AFM Inspection

Six years is long enough to forget how to be inspected

Most non-PIE audit firms in the Netherlands will go through an AFM inspection once, fix whatever the regulator flagged, and then have five or six years before the next visit. That gap is the problem. By year four, the partner who managed the last inspection has moved on. By year five, the remediation evidence is buried in a SharePoint folder nobody opens. By year six, the firm's quality management system has drifted far enough from its documented design that the next inspection feels like starting from scratch.

I think the six-year cycle is the single biggest contributor to the quality gap at non-PIE firms, because it creates an environment where internal monitoring has no external consequence until the AFM shows up again. We see this pattern repeatedly: firms build a quality management system that looks credible on paper, then nobody tests whether it actually works until inspectors arrive and start pulling files.

An AFM inspection is a periodic review by the Autoriteit Financiele Markten (AFM) of whether an audit firm's ISQM 1 system and individual statutory audit engagements comply with the Wet toezicht accountantsorganisaties (Wta) and applicable professional standards. The Wta has been in force since 1 October 2006, and the AFM holds supervisory authority over every firm licensed to perform statutory audits in the Netherlands.

Two tracks run in parallel. Regular inspections assess the firm's quality management system and examine a sample of completed engagement files. Inspectors select two to three focus areas per engagement based on the audited entity's risk profile and the significance of financial statement line items, then assess whether the auditor obtained sufficient appropriate evidence and documented the reasoning behind significant judgments. They do not review the entire file. Thematic inspections target a specific topic across multiple firms and publish sector-wide findings without naming individual firms.

EU Regulation 537/2014 article 26 sets the minimum inspection frequency for PIE auditors at once every three years. For non-PIE firms, the Wta requires at least one inspection per six-year cycle, though the AFM can inspect sooner based on risk analysis. Enforcement after an inspection ranges from informal corrective instructions to formal measures under Wta article 54 (administrative fines, licence conditions, and in severe cases licence withdrawal).

Worked example

Client: Van der Berg Logistics B.V., Dutch transport and logistics company, FY2025, revenue EUR 19M, Dutch GAAP (RJ) reporter. Brouwer & Verhoeven Accountants performs the statutory audit. Six partners, approximately 30 statutory audit clients, non-PIE licensed.

Notification and scope selection

Brouwer & Verhoeven receives an AFM notification letter in March 2026 confirming a regular inspection in Q2. Two engagement files are selected. One is Van der Berg Logistics FY2025. Focus areas: revenue recognition (contract logistics with volume-based pricing, the firm's largest client revenue stream) and going concern (negative working capital of EUR 1.4M).

Documentation note: retain the AFM notification letter in the firm's regulatory correspondence file. Identify the EP, the engagement quality reviewer (if applicable), and the key WPs for each selected focus area.

Where the file falls short

Inspectors start with revenue cut-off testing. Van der Berg recognises revenue based on completed delivery runs, with December revenue of EUR 1.7M. The engagement team tested the final five business days but did not document why five days rather than a longer window. I have reviewed files where the cut-off period was copied from the prior year without anyone checking whether the client's revenue patterns had shifted. It happens because the team is ticking and bashing through last year's programme, and nobody flags that the question "why this window?" deserves its own paragraph in the WP.

On going concern, the EP concluded that a new three-year contract (signed January 2026, value EUR 8.5M) mitigated the negative working capital. Inspectors request evidence that the team verified the contract's enforceability and assessed whether projected cash flows covered obligations falling due within twelve months. A signed contract alone is not sufficient. The AFM wants to see that someone stress-tested whether the cash actually arrives on time.

Documentation note: ensure the file contains the engagement team's rationale for the scope of cut-off testing (not just the results) and the corroborating evidence for the new contract: signed copy, projected cash flow analysis, management representation.

Complication: the contract counterparty collapses

Two weeks into the inspection, Van der Berg's new contract counterparty enters court-supervised restructuring (surseance van betaling). The EUR 8.5M contract that anchored the going concern assessment is now uncertain.

Here is where the pressure bites. Reopening the going concern evaluation on a signed-off file introduces scope risk while the AFM is actively reviewing it. Not reopening leaves a material subsequent event undocumented. There is no clean answer. What makes it worse is that the EP knows the inspector will read whatever memo gets written next, so the temptation is to frame the analysis conservatively rather than honestly. I have seen that instinct produce documentation that technically satisfies ISA 560.14 but obscures the real judgment call the partner made.

In practice, most firms notify the AFM informally, document the subsequent event in a separate memo, and assess whether the going concern conclusion changes. If it does, the firm faces an ISA 560.14 subsequent event procedure on an engagement the regulator is actively inspecting. This is the scenario that tests whether a firm's quality management system works under real pressure or only works when nobody is watching.

Firm-level quality management review

Alongside the file review, AFM inspectors assess Brouwer & Verhoeven's monitoring and remediation process. How many files did the firm inspect internally? What deficiencies turned up? Was root cause analysis performed? Were remedial actions implemented?

Brouwer & Verhoeven inspected four files (13% of the portfolio). Not one was a logistics or transport sector client, despite that sector representing 40% of portfolio revenue. This is not accidental. Firms gravitate toward monitoring the files that are easiest to review, because those reviews finish faster and generate fewer uncomfortable conversations with partners. Result: the highest-risk sectors go uninspected year after year.

Documentation note: prepare a summary of the firm's internal monitoring cycle covering the number of files inspected, selection criteria, sectors covered, and the link between identified deficiencies and remedial actions taken.

Findings letter and remediation

Brouwer & Verhoeven receives a findings letter with two observations. First, the revenue cut-off WP lacks documented reasoning for the scope of testing ( ISA 330.28 requires documentation of the nature, timing, and extent of further audit procedures). Second, the firm's internal monitoring programme does not cover its risk profile because the largest sector by revenue was excluded from the sample entirely. Remediation plan due within 60 days.

Documentation note: file the AFM findings letter, the firm's remediation plan, the revised monitoring selection methodology, and evidence that the revenue cut-off documentation deficiency was addressed through updated guidance to engagement teams.

Why proportionate oversight fails when firms stop self-monitoring

Non-PIE firms get inspected once every six years at minimum. On paper, that looks proportionate. In practice, it creates a feedback loop: the long gap between inspections reduces the perceived cost of weak internal monitoring, which produces exactly the deficiencies the next inspection will find.

Numbers bear this out. Consultation occurred in only 14% of statutory audits at small non-PIE firms, compared with 40% at large firms (AFM State of the Auditing and Reporting Industry 2025). In 2024, 13 of 15 assessed non-PIE firms had inadequate EQCR policies. At the engagement level, 26 of 30 reviewed EQCRs lacked sufficient depth. Reviewers were ticking and bashing through checklists without forming an independent view on going concern, fraud risk conclusions, or materiality. This is not a documentation gap. It is a systems failure, and the six-year cycle is part of what enables it.

A reasonable counterargument: non-PIE firms audit entities with lower public interest, so the regulatory burden should be lighter. Fair enough, as far as it goes. But proportionate oversight only works if firms maintain their own quality management between visits. When the AFM finds, inspection after inspection, that they do not, the proportionality rationale collapses into something closer to regulatory neglect.

We think the better model would tie inspection frequency to the firm's internal monitoring track record rather than to a fixed calendar. A firm that can demonstrate genuine root cause analysis and remediation earns the long cycle. A firm whose monitoring sample excludes its highest-risk sector does not. Risk-based frequency already exists in the Wta's discretionary provisions, but the AFM rarely exercises that discretion for non-PIE firms, because the resource constraint is real and PIE supervision absorbs most of the budget.

AFM inspection vs. firm internal monitoring

Complementary, not substitutes. A firm with functioning monitoring and remediation will have already identified and fixed many of the issues the AFM might otherwise catch. But strong internal monitoring does not buy a smoother inspection. The AFM calibrates expectations upward for firms that claim strong processes, because inspectors then ask harder questions: are those processes producing genuine quality improvements, or just generating TGIF-worthy reconciliations that look good in the monitoring report but change nothing about how the next engagement is run?

Related terms

Related tools

Related reading

Frequently asked questions