
SQMS 1: Finalizing your Risk Assessment

  • Mar 4

SQMS 1 has been on the radar of firms for quite some time now. Following its December 2025 implementation date, firms that have not yet put a system of quality management (SOQM) in place are moving fast to complete its first key element: the risk assessment.


On this journey firms are quickly realizing that, far from simply rolling over existing policies and procedures, SQMS 1 (Statement on Quality Management Standards No. 1) requires them to consider how they run the firm and to ensure that quality is built into every area of how they deliver engagements.


In this short blog I share some areas that have come up in discussions with firms as they go on their quality journey and complete their risk assessment.


Risk Assessment Process

The risk assessment process is one of the core components of SQMS 1. Without it, you cannot define and design a system that genuinely supports your firm's quality objectives.

The process starts with understanding your firm’s nature and circumstances — size, structure, types of engagements, client base, and the regulatory environment are key factors that impact your quality objectives and define the types of quality risks and responses you will have.


By considering the impact your firm's nature and circumstances have on the quality objectives, you can then document the quality risks that may threaten the achievement of those objectives.


Once the risks are identified, you develop tailored responses that address them.


Quality Objectives

Where do I find the Quality Objectives?

SQMS 1 contains a number of "expected" objectives across the six components of the standard for which quality objectives are specified (remember there are eight components in total, including the Risk Assessment Process and the Monitoring and Remediation Process). Each component has objectives the firm needs to consider in the context of its own circumstances.


Two simple questions tend to come up for firms on objectives:


Do I need to include all the “expected” objectives?

The standard states that the "firm should establish the quality objectives specified by this SQMS and any additional quality objectives considered necessary by the firm". On review of the objectives, where a firm performs audit and attest services, all of the specified objectives would normally apply.

 

Let's take this further. Under Relevant Ethical Requirements, the second objective covers "others, including the network, network firms,……service providers".

 

But my firm is not part of a network and doesn't use service providers, so is this still a quality objective for me?

 

The quick answer is yes. Service providers, and the relevant ethical requirements that apply to them, cover the work of an expert, and most firms would be expected to have a response in place for this scenario.

 

Obviously every firm must take its own view on the objectives. As an example (and an exceptional scenario), a firm that only provides a narrow attest service line, with no financial statement audits, may deem some objectives not to pertain to its service delivery. However, we see even these firms including those objectives in their risk assessment and identifying that the related risks are not quality risks (more on this later).


Do you need to add more quality objectives?

The standard says firms should establish any additional quality objectives considered necessary by the firm, but there is no requirement to have firm-defined quality objectives. However, I have seen them added in cases including:


  • Larger firms with multiple office locations setting quality objectives for their risk assessment and monitoring and remediation processes to ensure consistency of approach across offices;

  • Larger firms that undertake more complicated audit or attest work, or work with additional reporting requirements, setting quality objectives around those additional areas; and

  • Firms that are part of networks incorporating their network's additional quality objectives within their risk assessment.

 

 

Quality Risks

I have a comprehensive suite of responses already, so I don’t have quality risks!

Firms need to define their own quality risks, and none are included in SQMS 1, so identifying risks can be difficult. Why? Simply because you already have the policies and procedures in place, either because they were best practice or because they were required under other standards.

Here are a few tips to help in considering quality risks:


Quality Risks are defined before you consider the policies in place.

It is important to remember that a quality risk assessment is based on pre-mitigation risk scoring, so if you are thinking:

 

 “We don’t have any quality risks because we have best in class policies”,

 

you need to think,

 

“If we didn’t have these policies what would be the risk for our firm in achieving these quality objectives”. 

 

I would also suggest that firms use this as a genuine exercise to consider whether there are gaps (and every firm is very likely to have some) between the risks and the existing policies that are meant to address them.


Scoring helps

SQMS 1 provides guidance on identifying quality risks and confirms that not all risks will be deemed quality risks, but it neither mandates nor precludes the use of a formal rating system.

 

However, we see most firms adopting a rating system for a number of reasons, including:

  • Consistency of application and identification of quality risks;

  • Evidence of the evaluation and rationale;

  • Alignment with other existing risk assessments and risk scoring approaches to improve internal reporting and understanding; and

  • Evidence of changes in the risk profiles. 

 

Why you will eventually have non-quality risks you want to track and manage

SQMS 1 specifically calls out the need to identify quality risks, but it also emphasises the need for firms to have policies and procedures to identify additional quality objectives, quality risks or responses, or to modify existing risks or responses, as a result of changes in the nature and circumstances of the firm.


This is a key driver of why firms will have non-quality risks in the future, for example:


  • Where a firm makes a strategic decision to enter a new market, this may give rise to required changes. Capturing the new objective and related risk as a non-quality risk at the point of the decision means the system is ready to switch on when the new market engagements commence.

  • Similarly, exiting a market may result in a quality risk no longer being a quality risk, but the firm needs to keep tracking the previous quality risk for future external reporting and reviews.

  • A quality risk may have been identified because of a finding from a previous external review. Even though a number of review cycles have since been completed, the firm may decide to track and consider this now non-quality risk on an ongoing basis.

Therefore, capturing and reporting non-quality risks provides evidence of the past or preparation for the future.


Responses

Responses – Documented or undocumented, what do I need?

At a minimum, all responses must be captured as part of the risk assessment. In a smaller firm that may mean capturing the agreed approach, actions and outputs, even though the procedure remains "undocumented" in any other form.

A simple example may be a weekly management meeting that occurs but is not subject to a formal policy document. 


However, remember that one of the key requirements under monitoring and remediation will be the ability to confirm the operation of the response, and therefore to confirm that the response mitigated the risk such that the quality objective could be achieved.

 

Evidence of the operation of the responses will be key and must be available to facilitate your monitoring. So for our weekly meeting, summarizing discussions or actions via email, a tracker or some other mechanism will be required.

 

How many responses am I required to have?

Firstly, the responses specified in the standard will not by themselves be sufficient to operate a system of quality management under SQMS 1, and neither would policies focused solely on the old SQCS 8 requirements.


Your system of quality management covers a broader scope. You may already have some, or the vast majority, of the responses you need, but you will need new ones.


It is worth noting, though, that for these new responses there is a risk in using boilerplate templates.

Any response must be supported with relevant evidence for monitoring purposes that demonstrates the policy is operating. If the policy is not operated, the questions around operational effectiveness and the likelihood of the risk occurring immediately become more important.


Therefore think:


“If I say I should do it (in my risk assessment response) then it is important that I actually do it”.

 
 