Key Points

  • Every quality response must trace back to a specific quality risk; responses without a linked risk are orphaned controls with no demonstrable purpose.
  • Firms must design responses that are proportionate to the nature and significance of the quality risks they address.
  • ISQM 1.26 requires responses to be designed and implemented, not merely documented on paper.
  • Inspection findings from regulators such as the AFM and FRC most frequently target gaps between documented responses and actual firm behaviour.

What are Quality Responses?

ISQM 1.26 requires the firm to design and implement responses to address the quality risks it has identified. The logic is sequential: the firm sets quality objectives (ISQM 1.23–24), identifies risks that threaten those objectives, and then designs responses that reduce those risks to an acceptable level. A response might be a policy (the firm requires all engagement partners to complete a conflict check before acceptance), a procedure (the engagement team runs a materiality calculation tool at planning), or a combination of both.

ISQM 1.27 adds a scalability requirement. A sole practitioner with twelve statutory audits does not need the same apparatus as a 200-person firm. The responses must be proportionate to the nature and circumstances of the firm, including the types of engagements it performs and how it is organised. This is where many smaller firms either over-engineer (copying Big 4 templates wholesale) or under-engineer (treating responses as a checklist exercise with no link to specific risks).

The connection to monitoring and remediation matters here. ISQM 1.40 requires the firm to monitor whether its responses are operating as designed. A response that exists on paper but is not followed in practice fails ISQM 1.26 just as completely as having no response at all.

Worked example: Byrne & Associates

Client context: Irish SaaS firm with EUR 8M revenue, but here the "client" is the audit firm itself. The worked example applies to a fictional mid-sized Irish audit practice, Byrne & Associates, with 14 professionals performing 45 statutory audits annually under ISAs (Ireland and the UK).

Step 1 — Link response to quality risk

Byrne & Associates identified a quality risk that engagement teams may accept new clients without adequate consideration of competence and ethical requirements. The risk threatens the quality objective at ISQM 1.30(a) relating to acceptance and continuance decisions.

Step 2 — Design the response

The firm implements a two-stage acceptance and continuance procedure. First, the prospective engagement partner completes a structured assessment form covering competence, independence, client integrity, and anti-money-laundering requirements. Second, the managing partner reviews and approves or rejects the assessment before the engagement letter is issued. For high-risk clients (defined as public interest entities, entities in regulated industries, and entities with prior-year qualified opinions), the firm requires an additional review by a second partner.

Step 3 — Implement and communicate

Byrne & Associates updates its quality management manual, distributes the revised acceptance form to all partners, and runs a 90-minute training session. The firm sets a go-live date of 1 January 2026 and logs the date of implementation.

Step 4 — Monitor operating effectiveness

Six months after go-live, the firm's monitoring function reviews a sample of eight new client acceptances. Two files are missing the managing partner's sign-off. The firm logs the deficiency and requires retrospective approval within ten days.

Conclusion: the acceptance procedure is a defensible quality response because it traces directly to an identified risk, is proportionate to a 14-person firm, and has been tested for operating effectiveness within the first monitoring cycle.

Why it matters in practice

  • The AFM's 2023 thematic inspection of ISQM 1 implementation at non-PIE audit firms found that many firms had documented quality responses but could not demonstrate that those responses were operating in practice. The gap between design and operation is the single most common deficiency.
  • Firms frequently design responses at a generic level without linking them to specific quality risks. A firm-wide "training policy" is not a quality response unless the firm can articulate which quality risk the training addresses and how the training reduces that risk.

Quality responses vs. quality risks

| Dimension | Quality responses | Quality risks |
| --- | --- | --- |
| Definition | Policies and procedures the firm designs to address quality risks (ISQM 1.26) | Conditions that have a reasonable possibility of individually or in combination adversely affecting a quality objective (ISQM 1.25) |
| Sequence | Come after risk identification; cannot be designed without a risk to address | Come after quality objectives are set; identified before responses are designed |
| Scalability test | Must be proportionate to the firm's size and engagement portfolio (ISQM 1.27) | Must reflect the firm's actual conditions, not a generic risk list |
| Monitoring focus | Whether the response is operating as designed (ISQM 1.40) | Whether risks have changed or new risks have emerged (ISQM 1.39) |
| Inspection finding pattern | Responses exist on paper but are not followed | Risks are listed generically without firm-specific analysis |

The distinction matters because inspectors assess the chain from objective to risk to response. A firm that documents 40 responses but only 15 quality risks has a broken chain, and the excess responses are untraceable controls that add cost without satisfying ISQM 1.

Frequently asked questions

How many quality responses does a small firm need?

There is no fixed number. ISQM 1.27 requires responses to be proportionate to the firm's nature and circumstances. A sole practitioner performing only compilation engagements will have fewer responses than a 50-person statutory audit practice. The test is whether every identified quality risk has at least one designed response that reduces it to an acceptable level, not whether the firm has reached a minimum count.

What happens if a quality response is not working?

ISQM 1.42 requires the firm to evaluate deficiencies identified through monitoring. If a response is not operating as designed, the firm must determine the root cause and take remedial action. If the deficiency is severe enough to indicate the system of quality management is not providing reasonable assurance, ISQM 1.54 requires the firm to communicate that conclusion to engagement partners affected by the deficiency and to take appropriate action on the affected engagements.

Do quality responses apply to non-audit engagements?

Yes. ISQM 1.3 applies to firms performing audits or reviews of financial statements, other assurance engagements, and related services engagements. The quality responses must cover all engagement types the firm performs, though the nature of responses for a compilation engagement will differ from those for a statutory audit.