Coraa
Start Trial
Quality Management

EQCM Review Procedures: NFRA-Defensible Documentation [2026]

Master EQCM procedures to pass NFRA inspection. Learn ISA 220 requirements, red flag identification, reviewer independence, and how to document quality reviews auditors respect.

C
CORAA Team
24 March 2026 14 min

EQCM Review Procedures: NFRA-Defensible Documentation [2026]

Published: March 24, 2026 | Category: Quality Management | Read Time: 14 minutes | Author: CORAA Team

Introduction

EQCM (Engagement Quality Control Measures) is where audits are defended—or failed.

NFRA 2024-25 inspection reports show: ~25% of firms have EQCM gaps. Common findings:

  • "EQCM review performed but documentation insufficient"
  • "Reviewer independence questionable (partner reviewed own work)"
  • "Review focused on compliance, not substantive audit quality"
  • "High-risk issues not escalated to EQCM reviewer"

Yet many Indian CA firms struggle with EQCM. Why? Because ISA 220 (now SQM1 in India) gives principles but not specifics. Firms don't know what NFRA considers "adequate" EQCM.

This guide provides specific, NFRA-defensible EQCM procedures. We cover:

  • ISA 220 requirements adapted for India
  • 5-step EQCM review procedure (with time estimates)
  • High-risk areas requiring escalation
  • Common NFRA findings and how to avoid them
  • Real case studies of firms that improved EQCM → eliminated NFRA findings

Table of Contents

  1. EQCM Under ISA 220
  2. Key Risk Areas
  3. 5-Step EQCM Procedure
  4. NFRA-Defensible Documentation
  5. Common NFRA Findings
  6. Real Results
  7. Common Questions
  8. Conclusion

EQCM Under ISA 220

What is EQCM?

EQCM is an independent, substantive review of an engagement before release to the client. The objective: ensure the audit meets quality standards and audit evidence supports the audit opinion.

Key principle: The EQCM reviewer is NOT the engagement partner. Independence is critical.

ISA 220 Requirements (Adapted for India)

Requirement 1: Reviewer Selection

  • Reviewer must have sufficient expertise (usually a senior partner)
  • Reviewer must be independent of the engagement (not on the team)
  • Reviewer must have adequate time (not rubber-stamping)

Requirement 2: Timing

  • Review must occur BEFORE audit completion (not after)
  • Review must cover key issues (not just signing checklist)
  • Reviewer must have authority to prevent engagement release if issues not resolved

Requirement 3: Scope

  • Review key audit matters (revenue, fraud risk, significant estimates)
  • Review high-risk assessments (complex transactions, estimates, related parties)
  • Review concluding procedures (materiality, subsequent events, going concern)

Requirement 4: Documentation

  • Document issues identified
  • Document how issues were resolved
  • Document reviewer's conclusion (audit meets quality standards or issues remain)

Key Risk Areas Requiring EQCM Focus

Area 1: Revenue Recognition (Ind AS 115)

Why high-risk: 67% of NFRA findings involve revenue; complexity creates opportunity for aggressive accounting

EQCM review focus:

  • Contract identification: Were all material contracts identified?
  • Performance obligations: Were obligations properly identified and segregated?
  • Revenue timing: Were period-end entries properly cut-off?
  • Variable considerations: Were returns/rebates/discounts properly estimated?

Red flags requiring escalation:

  • Period-end revenue adjustments (>5% of revenue or >2% of profit)
  • Unusual contracts (bundled products, extended payment terms)
  • Significant estimates (warranty, allowances based on estimates)

Area 2: Management Override of Controls

Why high-risk: Highest-risk fraud category; auditor can't rely on internal controls

EQCM review focus:

  • Manual journal entries: Were unusual entries reviewed?
  • Related-party transactions: Were terms verified as arm's length?
  • Accounting estimates: Were estimates challenged and verified?

Red flags requiring escalation:

  • Manual entries by CFO/senior mgmt (30+% of manual entries)
  • Related-party transactions (>5% of total transactions)
  • Aggressive accounting estimates (variance >15% from historical)

Area 3: Fraud Risk Assessment

Why high-risk: SA 240 requires specific fraud risk procedures; weak procedures = NFRA finding

EQCM review focus:

  • Risk identification: Were fraud risks specific to entity identified (or boilerplate)?
  • Risk response procedures: For identified risks, were procedures designed and executed?
  • Exception investigation: Were exceptions properly investigated?

Red flags requiring escalation:

  • Boilerplate fraud risk assessment (same as all other clients)
  • No fraud testing procedures documented
  • Exceptions not investigated

Area 4: Significant Estimates (Ind AS, Fair Values, Useful Lives)

Why high-risk: Estimates offer opportunity for earnings management; require management assumptions

EQCM review focus:

  • Estimate methodology: Is approach sound and supported by data?
  • Estimate basis: Is estimate backed by historical data, market data, or expert judgment?
  • Estimate variance: How does estimate compare to prior years? Is variance explained?

Red flags requiring escalation:

  • Estimate change >10-15% from prior years (unexplained)
  • Estimate methodology changed (without documented rationale)
  • Estimate not supported by data (appears to be "plugged" to achieve target")

5-Step EQCM Review Procedure

Step 1: Pre-Review Planning (Time: 30 min)

Objective: Reviewer understands engagement before diving into documentation review

Activities:

  1. Review engagement risk assessment (what are key risks identified?)
  2. Review materiality and performance materiality (what's material?)
  3. Review key dates (audit start/completion, management review dates)
  4. Review engagement timeline (were procedures completed on schedule?)
  5. Identify high-risk areas requiring deep review

Output: Reviewer knows what to focus on

Step 2: Scope Review (Time: 30 min)

Objective: Verify scope of audit procedures is adequate

Activities:

  1. Revenue: Verify 100% of revenue >materiality threshold tested; cut-off procedures documented
  2. Fraud: Verify fraud risk assessment completed; high-risk entries tested
  3. Related parties: Verify all RP transactions identified; pricing verified as arm's length
  4. Estimates: Verify significant estimates challenged and supported
  5. Subsequent events: Verify procedures through to audit completion date

Red flags: Gaps in scope, untested high-risk areas, incomplete procedures

Output: Scope confirmed adequate or issues noted

Step 3: Key Issues Review (Time: 60-90 min)

Objective: Review documentation on key issues; ensure audit evidence supports conclusions

Activities:

  1. For each key issue identified in planning (usually 3-5):

    • Review audit documentation (work papers, testing performed, exceptions)
    • Review evidence (contracts, invoices, approvals)
    • Assess: Is audit evidence sufficient to support audit conclusion?

  2. For unusual or complex issues:

    • Review accounting treatment (compared to Ind AS, prior year practices)
    • Review management justification (is it sound? supported by data?)
    • Assess: Would another auditor reach same conclusion?

  3. For exceptions identified:

    • Review investigation (what was the issue? how was it resolved?)
    • Assess: Did auditor investigate adequately? Is issue resolved?

Red flags:

  • Weak evidence (entry exists but supporting documents missing/insufficient)
  • Unresolved exceptions (issue identified but not resolved)
  • Aggressive accounting (treatment questionable given facts)

Output: Key issues documented; evidence reviewed; conclusions supported

Step 4: Materiality & Adjustments Review (Time: 30 min)

Objective: Verify materiality calculations and evaluate unadjusted differences

Activities:

  1. Materiality recap:

    • Review overall materiality (✓ reasonable?)
    • Review performance materiality (✓ at appropriate %)
    • Review specific materiality items (if any)

  2. Unadjusted differences:

    • Obtain list of all identified but unadjusted items
    • Review each item (error or estimation difference?)
    • Assess: Individually or in aggregate, would differences change audit opinion?

  3. Evaluate qualitative factors:

    • Are differences in aggressive direction (revenue up, expenses down)?
    • Do differences affect key metrics (profit margins, covenants)?
    • Would differences be important to users?

Output: Materiality and adjustments reviewed; no material unadjusted differences

Step 5: Conclusion & Sign-off (Time: 15 min)

Objective: Reviewer documents conclusion; either approves release or escalates issues

Activities:

  1. Document conclusion:

    • "EQCM review completed. All key areas reviewed. No material issues outstanding. Engagement meets quality standards."

    OR

    • "EQCM review completed. Issues identified [list]: [resolution required before release]"

  2. If issues remain:

    • Document specific issues and resolution required
    • Communicate to engagement partner; require remediation before release

  3. Sign and date EQCM memo

  4. Attach to engagement documentation

Output: EQCM memo with reviewer sign-off; authorization to release or hold for remediation

NFRA-Defensible Documentation

What NFRA Expects to See

When NFRA inspectors review your engagement, they look for EQCM evidence:

1. EQCM memo: One-page summary documenting review, issues, resolution, sign-off

2. Review timing: Evidence review occurred BEFORE audit release (review date should be same day as audit release or 1-2 days before)

3. Reviewer independence: Reviewer is not the engagement partner (different person, ideally senior partner)

4. Issue identification: If any issues identified, documentation showing how they were resolved

5. Concluding statement: Reviewer's explicit conclusion: "Audit meets quality standards" or "Issues require remediation"

EQCM Memo Template

ENGAGEMENT QUALITY CONTROL MEASURE (EQCM) MEMO

Engagement: [Client Name], Audit Period [Y/E Date]
Engagement Partner: [Partner Name]
EQCM Reviewer: [Reviewer Name - Different from EP]
Review Date: [Date - before audit release]

Key Areas Reviewed:
1. Revenue (Ind AS 115): [Summary - adequately tested]
2. Fraud Risk (SA 240): [Summary - procedures executed]
3. Management Override: [Summary - JE testing complete]
4. Materiality & Adjustments: [Summary - no material unadjusted differences]
5. Estimate Review: [Summary - estimates reasonable]

Issues Identified:
[List any issues found during review; how resolved]

EQCM Conclusion:
Audit documentation reviewed. Key areas adequately covered. Audit evidence supports audit opinion. Engagement meets quality standards and ISA 220 requirements.

✓ EQCM Approval: [Reviewer signature, date]

[Attached to Final Audit File]

Common NFRA Findings on EQCM

Finding 1: "EQCM review not performed"

Issue: No EQCM memo in file; or EQCM performed but not documented

Prevention: Document EQCM in every engagement (non-negotiable)

Finding 2: "Reviewer independence questionable"

Issue: Engagement partner reviewed own work; "independent" reviewer was team member

Prevention: EQCM reviewer must be independent partner not on engagement team

Finding 3: "EQCM review performed but coverage insufficient"

Issue: EQCM memo exists but only rubber-stamps approach; doesn't address high-risk areas

Prevention: EQCM must include substantive review of key issues (revenue, fraud risk, estimates)

Finding 4: "Issues identified but not resolved before release"

Issue: EQCM identified audit gaps; engagement released without addressing them

Prevention: EQCM reviewer has authority to prevent release until issues resolved

Real Results: Before & After EQCM Implementation

Firm Profile

12-partner mid-size firm, 50 audits annually.

Before (2024): Weak EQCM

EQCM process:

  • Engagement partner performed own review (minimal independence)
  • EQCM memo was 1 paragraph (checklist-style)
  • Review focused on compliance, not substance
  • Average time per EQCM: 15 minutes

NFRA findings (2024-25): 3 audits flagged for EQCM weaknesses

  • "EQCM documentation insufficient"
  • "Reviewer independence questionable"
  • "High-risk issues not escalated"

After (2025-26): Strong EQCM

EQCM process implemented:

  • Senior partner (not on engagement) performs EQCM
  • Substantive review: revenue, fraud risk, estimates, adjustments
  • EQCM memo: 1-2 pages with specific findings/conclusions
  • Average time per EQCM: 90-120 minutes

Training: All partners trained on new EQCM procedures

NFRA findings (2025-26): 0 audits flagged for EQCM weaknesses

  • Inspectors noted: "EQCM documentation demonstrates substantive review and independence"

Impact:

  • Audit quality improved (issues caught before release)
  • NFRA confidence improved (zero EQCM-related findings)
  • Firm reputation improved (clients see rigorous quality control)

Common Questions

Q1: Who should be EQCM reviewer?

A: Usually the most senior partner not on the engagement team. For small firms (solo/2 partners), consider:

  • External EQCM reviewer (another firm's partner)
  • Retired partner/senior associate providing EQCM services

Key: Independence from engagement is critical.

Q2: How much time should I budget for EQCM?

A:

  • Small audits (₹5-10L fees): 60-90 minutes
  • Medium audits (₹10-30L fees): 90-120 minutes
  • Large/complex audits (₹50L+ fees): 120-180 minutes

Budget as % of audit hours: 5-8% (so if audit is 100 hours, EQCM is 5-8 hours)

Q3: What if EQCM reviewer and engagement partner disagree?

A: EQCM reviewer has authority. If reviewer says "Issue not resolved; don't release," audit cannot be released.

Resolution: Issue is escalated to engagement partner and EQCM reviewer for discussion. Either:

  • Engagement partner agrees and remedies issue, or
  • EQCM reviewer escalates to firm quality leader; matter resolved at firm level

Q4: Should I have separate EQCM for larger audits?

A: Yes. For audits >₹50L, consider two-level review:

  • Engagement EQCM: Senior manager reviews substantive procedures
  • Firm EQCM: Partner reviews key issues and EQCM conclusion

This provides additional quality gate for largest/most complex audits.

Conclusion

5 Key Takeaways

  1. EQCM is non-negotiable. ISA 220 requires it; NFRA expects it; firms without robust EQCM consistently fail inspection.

  2. Independence is critical. The reviewer must not be the engagement partner. External reviewer is acceptable for small firms.

  3. Substance matters, not compliance. NFRA doesn't want checklists; they want evidence of substantive review of key issues.

  4. Document everything. EQCM memo should specifically address high-risk areas and explain how issues were resolved.

  5. Escalate high-risk issues. EQCM reviewer must have authority to prevent release if material issues unresolved.

Ready to strengthen your EQCM?

  1. Start Free Trial: Sign up here
  2. Book a Demo: See CORAA's EQCM Review tools
  3. Read More: SQM1 Implementation Roadmap

Related Articles

About CORAA

CORAA helps audit firms implement robust EQCM and quality management procedures. Document your quality reviews, prevent NFRA findings, and build audit quality that stands up to inspection.

Learn more: Visit our website

Free newsletter

Get weekly audit insights

Practical guides on audit automation, SQM1 compliance, and Ind AS procedures — delivered to 2,000+ CA professionals every Friday.

No spam. Unsubscribe any time.

Topics

EQCM proceduresengagement quality controlISA 220 implementationquality control documentationNFRA inspection defensibility
Back to all articles
Keep reading
All articles
Quality Management

SQM1 Implementation Roadmap: From ISA 220 to ICAI Standards [2026]

15 min
Quality Management

SQM1 & EQCM Complete Guide for Indian CA Firms [2026]

7 min read
Built for India · DPDPA compliant

Ready to automate your audit work?

See how Coraa reduces audit engagement time by 60% — from ledger scrutiny to working papers, all from one Tally import.

Start free 14-day trialBook a live demo