Key points

  • Every firm performing statutory audits (wettelijke controles) in the Netherlands needs a Wta licence from the AFM, regardless of whether the client is a PIE.
  • Two licence tiers exist: regular (non-PIE statutory audits) and PIE (adding independence, rotation, and governance obligations under EU Regulation 537/2014).
  • In 2024, the AFM found EQCR policies inadequate at 13 of 15 assessed non-PIE firms, not because policies were missing but because reviewers were ticking and bashing through checklists instead of forming independent views on key judgments.
  • Enforcement runs from corrective measures and fines through licence withdrawal, and the AFM publishes decisions by default.

Thirteen out of fifteen

That is the AFM's 2024 EQCR pass rate at non-PIE firms. Thirteen failures. Two passes. The policies existed. The checklists existed. What did not exist was an engagement quality reviewer willing to spend four hours forming an independent view on going concern, fraud risk, and materiality when the budget allowed forty-five minutes and the partner wanted sign-off by Friday.

AFM 2024 thematic review: 13 / 15 non-PIE firms with inadequate EQCR policies, not because policies were missing, but because reviewers were not forming independent views on key judgments.

I think that statistic tells you more about how AFM supervision actually works than any amount of reading the Wta. The Autoriteit Financiële Markten does not inspect what you designed. It inspects what you do. And what most non-PIE firms do, in practice, is build a quality management system that photographs well for the licence application, then let economics erode it one unbilled hour at a time until the inspection letter arrives and somebody has to explain why the EQCR file contains a signed checklist and nothing else.

That inspection authority derives from the Wta (Wet toezicht accountantsorganisaties), which transposes the EU Audit Directive (2006/43/EC, as amended by 2014/56/EU) into Dutch law. Any firm signing a statutory audit opinion on a Dutch entity's financial statements needs an AFM-issued Wta licence. The application requires evidence of a functioning quality management system, adequately trained staff, and governance that protects audit quality from commercial pressures. This page covers the licence framework and inspection process for non-PIE firms; it does not address PIE transparency reporting under EU Regulation 537/2014 in detail.

Two licence tiers, one uncomfortable truth

PIE auditors (firms auditing listed companies, banks, or insurers designated as "organisaties van openbaar belang") operate under a stricter regime. EU Regulation 537/2014 adds mandatory firm rotation, audit committee pre-approval of non-audit services, and transparency reporting. Non-PIE firms face fewer structural requirements but remain subject to thematic reviews and engagement-level inspections. The distinction matters less than most practitioners assume.

Here is why. The AFM's 2025 State of the Auditing and Reporting Industry report found that only 11% of statutory audits at non-PIE firms identified at least one fraud risk. That number has been flagged as low for consecutive reporting cycles. I think it reflects a systemic reluctance to document fraud risks that probably will not materialise, because documenting them generates work the budget does not fund. The regulator sees a profession that is not looking hard enough. The profession sees a regulator that does not understand fee pressure. Both are right, and that tension drives most of what happens when the AFM opens an inspection file.

AFM supervision sits alongside the NBA's professional conduct oversight, not above it. The AFM inspects firm-level quality systems and engagement files. The NBA handles individual practitioner discipline. For firms subject to ISQM 1, an AFM inspection is the external test of whether the firm's own monitoring process produces real findings or whether it is just ticking and bashing through an internal checklist that nobody reads after signing. We find that most firms already know the answer to that question. They just prefer not to write it down.

Worked example

Van der Berg Logistics B.V. is a Dutch transport and logistics company, FY2025, revenue EUR 19M, reporting under Dutch GAAP (RJ). A mid-sized non-PIE firm holding a regular Wta licence performs the audit.

Confirm the firm's licence status

Before accepting the engagement, the EP verifies that the firm's regular Wta licence is current in the AFM's public register. Van der Berg is not a PIE, so a regular licence suffices. The partner also confirms professional liability insurance meets the Bta (Besluit toezicht accountantsorganisaties) minimums.

Documentation note: record the licence verification date, AFM register reference number, and insurance policy details in the engagement acceptance file. Cross-reference to the firm's annual compliance declaration under Wta Article 15.

Apply the EQCR policy

The firm's quality management system requires an engagement quality control review for all engagements above EUR 10M revenue. Van der Berg's EUR 19M triggers the review, so the reviewer is appointed before fieldwork begins and is independent of the engagement team.

This is where the 13-of-15 statistic becomes personal. ISQM 2.25 requires the reviewer to evaluate significant judgments, not confirm that working papers are complete. In our experience, reviewers are not lazy. They are rationally responding to a fee structure that allocates zero hours to the EQCR, which means the review happens in whatever time is left between signing the opinion and archiving the file. On a EUR 19M logistics engagement, a proper review of going concern, fraud risk, and materiality takes four to six hours. Most reviewers get forty-five minutes and a reminder from the office manager that the archive deadline is tomorrow.

Documentation note: record the EQCR appointment, reviewer's independence confirmation, and appointment date. The file should show that the firm's policy addresses AFM-identified deficiencies (scope of review, timing of involvement, documentation of conclusions). If the file cannot demonstrate what the reviewer actually evaluated, the AFM will fill in the blanks.

Prepare for a potential AFM inspection

The EP ensures the audit file is inspection-ready by the archive deadline (60 days after the audit report date under NV COS). Working papers cross-reference NV COS requirements (the Dutch application of the ISAs) at each significant judgment point. The fraud risk assessment documents why revenue recognition was or was not identified as a presumed risk, given the AFM's stated 2026 priority of promoting fraud detection.

Documentation note: include a separate fraud risk summary memo referencing ISA 240.26-27 (as applied through NV COS). Record the rationale for each fraud risk identified or rebutted, with specific reference to entity industry characteristics and known logistics-sector fraud patterns.

Complication: the AFM disagrees with the fraud risk assessment

A competitor in the logistics sector faces a public fraud investigation involving inflated intercompany revenue. The AFM selects the Van der Berg file. The inspection team disagrees with the engagement team's conclusion that revenue recognition is not a presumed fraud risk, arguing that the sector-level fraud pattern should have triggered heightened procedures.

Two defensible positions exist. One: Van der Berg's revenue model (domestic freight, no intercompany transactions, customer-verified delivery receipts) is fundamentally different from the competitor's, so the sector-level event does not change the entity-level risk assessment. Two: ISA 240.A28 requires reconsidering presumed risks when industry-level fraud emerges, and declining to respond is indefensible once the AFM has your file open. I lean toward the second position, because adding targeted revenue testing (perhaps 12 additional hours) costs far less than defending a file the AFM has already flagged. But both positions are professionally supportable. What separates a good outcome from a bad one is whether the file documents the reasoning or just states the conclusion. Bare conclusions invite the inspector to substitute their own reasoning, and inspectors are not known for generous interpretations.

Documentation note: maintain a log of all AFM correspondence. If the AFM issues findings, document the firm's response and remedial actions, linking them to updates in the firm's ISQM 1 monitoring cycle. Where findings relate to fraud risk, record how the firm's fraud brainstorming process will incorporate sector-level events going forward.

Why the EQCR problem persists

Budget. That is the one-word answer nobody puts in the findings response.

ISQM 2.25 requires the engagement quality reviewer to evaluate significant judgments. Doing that properly on a mid-market statutory audit takes real time, and real time costs real money. But the EQCR is invisible to clients. It does not appear as a line item on the fee proposal, most non-PIE firms do not build it into their pricing model, and the partner who wins the engagement on a competitive tender has no incentive to add four unbilled hours to a file that was already underquoted. So the reviewer does what the economics allow: a fast pass through the working papers, focused on completeness rather than supportability, signed off in under an hour.

The AFM's 2024 thematic review confirmed this at scale. Insufficient depth in 26 of 30 assessed EQCRs. The regulatory language is "insufficient depth of review." The practitioner translation is shorter: ticking and bashing. I'd argue the AFM keeps finding the same deficiency because the profession has not solved the economic problem underneath it. You cannot regulate quality into a process that nobody is willing to pay for. Until non-PIE firms either price the EQCR into fees or accept the inspection risk of not doing it properly, this finding will appear in every thematic report the AFM publishes.

A related pattern: smaller non-PIE firms treat the Wta licence as a one-time registration rather than an ongoing obligation. The AFM monitors compliance continuously through the SRA/AFM annual questionnaire and can initiate an inspection at any time. Firms that identify an ISQM 1 gap in their own monitoring and then delay remediating it are handing the inspector a pre-written finding. TGIF (thank God it's Friday) might describe the feeling when the archive deadline passes, but the AFM evaluates systems as they operate on Monday morning, not as they were designed for the licence application.

AFM vs. NBA: who inspects what

AFM vs NBA — supervisory split for Dutch audit firms
| Dimension | AFM | NBA |
|---|---|---|
| Legal basis | Wta (Wet toezicht accountantsorganisaties) | Wet op het accountantsberoep (Wab) |
| Focus | Firm quality systems, engagement files, governance | Individual practitioner conduct, ethics, continuing education |
| Scope | Only firms performing statutory audits (wettelijke controles) | All registered accountants (RA and AA title holders), including non-audit |
| Enforcement | Licence conditions, fines, licence withdrawal, published decisions | Disciplinary proceedings, suspension or removal from register, reprimands |
| ISA relationship | Inspects NV COS (Dutch-applied ISAs) compliance at engagement level | Sets professional standards through the NBA's standard-setting board |

A firm can pass an AFM inspection while an individual partner faces NBA disciplinary proceedings. The reverse happens too. We find that firms focus almost entirely on the AFM side, because licence risk concentrates the mind in a way that individual disciplinary risk does not. The NBA's requirements become something the practitioner handles on their own time. That creates a gap nobody at the firm actively monitors: whether individual partners are meeting their continuing education and ethics obligations under the Wab. It only surfaces when something goes wrong, and by then you are explaining to the NBA's disciplinary board why a partner who had not completed PE hours in two years was still signing statutory audit opinions.

Frequently asked questions

Do non-PIE audit firms in the Netherlands need an AFM licence?

Yes. Any firm performing statutory audits (wettelijke controles) under Dutch law needs a Wta licence from the AFM, regardless of client type. Non-PIE firms hold a regular licence. PIE auditors need a PIE licence with additional independence, rotation, and governance requirements. Wta Article 5 sets out the application criteria.

What happens if the AFM finds deficiencies in an audit file?

The AFM issues a draft report and gives the firm a chance to respond. If deficiencies are confirmed, consequences range from corrective measures (updating the quality system) to formal enforcement: fines, licence conditions, or licence withdrawal under Wta Article 48. Publication of enforcement decisions is standard. In practice, even informal findings create significant pressure because they become part of the firm's inspection history and influence future selection for thematic reviews.

How often does the AFM inspect non-PIE audit firms?

There is no fixed cycle. Inspections are risk-based: the AFM selects firms and engagements using data analysis, complaints, and thematic priorities. The 2025 State of the Auditing and Reporting Industry report found that consultation occurred in 32% of statutory audits at non-PIE firms, which means the AFM monitors engagement-level data continuously. Firms that treat inspection as a remote possibility tend to be surprised when the letter arrives.
