What is COS (Controlestandaarden / Dutch Auditing Standards)?
The NBA translates each IAASB engagement standard into Dutch and publishes it as a Standaard within the NV COS. Standaard 200 through Standaard 810 correspond to ISA 200 through ISA 810. The numbering is intentionally identical so that practitioners can cross-reference the international source text. Where Dutch law or professional practice requires a deviation or supplement, the NBA inserts the additional text in italics within the relevant standard. If the Dutch requirement has no ISA equivalent at all, the NBA creates a standalone standard with an "N" suffix (Standaard 4400N for Dutch agreed-upon procedures, for example).
The Wta provides the legal basis. Article 26 requires audit firms to comply with the standards issued by the NBA when performing statutory audits. The AFM enforces compliance for OOB audit firms directly. For non-OOB firms, the SRA conducts reviews under delegation from the NBA, applying the same COS requirements. This two-track enforcement model means that a sole practitioner auditing a mid-market B.V. faces the same substantive standards as a Big 4 team auditing a listed company, though the supervisory route differs.
COS also incorporates the IAASB's review, assurance, and related services standards. Standaard 2400 covers review engagements, Standaard 3000 covers other assurance engagements, and Standaard 4410 covers compilation engagements. The scope extends beyond statutory audit into every engagement type that the NBA regulates.
Key Points
- Every statutory audit in the Netherlands must be performed under COS, not directly under ISA, even though COS mirrors the ISA numbering and content.
- Dutch-specific additions are printed in italics within each standard; a standard that is entirely unique to the Netherlands carries an "N" suffix (e.g., Standaard 700N).
- The AFM supervises COS compliance for OOB (public interest entity) audit firms and performs thematic inspections on non-OOB firms through the SRA.
- Non-compliance with COS requirements on fraud risk procedures was flagged in 17 of 20 non-OOB statutory audits reviewed by the AFM in its January 2025 inspection cycle.
Worked example: Van der Berg Logistics B.V.
Client: Dutch transport and logistics company, FY2025, revenue €19M, Dutch GAAP (RJ) reporter. The engagement team at a 25-person SRA-member firm is planning the statutory audit.
Step 1 — Identify the applicable framework
The engagement partner confirms that the audit falls under COS because Van der Berg is a Dutch legal entity subject to a statutory audit requirement under BW2 Title 9. The applicable financial reporting framework is the RJ (Richtlijnen voor de Jaarverslaggeving). Standaard 210.6 requires the engagement letter to specify that the audit will be performed in accordance with the Controlestandaarden.
Documentation note: record the legal basis for the statutory audit requirement, the financial reporting framework (RJ), and the reference to NV COS in the engagement letter per Standaard 210.6. File the signed engagement letter.
Step 2 — Apply Dutch-specific requirements in planning
Standaard 240 (fraud) mirrors ISA 240 but includes Dutch italic paragraphs requiring the auditor to consider the entity's compliance with the Wwft (anti-money laundering legislation). The engagement team adds a Wwft compliance assessment to the fraud risk discussion. Separately, Standaard 700N prescribes the format of the controleverklaring (Dutch auditor's report), including mandatory references to the BW2 Title 9 reporting framework that have no ISA equivalent.
Documentation note: record the Wwft compliance assessment performed during the fraud risk discussion per Standaard 240 (Dutch italic paragraphs). Document the planned report format per Standaard 700N, including the BW2 references.
Step 3 — Evaluate going concern under COS
Van der Berg lost its largest contract (representing €6.2M, or 33% of revenue) in October 2025. Standaard 570.10 requires the auditor to evaluate whether events or conditions exist that cast significant doubt on continuity. The team obtains management's cash flow forecast for the 12 months following the balance sheet date. The forecast shows a €1.1M funding gap in Q3 2026 unless a replacement contract is signed. Standaard 570.16 requires the auditor to evaluate management's plans and whether those plans are feasible.
Documentation note: record the identified going concern indicator (contract loss), the cash flow forecast obtained, the €1.1M funding gap, management's mitigation plan, and the team's assessment of feasibility per Standaard 570.16. Cross-reference to the engagement completion checklist required by firm policy.
Step 4 — Issue the controleverklaring
After completing fieldwork, the engagement partner concludes that a material uncertainty exists regarding going concern. Standaard 570.22 requires a separate section in the auditor's report. The controleverklaring follows the Standaard 700N format, includes the mandatory going concern paragraph per Standaard 570.22, and references BW2 Title 9 as the applicable reporting framework.
Documentation note: record the conclusion on the going concern material uncertainty, the auditor's report format per Standaard 700N, and the partner's sign-off. File the final controleverklaring with the date of issue.
Conclusion: the audit file demonstrates COS compliance at each phase (engagement acceptance, planning, fieldwork, reporting) because the team applied both the ISA-equivalent requirements and the Dutch-specific italic paragraphs, producing a controleverklaring that satisfies Standaard 700N and the Wta.
Why it matters in practice
The AFM's January 2025 supervision report found that audit procedures addressing fraud risks were insufficient in 17 of 20 non-OOB statutory audits reviewed. Auditors planned and performed standard procedures without adapting their nature, timing, and extent to the specific fraud risk identified. Standaard 240.28–30 requires the auditor to design responses that are specifically linked to the assessed fraud risks, not generic checklists applied uniformly across engagements.
Practitioners at smaller firms frequently treat the Dutch italic paragraphs in COS as optional guidance rather than binding requirements. The NV COS preamble states that italic text carrying the "N" designation has the same authority as the translated ISA text. Ignoring a Dutch italic requirement (such as the Wwft assessment within Standaard 240) exposes the firm to an SRA inspection finding on the same basis as ignoring an ISA paragraph.
COS vs. ISA
| Dimension | COS (Controlestandaarden) | ISA (International Standards on Auditing) |
|---|---|---|
| Issuing body | NBA (Royal Netherlands Institute of Chartered Accountants) | IAASB (International Auditing and Assurance Standards Board) |
| Legal authority | Binding for Dutch statutory audits under Wta Article 26 | No direct legal force; adopted by jurisdictions individually |
| Dutch-specific content | Italic paragraphs and "N"-suffix standards add Dutch requirements (Wwft, BW2 references, controleverklaring format) | None; ISA is jurisdiction-neutral |
| Numbering | Mirrors ISA numbering (Standaard 200 = ISA 200) | Original numbering |
| Enforcement | AFM for OOB firms; SRA (under NBA delegation) for non-OOB firms | Varies by jurisdiction |
The distinction matters when a Dutch audit firm also performs cross-border engagements. An audit of a Dutch entity follows COS. An audit of a German subsidiary under a group audit instruction follows ISA (or the applicable local standard). Applying ISA instead of COS on a Dutch statutory audit is non-compliant, even though the substantive requirements are nearly identical.
Frequently asked questions
Are COS and ISA the same thing?
COS mirrors ISA in numbering and content, but the two are not identical. The NBA translates each ISA into Dutch and adds country-specific requirements printed in italics. Standaard 700N, for instance, prescribes the Dutch controleverklaring format with references to BW2 Title 9 that ISA 700 does not contain. Practitioners must apply COS (not ISA directly) for any statutory audit in the Netherlands.
Does COS apply to review and compilation engagements?
Yes. The NV COS covers more than statutory audits. Standaard 2400 governs review engagements, Standaard 3000 covers other assurance engagements, and Standaard 4410 applies to compilation engagements. The scope follows the IAASB's full suite of engagement standards, each translated and supplemented with Dutch-specific requirements where relevant.
How quickly does the NBA incorporate revised ISAs into COS?
The NBA translates revised ISAs after the IAASB finalises them, typically within 12 to 18 months. ISA 315 (Revised 2019) was incorporated as Standaard 315 (Herzien) and became effective for audits of financial statements for periods beginning on or after 15 December 2021. ISA 570 (Revised 2024) is expected to be incorporated and effective for periods beginning on or after 15 December 2026. The NBA publishes exposure drafts of translations for public comment before finalisation.