Key Points

  • A quality risk is not a deficiency; it is a condition or circumstance that could prevent a quality objective from being met.
  • Firms must assess quality risks by considering both the likelihood of the risk occurring and the severity of its effect on quality objectives.
  • The FRC's 2025 annual review found a persistent gap between larger and smaller firms in implementing quality management systems, with monitoring processes flagged most often.
  • Each identified quality risk must have at least one documented response that is proportionate to the assessed risk.

What are Quality Risks?

ISQM 1.25 requires the firm to identify and assess quality risks that provide a reasonable basis for the design and implementation of responses. The identification starts with the firm's quality objectives. For each objective, the firm considers conditions that could prevent the objective from being achieved. ISQM 1.25(a) directs the firm to take into account the nature and circumstances of the firm, the types of engagements it performs, and its organisational structure.

The assessment step is where smaller firms often stumble. ISQM 1.26 requires the firm to assess each quality risk by considering how, and the degree to which, the conditions, events, or circumstances could adversely affect the achievement of the quality objective. A ten-partner, four-office firm faces different quality risks from a sole practitioner. The standard does not prescribe a scoring matrix or a red-amber-green grid; it requires the firm to exercise judgment and to document that judgment. ISA 220.22 then connects the firm-level quality risk assessment to the engagement level, because the engagement partner must determine whether the firm's quality responses are appropriate for the specific engagement.

Worked example: Rossi Alimentari S.p.A.

Client context: Rossi Alimentari S.p.A. is an Italian food production company, FY2025, revenue EUR 67M, IFRS reporter. The audit firm performing the engagement is a mid-sized Italian practice with 14 partners across two offices (Milan and Bologna). The firm is conducting its annual evaluation of its system of quality management under ISQM 1.48.

Step 1 — Identify quality objectives relevant to the engagement

The firm selects the quality objective under ISQM 1.24(b) relating to ethical requirements: "personnel comply with relevant ethical requirements, including those related to independence." Rossi Alimentari is a significant client representing 8% of the Milan office's fee income.

Step 2 — Identify quality risks

The firm identifies two quality risks attached to this objective. First, a self-interest threat arising from the fee concentration (the Milan office may be reluctant to challenge management on contentious positions because losing the client would materially affect office revenue). Second, a familiarity threat because the engagement partner has served the client for four consecutive years.

Step 3 — Assess each quality risk

The firm assesses the self-interest threat as high severity and moderate likelihood (Rossi is a profitable client, but the firm has not historically lost clients over audit disagreements). The familiarity threat is assessed as moderate severity and increasing likelihood (year four of five before mandatory rotation under local rules).

Step 4 — Design responses

For the self-interest threat, the firm assigns the engagement quality review to a Bologna-based partner with no prior involvement. For the familiarity threat, the firm implements a pre-issuance consultation requirement on all significant judgments for the final year of the engagement partner's tenure.

Conclusion: the firm's quality risk assessment for the Rossi engagement is defensible because each risk ties to a documented condition, carries a reasoned severity and likelihood assessment, and triggers a specific response proportionate to the assessed level.

Why it matters in practice

  • The FRC's 2025 annual review of audit quality found that firms outside the largest tier struggled most with monitoring and remediation processes within their systems of quality management. A recurring observation was that firms identified quality risks at a generic level rather than tailoring the risk identification to their own circumstances.
  • Teams frequently treat the quality risk assessment as a one-time exercise completed at ISQM 1 adoption in December 2022, then left unchanged. ISQM 1.54 requires the firm to monitor its system on an ongoing basis and ISQM 1.56 requires remediation when deficiencies are identified.

Quality risks vs. quality objectives

| Dimension | Quality risks | Quality objectives |
| --- | --- | --- |
| Definition | Conditions or circumstances that could prevent an objective from being achieved (ISQM 1.16(r)) | The desired outcomes the firm's system of quality management is designed to achieve (ISQM 1.16(q)) |
| Direction | Look at what could go wrong | State what should go right |
| Prescribed by standard | Not prescribed; firm must identify its own based on its circumstances | Eight components with prescribed objectives in ISQM 1.24, plus firm-specified additional objectives |
| Assessment required | Yes; severity and likelihood must be assessed per ISQM 1.25 | No assessment of objectives; they are the fixed reference points against which risks are measured |
| Triggers a response | Each quality risk must have at least one designed response under ISQM 1.26 | Objectives do not directly trigger responses; they trigger risk identification |

The distinction matters because firms that skip the risk identification step and jump straight from objectives to responses produce a checklist-based system rather than a risk-based one. ISQM 1 was designed to replace the prescriptive approach of the former ISQC 1 with a system that adapts to each firm's circumstances. Conflating objectives with risks undermines that design.

Frequently asked questions

How do I document quality risks for a small audit firm?

Scale the documentation to the firm's size, but do not skip it. ISQM 1.A4 acknowledges that less complex firms may document their system of quality management in a less formalised way. Record each quality objective, the risks you identified against it, your assessment of severity and likelihood, and the response you designed. A single spreadsheet with those four columns satisfies the requirement if it reflects genuine judgment rather than copied templates.

Do quality risks change from year to year?

Yes. ISQM 1.54 requires the firm to design and perform monitoring activities on an ongoing basis. New clients, staff turnover, changes in the firm's service lines, and external events (such as a new regulatory requirement) all alter the firm's risk profile. The annual evaluation under ISQM 1.48 must consider whether previously identified quality risks remain current and whether new risks have emerged.

What happens if a quality risk has no documented response?

An unaddressed quality risk is a deficiency in the system of quality management under ISQM 1.39. The firm must evaluate the severity and pervasiveness of the deficiency per ISQM 1.42 and take remedial action. If the unaddressed risk relates to a quality objective concerning ethical requirements or engagement performance, the deficiency may affect the firm's overall evaluation of whether the system provides reasonable assurance under ISQM 1.53.