Embedding ISQM 1 into the DNA of Your Audit Firm: A Risk-Based Approach to Quality Management

Phuong Pham
11 Jan 2022

With the introduction of ISQM 1, audit firms face a paradigm shift: from quality control to quality management. This transformation demands not only compliance with new standards but also a fundamental cultural change in how firms integrate quality into their operations.

Instead of applying a fixed checklist of procedures, ISQM 1 introduces a risk-based framework, where each firm defines its own quality objectives, identifies related risks, and implements controls tailored to its size, services, and operational context. The goal is to embed quality into the DNA of the firm—within its people, processes, and governance structures.

Understanding the ISQM Framework

The International Standards on Quality Management (ISQM), issued by the IAASB, comprise a suite of standards aimed at strengthening audit quality across firms:

  • ISQM 1 focuses on establishing and maintaining a system of quality management at the firm level.
  • ISQM 2 covers engagement quality reviews, applicable to selected assurance engagements.
  • ISA 220 (Revised) addresses quality management within individual audit engagements.

This article focuses specifically on ISQM 1, as it forms the foundation for firm-wide quality and risk management practices, influencing how an audit firm operates, governs, and improves itself continuously.

From ISQC to ISQM: Moving Beyond Compliance

Previously, under ISQC 1, audit firms operated with a standard set of controls. These prescriptive measures did not account for the unique risks and structures of individual firms. ISQM 1 redefines this approach by requiring firms to establish their own quality objectives and assess risks relevant to achieving them. Rather than mandating uniform controls, the standard calls for firms to respond to identified risks with fit-for-purpose controls and processes.

This shift also introduces a clear distinction between the design and implementation of controls on the one hand and their operating effectiveness on the other: both must be addressed and monitored continuously.

Structuring ISQM Through the Risk and Control Cycle

A well-structured ISQM system follows a continuous risk and control cycle:

  1. Set Quality Objectives – These should reflect the firm’s strategy, services, and professional responsibilities.
  2. Identify and Assess Risks – Analyze what could prevent the firm from achieving these objectives.
  3. Design and Implement Controls – Put in place measures that mitigate risks to an acceptable level.
  4. Monitor and Test – Evaluate both the design and ongoing effectiveness of controls. Use root cause analysis where failures occur.
  5. Take Remedial Actions – Document and implement improvements based on findings.

This cycle supports ongoing improvement and demonstrates a commitment to quality beyond regulatory requirements.

Governance Through the Three Lines of Defense

ISQM 1 implementation requires a strong governance model. A commonly adopted framework is the Three Lines of Defense, adapted for audit firms:

  • First Line: Operational leadership, such as the heads of assurance, tax, or advisory, owns the quality controls within its service lines.
  • Second Line: Risk management and compliance functions monitor the implementation and documentation of these controls.
  • Third Line: An internal quality monitoring team performs independent testing of controls, ensuring their proper design, implementation, and effectiveness.

This model not only enhances accountability but ensures independence in monitoring and testing. However, it must be adapted to the size and complexity of each firm. In smaller firms, the first line may perform some testing; in larger firms, this responsibility typically shifts to the second or third line.

Practical Challenges and the Role of Culture

Embedding ISQM 1 into the first line of defense is often the most difficult task. Operational leaders may perceive it as a compliance burden rather than an opportunity to improve service quality. However, many ISQM requirements are already present in daily practice—training, client acceptance procedures, and job appraisals, for example. The challenge lies in structuring, documenting, and consistently applying them.

To support this shift, firms need:

  • A manual that outlines firm-specific policies and procedures
  • A catalogue of quality objectives, associated risks, and corresponding controls
  • Structured dialogue between risk owners and operational leaders

This is not merely a documentation exercise—it is about integrating quality management into the firm’s mindset and business rhythms.

Choosing the Right Risk Assessment Approach

Risk assessment is central to ISQM 1 and can be approached in different ways. The most effective implementations often combine several of the following methodologies:

  • Objective-based: Tied directly to quality or business objectives.
  • Scenario-based: Focuses on "what if" questions to anticipate emerging risks.
  • Process-based: Examines risks within core operational processes; highly effective for ISQM.
  • Control-based: Starts from known controls and derives associated risks.
  • Brainstorming or open format: Encourages broader thinking, though harder to standardize.

Process-based assessment is particularly relevant, as it aligns closely with how work is performed and enables better ownership of risk by operational teams.

The Case for Real-Time Risk Management

Traditional risk assessments often occur quarterly and rely heavily on manual inputs and retrospective data. In today’s fast-paced environment, this lag can leave firms exposed. Leading firms are now exploring data-driven, continuous risk management, which enables:

  • Real-time monitoring of Key Risk Indicators (KRIs)
  • Alerts for control failures or exceptions
  • Rapid escalation and remediation of issues

By integrating systems that monitor risks dynamically—based on staff capacity, sector volatility, or external events—firms can shift from reactive to proactive quality management.

Looking Ahead

ISQM 1 represents more than a regulatory requirement—it’s a strategic framework for building a culture of quality. Firms that invest in embedding ISQM 1 into their governance and operations not only comply with international standards, but also improve resilience, transparency, and trust with stakeholders.

As regulatory scrutiny increases and expectations for audit quality rise, firms that align early and deeply with ISQM 1 will be better positioned to lead.
