The FRC’s July 2025 Annual Review of Audit Quality reported that five of six Tier 1 UK firms achieved positive outcomes on 90% or more of their inspected audits. Sounds reassuring until you look at who did not make the cut, and at what the findings actually say. BDO’s results were “significantly short of expectations,” with the number of audits requiring significant improvements doubling. IFIAR’s 2024 global survey found deficiencies in 34% of inspected audits worldwide (up from 32% in 2023), reversing a decade-long downward trend. The AFM’s 2025 State of the Auditing Industry report shows that going concern and fraud remain the most consulted topics across Dutch PIE and non-PIE firms alike.

European audit regulators (the FRC in the UK, the AFM in the Netherlands, IFIAR globally) consistently flag the same deficiency areas year after year: accounting estimates, revenue, going concern, journal entry testing, and ISQM 1 implementation at non-Tier 1 firms. I think the pattern says something uncomfortable about how the profession responds to inspection feedback. We read the reports, we run the training sessions, and the same findings come back twelve months later.

IFIAR 2024 global survey
34%
Inspected audits with deficiencies worldwide, up from 32% in 2023 — reversing a decade-long downward trend.

Key Takeaways

  • Which deficiency areas the FRC, AFM, IFIAR, and other EU national regulators identified most frequently in their 2024 and 2025 inspection cycles
  • Why the same findings recur despite the profession’s quality improvement programmes
  • How specific deficiencies translate into working paper gaps you can fix on your current engagement
  • What ISQM 1 implementation problems regulators are finding at non-Big Four firms and what to do about them

In this guide

  1. How European audit inspection works (and why it matters for your file)
  2. Findings that appear in every European regulator report
  3. Accounting estimates: the most common finding and the hardest to fix
  4. Going concern: where scepticism gaps become inspection findings
  5. Worked example: addressing the FRC’s recurring findings at Dijkstra Logistics B.V.
  6. ISQM 1 at non-Big Four firms: what regulators found in the first full cycle
  7. Practical checklist for your current engagement
  8. Common mistakes

How European audit inspection works (and why it matters for your file)

European audit oversight operates through a network of national competent authorities (NCAs) that inspect audit firms under the EU Audit Directive (2014/56/EU) and Audit Regulation (537/2014). In the Netherlands, the AFM supervises PIE audit firms directly and delegates non-PIE supervision to the SRA and NBA. In the UK (post-Brexit, operating outside the EU framework), the FRC inspects Tier 1 firms (BDO, Deloitte, EY, Forvis Mazars, KPMG, PwC) and publishes individual firm reports annually. It also oversees Tier 2 and Tier 3 firms through a separate inspection programme. IFIAR coordinates internationally, publishing an annual survey that aggregates inspection findings from over 50 member regulators.

For a non-Big Four European auditor, the relevant inspection body depends on your jurisdiction and your client base. If you audit PIE entities in the Netherlands, the AFM reviews your files. If you audit non-PIE entities, the SRA or NBA’s quality review programme applies. Either way, the findings these regulators publish tell you exactly what inspectors prioritise and where they find problems.

The practical value of reading these reports is not compliance anxiety. It is the specificity. The FRC does not just say “improve your audit of estimates.” It publishes examples of what it found: weak challenge of management assumptions, insufficient evaluation of alternative outcomes, failure to test the accuracy of underlying data, and reliance on management representations without corroborating evidence. Those are procedures you can add to your working papers before the next inspection cycle. In my view, the findings function as a free, regulator-curated list of what your file needs to survive scrutiny.

Findings that appear in every European regulator report

When you read the FRC’s 2025 Annual Review, the AFM’s reporting, and IFIAR’s 2024 survey side by side, the overlap is striking. Year after year, the same deficiency areas surface across all of them.

Accounting estimates and judgements. The FRC’s 2025 review identified this as the most common finding area for Tier 1 firms, with deficiencies most often linked to weaknesses in evaluating key assumptions and challenging management’s judgements. IFIAR’s global survey found the same. The AFM’s historical inspection data (including its 2017 report, which found insufficient evidence in 74% of inspected non-Big Four PIE audits) consistently pointed to estimates as the primary driver of inadequate files. ISA 540 (Revised) was supposed to address this by requiring a more granular risk assessment for each estimate. The standard is now embedded, but the findings have not disappeared.

Revenue. The FRC’s 2025 review flagged revenue findings including issues with contract testing and data input testing. Revenue appears in the PCAOB’s deficiency lists as well (covered in our separate post on PCAOB findings), but European regulators emphasise different problems. They focus less on IT application controls (which dominate PCAOB revenue findings) and more on the auditor’s testing of contract terms against recognition criteria. Under IFRS 15 , the question is whether the auditor tested that each performance obligation was satisfied at the point of recognition. The FRC finds gaps when auditors confirm the total contract value but do not test the timing.

Going concern. The AFM’s 2025 State of the Industry report identified going concern as the most consulted topic at PIE audit firms (16.1% of all consultations) and second-most at non-PIE firms. The FRC has flagged going concern in every annual review since at least 2020. The finding is consistently about the auditor’s evaluation of management’s assessment: did you evaluate whether management considered all relevant events and conditions? Did you test the underlying assumptions in management’s cash flow forecast? And is the going concern period sufficient (at least twelve months from the date of the auditor’s report, not the balance sheet date)? ISA 570.16 requires this. Regulators still find files where the going concern working paper is a tick box exercise with no evidence of the auditor’s own assessment.

Journal entry testing. The FRC’s 2025 review identified journal testing as a common finding area. ISA 240.32 requires the auditor to test the appropriateness of journal entries recorded in the general ledger and other adjustments made in preparing the financial statements. Regulators find deficiencies when the auditor uses generic selection criteria (all entries above a threshold) instead of criteria designed to identify entries with fraud risk characteristics. ISA 240 .A44 provides examples: entries made at unusual times, entries to seldom-used accounts, entries made by individuals who do not normally make journal entries, and entries lacking adequate supporting documentation. If your selection criteria do not target at least two of these characteristics, expect the finding.

General IT controls. Both the FRC and IFIAR have flagged GITCs as a recurring area. The issue is not that auditors skip GITC testing. It is that GITC testing is not connected to the reliance on IT application controls. If you conclude that access controls over the ERP system are ineffective, but then rely on an automated revenue reconciliation produced by that same system, the audit logic is broken. ISA 315 .A147 links IT controls to the controls that depend on them. Regulators test that linkage.

Accounting estimates: the most common finding and the hardest to fix

ISA 540 (Revised) requires auditors to identify and assess the risks of material misstatement for each accounting estimate, and then design procedures that respond to those risks at the assertion level. The FRC’s findings suggest that many audit teams perform the risk assessment but then apply the same procedures regardless of the risk level. A low-risk estimate (an accrual for a recurring expense based on a contract with fixed terms) gets the same depth of work as a high-risk estimate (an impairment model with multiple assumptions about discount rates and growth rates). ISA 540.13 explicitly requires the response to be proportionate to the risk.

FRC findings on estimates concentrate on four procedural gaps.

Challenge of management. ISA 540 .A130 describes the “stand back” evaluation: after performing detailed testing, the auditor steps back and evaluates whether the estimate is reasonable or whether indicators of possible management bias exist. The FRC finds good practice here (all Tier 1 firms had examples of effective challenge), but also finds audits where the challenge is absent. The auditor accepts management’s assumptions without testing whether alternative assumptions would produce a materially different result. For an impairment test, this means running the model with the auditor’s own estimate of a key input (the discount rate or the long-term growth rate) and comparing the output. If management used a 9% discount rate and you did not test what happens at 10% or 11%, you have not challenged the assumption.

Evaluating the range of reasonable outcomes. ISA 540 .A11 permits auditors to develop a point estimate or a range. The FRC finds that some auditors develop a range but do not evaluate where management’s estimate falls within it. If management’s estimate sits at the most favourable end, that is a potential indicator of management bias under ISA 540.32 . The auditor needs to evaluate and document that observation. Noting that management’s estimate is “within the range” is not enough if the range is wide and management consistently picks the favourable end.

Testing the underlying data. ISA 540.18 requires testing the completeness and accuracy of data used in the estimate, as well as its relevance to the calculation. For provisions, this might mean testing that the claims data feeding the provision model is complete by reconciling to an independent source. For expected credit losses (ECL), it means testing that the historical loss rates are calculated from complete and accurate data. The FRC finds auditors who test the model logic but not the data inputs. A model with perfect logic and incomplete data still produces the wrong answer.

Linking the risk assessment to the response. This is the gap that ties the other three together. ISA 540.13 requires the audit response to be proportionate to assessed risk, yet the FRC finds audit teams applying the same depth of work to a straightforward accrual and to a multi-assumption impairment model. If you cannot point to a sentence in your risk assessment that explains why you tested this estimate differently from that one, the linkage is missing.

Going concern: where scepticism gaps become inspection findings

Going concern findings persist because the standard requires something auditors find uncomfortable: forming a view on whether the entity will survive, using information that is inherently uncertain. ISA 570.16 requires the auditor to evaluate management’s assessment of the entity’s ability to continue as a going concern. ISA 570 .A2 lists indicators of events or conditions that may cast doubt: financial indicators (net liability position, negative operating cash flows) and operating indicators (loss of key management, loss of a major market).

AFM data on consultation frequency tells you where Dutch firms struggle. Going concern is the topic PIE audit firms consult on most often. That does not mean the audits are wrong. It means the judgement is hard enough that engagement teams seek help. The problem regulators find is when the judgement is hard but the file does not reflect that difficulty. A going concern assessment that concludes “no material uncertainty” in two paragraphs, for a client with a current ratio below 1.0 and a covenant breach waiver, is not credible as audit documentation. The file needs to show what events and conditions you considered and what evidence you obtained about management’s plans. Honestly, if the going concern section of your file could apply unchanged to any client in any industry, it is not doing its job.

For Dutch entities specifically, ISA 570 (Revised 2024) will change the assessment sequence when it takes effect for periods beginning on or after 15 December 2026. Under the revised standard, auditors must identify events and conditions on a gross basis before evaluating management’s mitigating plans. If your current files merge identification and mitigation into a single step, you will need to restructure your approach.

Worked example: addressing the FRC’s recurring findings at Dijkstra Logistics B.V.

Client scenario: Dijkstra Logistics B.V. is a Dutch freight forwarding and warehousing company. Annual revenue: €67 million. The company has a significant goodwill balance (€8.2 million) from the acquisition of a Belgian subsidiary in 2021. Revenue recognition involves long-term warehousing contracts with variable consideration (storage fees vary by volume). The company reports under Dutch GAAP (RJ). Cash flow from operations turned negative in Q4 2025 due to the loss of a major customer representing 12% of revenue. Fiscal year end: 31 December 2025.

1. Addressing the accounting estimates finding: goodwill impairment.

Dijkstra management performed an impairment test using a discounted cash flow (DCF) model with a discount rate of 8.5% and a five-year revenue growth assumption of 4% per annum (terminal growth rate of 2%). Test the data inputs first. Verify that the base-year cash flows used in the model reconcile to the audited financial data of the Belgian subsidiary. Then challenge the assumptions. The 4% growth rate assumed the major customer would continue. That customer left. Request a revised forecast from management that excludes the lost customer. Run the model at management’s 8.5% rate with the revised forecast, and then run it at 9.5% and 10.5% to assess the sensitivity. If the headroom (the difference between the recoverable amount and the carrying amount) disappears at 10.5%, the estimate has high estimation uncertainty and your file needs to reflect that under ISA 540.13 (or RJ 121 for Dutch GAAP).

Documentation note: Record the impairment test procedures in a dedicated working paper. State the discount rate range tested, the source of the base-year data, the impact of the customer loss on forecast revenue, and your conclusion on whether the carrying amount exceeds the recoverable amount. If headroom is thin, document your evaluation of whether a provision or additional disclosure is required.

2. Addressing the going concern finding.

Negative operating cash flow combined with the loss of a major customer triggers ISA 570 .A2 indicators. Do not treat this as a tick box exercise. Document the specific events: operating cash flow was negative €1.2 million in Q4 2025 (annualised, this would consume the company’s €3.8 million cash reserve within four years, but the going concern assessment covers the next twelve months from the date of the auditor’s report). Management’s mitigation plan states they expect to replace 60% of the lost revenue through existing pipeline opportunities by Q3 2026. Test this. Inspect the pipeline documentation: are there signed letters of intent? Binding contracts? Or just internal sales forecasts? If the pipeline is speculative, the mitigation plan does not meet the “feasible” standard ISA 570 requires.

Documentation note: Separate the identification of events and conditions from the evaluation of management’s plans. List each ISA 570 .A2 indicator considered. For each indicator present, document the evidence obtained about management’s response and your assessment of its feasibility. State your overall conclusion on whether a material uncertainty exists.

3. Addressing the journal entry testing finding.

Design your journal entry selection criteria around ISA 240 .A44. For Dijkstra, relevant criteria include: entries posted in the final week of December and the first week of January (period-end timing), entries posted by individuals outside the finance team (unusual preparer), entries to the goodwill or impairment accounts (infrequently used accounts), and revenue entries without a matching customer invoice reference (entries inconsistent with normal business processes). Do not select journals based solely on a monetary threshold. The ISA 240 requirement is about identifying entries with fraud risk characteristics, not about testing large transactions.

Documentation note: State the selection criteria used and reference the specific ISA 240 .A44 characteristics each criterion targets. If you found entries that could not be explained, describe the follow-up procedures performed.

4. Addressing the revenue finding.

Dijkstra’s warehousing contracts include variable consideration tied to storage volumes. Under RJ 270, revenue recognition for variable consideration requires estimating the amount of consideration to which the entity expects to be entitled. Test the estimation methodology: does management accrue revenue based on actual volumes each month, or does it estimate volumes in advance and true up quarterly? If the latter, test the accuracy of the estimates by comparing prior-quarter estimates to actuals. A systematic pattern of overestimation is a bias indicator.

Documentation note: Document the revenue recognition method for variable consideration contracts. State the procedures performed to test the estimation accuracy, including the comparison of estimates to actuals for at least two prior quarters. Reference RJ 270 or IFRS 15.56 as applicable.

ISQM 1 at non-Big Four firms: what regulators found in the first full cycle

2024/25 was the first inspection cycle where the FRC inspected firms solely under ISQM (UK) 1. Its 2025 review noted that implementation was more challenging for firms outside Tier 1, particularly regarding monitoring and remediation processes.

ISQM 1.37 requires firms to establish a monitoring and remediation process that includes monitoring the system of quality management (SoQM), evaluating findings, identifying deficiencies, evaluating severity, and remediating them. The FRC found that some non-Tier 1 firms performed monitoring (cold file reviews, root cause analysis) but did not connect the monitoring findings to their annual SoQM evaluation. A firm that found going concern deficiencies in three cold reviews but then concluded its SoQM was operating effectively has a disconnect that regulators will challenge.

AFM data from 2025 showed that PIE audit firms deployed more FTEs for professional practice in 2024 (averaging 66.6, up from 56.7 in 2023). This increase reflects the additional work ISQM 1 requires, particularly around monitoring and the annual SoQM evaluation. Non-PIE firms with fewer resources face the same standard with less capacity.

For non-Big Four firms, the practical takeaway is this: your annual SoQM conclusion must be supported by evidence. If your cold file reviews found recurring issues (going concern documentation and estimates testing, for example), those issues must appear in your annual evaluation and your remediation plan. If they do not, your ISQM 1 conclusion is unsupported, and that is exactly what inspectors check.

Practical checklist for your current engagement

Common mistakes

  • Accepting management’s impairment model without running sensitivity analysis on the key assumptions. The FRC has identified this as a recurring finding for estimates across every inspection cycle. ISA 540 requires the auditor to evaluate the reasonableness of assumptions, not just verify the mathematical accuracy of the model.
  • Treating the going concern assessment as a checklist rather than a substantive evaluation. AFM consultation data shows going concern is the hardest judgement for Dutch PIE audit firms. If it is hard enough to consult on, it is too hard for a ticked-box working paper. ISA 570 requires documented evidence of the auditor’s own assessment.
  • Performing journal entry testing with selection criteria based only on size. ISA 240 .A44 requires criteria targeting fraud risk characteristics. The FRC and IFIAR both flag this annually.
  • Concluding that the SoQM is operating effectively when cold file reviews found recurring deficiencies. If the monitoring evidence contradicts the conclusion, regulators will treat the ISQM 1 evaluation as unsupported.

Related content

Get practical audit insights, weekly.

No exam theory. Just what makes audits run faster.

290+ guides published20 free toolsBuilt by practicing auditors

No spam. We’re auditors, not marketers.

Related ciferi content

Related guides:

ISA 220 Quality Management Guide
Quality management for an audit of financial statements
ISA 315 Risk Assessment Guide
Identifying and assessing the risks of material misstatement
ISA 540 Accounting Estimates Guide
Auditing accounting estimates, including fair values and related disclosures

Put audit concepts into practice with these free tools:

Materiality Calculator
Overall, performance & trivial materiality
Going Concern Checklist
Severity-weighted going concern indicators

Frequently asked questions

What are the most common audit quality findings across European regulators?

Deficiency areas that appear consistently across FRC, AFM, and IFIAR reports are: accounting estimates and judgements (the most common finding area), revenue recognition, going concern assessments, journal entry testing, and general IT controls. These areas have been flagged year after year despite the profession’s quality improvement programmes.

What did IFIAR’s 2024 global survey find about audit deficiency rates?

IFIAR’s 2024 global survey found deficiencies in 34% of inspected audits worldwide, up from 32% in 2023, reversing a decade-long downward trend. This increase occurred despite continued investment in audit quality programmes across firms.

What specific ISA 540 gaps do regulators find in accounting estimates?

FRC findings concentrate on four procedural gaps: insufficient challenge of management’s assumptions (not testing alternatives), failure to evaluate where management’s estimate falls within the range of reasonable outcomes (particularly at the favourable end), testing model logic but not the completeness and accuracy of underlying data inputs, and applying the same depth of work regardless of assessed risk level.

What ISQM 1 implementation problems are regulators finding at non-Big Four firms?

Some non-Tier 1 firms performed monitoring activities but did not connect those findings to their annual SoQM evaluation. A firm that found recurring deficiencies in cold reviews but concluded its SoQM was operating effectively has a disconnect that regulators will challenge. The annual SoQM conclusion must be supported by evidence linking monitoring findings to the evaluation and remediation plan.

How will ISA 570 (Revised 2024) change the going concern assessment?

ISA 570 (Revised 2024), effective for periods beginning on or after 15 December 2026, requires auditors to identify events and conditions on a gross basis before evaluating management’s mitigating plans. This means separating the identification step from the mitigation evaluation, rather than merging them into a single assessment.

Further reading and sources

  • FRC Annual Review of Audit Quality (July 2025): the source for UK Tier 1 firm inspection findings referenced throughout this guide.
  • AFM State of the Auditing Industry (2025): the Dutch regulator’s report covering PIE and non-PIE consultation data and quality trends.
  • IFIAR Survey of Inspection Findings (2024): the global aggregation of audit inspection results from over 50 member regulators.
  • ISA 540 (Revised), Auditing Accounting Estimates and Related Disclosures: the standard governing the risk assessment and audit response for estimates.
  • ISA 570 (Revised 2024), Going Concern: the forthcoming standard requiring separation of event identification from mitigation evaluation.
  • ISQM 1, Quality Management for Firms that Perform Audits or Reviews of Financial Statements: the standard governing the system of quality management, including monitoring and remediation.

This guide reflects inspection reports published through July 2025. National regulatory frameworks may differ from the general patterns described. This content is for educational purposes and does not constitute legal or professional advice.

Last reviewed: March 2026