SQM 1 vs SQC 1: What Changes and Where Firms Underspend on Implementation
The ICAI Standard on Quality Management 1 (SQM 1) replaces the Standard on Quality Control 1 (SQC 1) — converging with IAASB's ISQM 1. The original effective date was 1 April 2023 for SQM 1; ICAI has deferred this multiple times. Refer the latest ICAI Council notification for the current effective date.
For Indian CA firms, the difference between SQM 1 and SQC 1 isn't cosmetic. SQC 1 is compliance-centric — "here are the controls every firm must have." SQM 1 is risk-based and customised — "identify your firm's specific quality risks and design controls proportionate to them."
This post walks through the six structural differences and where mid-tier firms typically underspend on implementation.
Difference 1: From compliance to risk-based design
SQC 1: Prescribes 6 elements (leadership, ethics, acceptance, performance, resources, monitoring). Apply each in the firm.
SQM 1: Prescribes 8 components (governance + leadership; ethics; engagement acceptance and continuance; engagement performance; resources; information and communication; monitoring and remediation; risk assessment). For each component, the firm must:
- Establish quality objectives
- Identify and assess quality risks (what could go wrong with achieving the objective)
- Design controls (responses) proportionate to the assessed risks
The risk-based design is the structural shift. Two firms of similar size and similar engagements may have different SQM 1 systems because their specific risks differ.
Where firms underspend: most firms copy a template QM manual without doing the risk-assessment work. The result is a generic manual that doesn't actually guide engagement teams. Peer reviewers and (eventually) NFRA inspectors will spot this. A 4-hour partner workshop to identify the firm's specific quality risks is the foundation.
Difference 2: From "quality control reviewer" to "engagement quality reviewer"
SQC 1: Quality Control Reviewer for high-risk engagements — typically focused on technical review.
SQM 1 / SQM 2: Engagement Quality Reviewer (EQR) — broader scope. EQR not only reviews the technical conclusions but also evaluates the engagement team's judgement, response to significant matters, evidence sufficiency, and overall engagement quality.
SQM 2 (separate standard, paired with SQM 1) governs EQR engagements specifically.
Where firms underspend: many firms appoint EQRs from within the engagement team's reporting line — the EQR reports to the engagement partner. SQM 2 requires the EQR to be independent of the engagement team. Reporting line matters. The EQR should report to a different partner (typically the managing partner or quality partner) — not to the partner whose engagement they're reviewing.
Difference 3: Quality risks now have a register
SQC 1: Quality issues addressed engagement-by-engagement.
SQM 1: Firm-level Quality Risk Register. Maintained, updated, reviewed quarterly or annually.
The register has columns:
- Quality objective (e.g., "Engagements are conducted in accordance with the SAs")
- Quality risk (e.g., "Junior staff lack training on Ind AS 115 — risk of incorrect revenue recognition application")
- Risk assessment (likelihood × impact)
- Control / response (e.g., "Annual Ind AS 115 training mandatory for managers / staff; pre-approval of revenue working papers by quality partner")
- Monitoring evidence (training attendance records, pre-approval log)
Where firms underspend: most firms maintain the register at first then let it lapse. The register needs ownership — one partner or quality manager accountable. Without ownership it dies.
Difference 4: Monitoring is continuous, not annual
SQC 1: Annual review of quality control system.
SQM 1: Ongoing monitoring of the system, with formal review at least annually. The shift is from "inspection at year-end" to "ongoing feedback loop."
Specific elements of ongoing monitoring:
- Engagement-level monitoring (during fieldwork — partner check-ins, manager reviews, EQR for high-risk engagements)
- Periodic monitoring (quarterly review of selected files, root cause analysis of any findings)
- Annual monitoring (formal evaluation of the QM system, deficiencies identified, remediation plan)
Where firms underspend: small firms treat this as paperwork. But the cold-file-review practice (post-engagement review of a sample of files by an independent partner) is what catches quality drift before NFRA does.
A practical rhythm: 2 cold reviews per partner per year, 30 minutes each, documented findings, remediation tracked to closure. This is the heart of SQM 1 monitoring.
Difference 5: Network firm considerations
SQC 1: Limited treatment of network firm relationships.
SQM 1: Specific component (4 of 8) on resources, including how the firm uses resources of network firms. If the firm is part of a network (member of a Big-4, mid-tier network, or affiliated independent network), SQM 1 requires:
- Documentation of the network relationship
- Identification of network resources used (methodology, training, tools)
- Independence considerations across the network
- Quality controls over use of network resources
Where firms underspend: many mid-tier firms in networks treat network membership as a marketing relationship. SQM 1 requires it to be a documented quality system. The reverse is also true — if the firm uses network methodology / tools, that should be in the QM manual.
Difference 6: Specific accountability for the firm's leadership
SQC 1: Leadership responsible generally.
SQM 1: Named accountability for specific components. The firm must identify:
- The individual(s) with ultimate responsibility for the QM system
- The individual(s) with operational responsibility for the QM system (typically the QM partner)
- Named EQRs for engagements requiring EQR
- The individual responsible for monitoring and remediation
Where firms underspend: governance documents are vague. SQM 1 wants named individuals with documented responsibilities and the resources to discharge them. A small firm with 3 partners can name one partner as the QM partner — and document what that means in 1-2 pages.
What deferred means (and doesn't)
ICAI has deferred SQM 1 multiple times. The current notified effective date should be checked with ICAI Council notifications.
The deferral does NOT mean SQM 1 doesn't apply. It just delays the formal compliance date. Most ICAI Peer Review Phase IV requirements already reference SQM 1 components — so firms targeting Peer Review readiness are implicitly building SQM 1 anyway.
Practically:
- If you're in Peer Review Phase IV: complete SQM 1 implementation regardless of formal effective date
- If you're a NFRA-perimeter audit firm: SQM 1 implementation is implicit in NFRA's inspection programme expectations
- If you're a small firm not in either: do the minimum and wait for the formal date
Implementation cost — honest numbers
For a mid-tier firm (5-20 partners, 50-500 engagements / year), full SQM 1 implementation:
| Element | Effort | Cost |
|---|---|---|
| Initial risk assessment workshop (partner-level) | 8 hours × 5 partners | ₹2-5 lakh in partner time |
| Drafting the QM manual | 40-60 hours by QM partner / consultant | ₹2-4 lakh (if outsourced) |
| Training delivery to all staff (3 hours) | 30 staff × 3 hours | ₹3-5 lakh in staff time |
| Quality risk register setup | 16 hours initial + 4 hours / quarter ongoing | ₹50K initial + ₹20K / quarter |
| EQR appointments and process setup | 8-16 hours | ₹50K-1L |
| Cold file review process setup | 8 hours | ₹30K |
| First annual evaluation | 24-40 hours | ₹1-2 lakh |
| Total Year 1 | ~150-250 hours | ₹10-15 lakh |
Year 2 onwards: roughly 50-80 hours / year ongoing (₹3-5 lakh). The big-ticket items are the initial workshop and the manual — both one-time.
Most firms underestimate this and assume "we'll just update the SQC 1 manual." That doesn't pass peer review. The risk assessment work is the substantive change.
How CORAA helps
The IT and Engagement Execution components of SQM 1 (and indirectly Monitoring) get easier when the firm has audit tech that timestamps and indexes the audit trail. CORAA's Working Papers module preserves the SA 230 audit file with full timestamps — making cold-file-review faster and more defensible.
For specific calculators and tools that pair with SQM 1 components:
- SQM 1 Implementation Checklist — 30-point self-assessment
- SQM 1 Gap Assessment — capability mapping by component
- Peer Review Phase IV Readiness Hub — covers SQM 1 components from the peer reviewer's perspective
- AQMM v2.0 self-assessment — quality maturity mapping
The 60-minute AQMM self-assessment in the prior post is a useful sanity check before investing in formal SQM 1 implementation — if the AQMM score is already at Level 3-4 on quality management, SQM 1 implementation is largely a documentation exercise. If AQMM is Level 1-2, SQM 1 will be substantive.
Bottom line
SQM 1 replaces SQC 1 with a risk-based, customised, named-accountability framework. The deferral by ICAI doesn't change the underlying requirement; it changes the compliance date. Peer Review Phase IV and NFRA inspection expectations already reference SQM 1 components.
For mid-tier firms, the practical implementation cost is ₹10-15 lakh Year 1 + ₹3-5 lakh ongoing. The substantive work is the risk assessment workshop — copying a template manual without doing this is the most-common underspending pattern.
Action items:
- Run the SQM 1 Implementation Checklist for your firm
- Schedule the partner-level risk assessment workshop (4 hours)
- Identify the named QM partner and document their responsibilities
- Set up the Quality Risk Register
- Establish the cold-file-review rhythm (2 per partner per year)
Firms that do this in the next 6-12 months will be ahead of the curve regardless of the formal SQM 1 effective date — and ready for Peer Review Phase IV (31 December 2026 deadline) without a separate scramble.
Try CORAA → Audit trail that makes Engagement Execution + IT + Monitoring components of SQM 1 default rather than effortful. See pricing · Talk to us · SQM 1 Implementation Checklist.