Quality Management

ISQM1 and ISQM2 impact on quality control implementation

The introductions of new quality management standards ISQM 1 and ISQM 2, together with the revisions to ISA 220, were driven largely by concerns over recurring review findings and the lack of consistency in audit quality across assignments within the same firm. Andrew Collier, director – quality and professional standards at Kreston International, comments


uality management emphasises the importance of ongoing, proactive focus on audit quality, rather than the performance of point-in-time control activities.

A quality management system responds to changes in circumstances and events that generate risks to quality on a timely basis.

The new standards place quality at the heart of audit and assurance services. They significantly increase the responsibility of firm leadership, while ensuring that all involved in the provision of services understand their role in safeguarding quality.
ISQM 1 is designed to be scalable to the size and circumstances of the firm.

This means that firms of all sizes will need to engage with the standard to understand the risks to quality they face and design appropriate responses. This will be a challenge due to the wide range of risks that can arise, but also gives opportunity to consider the approach the firm takes to the provision of audit and assurance services.

A firm’s quality management system will also need to reflect requirements of its network. 

Andrew Collier, director – quality and professional standards, Kreston International

 Preparing for implementation

The quality management system needs to be operational by 15 December 2022. Therefore, it is important to start preparation early.

Implementing the quality management standards will require an individual with the appropriate experience and seniority within the firm to lead the project. It will require time, and consideration should be given to the individual’s other responsibilities, including client workload.

It will also be important to understand the level of central support and direction that will be provided by the network.

Roles under ISQM 1

ISQM 1 identifies roles that must be undertaken including:

  • The person with ultimate responsibility and accountability for the quality management system (the managing partner, chief executive or management board);
  • Operational responsibility for the system of quality management;
  • Responsibility for compliance with independence requirements, and
  • Responsibility for the monitoring and remediation process.

One individual can hold multiple roles, but except in the smallest firm, a team approach will be beneficial. This will bring different perspectives to the risk assessment process and enable greater objectivity in the monitoring and remediation process. Firms may use network resources or service providers for elements of their quality management system.

Direct reporting lines are required 

Individuals are accountable for their performance and appraisal processes and documentation will need to be reviewed to ensure it reflects quality responsibilities.

Risk assessment

The onus is on the firm to carry out a risk assessment process and then to design and implement appropriate responses. The firm will focus on risks that would prevent it delivering the quality objectives. Two overarching objectives are set out in the standard:

ISQM 1 – Quality objectives:

  1. The firm and its personnel fulfill their responsibilities in accordance with professional standards and applicable legal and regulatory requirements, and conduct engagements in accordance with such standards and requirements; and
  2. Engagement reports issued by the firm or engagement partners are appropriate in the circumstances.

The firm may also establish additional quality objectives.

Although this may feel like a new process, we are familiar with considering risks in the context of the audit of financial statements and then understanding the design of controls, whether they are likely to be effective and whether they have been implemented effectively.

ISQM 1 paragraph 34 specifies responses to risks that are common to all firms. Where the firm is part of a network there are likely to be network level risks and responses.

There will then be a third level of firm-specific risks and responses.

Risk hierarchy:

  • Firm-assessed risks
  • Network requirements
  • ISQM 1

Identifying risks

ISQM 1 identifies eight components of the quality management system:

  • Governance and leadership
  • Firm’s risk assessment process
  • Monitoring and remediation process
  • Resources
  • Information and communication
  • Ethical requirements
  • Acceptance and continuance
  • Engagement performance

Considering these areas will identify risks that may arise in the firm’s circumstances. Assessment is needed of whether there is a reasonable possibility of the risk occurring, and either individually or in combination with other risks, adversely affecting the achievement of the quality objectives. Professional judgement will be required.

Risks will need to be kept under review and changes in circumstances of the firm or the environment in which it operates, may lead to new risks being identified.

Monitoring and remediation

The cyclical review of completed assignments, required under ISQC 1, continues under the quality management standard.  However, there is added emphasis on the annual assessment of the system of quality management and implementing a wider range of activities to safeguard quality. 

In addition, remediation has a higher profile with the need to carry out root cause analysis in respect of deficiencies. Not all issues identified from monitoring will meet the definition of a deficiency and this will require professional judgement. Root cause analysis requires in depth investigation as to why a deficiency arose; this enables appropriate action to be taken, the impact of which is monitored to ensure the deficiency is corrected.

The network will have an impact on monitoring and remediation through their requirements and the resources available. The network will also share information about matters identified from monitoring that may be relevant to member firms.

The first monitoring review needs to be completed by 15 December 2023.