Culture and tone
Neil began the webinar by stressing the importance of culture. “Firms that demonstrate a culture of collective accountability, rather than a blame culture, tend to exhibit the best practices,” he said. While many firms already had positive cultural traits before ISQM 1, the standard has acted as a catalyst for change where weaknesses existed.
He noted that ISQM 1 had encouraged firms to see quality management as a dynamic process, rather than something static. Even firms with strong quality control processes before implementation have benefited from clarifying roles and responsibilities across their teams.
Risks, responses and tailoring
Good practice, Neil explained, includes “very clear, tailored risks and responses specific to the firm.” Some firms have gone further by applying risk ratings to focus monitoring on what matters most. In contrast, he highlighted firms that relied too heavily on methodology providers’ templates without adapting risks and responses for their own circumstances, for example, where subcontracting or outsourcing is used.
He added that tailoring becomes more important as firms grow in size and complexity.
The larger and more complex the firm, the more tailoring we would expect to see.
Monitoring activities and remediation
A proactive, risk-based approach to monitoring was a recurring theme. Neil pointed to firms that now select files for cold file review more carefully, linking criteria to identified risks and including higher-risk areas such as group audits or specialist audits. Some have also increased the frequency of reviews, not necessarily the total number, allowing them to test remediation more quickly.
He shared a practical example from one firm where late file assembly had been identified as a deficiency. The firm introduced an automated traffic-light system in its audit software to flag risks of missed deadlines, monitored by the audit compliance partner. “This was a clear remediation response, backed up by monitoring activities to test that the solution worked,” he said.
Neil also noted that successful firms do not rely solely on external reviewers. Instead, they carry out their own assessments, identifying patterns and using root cause analysis to inform remediation. “Stopping at identifying the root cause without planning remediation defeats the purpose,” he stressed.
Annual evaluation
Nick reminded firms of the requirement to conduct an annual evaluation of the system of quality management, using one of the three prescribed conclusions under ISQM 1. “Firms should not be tailoring these conclusions, nor should they sit on the fence between A and B, or between B and C,” he said.
While most larger firms have documented their conclusions properly, some smaller and mid-sized firms had either not carried out an evaluation or had been unclear in their wording. Good practice includes documenting how the conclusion was reached, summarising monitoring results and deficiencies, and evidencing remediation.
Neil added that in some firms, boards or oversight bodies had reviewed the evaluation, providing an additional layer of challenge before sign-off.
Beyond cold file reviews
Both speakers emphasised that firms should not rely exclusively on cold file reviews. Neil highlighted cases where deficiencies identified by ethics teams or training compliance reviews were not being considered as part of ISQM 1 monitoring. “This is probably the most common example of deficiencies from other monitoring activities not being appropriately assessed and evaluated,” he said.
In his closing remarks, Nick who was chairing the webinar linked this point to CPD monitoring. He explained that ICAEW’s new CPD requirements, which introduce dual responsibility for both firms and individuals, often overlap with ISQM 1’s quality objectives on resources. “There is a very clear crossover with the monitoring requirements of ISQM 1, give yourselves credit for the monitoring that is already happening,” he advised.
Continuous improvement
Firms are encouraged to integrate ISQM 1 monitoring with the requirements of audit regulation. This ICAEW helpsheet provides a useful checklist of additional regulatory obligations that should be considered when conducting monitoring and evaluations.
Nick was keen to stress the benefits to firms of embracing ISQM1, “Few audits are perfect. The objective is for firms’ systems of quality management to identify deficiencies, undertake root cause analysis, and be (at least) some way through remediation before any regulatory visit.”