Audit firms face increasing pressure to turn regulatory requirements like ISQM 1 into real, operational quality. But how do you move from policies and testing into daily behavior and accountability? In our second ISQM webinar, experts from RSM, Grant Thornton, and CERRIX shared practical insights on how audit firms can embed ISQM into the heart of their operations.
ISQM in Practice: Moving Beyond Documentation
“Before you can talk about control assurance, you first need a control framework,” said Harry Weijers, Quality Officer at RSM Netherlands. And that’s where most firms struggle—not in defining ISQM requirements, but in operationalizing them.
At RSM, the journey started by reverse-engineering existing quality handbooks and mapping them to ISQM risks and controls. That internal foundation was then enriched by external sources, including:
- The control framework
- Tools from the IAASB and IFAC
- Practice aids from Essera
- AI-based control suggestions
This multi-source approach helped build a comprehensive, living control framework that evolves with every audit cycle.
From Framework to Execution: The Control Assurance Model
Paul Bruggeman, founder of CERRIX, explained that real assurance requires more than control design. It requires execution:
“Many firms focus on effectiveness testing after the fact. But if you embed execution upfront, you get timely insights—and fewer surprises.”
CERRIX enables firms to schedule and document controls as tasks, linked directly to responsible owners. This proactive execution model creates a live view of whether controls are being performed and allows firms to monitor and improve quality in real time.
First-Line Ownership: A Cultural Shift
Jan Ludolf Heeres, Partner at Grant Thornton Advisory, emphasized a key principle: quality must live in the first line.
“We used to assign all controls to the Head of Audit. Now, we push responsibility to where execution actually happens—HR, IT, functional teams.”
This shift means that staff across the firm, not just risk teams, interact with the ISQM framework. And that requires support tools, accountability structures, and most of all—clarity.
Grant Thornton uses Cerex to set up monthly execution tasks for HR (e.g., onboarding documentation), with automated reminders and evidence tracking. Over 60% of their 214 ISQM-related controls are now integrated into these workflows.
Transparency Drives Awareness
Transparency is crucial for cultural adoption. At RSM, the incidents register is shared across offices. “People are much more aware when they see real examples from peers,” Weijers noted. “It’s not about blaming—it’s about learning.”
Measuring and Reporting on Quality
The challenge is not just to perform controls, but to track improvement over time. Both firms generate semi-annual partner-level reports summarizing:
- Residual risks
- Status of significant measures of improvement (MOIs)
- Progress on control execution
This real-time data from CERRIX is visualized in Power BI dashboards, providing leadership with actionable insights and audit trail.
“Quality isn’t a side project. It’s how we work. And tools like CERRIX help make that part of our rhythm,” Heeres said.
Final Thoughts
ISQM requires more than documentation. It’s about embedding quality into roles, workflows, and decision-making. That means defining your control framework, assigning ownership, enabling execution, and continuously learning.
Join our next webinar to see how audit firms are applying real-time monitoring and reporting across the ISQM lifecycle.
Frequently Asked Questions
Q: What is ISQM in auditing?
A: ISQM is a global standard that requires audit firms to implement a system of quality management tailored to their services and risks.
Q: How can firms make ISQM part of daily operations?
A: By integrating controls into business processes, assigning responsibility to operational leaders, and using platforms like CERRIX to plan, document, and monitor control execution.
Download your guide for ISQM implementation within Audit firms
Accessible popup
Welcome to Finsweet's accessible modal component for Webflow Libraries. This modal uses custom code to open and close. It is accessible through custom attributes and custom JavaScript added in the embed block of the component. If you're interested in how this is built, check out the Attributes documentation page for this modal component.
How Audit Firms Embed ISQM into Daily Practice
In our second ISQM webinar, experts from RSM, Grant Thornton, and CERRIX shared practical insights on how audit firms can embed ISQM into the heart of their operations.
What is a risk register and how do you create one?
Wondering what a risk register is? Learn how to create this essential tool to identify, assess, and manage organizational risks effectively and boost compliance.
Can a company lose its ISO certification?
Can a company lose its ISO certification? Discover the 8 common reasons, consequences, and prevention strategies to protect your business reputation and investment.
How long does it take to get ISO 9001 certified?
Discover how long ISO 9001 certification takes, from 4-12 months depending on your organization's size and complexity. Learn the key phases, challenges, and ways to accelerate your quality management journey.
What is ISO 27001 and why is it important for businesses?
Discover how ISO 27001 certification protects your business data, builds customer trust, and ensures regulatory compliance in today's high-risk digital landscape. A complete implementation guide.
Key sectors affected by NIS2 compliance
Explore the impact of NIS2 compliance on key sectors like energy and healthcare, enhancing cybersecurity and data protection.
Are automated compliance tools reliable?
Exploring the reliability of automated compliance tools and their role in cybersecurity.
%20(1)%20(2).jpg)
DORA compliance checklist for beginners
An essential guide for beginners to understand and implement DORA compliance effectively.
Key benefits of adhering to DORA compliance
Explore the key benefits of DORA compliance, enhancing security, efficiency, and regulatory adherence.
NIS2 compliance: top strategies for success
Explore effective strategies for NIS2 compliance to enhance cybersecurity and regulatory adherence.
EU AI Act vs. GDPR: what's the difference?
Explore the key differences and overlaps between the EU AI Act and GDPR, focusing on regulation, impact, and compliance.
Can GRC tools predict compliance risks?
Exploring if GRC tools can predict compliance risks and their role in risk management.
Can a GRC tool adapt to regulatory changes?
Explore if GRC tools can adapt to regulatory changes, covering compliance management and risk assessment.
.jpg)
How to prepare for the EU AI Act implementation?
Learn how to prepare for the EU AI Act implementation with practical steps for compliance.
Is your business ready for the EU AI Act?
Explore readiness for the EU AI Act with insights on compliance, challenges, and strategic planning for businesses.
.png)
How does DORA compliance impact financial sectors?
Discover how DORA compliance strengthens financial sectors, enhancing risk management, digital resilience, and regulatory standards.
.jpg)
What is DORA compliance and why does it matter?
Explore DORA compliance, its significance in financial services, and strategies for effective implementation.
DORA compliance vs other regulatory standards
Explore the differences between DORA compliance and other regulatory standards, focusing on financial regulations and cybersecurity.
Can automation improve DORA compliance efforts?
Explore how automation can enhance DORA compliance efforts by streamlining processes and ensuring ongoing monitoring.
How to integrate GRC with existing systems?
Integrating GRC with existing systems enhances compliance, risk management, and efficiency.
Why real-time analytics in GRC are vital
Real-time analytics in GRC is crucial for proactive risk management and continuous compliance monitoring.
What features should a GRC tool have?
Explore essential GRC tool features like integration, risk management, compliance, governance, and customization.
How to prepare your business for CSDR compliance?
Guide to preparing your business for CSDR compliance, covering key strategies, challenges, and technology solutions.
Embedding ISQM 1 into the DNA of Your Audit Firm: A Risk-Based Approach to Quality Management
Discover how to implement ISQM 1 with a risk-based approach. Learn how audit firms can embed quality management into daily operations and governance.
%20(1).avif)
CERRIX User Conference 2025
On March 12, 2025, industry leaders, assurance experts, and CERRIX customers came together for the CERRIX User Conference 2025—a day of knowledge-sharing, insightful discussions, and collaboration on the future of risk management, compliance, and AI-driven GRC solutions.
From Spreadsheets to GRC Software: Why Pension Funds Need a Modern Approach to Risk Management
CERRIX and BR1GHT Strengthen Long-term Partnership to Enhance Governance, Risk, Compliance and Audit Solutions
Implementing DORA: From Compliance to Long-Term Resilience
