Key takeaways

  • The AFM found EQCR depth insufficient at 87% of non-PIE firms (26 of 30 assessed EQCRs), and 13 of 15 non-PIE firms lacked an adequate EQCR policy under ISQM 1.34(d).
  • Fraud risk procedures had findings in 17 of 20 non-PIE statutory audits reviewed, with journal entry testing and the absence of unpredictable procedures as the most common deficiencies.
  • Only 11% of non-PIE statutory audits identified at least one fraud risk beyond the two presumed risks – compared to 30% at PIE firms.
  • Small non-PIE firms consulted their professional practice department on only 14% of engagements, versus 40% at large non-PIE firms.
  • Approximately 30% of statutory audits at non-PIE firms are now performed by firms with private equity involvement, raising AFM concerns about fee and time pressure.

The EQCR problem: 87% insufficient at non-PIE firms

The AFM published its EQCR thematic review in March 2024. The numbers were stark. Across 21 audit firms, the AFM assessed 52 EQCRs. At non-PIE firms, 26 of 30 assessed EQCRs had insufficient depth. At PIE firms, 9 of 22 showed similar deficiencies. But the non-PIE finding is the one that matters for most practitioners, because 13 of the 15 assessed non-PIE firms did not even have an adequate EQCR policy in place.

What does “insufficient depth” mean in practice? The AFM found that EQC reviewers were not inspecting the underlying audit evidence. An EQC reviewer who reads the top memo on a balance sheet item, checks that a conclusion is stated, and signs off has not performed an EQCR. The standard (ISQM 1.34(f) and ISA 220.25–26) requires the reviewer to evaluate whether sufficient appropriate audit evidence has been obtained. That evaluation requires looking at the evidence, not just the conclusion built on top of it.

The AFM’s board member Hanzo van Beusekom stated it directly: the quality safeguard is currently lacking throughout non-PIE audit firms. The AFM expects firms to act on these findings and will continue monitoring improvement.

What this means for your file

If your engagement required an EQCR, the reviewer must document which audit evidence was inspected, what was evaluated, and what conclusion was reached on sufficiency. A single sign-off line on the completion checklist is not documentation of an EQCR. The AFM has made that explicit.

The policy gap is equally important. If your firm’s EQCR policy does not define which engagements require review, what the scope of the review includes, and what competencies the reviewer must have, the policy itself fails ISQM 1.34(d). Fixing the policy is not an engagement-level decision. It requires firm-level action. But if you are the engagement partner on a high-risk file and your firm has no adequate EQCR policy, you have a quality management problem that affects the defensibility of your audit opinion.

Fraud risk procedures: findings in 17 of 20 non-PIE files

The AFM published a separate report on audit procedures addressing fraud risks (the report appeared in early 2025, covering inspections from the prior period). At regular (non-PIE) audit firms, the AFM found one or more findings in 17 of 20 statutory audits reviewed. At the three PIE firms included, findings appeared in 6 of 12 audits.

The AFM’s summary was blunt: the procedures performed often lack sufficient specificity and depth. Auditors plan and perform standard procedures without adapting them to the identified fraud risk. The nature, timing, and extent of procedures are not tailored. Journal entry testing, in particular, drew repeated findings.

The specific deficiencies the AFM identified follow a pattern. Auditors test journal entries but do not verify the full entry against source documents. They check the description and the authorisation but do not assess whether the business rationale is consistent with what the auditor knows about the entity. The AFM noted that many journal entry tests included cross-references to other sections of the audit file, but those sections contained no evidence that the auditor had actually tested the referenced transactions.

ISA 240.32–33 requires the auditor to design and perform audit procedures responsive to the assessed risks of material misstatement due to fraud. ISA 240.33(a)(i) specifically requires testing journal entries for evidence of management override. The AFM’s finding is not that auditors fail to test journals. It is that the testing is shallow: performed as a standardised procedure rather than a response designed around the specific fraud risk identified for that client.

Unpredictability is almost entirely absent

For non-PIE firms, the AFM found that an element of unpredictability (ISA 240.30(c)) was almost entirely absent. If your fraud response section looks identical across all engagements – same sample sizes, same journal entry selection criteria, same timing – the unpredictability requirement is not met.

One additional data point from the AFM’s 2024 sector data: only 11% of statutory audits at non-PIE firms identified at least one fraud risk beyond the presumed risks of management override and revenue recognition. At PIE firms, that figure was 30%. The AFM’s interpretation is clear. Non-PIE firms are under-identifying client-specific fraud risks, which means the procedures built on those risk assessments are under-designed from the start.

Consulting rates and what they signal

The AFM’s State of the Auditing and Reporting Industry 2025 report (published November 2025 as a supplement to Trend Monitor 2026) included new data on how often statutory auditors consult their firm’s professional practice department. In 2024, consultations occurred in an average of 32% of statutory audits at non-PIE firms. Large non-PIE firms consulted on 40% of engagements. Small non-PIE firms consulted on 14%.

A 14% consulting rate at small firms does not mean 86% of their engagements are straightforward. It signals that auditors at small firms are either not recognising situations that warrant consultation or are not requesting it when they should. The AFM has been tracking this metric since 2022, and the gap between large and small firms has persisted.

ISQM 1.34(c)(ii) requires firms to establish policies and procedures for consultation on difficult or contentious matters. The obligation runs both ways. The firm must make consulting resources available, and the engagement partner must use them when the situation calls for it. A going concern assessment on a client with a declining current ratio, a first-time CSRD engagement, a complex revenue recognition policy, a related party transaction with a management-controlled entity – these are all situations where the standard expects consultation.

The AFM also reported that small non-PIE firms hired an average of 1.0 FTE for professional practice support in 2024, up from 0.7 FTE in 2022. The investment is increasing, but from a low base. For firms with fewer than five partners, the practical option is often external consultation through the NBA or SRA professional practice desks. The AFM noted that the percentage of non-PIE firms using NBA and SRA consultation services is increasing.

Private equity in the audit sector

The AFM published a report in April 2025 titled “Private equity in the auditing industry: public interest under pressure.” The key statistic: approximately 30% of statutory audits at non-PIE firms are now performed by firms with private equity involvement, up from previous years.

The AFM’s concern is structural. Private equity ownership introduces return-on-investment pressure that may conflict with the public interest obligations of statutory audit. The AFM gave greater weight to the risks than the opportunities. The specific risk the AFM identified: pressure on fee levels, pressure on partner and staff time per engagement, and pressure to grow revenue (through advisory or non-audit services) in ways that could compromise independence.

For auditors at PE-backed firms, the practical implication is to document independence assessments with extra care and ensure that time budgets on statutory audits are not being compressed below the level needed to perform the required procedures. For auditors at non-PE firms competing for the same clients, the implication is different: PE-backed firms may be pricing statutory audits aggressively, and the AFM is watching whether that pricing reflects the actual cost of a quality audit.

Worked example: Jansen & Partners Accountants

Jansen & Partners Accountants is a fictional regular-licence (non-PIE) audit firm in Amersfoort with four partners and 22 staff. The firm performs 85 statutory audits per year. The engagement partner is reviewing one file after reading the AFM’s 2024–2025 findings.

1. EQCR check

The engagement is the statutory audit of Kuiper Logistics B.V. (€28M revenue, 95 employees). The firm’s EQCR policy triggers a review for any engagement with revenue above €20M. The EQC reviewer (a partner not involved in the engagement) signed the EQCR completion form with a single line: “Reviewed and approved.” No documentation of which working papers were inspected.

Documentation fix

Reopen W/P Q1 (EQCR). Document that the reviewer inspected W/P B4 (revenue testing), W/P C2 (going concern), and W/P D1 (management representations). For each, record the specific evidence evaluated and the conclusion on sufficiency. If the reviewer did not inspect these papers, the EQCR must be re-performed before the opinion is signed.

2. Fraud risk assessment

The file identifies two presumed fraud risks (management override per ISA 240.31, revenue recognition per ISA 240.27). No client-specific fraud risks are identified. Kuiper Logistics operates a cash-intensive parcel delivery division and has a management-controlled related party (Kuiper Transport Holding B.V.) through which intercompany charges flow.

Documentation fix

Add to W/P A5 (Fraud Risk Assessment) a client-specific fraud risk: misstatement of intercompany charges between Kuiper Logistics B.V. and Kuiper Transport Holding B.V. due to management’s ability to set transfer prices without independent oversight. Design a specific procedure: agree a sample of intercompany invoices to underlying delivery records and compare pricing to arm’s-length benchmarks. This addresses ISA 240.32’s requirement for procedures responsive to the assessed risk.

3. Journal entry testing

The current journal entry test selected 25 entries based on materiality and round-number criteria. For each entry, the working paper records the description, amount, posting date, and a tick mark. No source documents are referenced. No assessment of business rationale appears.

Documentation fix

For each selected journal entry in W/P A6, add a column: “Source document verified” and “Business rationale consistent with auditor’s understanding (Y/N).” Re-perform the test for the 25 selected entries, verifying each against the source document and assessing whether the entry is consistent with the auditor’s knowledge of the entity’s operations. This is what ISA 240.33(a) requires.

4. Unpredictability

The fraud procedures section is identical to last year’s file. Same sample sizes, same selection criteria, same timing (all performed during the January fieldwork visit).

Documentation fix

Add one unpredictable procedure. Perform a surprise visit to the parcel delivery depot in February (after fieldwork concludes) to verify that the physical inventory of undelivered parcels matches the system records. Document the rationale in W/P A5: “Unpredictable procedure per ISA 240.30(c) designed to address the risk that management could manipulate period-end delivery records.” The procedure takes half a day. The deterrent value is worth more than the evidence it produces.

After these four corrections, the file addresses the AFM’s most common findings directly. Total additional time: approximately 1.5 days across the EQCR, fraud risk documentation, and journal entry re-testing.

What to fix on your next engagement

  1. Review your firm’s EQCR policy against ISQM 1.34(d) and (f). If the policy does not define which engagements require review, what the reviewer must evaluate, and what competencies the reviewer needs, flag it to the quality management partner. This is a firm-level fix. Do not wait for the next AFM inspection cycle.
  2. Add at least one client-specific fraud risk beyond the two presumed risks on every file. If you cannot identify one, document why (with reference to the entity’s operations, related party structure, and incentive pressures). A blank client-specific fraud risk section is the fastest way to draw an AFM finding.
  3. For journal entry testing, verify each selected entry against source documents and document the business rationale assessment. A tick mark next to a description is not evidence under ISA 240.33(a).
  4. Add one unpredictable procedure per engagement. It does not need to be elaborate. A site visit at an unexpected time, a confirmation sent to a party not usually confirmed, a substantive test performed at an interim date when the client expects year-end only. Document the rationale under ISA 240.30(c).
  5. If you are at a small firm with a consulting rate below 20%, increase the rate. Consult on any going concern assessment where indicators exist, any first-time CSRD engagement, and any significant related party transaction. Use the NBA or SRA professional practice desk if your firm does not have internal capacity.

Common mistakes

  • Signing off the EQCR without inspecting underlying audit evidence. The AFM’s 2024 thematic review found this in 87% of non-PIE EQCRs. A sign-off without documented evaluation of the evidence is not an EQCR under ISQM 1.
  • Running identical fraud procedures across all engagements without adapting them to the specific client. The AFM’s fraud risk report identified this as the most frequent deficiency. ISA 240.32 requires procedures responsive to the assessed risk, which by definition must vary between clients.
  • Identifying zero client-specific fraud risks. The AFM’s 2024 sector data showed only 11% of non-PIE statutory audits identified at least one fraud risk beyond the presumed risks. For a portfolio of 85 engagements, that rate implies most files are under-assessing fraud risk.

Related products

ISAE 3402 Workbook → · ISA 240 Toolkit →

Get practical audit insights, weekly.

No exam theory. Just what makes audits run faster.

No spam — we're auditors, not marketers.

Related tools and reading

Put audit concepts into practice with these free tools:

Materiality Calculator
ISA 320
Going Concern Checklist
ISA 570

Related guides:

What Dutch Audit Firms Need to Know About AFM Inspections
How files are selected, what inspectors check, and how to prepare
ISA 220: Quality Management for an Audit of Financial Statements
Engagement-level quality management requirements
ISA 315: Identifying and Assessing the Risks of Material Misstatement
Risk assessment procedures and understanding the entity

Frequently asked questions

What percentage of non-PIE EQCRs did the AFM find insufficient in 2024?

The AFM found that 26 of 30 EQCRs at non-PIE firms (87%) had insufficient depth. In 25 of those 26, the EQCR provided insufficient assurance that audit evidence was adequate. At 13 of the 15 assessed non-PIE firms, the firm’s EQCR policy itself was inadequate under ISQM 1.34(d).

How many non-PIE statutory audits had fraud risk findings in the AFM’s review?

The AFM found one or more findings in 17 of 20 non-PIE statutory audits reviewed. The most common deficiencies were shallow journal entry testing, identical fraud procedures across all engagements, and the absence of unpredictable audit procedures under ISA 240.30(c).

What is the consulting rate gap between large and small non-PIE audit firms?

In 2024, large non-PIE firms consulted their professional practice department on 40% of statutory audits. Small non-PIE firms consulted on only 14%. The AFM has tracked this gap since 2022, and it has persisted. A 14% consulting rate signals that auditors at small firms may not be recognising situations that warrant consultation.

What did the AFM find about private equity involvement in the audit sector?

The AFM reported that approximately 30% of statutory audits at non-PIE firms are now performed by firms with private equity involvement. The AFM’s concern is that PE ownership introduces return-on-investment pressure that may conflict with public interest obligations, including pressure on fee levels, partner and staff time per engagement, and revenue growth through non-audit services.

Source references

  • AFM EQCR Thematic Review (March 2024): Assessment of 52 engagement quality control reviews across 21 audit firms.
  • AFM Fraud Risk Procedures Report (2025): Findings on audit procedures addressing fraud risks across non-PIE and PIE statutory audits.
  • AFM State of the Auditing and Reporting Industry 2025: Sector data including consulting rates, fraud risk identification, and PE involvement.
  • AFM Private Equity Report (April 2025): “Private equity in the auditing industry: public interest under pressure.”

This guide reflects AFM supervisory publications and data through early 2026. The AFM’s approach continues to evolve. Always consult the AFM’s most recent publications for current supervisory priorities. This content is for educational purposes and does not constitute legal or professional advice.

Last reviewed: February 2026 · Source: AFM thematic reports 2024–2025, AFM Trend Monitor 2026