AFM Inspection Findings 2025: What Non-PIE Audit Firms Need to Know

How the AFM collects and uses non-PIE audit data

Since 2022, non-PIE audit firms have been required to complete questionnaires for each statutory audit (Wta Article 21). The AFM uses this data to identify and address quality risks across the sector. Data quality has improved rapidly: the percentage of submissions with one or more data quality deviations dropped from 34% in Q2 2023 to 7% by Q3 2024, and has stayed at 7% through Q3 2025.

This isn't a paper exercise. The AFM explicitly designed this system to support risk-based selection of firms for inspection. Firms with outlier data points on fraud risk identification, consultation rates, or independence threats are more likely to receive attention. The State of the Auditing and Reporting Industry 2025 publication sits alongside the AFM's Trend Monitor 2026, which covers broader risks including private equity in the audit sector and the CSRD readiness gap.

Two broader developments make this data even more significant. First, private equity now accounts for approximately 30% of the non-PIE audit market (excluding the Big 6), and the AFM explicitly warned in April 2025 that return-driven growth pressure may compromise statutory audit quality. Second, the number of companies subject to the CSRD is expanding from 95 (financial year 2024) to over 3,000 from financial year 2025. Non-PIE firms performing assurance on sustainability reports need capacity and expertise they may not yet have. Both factors increase the AFM's interest in whether non-PIE firms' quality management systems are keeping pace with the engagements they're accepting.

Market share: non-PIE firms now control 40% of revenue

Non-PIE audit firms' share of revenue from statutory audits of non-PIE clients increased from 18% in 2014 to 40% in 2024, according to the AFM's State of the Auditing and Reporting Industry 2025. Total revenue from these engagements rose from €678 million in 2014 to €1,485 million in 2024. Four audit firms from other EU Member States have also registered with the AFM since 2023, adding a small but notable cross-border element to the Dutch market.

Non-PIE firms now perform a significant portion of the statutory audit market, and the AFM's supervisory resources are following the revenue. Amended size criteria (effective 13 March 2024, raising the asset threshold from €6 million to €7.5 million and net turnover from €12 million to €15 million under BW Article 396(1)) caused a spike in early termination notifications from 159 in 2023 to 417 in 2024, almost entirely at non-PIE firms.

Substantive versus controls-oriented: what the data shows

The percentage of statutory audits performed by non-PIE firms in a fully substantive manner rose to 54% in 2025, up from 48% in 2023. Medium-sized firms had the highest rate at 55%, compared to 52% for large firms and 43% for small firms.

This matters for two reasons. First, a fully substantive approach on a larger engagement (one where internal controls exist and could be relied upon) may signal that the firm lacks the capability or confidence to test controls. Second, the AFM tracks this as a data point. A firm that switches from controls-reliance to fully substantive without a documented rationale visible in the file creates an inspection risk.

Independence threats: concurrent services dominate

Around 60% of statutory audits at non-PIE firms had at least one identified independence threat over the 2022 to 2025 period (ViO, Regulation on the Independence of Auditors in Assurance Engagements). Concurrent service provision appeared in 55% of engagements. Long-term involvement accounted for 18%. All other threat categories appeared in a maximum of 1% of statutory audits.

Large and medium-sized firms identify more threats than small firms. At large non-PIE firms, 64% of statutory audits had at least one threat; at medium-sized firms, 60%. Small firms reported at least one threat in only 44% of engagements. When it comes to concurrent service provision specifically, large firms flagged it in 59% of engagements, medium-sized firms in 55%, and small firms in 37%.

Lower identification rates do not earn a pass from the AFM. A small firm with zero identified threats across its portfolio will likely attract more scrutiny, not less, because it suggests the firm may not be documenting threats that exist. If you provide tax compliance, payroll, or compilation services alongside the statutory audit, concurrent service provision must appear in every relevant engagement file with a documented threat mitigation assessment.

One positive trend: the percentage of engagements with two or more threats fell from 18% in 2022 to 14% in 2025. But the overall identification rate staying flat at 60% suggests that the core threat profile of the non-PIE sector hasn't changed. Actions are preventative and documented; the underlying risks remain structural.

Fraud risk identification: small firms lag behind

The average number of fraud risks identified per statutory audit at non-PIE firms increased from 2.7 in Q2 2023 to 3.2 in Q3 2025, based on auditor's report issue dates. Large and medium-sized non-PIE firms identified more than two fraud risks in 63% and 64% of statutory audits respectively. Small firms identified more than two in only 47% of their audits.

At PIE firms, the share of engagements with more than two identified fraud risks rose from 42% in 2023 to 47% in 2024 (though this data relates to only three PIE firms with complete reporting). Both trends point in the same direction: firms across the entire market are identifying more fraud risks per engagement than they were two years ago, which likely reflects both genuine improvement in ISA 240 compliance and the awareness that the AFM is watching the numbers.

But the gap between small and larger non-PIE firms is the finding most likely to generate AFM follow-up. ISA 240.26 requires the auditor to identify and assess risks of material misstatement due to fraud. The AFM's data now makes it possible to benchmark a firm's fraud risk identification rate against the sector average. If your firm's rate sits below the small-firm average of 47%, expect questions. Revenue recognition is presumed a fraud risk under ISA 240.27 unless the auditor rebuts it with documented reasons.

Since 2022, the AFM has observed a positive trend in fraud risk identification among non-PIE firms specifically. Whether that reflects better audit procedures or better form-filling is an open question the AFM hasn't answered. For your firm, the question is simpler: can you defend your number if asked?

Root cause analysis: only 36% have a written policy

The percentage of non-PIE audit firms with a written root cause analysis policy rose from 29% in 2021 to 36% in 2024. Large firms lead at 56%. Medium-sized firms sit at 28%. Small firms also sit at 28%, with 26% having no policy at all.

This is a weak point for the sector. ISQM 1.43 requires the firm to design and implement a monitoring and remediation process that includes investigating the root causes of deficiencies. A firm that cannot point to a written policy has a documentation gap that affects the entire SoQM evaluation. The AFM now publishes this breakdown by firm size, which means your SoQM evaluator (and any future AFM inspector) can see exactly where you sit relative to the sector.

Training hours offer a brighter picture. Average training hours for RAs and AAs in audit practice at non-PIE firms rose from about 62 in 2021 to about 79 in 2024, with minimal variation across firm sizes. And the percentage of non-PIE firms with their own internal training programme focused on audit quality increased to 55% among small firms in 2024 (up from 44% in 2021). All large firms and 84% of medium-sized firms had internal programmes.

Consultations: who asks for help and on what

In 2024, an average of 32% of statutory audits at non-PIE firms involved at least one consultation. Large non-PIE firms consulted on 40% of their engagements. Small firms consulted on only 14%. At PIE firms, the average was 25%, with PIE-specific audits reaching 38%.

The top consultation topics at non-PIE firms were: the auditor's report (26.7% of all consultations), independence (22.6%), going concern (9.0%), fraud and corruption (8.0%), and complex reporting issues (7.0%). At PIE firms, the order shifts: going concern leads at 16.1%, followed by the auditor's report at 15.8%.

The AFM also tracks how firms source professional practice support. The percentage of non-PIE firms using SRA professional practice support rose from 45% in 2021 to 54% in 2024. NBA usage rose from 17% to 20% over the same period. Small firms hired an average of 1.0 FTE for professional practice support in 2024, up from 0.7 in 2022. The direction is positive but the absolute numbers remain low.

Worked example: benchmarking a mid-sized firm

Scenario: Van Loon Accountants B.V. is a medium-sized non-PIE firm with €1.8 million in revenue from statutory audits, performing approximately 95 engagements per year.

1. Fraud risk identification rate

Van Loon's average fraud risks per engagement: 2.4. The AFM sector average for medium-sized firms: above 2.7. Van Loon's rate falls below the sector average.

Documentation note: Record in the SoQM monitoring file that the firm's fraud risk identification rate is below the sector benchmark. Initiate a root cause analysis to determine whether the gap reflects genuine lower-risk clients or insufficient risk assessment procedures.

2. Independence threat identification

Van Loon identifies at least one independence threat in 48% of engagements. The AFM benchmark for medium-sized firms: 60%.

Documentation note: Flag the delta in the annual SoQM evaluation. Review a sample of engagements with zero identified threats to confirm whether the ViO assessment was performed and documented.

3. Consultation rate

Van Loon consulted on 18% of engagements. The sector average for medium-sized firms: 25%.

Documentation note: Consider whether the low rate reflects strong internal expertise or a reluctance to consult. Document the firm's consultation policy and the criteria that trigger mandatory consultation under Wta Article 17.

4. Root cause analysis policy

Van Loon has no written RCA policy.

Documentation note: Draft a two-page RCA policy covering trigger events (inspection findings, quality review failures, complaints, near-misses), methodology, required participants, and reporting. Present to the firm's quality management partner for approval and adoption.

A reviewer examining Van Loon's SoQM evaluation would see that the firm has identified four areas where it sits below sector averages and has documented a plan for each. That is defensible. A file with no benchmarking and no identified gaps is not.

Practical checklist

1. Download the AFM's State of the Auditing and Reporting Industry 2025 report and compare your firm's numbers to the published benchmarks for your size category
2. Check your fraud risk identification rate per engagement against the AFM's average of 3.2 risks (Q3 2025). If your rate is below 2.5, run a targeted review of five recent planning files to identify whether risks are being missed
3. Review your independence threat documentation for the past 12 months. If fewer than 50% of engagements identify at least one threat, investigate whether concurrent service provision and long-term involvement are being assessed and documented per the ViO
4. Confirm your firm has a written root cause analysis policy (ISQM 1.43). If not, draft one this quarter
5. If your consultation rate is below 20%, review whether your consultation policy has clear trigger criteria or whether teams are self-assessing their way out of mandatory consultations

Common mistakes

• Treating low fraud risk identification as a positive signal. The AFM's data shows that small non-PIE firms identify more than two fraud risks in only 47% of engagements, compared to 63% at large firms (AFM State of the Auditing and Reporting Industry 2025). A low number doesn't mean low risk. It may mean the ISA 240.26 assessment isn't being performed with sufficient rigour.
• Having no written root cause analysis policy and assuming verbal debriefs satisfy ISQM 1.43. Only 36% of non-PIE firms had a written policy as of 2024. The AFM tracks this data point by firm size.

Related Ciferi content

Related guides:

Put audit concepts into practice with these free tools:

Frequently asked questions

Further reading and source references

• AFM State of the Auditing and Reporting Industry 2025: The primary source for all non-PIE audit market data, fraud risk identification rates, independence threat analysis, and root cause analysis maturity discussed in this post. Published November 2025.
• AFM Trend Monitor 2026: Covers broader risks including private equity in the audit sector and the CSRD readiness gap.
• ISQM 1: Quality Management for Firms that Perform Audits or Reviews of Financial Statements. Governs root cause analysis, monitoring, and remediation requirements.
• ISA 240: The Auditor's Responsibilities Relating to Fraud. The standard governing fraud risk identification benchmarks discussed in this post.
• ViO (Verordening inzake de onafhankelijkheid van accountants bij assurance-opdrachten): The Dutch regulation governing independence requirements for auditors in assurance engagements.