Monitoring processes ISQM (UK) 1
The FRC does not accept any liability to any party for any loss, damage or costs howsoever arising, whether directly or indirectly, whether in contract, tort or otherwise from any action or decision taken (or not taken) as a result of any person relying on or otherwise using this document or arising from any omission from it.
© The Financial Reporting Council Limited 2025 Financial Reporting Council 13th Floor 1 Harbour Exchange Square London E14 9GE
1. Introduction
Why are monitoring processes important in a System of Quality Management ("SoQM")?
Effective monitoring enables firms to identify, understand and address where they have weaknesses in their SoQM and enables continuous learning for ongoing quality management and iterative improvement. This is an area of regulatory focus, with findings identified across firms of varied sizes.
What does the standard say about monitoring processes?
ISQM (UK) 1 does not define what monitoring processes firms need, other than reviews of completed engagement files. Firms must design and perform monitoring activities to identify deficiencies. These should be based on the nature of their risks and responses, the results of previous monitoring activities, and the availability of other relevant information. Firms then need to assess the deficiencies identified and design and implement remediating actions to enable the continuous cycle of quality management. Firms must ensure the individuals performing monitoring activities have sufficient time, competence, and objectivity. Firms must also prepare documentation that evidences the monitoring activities performed and the outcomes.
Scope of this piece
Firms should consider the following monitoring processes:
- Iterative assessment of quality objectives to identify gaps.
- Iterative risk assessment to identify where to add or reassess risks.
- Assessment of the design and implementation of responses.
- Assessment of the operating effectiveness of responses.
- Monitoring other relevant information.
- Monitoring the effectiveness of previous remediating actions.
- Reviews of completed engagement files.
This piece will focus on the first six processes, as previous publications have covered reviews of completed files [1]. For each, we will highlight matters for consideration and share examples from firms, including on oversight and documentation of monitoring activities. These examples are illustrative; we would not expect one firm to incorporate all or for any example to be relevant to all firms. Different examples will be relevant to firms of different sizes, with different organisational structures, and with different audit portfolios.
The diagram illustrates the "Cycle for firms' operation of their SoQM". It is a continuous cycle with the following steps:
- Identify quality objectives, risks, and responses
- Operate responses to manage risks
- Perform monitoring processes to identify deficiencies (with an arrow pointing to this step indicating "Focus of this piece")
- Assess deficiencies and evaluate
- Design and implement remedial actions
Definition of a deficiency per the standard
What is a deficiency?
- A missing quality objective
- A missing or inappropriately assessed quality risk
- A response/s is not properly designed, implemented or operating effectively to mitigate quality risks
- An SoQM aspect/s is not designed, implemented or operating effectively to support the firm's overall objectives.
2. Considerations and examples
Iterative assessment of quality objectives and risks
Firms must regularly revisit their assessments, considering changes in their circumstances and audit portfolio, and the outcomes of recent monitoring. When identifying changes, firms should consider if the changes are driven by prospective changes in their facts and circumstances or if these identify anything previously omitted or not appropriately assessed. Effective monitoring will be different for firms of different sizes, with examples including:
- Identifying a range of internal and external sources of information to consider when revisiting the risk assessment
- Requiring regular reporting from those responsible for business processes on whether they have identified any new quality risks
- Involving multiple layers of management, leadership and governance to ensure a range of perspectives
- Reviewing the root causes for deficiencies, audit findings, and ethics breaches to see where risks should be added/updated
- Assessing pending changes to objectives and risks to consider if any should have been included as at the evaluation date
Assessment of the design and implementation of responses
Firms must monitor if all quality risks are sufficiently mitigated by responses, individually or in combination, to identify gaps in responses. This requires understanding why risks could occur and how the responses would prevent or detect this on a timely basis. Effective monitoring will be different for firms of different sizes, with examples including:
- Establishing templates and methodology, potentially using those from design and implementation testing of internal controls
- Breaking down risks into what could go wrong, to map these to responses to check the full risk is addressed by the responses
- Walkthroughs to show how responses work together to mitigate risks and to check responses are implemented as designed
- Per response, identifying the IT systems, reports, inputs, and other responses relied upon to check their reliability was also assessed
- Per risk, identifying the key response/s that can sufficiently mitigate the risk, to focus the scope of monitoring
- Detailed descriptions of how each response should be performed to capture the steps that mitigate risk
- Categorising responses as policies, systems, processes, or controls to assess the combination per risk
- For responses that include management reviews, assessing the process, purpose, detail and inputs for these reviews
- Where changes or additions to responses are pending, considering if there was a gap as at the evaluation date
Assessment of the operating effectiveness of responses
Firms must monitor if responses consistently operate as designed to have the intended impact. This can include observing the operation of responses, testing a sample through inspection or reperformance, or targeted review of whether the responses have the desired outcomes. This monitoring should be documented to provide assurance over the operation of responses to those with operational and ultimate responsibility for the SoQM. The nature and extent of monitoring of responses should reflect the nature and significance of the response, the complexity and formality of the firm's SoQM, and whether those with operational and ultimate responsibility are involved in the response activities. Effective monitoring will be different for firms of different sizes, with examples including:
- Establishing a team to monitor responses who are separate from those operating the responses
- Establishing templates and methodology, potentially using those from the audit of internal controls
- Linking design assessments to monitoring to ensure, for each response, the testing covers the key steps required for risk mitigation
- Using reporting by business area leads on weaknesses in responses, to scope and target central monitoring
- Identifying responses that monitor other responses so reliance can be placed on higher level monitoring
- Evidencing how responses were assessed as operating robustly, especially where they include reviews by senior individuals
- Where responses occur through meetings, ensuring sufficient notes or minutes to show the operation of all aspects of the responses
- Where a response includes follow-up of exceptions, evidencing the monitoring of this follow-up
- Using staff surveys or file reviews to assess the impact of responses, where there is limited direct evidence of operation
- Evidencing how each exception was assessed to conclude whether it indicates an ineffective response
Monitoring other relevant information
Firms must identify and monitor other relevant information for insight into the extent to which their risks are mitigated. The standard suggests complaints/allegations, non-compliance with internal policies, information from service providers, and external inspections of audit files/the SoQM, and expects firms to identify other information relevant for them. This could include internal audit reports, staff surveys, speak-up reports, ethics breaches, trends in prior year adjustments, internal reviews of completed audit files, common root causes of audit findings and ethics breaches, progress on quality initiatives, and internal firm metrics. Effective monitoring will be different for firms of different sizes, with examples including:
- Upfront identification of relevant sources of information to support consistent consideration
- Mapping each source to the relevant objectives, risks, and responses and then assessing impact at an objective level
- Identifying responses that are evidenced on audit files, e.g. use of templates, and how cold file reviews provide insight on these
- Building consideration of risks and responses into RCA and linking causal factors to quality risks
- Evidencing assessment of each internal audit report that covers areas relevant to the SoQM
- Mapping quality initiatives and actions to the SoQM to assess the impact of delays and open actions
- Assessing what period sources of information relate to so as to rank their relevance
- Evidencing the judgements made to assess each source and if it indicated a deficiency
Monitoring the effectiveness of previous remediating actions
Firms must monitor the effectiveness of remediating actions to assess whether findings and deficiencies recur and if their monitoring and remediation processes are operating effectively to drive improvements. Effective monitoring will be different for firms of different sizes, with examples including:
- Planning effectiveness measures in the design of remedial actions to plan measurable outcomes
- Identifying short-, medium- and long-term effectiveness measures to monitor progress
- Using indirect measures, e.g., feedback or analysing consultations, for partial assurance
- When issuing guidance or training, tracking attendance and engagement
- Performing additional direct testing, e.g., reviews of audit files, to check the operation of actions
- Performing phased testing to allow assessment of the impact of actions taken during the cycle
- Including remediating actions within SoQM responses to include in existing monitoring processes
- Measuring past effectiveness of action types to assess which seem effective in varying circumstances

[1] https://www.frc.org.uk/documents/380/Audit Quality Thematic Review Engagement Quality Control Reviews.pdf