Key Points
- ISQM 1 prescribes eight quality objectives (QOs) that every firm must address, regardless of size or number of partners.
- Each QO requires the firm to identify specific quality risks and design responses before the system becomes operational.
- Failing to tailor objectives to the firm's own circumstances is the single most common inspection finding on ISQM 1 implementation.
- Firms had until 15 December 2023 to evaluate whether their quality management system achieved its objectives for the first time.
What are quality objectives?
Most firms we've spoken to hit the same wall during ISQM 1 implementation: they can list their policies, but they can't explain what outcome each policy is supposed to achieve. That gap between "we have a procedure" and "here's the objective it serves" is exactly where quality objectives (QOs) sit. Without them, your quality management system is a filing exercise rather than a diagnostic tool.
ISQM 1.23–27 requires the firm to establish QOs for each component: governance and leadership, relevant ethical requirements, acceptance and continuance, engagement performance, resources (human, technological, intellectual, and financial), information and communication, and the monitoring and remediation process. The standard sets these objectives at a high level. ISQM 1.24 then requires the firm to establish additional objectives if it identifies conditions or circumstances beyond those contemplated by the standard.
The logic runs in one direction. QOs sit at the top. Underneath each objective, the firm identifies quality risks (the conditions that could prevent the objective from being achieved). Underneath each risk, the firm designs quality responses (the policies and procedures that address the risk). This three-layer architecture replaced the old ISQC 1 approach, which prescribed a fixed set of policies without requiring the firm to connect them to specific risks.
ISQM 1.A30–A47 provides application material with examples of quality risks for each objective, but the standard is explicit that these examples are not a checklist. A two-partner firm performing only statutory audits of owner-managed companies faces different risks than a 200-person firm with listed-entity clients. The firm must assess its own practice and document why each identified risk threatens a specific QO.
Worked example: Studio Contabile Marchetti
Rossi Alimentari is an Italian food production company, but this example focuses on the audit firm that audits Rossi. Studio Contabile Marchetti is a 14-person practice in Milan with four partners, performing statutory audits of mid-market Italian manufacturers. FY2024 is the first evaluation year.
Step 1 — Map QOs to the firm's circumstances
The managing partner documents the eight ISQM 1 QOs. For the engagement performance component, ISQM 1.25 requires the objective that engagements are performed in accordance with professional standards and applicable requirements. The partner tailors this by noting that 60% of the firm's audit clients report under IFRS while 40% report under Italian GAAP (OIC), creating a dual-framework competence requirement.
Step 2 — Identify quality risks for the engagement performance objective
The firm identifies two quality risks. First, audit teams may apply IFRS recognition criteria to OIC-reporting clients (or vice versa) when staff rotate between engagements. Second, the firm's standard audit programmes were developed for IFRS engagements and may not capture OIC-specific disclosure requirements. Both risks threaten the QO because they could result in engagements not being performed in accordance with the applicable framework.
Step 3 — Design quality responses
For the first risk, the firm implements a mandatory pre-engagement briefing confirming the applicable framework, with a sign-off by the engagement partner (EP) before fieldwork begins. For the second risk, the firm develops a parallel OIC audit programme and assigns a partner with OIC specialisation to review all OIC engagements. Both responses are documented in the firm's quality management manual with assigned responsibilities and implementation dates.
Step 4 — Evaluate and conclude
At the end of the first evaluation period (15 December 2024), the managing partner reviews monitoring results. Two OIC engagements were tested by the firm's monitoring and remediation process. Neither showed framework misapplication. The partner concludes that the QO for engagement performance is being achieved for the OIC-related risks identified.
The QO is supported by a documented chain from objective to risk to response to monitoring evidence. It's defensible because each layer is specific to the firm's dual-framework practice rather than copied from generic templates.
Why it matters in practice
- The AFM's 2023 inspection findings on ISQM 1 implementation noted that firms frequently adopted QOs verbatim from the standard without tailoring them to the firm's own circumstances. ISQM 1.24 requires the firm to establish additional QOs when conditions beyond those in paragraphs 23–27 exist. We've seen this on about half the engagements we review: firms copy-paste the standard's language, call it done, and then can't explain how their QOs differ from any other firm's.
- Firms often treat QOs as a one-time documentation exercise completed at initial implementation. Nobody wants to revisit a 40-page quality manual every year, but that's what ISQM 1.54–56 requires. The system (and therefore the objectives) must remain current as the firm's circumstances change. Skipping this step is how firms end up with a quality system that describes the practice they had two years ago, not the one they run today.
Quality objectives vs. quality risks
| Dimension | QOs (ISQM 1.23–27) | Quality risks (ISQM 1.25–26) |
|---|---|---|
| What it is | The outcome the firm must achieve | The condition that could prevent the outcome |
| Direction | Set first; drives the rest of the system | Identified second; flows from the objective |
| Source | Prescribed by the standard, plus firm-specific additions | Identified by the firm based on its circumstances |
| Level of specificity | High-level, component-based | Granular, firm-specific |
| Documentation focus | Why the objective applies to this firm | What threatens the objective and how likely/severe the threat is |
The distinction matters because reversing the order (identifying policies first, then retrofitting objectives to justify them) produces a system that looks complete on paper but lacks the diagnostic power ISQM 1 intended. It's ticking and bashing at the system level. Root cause analysis becomes impossible when the firm can't trace a deficiency back through the risk layer to a specific QO that was or wasn't achieved.
Related terms
Related reading
Frequently asked questions
How many quality objectives does ISQM 1 require?
ISQM 1.23–27 prescribes objectives across eight components, but the standard does not cap the total number. Firms must establish additional objectives under ISQM 1.24 when they identify risks not covered by the prescribed set. A firm with unusual engagement types (agreed-upon procedures across multiple jurisdictions, for instance) will need objectives beyond the baseline eight.
What happens if a quality objective is not achieved?
ISQM 1.42 requires the firm to investigate the root cause of any identified deficiency and determine whether the deficiency is severe enough to conclude that the system does not provide reasonable assurance. If the conclusion is negative, ISQM 1.54(b) requires the firm to take prompt and appropriate action, which may include halting acceptance of new engagements until the deficiency is remediated.
Do sole practitioners need to set quality objectives?
Yes. ISQM 1 applies to all firms that perform audits or reviews of financial statements, or other assurance or related services engagements. ISQM 1.A3 acknowledges that smaller firms may address the requirements differently, but the obligation to establish quality objectives and connect them to identified risks applies regardless of firm size.