How Audit Firms Embed ISQM into Daily Practice

Phuong Pham

September 10, 2025

•

5 min read

Audit firms face increasing pressure to turn regulatory requirements like ISQM 1 into real, operational quality. But how do you move from policies and testing into daily behavior and accountability? In our second ISQM webinar, experts from RSM, Grant Thornton, and CERRIX shared practical insights on how audit firms can embed ISQM into the heart of their operations.

ISQM in Practice: Moving Beyond Documentation

“Before you can talk about control assurance, you first need a control framework,” said Harry Weijers, Quality Officer at RSM Netherlands. And that’s where most firms struggle—not in defining ISQM requirements, but in operationalizing them.

At RSM, the journey started by reverse-engineering existing quality handbooks and mapping them to ISQM risks and controls. That internal foundation was then enriched by external sources, including:

The control framework

Tools from the IAASB and IFAC

Practice aids from Essera

AI-based control suggestions

This multi-source approach helped build a comprehensive, living control framework that evolves with every audit cycle.

From Framework to Execution: The Control Assurance Model

Paul Bruggeman, founder of CERRIX, explained that real assurance requires more than control design. It requires not only deep understanding about ISQM framework, but also execution:

“Many firms focus on effectiveness testing after the fact. But if you embed execution upfront, you get timely insights—and fewer surprises.”

CERRIX enables firms to schedule and document controls as tasks, linked directly to responsible owners. This proactive execution model creates a live view of whether controls are being performed and allows firms to monitor and improve quality in real time. Check out ISQM implementation guide within audit firms.

First-Line Ownership: A Cultural Shift

Jan Ludolf Heeres, Partner at Grant Thornton Advisory, emphasized a key principle: quality must live in the first line.

“We used to assign all controls to the Head of Audit. Now, we push responsibility to where execution actually happens—HR, IT, functional teams.”

This shift means that staff across the firm, not just risk teams, interact with the ISQM framework. And that requires support GRC tools, accountability structures, and most of all—clarity.

Grant Thornton uses CERRIX to set up monthly execution tasks for HR (e.g., onboarding documentation), with automated reminders and evidence tracking. Over 60% of their 214 ISQM-related controls are now integrated into these workflows.

Transparency Drives Awareness

Transparency is crucial for cultural adoption. At RSM, the incidents register is shared across offices. “People are much more aware when they see real examples from peers,” Weijers noted. “It’s not about blaming—it’s about learning.”

Measuring and Reporting on Quality

The challenge is not just to perform controls, but to track improvement over time. Both firms generate semi-annual partner-level reports summarizing:

Residual risks

Status of significant measures of improvement (MOIs)

Progress on control execution

This real-time data from CERRIX is visualized in Power BI dashboards, providing leadership with actionable insights and audit trail.

“Quality isn’t a side project. It’s how we work. And tools like CERRIX help make that part of our rhythm,” Heeres said.

Final Thoughts

ISQM requires more than documentation. It’s about embedding quality into roles, workflows, and decision-making. That means defining your control framework, assigning ownership, enabling execution, and continuously learning.

Register to watch the on-demand webinar here.

Frequently Asked Questions

Q: What is ISQM in auditing?

A: ISQM is a global standard that requires audit firms to implement a system of quality management tailored to their services and risks.

Q: How can firms make ISQM part of daily operations?

A: By integrating controls into business processes, assigning responsibility to operational leaders, and using platforms like CERRIX to plan, document, and monitor control execution.

‍

Download your guide for ISQM implementation within Audit firms

Download Whitepaper

Share this post

Phuong Pham

Marketing Manager at CERRIX (For media contact: phuong.pham@cerrix.com)

Related content

How to Write an Incident Report That Stands Up to Audits

Learn how to write incident reports that are clear, evidence-backed, and audit-ready. Includes a template, best practices, and compliance alignment for risk professionals.

How to Implement ISO 31000: Real-Time Risk Decisions with AI‑Enabled Tools

Discover how to move beyond compliance and operationalize ISO 31000 using AI, real-time dashboards, and structured risk assessments. Learn from webinar insights and best practices tailored for financial services and regulated industries.

What’s Blocking Your ISMS Rollout? 7 Fixable Challenges for Financial Institutions

Discover the 7 biggest blockers in ISMS rollout for financial institutions—and how to solve them. Learn practical strategies to secure buy-in, define scope, streamline controls, and prepare for ISO 27001 certification.

Trends Driving ISMS Adoption in 2025: What Risk & Compliance Leaders Need to Know

Discover the top trends pushing organizations toward ISMS adoption in 2025—from regulatory changes and remote work to threat evolution and AI. Learn what to prioritize to stay ahead in risk and compliance.

What Is an ISMS? A Practical Guide for Risk & Compliance Leaders in 2025

An Information Security Management System (ISMS) is more than policy—it’s your organization’s shield against evolving threats, regulation, and reputation risk. Discover what ISMS means, how to implement it, and why it matters in 2025.

The Intelligent Future of GRC: How AI is Reshaping Governance, Risk & Compliance in 2025

Explore how AI is transforming GRC in 2025—from predictive insights and automation to ethical oversight. Learn what features matter, what risks to manage.

How Do You Implement an ISMS in Financial Services Without Slowing Down Innovation?

Implementing an ISMS in financial services? Explore a practical, risk-aligned roadmap tailored for banks, fintechs, and insurers to meet ISO 27001, GDPR, and DORA compliance—without compromising agility.

How Do You Build a Robust ISMS Framework Based on ISO 27001?

Learn how to build a robust ISMS framework aligned with ISO 27001. Discover the key components—people, policies, processes, and controls—to strengthen security and achieve compliance.

When to Conduct Risk Assessments: 6 Enterprise-Critical Moments

Learn when to conduct risk assessments—annual, quarterly, after incidents or change—and how CERRIX ensures continuous compliance.

How do you build a system of quality management that works under ISQM 1?

Learn how to build a system of quality management under ISQM 1. Move beyond compliance to an operational model that proves audit quality.

Top GRC Platforms Compared: Risk Assessment Tools for 2025

Discover the top GRC platforms for 2025 with a focus on risk assessment tools.

What Are Risk Scoring Methods for Financial Institutions? [2025 Guide]

From Risk Assessment to Risk Management: Moving Beyond Checklists in 2025

Understand the evolution from risk assessment to strategic risk management in 2025. Learn why leading organizations are embedding risk into decision-making—and how GRC platforms like CERRIX support this shift.

What is risk management? A strategic guide for leaders in 2025