With the introduction of ISQM 1, audit firms face a paradigm shift: from quality control to quality management. This transformation demands not only compliance with new standards but also a fundamental cultural change in how firms integrate quality into their operations.
Instead of applying a fixed checklist of procedures, ISQM 1 introduces a risk-based framework, where each firm defines its own quality objectives, identifies related risks, and implements controls tailored to its size, services, and operational context. The goal is to embed quality into the DNA of the firm—within its people, processes, and governance structures.
Understanding the ISQM Framework
The International Standards on Quality Management (ISQM), issued by the IAASB, comprise a suite of standards aimed at strengthening audit quality across firms:
- ISQM 1 focuses on establishing and maintaining a system of quality management at the firm level.
- ISQM 2 covers engagement quality reviews, applicable to selected assurance engagements.
- ISA 220 (Revised) addresses quality management within individual audit engagements.
This article focuses specifically on ISQM 1, as it forms the foundation for firm-wide quality and risk management practices, influencing how an audit firm operates, governs, and improves itself continuously.
From ISQC to ISQM: Moving Beyond Compliance
Previously, under ISQC 1, audit firms operated with a standard set of controls. These prescriptive measures did not account for the unique risks and structures of individual firms. ISQM 1 redefines this approach by requiring firms to establish their own quality objectives and assess risks relevant to achieving them. Rather than mandating uniform controls, the standard calls for firms to respond to identified risks with fit-for-purpose controls and processes.
This shift also introduces a clear distinction between design and implementation and operational effectiveness of controls—both must be addressed and monitored continuously.
Structuring ISQM Through the Risk and Control Cycle
A well-structured ISQM system follows a continuous risk and control cycle:
- Set Quality Objectives – These should reflect the firm’s strategy, services, and professional responsibilities.
- Identify and Assess Risks – Analyze what could prevent the firm from achieving these objectives.
- Design and Implement Controls – Put in place measures that mitigate risks to an acceptable level.
- Monitor and Test – Evaluate both the design and ongoing effectiveness of controls. Use root cause analysis where failures occur.
- Take Remedial Actions – Document and implement improvements based on findings.
This cycle supports ongoing improvement and demonstrates a commitment to quality beyond regulatory requirements.
Governance Through the Three Lines of Defense
ISQM 1 implementation requires a strong governance model. A commonly adopted framework is the Three Lines of Defense, adapted for audit firms:
- First Line: Operational leadership—such as heads of assurance, tax, or advisory—own the quality controls within their service lines.
- Second Line: Risk management and compliance functions monitor the implementation and documentation of these controls.
- Third Line: An internal quality monitoring team performs independent testing of controls, ensuring their proper design, implementation, and effectiveness.
This model not only enhances accountability but ensures independence in monitoring and testing. However, it must be adapted to the size and complexity of each firm. In smaller firms, the first line may perform some testing; in larger firms, this responsibility typically shifts to the second or third line.
Practical Challenges and the Role of Culture
Embedding ISQM 1 into the first line of defense is often the most difficult task. Operational leaders may perceive it as a compliance burden rather than an opportunity to improve service quality. However, many ISQM requirements are already present in daily practice—training, client acceptance procedures, and job appraisals, for example. The challenge lies in structuring, documenting, and consistently applying them.
To support this shift, firms need:
- A manual that outlines firm-specific policies and procedures
- A catalogue of quality objectives, associated risks, and corresponding controls
- Structured dialogue between risk owners and operational leaders
This is not merely a documentation exercise—it is about integrating quality management into the firm’s mindset and business rhythms.
Choosing the Right Risk Assessment Approach
Risk assessment is central to ISQM 1 and can be approached in different ways. The most effective implementations often combine several of the following methodologies:
- Objective-based: Tied directly to quality or business objectives.
- Scenario-based: Focuses on "what if" questions to anticipate emerging risks.
- Process-based: Examines risks within core operational processes; highly effective for ISQM.
- Control-based: Starts from known controls and derives associated risks.
- Brainstorming or open format: Encourages broader thinking, though harder to standardize.
Process-based assessment is particularly relevant, as it aligns closely with how work is performed and enables better ownership of risk by operational teams.
The Case for Real-Time Risk Management
Traditional risk assessments often occur quarterly and rely heavily on manual inputs and retrospective data. In today’s fast-paced environment, this lag can leave firms exposed. Leading firms are now exploring data-driven, continuous risk management, which enables:
- Alerts for control failures or exceptions
- Rapid escalation and remediation of issues
By integrating systems that monitor risks dynamically—based on staff capacity, sector volatility, or external events—firms can shift from reactive to proactive quality management.
Looking Ahead
ISQM 1 represents more than a regulatory requirement—it’s a strategic framework for building a culture of quality. Firms that invest in embedding ISQM 1 into their governance and operations not only comply with international standards, but also improve resilience, transparency, and trust with stakeholders.
As regulatory scrutiny increases and expectations for audit quality rise, firms that align early and deeply with ISQM 1 will be better positioned to lead.
Want to gain practical insights into firm-wide quality management and risk governance under ISQM 1? Access the on-demand webinar now!
Download your guide for ISQM implementation within Audit firms
Accessible popup
Welcome to Finsweet's accessible modal component for Webflow Libraries. This modal uses custom code to open and close. It is accessible through custom attributes and custom JavaScript added in the embed block of the component. If you're interested in how this is built, check out the Attributes documentation page for this modal component.
How Audit Firms Embed ISQM into Daily Practice
In our second ISQM webinar, experts from RSM, Grant Thornton, and CERRIX shared practical insights on how audit firms can embed ISQM into the heart of their operations.
What is a risk register and how do you create one?
Wondering what a risk register is? Learn how to create this essential tool to identify, assess, and manage organizational risks effectively and boost compliance.
How often do ISO certifications need to be renewed?
Wondering about ISO certification renewal? Understand the three-year cycle, annual surveillance audits, and preparation strategies to maintain compliance seamlessly.
What documents are required for ISO 27001 implementation?
Discover the mandatory and recommended documents required for successful ISO 27001 implementation. Learn how to organize, create and maintain effective ISMS documentation that satisfies auditors and enhances security.
Do I need a consultant for ISO certification?
Wondering if you need a consultant for ISO certification? Discover key factors to make the right decision for your organization based on expertise, resources, and certification complexity.
What industries benefit most from ISO certification?
Discover which industries gain the most value from ISO certification. Financial services, technology, healthcare, and manufacturing organizations see superior ROI while enhancing compliance and competitive advantage.
Can a company lose its ISO certification?
Can a company lose its ISO certification? Discover the 8 common reasons, consequences, and prevention strategies to protect your business reputation and investment.
How long does it take to get ISO 9001 certified?
Discover how long ISO 9001 certification takes, from 4-12 months depending on your organization's size and complexity. Learn the key phases, challenges, and ways to accelerate your quality management journey.
What is ISO 27001 and why is it important for businesses?
Discover how ISO 27001 certification protects your business data, builds customer trust, and ensures regulatory compliance in today's high-risk digital landscape. A complete implementation guide.
From Spreadsheets to GRC Software: Why Pension Funds Need a Modern Approach to Risk Management
What to know about GRC software for nis2
Explore how GRC software helps businesses comply with the NIS2 Directive, enhancing cybersecurity and risk management.
How automation streamlines compliance processes
Discover how compliance process automation reduces costs by 40-60% while minimizing errors and risks. Transform manual workflows into strategic advantages for your organization.
Does automation reduce compliance risks?
Explore how automation impacts compliance risks, its benefits, limitations, and integration strategies.
Key sectors affected by NIS2 compliance
Explore the impact of NIS2 compliance on key sectors like energy and healthcare, enhancing cybersecurity and data protection.
Are automated compliance tools reliable?
Exploring the reliability of automated compliance tools and their role in cybersecurity.
%20(1)%20(2).jpg)
DORA compliance checklist for beginners
An essential guide for beginners to understand and implement DORA compliance effectively.
Key benefits of adhering to DORA compliance
Explore the key benefits of DORA compliance, enhancing security, efficiency, and regulatory adherence.
NIS2 compliance: top strategies for success
Explore effective strategies for NIS2 compliance to enhance cybersecurity and regulatory adherence.
EU AI Act vs. GDPR: what's the difference?
Explore the key differences and overlaps between the EU AI Act and GDPR, focusing on regulation, impact, and compliance.
Can GRC tools predict compliance risks?
Exploring if GRC tools can predict compliance risks and their role in risk management.
Can a GRC tool adapt to regulatory changes?
Explore if GRC tools can adapt to regulatory changes, covering compliance management and risk assessment.
How does AI governance impact compliance?
Explore the impact of AI governance on compliance, focusing on regulation, ethics, and risk management.
.jpg)
How to prepare for the EU AI Act implementation?
Learn how to prepare for the EU AI Act implementation with practical steps for compliance.
Is your business ready for the EU AI Act?
Explore readiness for the EU AI Act with insights on compliance, challenges, and strategic planning for businesses.
.png)
How does DORA compliance impact financial sectors?
Discover how DORA compliance strengthens financial sectors, enhancing risk management, digital resilience, and regulatory standards.
.jpg)
What is DORA compliance and why does it matter?
Explore DORA compliance, its significance in financial services, and strategies for effective implementation.
DORA compliance vs other regulatory standards
Explore the differences between DORA compliance and other regulatory standards, focusing on financial regulations and cybersecurity.
Can automation improve DORA compliance efforts?
Explore how automation can enhance DORA compliance efforts by streamlining processes and ensuring ongoing monitoring.
How to integrate GRC with existing systems?
Integrating GRC with existing systems enhances compliance, risk management, and efficiency.
Can settlement discipline improve market stability?
Exploring how settlement discipline can enhance market stability, focusing on its benefits and challenges.
Why real-time analytics in GRC are vital
Real-time analytics in GRC is crucial for proactive risk management and continuous compliance monitoring.
What features should a GRC tool have?
Explore essential GRC tool features like integration, risk management, compliance, governance, and customization.
How to prepare your business for CSDR compliance?
Guide to preparing your business for CSDR compliance, covering key strategies, challenges, and technology solutions.
Embedding ISQM 1 into the DNA of Your Audit Firm: A Risk-Based Approach to Quality Management
Discover how to implement ISQM 1 with a risk-based approach. Learn how audit firms can embed quality management into daily operations and governance.
%20(1).avif)
CERRIX User Conference 2025
On March 12, 2025, industry leaders, assurance experts, and CERRIX customers came together for the CERRIX User Conference 2025—a day of knowledge-sharing, insightful discussions, and collaboration on the future of risk management, compliance, and AI-driven GRC solutions.
From Spreadsheets to GRC Software: Why Pension Funds Need a Modern Approach to Risk Management
CERRIX and BR1GHT Strengthen Long-term Partnership to Enhance Governance, Risk, Compliance and Audit Solutions
Implementing DORA: From Compliance to Long-Term Resilience
