With the introduction of ISQM 1, audit firms face a paradigm shift: from quality control to quality management. This transformation demands not only compliance with new standards but also a fundamental cultural change in how firms integrate quality into their operations.
Instead of applying a fixed checklist of procedures, ISQM 1 introduces a risk-based framework, where each firm defines its own quality objectives, identifies related risks, and implements controls tailored to its size, services, and operational context. The goal is to embed quality into the DNA of the firm—within its people, processes, and governance structures.
Understanding the ISQM Framework
The International Standards on Quality Management (ISQM), issued by the IAASB, comprise a suite of standards aimed at strengthening audit quality across firms:
- ISQM 1 focuses on establishing and maintaining a system of quality management at the firm level.
- ISQM 2 covers engagement quality reviews, applicable to selected assurance engagements.
- ISA 220 (Revised) addresses quality management within individual audit engagements.
This article focuses specifically on ISQM 1, as it forms the foundation for firm-wide quality and risk management practices, influencing how an audit firm operates, governs, and improves itself continuously.
From ISQC to ISQM: Moving Beyond Compliance
Previously, under ISQC 1, audit firms operated with a standard set of controls. These prescriptive measures did not account for the unique risks and structures of individual firms. ISQM 1 redefines this approach by requiring firms to establish their own quality objectives and assess risks relevant to achieving them. Rather than mandating uniform controls, the standard calls for firms to respond to identified risks with fit-for-purpose controls and processes.
This shift also introduces a clear distinction between the design and implementation of controls and their operational effectiveness; both must be addressed and monitored continuously.
Structuring ISQM Through the Risk and Control Cycle
A well-structured ISQM system follows a continuous risk and control cycle:

- Set Quality Objectives – These should reflect the firm’s strategy, services, and professional responsibilities.
- Identify and Assess Risks – Analyze what could prevent the firm from achieving these objectives.
- Design and Implement Controls – Put in place measures that mitigate risks to an acceptable level.
- Monitor and Test – Evaluate both the design and ongoing effectiveness of controls. Use root cause analysis where failures occur.
- Take Remedial Actions – Document and implement improvements based on findings.
This cycle supports ongoing improvement and demonstrates a commitment to quality beyond regulatory requirements.
Governance Through the Three Lines of Defense
ISQM 1 implementation requires a strong governance model. A commonly adopted framework is the Three Lines of Defense, adapted for audit firms:
- First Line: Operational leadership—such as heads of assurance, tax, or advisory—own the quality controls within their service lines.
- Second Line: Risk management and compliance functions monitor the implementation and documentation of these controls.
- Third Line: An internal quality monitoring team performs independent testing of controls, ensuring their proper design, implementation, and effectiveness.

This model not only enhances accountability but also ensures independence in monitoring and testing. However, it must be adapted to the size and complexity of each firm. In smaller firms, the first line may perform some testing; in larger firms, this responsibility typically shifts to the second or third line.
Practical Challenges and the Role of Culture
Embedding ISQM 1 into the first line of defense is often the most difficult task. Operational leaders may perceive it as a compliance burden rather than an opportunity to improve service quality. However, many ISQM requirements are already present in daily practice—training, client acceptance procedures, and job appraisals, for example. The challenge lies in structuring, documenting, and consistently applying them.
To support this shift, firms need:
- A manual that outlines firm-specific policies and procedures
- A catalogue of quality objectives, associated risks, and corresponding controls
- Structured dialogue between risk owners and operational leaders
This is not merely a documentation exercise—it is about integrating quality management into the firm’s mindset and business rhythms.
Choosing the Right Risk Assessment Approach
Risk assessment is central to ISQM 1 and can be approached in different ways. The most effective implementations often combine several of the following methodologies:
- Objective-based: Tied directly to quality or business objectives.
- Scenario-based: Focuses on "what if" questions to anticipate emerging risks.
- Process-based: Examines risks within core operational processes; highly effective for ISQM.
- Control-based: Starts from known controls and derives associated risks.
- Brainstorming or open format: Encourages broader thinking, though harder to standardize.
Process-based assessment is particularly relevant, as it aligns closely with how work is performed and enables better ownership of risk by operational teams.
The Case for Real-Time Risk Management
Traditional risk assessments often occur quarterly and rely heavily on manual inputs and retrospective data. In today’s fast-paced environment, this lag can leave firms exposed. Leading firms are now exploring data-driven, continuous risk management, which enables:
- Real-time monitoring of Key Risk Indicators (KRIs)
- Alerts for control failures or exceptions
- Rapid escalation and remediation of issues
By integrating systems that monitor risks dynamically—based on staff capacity, sector volatility, or external events—firms can shift from reactive to proactive quality management.
Looking Ahead
ISQM 1 represents more than a regulatory requirement—it’s a strategic framework for building a culture of quality. Firms that invest in embedding ISQM 1 into their governance and operations not only comply with international standards, but also improve resilience, transparency, and trust with stakeholders.
As regulatory scrutiny increases and expectations for audit quality rise, firms that align early and deeply with ISQM 1 will be better positioned to lead.