Key Points
- ISQC 1 prescribed six elements of quality control; ISQM 1 restructures these into eight components with two new additions.
- Firms had until 15 December 2022 to design and implement a system of quality management under ISQM 1, with an evaluation required within one year.
- Use ISQM 1 on every engagement accepted after that date; ISQC 1 no longer applies.
- The FRC's 2025 Annual Review found a persistent quality gap between larger PIE auditors and smaller firms in establishing systems of quality management.
Side-by-side comparison
| Dimension | ISQC 1 | ISQM 1 |
|---|---|---|
| Underlying approach | Policies-and-procedures based; the firm adopts prescribed requirements | Risk-based; the firm sets quality objectives, identifies risks, designs responses, and evaluates effectiveness |
| Number of components | Six elements (leadership, ethics, acceptance/continuance, human resources, engagement performance, monitoring) | Eight components (adds the firm's risk assessment process and information and communication) |
| Resource scope | Addressed human resources only | Covers human, technological, intellectual, and financial resources |
| Monitoring mechanism | Cyclical inspection of completed engagements | Ongoing monitoring plus root cause analysis of identified deficiencies, with remediation tracking |
| Evaluation obligation | No explicit self-assessment requirement | ISQM 1.53-54 require the firm to evaluate whether the system provides reasonable assurance, at least annually |
| Scalability to firm size | One-size-fits-all requirements | Explicitly scalable; the firm's risk assessment drives the nature and extent of responses based on its own size, complexity, and engagement portfolio |
Decision rule: ISQC 1 no longer applies. Every firm performing audits or other assurance engagements under IAASB standards designs and operates its quality management system under ISQM 1 from 15 December 2022 onward.
When the distinction matters on an engagement
The distinction is not academic. Under ISQC 1, a firm could document its quality control policies once and revisit them periodically. ISQM 1.16 requires something different: the firm must establish quality objectives across all eight components, then identify and assess the quality risks that could prevent those objectives from being achieved. The responses the firm designs must be tailored to those risks, not copied from a template.
Where this bites in practice is during the annual evaluation required by ISQM 1.53. The firm must conclude whether its system of quality management provides reasonable assurance that its objectives are being achieved. If the conclusion is negative, the firm documents the deficiencies and their severity. ISA 220 (Revised) paragraph 3 connects the engagement level to the firm level: the engagement partner operates within the firm's system and relies on its functioning. When the system evaluation reveals deficiencies in acceptance and continuance or engagement quality review processes, the consequences flow directly to engagement-level audit quality.
Worked example: Groupe Lefevre S.A.
Client: Belgian holding company, FY2024, revenue EUR 185M, IFRS reporter. The audit firm transitioned from ISQC 1 to ISQM 1 in December 2022. Groupe Lefevre is a recurring audit client with four operating subsidiaries across Belgium and Luxembourg.
Under ISQC 1 (pre-transition)
The firm maintained a quality control manual covering leadership, ethics, acceptance and continuance, human resources, engagement performance, and monitoring. The manual applied identically to every engagement regardless of client complexity. No client-specific quality risk assessment existed.
Under ISQM 1 (post-transition)
The firm established quality objectives for each of the eight ISQM 1 components. For the Groupe Lefevre engagement, the relevant objectives included ensuring sufficient competence in IFRS consolidation (the holding structure involves four subsidiaries with intercompany eliminations totalling EUR 23M) and maintaining independence across all group entities.
Quality risks identified
The firm identified two quality risks specific to the Groupe Lefevre engagement type: first, that the group audit structure increases the risk of insufficient review of component work when all components are audited internally; second, that long tenure (nine years) creates familiarity threats not addressed by the previous ISQC 1 rotation policies alone.
Responses designed
For the consolidation risk, the firm assigned a second review partner with IFRS 10 experience to examine the elimination entries. For the familiarity risk, the firm implemented a mandatory pre-issuance engagement quality review triggered by the tenure threshold in its ISQM 1 policies, despite Groupe Lefevre not being a public interest entity.
Conclusion: Under ISQC 1, the firm would have applied the same manual to Groupe Lefevre as to a EUR 6M single-entity audit. Under ISQM 1, the firm identified risks specific to this engagement type and designed proportionate responses.
Why it matters in practice
The FRC's 2025 Annual Review of Audit Quality found that smaller PIE audit firms had not consistently identified quality risks at a sufficiently granular level under ISQM 1. Risks were described in generic terms that mirrored ISQC 1 policy language rather than reflecting the firm's specific circumstances. Where risks are not granular, the responses cannot be targeted, and the system defaults to the checkbox approach ISQM 1 was designed to replace.
Firms treat the annual evaluation required by ISQM 1.53-54 as a formality. The evaluation must conclude whether the system provides reasonable assurance that quality objectives are being achieved. Copying the prior year's evaluation without reassessing whether responses operated as intended fails the standard's intent. The evaluation closes the feedback loop between monitoring and remediation and the firm's quality objectives.
Related terms
Frequently asked questions
What is the difference between ISQM 1 and ISQC 1?
ISQC 1 required firms to establish policies and procedures for quality control across six elements. ISQM 1 replaces it with a risk-based system across eight components, requiring firms to set quality objectives and identify quality risks, then design tailored responses that address them. ISQM 1.16-19 set out the system's objectives and the firm's obligations. The shift is from prescribed compliance to active risk management.
When did ISQM 1 replace ISQC 1?
ISQM 1 became effective on 15 December 2022. Firms were required to have designed and implemented their systems of quality management by that date. ISQM 1.54 then requires the firm to evaluate whether the system is functioning within one year of that date, meaning the first evaluation was due by 15 December 2023.
Do sole practitioners need to comply with ISQM 1?
Yes. ISQM 1.A4 confirms the standard applies to all firms, including sole practitioners, that perform audits and reviews, as well as other assurance and related services engagements. The standard is scalable: a sole practitioner's system will be less complex than that of a large firm, but the risk-based approach (setting objectives, identifying risks, designing responses, and evaluating effectiveness) still applies. The firm's size determines the extent of responses, not whether the standard applies.