Key Points
- Every audit firm performing statutory audits in the Netherlands must hold a Wta licence issued by the AFM.
- The AFM operates a two-tier licence system: a regular licence for non-PIE statutory audits and a PIE licence carrying additional independence, rotation, and governance requirements.
- In 2024, the engagement quality control review (EQCR) policy was inadequate at 13 of 15 assessed non-PIE firms, according to AFM data.
- The AFM can withdraw a licence, impose fines, or publish enforcement actions if quality falls below statutory thresholds.
What is AFM (Autoriteit Financiele Markten)?
The AFM derives its audit supervision mandate from the Wta, which transposes the EU Audit Directive (2006/43/EC, as amended by Directive 2014/56/EU) into Dutch law. Any firm that signs a statutory audit opinion on a Dutch entity's financial statements needs an AFM-issued Wta licence. The licence application requires evidence of a functioning quality management system, adequately trained staff, and a governance structure that protects audit quality from commercial pressures.
For PIE auditors (firms auditing listed companies, banks, or insurers designated as "organisaties van openbaar belang"), the AFM applies a stricter supervision regime. EU Regulation 537/2014 adds mandatory firm rotation, audit committee pre-approval of non-audit services, and transparency reporting. Non-PIE firms face fewer structural requirements but are still subject to thematic reviews and individual engagement inspections. The AFM's 2025 State of the Auditing and Reporting Industry report confirmed that only 11% of statutory audits at non-PIE firms identified at least one fraud risk, a figure the AFM continues to flag as low.
Supervision sits alongside (not above) the NBA's professional conduct oversight. The AFM inspects firm-level quality systems and engagement files. The NBA handles individual practitioner discipline. For firms subject to ISQM 1, the AFM's inspection of the quality management system is the external test of whether the firm's own monitoring process actually works.
Worked example
Client context: Van der Berg Logistics B.V. is a Dutch transport and logistics company, FY2025, revenue EUR 19M, reporting under Dutch GAAP (RJ). The audit is performed by a mid-sized non-PIE firm holding a regular Wta licence.
Step 1 — Confirm the firm's licence status
Before accepting the engagement, the engagement partner verifies that the firm's regular Wta licence is current in the AFM's public register. Van der Berg is not a PIE, so a regular licence suffices. The partner also confirms that the firm's professional liability insurance meets the Bta (Besluit toezicht accountantsorganisaties) minimums.
Documentation note: record the licence verification date, the AFM register reference number, and the insurance policy details in the engagement acceptance file. Cross-reference to the firm's annual compliance declaration under Wta Article 15.
Step 2 — Apply the EQCR policy
The firm's quality management system requires an engagement quality control review for all engagements above EUR 10M revenue. Van der Berg's EUR 19M revenue triggers the review. The engagement quality reviewer is appointed before fieldwork begins and is independent of the engagement team.
Documentation note: record the EQCR appointment, the reviewer's independence confirmation, and the date of appointment. The AFM's 2024 inspection found EQCR policies inadequate at 13 of 15 non-PIE firms assessed; the file should demonstrate that the firm's policy addresses the specific deficiencies the AFM identified (scope of review, timing of involvement, documentation of conclusions).
Step 3 — Prepare for a potential AFM inspection
The engagement partner ensures that the audit file is inspection-ready by the archive deadline (60 days after the audit report date under NV COS). The working papers cross-reference NV COS requirements (the Dutch application of the ISAs) at each significant judgment point. The fraud risk assessment documents why revenue recognition was or was not identified as a presumed risk, given the AFM's stated 2026 priority of promoting fraud detection.
Documentation note: include a separate fraud risk summary memo referencing ISA 240.26–27 (as applied through NV COS). Record the rationale for each fraud risk identified or rebutted, with specific reference to the entity's industry characteristics and known logistics-sector fraud patterns.
Step 4 — Respond to AFM findings if selected
If the AFM selects the Van der Berg engagement for inspection, the firm must provide full access to the audit file within the AFM's requested timeframe. Any findings result in a draft report to which the firm can respond before the AFM finalises its conclusions. Serious deficiencies can escalate to enforcement measures including licence conditions or (in extreme cases) licence withdrawal.
Documentation note: maintain a log of all AFM correspondence related to the engagement. If the AFM issues findings, document the firm's response and any remedial actions taken, linking them to updates in the firm's ISQM 1 monitoring cycle.
Conclusion: the audit file for Van der Berg demonstrates compliance with the Wta licence conditions because each significant judgment is cross-referenced to NV COS, the EQCR is documented before fieldwork, and the fraud risk assessment addresses the AFM's current inspection priorities.
Why it matters in practice
- The AFM's 2024 thematic review of non-PIE firms found that the depth of the engagement quality control review was insufficient in 26 of 30 assessed EQCRs. The most common gap was the reviewer signing off without evaluating the key audit judgments (going concern assessment, fraud risk conclusions, materiality determination). ISQM 2.25 requires the reviewer to evaluate significant judgments, not simply confirm that the file is complete.
- Smaller non-PIE firms frequently treat the Wta licence as a one-time registration rather than an ongoing compliance obligation. The AFM monitors compliance continuously through data submissions (the SRA/AFM annual questionnaire) and can initiate an inspection at any time. Firms that delay updating their quality management system after an ISQM 1 gap miss the point: the AFM evaluates the system as it operates, not as it was designed on paper.
AFM vs. NBA
| Dimension | AFM | NBA |
|---|---|---|
| Legal basis | Wta (Wet toezicht accountantsorganisaties) | Wet op het accountantsberoep (Wab) |
| Supervisory focus | Audit firm quality systems, engagement files, firm governance | Individual practitioner conduct, professional ethics, continuing education |
| Scope | Only firms performing statutory audits (wettelijke controles) | All registered accountants (RA and AA title holders), including those not in audit |
| Enforcement tools | Licence conditions, fines, licence withdrawal, publication of decisions | Disciplinary proceedings, suspension or removal from the register, reprimands |
| Relationship to ISAs | Inspects compliance with NV COS (Dutch-applied ISAs) at engagement level | Sets professional standards through the NBA's standard-setting board |
The distinction matters on every Dutch statutory audit engagement. The AFM evaluates whether the firm's system produced a quality audit. The NBA evaluates whether the individual practitioner acted professionally. A firm can pass an AFM inspection while an individual partner faces NBA disciplinary proceedings, or vice versa.
Related terms
Frequently asked questions
Do non-PIE audit firms in the Netherlands need an AFM licence?
Yes. Any firm performing statutory audits (wettelijke controles) under Dutch law needs a Wta licence from the AFM, regardless of whether the client is a PIE. The licence type differs: non-PIE firms hold a regular licence, while PIE auditors need a PIE licence with additional requirements. Wta Article 5 sets out the application criteria for both licence types.
What happens if the AFM finds deficiencies in an audit file?
The AFM issues a draft report with findings and gives the firm an opportunity to respond. If deficiencies are confirmed, consequences range from informal corrective measures (requiring the firm to update its quality system) to formal enforcement actions including fines, licence conditions, or licence withdrawal. Wta Article 48 provides the AFM's sanctioning powers. Publication of enforcement decisions is standard practice.
How often does the AFM inspect non-PIE audit firms?
The AFM does not follow a fixed inspection cycle for non-PIE firms. Inspections are risk-based: the AFM selects firms and engagements based on data analysis, complaints, and thematic priorities. The 2025 State of the Auditing and Reporting Industry report indicated that consultation occurred in 32% of statutory audits at non-PIE firms, suggesting the AFM monitors engagement-level data continuously to identify outliers.