Key takeaways

  • How to identify and assess quality risks that actually matter for your firm's size, client base, and staffing model (ISQM 1.25–26)
  • How to design quality responses that go beyond copying the standard's language into a policy manual
  • How to run monitoring activities that produce findings your leadership team will act on (ISQM 1.40–42)
  • What the engagement partner's evaluation of the SoQM looks like on a live file, not just in the firm's policy document

What ISQM 1 actually requires (and what it replaced)

ISQC 1, the predecessor, gave firms a checklist. Document your independence policies, document your monitoring procedures, sign off annually. ISQM 1 replaced that model entirely. The shift is from compliance to risk management.

Under ISQM 1.16, the firm must establish quality objectives, identify and assess quality risks to those objectives, then design and implement responses. This is the same risk-assessment logic auditors apply on engagements under ISA 315, turned inward on the firm itself. If your firm's SoQM documentation reads like a set of policies with no underlying risk analysis, the system doesn't meet the standard's requirements regardless of how polished the policy manual looks.

The standard also introduced personal accountability. ISQM 1.20–22 assign ultimate responsibility for the SoQM to the firm's leadership, with specific operational responsibility assigned to an individual (or individuals) with sufficient experience and authority. At a 15-partner firm, that can't be the most junior partner who drew the short straw. The AFM has been explicit about this in its supervisory letters: the person responsible must have actual influence over the firm's operations and resource allocation.

ISQM 1.54 added another structural change. The firm must evaluate whether the SoQM provides reasonable assurance that quality objectives are being achieved, and that evaluation must conclude within one year of the system's required implementation date. For most firms, this initial evaluation happened in late 2023. But ISQM 1.55 requires this evaluation to be ongoing. A one-time pass is not sufficient. The system requires continuous assessment, and the firm's leadership must reach a conclusion (that the SoQM is effective, or that deficiencies exist requiring remediation) at least annually.

The eight components and how they connect

ISQM 1.24 organizes the SoQM into eight components. Understanding how they interrelate matters more than memorizing the list, because a weakness in one component cascades into others.

Governance and leadership (ISQM 1.28) sets the tone. If the firm's culture treats quality management as a compliance exercise rather than an operational priority, every downstream component will reflect that. A firm that ties partner compensation solely to revenue, with no quality metric, has a governance problem ISQM 1 is designed to surface.

Relevant ethical requirements (ISQM 1.29) covers independence, integrity, and objectivity. For non-Big 4 firms, the most common risk here isn't a failure to have independence policies. It's a failure to monitor compliance in real time. A firm with 200 audit clients and no automated independence-checking process has a quality risk that a written policy alone doesn't address.

Acceptance and continuance (ISQM 1.30) requires the firm to assess whether it has the competence, capacity, and resources to take on or retain a client. This is where smaller firms face genuine tension. Turning down a large engagement because the team lacks sector expertise is the right quality response. It's also a conversation most managing partners don't want to have. ISQM 1.30(a) specifically requires consideration of whether the firm can comply with ethical requirements and whether its resources are adequate.

Engagement performance (ISQM 1.31) covers the policies and procedures that support consistent execution across audit files, including direction, supervision, and review of engagement teams. For firms with a mix of experienced partners and relatively junior staff, the quality risk is that supervision becomes perfunctory on smaller engagements. ISQM 1.31(b) specifically requires the firm to address the exercise of professional judgment and professional scepticism.

Resources (ISQM 1.32) covers human, technological, and intellectual resources. The quality risk that hits mid-tier firms hardest is the staffing one. When one senior manager handles 18 engagements, the resources component has a quality risk that no amount of methodology documentation fixes. ISQM 1.32(d) requires that intellectual resources (methodology, templates, guidance) are current and accessible.

Information and communication (ISQM 1.33) requires the firm to obtain, generate, and communicate information necessary for the SoQM to function. A firm where quality policies exist in a manual that nobody opens has an information and communication failure.

The monitoring and remediation process (ISQM 1.40–47) gives the rest of the system its teeth. The firm must design monitoring activities, perform them, evaluate the findings, and remediate identified deficiencies. ISQM 1.42 requires monitoring activities to include the inspection of completed engagements. ISQM 1.43 requires the firm to consider root causes of identified deficiencies, not just fix the individual file.

The network requirements component (ISQM 1.48–50) applies to firms within a network. If your firm adopts methodology or resources from a network, ISQM 1.49 requires you to understand and evaluate the network's quality management activities and determine their effect on your own SoQM.

How to identify quality risks that matter for your firm

ISQM 1.25 requires the firm to identify and assess quality risks. The trap is making this too generic. A quality risk register that lists "insufficient supervision of engagement teams" as a risk, with "ensure adequate supervision" as the response, satisfies no one. The risk must be specific to your firm. The response must be concrete enough that someone could verify whether it's operating.

Start with ISQM 1.25's framework: consider the conditions, events, circumstances, actions, or inactions that could adversely affect the achievement of quality objectives. For a mid-tier Dutch firm with 12 audit partners, that might include the fact that four partners handle 70% of the firm's listed entity work, creating key-person dependency. Or that the firm's audit methodology was last significantly updated in 2021, before ISA 220 (Revised) took effect. The standard doesn't require you to identify every conceivable risk. It requires you to identify the ones that matter given your firm's specific circumstances (ISQM 1.26).

For each identified quality risk, ISQM 1.26(b) requires the firm to assess the risk's likelihood and potential magnitude. This isn't a box-ticking exercise. A quality risk with a high likelihood of occurring and a direct impact on the reliability of the audit opinion requires a different level of response than a low-likelihood administrative risk. The assessment drives the response design. If the assessment is generic, the responses will be too.

Quality responses under ISQM 1.27 must be designed to address the assessed quality risks. The standard gives firms flexibility in how they respond, but the response must be proportionate to the risk. For the key-person dependency risk mentioned above, a proportionate response might include mandatory co-signing on all listed entity audit opinions, a documented succession plan, cross-training of senior managers on the key partners' client portfolios, and a minimum second-partner review for any audit opinion involving a modified conclusion.

Root cause analysis matters

When monitoring identifies a deficiency, the firm must determine whether the deficiency is isolated or indicates a systemic issue (ISQM 1.43). Finding that one file lacked a going concern assessment isn't just a file-level problem if the firm's template doesn't prompt the assessment. The root cause points to the intellectual resources component, not just the engagement performance component.

Where firms get stuck: the gap between documentation and operation

Having a documented SoQM is not the same as having an operating one. The distinction matters because ISQM 1.54 requires the firm to conclude on whether the system provides reasonable assurance, and that conclusion must be based on evidence that the system is actually running, not just that policy manuals exist.

The most common gap appears in the monitoring and remediation component. Firms document a monitoring plan, select files for inspection, perform the inspections, and file the results. But the remediation loop breaks. A monitoring inspection that finds three files with insufficient going concern documentation produces a finding. The firm records the finding. The three files get remediated. And then nothing changes in the firm's templates, training, or supervision protocols to prevent the same deficiency from recurring next year. ISQM 1.43 explicitly requires root cause analysis. "The engagement team didn't follow the procedure" is not a root cause. Why didn't they follow it? Maybe the procedure was unclear. Maybe the template was missing the prompt. Or maybe the time budget was too tight for the engagement's complexity. Those are root causes, and each one points to a different component of the SoQM.

A second common gap sits in the acceptance and continuance process. The quality response exists on paper: the firm assesses competence and capacity before accepting a new client. In practice, the engagement partner completes a checklist after the engagement letter has already been sent. The assessment becomes a retrospective justification rather than a prospective decision. If your firm's acceptance checklist is completed after the fee proposal, the sequencing undermines the quality response regardless of what the checklist says.

Worked example: Van Houten & Partners Accountants

Client scenario: Van Houten & Partners is a mid-tier Dutch audit firm with 8 partners, 14 senior managers, and approximately 45 audit staff. The firm has 120 audit clients, ranging from €3M to €80M in revenue. Two partners handle all 6 of the firm's PIE audit clients. The firm uses a nationally recognized audit methodology but customizes it locally.

Step 1: Identify quality objectives for the resources component

Van Houten's leadership identifies a quality objective under ISQM 1.32: "Audit engagement teams have the competence and time to perform audit work in accordance with professional standards and applicable legal requirements."

Documentation note: Record the quality objective in the firm's SoQM register. Link it to ISQM 1.32(a) and (b). Include the date of identification and the individual responsible for this component.

Step 2: Identify quality risks to this objective

The firm identifies two quality risks. First, the two PIE partners handle 6 listed entity audits alongside 22 other audit engagements, creating a capacity risk during peak season (January through April). Second, five of the 14 senior managers have fewer than two years of post-qualification experience, meaning their ability to exercise professional judgment on complex areas (going concern, expected credit losses, revenue recognition) without significant partner involvement is limited.

Documentation note: For each quality risk, document the specific condition or circumstance giving rise to the risk. Record the assessed likelihood (high/medium/low) and potential magnitude (effect on quality objectives). Van Houten assessed the PIE partner capacity risk as high likelihood, high magnitude. The risk relating to the less-experienced senior managers was assessed as medium likelihood, medium magnitude.

Step 3: Design quality responses

For the PIE partner capacity risk, Van Houten designs two quality responses. A mandatory time budget of 250 hours per PIE engagement for the engagement partner (enforced through the firm's scheduling system, with automatic escalation to the managing partner if a budget is exceeded by more than 15%). And a co-review requirement: every PIE audit opinion must be reviewed by a second partner who is not the engagement partner, in addition to the engagement quality review required under ISQM 2.

For the risk relating to the less-experienced senior managers, the firm designs a quality response requiring all senior managers with fewer than four years of post-qualification experience to submit their going concern and IFRS 9 ECL working papers for partner review before the engagement review stage.

Documentation note: For each quality response, document the specific action, the person or role responsible for operating it, the frequency, and the quality risk it addresses.

Step 4: Monitor whether the responses operate

At the end of the first year, Van Houten's monitoring lead (a partner not involved in PIE engagements) inspects four completed PIE audit files and six non-PIE files. The inspection reveals that the 250-hour time budget was exceeded on all six PIE engagements, with automatic escalation triggered on four of them. However, in two cases, the managing partner approved the excess without documented consideration of whether the overrun reflected a resource adequacy issue.

Documentation note: Record the monitoring activity performed, the files inspected, the findings, and the assessed severity of each finding. For the two cases where managing partner approval lacked documentation, classify this as a deficiency in the operation of the quality response and initiate a root cause analysis under ISQM 1.43.

The root cause analysis determines that the firm's escalation protocol didn't require the managing partner to document the basis for approval. The deficiency was in the response design, not in the engagement teams' behaviour. Van Houten updates the protocol to require a written assessment from the managing partner confirming whether the overrun indicates a resource adequacy issue affecting audit quality.

Practical checklist for your next SoQM evaluation

  1. Pull your quality risk register and verify that every risk is specific to your firm's current circumstances (client base, staffing levels, methodology version), not copied from a generic template. ISQM 1.25 requires firm-specific identification.
  2. For each quality response, confirm that someone can verify it's operating. If the response is "ensure adequate supervision," replace it with a measurable action (minimum hours, mandatory review points, documented consultation). ISQM 1.27 requires responses that address the assessed risks, not restatements of objectives.
  3. Verify that your monitoring activities include inspection of completed engagements by individuals not involved in those engagements (ISQM 1.44). If your firm has fewer than ten partners, document how you achieve independence in the monitoring function.
  4. Check whether your root cause analysis from the last monitoring cycle resulted in changes to quality responses or resource allocation, or whether findings were remediated only at the individual file level. ISQM 1.43 requires root cause consideration, not just file-level fixes.
  5. Confirm that the annual SoQM evaluation under ISQM 1.54 includes a documented conclusion from leadership on whether the system provides reasonable assurance. A monitoring report that lists findings without a conclusion doesn't satisfy the standard.
  6. Review your acceptance and continuance decisions from the past year. Identify any engagement where the team raised concerns about capacity or competence during fieldwork. If those concerns existed at acceptance, the process under ISQM 1.30 may not be operating as designed.

Common mistakes

  • The AFM's 2023 supervisory findings highlighted firms where the SoQM risk register was completed as a one-time exercise during initial implementation and not updated when firm circumstances changed (new clients, staff departures, methodology updates). ISQM 1.16 requires an ongoing process, not a point-in-time document.
  • The FRC's 2022–23 Audit Quality Inspection report found that some firms treated engagement quality reviews as the primary monitoring mechanism, conflating ISQM 2's EQR requirements with ISQM 1's broader monitoring obligation under ISQM 1.40. An EQR is a pre-issuance quality control on a single engagement. Monitoring under ISQM 1 is a post-completion evaluation of whether the system as a whole is functioning.
  • Firms with fewer than five partners frequently documented quality responses that were identical to the quality objectives. "The firm will ensure that engagement teams are competent" is an objective, not a response. The response must specify how the firm ensures this (training requirements, minimum staffing ratios, competence assessment procedures). ISQM 1.27(a) requires the response to address the quality risk, which means the response must be different from the objective it protects.

Frequently asked questions

What is the difference between ISQM 1 and the old ISQC 1?

ISQC 1 required firms to follow a checklist of policies and procedures. ISQM 1 replaced that with a risk-based approach: firms must establish quality objectives, identify quality risks to those objectives, design responses proportionate to each risk, and monitor whether those responses operate effectively. The shift is from compliance documentation to active quality risk management.

How often must a firm evaluate its system of quality management under ISQM 1?

ISQM 1.55 requires the evaluation to be ongoing, not a one-time exercise. The firm's leadership must reach a conclusion at least annually on whether the SoQM provides reasonable assurance that quality objectives are being achieved, and that conclusion must be based on evidence that the system is actually operating.

What are the eight components of a system of quality management under ISQM 1?

The eight components are: governance and leadership, relevant ethical requirements, acceptance and continuance, engagement performance, resources (human, technological, intellectual), information and communication, the monitoring and remediation process, and network requirements (for firms within a network). A weakness in one component cascades into others.

Can a small firm with fewer than five partners comply with ISQM 1's monitoring requirements?

Yes, but the firm must address ISQM 1.44's requirement that monitoring activities be performed by individuals not involved in what is being monitored. At a small firm, this may require engaging an external partner or practitioner for file inspections. The standard does not carve out exceptions based on firm size, but it does permit proportionate responses to the firm's specific circumstances.

Further reading and source references

  • IAASB Handbook 2024: The authoritative source for the complete ISQM 1 text.
  • ISQM 2: Engagement quality reviews. The companion standard governing EQR procedures and reviewer eligibility.
  • ISA 220 (Revised): Quality management for an audit of financial statements. The engagement-level counterpart to ISQM 1's firm-level requirements.
  • ISQM 1.40–47: The monitoring and remediation requirements, including root cause analysis obligations.