Continuing our blog where we looked at how to establish quality objectives for the ISQM, this week we look at how to assess the quality risks.

Have you assessed your quality risks yet?

The first step is to consider the likelihood and significance of a particular risk crystallising.

Bear in mind that the quality management process is iterative, so you can adjust the assessment at any time if you think it has changed since it was last assessed, as long as you document your changes and the reasons for the change.

Develop and implement responses

There are broadly 6 mandatory responses set out in ISQM 1 (see paragraph 34 of ISQM 1), to which IAASA has added a further 12 of its own (see paragraph 34D-1 of ISQM 1). Paragraph 34D-2 adds some requirements for auditors of listed entities, and paragraph 34D-3 mentions adjusting the requirements for the scalability and complexity of the audit firm and the entities it audits.

On their own they will not be sufficient for full ISQM 1 compliance.

Many of the policies and procedures you already have in place under ISQC 1 may be appropriate, but be careful not to take the attitude that this is a copy and paste exercise.

The responses identified need to link back to the quality risks already identified and the established quality objectives. Please don’t give in to the temptation to work backwards by starting with your policies and procedures and then doing the responses followed by the risk assessment.

Follow this sequence:

  1. Document the key information about your firm and engagements;
  2. Think about the quality objectives in the standard and the risks that could arise by not achieving those objectives; and
  3. Then look at your current procedures and policies to identify gaps.

Where you find that your existing ISQC 1 policy or procedure doesn’t fit any of the risks you have identified, there are two main possible consequences. Either:

  1. The procedure isn’t needed or
  2. You have missed a risk that needs more attention in the new ISQM 1 System of Quality Management (SOQM).

Monitor and revisit

As you progress through the standard and you evaluate and monitor your System of Quality Management (SOQM), you may revisit and change objectives, risks and responses. If deficiencies are identified, you must perform root cause analysis, the outcome of which may then involve revising either your objectives, risks or responses.

You may have already been doing this by responding to cold and hot file review and inspection findings, but perhaps without being sufficiently proactive about correcting deficiencies and ensuring they are much less likely to recur.

If you haven’t, you don’t need to wait until 15 December 2022 to start – get started now.

It’s impossible to cover everything in this brief blog. For more assistance please see our new ISQM TOOLKIT or if you prefer to chat through the different audit risks and potential appropriate responses presented by this new standard, please call or e-mail John McCarthy FCA or e-mail him at
