Key Points

  • Every quality response must trace back to a specific quality risk. Responses without a linked risk are orphaned controls with no demonstrable purpose.
  • Firms must design responses that are proportionate to the nature and significance of the quality risks they address.
  • ISQM 1.26 requires responses to be designed and implemented, not merely documented on paper.
  • Inspection findings from regulators such as the AFM and FRC most frequently target gaps between documented responses and actual firm behaviour.

What are quality responses?

At firms like ours, the most common ISQM 1 inspection finding isn't a missing policy. It's a policy that exists on paper but has no documented link to the risk it's supposed to address. Quality responses are the fix for that disconnect: they're the specific policies and procedures a firm designs to address each identified quality risk, and ISQM 1.26 requires each one to trace back to something concrete.

The logic is sequential. The firm sets quality objectives (QOs) under ISQM 1.23–24, identifies risks that threaten those objectives, and then designs responses that reduce those risks to an acceptable level. A response might be a policy (the firm requires all engagement partners to complete a conflict check before acceptance) or a procedure (the engagement team runs a materiality calculation tool at planning). Many responses combine both elements.

ISQM 1.27 adds a scalability requirement. A sole practitioner with twelve statutory audits doesn't need the same apparatus as a 200-person firm. The responses must be proportionate to the nature and circumstances of the firm, including what engagements it performs and how it's organised. This is where many smaller firms either over-engineer (copying Big 4 templates wholesale) or under-engineer (treating responses as a checklist exercise with no link to specific risks).

The connection to monitoring and remediation matters here. ISQM 1.40 requires the firm to monitor whether its responses are operating as designed. A response that exists on paper but isn't followed in practice fails ISQM 1.26 just as completely as having no response at all.

Worked example: Byrne & Associates

This worked example uses a fictional mid-sized Irish audit practice, Byrne & Associates, with 14 professionals performing 45 statutory audits annually under ISAs (Ireland and the UK). The "client" here is the audit firm itself.

Step 1 — Link response to quality risk

Byrne & Associates identified a quality risk that engagement teams may accept new clients without adequate consideration of competence and ethical requirements. The risk threatens the QO at ISQM 1.30(a) relating to acceptance and continuance decisions.

Step 2 — Design the response

The firm implements a two-stage acceptance and continuance procedure. First, the prospective engagement partner (EP) completes a structured assessment form covering competence, independence, client integrity, and anti-money-laundering requirements. Second, the managing partner reviews and approves or rejects the assessment before the engagement letter is issued. For high-risk clients (public interest entities, entities in regulated industries, entities with prior-year qualified opinions, or entities operating across multiple jurisdictions), the firm requires an additional review by a second partner.

Step 3 — Implement and communicate

Byrne & Associates updates its quality management manual, distributes the revised acceptance form to all partners, runs a 90-minute training session, and logs the go-live date as 1 January 2026.

Step 4 — Monitor operating effectiveness

Six months after go-live, the firm's monitoring function reviews a sample of eight new client acceptances. Two files are missing the managing partner's sign-off. That's a frustrating result after the effort of building the procedure, but it's exactly the kind of gap ISQM 1.40 is designed to catch. The firm logs the deficiency and requires retrospective approval within ten days.

The acceptance procedure is a defensible quality response because it traces directly to an identified risk and is proportionate to a 14-person firm. It has also been tested for operating effectiveness within the first monitoring cycle.

Why it matters in practice

  • The AFM's 2023 thematic inspection of ISQM 1 implementation at non-PIE audit firms found that many firms had documented quality responses but couldn't demonstrate that those responses were operating in practice. We've seen this on about half the engagements we review. The gap between design and operation is the single most common deficiency.
  • Firms frequently design responses at a generic level without linking them to specific quality risks. A firm-wide "training policy" is not a quality response unless the firm can articulate which quality risk the training addresses and how the training reduces that risk. Without that link, the response is just ticking and bashing at the system level.

Quality responses vs. quality risks

| Dimension | Quality responses | Quality risks |
|---|---|---|
| Definition | Policies and procedures the firm designs to address quality risks (ISQM 1.26) | Conditions that have a reasonable possibility of, individually or in combination, adversely affecting a QO (ISQM 1.25) |
| Sequence | Come after risk identification; can't be designed without a risk to address | Come after QOs are set; identified before responses are designed |
| Scalability test | Must be proportionate to the firm's size and engagement portfolio (ISQM 1.27) | Must reflect the firm's actual conditions, not a generic risk list |
| Monitoring focus | Whether the response is operating as designed (ISQM 1.40) | Whether risks have changed or new risks have emerged (ISQM 1.39) |
| Inspection finding pattern | Responses exist on paper but are not followed | Risks are listed generically without firm-specific analysis |

The distinction matters because inspectors assess the chain from objective to risk to response. A firm that documents 40 responses but only 15 quality risks has a broken chain. The excess responses are untraceable controls that add cost without satisfying ISQM 1.
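The two tests described above, that every response traces to a real risk and every risk has a response (the design chain), and that each response is monitored and actually followed (operating effectiveness, as in Step 4 of the worked example), can be run mechanically over a firm's risk and response register. The script below is an added illustration, not part of this article and not tooling from any firm or regulator. The register entries, the identifiers (R1, RESP-1 and so on), the constructed "QO-ENGAGEMENT-PERFORMANCE" label and the monitoring sample are all made up for the example; the 8-file sample with 2 missing sign-offs mirrors the Byrne & Associates figures above, and the orphaned "training policy" mirrors the generic-response pattern described under "Why it matters in practice".

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class QualityRisk:
    risk_id: str
    description: str
    objective: str          # the quality objective (QO) this risk threatens


@dataclass(frozen=True)
class QualityResponse:
    response_id: str
    description: str
    addresses: tuple        # risk_ids the response is designed to reduce


@dataclass(frozen=True)
class MonitoringResult:
    response_id: str
    sample_size: int        # files reviewed by the monitoring function
    exceptions: int         # files where the response was not followed


def check_design_chain(risks, responses):
    """Design test: a response pointing at no existing risk is an orphaned
    control; a risk with no response pointing at it is uncovered."""
    risk_ids = {r.risk_id for r in risks}
    orphaned = sorted(
        resp.response_id for resp in responses
        if not (set(resp.addresses) & risk_ids)   # nothing it cites exists
    )
    covered = {rid for resp in responses for rid in resp.addresses}
    uncovered = sorted(rid for rid in risk_ids if rid not in covered)
    return {"orphaned_responses": orphaned, "uncovered_risks": uncovered}


def check_operating_effectiveness(responses, results, tolerable_rate=0.0):
    """Operating test: every response must have been sampled, and the share of
    files where it was not followed must not exceed the tolerable rate."""
    sampled = {m.response_id for m in results if m.sample_size > 0}
    untested = sorted(r.response_id for r in responses if r.response_id not in sampled)
    not_operating = {}
    for m in results:
        if m.sample_size == 0:
            continue                                # counted as untested above
        rate = m.exceptions / m.sample_size
        if rate > tolerable_rate:
            not_operating[m.response_id] = round(rate, 2)
    return {"untested": untested, "not_operating": not_operating}


def assess(risks, responses, results, tolerable_rate=0.0):
    """Combine both tests; chain_intact is True only when nothing is flagged."""
    findings = {}
    findings.update(check_design_chain(risks, responses))
    findings.update(check_operating_effectiveness(responses, results, tolerable_rate))
    findings["chain_intact"] = not any(
        findings[k] for k in ("orphaned_responses", "uncovered_risks",
                               "untested", "not_operating")
    )
    return findings


# Constructed sample register; these are not a real firm's records.
RISKS = (
    QualityRisk("R1", "Clients accepted without adequate consideration of "
                      "competence and ethical requirements", "ISQM 1.30(a)"),
    QualityRisk("R2", "Continuing clients retained without annual reassessment",
                "ISQM 1.30(a)"),
    QualityRisk("R3", "Engagement files assembled after the archiving deadline",
                "QO-ENGAGEMENT-PERFORMANCE"),   # constructed label, not a paragraph reference
)

RESPONSES = (
    QualityResponse("RESP-1", "Two-stage acceptance form with managing partner sign-off", ("R1",)),
    QualityResponse("RESP-2", "Second partner review for high-risk clients", ("R1",)),
    QualityResponse("RESP-3", "Firm-wide training policy", ()),          # linked to no risk
    QualityResponse("RESP-4", "Archiving checklist", ("R9",)),           # cites a risk that does not exist
)

MONITORING = (
    MonitoringResult("RESP-1", sample_size=8, exceptions=2),   # two files missing sign-off
    MonitoringResult("RESP-2", sample_size=3, exceptions=0),
)


def example_findings(tolerable_rate=0.0):
    return assess(RISKS, RESPONSES, MONITORING, tolerable_rate)


if __name__ == "__main__":
    for key, value in example_findings().items():
        print(f"{key}: {value}")
```

Run as-is, the script reports RESP-3 and RESP-4 as orphaned, R2 and R3 as uncovered, RESP-3 and RESP-4 as never monitored, and RESP-1 as not operating at a 25% exception rate; only when all four lists are empty does it report the chain as intact. The tolerable rate is a parameter because the page does not state one; the firm decides what it will accept before sampling, not after.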

Frequently asked questions

How many quality responses does a small firm need?

There is no fixed number. ISQM 1.27 requires responses to be proportionate to the firm's nature and circumstances. A sole practitioner performing only compilation engagements will have fewer responses than a 50-person statutory audit practice. The test is whether every identified quality risk has at least one designed response that reduces it to an acceptable level, not whether the firm has reached a minimum count.

What happens if a quality response is not working?

ISQM 1.42 requires the firm to evaluate deficiencies identified through monitoring. If a response is not operating as designed, the firm must determine the root cause and take remedial action. If the deficiency is severe enough to indicate the system of quality management is not providing reasonable assurance, ISQM 1.54 requires the firm to communicate that conclusion to engagement partners affected by the deficiency and to take appropriate action on the affected engagements.

Do quality responses apply to non-audit engagements?

Yes. ISQM 1.3 applies to firms performing audits or reviews of financial statements, other assurance engagements, and related services engagements. The quality responses must cover all engagement types the firm performs, though the nature of responses for a compilation engagement will differ from those for a statutory audit.
