Key Takeaways
- ISA 220 (Revised) governs quality management at the individual engagement level — it makes the engagement partner personally responsible for achieving audit quality on every engagement they lead.
- The revised standard (effective 15 December 2022) shifts from "quality control" to a proactive quality management mindset — the engagement partner must actively manage quality, not merely comply with firm policies.
- The engagement partner has overall responsibility for: leadership and professional skepticism, ethical requirements, client acceptance, engagement resources, direction/supervision/review, and the engagement quality review process.
- ISA 220 operates as the engagement-level implementation of the firm's system of quality management established under ISQM 1.
- The standard strengthens requirements around professional skepticism — the engagement partner must create an environment where the team can raise concerns without fear.
- Documentation requirements are enhanced: the engagement partner must document how they exercised their responsibilities, including the basis for key judgments.
What is ISA 220 (Revised)?
ISA 220 (Revised), titled "Quality Management for an Audit of Financial Statements," deals with the engagement partner's specific responsibilities for quality management on an individual audit engagement. Where ISQM 1 establishes the firm-wide system and ISQM 2 governs engagement quality reviews, ISA 220 (Revised) connects these firm-level systems to the day-to-day reality of running an actual audit.
| Standard | Level | Focus |
|---|---|---|
| ISQM 1 | Firm-wide | Designing, implementing, and operating the quality management system |
| ISQM 2 | Engagement (review) | The engagement quality review process and the reviewer's responsibilities |
| ISA 220 (Revised) | Engagement (execution) | The engagement partner's and team's responsibilities for quality on a specific audit |
The revision was part of a comprehensive overhaul of the IAASB's quality management standards — a direct response to persistent regulatory findings about inconsistent audit quality, insufficient professional skepticism, and inadequate partner involvement.
The standard should be read in conjunction with ISA 200, ISA 210, ISQM 1, and ISQM 2.
The Objective of the Auditor Under ISA 220
ISA 220.9 states the objective:
The objective of the auditor is to manage quality at the engagement level to obtain reasonable assurance that quality has been achieved such that: (a) The auditor has fulfilled the auditor's responsibilities, and has conducted the audit, in accordance with professional standards and applicable legal and regulatory requirements; and (b) The auditor's report issued is appropriate in the circumstances.
Two things stand out. First, the word "manage" — this is not about compliance with a checklist. It requires active, ongoing management of quality throughout the engagement lifecycle. Second, the standard ties quality directly to the two outputs that matter: proper conduct of the audit and an appropriate report.
The Shift from Quality Control to Quality Management
Understanding the philosophy behind the revision is essential to applying it correctly. The previous ISA 220 used "quality control" — a reactive concept. The revised standard uses "quality management" — a proactive concept focused on identifying risks to quality and designing responses.
Under the old approach, a firm would have a quality control manual, and the engagement partner's job was to follow it. If the manual said "review all audit files within 60 days of sign-off," compliance meant meeting that deadline. Whether the review actually improved quality was secondary.
Under the new approach, the engagement partner must think about what could go wrong with quality on this specific engagement and take steps to prevent it. If the engagement involves a complex IFRS 9 expected credit loss estimate and no team member has ECL expertise, the quality risk is obvious — and the partner must respond by adding the right resource, not by checking a generic compliance box.
This shift is particularly significant for smaller firms, where the engagement partner may also be responsible for designing many of the firm's quality management responses (ISA 220.A13 explicitly acknowledges this scalability).
The Engagement Partner's Responsibilities
ISA 220 (Revised) structures the engagement partner's responsibilities across seven interconnected areas.
1. Leadership and professional skepticism
ISA 220.13–14 requires the engagement partner to take overall responsibility for managing and achieving quality, including through creating an environment that emphasises expected behaviour. This includes:
Setting the tone. The engagement partner's attitude — what they question, what they accept, how they respond to bad news — defines the quality culture of the engagement. If the partner routinely accepts management's explanations without challenge, the team will learn to do the same.
Addressing impediments to professional skepticism. ISA 220.A18–A22 identifies specific impediments: unconscious biases (anchoring on prior-year results, confirmation bias, groupthink), time pressure that discourages thorough investigation, intimidation by dominant management, and over-reliance on management representations.
Sufficient and appropriate involvement throughout the engagement. The engagement partner cannot delegate everything and appear only at sign-off. ISA 220.14 requires sufficient involvement throughout — during planning, at key decision points during fieldwork, and at the conclusion.
What "sufficient involvement" looks like in practice
Regulators consistently flag insufficient partner involvement as an audit quality deficiency. The AFM in the Netherlands, the FRC in the UK, and the WPK in Germany have all identified this in inspection findings. At minimum, the engagement partner should be actively involved in: setting the overall audit strategy (ISA 300), determining materiality (ISA 320), assessing significant risks (ISA 315), evaluating key audit judgments (particularly estimates under ISA 540), reviewing proposed audit adjustments (ISA 450), and forming the audit opinion (ISA 700). If you're the partner and you cannot explain — in your own words — why a significant judgment was made the way it was, your involvement was not sufficient.
2. Relevant ethical requirements
ISA 220.16–20 requires the engagement partner to understand relevant ethical requirements, including independence, and to determine whether team members have complied.
Independence is not a one-time check. The engagement partner must form a conclusion on compliance with independence requirements (ISA 220.17), including identifying threats (self-interest, self-review, advocacy, familiarity, intimidation) and determining whether safeguards reduce them to an acceptable level.
Breaches must be addressed. If a breach is identified, the engagement partner must determine the appropriate action (ISA 220.20) — eliminating the threat, applying safeguards, withdrawing the affected team member, or withdrawing from the engagement entirely.
3. Acceptance and continuance
ISA 220.21–22 requires the engagement partner to determine that the firm's policies for acceptance and continuance have been followed and conclusions are appropriate.
This is not merely administrative. The partner must exercise judgment about whether accepting or continuing is appropriate — considering management integrity, the firm's competence and resources, and ethical issues including independence threats.
If doubts arise during the engagement, the partner must consider the implications. Information obtained during the audit may call into question whether the engagement should continue (ISA 220.22).
4. Engagement resources
ISA 220.25–28 requires sufficient and appropriate resources assigned in a timely manner. Resources are broader than just people:
| Resource Type | Examples | Quality Consideration |
|---|---|---|
| Human resources | Team members, specialists, experts | Do they have the competence and time? |
| Technological resources | Audit software, data analytics, IT audit tools | Are they appropriate for the engagement's complexity? |
| Intellectual resources | Firm methodology, industry guidance, templates | Is the methodology current and applicable? |
When resources are insufficient, the engagement partner must take appropriate action — escalating the gap to firm leadership, adjusting the timeline, or concluding that the engagement cannot be performed to an adequate standard (ISA 220.25).
5. Direction, supervision, and review
ISA 220.29–33 addresses the core of day-to-day quality management.
Direction means ensuring the team understands their responsibilities, the entity's business, risk-related issues, and the detailed audit approach. Direction happens at the start and continues as circumstances change.
Supervision means monitoring progress, considering team members' competence, and determining whether changes to the approach are needed. This is where mid-engagement check-ins, progress reviews, and coaching moments occur.
Review means evaluating whether work was performed in accordance with professional standards, whether significant matters were raised for further consideration, whether appropriate consultation took place, and whether the work supports the conclusions reached.
Scaling direction, supervision, and review
The nature and extent should vary based on team experience and work complexity. A first-year associate testing trade receivables needs more direction than a senior manager evaluating an impairment model. The standard explicitly acknowledges this scalability (ISA 220.A84) — but scaling down requires judgment, not assumption. If a team member's performance reveals competence gaps, supervision must be increased.
6. Engagement quality review
ISA 220.34–36 addresses the engagement quality review (EQR), governed in detail by ISQM 2.
When is an EQR required? The firm's policies under ISQM 1 determine this. The EU Audit Regulation requires an EQR for all PIE audits. Many firms also require EQRs for listed entities, high-risk clients, first-year engagements, or engagements with significant difficulties.
The engagement partner must:
- Cooperate with the engagement quality reviewer (ISA 220.35).
- Discuss significant matters and significant judgments with the reviewer.
- Not date the auditor's report until the EQR is completed (ISA 220.36).
The EQR is not a re-performance of the audit. It is an objective evaluation of the engagement team's significant judgments and conclusions — a second set of experienced eyes before the report is issued.
7. Differences of opinion
ISA 220.37–38: differences of opinion must be resolved before the auditor's report is dated. The firm's policies must provide a mechanism for identifying, considering, and resolving such differences. A report issued while a significant disagreement persists may be inappropriate.
The Relationship Between ISA 220 and ISQM 1
ISQM 1 creates the infrastructure. The firm establishes quality objectives, identifies quality risks, and designs responses covering governance, ethics, client acceptance, engagement performance, resources, communication, and monitoring.
ISA 220 operationalises that infrastructure on each engagement. But ISA 220 goes further — the engagement partner must also exercise professional judgment about whether the firm's policies are sufficient for the particular engagement. If they are not, the partner must take additional action.
The engagement team provides information back to the firm. ISA 220.39 requires the engagement partner to remain alert for information relevant to the firm's monitoring and remediation process. This creates a feedback loop: the firm's system informs the engagement, and the engagement informs the firm's system.
For smaller firms, this relationship is even more direct. The engagement partner may also be responsible for designing many of the firm's quality management responses — but both sets of responsibilities must still be addressed.
Documentation Requirements
ISA 220 (Revised) strengthens documentation significantly. ISA 220.40 requires the engagement partner to include in audit documentation:
How they fulfilled their responsibilities — evidencing the basis for key judgments about quality, how they determined their involvement was sufficient, how they assessed team competence, and how they evaluated independence.
| Documentation Requirement | What to Document |
|---|---|
| Ethical requirements | Issues identified regarding compliance and how they were resolved |
| Independence | Conclusions on independence, including identified threats and safeguards applied |
| Acceptance and continuance | Conclusions reached and how conditions were met |
| Consultations | Nature and scope of consultations, conclusions reached, and how they were implemented |
| Engagement quality review | That the EQR was completed on or before the date of the auditor's report |
| Differences of opinion | How differences were resolved |
The documentation test
Regulators apply a simple standard: could an experienced auditor, with no previous connection to the engagement, understand the significant judgments made about quality and the basis for the engagement partner's conclusions? If your quality management documentation consists only of signed-off checklists with no narrative explaining the reasoning behind key decisions, you will likely receive an inspection finding.
Practical Implications for Different Firm Sizes
Large and mid-tier firms
For larger firms, the revised standard primarily reinforces existing practices. The main changes are enhanced documentation of partner involvement, more rigorous independence conclusions (particularly for PIE engagements), and explicit consideration of whether firm methodology is sufficient for the specific engagement.
Smaller firms
For smaller firms, the implications are more significant. When the engagement partner is also the firm's quality management leader, several challenges arise: who provides the "second pair of eyes"? How does the partner document their own involvement when performing much of the audit work? How are independence threats managed with a concentrated client base?
Smaller firms may need external practitioners for EQRs, formal consultation arrangements with other firms, and particular discipline about documenting the reasoning behind quality judgments — precisely because there are fewer people to corroborate those judgments.
ISA 220 in Your Jurisdiction
Netherlands. COS 220 (Revised) follows ISA 220 closely. The AFM's inspection framework has consistently flagged professional skepticism and partner involvement as priority areas. For OOB engagements, the AFM directly inspects compliance with quality management requirements. Dutch firms should focus on documenting how engagement partners exercised their responsibilities — the AFM's approach is increasingly focused on substance over form.
Germany. The WPK has adopted ISA 220 (Revised) within the German framework. German practice traditionally emphasised the Wirtschaftsprüfer's personal responsibility, which aligns well with the revised standard. However, the enhanced documentation requirements represent a practical change, particularly regarding documentation of partner involvement in significant judgments.
United Kingdom. ISA (UK) 220 (Revised) is substantively aligned. The FRC's inspection findings have been a significant driver of the reforms — recurring themes include insufficient challenge of management and inadequate partner involvement. The FRC's Audit Quality Review process directly assesses compliance and published reports name individual firms.
France. Adopted through NEP standards under H3C supervision. The French system of joint audit creates unique quality management considerations — including how engagement partner responsibilities are allocated between joint auditors and how the EQR process is coordinated across firms.
Related Ciferi Content
Continue building your understanding of the ISA framework:
Put audit concepts into practice with these free tools:
Frequently Asked Questions
What is the difference between ISA 220, ISQM 1, and ISQM 2?
ISQM 1 establishes requirements for the firm's overall system of quality management — the policies, procedures, and infrastructure that apply across all engagements. ISA 220 (Revised) deals with how the engagement partner and engagement team manage quality on a specific audit engagement. ISQM 2 specifically governs the engagement quality review process. Together, these three standards form an integrated quality management framework.
Who is the "engagement partner" under ISA 220?
The engagement partner is the partner or other person in the firm who is responsible for the audit engagement and its performance, and for the auditor's report that is issued on behalf of the firm (ISA 220.12(e)). This person has ultimate accountability for quality on the engagement.
Can the engagement partner delegate their ISA 220 responsibilities?
The engagement partner can assign tasks to other experienced team members to assist in fulfilling their responsibilities (ISA 220.15). However, the engagement partner retains overall responsibility. Delegation of tasks does not transfer accountability. The engagement partner must still be satisfied that the significant judgments and conclusions are appropriate.
What is an engagement quality review and when is it required?
An engagement quality review (EQR) is an objective evaluation of the significant judgments made by the engagement team and the conclusions reached in formulating the auditor's report. The EU Audit Regulation mandates EQRs for all PIE audits. Many firms also require them for listed entities, first-year engagements, high-risk clients, or engagements where significant difficulties arose. The auditor's report cannot be dated until the EQR is completed.
What changed from the old ISA 220 to the revised version?
The most significant changes include: a shift from "quality control" to "quality management"; enhanced requirements for the engagement partner's involvement throughout the audit; stronger emphasis on professional skepticism including identification of impediments; expanded resource requirements covering human, technological, and intellectual resources; enhanced documentation requirements; and a clearer connection between the engagement-level and firm-level standards.
How does ISA 220 address professional skepticism?
ISA 220.A18–A22 specifically addresses impediments to professional skepticism, including unconscious biases, time pressure, and intimidation. The engagement partner is required to create an environment that supports skepticism by encouraging team members to raise concerns, scheduling sufficient time for complex areas, and demonstrating skeptical behaviour themselves.
What should happen if the engagement partner identifies insufficient resources?
ISA 220.25 requires the engagement partner to determine that appropriate action is taken. This might include requesting additional resources from the firm, adjusting the audit timeline, engaging external specialists, reassigning work, or communicating to the firm that the engagement cannot be performed to the required standard.
Does ISA 220 apply to review engagements or other assurance engagements?
ISA 220 (Revised) specifically applies to audits of financial statements. However, the quality management principles are relevant to all assurance engagements. ISRE 2400 and ISAE 3000 contain their own quality management requirements that are conceptually aligned with ISA 220.
Further Reading and Source References
- IAASB Handbook 2024 — The authoritative source for the complete ISA 220 (Revised) text, including all application material (paragraphs A1–A112).
- ISQM 1 — Quality Management for Firms — the firm-level standard that ISA 220 implements at the engagement level.
- ISQM 2 — Engagement Quality Reviews — detailed requirements for the EQR process referenced in ISA 220.
- ISA 200 — Overall Objectives of the Independent Auditor — establishes the objectives that quality management is designed to achieve.
- ISA 220 (Revised) First-Time Implementation Guide (IAASB) — practical guidance for firms transitioning from the previous standard.
- EU Audit Directive (2014/56/EU) and Regulation (537/2014) — European legislative framework for quality management requirements.
- IESBA Code of Ethics — the ethical requirements referenced throughout ISA 220, including independence provisions.