Key Points

  • A quality risk is not a deficiency. It's a condition or circumstance that could prevent a QO from being met.
  • Firms must assess quality risks by considering both the likelihood of the risk occurring and the severity of its effect on QOs.
  • The FRC's 2025 annual review found a persistent gap between larger and smaller firms in implementing quality management systems, with monitoring processes flagged most often.
  • Each identified quality risk must have at least one documented response that is proportionate to the assessed risk.

What are quality risks?

Most firms we've seen copied a Big 4 quality risk register in late 2022 and haven't touched it since. The register sits in a shared drive, and nobody can explain how the listed risks connect to the firm's actual clients or staffing. That disconnect is exactly the problem ISQM 1 was designed to fix.

A quality risk, per ISQM 1.16(r), is a condition or circumstance that could prevent a quality objective from being achieved. ISQM 1.25 requires the firm to identify and assess these risks so they provide a reasonable basis for designing responses. The identification starts with the firm's quality objectives (QOs). For each QO, the firm considers what could go wrong given its own size, client base, organisational structure, and the types of engagements it performs.

The assessment step is where smaller firms often stumble. ISQM 1.26 requires the firm to assess each quality risk by considering how and to what degree conditions could adversely affect the QO. A ten-partner, four-office firm faces different quality risks from a sole practitioner. The standard doesn't prescribe a scoring matrix or a red-amber-green grid; it requires the firm to exercise judgment and to document that judgment. This isn't ticking and bashing. ISA 220.22 then connects the firm-level quality risk assessment to the engagement level, because the engagement partner must determine whether the firm's quality responses are appropriate for the specific engagement.

Worked example: Rossi Alimentari S.p.A.

Rossi Alimentari S.p.A. is an Italian food production company, FY2025, revenue EUR 67M, IFRS reporter. The audit firm is a mid-sized Italian practice with 14 partners across two offices (Milan and Bologna). The firm is conducting its annual evaluation of its system of quality management under ISQM 1.48.

Step 1 — Identify QOs relevant to the engagement

For this example, the relevant QO falls under ISQM 1.24(b): "personnel comply with relevant ethical requirements, including those related to independence." Rossi Alimentari is a significant client representing 8% of the Milan office's fee income.

Step 2 — Identify quality risks

Two quality risks attach to this objective. First, a self-interest threat arising from the fee concentration (the Milan office may be reluctant to challenge management on contentious positions because losing the client would materially affect office revenue). Second, a familiarity threat because the EP has served the client for four consecutive years.

Step 3 — Assess each quality risk

The firm assesses the self-interest threat as high severity and moderate likelihood (Rossi is a profitable client, but the firm has not historically lost clients over audit disagreements). The familiarity threat is assessed as moderate severity and increasing likelihood (year four of five before mandatory rotation under local rules).

Step 4 — Design responses

For the self-interest threat, the firm assigns the engagement quality review (EQR) to a Bologna-based partner with no prior involvement. For the familiarity threat, the firm implements a pre-issuance consultation requirement on all significant judgments for the final year of the EP's tenure.

The Rossi quality risk assessment is defensible because each risk ties to a documented condition and carries a reasoned severity and likelihood assessment. Each also triggers a specific response proportionate to the assessed level.

Why it matters in practice

  • The FRC's 2025 annual review of audit quality found that firms outside the largest tier struggled most with monitoring and remediation processes within their systems of quality management. A recurring observation was that firms identified quality risks at a generic level rather than tailoring the risk identification to their own circumstances. That's frustrating, because the whole point of replacing ISQC 1 was to move away from one-size-fits-all checklists.
  • We've seen this on about half the engagements we review: teams treat the quality risk assessment as a one-time exercise completed at ISQM 1 adoption in December 2022, then left unchanged. ISQM 1.54 requires the firm to monitor its system on an ongoing basis and ISQM 1.56 requires remediation when deficiencies are identified.

Quality risks vs. quality objectives

| Dimension | Quality risks | Quality objectives |
|---|---|---|
| Definition | Conditions or circumstances that could prevent an objective from being achieved (ISQM 1.16(r)) | The desired outcomes the firm's system of quality management is designed to achieve (ISQM 1.16(q)) |
| Direction | Look at what could go wrong | State what should go right |
| Prescribed by standard | Not prescribed; the firm must identify its own based on its circumstances | Eight components with prescribed objectives in ISQM 1.24, plus firm-specified additional objectives |
| Assessment required | Yes; severity and likelihood must be assessed per ISQM 1.25 | No assessment of objectives; they are the fixed reference points against which risks are measured |
| Triggers a response | Each quality risk must have at least one designed response under ISQM 1.26 | Objectives do not directly trigger responses; they trigger risk identification |

The distinction matters because firms that skip the risk identification step and jump straight from objectives to responses produce a checklist-based system rather than a risk-based one. ISQM 1 was designed to replace the prescriptive approach of the former ISQC 1 with a system that adapts to each firm's circumstances. Conflating objectives with risks undermines that design.

Frequently asked questions

How do I document quality risks for a small audit firm?

Scale the documentation to the firm's size, but don't skip it. ISQM 1.A4 acknowledges that less complex firms may document their system of quality management in a less formalised way. Record each QO, the risks you identified against it, your assessment of severity and likelihood, and the response you designed. A single spreadsheet with those four columns satisfies the requirement if it reflects genuine judgment rather than copied templates.

Do quality risks change from year to year?

Yes. ISQM 1.54 requires the firm to design and perform monitoring activities on an ongoing basis. New clients, staff turnover, changes in the firm's service lines, and external events (such as a new regulatory requirement) all alter the firm's risk profile. The annual evaluation under ISQM 1.48 must consider whether previously identified quality risks remain current and whether new risks have emerged.

What happens if a quality risk has no documented response?

An unaddressed quality risk is a deficiency in the system of quality management under ISQM 1.39. The firm must evaluate the severity and pervasiveness of the deficiency per ISQM 1.42 and take remedial action. If the unaddressed risk relates to a QO concerning ethical requirements or engagement performance, the deficiency may affect the firm's overall evaluation of whether the system provides reasonable assurance under ISQM 1.53.
