The FRC's 2025 Audit Quality Review on a Tier 2 UK firm landed with one sentence that should make any engagement partner (EP) uncomfortable: the engagement quality control reviewer (EQCR) file showed the reviewer had signed off in under forty minutes, on a PIE audit with three significant estimates and a going concern flag. The reviewer hadn't challenged a single judgment. He'd ticked the form on a Friday afternoon. We used to call that the TGIF sign-off, and the profession has a ticking and bashing problem it still hasn't fully admitted to.
Here's the honest version: I've sat in both chairs. I've been the EP who sent a file to the reviewer at 4pm on Thursday knowing the report had to go out Friday morning, and I've been the reviewer who signed the form because the partner had already committed the date to the client. ISA 220 (Revised) exists to make that harder. The AFM, FRC, WPK, and H3C have all published inspection findings showing it still happens.
ISA 220 (Revised), effective for periods beginning on or after 15 December 2022, requires the EP to manage quality at the engagement level by taking responsibility for leadership, ethical requirements, resources, direction and supervision, and the engagement quality review (EQR) process.
Key takeaways
- ISA 220 (Revised) governs quality management at the individual engagement level. It makes the EP personally responsible for achieving audit quality on every engagement they lead.
- The revised standard (effective for periods beginning on or after 15 December 2022) represents a shift from "quality control" (compliance-based) to proactive "quality management." The EP must actively manage quality, not merely comply with firm policies.
- The EP has overall responsibility for managing and achieving quality on the audit, covering leadership and professional skepticism, ethical requirements and independence, client acceptance and continuance, engagement resources, direction/supervision/review, and the EQR process.
- ISA 220 operates as the engagement-level implementation of the firm's system of quality management established under ISQM 1. The firm sets the policies. The EP applies them to the specific audit.
- The standard strengthens requirements around professional skepticism. The EP must create an environment where the team can raise concerns without fear and where skepticism is expected rather than tolerated.
- Documentation requirements are stronger under the revision. The EP must document how they exercised their responsibilities, including the basis for key judgments and how they determined their involvement was sufficient and appropriate.
- What is ISA 220 (Revised)?
- The objective of the auditor under ISA 220
- The shift from quality control to quality management
- The engagement partner's responsibilities
- The relationship between ISA 220 and ISQM 1
- Documentation requirements
- Practical implications for different firm sizes
- ISA 220 in your jurisdiction
- Frequently asked questions
What is ISA 220 (Revised)?
ISA 220 (Revised), titled "Quality Management for an Audit of Financial Statements," deals with the EP's specific responsibilities for quality management on an individual audit engagement. Where ISQM 1 establishes the firm-wide system of quality management and ISQM 2 governs engagement quality reviews, ISA 220 (Revised) connects these firm-level systems to the day-to-day reality of running an actual audit.
The simplest way to think about the relationship:
| Standard | Level | Focus |
|---|---|---|
| ISQM 1 | Firm-wide | Designing, implementing, and operating the quality management system |
| ISQM 2 | Engagement (review) | The EQR process and the reviewer's responsibilities |
| ISA 220 (Revised) | Engagement (execution) | The EP's and team's responsibilities for quality on a specific audit |
ISA 220 (Revised) replaced the previous ISA 220 and became effective for audits of financial statements (FS) for periods beginning on or after 15 December 2022. The revision was part of a major overhaul of the IAASB's quality management standards. It was a direct response to persistent regulatory findings about inconsistent audit quality and insufficient professional skepticism.
The standard should be read in conjunction with ISA 200 (which establishes the overall objectives that quality management supports), ISA 210 (which establishes the engagement terms), ISQM 1, and ISQM 2.
The objective of the auditor under ISA 220
ISA 220.9 states the objective:
The objective of the auditor is to manage quality at the engagement level to obtain reasonable assurance that quality has been achieved such that:
(a) The auditor has fulfilled the auditor’s responsibilities, and has conducted the audit, in accordance with professional standards and applicable legal and regulatory requirements; and
(b) The auditor’s report issued is appropriate in the circumstances.
Two things stand out. First, the word "manage." This is not about compliance with a checklist. It requires active, ongoing management of quality throughout the engagement lifecycle. Second, the standard ties quality directly to the two outputs that matter: proper conduct of the audit and an appropriate report.
The shift from quality control to quality management
The previous ISA 220 used the language of "quality control," a reactive concept focused on ensuring compliance with established procedures. The revised standard uses "quality management," a proactive concept focused on identifying risks to quality and designing responses to address them.
Under the old approach, a firm would have a quality control manual, and the EP's job was to follow it. If the manual said "review all audit files within 60 days of sign-off," compliance meant meeting that deadline. Whether the review actually improved quality was secondary.
Under the new approach, the EP must think about what could go wrong with quality on this specific engagement and take steps to prevent it. If the engagement involves a complex IFRS 9 expected credit loss estimate and no team member has ECL expertise, the quality risk is obvious. The partner must respond by adding the right resource, not by checking a generic compliance box.
This shift matters most for smaller firms, where the EP may also be responsible for designing many of the firm's quality management responses (ISA 220.A13 explicitly acknowledges this scalability).
The engagement partner's responsibilities
ISA 220 (Revised) structures the EP's responsibilities across seven interconnected areas. These are not independent requirements. They operate as a system.
1. Leadership and professional skepticism
ISA 220.13–14 requires the EP to take overall responsibility for managing and achieving quality on the audit, including through creating an environment that emphasises the expected behaviour of engagement team members.
Setting the tone is where it starts. The EP's attitude (what they question, what they accept, how they respond to bad news) defines the quality culture of the engagement. If the partner routinely accepts management's explanations without challenge, the team will learn to do the same. If the partner asks probing questions and rewards team members for raising concerns, skepticism becomes embedded in the work.
Addressing impediments to professional skepticism is equally important. ISA 220.A18–A22 identifies specific impediments: unconscious biases (anchoring on prior-year results, confirmation bias, groupthink, sunk-cost thinking), time pressure that discourages thorough investigation, intimidation by dominant management, and over-reliance on management representations. The EP must be alert to these and take concrete steps: encouraging team members to challenge assumptions, scheduling sufficient time for complex areas, creating safe channels for raising concerns, and visibly acting on those concerns when they are raised.
Sufficient and appropriate involvement throughout the engagement is one of the biggest shifts in the revision. The EP cannot delegate everything and appear only at sign-off. ISA 220.14 requires sufficient involvement throughout the audit (during planning, at key decision points during fieldwork, at the conclusion, and when difficult issues surface mid-engagement) such that the partner has a basis for determining whether the significant judgments made and conclusions reached are appropriate.
What "sufficient involvement" looks like in practice
Regulators consistently flag insufficient partner involvement as an audit quality deficiency. The AFM in the Netherlands, the FRC in the UK, and the WPK in Germany have all identified this in inspection findings. At minimum, the EP should be actively involved in setting the overall audit strategy (ISA 300), determining materiality (ISA 320), assessing significant risks (ISA 315), evaluating key audit judgments (particularly around estimates under ISA 540), reviewing proposed audit adjustments (ISA 450), and forming the audit opinion (ISA 700). My test: if I'm the EP and I cannot explain (in my own words, without the working papers in front of me) why a significant judgment was made the way it was, my involvement was not sufficient. The file will show it.
2. Relevant ethical requirements
ISA 220.16–20 requires the EP to have an understanding of relevant ethical requirements, including those relating to independence, and to determine through observation and inquiry whether members of the engagement team have complied.
Independence is not a one-time check. The EP must form a conclusion on compliance with independence requirements that apply to the audit engagement (ISA 220.17). This includes identifying and evaluating threats to independence (self-interest, self-review, advocacy, familiarity, intimidation) and determining whether safeguards reduce those threats to an acceptable level.
Breaches must be addressed promptly. If a breach of ethical requirements or independence is identified, the EP must (in consultation with others in the firm) determine the appropriate action (ISA 220.20). This might include eliminating the threat, applying safeguards, withdrawing the affected team member, or in serious cases, withdrawing from the engagement entirely.
In the EU, ethical requirements are reinforced by the EU Audit Regulation (537/2014), which imposes specific independence rules for PIE audits: mandatory firm rotation (maximum 10 years, extendable to 20 with tendering or 24 with joint audit), a blacklist of prohibited non-audit services, a 70% fee cap on non-audit services relative to the average audit fee over three consecutive years, and cooling-off requirements for key audit partners.
3. Acceptance and continuance
ISA 220.21–22 requires the EP to determine that the firm's policies and procedures for acceptance and continuance of client relationships and audit engagements have been followed, and that conclusions reached are appropriate.
This is not merely administrative. The EP must exercise judgment about whether accepting or continuing the engagement is appropriate, considering matters such as the integrity of the entity's principal owners and key management, the competence and resources available to the firm, ethical issues including independence threats, and any information from the predecessor auditor.
If doubts arise during the engagement, the partner must consider the implications. Information obtained during the audit (for example, evidence of management integrity concerns or previously unrecognised complexity) may call into question whether the engagement should continue. ISA 220.22 requires the partner to communicate such information to the firm and to determine together whether it is appropriate to continue.
4. Engagement resources
ISA 220.25–28 requires the EP to determine that sufficient and appropriate resources are assigned or made available to the engagement team in a timely manner.
Resources under ISA 220 are broader than just people.
| Resource Type | Examples | Quality Consideration |
|---|---|---|
| Human resources | Team members, specialists, experts | Do they have the competence and time to perform their assigned roles? |
| Technological resources | Audit software, data analytics tools, IT audit tools | Are they appropriate for the engagement's complexity? Are team members trained to use them? |
| Intellectual resources | Firm methodology, industry guidance, templates, professional literature | Is the methodology current and applicable? Are industry-specific resources available? |
The EP's responsibility extends to competence assessment. It is not enough to have bodies on the engagement. Those people must have the right skills. If the audit involves a complex pension valuation (IAS 19), someone on the team (or an engaged expert under ISA 620) must understand actuarial concepts. If the entity operates in a regulated industry (banking or insurance), the team must have relevant industry knowledge.
When resources are insufficient, the EP must take appropriate action. ISA 220.25 requires the partner to determine that appropriate action is taken if insufficient or inappropriate resources are provided by the firm. This might mean escalating the resource gap to firm leadership, adjusting the audit timeline, engaging an external specialist, or (in extreme cases) concluding that the engagement cannot be performed to an adequate standard and communicating this to the firm.
5. Engagement performance: direction, supervision, and review
ISA 220.29–33 addresses the core of day-to-day quality management: how work is directed, supervised, and reviewed.
Direction means ensuring the engagement team understands their responsibilities, the objectives of the work to be performed, the nature of the entity's business, risk-related issues, and the detailed approach to the audit. Direction happens at the start (through team briefings, planning meetings, and the audit programme) and continues as circumstances change.
Supervision means monitoring the progress of the audit, considering the competence and capabilities of team members performing the work, identifying emerging issues early, and determining whether changes to the planned approach are needed. This is where mid-engagement check-ins and coaching moments occur. Supervision is not just about catching errors. It is about ensuring work is on track and that emerging issues are identified and escalated promptly.
Review means evaluating whether the work has been performed in accordance with professional standards and the firm's policies, whether significant matters have been raised for further consideration, whether appropriate consultation has taken place, and whether the work supports the conclusions reached. ISA 220.33 specifically requires the EP to review audit documentation relating to significant matters and significant judgments, along with other matters that in the EP's professional judgment are relevant.
Scaling direction, supervision, and review
The nature and extent of direction, supervision, and review should vary based on the experience of team members and the complexity of the work. A first-year associate testing trade receivables confirmations needs more direction and closer supervision than a senior manager evaluating an impairment model. The standard explicitly acknowledges this scalability (ISA 220.A84). But scaling down requires judgment, not assumption. If a team member's performance during the engagement reveals competence gaps, supervision and review must be increased, even if the original plan assumed less. I've made the mistake of assuming a second-year could handle bank reconciliation testing unsupervised because they'd done it before. The prior year was a simple entity. This year it wasn't.
6. Engagement quality review
ISA 220.34–36 addresses the EQR, which is governed in detail by ISQM 2 but has engagement-level implications under ISA 220.
The firm's quality management policies under ISQM 1 determine which engagements require an EQR. At minimum, the EU Audit Regulation requires an EQR for all PIE audits. At firms like ours, EQRs are also triggered for listed entities, high-risk clients, first-year engagements, and engagements where significant difficulties or disagreements arose.
The EP has four responsibilities in relation to the EQR.
- Cooperate with the engagement quality reviewer (ISA 220.35).
- Discuss significant matters and significant judgments with the reviewer.
- Provide the reviewer with access to documentation on a timely basis, not the night before the report date.
- Not date the auditor's report until the EQR is completed (ISA 220.36). This is a firm prohibition. The audit report cannot be issued until the EQR process is finished.
The engagement quality reviewer evaluates (under ISQM 2) the following areas.
- The engagement team's basis for significant judgments, including judgments about materiality, significant risks, going concern, and key accounting estimates.
- Whether appropriate consultation has taken place on difficult or contentious matters and whether conclusions were implemented.
- The engagement team's evaluation of the firm's independence.
- Whether the proposed auditor's report is appropriate.
The EQR is not a re-performance of the audit. It is an objective evaluation of the engagement team's significant judgments and conclusions. A second set of experienced eyes before the report is issued.
7. Differences of opinion
ISA 220.37–38 addresses what happens when the engagement team, the EP, the engagement quality reviewer, or those performing consultation disagree.
The principle is clear: differences of opinion must be resolved before the auditor's report is dated. The firm's policies and procedures must provide a mechanism for identifying and resolving such differences. The EP must not date the report until any differences of opinion are resolved.
This requirement exists because unresolved disagreements (particularly between the EP and the engagement quality reviewer) can indicate fundamental problems with the audit's conclusions. A report issued while a significant disagreement persists may be inappropriate.
The relationship between ISA 220 and ISQM 1
ISQM 1 and ISA 220 only make sense when you read them together.
ISQM 1 creates the infrastructure. The firm establishes quality objectives, identifies quality risks, and designs responses (policies and procedures) to address those risks. These responses cover governance and leadership, ethical requirements, client acceptance, engagement performance, resources, information and communication, and monitoring and remediation.
ISA 220 operationalises that infrastructure on each engagement. The EP takes the firm's policies and procedures and applies them to the specific audit. But ISA 220 goes further. The EP must also exercise professional judgment about whether the firm's policies are sufficient for the particular engagement. If they are not, the partner must take additional action.
The engagement team provides information back to the firm. ISA 220.39 requires the EP to remain alert for information that may be relevant to the firm's monitoring and remediation process, and to communicate such information to those responsible within the firm. This creates a feedback loop: the firm's system informs the engagement, and the engagement informs the firm's system.
For smaller firms, this relationship is even more direct. ISA 220.A13 notes that in a smaller firm, the EP may also be responsible for designing many of the firm's quality management responses. The firm-level and engagement-level responsibilities may be performed by the same person. But both sets of responsibilities must still be addressed.
Documentation requirements
ISA 220 (Revised) strengthens documentation requirements significantly. ISA 220.40 requires the EP to include in the audit documentation evidence of how they fulfilled their responsibilities.
This is not about documenting every conversation, but about evidencing the basis for key judgments about quality. How the partner determined their involvement was sufficient, how they assessed team competence, how they evaluated independence, and how they satisfied themselves that the significant judgments and conclusions were appropriate.
Beyond that, ISA 220.40 names specific matters the file must capture.
| Documentation Requirement | What to Document |
|---|---|
| Ethical requirements | Issues identified regarding compliance and how they were resolved |
| Independence | Conclusions on independence, including identified threats and safeguards applied |
| Acceptance and continuance | Conclusions reached and how conditions were met |
| Consultations | The nature and scope of consultations, conclusions reached, and how those conclusions were implemented |
| Engagement quality review | That the EQR was completed on or before the date of the auditor’s report |
| Differences of opinion | How differences were resolved |
The documentation test
Regulators apply a simple standard when reviewing quality management documentation: could an experienced auditor, with no previous connection to the engagement, understand the significant judgments made about quality and the basis for the EP's conclusions? If your quality management documentation consists only of signed-off checklists with no narrative explaining the reasoning behind key decisions, you will receive an inspection finding. We've seen this on about half the cold file reviews we've observed. The stronger documentation requirements in ISA 220 (Revised) are a direct response to this persistent regulatory concern.
Practical implications for different firm sizes
Large and mid-tier firms
For larger firms, ISA 220 (Revised) reinforces and formalises practices that should already exist. The main change areas are stronger documentation of the EP's involvement, more rigorous evidence of independence conclusions (particularly for PIE engagements), and explicit consideration of whether the firm's standardised methodology is sufficient for the specific engagement.
Smaller firms
For smaller firms, the revised standard has more significant practical implications. When the EP is also the firm's quality management leader (or the only partner), several challenges arise: who provides the "second pair of eyes" when there is no engagement quality reviewer within the firm? How does the partner document their own involvement when they are directly performing much of the audit work?
ISA 220 (Revised) acknowledges these realities through its scalability provisions (ISA 220.A13), but scalability does not mean reduced rigour. Smaller firms may need to use external practitioners for EQRs, engage in formal consultation arrangements with other firms for complex matters, be particularly disciplined about documenting the reasoning behind quality judgments, and budget the cost of that external review into their engagement fees. Precisely because there are fewer people to corroborate those judgments.
ISA 220 in your jurisdiction
In the Netherlands, COS 220 (Revised) follows ISA 220 (Revised) closely. The NBA's guidance emphasises the EP's responsibility in the context of the AFM's inspection framework, which has consistently flagged professional skepticism and partner involvement as priority areas. For OOB (Public Interest Entity) engagements, the AFM directly inspects compliance with quality management requirements, including the EQR process and independence documentation. Dutch firms should pay particular attention to documenting how EPs exercised their responsibilities. The AFM's inspection approach is increasingly focused on substance over form.
In Germany, the WPK has adopted ISA 220 (Revised) within the German auditing standards framework. German practice traditionally placed significant emphasis on the Wirtschaftsprüfer's personal responsibility for audit quality, which aligns well with the revised standard's focus on the EP. However, the stronger documentation requirements represent a practical change for some German firms, particularly regarding the documentation of the partner's involvement in significant judgments. The BaFin inspection regime for PIE auditors adds an additional layer of oversight.
In the United Kingdom, ISA (UK) 220 (Revised) is substantively aligned with the international standard. The FRC's inspection findings have been a significant driver of the quality management reforms globally. Recurring themes include insufficient challenge of management and inadequate review of audit evidence supporting key judgments. The FRC's Audit Quality Review (AQR) process directly assesses compliance with ISA (UK) 220, and published inspection reports name individual firms and identify specific quality shortcomings.
In France, ISA 220 (Revised) is adopted through NEP standards under H3C supervision. The French system of joint audit (co-commissariat aux comptes), which requires two audit firms for certain entities, creates unique quality management considerations, including how EP responsibilities are allocated between the joint auditors and how the EQR process is coordinated across firms.
Frequently asked questions
What is the difference between ISA 220, ISQM 1, and ISQM 2?
ISQM 1 establishes requirements for the firm's overall system of quality management (the policies, procedures, and infrastructure that apply across all engagements). ISA 220 (Revised) deals with how the EP and engagement team manage quality on a specific audit engagement, applying and supplementing the firm's system. ISQM 2 specifically governs the EQR process (the independent evaluation of significant judgments before the auditor's report is issued). Together, these three standards form an integrated quality management framework.
Who is the "engagement partner" under ISA 220?
The EP is the partner or other person in the firm who is responsible for the audit engagement and its performance, and for the auditor's report that is issued on behalf of the firm (ISA 220.12(e)). This person has ultimate accountability for quality on the engagement. In some jurisdictions and firm structures, the EP may delegate certain tasks to other experienced team members, but responsibility for quality cannot be delegated. The EP remains accountable.
Can the engagement partner delegate their ISA 220 responsibilities?
The EP can assign tasks to other experienced team members to assist in fulfilling their responsibilities (ISA 220.15). However, the EP retains overall responsibility for managing and achieving quality. Delegation of tasks does not transfer accountability. The EP must still be satisfied (through their own involvement, direction, supervision, and review) that the significant judgments and conclusions are appropriate.
What is an engagement quality review and when is it required?
An EQR is an objective evaluation of the significant judgments made by the engagement team and the conclusions reached in formulating the auditor's report. The firm's quality management policies under ISQM 1 determine which engagements require an EQR. The EU Audit Regulation mandates EQRs for all PIE audits. Many firms also require them for listed entities, first-year engagements, high-risk clients, or engagements where significant difficulties arose. The auditor's report cannot be dated until the EQR is completed.
What changed from the old ISA 220 to the revised version?
The most significant changes include: a shift from "quality control" (compliance-based) to "quality management" (risk-based and proactive); stronger requirements for the EP's involvement throughout the audit; stronger emphasis on professional skepticism including identification of impediments; expanded resource requirements covering human, technological, and intellectual resources; stronger documentation requirements; and a clearer connection between the engagement-level standard (ISA 220) and the firm-level standards (ISQM 1 and ISQM 2).
How does ISA 220 address professional skepticism?
ISA 220.A18–A22 specifically addresses impediments to professional skepticism, including unconscious biases, time pressure, and intimidation. The EP is required to create an environment that supports skepticism by encouraging team members to raise concerns, scheduling sufficient time for complex areas, and demonstrating skeptical behaviour themselves. This goes beyond the general requirement in ISA 200. ISA 220 makes the EP responsible for creating the conditions in which skepticism can flourish.
What should happen if the EP identifies insufficient resources?
ISA 220.25 requires the EP to determine that appropriate action is taken when resources are insufficient or inappropriate. This might include requesting additional resources from the firm, adjusting the audit timeline, engaging external specialists, reassigning work to more experienced team members, or (if the resource gap cannot be resolved) communicating to the firm that the engagement cannot be performed to the required standard. The EP should not simply proceed with inadequate resources and hope for the best.
Does ISA 220 apply to review engagements or other assurance engagements?
ISA 220 (Revised) specifically applies to audits of FS. However, the quality management principles are relevant to all assurance engagements. ISRE 2400 (Reviews of Financial Statements) and ISAE 3000 (Assurance Engagements Other Than Audits or Reviews) contain their own quality management requirements that are conceptually aligned with ISA 220, and firms' quality management systems under ISQM 1 cover all types of engagements.
Further reading and source references
- IAASB Handbook 2024, ISA 220 (Revised) full text. The authoritative source including all application material (paragraphs A1–A112).
- ISQM 1, Quality Management for Firms. The firm-level standard that ISA 220 (Revised) implements at the engagement level.
- ISQM 2, Engagement Quality Reviews. The detailed requirements for the EQR process referenced in ISA 220.
- ISA 200, Overall Objectives of the Independent Auditor. Establishes the objectives that quality management is designed to achieve.
- ISA 220 (Revised) First-Time Implementation Guide (IAASB). Practical guidance for firms transitioning from the previous standard.
- EU Audit Directive (2014/56/EU) and Regulation (537/2014). European legislative framework for quality management requirements, including mandatory EQR for PIE audits and independence requirements.
- IESBA Code of Ethics. The ethical requirements referenced throughout ISA 220, including independence provisions.
This guide reflects the ISA 220 (Revised) text as published in the IAASB 2024 Handbook. National implementations may include additional requirements. Always consult the applicable national standard (for example, COS 220 in the Netherlands, ISA (UK) 220 in the UK, the WPK's adaptation in Germany, or NEP standards in France) alongside the international text. This content is for educational purposes and does not constitute legal or professional advice.
Production-ready audit templates
Related ciferi content
Related guides:
Put audit concepts into practice with these free tools: