ISQM 1 Explained: What Audit Firms Must Do Differently Now
ISQM 1 represents one of the biggest shifts in audit regulation in decades. Yet many audit firms still treat it as a documentation update or a renamed version of ISQC 1. That assumption is risky.
In reality, ISQM 1 fundamentally changes how audit firms are expected to manage quality. It moves firms away from checklist compliance and towards active risk-based quality management.
This article explains ISQM 1 in practical terms, what has changed, and what audit firms must do differently now.
What Is ISQM 1?
ISQM 1 (International Standard on Quality Management 1) sets out requirements for:
-
Designing
-
Implementing
-
Operating
-
Monitoring
a firm-wide system of quality management for audits and other assurance engagements.
ISQM 1 replaces ISQC 1, which was largely policy-driven and reactive. The new standard is issued by the International Auditing and Assurance Standards Board and is effective for audit firms globally.
Why ISQM 1 Is a Major Shift (Not a Minor Update)
Under ISQC 1, many firms relied on:
-
Standard templates
-
Annual declarations
-
Retrospective inspections
ISQM 1 changes the mindset entirely.
Key shifts include:
-
From policies → to risk-based systems
-
From compliance → to continuous management
-
From periodic checks → to ongoing monitoring
In short, firms must now manage quality proactively, not just demonstrate it after the fact.
What Audit Firms Must Do Differently Under ISQM 1
1️⃣ Move from Policies to a Risk-Based Quality System
ISQM 1 requires firms to identify and assess quality risks specific to their practice.
This means:
-
No more one-size-fits-all manuals
-
Quality risks must reflect:
-
Firm size
-
Engagement types
-
Client risk profile
-
Audit firms must design tailored responses to those risks.
2️⃣ Take Clear Ownership at Leadership Level
Under ISQM 1, leadership accountability is explicit.
Firms must:
-
Assign ultimate responsibility for quality to firm leadership
-
Ensure leaders demonstrate commitment to quality in practice, not just in words
Quality is no longer delegated entirely to a “quality partner” — it is a leadership obligation.
3️⃣ Actively Manage Engagement Performance
ISQM 1 requires firms to look beyond individual engagement checklists.
Firms must ensure:
-
Appropriate engagement team selection
-
Proper supervision and review
-
Adequate time and resources allocated
Under-resourced audits now represent a quality risk, not just a commercial issue.
4️⃣ Strengthen Resources, Including People and Technology
Firms must assess whether they have:
-
Sufficient competent staff
-
Appropriate training programmes
-
Adequate technological resources
Using outdated systems or overstretched teams without mitigation now breaches the spirit of ISQM 1.
5️⃣ Formalise Risk Assessment Processes
A key new requirement is documented quality risk assessment.
Firms must:
-
Identify quality objectives
-
Identify risks that threaten those objectives
-
Design responses
-
Reassess risks regularly
This is not a one-off exercise. It is continuous.
6️⃣ Introduce Ongoing Monitoring and Remediation
ISQM 1 places heavy emphasis on:
-
Continuous monitoring
-
Root-cause analysis
-
Timely remediation
Firms must:
-
Identify deficiencies early
-
Analyse why they occurred
-
Fix root causes, not symptoms
Annual cold file reviews alone are no longer sufficient.
7️⃣ Improve Documentation — But With Purpose
ISQM 1 does require more documentation. However, documentation must:
-
Demonstrate decision-making
-
Show risk assessment logic
-
Evidence monitoring and remediation
Generic templates without firm-specific reasoning are increasingly indefensible.
Common Misconceptions About ISQM 1
❌ “ISQM 1 is just updated ISQC 1”
Wrong. It is a structural change, not a cosmetic one.
❌ “Small firms don’t need full systems”
Incorrect. ISQM 1 applies to all audit firms, regardless of size — though systems must be proportionate.
❌ “We can fix this during inspection”
Too late. ISQM 1 expects ongoing operation, not last-minute clean-up.
What Regulators Are Looking for Now
Regulators increasingly focus on:
-
Whether the system is designed properly
-
Whether risks are realistically identified
-
Whether leadership involvement is genuine
-
Whether monitoring leads to real change
Firms with “paper compliance” but weak execution face higher inspection risk.
A Practical ISQM 1 Readiness Checklist (High-Level)
Audit firms should ask:
-
Have we identified firm-specific quality risks?
-
Are leadership responsibilities clearly documented and evidenced?
-
Do engagement teams have sufficient time and resources?
-
Are monitoring activities ongoing or only annual?
-
Can we demonstrate how deficiencies are remediated?
If any answer is unclear, ISQM 1 compliance is likely incomplete.
Why ISQM 1 Is Also a Commercial Issue
ISQM 1 is not just regulatory.
Poor quality management leads to:
-
Rework
-
Staff burnout
-
Inspection findings
-
Reputation damage
Strong ISQM 1 implementation:
-
Improves audit consistency
-
Reduces engagement risk
-
Supports sustainable firm growth
Quality management is now a strategic issue, not an administrative one.
Final Thoughts
ISQM 1 explained simply: audit firms must stop treating quality as a checklist and start managing it as a system.
Firms that embrace ISQM 1 early gain:
-
Better audit outcomes
-
Stronger regulatory standing
-
More resilient practices
Firms that delay or minimise the change risk both compliance and credibility.
How uSafe Can Help
uSafe supports audit firms with:
-
ISQM 1 gap assessments
-
Risk-based quality system design
-
Documentation tailored to firm reality
-
Implementation and monitoring frameworks
If your firm is still relying on ISQC 1-style approaches, now is the time to reassess.
Chinese 
English