Key takeaways

  • How to determine which engagements require an EQR at your firm, including the mandatory categories and the firm-level criteria you need to set under ISQM 2.15
  • How to assess whether a proposed reviewer meets the eligibility and independence requirements of ISQM 2.18–21
  • What the reviewer actually needs to do on the file (the specific procedures ISQM 2.24–27 requires, not just "review the significant judgments")
  • How to document an EQR so it survives regulatory inspection without turning into a parallel audit file

When is an engagement quality review required?

ISQM 2.13 sets out two categories. Audits of financial statements of listed entities always require an EQR. That's a hard requirement from the standard, not a firm-level policy decision. The firm can't opt out.

Beyond listed entities, ISQM 2.14 requires the firm to determine additional types of engagements for which an EQR is required. ISQM 1.34(f) reinforces this by requiring the firm's quality management system to include policies addressing when an EQR is an appropriate response to quality risks.

This is where mid-tier firms need to make deliberate decisions rather than defaulting to "PIE audits only." The standard provides guidance in ISQM 2.A16–A18 on factors to consider when setting these criteria. The nature and complexity of the engagement matters. The client's risk profile matters. A first-year engagement with a client that was declined by another firm warrants more scrutiny than a long-standing client with clean inspection history.

Most Dutch firms subject to AFM supervision have set their EQR criteria to include PIE audits plus any engagement where a going concern conclusion other than unmodified is being considered, any engagement involving a first-year client above a revenue threshold, any engagement where the engagement partner has requested a consultation on a complex accounting or auditing matter, and any audit where significant related party transactions exceed materiality. If your firm's criteria consist solely of "PIE audits," you're likely underweight on ISQM 2.14's requirements.

ISQM 2.15 also requires the firm to consider whether an EQR should be a quality response for specific engagements that don't meet the firm's general criteria but present unusual circumstances. The decision must be documented and justified, not left implicit.

Who can perform the review: eligibility, independence, and cooling-off

The eligibility requirements under ISQM 2.18–21 are more specific than many firms realize. The engagement quality reviewer must be a partner or another individual within the firm, or an external individual, who has the competence and capabilities to perform the review (ISQM 2.18). At a small firm, this can create a genuine resource constraint. If only two partners have PIE audit experience and one of them is the engagement partner, the pool of eligible reviewers is exactly one person.

ISQM 2.19 adds the independence dimension. The reviewer cannot have been a member of the engagement team for the engagement under review. The standard goes further: ISQM 2.19(b) requires the reviewer to not have made decisions on significant matters that would compromise their objectivity. A partner who advised the engagement team on the treatment of a complex IFRS 15 contract during the audit cannot then serve as the engagement quality reviewer for that file.

The cooling-off period is the rule firms most frequently misapply. ISQM 2.20 states that a former engagement partner must observe a cooling-off period before serving as the engagement quality reviewer for that engagement. The IESBA Code of Ethics sets this at two years for PIE audits. If Partner A signed the audit opinion for a client in 2023, Partner A cannot serve as the EQR reviewer for that client's 2024 or 2025 audits.

For firms with limited partner resources, ISQM 2.21 permits the use of an external individual as the reviewer. This could be a partner from a different firm within the same network, or an independent practitioner. The firm retains responsibility for determining that the external reviewer meets the competence and independence requirements.

What the reviewer must do on the file

ISQM 2.24 defines the scope. The reviewer must discuss significant matters and significant judgments with the engagement partner. "Discuss" means an actual conversation about the basis for judgments, not a read-through of the engagement partner's conclusions. The reviewer is not re-performing the audit. But the reviewer is evaluating whether the significant judgments are reasonable and supported by the evidence in the file.

ISQM 2.25 specifies the procedures. The reviewer must review selected engagement documentation relating to significant judgments made by the engagement team. "Selected" is important. The reviewer focuses on the areas where judgment was exercised and where the risk of material misstatement is highest. For a manufacturing company, that might mean the going concern assessment, the inventory valuation, the revenue recognition policy, and the materiality calculation. For a financial services entity, it's the expected credit loss model, the fair value hierarchy classifications, and the regulatory capital adequacy assessment.

The reviewer must also evaluate the engagement team's basis for the audit opinion (ISQM 2.25(e)). This isn't a re-audit. It's a question: based on the documentation in this file, does the evidence support the conclusion in the audit report?

ISQM 2.26 requires the reviewer to evaluate whether appropriate consultations have been undertaken and whether the conclusions from those consultations have been implemented. A consultation that produces a recommendation the engagement team didn't follow is a significant matter the reviewer must discuss with the engagement partner.

ISQM 2.27 adds documentation requirements. The reviewer must document the procedures performed, the basis for the determination that the reviewer's eligibility requirements were met, and the date and basis for the reviewer's conclusion that no unresolved matters remain. The documentation must be completed before the engagement report is dated. Not "shortly after." Before.

The reviewer's veto authority

Under ISQM 2.28, if the engagement quality reviewer identifies concerns that are not resolved to the reviewer's satisfaction, the engagement report cannot be issued. The reviewer has an effective veto. This isn't a recommendation or an advisory opinion. An unresolved concern raised by the EQR reviewer means the engagement partner cannot override it. The firm must have a process under ISQM 1 for resolving disagreements (ISQM 2.29), but until the matter is resolved, the report stays unsigned.

The difference between an EQR and a second partner review

A second partner review (sometimes called a consultation or a pre-issuance review) is an internal quality control measure the firm may choose to apply. It has no specific standard governing its scope, timing, or documentation. Many firms use it as a lighter-touch quality control on non-PIE engagements that don't trigger a formal EQR requirement.

An engagement quality review under ISQM 2 has specific procedural requirements (ISQM 2.24–27), specific eligibility and independence requirements (ISQM 2.18–21), and a specific conclusion that must be reached and documented before the report is issued. Veto authority rests with the reviewer. Documentation must be assembled in the engagement file.

Where firms run into trouble is treating the EQR as if it were just a more formal version of the second partner review. The reviewer shows up the day before the opinion date, reads the key working papers, has a brief conversation with the engagement partner, and signs off. ISQM 2.24 requires the reviewer to discuss significant matters, and ISQM 2.25 requires review of selected documentation relating to significant judgments. A reviewer who spends two hours on a PIE audit file with a material going concern uncertainty, a complex revenue recognition judgment, and an IFRS 9 ECL calculation has not performed the procedures the standard requires.

The practical test: can the reviewer demonstrate, from their documentation, which specific working papers they reviewed, what their assessment of each significant judgment was, and why they were satisfied that the engagement team's conclusions were supported? If the documentation doesn't answer those questions, the EQR doesn't meet ISQM 2.27 regardless of how experienced the reviewer is.

Worked example: Dijkstra & Vermeer Accountants N.V.

Client scenario: Dijkstra & Vermeer is a mid-tier Dutch firm with 6 audit partners. The firm is performing the statutory audit of Groot Techniek B.V., a manufacturing company with €67M in revenue. Groot Techniek is a PIE-class entity, triggering a mandatory EQR. The engagement partner is Ms. Van der Berg. Mr. Janssen, a partner with 14 years of PIE audit experience who has had no involvement with Groot Techniek in the past four years, is assigned as the engagement quality reviewer.

Step 1: Verify reviewer eligibility

Mr. Janssen checks the firm's independence records. He confirms he was not a member of the Groot Techniek engagement team at any point during the current or prior year, has not provided any advisory or consultation services to Groot Techniek, and has not served as engagement partner for this client within the past two years (satisfying the IESBA cooling-off requirement under ISQM 2.20).

Documentation note: Record the eligibility assessment in the EQR documentation file. Include the reviewer's name, the basis for competence, and the specific independence confirmations obtained. Reference the firm's independence register and the cooling-off period calculation. Link to ISQM 2.18–20.

Step 2: Identify significant judgments to review

Ms. Van der Berg provides Mr. Janssen with a summary of the significant judgments made during the audit. These include the going concern assessment (Groot Techniek's current ratio is 0.94 and the client is renegotiating a €12M revolving credit facility that matures in eight months), the inventory valuation (€18.4M of finished goods with an estimated NRV write-down of €1.1M), and the revenue recognition treatment for a €4.2M long-term contract where percentage-of-completion estimates changed significantly during the year.

Documentation note: Record the significant judgments identified. For each, note the source of identification. Document any additional areas the reviewer identified as significant beyond those flagged by the engagement team.

Step 3: Perform EQR procedures

Mr. Janssen reviews the going concern working paper. The assessment identifies the credit facility renegotiation as a material uncertainty event. Management has provided a letter of intent from the bank indicating willingness to extend, but no signed term sheet exists at the date of the auditor's report. The engagement team concluded that a material uncertainty exists, disclosed under IAS 1.25, with a "Material Uncertainty Related to Going Concern" paragraph in the audit report under ISA 570.22.

Mr. Janssen discusses this with Ms. Van der Berg. His concern: the working paper relies heavily on the letter of intent without assessing the conditions the bank attached to the extension. Ms. Van der Berg confirms the team obtained the bank's conditions and assessed them against management's latest forecast but documented this in a separate memo that wasn't cross-referenced in the main going concern working paper.

Documentation note: Record the discussion, the concern raised, and the resolution. Note the specific working papers reviewed. Document the cross-referencing gap as a file completion point, not an EQR finding, since the work was done but the documentation linkage was incomplete.

Step 4: Conclude and document

Mr. Janssen completes his review of the inventory valuation and revenue recognition working papers. He identifies no unresolved matters. His overall conclusion: the significant judgments are supported by the engagement documentation and the proposed audit opinion (unmodified with a material uncertainty going concern paragraph) is appropriate given the evidence in the file. He documents this conclusion and dates it two days before the audit report date.

Documentation note: Record the overall EQR conclusion, the date of the conclusion, and confirmation that all procedures were completed before the engagement report date. This documentation must be assembled and finalised before the audit report is signed per ISQM 2.27.

Practical checklist for your next EQR

  1. Before starting the review, document your eligibility assessment (ISQM 2.18–20). Confirm no involvement with the engagement team, no advisory services to the client, and cooling-off period compliance. Record this in the EQR file.
  2. Obtain the engagement team's list of significant judgments, but don't rely on it as the complete population. Cross-check against the risk assessment summary, any consultations performed, and the areas flagged in the prior year's review or inspection. ISQM 2.25 gives the reviewer scope to expand.
  3. For each significant judgment, review the engagement documentation that supports the conclusion. Focus on whether the documentation records the basis for the judgment and whether contrary evidence was considered.
  4. Discuss the significant judgments with the engagement partner before finalizing your conclusion. ISQM 2.24 requires this discussion. A review performed entirely from the file, without engagement partner dialogue, doesn't meet the standard.
  5. If you identify unresolved matters, document them and communicate to the engagement partner that the report cannot be issued until they're resolved (ISQM 2.28). Don't soften this into a suggestion.
  6. Date your EQR conclusion before the engagement report date. Not on the same day "in practice but documented later." Before. ISQM 2.27 is explicit on timing.

Common mistakes

  • The AFM's review of EQR practices found cases where the reviewer's documentation consisted entirely of a signed checklist with "yes/no" responses and no record of the discussions held with the engagement partner or the specific documentation reviewed. ISQM 2.27 requires the procedures performed to be documented, not just the conclusion.
  • The FRC's 2022–23 inspection cycle identified instances where the engagement quality reviewer was involved in resolving a significant accounting matter during the audit and then served as the EQR reviewer for the same engagement. ISQM 2.19(b) prohibits this because the reviewer has effectively made a decision that they're now asked to evaluate objectively.
  • At smaller firms, reviewers sometimes complete the EQR after the audit report is dated, relying on the argument that the review was "substantially complete" before the report date. ISQM 2.27 requires documentation of the conclusion before the report is issued. A reviewer who signs off post-issuance hasn't performed a compliant EQR, regardless of when the underlying review work happened.

Get practical audit insights, weekly.

No exam theory. Just what makes audits run faster.

No spam — we're auditors, not marketers.

Related Ciferi content

Related guides:

ISQM 1: Quality Management at Non-Big 4 Firms
The firm-level quality management system within which EQRs operate
ISAE 3000: Assurance Engagements Guide
Non-audit assurance engagements subject to EQR requirements

Put audit concepts into practice with these free tools:

Materiality Calculator
ISA 320
Analytical Review Tool
ISA 520
Sampling Calculator
ISA 530
Going Concern Checklist
ISA 570

Frequently asked questions

Which engagements require an engagement quality review under ISQM 2?

Audits of financial statements of listed entities always require an EQR (ISQM 2.13). Beyond that, ISQM 2.14 requires the firm to determine additional engagement types warranting an EQR based on quality risk factors such as engagement complexity, client risk profile, first-year engagements above a revenue threshold, going concern issues, and significant related party transactions exceeding materiality.

What is the cooling-off period for engagement quality reviewers?

Under ISQM 2.20, a former engagement partner must observe a cooling-off period before serving as the EQR reviewer. The IESBA Code of Ethics sets this at two years for PIE audits. If a partner signed the audit opinion in 2023, that partner cannot serve as the EQR reviewer for the 2024 or 2025 audits of the same client.

What is the difference between an EQR and a second partner review?

An EQR under ISQM 2 has specific procedural requirements (ISQM 2.24–27), eligibility and independence requirements (ISQM 2.18–21), and veto authority. A second partner review is an informal internal quality control measure with no specific standard governing its scope, timing, or documentation. The EQR cannot be scaled down to a quick read-through regardless of how straightforward the engagement appears.

Can the engagement quality reviewer block the issuance of the audit report?

Yes. Under ISQM 2.28, if the engagement quality reviewer identifies concerns that are not resolved to the reviewer's satisfaction, the engagement report cannot be issued. The reviewer has an effective veto. The firm must have a process for resolving disagreements, but until the matter is resolved, the report stays unsigned.

Further reading and source references

  • IAASB Handbook 2024: The authoritative source for the complete ISQM 2 text.
  • ISQM 1: The firm-level quality management standard within which engagement quality reviews operate.
  • ISA 220 (Revised): Quality management for an audit of financial statements, including the engagement partner's responsibilities for engagement quality.
  • IESBA Code of Ethics: Independence and cooling-off requirements applicable to engagement quality reviewers.

This guide reflects the ISQM 2 text as published in the IAASB 2024 Handbook. National implementations may include additional requirements. Always consult the applicable national standard alongside the international text. This content is for educational purposes and doesn't constitute legal or professional advice.

Last reviewed: March 2026 · Standards version: IAASB 2024 Handbook