or pick a simpler indicator.
3. Set investigation and remediation triggers for every indicator, documented with rationale. Use your own historical data as a baseline where available. Where you have no baseline, state that you’re establishing one and set a provisional threshold.
4. Assign a named person (not a committee) responsible for collecting each indicator’s data and escalating breaches to the quality management partner (ISQM 1.20(b)).
5. Build a one-page quarterly AQI summary that the quality management partner can review in under 15 minutes. If the dashboard takes longer than that, you have too many indicators or too little automation.
6. After two complete reporting cycles, review whether each indicator actually detected a problem or provided useful trend data. Drop indicators that generated zero signal and replace them with indicators that address your current risk profile.

Common mistakes

• Firms copy Big 4 AQI lists without mapping indicators to their own quality risks. The AFM’s 2023 inspection report specifically noted that monitoring programs at smaller firms often lacked a clear connection between the indicators tracked and the risks identified in the firm’s own assessment.
• Thresholds exist on paper but never trigger action. A 2022 FRC thematic review of audit quality monitoring found that firms frequently tracked indicators below threshold levels for multiple quarters without initiating investigation, undermining the entire monitoring framework.
• Monitoring reports conclude that “the system operated effectively” without presenting the underlying data. ISQM 1.48 requires the firm to communicate monitoring results to the engagement partner and other appropriate personnel. A conclusion without supporting data doesn’t satisfy the communication requirement under paragraph 49.

Related tools and reading

Put audit concepts into practice with these free tools:

Related guides:

Frequently asked questions

Source references

• ISQM 1, Quality Management for Firms that Perform Audits or Reviews of Financial Statements (effective 15 December 2022)
• IAASB, Implementation Guide for ISQM 1
• AFM, 2023 Inspection Cycle Results
• FRC, Thematic Review of Audit Quality Monitoring, 2022