Key Takeaways
- Monitoring must include inspection of completed engagements, not just policy-level reviews of the firm's quality system.
- Remedial actions must respond to root causes, not just surface symptoms, and the firm must evaluate whether those actions actually worked.
- ISQM 1 requires an annual evaluation that concludes on whether the system of quality management provides reasonable assurance that its objectives are being achieved.
- The FRC's 2024/25 inspection cycle found that firms outside the largest tier still struggle with monitoring and remediation processes despite the standard being effective since December 2022.
What is Monitoring and Remediation?
ISQM 1.36 requires the firm to design and perform monitoring activities that provide a basis for identifying deficiencies in the system of quality management. These activities sit on a spectrum. At one end: reviewing whether firm policies and procedures are properly designed. At the other: selecting completed engagements and inspecting the working papers to test whether responses to quality risks actually operated as intended. ISQM 1.38 makes engagement inspection mandatory, not optional.
The individuals performing monitoring activities must be competent, have sufficient time, and be objective. ISQM 1.39 prohibits engagement team members or the engagement quality reviewer from inspecting their own engagement. When monitoring reveals findings, ISQM 1.40 requires the firm to evaluate whether those findings constitute deficiencies. If they do, ISQM 1.41 requires investigation of root causes before designing remedial actions. ISQM 1.42 then requires the firm to design and implement remedial actions that respond to those root causes. The cycle closes at ISQM 1.43–44: the firm evaluates whether the remedial actions worked, and if they did not, modifies them until they do.
The annual evaluation under ISQM 1.53–54 draws on all of this. The firm concludes on whether its system of quality management provides reasonable assurance that its quality objectives are being achieved. That conclusion rests on the monitoring evidence, not on a general assertion that the system is operating.
Worked example: Rossi Alimentari S.p.A.
Client context: An Italian mid-tier audit firm, Studio Contabile Ferrara, performs the statutory audit of Rossi Alimentari S.p.A. (Italian food production company, FY2025, revenue €67M, IFRS reporter). Studio Contabile Ferrara has 14 partners and 85 professional staff. The firm's monitoring and remediation process is illustrated through its annual cycle.
Step 1 — Design monitoring activities
The firm's quality management leader selects four completed audit engagements for cold file review, including one public interest entity engagement and one first-year engagement. Selection criteria also target two engagement partners who were not inspected in the prior year. The firm additionally schedules a policy-level review of its independence procedures and its acceptance and continuance process.
Step 2 — Perform engagement inspections
The cold file review of the Rossi Alimentari engagement identifies two findings. First, the engagement team did not document its evaluation of a key supplier rebate estimate under ISA 540.18. Second, the team accepted management's going concern assessment without documenting its own evaluation of the cash flow forecast assumptions.
Step 3 — Investigate root causes
The firm's quality management leader determines that the ISA 540 documentation gap recurred on two of the four inspected engagements. Root cause analysis identifies that the firm's audit methodology template does not prompt teams to document the evaluation of estimation methods separately from the testing of inputs. The going concern finding is isolated to one engagement.
Step 4 — Design and implement remedial actions
For the ISA 540 deficiency, the firm revises its methodology template to include a discrete section requiring documentation of the evaluation of the entity's estimation method before testing begins. The firm schedules a 90-minute training session for all managers and partners. For the going concern finding, the engagement partner receives targeted coaching. The firm sets a follow-up inspection of two engagements in six months to verify whether the revised template is being used.
Conclusion: Studio Contabile Ferrara's annual evaluation concludes that the system of quality management provides reasonable assurance that quality objectives are being achieved, with one identified deficiency (ISA 540 documentation) for which remedial action has been designed and implemented but not yet evaluated for effectiveness. The conclusion is defensible because it rests on documented monitoring activities, root cause analysis, and specific remedial actions with a defined follow-up timeline.
Why it matters in practice
- The FRC's 2024/25 inspection cycle (the first conducted solely under ISQM (UK) 1) found that firms outside the largest tier need to improve how they monitor the operation of responses and elements of their annual evaluation. Firms treated the initial ISQM 1 implementation as a one-off project rather than an iterative process, and their monitoring activities have not kept pace with changes to the system. ISQM 1.37 requires the firm to consider changes in the system of quality management when determining the nature, timing, and extent of monitoring activities.
- Firms frequently repeat the same remedial action (typically firm-wide training) year after year when a deficiency recurs, without evaluating whether the prior training was effective. ISQM 1.44 requires modification of remedial actions that are not working. Delivering identical training in consecutive years without evidence of behavioural change does not satisfy this requirement.
Monitoring and remediation vs. engagement quality review
| Dimension | Monitoring and remediation (ISQM 1) | Engagement quality review (ISQM 2 / ISA 220) |
|---|---|---|
| Timing | After the engagement is completed (cold file review) and on an ongoing basis throughout the period | Before the engagement report is issued |
| Scope | The entire system of quality management, including firm-level policies and individual engagement files | A single engagement, focused on significant judgments and the proposed opinion |
| Performed by | Individuals assigned by the firm with objectivity from the engagement under review | The engagement quality reviewer, appointed for that specific engagement |
| Output | Findings, deficiency evaluations, root cause analysis, remedial actions, and the annual evaluation conclusion | The engagement quality reviewer's conclusion on whether to provide concurrence with the report |
| Standard | ISQM 1.36–47 | ISQM 2; ISA 220.35–37 |
The two processes serve different purposes at different points in time. An engagement quality review catches problems before the report goes out. Monitoring catches systemic patterns after reports have been issued and feeds those patterns back into the firm's quality system. A firm that relies on engagement quality reviews alone has no mechanism for detecting recurring deficiencies across its portfolio.
Related terms
Frequently asked questions
How often do I need to inspect completed engagements under ISQM 1?
ISQM 1.38 requires the firm to include inspection of completed engagements in its monitoring activities but does not prescribe a fixed frequency or number. The firm determines the cycle based on the nature, timing, and extent of monitoring needed to identify deficiencies. Most regulatory bodies expect every engagement partner to be subject to inspection within a defined cycle (the FRC expects coverage within a three-year rotation for registered firms).
What happens if monitoring reveals no deficiencies at all?
A monitoring cycle that produces zero findings warrants scepticism, not celebration. ISQM 1.40 requires the firm to evaluate findings to determine whether deficiencies exist. If the monitoring activities are insufficiently rigorous or narrowly scoped, the absence of findings reflects the quality of the monitoring, not the quality of the system. Regulators have flagged this pattern as an indicator that monitoring activities need to be redesigned.
Does monitoring and remediation apply to non-audit engagements?
Yes. ISQM 1.3 applies to firms that perform audits or reviews of financial statements, or other assurance or related services engagements. The monitoring and remediation process covers the entire system of quality management, which encompasses all engagement types the firm performs. The scope and intensity of monitoring may differ, but the requirement itself is not limited to audit.