AQMM v2.0 — How to Map Your Firm's Quality Maturity in 60 Minutes

The ICAI Council ratified the Audit Quality Maturity Model v2.0 (AQMM v2.0) on 22 August 2024. It is a self-assessment framework for CA firms to map themselves across 8 dimensions of audit quality, on a 4-level maturity scale. AQMM is not a regulation — there's no penalty for not doing it. But it's becoming the de-facto benchmarking tool for firms thinking about positioning, hiring, and tooling decisions.

This post walks through the 8 dimensions, the scoring rubric, and a 60-minute self-assessment script you can run for your firm before quarter-end.

---

What AQMM is — and isn't

AQMM is a firm-level self-assessment. It maps your CA practice on 8 dimensions, each scored 1 to 4 (or sometimes 1 to 5 depending on the indicator):

• Level 1 — Initial: ad-hoc, undocumented, partner-dependent
• Level 2 — Repeatable: documented but inconsistent application
• Level 3 — Defined: documented, consistent, periodically reviewed
• Level 4 — Managed: documented, consistent, measured, optimised
• Level 5 — Optimising (where applicable): continuously improving via data

It is not:

• A regulation. ICAI has no enforcement around AQMM scores.
• A peer review substitute. Peer Review is governed by the Peer Review Statement; AQMM is separate.
• A NFRA-equivalent. NFRA inspects PIE audits under Section 132 Companies Act; AQMM is voluntary firm-level.

But AQMM is increasingly used by:

• Clients evaluating which firm to engage (especially for larger audits)
• Banks and financial institutions assessing audit firms for empanelment
• Junior partners evaluating which firm to join
• The firm itself for self-improvement planning

The score gives you a defensible answer to "where does our practice rank?" and helps prioritise the next 12 months of investment.

---

The 8 dimensions of AQMM v2.0

1. Practice Management

How the firm is managed structurally — governance, strategic planning, capacity, financial discipline. Indicators:

• Documented vision / mission / strategic plan
• Partner-level governance structure
• Annual budgeting and financial review
• Risk management framework at firm level
• Succession planning

Common gap: small firms operate informally. Level 1-2 is typical.

2. Human Resources

Partner / manager / staff capability, recruitment, development, retention. Indicators:

• Documented competency framework
• Onboarding process for new joiners
• Annual training calendar with mandatory + elective tracks
• Performance review system
• Career path documented

Common gap: training is reactive (when staff fails a peer review) rather than proactive.

3. Knowledge Updation

How partners and staff stay current on standards, regulations, technology. Indicators:

• Tracked CPE compliance for all members
• Subscription to ICAI / regulator notifications
• Internal knowledge-sharing forums
• Documentation of regulatory changes affecting active clients

Common gap: CPE is collected for compliance, not absorbed into firm practice.

4. Information Technology

Technology adoption in audit execution. Indicators:

• Engagement management system
• Document management / paperless office
• Data analytics tools
• Automation of routine procedures
• Cybersecurity controls

Where AI lifts the score — Level 1 firms use Excel + email. Level 2 firms have a working-paper system. Level 3 firms have CAATs / data analytics for sampling. Level 4 firms have AI-assisted execution across multiple modules (JE testing, reconciliation, Schedule III mapping). CORAA-like adoption typically moves a firm from Level 2 to Level 4.

5. Engagement Acceptance

The acceptance / continuance protocol. Indicators:

• Documented client acceptance policy
• Independence + competence + capacity test
• Engagement letter template under SA 210
• Predecessor-auditor communication

Common gap: written policy but inconsistent application across partners.

6. Engagement Execution

How audits are actually performed. Indicators:

• Risk assessment under SA 315 documented per engagement
• Sampling under SA 530 with formula + seed
• SA 240 fraud testing on full journal entry population
• SA 230 contemporaneous documentation
• CARO 2020 clause-wise working papers
• UDIN-gated sign-off

Where AI lifts: same direction as IT — AI tools like CORAA make full-population testing the default rather than a partner-specific choice. Moves Level 2 to Level 3-4.

7. Quality Reviewer Engagement

Independent review of completed engagements. Indicators:

• Annual cold review per partner
• EQR / EQCR for listed audits
• Root cause analysis for review findings
• Remediation tracking

Common gap: ad-hoc reviews when there's a regulatory query, not systematic.

8. Other Engagements

Non-audit engagements (tax audit, GST audit, certification, advisory). Indicators:

• Independence policy covering Section 144 prohibitions
• Service quality controls for each engagement type
• Fee structure documented

---

The 60-minute self-assessment script

Here's the actual script to run with your partners. Block 60 minutes. Everyone present. Honest answers.

Minutes 0-10 — Practice Management (4 questions)

1. Does the firm have a written vision / mission and 3-year strategic plan? (Yes formal = 3, informal = 2, no = 1)
2. Is there a documented partner governance structure (decision rights, meeting cadence)? (Same scale)
3. Is there an annual budget approved by partners with quarterly review? (Same scale)
4. Is there a documented risk management framework (client concentration, key person dependency, regulatory exposure)? (Same scale)

Minutes 10-15 — Human Resources (3 questions)

1. Documented competency framework with role-level expectations? (Same scale)
2. Annual training calendar tracked across all staff (not just CPE)? (Same scale)
3. Documented performance review with quarterly check-ins? (Same scale)

Minutes 15-20 — Knowledge Updation (2 questions)

1. CPE compliance tracked at partner + staff level with quarterly status? (Same scale)
2. Internal forum (monthly) for sharing regulatory changes affecting active clients? (Same scale)

Minutes 20-30 — Information Technology (5 questions, weight heavily)

1. Engagement management system in use (or paper-based)? (1 = paper, 2 = Excel, 3 = audit software, 4 = AI-assisted)
2. Document management — paperless office with cloud backup and access controls? (Same scale)
3. CAATs / data analytics applied to at least 50% of engagements? (Yes = 3+, partial = 2, no = 1)
4. AI-assisted procedures (JE testing, reconciliation, Schedule III mapping)? (Mature use = 4, pilot = 3, evaluating = 2, no = 1)
5. Cybersecurity controls (MFA, encryption, training, incident response)? (Same scale)

Minutes 30-40 — Engagement Acceptance + Execution (6 questions)

1. Documented client acceptance policy with independence + competence + capacity test? (Same scale)
2. Risk assessment under SA 315 documented per engagement? (Same scale)
3. SA 530 sampling with formula + seed printed in working papers? (Same scale)
4. SA 240 fraud testing across full period (or representative sample with documented rationale)? (Same scale)
5. SA 230 documentation with final assembly within 60 days of report? (Same scale)
6. UDIN-gated sign-off across all attest engagements? (Same scale)

Minutes 40-50 — Quality Reviewer Engagement (3 questions)

1. Annual cold review per partner with documented findings? (Same scale)
2. EQR / EQCR for listed engagements per SQM 2? (Same scale)
3. Root cause analysis with remediation tracking for every quality finding? (Same scale)

Minutes 50-60 — Other Engagements + Scoring (3 questions + total)

1. Independence policy covering Section 144 prohibitions? (Same scale)
2. Service quality controls per engagement type (tax audit, GST, advisory)? (Same scale)
3. Fee structure documented and applied consistently? (Same scale)

Final: Add scores across all dimensions. Average across the 26 questions to get firm-level AQMM score on a 1-4 scale.

A typical mid-tier firm scores 2.3-2.8 on first run. Big-4 networks score 3.3-3.7. The benchmark to target depends on positioning.

---

What to do with the score

The score itself is informational. The dimension-level breakdown is actionable.

If IT score is 1.8 and Engagement Execution is 2.3: invest in audit tech in the next 12 months. AI-assisted execution lifts both simultaneously. CORAA, EzAudit, AssureAI, or equivalent. See the AI Audit Tool Evaluation Checklist for the 46-criterion scoring rubric.

If Quality Reviewer Engagement is 1.5: build the cold review process. Two cold reviews per partner per year, documented findings, remediation tracking. The SQM 1 Implementation Checklist covers this.

If Knowledge Updation is 2.0: institute the monthly internal forum. Allocate 30 minutes per month per professional to discuss regulatory changes. Track attendance.

If Engagement Execution is below 2.5: revisit the Peer Review Phase IV Readiness Hub — its 19-item self-assessment is more granular than AQMM and directly tied to SA documentation expectations.

---

How CORAA scores firms on AQMM

The AI Audit Tool Evaluation Checklist maps each criterion to an AQMM dimension (Engagement Execution, IT, Quality Reviewer Engagement, etc.). For firms using CORAA across most engagements:

• IT dimension typically moves from Level 2 to Level 4
• Engagement Execution from Level 2-3 to Level 3-4
• Quality Reviewer Engagement modestly improved (CORAA's audit trail makes reviewers' job faster)

The overall AQMM score lift from CORAA adoption is typically 0.5-0.8 points (on the 1-4 scale). Combined with other quality investments, mid-tier firms can move from 2.5 to 3.3 — which puts them in the same band as some Big-4 networks for the audit execution and IT dimensions.

This isn't marketing for CORAA. It's a measurable change in the AQMM scoring rubric. Verify it for your own firm by running the 60-minute script before and 12 months after audit tech adoption.

---

The bigger picture

AQMM v2.0 is one of three frameworks Indian CA firms should map themselves against:

1. AQMM v2.0 — voluntary firm-level quality maturity (this post)
2. SQM 1 — firm-level quality management system, deferred but mandatory once notified — see the SQM 1 Implementation Checklist
3. Peer Review (Phase IV deadline 31 Dec 2026) — ICAI's mandatory quality assurance for certain practising units — see the Peer Review readiness hub

All three converge on the same underlying expectations: documented systems, consistent application, evidence preserved, audit-grade trail. Firms that build for one are largely ready for the others.

The 60-minute self-assessment from this post is the cheapest way to start. Block the time. Be honest about the answers. The score is whatever it is — the dimension-level gaps are the actionable output.

---

Try CORAA → AI-assisted audit execution that lifts AQMM Engagement Execution + IT dimensions. India-hosted, audit-grade evidence trail. See pricing · Talk to us · Browse calculators.