Top Audit Quality Findings Across European Regulators: What the AFM, FRC, and IFIAR Keep Flagging

How European audit inspection works (and why it matters for your file)

European audit oversight operates through a network of national competent authorities that inspect audit firms under the EU Audit Directive (2014/56/EU) and Audit Regulation (537/2014). In the Netherlands, the AFM supervises PIE audit firms directly and delegates non-PIE supervision to the SRA and NBA. In the UK (post-Brexit, operating outside the EU framework), the FRC inspects Tier 1 firms (BDO, Deloitte, EY, Forvis Mazars, KPMG, PwC) and publishes individual firm reports annually. IFIAR coordinates internationally, publishing an annual survey that aggregates inspection findings from over 50 member regulators.

For a non-Big Four European auditor, the relevant inspection body depends on your jurisdiction and your client base. If you audit PIE entities in the Netherlands, the AFM reviews your files. If you audit non-PIE entities, the SRA or NBA’s quality review programme applies.

The practical value of reading these reports isn’t compliance anxiety. It’s the specificity. The FRC doesn’t just say “improve your audit of estimates.” It publishes examples of what it found: weak challenge of management assumptions, insufficient evaluation of alternative outcomes, failure to test the accuracy of underlying data. These are procedures you can add to your working papers before the next inspection cycle. The findings function as a free, regulator-curated list of what your file needs to survive scrutiny.

The findings that appear in every European regulator report

When you read the FRC’s 2025 Annual Review, the AFM’s reporting, and IFIAR’s 2024 survey side by side, the overlap is striking. The deficiency areas that appear across all of them, year after year, fall into a consistent set.

Accounting estimates and judgements

The FRC’s 2025 review identified this as the most common finding area for Tier 1 firms, with deficiencies most often linked to weaknesses in evaluating key assumptions and challenging management’s judgements. IFIAR’s global survey found the same. The AFM’s historical inspection data consistently pointed to estimates as the primary driver of inadequate files. ISA 540 (Revised) was supposed to address this by requiring a more granular risk assessment for each estimate. The standard is now embedded, but the findings haven’t disappeared.

Revenue

The FRC’s 2025 review flagged revenue findings including issues with contract testing, data analytics, and data input testing. European regulators focus less on IT application controls (which dominate PCAOB revenue findings) and more on the auditor’s testing of contract terms against recognition criteria. Under IFRS 15, the question is whether the auditor tested that each performance obligation was satisfied at the point of recognition. The FRC finds gaps when auditors confirm the total contract value but don’t test the timing.

Going concern

The AFM’s 2025 State of the Industry report identified going concern as the most consulted topic at PIE audit firms (16.1% of all consultations) and second-most at non-PIE firms. The FRC has flagged going concern in every annual review since at least 2020. The finding is consistently about the auditor’s evaluation of management’s assessment: did you evaluate whether management considered all relevant events and conditions? Did you test the underlying assumptions in management’s cash flow forecast? Did you evaluate whether the going concern period was sufficient (at least twelve months from the date of the auditor’s report, not the balance sheet date)? ISA 570.16 requires this. Regulators still find files where the going concern working paper is a checklist with ticked boxes and no evidence of the auditor’s own assessment.

Journal entry testing

The FRC’s 2025 review identified journal testing as a common finding area. ISA 240.32 requires the auditor to test the appropriateness of journal entries recorded in the general ledger. Regulators find deficiencies when the auditor uses generic selection criteria (all entries above a threshold) instead of criteria designed to identify entries with fraud risk characteristics. ISA 240.A44 provides examples: entries made at unusual times, entries to seldom-used accounts, entries made by individuals who don’t normally make journal entries. If your selection criteria don’t target at least two of these characteristics, expect the finding.

General IT controls

Both the FRC and IFIAR have flagged GITCs as a recurring area. The issue isn’t that auditors don’t test GITCs. It’s that the GITC testing isn’t connected to the reliance on IT application controls. If you conclude that access controls over the ERP system are ineffective, but then rely on an automated revenue reconciliation produced by that same system, the audit logic is broken. ISA 315.A147 links IT controls to the controls that depend on them. Regulators test that linkage.

Accounting estimates: the most common finding and the hardest to fix

ISA 540 (Revised) requires auditors to identify and assess the risks of material misstatement for each accounting estimate, and then design audit procedures that respond to those risks at the assertion level. The FRC’s findings suggest that many audit teams perform the risk assessment but then apply the same procedures regardless of the risk level. A low-risk estimate gets the same depth of work as a high-risk estimate. ISA 540.13 explicitly requires the response to be proportionate to the risk.

The specific FRC findings concentrate on three procedural gaps.

Challenge of management

ISA 540.A130 describes the concept of “stand back” evaluation: after performing detailed testing, the auditor steps back and evaluates whether the estimate is reasonable or whether indicators of possible management bias exist. The FRC finds audits where the challenge is absent. The auditor accepts management’s assumptions without testing whether alternative assumptions would produce a materially different result. For an impairment test, this means running the model with the auditor’s own estimate of a key input (the discount rate, the long-term growth rate) and comparing the output. If management used a 9% discount rate and you didn’t test what happens at 10% or 11%, you haven’t challenged the assumption.

Evaluating the range of reasonable outcomes

ISA 540.A11 permits auditors to develop a point estimate or a range of reasonable outcomes. The FRC finds that some auditors develop a range but don’t evaluate where management’s estimate falls within it. If management’s estimate sits at the most favourable end of the range, that’s a potential indicator of management bias under ISA 540.32. Noting that management’s estimate is “within the range” isn’t enough if the range is wide and management consistently picks the favourable end.

Testing the underlying data

ISA 540.18 requires testing the completeness and accuracy of data used in the estimate, as well as its relevance to the calculation. For provisions, this might mean testing that the claims data feeding the provision model is complete by reconciling to an independent source. For expected credit losses, it means testing that the historical loss rates are calculated from complete and accurate data. The FRC finds auditors who test the model logic but not the data inputs. A model with perfect logic and incomplete data still produces the wrong answer.

Going concern: where scepticism gaps become inspection findings

Going concern findings persist because the standard requires something auditors find uncomfortable: forming a view on whether the entity will survive, using information that is inherently uncertain. ISA 570.16 requires the auditor to evaluate management’s assessment of the entity’s ability to continue as a going concern. ISA 570.A2 lists indicators: financial indicators (net liability position, negative operating cash flows, inability to pay creditors on due dates), operating indicators (loss of key management, loss of a major market), and others.

The AFM’s data on consultation frequency tells you where Dutch firms struggle. Going concern is the topic PIE audit firms consult on most often. The problem regulators find is when the judgement is hard but the file doesn’t reflect that difficulty. A going concern assessment that concludes “no material uncertainty” in two paragraphs, for a client with a current ratio below 1.0 and a covenant breach waiver, isn’t credible as audit documentation.

Worked example: addressing the FRC’s recurring findings at Dijkstra Logistics B.V.

Client scenario: Dijkstra Logistics B.V. is a Dutch freight forwarding and warehousing company. Annual revenue: €67 million. The company has a significant goodwill balance (€8.2 million) from the acquisition of a Belgian subsidiary in 2021. Revenue recognition involves long-term warehousing contracts with variable consideration (storage fees vary by volume). The company reports under Dutch GAAP (RJ). Cash flow from operations turned negative in Q4 2025 due to the loss of a major customer representing 12% of revenue. Fiscal year end: 31 December 2025.

1. Addressing the accounting estimates finding: goodwill impairment

Dijkstra management performed an impairment test using a discounted cash flow model with a discount rate of 8.5%, a five-year revenue growth assumption of 4% per annum, and a terminal growth rate of 2%. Test the data inputs first. Verify that the base-year cash flows used in the model reconcile to the audited financial data of the Belgian subsidiary. Then challenge the assumptions. The 4% growth rate assumed the major customer would continue. That customer left.

Request a revised forecast from management that excludes the lost customer. Run the model at management’s 8.5% discount rate with the revised forecast, and then run it at 9.5% and 10.5% to assess the sensitivity. If the headroom (the difference between the recoverable amount and the carrying amount) disappears at 10.5%, the estimate has high estimation uncertainty and your file needs to reflect that under ISA 540.13 (or RJ 121 for Dutch GAAP).

2. Addressing the going concern finding

Negative operating cash flow combined with the loss of a major customer triggers ISA 570.A2 indicators. Don’t treat this as a checklist exercise. Document the specific events: operating cash flow was negative €1.2 million in Q4 2025. Management’s mitigation plan states they expect to replace 60% of the lost revenue through existing pipeline opportunities by Q3 2026.

Test this. Inspect the pipeline documentation: are there signed letters of intent? Binding contracts? Or just internal sales forecasts? If the pipeline is speculative, the mitigation plan doesn’t meet the “feasible” standard ISA 570 requires.

3. Addressing the journal entry testing finding

Design your journal entry selection criteria around ISA 240.A44. For Dijkstra, relevant criteria include: entries posted in the final week of December and the first week of January (period-end timing), entries posted by individuals outside the finance team (unusual preparer), entries to the goodwill or impairment accounts (infrequently used accounts), and revenue entries without a matching customer invoice reference (entries inconsistent with normal business processes). Don’t select journals based solely on a monetary threshold.

4. Addressing the revenue finding

Dijkstra’s warehousing contracts include variable consideration tied to storage volumes. Under RJ 270, revenue recognition for variable consideration requires estimating the amount of consideration to which the entity expects to be entitled. Test the estimation methodology: does management accrue revenue based on actual volumes each month, or does it estimate volumes in advance and true up quarterly? If the latter, test the accuracy of the estimates by comparing prior-quarter estimates to actuals. A systematic pattern of over-estimation is a bias indicator.

ISQM 1 at non-Big Four firms: what regulators found in the first full cycle

The 2024/25 inspection cycle was the first where the FRC inspected firms solely under ISQM (UK) 1. The FRC’s 2025 review noted that implementation was more challenging for firms outside Tier 1, particularly regarding monitoring and remediation processes.

ISQM 1.37 requires firms to establish a monitoring and remediation process that includes monitoring the system of quality management (SoQM), evaluating findings, identifying deficiencies, evaluating the severity of deficiencies, and remediating them. The FRC found that some non-Tier 1 firms performed monitoring (cold file reviews, root cause analysis) but didn’t connect the monitoring findings to their annual SoQM evaluation. A firm that found going concern deficiencies in three cold file reviews but then concluded its SoQM was operating effectively has a disconnect that regulators will challenge.

The AFM’s 2025 State of the Industry report observed that PIE audit firms deployed more FTEs for professional practice in 2024 (averaging 66.6, up from 56.7 in 2023). This increase reflects the additional work ISQM 1 requires, particularly around monitoring, root cause analysis, and the annual SoQM evaluation. Non-PIE firms with fewer resources face the same standard with less capacity.

Practical checklist for your current engagement

1. Test key assumptions for high-risk estimates. For every high-risk accounting estimate, test at least one key assumption by developing an independent expectation or range. Document the sensitivity analysis showing what happens when the assumption moves by a reasonable amount. Reference ISA 540.13.
2. Separate going concern identification from evaluation. List every relevant ISA 570.A2 indicator considered. For each indicator present, document the evidence you obtained about management’s response separately from the identification step.
3. Design fraud-targeted journal entry criteria. Target at least two ISA 240.A44 fraud risk characteristics. Don’t rely solely on monetary thresholds. Document the criteria and their rationale in the fraud risk working paper.
4. Test revenue estimation accuracy. For revenue on contracts with variable consideration, compare management’s estimates to actuals for prior periods to test estimation accuracy and identify potential bias. Reference IFRS 15.56 or the applicable local GAAP standard.
5. Connect ISQM 1 monitoring to your SoQM conclusion. If your firm performed cold file reviews during the year, verify that the findings are reflected in the annual ISQM 1 evaluation. Any recurring deficiency area must appear in the remediation plan with specific actions and timelines.

Common mistakes

• Accepting management’s impairment model without sensitivity analysis. The FRC has identified this as a recurring finding across every inspection cycle. ISA 540 requires the auditor to evaluate the reasonableness of assumptions, not just verify the mathematical accuracy of the model.
• Treating going concern as a checklist exercise. The AFM’s consultation data shows going concern is the hardest judgement for Dutch PIE audit firms. If it’s hard enough to consult on, it’s too hard for a ticked-box working paper. ISA 570 requires documented evidence of the auditor’s own assessment.
• Journal entry testing based only on size. ISA 240.A44 requires criteria targeting fraud risk characteristics. The FRC and IFIAR both flag this annually. Selection criteria must include at least period-end timing and unusual preparer characteristics.

Related Ciferi content

Related guides:

Put audit concepts into practice with these free tools:

Frequently asked questions

Further reading and source references

• FRC Annual Review of Audit Quality (July 2025): the source for UK Tier 1 firm inspection findings referenced throughout this guide.
• AFM State of the Auditing Industry (2025): the Dutch regulator’s report covering PIE and non-PIE consultation data and quality trends.
• IFIAR Survey of Inspection Findings (2024): the global aggregation of audit inspection results from over 50 member regulators.
• ISA 540 (Revised), Auditing Accounting Estimates and Related Disclosures: the standard governing the risk assessment and audit response for estimates.
• ISA 570 (Revised 2024), Going Concern: the forthcoming standard requiring separation of event identification from mitigation evaluation.
• ISQM 1, Quality Management for Firms that Perform Audits or Reviews of Financial Statements: the standard governing the system of quality management, including monitoring and remediation.