Application of ISQM 1

An overview of the requirements and implementation of new quality standards for auditors


ISQM 1 Quality management for firms that perform audits or reviews of financial statements – or other assurance or related services engagements – is applicable from 15 December 2022. It replaces the old ISQC 1.

In addition, a new Engagement Quality Review ISQM 2 and ISA 220 are updated for quality management. Firms which are providing the following services must ensure that they have implemented the ISQM requirements within their practice:

  • audits in compliance with ISA (UK)
  • internal financial review engagement as per ISRE 2410
  • assurance engagements in accordance with ISAE 3000
  • assurance to the FCA on client assets.

Furthermore, ISQM 1 does apply to related service engagements too. ISQM 1 provides examples of when a requirement of this ISQM may not be relevant to the firm:

  • The firm is a sole practitioner. For example, the requirements addressing the organisational structure and assigning roles, responsibilities and authority within the firm, direction, supervision and review and addressing differences of opinion may not be relevant.
  • The firm only performs engagements that are related services engagements. For example, if the firm is not required to maintain independence for related services engagements, the requirement to obtain a documented confirmation of compliance with independence requirements from all personnel would not be relevant.

Application of ISQM 1

IFAC has issued a factsheet and first-time implementation guide for ISQM 1.

Firms that are complying with ISQC 1 will already have policies and procedures in place. The policies and procedures may still be relevant and appropriate for the firm’s new System of Quality Management (SOQM) or may need to be revised or enhanced such that they are appropriate for the new SOQM.

Although the existing policies and procedures may continue to be relevant and appropriate, the firm would still need to establish a SOQM that is compliant with ISQM 1, ensuring all eight components are covered in the procedure manual. Once the system is in place then an evaluation of the firm’s quality management system must be performed at least annually.

The ISQM requires the firm to apply a risk-based approach in designing, implementing and operating the components of the system of quality management in a proactive manner. The quality guidance should be capable of being updated with the changes in firms processes and modern technology.  

Components of the System of Quality Management (SOQM)

A SOQM should address the following eight components:

1. The firm’s risk-assessment process

ISQM 1 requires the firm to apply a risk-based approach in designing, implementing and operating the components of the SOQM in an interconnected and coordinated manner such that the firm proactively manages the quality of engagements performed by the firm. As such, the firm’s risk assessment process consists of:

  • establishing quality objectives
  • identifying and assessing quality risks to the achievement of the quality objectives
  • designing and implementing responses to address the assessed quality risk.

The minimum quality objectives are set out in ISQM 1, specifically within components 2-7, but the firm can establish additional quality objectives (or sub-objectives) it considers necessary to achieve the objectives of the SOQM.

Identifying and assessing quality risks puts attention on what could go wrong (WCGW) in achieving the quality objectives. ISQM 1 aims to focus the firm on risks that have the greatest impact on achieving the quality objectives, so that those risks are appropriately addressed by the firm. A risk qualifies as a quality risk when it meets both of the following criteria:

  • The risk has a reasonable possibility of occurring
  • The risk has a reasonable possibility of, individually or in combination with other risks, adversely affecting the achievement of one or more quality objectives.

Responses that are properly designed and implemented to address the quality risks mitigate the possibility that the quality risk occurs, thereby helping the firm achieve the quality objectives. Paragraph 34 of ISQM 1 includes some specified responses that the firm is required to design and implement, but it is expected that the firm design and implement responses in addition to those specified in the standard to fully comply with the requirements.

2. Governance and leadership

This sets out quality objectives relating to the firm’s culture, leadership responsibility and accountability, organisational structure, assignments of roles and responsibilities, and resource planning and allocation.

3. Relevant ethical requirements

This component addresses quality objectives related to fulfilling relevant ethical requirements by the firm and its personnel. It also deals with relevant ethical requirements to the extent that they apply to others external to the firm such as networks, network firms, individuals in the network or network firms, or service providers.

4. Acceptance and continuance of client relationships and specific engagements

This component details quality objectives addressing the firm’s judgements about whether to accept or continue a client relationship or specific engagement.

5. Engagement performance

This component deals with quality objectives related to the firm’s actions to promote and support the consistent performance of quality engagements, including through direction, supervision and review, consultation and differences of opinion. It includes how the firm supports engagement teams in exercising professional judgement and, when applicable to the nature and circumstances of the engagement, exercising professional scepticism.

6. Resources

This component addresses quality objectives related to obtaining, developing, using, maintaining, allocating and assigning resources in a timely manner to enable the design, implementation, and operation of the SOQM. It includes technological, intellectual and human resources, and addresses service providers.

7. Information and communication

This component deals with quality objectives related to obtaining, generating, or using information regarding the SOQM, and communicating information within the firm and to external parties on a timely basis to enable the design, implementation, and operation of the SOQM.

8. The monitoring and remediation process

The firm shall establish a monitoring and remediation process to:

  • provide relevant, reliable and timely information about the design, implementation and operation of the SOQM
  • take appropriate actions to respond to identified deficiencies such that they are remediated on a timely basis.

Does ISQM 1 apply to independent examiners?

The Charity Commission guidance highlights ‘Independent examination is a form of external scrutiny that provides a limited check on specific matters. This limited form of check (sometimes referred to as ‘negative assurance’) contrasts with an audit.’

The examiner is only required to confirm whether any material matters of concern have come to their attention, whilst an auditor is required to provide an opinion on whether a charity’s accounts give a ‘true and fair view’.

An examination is therefore a limited form of scrutiny compared to an audit. It provides less assurance in terms of the depth of work which is to be carried out and is limited as to the matters on which the examiner reports.

The ethical requirement is that the examiner must be independent of the charity which they are examining. Independence means that the examiner is not influenced, or perceived to be influenced, by either close personal relationships with the trustees of the charity or a day-to-day involvement in the administration of the charity being examined.

Consequently, work as independent examiners will not provide any assurance that the accounting records or the financial statements are free from material misstatement whether caused by fraud, other irregularity or error.

So, it may be construed that the examiners, which by their very nature of work are providing limited assurance only, will not need to comply with ISQM 1 requirements.

More information

ACCA's on-demand webinar provides a deep dive into ISQM 1, ISQM 2 and ISA 220, with examples. It also highlights a perspective from ACCA Practice Monitoring which firms may need to demonstrate for its effective implementation.