What you’ll learn
- How the AFM builds your firm’s risk profile from data submissions, and why that profile determines whether you get inspected
- What the AFM’s 2023–2025 thematic reviews found at non-PIE firms, with specific deficiency rates you can benchmark against
- How to run a practical file-readiness review before the AFM requests the file
- What changed when the AFM took over from the NBA/SRA in 2022, and what the risk-based approach means for your firm today
This guide covers AFM inspections of non-PIE firms holding a reguliere vergunning (RV). It does not cover PIE supervision (the big six have their own regime) or the NBA’s peer review process for non-statutory engagements. Those are different systems with different rules.
Twenty-six out of thirty. That’s how many engagement quality reviews (opdrachtgerichte kwaliteitsbeoordelingen, or OKBs) the AFM found insufficient at non-PIE firms in its March 2024 thematic review. Not borderline. Insufficient. In 25 of those 26, the OKB provided no assurance that the audit evidence actually supported the opinion. At the firms I’ve worked with since the 2022 transition, this finding didn’t surprise anyone. The OKB is the area where the gap between what firms think they’re doing and what the file shows is widest.
What changed when the AFM took over in 2022
Until 1 January 2022, the NBA and SRA handled quality reviews of non-PIE firms (firms holding an RV) on a fixed six-year cycle under the Verordening op de kwaliteitsbeoordelingen. You knew roughly when your review was coming. You could prepare. The AFM’s approach is fundamentally different.
The AFM operates on a risk basis with no fixed cycle. A firm with a high-risk profile can be selected in consecutive years. A firm with a low-risk profile may go longer between contacts. But the AFM retains discretion to inspect any firm at any time. That uncertainty changes how you need to manage file quality. You can’t prepare for a specific date anymore. You need files that are inspection-ready all the time.
The transition wasn’t instant. The AFM spent 2022 and 2023 building its supervisory infrastructure for the approximately 250 RV firms, running introductory visits (about 60 firms in summer 2022), and launching the annual data collection that now forms the backbone of its risk-based approach. By mid-2025, the AFM had data from over 31,000 statutory audits performed by non-PIE firms. The introductions are over.
All licence holders bear supervision costs. AFM fees for accountancy firms reached €18.8 million by 2023, with a phase-in schedule (ingroeipad) that added up to €5.1 million for the transfer of non-PIE supervision.
Your data submission is your risk profile
Every non-PIE firm must complete a questionnaire for each statutory audit (wettelijke controle). Most firms treat this as admin. That’s a mistake.
Each questionnaire captures: the nature of the audit client, the audit approach (fully substantive vs. controls-oriented), hours spent, whether an OKB was performed, identified independence threats, and identified fraud risks. The AFM builds firm-level and engagement-level risk profiles from this data. It uses a two-stage selection process: first identifying a sub-population of potentially inspectable files, then selecting specific files for review. Both stages incorporate risk indicators derived from your submissions.
The AFM hasn’t published the specifics of its selection algorithms. Professor Willem Buijink of Tilburg University has publicly called for more transparency on this point. What is known: the data shapes who gets inspected. Firms that report zero fraud risks across all engagements, or that show anomalously low hours relative to engagement complexity, or that never use consultations may attract more attention, not less.
On the files I’ve reviewed, the most common gap is the disconnect between the data submission and the actual engagement file. The questionnaire reports one fraud risk. The planning memo lists two. The questionnaire says "fully substantive." The file contains some controls testing. These inconsistencies generate AFM questions that could have been avoided with a 30-minute reconciliation before submission.
Data quality has improved: the percentage of statutory audits with data quality deviations dropped from 34% in Q2 2023 to 7% by Q3 2024. The AFM now trusts this data enough to plan supervisory activities around it. The data submission is not an admin task. It’s the single most important quality signal your firm sends the regulator. Treat it like a WP that the EP signs off on, because that’s effectively what it is.
What the thematic reviews keep finding
The AFM’s thematic reviews from 2023 to 2025 tell a consistent story. The findings concentrate where professional judgment meets documentation. Here are the areas that matter most, in order of severity.
OKB depth: 26 of 30 insufficient
The AFM’s March 2024 OKB report examined 52 OKBs across 21 firms (6 PIE, 15 non-PIE). At non-PIE firms, 26 of 30 reviewed OKBs lacked sufficient depth. In 25 of those 26, the OKB provided insufficient assurance that the audit evidence supported the opinion. In five cases, the OKB results were never discussed with the engagement partner before the report was signed. At 13 of the 15 non-PIE firms, the firm’s OKB policy itself was inadequate.
Why does this keep happening? In practice, OKBs at smaller firms are often performed by the only other partner available, squeezed into a Friday afternoon before the signing deadline. The reviewer ticks a checklist, writes “reviewed and agreed,” and moves on. In practitioner terms: the reviewer signed off without forming an independent view on whether the evidence actually supported the opinion. It becomes a tick-box exercise. That’s not an OKB. The AFM wants to see the reviewer’s own reasoning on the key judgments, not agreement with the team’s conclusions. The difference between those two things is the difference between passing and failing.
Fraud risk procedures: errors in 10 of 32 reports
A separate 2024 investigation reviewed 32 statutory audits and found errors in the fraud paragraph of the auditor’s report in 10 of them. Most findings related to process quality: how auditors identified fraud risks, designed responses, and documented their reasoning.
The AFM’s finding that auditors “did not specifically adapt the nature, timing and extent of audit procedures to the identified fraud risks” translates simply: teams did the standard fraud procedures, same as every year. They pulled the PY WPs forward and updated the dates. The AFM’s data shows non-PIE firms identified at least one fraud risk in only 11% of statutory audits (compared to 30% at PIE firms). I’d estimate 11% is too low. It doesn’t mean non-PIE clients have less fraud risk. It means non-PIE firms are worse at identifying it, or more cautious about documenting it. Management override under ISA 240.32 is a presumed risk on every engagement. If your firm is somehow not identifying fraud risks on 89% of statutory audits, the AFM notices that pattern. If you’re working on your fraud documentation, our ISA 240 fraud risk assessment pack covers the specific procedures the AFM found deficient.
Independence, root cause analysis, and everything else
Independence documentation gaps are persistent but less dramatic than the OKB and fraud findings. The AFM tracks the proportion of audits with identified independence threats (stable over 2022–2025), and what they inspect is the quality of the response, not whether threats exist.
A broader indicator from Sector in Beeld 2025: only 28% of small and medium-sized non-PIE firms have a written root cause analysis policy. When something goes wrong on an engagement and the firm has no structured process for investigating why, the AFM sees both the incident and the missing infrastructure.
That’s a lot of findings, and if you’ve been through an AFM review before, none of them are new. The same areas get flagged year after year and nothing changes at the sector level. But at the firm level, you can change. Focus on two areas first: OKB depth and fraud risk documentation. Those are where the deficiency rates are highest and where the AFM has been most specific about what it expects.
Emerging areas: PE investment and fee adequacy
The AFM’s 2025 supervisory agenda adds client acceptance and continuance (roundtable sessions scheduled for July 2025) and fee adequacy (the relationship between time invested and fees charged). The AFM’s position is not that fees must reach a specific level. Rather, it views adequate fees as a necessary condition for quality. If your firm is systematically underpricing engagements relative to the hours needed, the AFM sees a quality risk.
Private equity investment in non-PIE firms is another concern. Market share of PE-backed non-PIE firms rose from 11% in 2023 to approximately 30% by 2025. The AFM published a specific report in April 2025 warning that pressure for returns could compromise quality. If your firm has PE investors, expect increased supervisory attention on this point.
What inspectors check at file level
AFM inspections operate at two levels: the engagement file and the firm’s quality management system under ISQM 1.
At file level, the inspector reviews the engagement from planning through to the auditor’s report, checking whether the firm obtained sufficient appropriate audit evidence for each significant risk area. The AFM looks at substance, not form. What the AFM calls “lack of specificity and depth” means, in practice: you covered all the boxes but didn’t go deep on any of them. A completed checklist with ticked boxes but no underlying analysis won’t pass. An assessment that shows the auditor’s reasoning, links evidence to assertions, and documents how judgment was applied will.
At firm level, the AFM reviews the design and operating effectiveness of the quality management system: governance, risk assessment, ethical requirements (including independence), acceptance and continuance, engagement performance, resources, and monitoring. For non-PIE firms, the AFM has shown particular interest in whether the firm’s expertise matches its client portfolio and whether fee levels support adequate resourcing.
The letter arrives with 4–6 weeks’ notice. By then, you can’t fix the documentation. Everything useful happens before the letter.
Worked example: file-readiness review at Veldkamp Accountants
Scenario
Veldkamp Accountants B.V. is a mid-sized non-PIE firm in Arnhem with 8 partners and approximately 120 statutory audit engagements per year. The quality partner is reviewing the engagement file for Brouwer Installatietechniek B.V. (€28M revenue, 95 employees, construction/installation sector). Financial year 2024. Unqualified opinion.
1. Reconcile the data submission against the file.
The questionnaire submitted to the AFM reports: fully substantive approach, 420 total hours (180 by partner and senior), one fraud risk identified (management override), one independence threat (long association, fifth year). The quality partner checks each against the file. Hours match the time recording system. Audit approach matches. Independence threat and response are documented.
Documentation note: “AFM data submission reconciled to engagement file on [date]. All reported data points traced to underlying documentation. No inconsistencies identified.”
2. Review the OKB file.
Brouwer Installatietechniek qualifies for an OKB under the firm’s policy (construction sector, revenue above €20M). The OKB reviewer (a partner not on the engagement) reviewed the file before signing. The quality partner checks: did the reviewer evaluate whether sufficient evidence was obtained for the significant risks (revenue recognition on long-term contracts under RJ 221, management override)? Did the reviewer form an independent view on the key judgments? Were conclusions discussed with the engagement partner before the report date?
Documentation note: “OKB file reviewed. Reviewer documented independent assessment of revenue recognition judgment (RJ 221 percentage-of-completion estimates). Discussion with engagement partner documented on [date], two days before report signing.”
3. Check the fraud risk documentation.
The planning memo identifies management override as a presumed risk under ISA 240.32. The file should show: specific procedures performed (journal entry testing with defined selection criteria, review of estimates for bias, evaluation of unusual transactions under ISA 240.33), results, and the team’s conclusion. The quality partner cross-checks the fraud paragraph in the auditor’s report against the procedures actually documented.
Documentation note: “Fraud paragraph in auditor’s report references journal entry testing and estimate review. Both procedures documented in working papers with results. Paragraph is consistent with file content.”
The complication
During the reconciliation in step 1, the quality partner discovers that the planning memo actually identifies two fraud risks: management override and revenue recognition (given the judgment involved in percentage-of-completion estimates on long-term contracts). But the AFM data submission reports only one. This is exactly the kind of inconsistency the AFM catches during inspections.
The quality partner flags it. The engagement partner explains that revenue recognition was initially considered a fraud risk at planning but was reclassified as a significant risk (not fraud-related) after understanding the entity’s contract structures. The reclassification is documented in the risk assessment working paper but was made after the AFM questionnaire was submitted. The firm needs to either amend the data submission or ensure the reclassification rationale is clearly documented and consistent across the file. They choose to update the AFM submission and add a cross-reference between the risk assessment and the data questionnaire.
Documentation note: “Inconsistency identified between AFM data submission (1 fraud risk) and planning memo (2 fraud risks at initial assessment). Revenue recognition reclassified from fraud risk to significant risk on [date] based on [rationale]. AFM data submission updated to reflect reclassification. Cross-reference added to risk assessment working paper.”
Running this review on a sample of files each quarter takes about two hours per engagement. You’ll generate a few internal RNs, but those are far cheaper than the remediation conversation with the AFM after the fact.
Practical checklist for AFM inspection readiness
Common mistakes
- Treating the data submission as admin. The AFM builds firm-level risk profiles from these questionnaires. Errors, inconsistencies, or anomalous patterns (such as reporting zero consultations across 120 engagements) attract attention. I’ve seen firms delegate this to junior admin staff who don’t understand the engagement well enough to answer accurately. Assign it to the engagement partner or quality partner.
- Performing OKBs as a formality. At smaller firms, the OKB often gets squeezed into the last afternoon before signing because only one other partner is available and they have their own deadlines. A signed checklist without evidence of independent evaluation of key judgments will be flagged. The AFM found 26 of 30 insufficient. That rate doesn’t leave much room for “ours is probably fine.”
- SALY-ing the risk assessment. Rolling forward the PY risk assessment without rethinking it for the current year is the single fastest way to get flagged. The AFM’s fraud review found the same issue across firms of all sizes: standard procedures, same as every year, with no adaptation to what actually changed at the client.
- Assuming the old NBA cycle still applies. The NBA reviewed firms on a fixed six-year schedule. The AFM operates on risk. Consecutive-year selection is possible. Firms that haven’t been contacted since 2022 sometimes assume they’re safe. They’re not. They just haven’t been selected yet.
- Not budgeting time for inspection readiness. Partners under fee pressure cut the activities that don’t directly produce billable hours: OKB review time, data submission reconciliation, root cause analysis. The cost of those hours is visible. The cost of an AFM finding is not visible until the letter arrives, and by then it’s significantly higher.
Related content
- ISA 240 Fraud Risk Assessment Pack. 10 worksheets covering the fraud risk procedures the AFM found deficient, including journal entry testing, unpredictability, and management override documentation.
- ISQM 1 quality management. Glossary entry covering the standard that replaced ISQC 1, including the monitoring and remediation requirements the AFM evaluates at firm level.
- ISA 520 Analytical Review Calculator. For ensuring analytical review procedures in your files are documented with specific expectations and investigation of variances, which the AFM checks at file level.
Frequently asked questions
How does the AFM select audit files for inspection?
Risk-based two-stage process. Every statutory audit questionnaire you submit feeds into your firm’s risk profile. The AFM identifies a sub-population of potentially inspectable files, then selects specific ones based on risk indicators. Anomalous patterns in your data (zero fraud risks, low hours relative to complexity) can trigger selection.
What are the most common AFM findings at non-PIE firms?
OKB depth insufficient in 26 of 30 reviewed cases. Errors in the fraud paragraph of the auditor’s report in 10 of 32 audits. Independence documentation gaps. Only 28% of small and medium-sized non-PIE firms have a written root cause analysis policy. OKB and fraud documentation are where the highest deficiency rates are.
When did the AFM take over supervision of non-PIE firms?
1 January 2022. Before that, the NBA and SRA handled quality reviews on a six-year cycle. By mid-2025, the AFM had data from over 31,000 statutory audits and now uses this data to build risk profiles and plan supervisory activities around them.
How often does the AFM inspect non-PIE firms?
No fixed cycle. Risk-based. A high-risk firm can be selected in consecutive years. A low-risk firm may go longer between contacts. The AFM retains discretion to inspect any firm at any time. This is fundamentally different from the old NBA/SRA six-year schedule.
Further reading and source references
- AFM Sector in Beeld 2025: The AFM’s data report on the Dutch statutory audit sector, including non-PIE firm metrics on audit approach, fraud risk identification, and consultation rates.
- AFM OKB Report (March 2024): Thematic review findings on engagement quality reviews across 21 audit firms.
- AFM Fraud Risk Quality Report (2024): Findings on fraud risk procedures across 32 statutory audits.
- ISQM 1: The quality management standard governing the firm-level system the AFM evaluates.