Key Takeaways
- Monitoring must include inspection of completed engagements, not just policy-level reviews of the firm's quality system.
- Remedial actions must respond to root causes, not just surface symptoms. The firm must also evaluate whether those actions actually worked.
- ISQM 1 requires an annual evaluation that concludes on whether the SoQM provides reasonable assurance that its objectives are being achieved.
- The FRC's 2024/25 inspection cycle found that firms outside the largest tier still struggle with monitoring and remediation despite the standard being effective since December 2022.
What actually goes wrong
In our experience, the typical mid-tier firm treats monitoring like an annual chore: pull two files, run through a checklist, write up findings that look suspiciously similar to last year's, and call it done. The FRC's 2024/25 inspection cycle confirmed this pattern across firms outside the largest tier. The problem isn't that firms skip monitoring. It's that they do just enough ticking and bashing to fill the file without ever asking whether the system is actually improving.
That's the gap ISQM 1 was designed to close. The standard doesn't just require you to inspect files. It requires a closed loop: monitor, identify deficiencies, trace them to root causes, fix those causes, and then verify the fix worked.
How ISQM 1 structures the process
ISQM 1.36 requires the firm to design and perform monitoring activities that provide a basis for identifying deficiencies in the system of quality management (SoQM). These activities sit on a spectrum. At one end: reviewing whether firm policies and procedures are properly designed. At the other: selecting completed engagements and inspecting the working papers (WPs) to test whether responses to quality risks actually operated as intended. ISQM 1.38 makes engagement inspection mandatory, not optional.
The individuals performing monitoring activities must be competent, have sufficient time, and be objective. ISQM 1.39 prohibits engagement team members or the engagement quality reviewer (EQR) from inspecting their own engagement. When monitoring reveals findings, ISQM 1.40 requires the firm to evaluate whether those findings constitute deficiencies. If they do, ISQM 1.41 requires investigation of root causes before designing remedial actions. ISQM 1.42 then requires the firm to design and implement remedial actions that respond to those root causes. The cycle closes at ISQM 1.43-44: the firm evaluates whether the remedial actions worked, and if they didn't, modifies them until they do.
The annual evaluation under ISQM 1.53-54 draws on all of this. The firm concludes on whether its SoQM provides reasonable assurance that its quality objectives are being achieved. That conclusion rests on the monitoring evidence, not on a general assertion that the system is operating.
Worked example: Rossi Alimentari S.p.A.
Client context: An Italian mid-tier audit firm, Studio Contabile Ferrara, performs the statutory audit of Rossi Alimentari S.p.A. (Italian food production company, FY2025, revenue €67M, IFRS reporter). Studio Contabile Ferrara has 14 partners and 85 professional staff. The firm's monitoring and remediation process is illustrated through its annual cycle.
Step 1: design monitoring activities
The firm's quality management leader selects four completed audit engagements for cold file review, including one public interest entity (PIE) engagement and one first-year engagement. Selection criteria also target two engagement partners (EPs) who weren't inspected in the prior year. The firm additionally schedules a policy-level review of its independence procedures and its acceptance and continuance process.
Step 2: perform engagement inspections
The cold file review of the Rossi Alimentari engagement identifies two findings. First, the engagement team didn't document its evaluation of a key supplier rebate estimate under ISA 540.18 . Second, the team accepted management's going concern assessment without documenting its own evaluation of the cash flow forecast assumptions.
Step 3: investigate root causes
The firm's quality management leader determines that the ISA 540 documentation gap recurred on two of the four inspected engagements. Root cause analysis identifies that the firm's audit methodology template doesn't prompt teams to document the evaluation of estimation methods separately from the testing of inputs. The going concern finding is isolated to one engagement.
Step 4: design and implement remedial actions
For the ISA 540 deficiency, the firm revises its methodology template to include a discrete section requiring documentation of the evaluation of the entity's estimation method before testing begins. The firm schedules a 90-minute training session for all managers and partners. For the going concern finding, the EP receives targeted coaching. The firm sets a follow-up inspection of two engagements in six months to verify whether the revised template is being used.
Studio Contabile Ferrara's annual evaluation concludes that the SoQM provides reasonable assurance that quality objectives are being achieved, with one identified deficiency ( ISA 540 documentation) for which remedial action has been designed and implemented but not yet evaluated for effectiveness. The conclusion is defensible because it rests on documented monitoring activities, root cause analysis, and specific remedial actions with a defined follow-up timeline.
Why it matters in practice
The FRC's 2024/25 inspection cycle (the first conducted solely under ISQM (UK) 1) found that firms outside the largest tier need to improve how they monitor the operation of responses and elements of their annual evaluation. Too many firms treated initial ISQM 1 implementation as a one-off project rather than an iterative process, and their monitoring activities haven't kept pace with changes to the system. ISQM 1.37 requires the firm to consider changes in the SoQM when determining the nature, timing, and extent of monitoring activities.
What actually happens on the ground is depressingly predictable. A deficiency recurs, so the firm runs the same firm-wide training it ran last year. Nobody checks whether last year's training changed anything. ISQM 1.44 requires modification of remedial actions that aren't working. At firms like ours, I think the honest answer is that repeating identical training in consecutive years without evidence of behavioural change is closer to a TGIF exercise than genuine remediation. That's an uncomfortable conclusion, but the standard is clear.
Monitoring and remediation vs. EQR
| Dimension | Monitoring and remediation (ISQM 1) | EQR (ISQM 2 / ISA 220 ) |
|---|---|---|
| Timing | After the engagement is completed (cold file review) and on an ongoing basis throughout the period | Before the engagement report is issued |
| Scope | The entire system of quality management, including firm-level policies and individual engagement files | A single engagement, focused on significant judgments and the proposed opinion |
| Performed by | Individuals assigned by the firm with objectivity from the engagement under review | The EQR, appointed for that specific engagement |
| Output | Findings, deficiency evaluations, root cause analysis, remedial actions, and the annual evaluation conclusion | The EQR's conclusion on whether to provide concurrence with the report |
| Standard | ISQM 1.36–47 | ISQM 2; ISA 220.35 –37 |
An EQR catches problems before the report goes out. Monitoring catches systemic patterns after reports have been issued and feeds those patterns back into the firm's quality system. A firm that relies on EQRs alone has no mechanism for detecting recurring deficiencies across its portfolio.
Related terms
Related reading
Frequently asked questions
How often do I need to inspect completed engagements under ISQM 1?
ISQM 1.38 requires the firm to include inspection of completed engagements in its monitoring activities but does not prescribe a fixed frequency or number. The firm determines the cycle based on the nature, timing, and extent of monitoring needed to identify deficiencies. Most regulatory bodies expect every engagement partner to be subject to inspection within a defined cycle (the FRC expects coverage within a three-year rotation for registered firms).
What happens if monitoring reveals no deficiencies at all?
A monitoring cycle that produces zero findings warrants scepticism, not celebration. ISQM 1.40 requires the firm to evaluate findings to determine whether deficiencies exist. If the monitoring activities are insufficiently rigorous or narrowly scoped, the absence of findings reflects the quality of the monitoring, not the quality of the system. Regulators have flagged this pattern as an indicator that monitoring activities need to be redesigned.
Does monitoring and remediation apply to non-audit engagements?
Yes. ISQM 1.3 applies to firms that perform audits or reviews of financial statements, or other assurance or related services engagements. The monitoring and remediation process covers the entire system of quality management, which encompasses all engagement types the firm performs. The scope and intensity of monitoring may differ, but the requirement itself is not limited to audit.