Key Points

  • Every firm performing audits or other assurance engagements must operate a quality management system under ISQM 1, with no size exemption.
  • ISQM 1 replaced ISQC 1 and became effective on 15 December 2022 for all firms.
  • The firm must evaluate at least annually whether the system provides reasonable assurance that its objectives are achieved (ISQM 1.54(a)).
  • AFM inspection reports since 2023 consistently flag incomplete risk assessments and weak monitoring as the two most common ISQM 1 deficiencies.

What is ISQM 1?

The AFM's 2023 inspection cycle found that several non-PIE firms treated their quality management system as a one-time documentation exercise: they built the risk register at the effective date, filed it, and never touched it again. That's the gap ISQM 1 was designed to close, and it's the gap inspectors look for first.

ISQM 1 replaced ISQC 1 by shifting from a policies-and-procedures approach to a risk-based quality management system. It requires every audit firm to design, implement, and operate a system with defined quality objectives, quality risks, and responses. Eight components are specified in ISQM 1.23-37: governance and leadership, relevant ethical requirements, acceptance and continuance, engagement performance, resources, information and communication, monitoring and remediation, and network requirements where applicable. For each objective, the firm identifies quality risks that could prevent it from being achieved, then designs and implements responses.

ISQM 1.53-54 assigns specific responsibilities. Someone must hold ultimate responsibility and accountability for the system. At most mid-tier firms, that's the managing partner. A separate individual must hold operational responsibility for the monitoring and remediation process, and ISQM 1 prohibits combining both roles where the firm has more than one partner.

What makes or breaks the system is the annual evaluation required by ISQM 1.54(a). The firm must conclude whether the system provides reasonable assurance that its objectives are achieved. That conclusion feeds into every engagement quality review (EQR) and every acceptance and continuance decision during the period.

Worked example: Prufstein & Partner WPG

Firm: a four-partner German audit firm based in Stuttgart, performing approximately 45 statutory audits and 20 review engagements per year.

Setting quality objectives and governance

At Prufstein, the managing partner holds ultimate responsibility for the quality management system. A second partner takes operational responsibility for monitoring and remediation, and the firm documents eight quality objectives aligned to ISQM 1.23-37.

Identifying quality risks and designing responses

Across the eight components, the firm identifies 14 quality risks. For engagement performance, one risk is that teams on manufacturing clients lack sufficient expertise to evaluate inventory valuation under HGB Section 253. Response: a mandatory pre-engagement competence checklist and access to an external technical panel for HGB-specific questions.

Running the monitoring and remediation process

For monitoring, the partner responsible selects four completed audits (approximately 9% of the portfolio) for in-process and post-issuance inspection. One inspection reveals that an engagement file lacks documentation of the auditor's evaluation of management's going concern assessment under ISA 570.16. After root cause analysis, the deficiency traces to an outdated engagement completion checklist. Fix: an updated checklist distributed to all teams within 30 days.

The annual evaluation

At 30 September 2025, the managing partner evaluates the system. One deficiency identified, root cause analysed, remediation implemented. No systemic failure. Conclusion: the system provides reasonable assurance that its objectives are being achieved. TGIF: the numbers foot, the documentation holds, and the file is ready if the WPK comes calling.

What makes this system defensible isn't the volume of documentation. It's that quality risks map to specific objectives, responses trace to identified risks, monitoring covers a real sample of engagements, and the annual evaluation is documented with an explicit conclusion.

Where firms actually fail inspections on ISQM 1

Static documentation is the recurring theme. ISQM 1.57 requires the firm to account for changes in its nature and circumstances when evaluating the system. In practice, that means updating the risk register when you lose a partner, gain a new industry client, or shift from in-person to remote auditing. Firms that don't revisit the register between annual evaluations are the ones that fail.

It's exhausting, honestly. You build the register, you respond to every risk, you document every response, and then twelve months later someone asks you to prove the system was alive the whole time, not just at the point you wrote it up.

Firms with fewer than five partners frequently assign both ultimate responsibility and monitoring responsibility to the same person. ISQM 1.20(b)(ii) requires the monitoring role to be held separately where the firm has more than one partner. In its 2024 Audit Quality Inspection report, the FRC flagged this separation-of-duties failure as a recurring finding among smaller firms, noting that combined responsibility weakens the objectivity of monitoring conclusions.

ISQM 1 vs. ISQM 2

| Dimension | ISQM 1 | ISQM 2 |
|---|---|---|
| Scope | Firm-level quality management system covering all engagements | Individual engagement quality reviews on selected engagements |
| Who is responsible | Managing partner (ultimate) and monitoring partner (operational) | The engagement quality reviewer, appointed per engagement |
| What it produces | An annual conclusion on whether the system achieves its objectives | A conclusion on whether significant judgments on a specific engagement are appropriate |
| Frequency | Continuous operation with at least annual evaluation | Performed once per engagement (at or before the report date) |
| Relationship | ISQM 1 determines which engagements require an engagement quality review | ISQM 2 operates within the framework established by ISQM 1 |

The practical difference surfaces during inspection. When an inspector reviews a single engagement file, they're checking ISQM 2 compliance: was an EQR performed, and was it adequate? When the inspector reviews the firm as a whole, that's ISQM 1: does the system identify risks, operate responses, monitor outcomes, and reach a defensible annual conclusion?

Frequently asked questions

Does ISQM 1 apply to sole practitioners?

Yes. ISQM 1 applies to every firm that performs audits or reviews of financial statements, or other assurance or related services engagements. A sole practitioner may hold both the ultimate responsibility and monitoring responsibility roles because the separation requirement in ISQM 1.20(b)(ii) applies only where the firm has more than one partner. The system must still include documented quality objectives, risk assessments, and monitoring procedures scaled to the firm's size.

How often must the firm evaluate its quality management system?

ISQM 1.54(a) requires the evaluation to occur at least annually. The firm selects the evaluation date and must apply it consistently. The evaluation considers all monitoring findings, deficiencies identified, and remedial actions taken since the previous evaluation. If a significant deficiency emerges mid-year (for example, a regulatory finding from an external inspection), the firm should evaluate whether an interim reassessment is needed rather than waiting for the annual cycle.

What happens if the firm cannot conclude that the system provides reasonable assurance?

The firm must assess the severity of the deficiencies preventing a positive conclusion and determine what corrective actions are needed. ISQM 1.54(b) requires the firm to communicate the conclusion to engagement partners and engagement quality reviewers. A qualified or adverse conclusion raises questions about whether engagement-level opinions issued during the period are supportable. In regulated environments, the firm may also need to notify its professional body or national competent authority depending on local transposition requirements.
