Key takeaways

  • The AFM selects files for inspection using risk-based algorithms informed by mandatory data submissions from every non-PIE audit firm.
  • Recent thematic reviews found that 26 of 30 OKBs at non-PIE firms lacked sufficient depth, and 13 of 15 firm OKB policies were inadequate.
  • The AFM took over supervision from the NBA and SRA on 1 January 2022 and operates on a risk basis with no fixed inspection cycle.
  • Every data point you submit shapes your firm's risk profile. Firms reporting zero fraud risks across all engagements may attract more attention, not less.

Who the AFM supervises and how supervision shifted in 2022

Until 2022, the NBA and SRA handled quality reviews of non-PIE audit firms (firms holding a reguliere vergunning, or RV). The AFM's attention focused almost exclusively on the six PIE licence holders. That changed on 1 January 2022 when the AFM formally took over supervision of all firms performing wettelijke controles.

As of mid-September 2025, the AFM reported having data from more than 31,000 statutory audits performed by non-PIE firms, covering approximately a three-year period. Data quality has improved significantly: the percentage of statutory audits with identified data quality deviations dropped from 34% in Q2 2023 to 7% by Q3 2024.

For non-PIE firms, this represents a fundamentally different supervisory experience. The NBA and SRA reviews operated on a fixed six-year cycle. The AFM operates on a risk basis with no fixed cycle. A firm with a high-risk profile can be selected for inspection in consecutive years.

Supervision costs are borne by the sector. AFM fees for accountancy firms reached €18.8 million by 2023, with an ingroeipad (phase-in schedule) that added up to €5.1 million for the transfer of non-PIE supervision.

How the AFM selects files for inspection

The AFM uses a risk-based selection methodology. Every non-PIE audit firm must complete a questionnaire for each statutory audit. This data feeds into the AFM's risk profiles at both the firm level and individual engagement level.

Each questionnaire captures information about the nature of the audit client, the audit approach, hours spent, use of consultations, whether an OKB was performed, identified threats to independence, and identified fraud risks. The AFM's Sector in Beeld 2025 report reveals key patterns: 54% of statutory audits by non-PIE firms in 2025 were fully substantive, and only 11% identified at least one fraud risk (compared to 30% at PIE firms).

Your data shapes your risk profile

Every data point you submit shapes your firm's risk profile. Firms that report zero fraud risks across all engagements, show anomalously low hours relative to engagement complexity, or never use consultations may attract more attention, not less. The data should reflect your actual practice accurately.

What inspectors actually look at

AFM inspections operate at two levels: the engagement file (dossier) level and the firm's quality management system level.

At the file level, the AFM assesses whether the audit file supports the auditor's opinion. The inspector reviews the engagement from planning through to the auditor's report, checking whether the firm obtained sufficient appropriate audit evidence. A completed checklist with ticked boxes but no underlying analysis will not pass. An assessment that shows the auditor's reasoning, links specific evidence to specific assertions, and documents how professional judgment was applied will.

At the firm level, the AFM reviews the design and operating effectiveness of the quality management system under ISQM 1. For non-PIE firms, the AFM has shown particular interest in client acceptance and continuance procedures, whether the firm's expertise matches its client portfolio, and the functioning of the engagement quality review.

Thematic reviews are a separate tool. Recent themes have included engagement quality reviews (2023-2024), fraud risk procedures (2024), and client acceptance and continuance (2025).

Recent AFM findings at non-PIE firms

The AFM's thematic reviews from 2023 to 2025 paint a consistent picture. The findings concentrate in areas where professional judgment meets documentation.

Engagement quality reviews (OKB)

The AFM's March 2024 report examined 52 OKBs across 21 audit firms. At non-PIE firms, the depth of the OKB was insufficient in 26 of 30 reviewed cases. In 25 of those 26, the OKB provided insufficient assurance that the audit evidence was adequate. In five cases, the OKB results were never discussed with the engagement partner. At 13 of the 15 non-PIE firms reviewed, the firm's OKB policy itself was inadequate.

Fraud risk procedures

A separate 2024 investigation reviewed 32 statutory audits and found errors in the fraud paragraph of the auditor's report in 10 of them. Most findings related to how auditors identified fraud risks, designed responses, and documented their reasoning.

Broader data signals

Only about one-third of non-PIE firms use consultations during statutory audits. Only 28% of small and medium-sized non-PIE firms have a written policy for performing root cause analyses. Private equity investment in non-PIE audit firms rose from 11% market share in 2023 to approximately 30% by 2025, which the AFM flagged as a risk to audit quality.

Worked example: preparing a file for potential AFM review

Firm: Veldkamp Accountants B.V., a mid-sized non-PIE firm in Arnhem with 8 partners and approximately 120 statutory audit engagements. Engagement under review: statutory audit of Brouwer Installatietechniek B.V. (€28M revenue, 95 employees, construction sector). Audit opinion: unqualified.

1. Check the data submission for accuracy

Verify that the audit approach classification, hours reported, fraud risks, and independence threats in the AFM questionnaire match the engagement file. The AFM cross-references data submissions against file content. If the questionnaire reports one fraud risk but the planning memo lists two, the inconsistency will generate questions.

2. Review the engagement quality review file

Check that the OKB file shows the reviewer evaluated whether sufficient evidence was obtained for significant risk areas, formed an independent view on key judgments, and discussed conclusions with the engagement partner before the report date. "Reviewed and agreed" on a checklist is not sufficient.

3. Review the fraud risk documentation

The file should show specific procedures performed in response to identified fraud risks, the results of those procedures, and the engagement team's conclusion. Check the fraud paragraph in the auditor's report against the procedures actually documented in working papers.

4. Review the independence assessment

For a fifth-year engagement, document the specific threat from long association, the response measure applied, and why the response reduces the threat to an acceptable level. A one-line statement that "independence was assessed and confirmed" does not meet the standard.

5. Check client acceptance and continuance

The file should show the firm assessed whether it has sufficient expertise and resources, including sector-specific knowledge. If the firm accepted the engagement despite a risk factor, the rationale should be documented.

Practical checklist for AFM inspection readiness

  1. Reconcile your AFM data submissions against actual engagement files. Resolve inconsistencies before the next submission deadline.
  2. Review your OKB policy against the AFM's March 2024 report findings. The OKB reviewer must form an independent view on key judgments, not just review the team's conclusions.
  3. For every engagement with an identified fraud risk, check that the auditor's report fraud paragraph matches the working papers. Either they match or they don't.
  4. Document independence threat assessments with specifics: the threat, the response measure, and the residual risk.
  5. Ensure your firm has a written root cause analysis policy. Only 28% of small and medium-sized non-PIE firms do.
  6. Keep your ISQM 1 monitoring and remediation cycle current. A well-designed system that hasn't been monitored in two years will not pass.

Common mistakes

  • Treating the AFM data submission as an administrative task. The AFM builds firm-level risk profiles from these submissions. Errors, inconsistencies, or anomalous patterns will attract attention. Assign a quality partner to review submissions before filing.
  • Performing OKBs as a formality. The AFM's 2024 report found that 26 of 30 OKBs at non-PIE firms lacked sufficient depth. A signed checklist without evidence of independent evaluation does not satisfy the standard.
  • Assuming the AFM approach mirrors the old NBA/SRA cycle. The NBA reviewed firms on a fixed six-year schedule. The AFM operates on a risk basis. A firm can be selected in consecutive years.

Frequently asked questions

How does the AFM select audit files for inspection?

The AFM uses a risk-based two-stage process informed by mandatory data submissions. First, a sub-population of potentially inspectable files is identified. Then specific files are selected based on risk indicators. Every questionnaire you submit for each statutory audit feeds into your firm's risk profile.

What are the most common AFM findings at non-PIE audit firms?

Findings concentrate in engagement quality reviews (26 of 30 OKBs lacked sufficient depth), fraud risk procedures (errors in 10 of 32 auditor's report fraud paragraphs), and independence documentation. Only 28% of small and medium-sized non-PIE firms have a written root cause analysis policy.

When did the AFM take over supervision of non-PIE audit firms?

The AFM formally took over on 1 January 2022. Before that, the NBA and SRA handled quality reviews. By mid-2025, the AFM had data from over 31,000 statutory audits performed by non-PIE firms and now uses this data to build risk profiles and plan supervisory activities.

How often does the AFM inspect non-PIE audit firms?

The AFM operates on a risk basis with no fixed cycle, unlike the old NBA/SRA six-year schedule. A firm with a high-risk profile can be selected in consecutive years. A low-risk firm may go longer between contacts, but the AFM retains discretion to inspect any firm at any time.

Further reading and source references

  • AFM Sector in Beeld 2025: The AFM's comprehensive data report on the Dutch statutory audit sector, including non-PIE firm metrics.
  • AFM OKB Report (March 2024): Thematic review findings on engagement quality reviews across 21 audit firms.
  • AFM Fraud Risk Quality Report (2024): Findings on fraud risk procedures across 32 statutory audits.
  • ISQM 1: The quality management standard that replaced ISQC 1, governing the firm-level system the AFM evaluates.