How Audit Firms Embed ISQM into Daily Practice

Audit firms face increasing pressure to turn regulatory requirements like ISQM 1 into real, operational quality. But how do you move from policies and testing into daily behavior and accountability? In our second ISQM webinar, experts from RSM, Grant Thornton, and CERRIX shared practical insights on how audit firms can embed ISQM into the heart of their operations.

ISQM in Practice: Moving Beyond Documentation

“Before you can talk about control assurance, you first need a control framework,” said Harry Weijers, Quality Officer at RSM Netherlands. And that’s where most firms struggle—not in defining ISQM requirements, but in operationalizing them.

At RSM, the journey started by reverse-engineering existing quality handbooks and mapping them to ISQM risks and controls. That internal foundation was then enriched by external sources, including:

• The control framework

• Tools from the IAASB and IFAC

• Practice aids from Essera

• AI-based control suggestions

This multi-source approach helped build a comprehensive, living control framework that evolves with every audit cycle.

From Framework to Execution: The Control Assurance Model

Paul Bruggeman, founder of CERRIX, explained that real assurance requires more than control design. It requires execution:

“Many firms focus on effectiveness testing after the fact. But if you embed execution upfront, you get timely insights—and fewer surprises.”

CERRIX enables firms to schedule and document controls as tasks, linked directly to responsible owners. This proactive execution model creates a live view of whether controls are being performed and allows firms to monitor and improve quality in real time.

First-Line Ownership: A Cultural Shift

Jan Ludolf Heeres, Partner at Grant Thornton Advisory, emphasized a key principle: quality must live in the first line.

“We used to assign all controls to the Head of Audit. Now, we push responsibility to where execution actually happens—HR, IT, functional teams.”

This shift means that staff across the firm, not just risk teams, interact with the ISQM framework. And that requires support tools, accountability structures, and most of all—clarity.

Grant Thornton uses Cerex to set up monthly execution tasks for HR (e.g., onboarding documentation), with automated reminders and evidence tracking. Over 60% of their 214 ISQM-related controls are now integrated into these workflows.

Transparency Drives Awareness

Transparency is crucial for cultural adoption. At RSM, the incidents register is shared across offices. “People are much more aware when they see real examples from peers,” Weijers noted. “It’s not about blaming—it’s about learning.”

Measuring and Reporting on Quality

The challenge is not just to perform controls, but to track improvement over time. Both firms generate semi-annual partner-level reports summarizing:

• Residual risks

• Status of significant measures of improvement (MOIs)

• Progress on control execution

This real-time data from CERRIX is visualized in Power BI dashboards, providing leadership with actionable insights and audit trail.

“Quality isn’t a side project. It’s how we work. And tools like CERRIX help make that part of our rhythm,” Heeres said.

Final Thoughts

ISQM requires more than documentation. It’s about embedding quality into roles, workflows, and decision-making. That means defining your control framework, assigning ownership, enabling execution, and continuously learning.

Join our next webinar to see how audit firms are applying real-time monitoring and reporting across the ISQM lifecycle.

Frequently Asked Questions

Q: What is ISQM  in auditing?

A: ISQM is a global standard that requires audit firms to implement a system of quality management tailored to their services and risks.

Q: How can firms make ISQM part of daily operations?

A: By integrating controls into business processes, assigning responsibility to operational leaders, and using platforms like CERRIX to plan, document, and monitor control execution.

‍