Date posted: 29/04/2022

Quality management

New standards bring a new risk-based approach to managing quality

In brief

  • Audit firms must design, implement and operate a system of quality management using a risk-based approach.
  • Firms are also required to establish a monitoring and remediation process.
  • Systems of quality management are required to be designed and implemented by 15 December 2022.

ASQM 1/PES 3 is part of the suite of new and revised audit quality management standards which also includes ASQM 2/PES 4 and ASA 220 (Revised)/ISA (NZ) 220 (Revised). It applies to all firms that perform audits or reviews of financial statements, other assurance engagements, or agreed-upon procedures engagements. It requires firms to design, implement and operate a system of quality management (SOQM) taking a risk-based approach. 

The standard splits the SOQM into six components: governance and leadership, relevant ethical requirements, acceptance and continuance of client relationships and specific engagements, engagement performance, resources, and information and communication. Firms are not required to organise their SOQM according to these components, a smaller firm may perform its risk assessment process holistically instead. 

The risk identification and assessment process

  1. Establish quality objectives. The standard sets out the quality objectives that all firms are required to have. In some cases (e.g., sole practitioners), some of the quality objectives may not be applicable. Firms can have additional quality objectives – but this is not expected to be common. 
  2. Identify and assess quality risks to the achievement of the quality objectives. The standard does not provide examples of quality risks, though it does provide a definition. The process focuses on understanding the various conditions, events, circumstances, actions or inactions related to the firm and its engagements that could adversely affect the achievement of the quality objectives.
  3. Design and implement responses to the assessed quality risks. There are very few specified responses required by the standard. Firms must design and implement their own additional policies/procedures/controls that are responsive to the quality risks in addition to those specified in the standard. Responses may address multiple quality risks. 

Firms must design and implement their SOQM by 15 December 2022. 

The monitoring and remediation process

Firms must establish a monitoring and remediation process, outlined below, to provide relevant, reliable, and timely information about the design, implementation and operation of the SOQM. This allows the firm to remediate deficiencies quickly and reduce the risk of undetected deficiencies. 

  1. Design and perform monitoring activities. Inspections of completed engagements are a monitoring activity required by the standard. The standard does not specify who is required to perform the monitoring activities and acknowledges that others external to the firm may perform some monitoring activities. There would likely be a mix of ongoing and periodic monitoring activities. 
  2. Evaluate findings and identify deficiencies and evaluate identified deficiencies. The standard includes a framework for evaluating findings to identify deficiencies, and then to further evaluate the severity and pervasiveness of the deficiencies. Findings are information which indicates that one or more deficiencies may exist. In determining whether deficiencies exist, firms consider whether a finding, or combination of findings, meet the definition of a deficiency. In order to evaluate the severity and pervasiveness of deficiencies, firms must investigate the root cause(s).
  3. Respond to identified deficiencies. Firm must remediate identified deficiencies in a timely manner to prevent them from reoccurring; evaluate the effectiveness of the remedial actions, and if they are not effective, take further action.
  4. Communicate. The standard includes minimum requirements of what needs to be communicated, including by whom, and to whom. In the case of a smaller firm, an individual may assume responsibility for all aspects of the SOQM. In such cases, this communication requirement would not be relevant.

Firms must evaluate their SOQM by 15 December 2023.

There are several streams of work underway to support local audit firms with implementation.

Related videos

IAASB: four-part webinar series

Watch here

Auditing and Assurance Standards Board (AUASB): awareness series

Watch here

NZAuASB explainer clips

Watch here 

IAASB Implementation Guides

ISQM 1, ISQM 2, and ISA 220


IFAC Knowledge Gateway

The International Federation of Accountants (IFAC) have a dedicated Quality Management webpage that features a collection of articles from their Supporting International Standards content series.

Find out more

More information

From the standard setters.


In-focus article

Evolving quality management in audit firms.

Read more

Join the discussion in the Audit & Assurance Community on My CA

Visit My CA

Search related topics