Practical guidance on risk assessments under ISQM (UK) 1
The Financial Reporting Council (FRC) has published a short report highlighting what’s working well, and where firms are facing challenges, when carrying out risk assessments as part of their System of Quality Management (SoQM). Drawing on inspection findings and supervisory experience, it shares practical examples of good practice, common pitfalls and actions firms can take to strengthen their approach.
The shift to a more proactive, iterative model
ISQM (UK) 1 requires firms to move beyond a compliance-based approach and adopt a more dynamic, tailored model of quality management. Rather than treating risk assessment as a one-off exercise, firms should identify quality objectives, assess risks to those objectives and design responses that are proportionate to their specific circumstances.
This isn’t a one-off exercise. It's part of a continuous cycle incorporating monitoring, evaluation and remediation. The results should then feed back into the process.
The FRC report emphasises that the effectiveness of an SoQM depends heavily on the quality of the underlying risk assessment. It shapes how firms design controls, allocate resources and monitor outcomes, making it a key focus during monitoring visits.
Tailor risks to your firm
Every firm’s risk assessment should reflect its own circumstances. ISQM (UK) 1 requires firms to consider a range of factors when identifying risks, including their business model, strategy, operating environment, available resources and the types of work they carry out.
In practice, firms use information from a variety of sources to help identify, assess and respond to those risks, such as:
- Engagement with partners and staff.
- Horizon scanning for emerging risks, including technological developments.
- Identified ethics breaches and regulatory feedback.
- Inspection findings and root cause analysis.
Using the right information helps firms identify the real risks they face, rather than generic or theoretical risks that may not be relevant. The report notes that recurring issues often come from firms relying on ‘boilerplate’ risks that aren’t tailored to their own specific circumstances.
Getting the right level of detail
The report also highlights the importance of determining an appropriate level of granularity when identifying risks. ISQM (UK) 1 doesn’t prescribe how detailed risk identification should be and leaves firms to exercise judgement.
The challenge firms face is striking the right balance. The standard recognises that the level of detail and documentation required of a small, less complex practice will vary significantly to that of a large, multi-office firm.
Detailed risk assessments can improve focus, support targeted responses and enhance the analysis of how controls mitigate risks. However, they can also become overly complex and make it harder to identify the issues that matter most.
Conversely, broader risks may simplify the system and reduce complexity. However, pitching the record at too high a level will make it difficult to understand which quality responses will sufficiently and appropriately address the risks arising.
A continuous and responsive process
The risk assessment process under ISQM (UK) 1 shouldn’t stand still. Firms should revisit their assessments at least annually and update them whenever circumstances change or when monitoring arrangements indicate that the existing assessments are no longer accurate or effective.
Larger firms often adopt more frequent and formal monitoring and evaluation processes, while smaller firms may rely more on ongoing, informal mechanisms supported by regular face-to-face engagement. The FRC highlights the importance of embedding risk awareness into day-to-day activities across the board, rather than relying solely on periodic reviews.
Using risk frameworks effectively
Many firms use structured frameworks to rate risks based on impact and likelihood. These ratings help determine the nature and extent of responses, including the level of monitoring required. The FRC observes that effective frameworks clearly define thresholds, use both qualitative and quantitative considerations, and distinguish between gross and net risk assessments.
In contrast, common weaknesses include unclear methodologies, limited evidence supporting risk ratings, and failing to use monitoring outcomes to reassess risks. Firms may overlook how findings from SoQM monitoring should inform their assessment of risk likelihood.
Strengthening governance and oversight
Leadership plays a critical role in effective risk assessment. The report stresses that those with operational and ultimate responsibility for the SoQM should be actively engaged in identifying, reviewing and challenging risks.
Actual approaches will vary depending on firm size and complexity. Smaller firms may rely on informal discussions and periodic approval, while larger firms tend to implement more structured governance arrangements, including formal reporting, documented challenge and multi-level approval processes.
Whatever the firm’s size, leadership should actively challenge risk assessments rather than simply relying on “boilerplate” sign-off.
Common pitfalls and regulatory focus
The FRC report notes a number of recurring shortcomings, including:
- Failure to tailor risks to the firm’s specific circumstances.
- Inadequate updating of risk assessments.
- Weak linkage between root cause analysis, monitoring and risk identification.
- Insufficient documentation and evidence supporting judgements.
These issues underline the need for firms to treat risk assessment as a critical, integrated component of their SoQM, rather than just a compliance exercise.
Looking ahead
The report reinforces that effective risk assessment is central to the success of ISQM (UK) 1. Reviewing the SoQM and risk assessment process is a core part of a monitoring visit. Firms should be ready to demonstrate that their processes are proportionate, tailored and responsive to change.
The practical insights and examples provide a useful benchmark for assessing your firm’s current approach. The report reinforces the general expectation from ISQM (UK) 1 that firms embed a culture of continuous improvement, placing the risk assessment process firmly at the heart of a firms audit quality journey.
Read the reportCategories:
- Audit and assurance
- Audit News




