Key Points
- ISQM 1 prescribes eight quality objectives that every firm must address, regardless of size or number of partners.
- Each quality objective requires the firm to identify specific quality risks and design responses before the system becomes operational.
- Failing to tailor objectives to the firm's own circumstances is the single most common inspection finding on ISQM 1 implementation.
- Firms had until 15 December 2023 to evaluate whether their quality management system achieved its objectives for the first time.
What are Quality Objectives?
ISQM 1.23–27 requires the firm to establish quality objectives for each of the following components: governance and leadership, relevant ethical requirements, acceptance and continuance, engagement performance, resources (human, technological, intellectual), information and communication, and the monitoring and remediation process. The standard sets these objectives at a high level. ISQM 1.24 then requires the firm to establish additional objectives if it identifies conditions, events, or circumstances beyond those contemplated by the standard.
The logic runs in one direction. Quality objectives sit at the top. Underneath each objective, the firm identifies quality risks (the conditions that could prevent the objective from being achieved). Underneath each risk, the firm designs quality responses (the policies and procedures that address the risk). This three-layer architecture replaced the old ISQC 1 approach, which prescribed a fixed set of policies without requiring the firm to connect them to specific risks.
ISQM 1.A30–A47 provides application material with examples of quality risks for each objective, but the standard is explicit that these examples are not a checklist. A two-partner firm performing only statutory audits of owner-managed companies faces different risks than a 200-person firm with listed-entity clients. The firm must assess its own practice and document why each identified risk threatens a specific objective.
Worked example: Studio Contabile Marchetti
Client context: Rossi Alimentari is an Italian food production company, but this example focuses on the audit firm that audits Rossi. The firm is Studio Contabile Marchetti, a 14-person practice in Milan with four partners, performing statutory audits of mid-market Italian manufacturers. FY2024 is the first evaluation year.
Step 1 — Map quality objectives to the firm's circumstances
The managing partner documents the eight ISQM 1 quality objectives. For the engagement performance component, ISQM 1.25 requires the objective that engagements are performed in accordance with professional standards and applicable requirements. The partner tailors this by noting that 60% of the firm's audit clients report under IFRS while 40% report under Italian GAAP (OIC), creating a dual-framework competence requirement.
Step 2 — Identify quality risks for the engagement performance objective
The firm identifies two quality risks. First, audit teams may apply IFRS recognition criteria to OIC-reporting clients (or vice versa) when staff rotate between engagements. Second, the firm's standard audit programmes were developed for IFRS engagements and may not capture OIC-specific disclosure requirements. Both risks threaten the quality objective because they could result in engagements not being performed in accordance with the applicable framework.
Step 3 — Design quality responses
For the first risk, the firm implements a mandatory pre-engagement briefing confirming the applicable framework, with a sign-off by the engagement partner before fieldwork begins. For the second risk, the firm develops a parallel OIC audit programme and assigns a partner with OIC specialisation to review all OIC engagements. Both responses are documented in the firm's quality management manual with assigned responsibilities and implementation dates.
Step 4 — Evaluate and conclude
At the end of the first evaluation period (15 December 2024), the managing partner reviews monitoring results. Two OIC engagements were tested by the firm's monitoring and remediation process. Neither showed framework misapplication. The partner concludes that the quality objective for engagement performance is being achieved for the OIC-related risks identified.
Conclusion: the quality objective is supported by a documented chain from objective to risk to response to monitoring evidence, defensible because each layer is specific to the firm's dual-framework practice rather than copied from generic templates.
Why it matters in practice
- The AFM's 2023 inspection findings on ISQM 1 implementation noted that firms frequently adopted the quality objectives verbatim from the standard without tailoring them to the firm's own circumstances. ISQM 1.24 requires the firm to establish additional quality objectives when conditions beyond those in paragraphs 23–27 exist.
- Firms often treat quality objectives as a one-time documentation exercise completed at initial implementation. ISQM 1.54–56 requires ongoing evaluation of whether the system (and therefore the objectives) remains appropriate as the firm's circumstances change.
Quality objectives vs. quality risks
| Dimension | Quality objectives (ISQM 1.23–27) | Quality risks (ISQM 1.25–26) |
|---|---|---|
| What it is | The outcome the firm must achieve | The condition that could prevent the outcome |
| Direction | Set first; drives the rest of the system | Identified second; flows from the objective |
| Source | Prescribed by the standard, plus firm-specific additions | Identified by the firm based on its circumstances |
| Level of specificity | High-level, component-based | Granular, firm-specific |
| Documentation focus | Why the objective applies to this firm | What threatens the objective and how likely/severe the threat is |
The distinction matters because reversing the order (identifying policies first, then retrofitting objectives to justify them) produces a system that looks complete on paper but lacks the diagnostic power ISQM 1 intended. Root cause analysis becomes impossible when the firm cannot trace a deficiency back through the risk layer to a specific objective that was or was not achieved.
Related terms
Frequently asked questions
How many quality objectives does ISQM 1 require?
ISQM 1.23–27 prescribes objectives across eight components, but the standard does not cap the total number. Firms must establish additional objectives under ISQM 1.24 when they identify risks not covered by the prescribed set. A firm with unusual engagement types (agreed-upon procedures across multiple jurisdictions, for instance) will need objectives beyond the baseline eight.
What happens if a quality objective is not achieved?
ISQM 1.42 requires the firm to investigate the root cause of any identified deficiency and determine whether the deficiency is severe enough to conclude that the system does not provide reasonable assurance. If the conclusion is negative, ISQM 1.54(b) requires the firm to take prompt and appropriate action, which may include halting acceptance of new engagements until the deficiency is remediated.
Do sole practitioners need to set quality objectives?
Yes. ISQM 1 applies to all firms that perform audits or reviews of financial statements, or other assurance or related services engagements. ISQM 1.A3 acknowledges that smaller firms may address the requirements differently, but the obligation to establish quality objectives and connect them to identified risks applies regardless of firm size.