On the way to a better fraud risk analysis

TOEZICHT VISUELE SAMENVATTING NOVEMBER 2025

In het kort The AFM investigated six OOB-licensed accounting firms regarding measures to improve the quality of fraud risk analysis. We also assessed the fraud risk analysis in twelve statutory audits. We see progress by the OOB accounting firms towards a better fraud risk analysis. To maintain this correct course, the root cause analysis must be more thorough, particularly regarding behavioral and cultural aspects. There must also be more attention for monitoring and measuring the effectiveness of measures. The AFM expects accounting firms to take responsibility and will discuss this with the sector in the coming period.

1. Introduction and main findings

1 EU Directive Article 24 bis paragraph 1g. 2 EU Directive Article 24 bis paragraph 1k.

Controlled companies are primarily responsible for preventing and tackling fraud; the timely detection and follow-up of fraud (risks) by the auditor in the statutory audit can prevent significant damage to the stakeholders of the company. The detection and follow-up of fraud (risks) in the statutory audit is therefore an important responsibility of the auditor. Increasing awareness of the possibility of fraud and improving the detection and follow-up of fraud risks is one of the strategic pillars of the auditing supervision of the Authority for the Financial Markets (AFM). The AFM wrote a position paper on this in 2022 and published two investigations in recent years: 'Sharper on fraud risks!' and 'Audit procedures regarding fraud risks fall short'.

Timeline of investigations and publications on the theme of fraud

• May 2022: Hypothesis: insufficient responsibility for detecting and following up fraud risks.
• June 2023: Sharper attitude needed in fraud risk analysis.
• January 2025: Audit procedures regarding fraud risks fall short.
• Today: On the way to a better fraud risk analysis.
• 2026: Follow-up investigation into the quality of audit procedures regarding fraud risks.

Accounting firms have a system of quality management, with the aim of guaranteeing the quality of the statutory audit.1 The fraud risk analysis is an important part of the statutory audit. Performing risk assessment procedures and identifying and assessing fraud risks is an important step in the audit process. And thereby a 'condition' for the quality of the statutory audit. Therefore, the system of quality management must also guarantee the quality of the fraud risk analysis, and the accounting firm must take appropriate measures to remedy any shortcomings.2 The AFM previously investigated the quality of the fraud risk analysis (2023). We also investigated the quality of the audit procedures regarding fraud risks (2025). The first investigation showed in short that a sharper attitude was needed in fraud risk analyses. The 2025 investigation showed that the audit procedures regarding fraud risks fell short.

The report now before you is a follow-up investigation into the system of quality management on the theme of fraud risk analysis, carried out at six OOB accounting firms. We investigated which elements contribute to a qualitatively sufficient fraud risk analysis, how these accounting firms dealt with previous results of the 2023 investigation, and to what extent they acted on shortcomings. In addition, the quality of the fraud risk analysis was assessed in twelve statutory audits.3

The goal of this investigation is to determine whether accounting firms are on the right track. That is, to what extent the accounting firms have taken responsibility and taken appropriate measures to remedy any shortcomings that we identified in our investigation 'Sharper on fraud risks!'.

The AFM sees progress among the six OOB accounting firms since the 2023 report; we are positive about the measures taken to address shortcomings in the fraud risk analysis at the level of the system of quality management. Accounting firms have taken among other measures:

• Conducted internal investigation based on the report 'Sharper on fraud risks!'.
• Strengthened awareness and professional-critical attitude via training, intervision, and gamification.
• Deployed fraud experts more frequently and established fraud communities.
• Sharpened consultation policy and applied hot file reviews.
• Used coaching during statutory audits to strengthen the quality of the fraud risk analysis.
• Updated guidelines and procedures, with attention to good examples and pitfalls.

3 The AFM has established in both formal and material terms for these statutory audits whether the relevant legislation and regulations (NV COS) were sufficiently complied with for the fraud risk analysis in the selected statutory audits. Specifically, we tested against the standards as included in NV COS 240, NV COS 250 (auditor responsibilities regarding fraud/legislation and regulations) and NV COS 315 (identifying and assessing risks of material misstatement).

The quality of the fraud risk analysis in the twelve investigated statutory audits has also improved. Fraud risk factors are identified and evaluated more often, and fraud risks are specified more specifically. In the majority of the investigated statutory audits, it is substantiated why fraud risk factors do or do not lead to a fraud risk. The investigated statutory audits also showed room for improvement. What really needs to be better is the depth and the professional-critical attitude when gaining insight into the entity and its environment, particularly when gathering information and team discussions.

The AFM is predominantly positive about the path taken within the investigated accounting firms to improve the quality of the fraud risk analysis in statutory audits. The measures taken can contribute to a better fraud risk analysis. But we see that the insight into the actual effectiveness of individual measures is still limited. To maintain the upward trend and achieve structural guarantee, it is necessary for accounting firms to take further steps on:

• Conducting thorough root cause analyses; these are performed limitedly and behavioral and cultural aspects are underrepresented.
• Monitoring and measuring the effectiveness of measures; these are insufficiently developed and testing instruments are often too broad in scope.
• Identifying the presumed fraud risk on the outcomes: this is refuted too often, despite sharpened procedures and consultation obligations.

The AFM calls on accounting firms to continue the actions taken, and to monitor the effectiveness of measures better, evaluate them structurally, and adjust them. Only in this way can the quality of fraud risk analyses be sustainably guaranteed. We expect accounting firms not only to take measures, but also to structurally evaluate whether these actually contribute to addressing identified shortcomings. This requires targeted evaluations, further expanding data-driven monitoring, and applying effectiveness measurement. The AFM calls on all accounting firms to take note of the results of this investigation in 2025 and 2026, reflect on them, and (if necessary) take concrete improvement measures. Conducting a thorough root cause analysis with attention to behavioral and cultural aspects is crucial in this regard. The AFM will conduct a repeat investigation in 2026 at the OOB accounting firms regarding the audit procedures regarding fraud risks.

2. Results of the investigation into the system of quality management

4 1 OOB client, 1 Housing cooperative client, 2 high-risk clients, and 1 low-risk client.

2.1 The AFM sees progress on the system of quality management on the theme of fraud risk analysis

The AFM has investigated whether the six OOB accounting firms have taken responsibility and taken appropriate measures in light of the results of the report 'Sharper on fraud risks!' from 2023. We are positive about this: we see progress on the measures taken to address shortcomings in the fraud risk analysis at the level of the system of quality management. Below we describe the main measures that accounting firms have taken, and share good examples.

Measure: Internal investigation conducted into the quality of the fraud risk analysis.

Three (of the six) OOB accounting firms have conducted internal research into the quality of the fraud risk analysis and have taken measures in light of the report 'Sharper on fraud risks!'. The three OOB accounting firms involved in the investigation received an institution-specific report with findings and recommendations at that time. The other three accounting firms that were not part of the 2023 investigation use the report 'Sharper on fraud risks!' as a starting point for their measures. These three accounting firms have conducted internal research to a greater or lesser extent. One accounting firm focused on the audit reports and refuting the mandatory fraud risk on the outcome statement. Another accounting firm repeated the AFM's investigation. The AFM shares the following good practice example regarding this.

Good practice example: Following up on external signals based on internal investigation into fraud risk analysis

An accounting firm that was not part of the 2023 investigation into the fraud risk analysis performed an assessment on five statutory audits4. This assessment consisted, among other things, of determining whether there were similar findings and recommendations as included in the 2023 report.

This is a good practice example because the accounting firm - despite not being part of the 2023 investigation - actively reflected on the findings and recommendations from the report 'Sharper on fraud risks!'. The accounting firm shows that it takes signals from the sector seriously. The accounting firm has also taken measures to follow up on the specific findings and recommendations that - based on the results of the internal investigation - are relevant for this accounting firm. This aligns with the AFM's expectation that non-participating accounting firms also learn from public reports and translate them to their organization.

Measure: Increasing awareness of fraud risks and strengthening the professional-critical attitude.

• Accounting firms actively use fraud cases to increase awareness of fraud risks and improve the quality of the fraud risk analysis. These cases, originating from the media and from their own statutory audits, are shared with practice. This happens via various channels, including short news reports, extensive case descriptions, and internal platforms for knowledge sharing. Via these platforms, audit teams receive a selection of relevant cases that they can include in their risk assessment and audit approach. Fraud cases have also been shared during training and technical meetings. These measures stimulate audit teams to think critically, (re)recognize fraud risk factors, and improve the substantiation of their judgment formation. The structural sharing of practical examples can contribute to a learning culture and a strengthening of the quality of the fraud risk analysis.

• Accounting firms have developed training programs to strengthen the professional-critical attitude and awareness of fraud risks. The training programs are usually developed per function level, with themes such as fraud risk analysis and corruption at the center. These programs contain, for example, contributions from external experts (such as the FIOD) and make use of e-learnings, virtual classrooms, and informative mailings. Attention has been paid to the results of the AFM's investigation, results from internal investigations, and results from internal safeguards, such as the hot file review. In addition, intervision meetings and team sessions are organized, in which dilemmas and lessons learned from statutory audits are discussed. Furthermore, initiatives have been taken to increase awareness of fraud risk factors, with specific attention to recognizing and documenting these factors. These measures can contribute to strengthening the professional-critical attitude and improving the quality of the fraud risk analysis.

• Accounting firms have experimented with innovative training forms, which can contribute to a deeper learning experience. Gamification has been used, where participants were confronted with practical situations from the perspective of a fraudster via an escape room. This approach provided space for strengthening the professional-critical attitude and increasing insight into fraud risks. We also see examples of regularly distributing short visual explanations, in which specific fraud schemes and mechanisms are explained. These innovative forms can contribute to a deeper learning experience, increasing engagement, and professional-critical thinking.

Measure: Deploying fraud experts based on pre-set criteria and developing initiatives for training fraud experts and setting up a fraud community.

The deployment of a fraud expert in the statutory audit can contribute to the quality of the fraud risk analysis. For example, the deployment of a fraud expert can increase attention for fraud risks. The fraud expert can also provide a fresh external perspective during discussions between members of the audit team. In our investigation, we see that all accounting firms assign fraud experts to audit assignments based on pre-set criteria.

The deployment of fraud experts can oversee various parts of the audit, such as the fraud risk analysis, but also the entire audit process. In addition, initiatives have been started to train colleagues to become fraud experts ('fraud champions') and to set up fraud communities. For example, one accounting firm has set up a separate fraud community. There, employees, from different function levels and spread across the organization, are trained annually to become fraud experts.

Good practice example: Training colleagues to become fraud experts and setting up a fraud community

An accounting firm has set up a fraud community, where employees are trained annually to become fraud experts. Members of the fraud community can be approached for, among other things, brainstorming about fraud risks and the procedures regarding them. They are also the first point of contact in case of suspicions of fraud during the audit and the discussion about next steps. The members of the community are further involved in the review of passages about fraud in the audit report. The fraud community meets periodically, and members of the fraud community have now taken on a role in the deployment as fraud experts. Thereby, more and more employees are developing expertise in this area and sharing this knowledge and skills with practice in a low-threshold manner. It is also the case that audit teams can discuss issues or cases with these members in a low-threshold manner, allowing for more proactive responses.

We see this as a good practice example because this can contribute to the quality of (among other things) the fraud risk analysis.

Measure: Using various forms of coaching to strengthen the quality of the fraud risk analysis during the statutory audit.

The coaching takes place during the execution of the statutory audit, so that feedback is followed up directly and contributes to the quality of the statutory audit. A common approach is conducting interim evaluations of the fraud risk analysis, where a colleague accountant - often outside the direct sector or audit team - assesses the fraud risk analysis and provides feedback and determines follow-up. These assessments take place specifically focused on the fraud risk analysis, or as part of a broader coaching program focused on the quality of statutory audits.

The coaching focuses on critically questioning the fraud risk assessments used, substantiating fraud risks, and stimulating the professional-critical attitude in the audit team. The insights derived from this are valuable for the ongoing statutory audit and are also applied more broadly to other statutory audits. This working method creates a learning environment in which audit teams are supported in strengthening their professional judgment formation and improving the quality of the fraud risk analysis.

Good practice example: Sharing the red threads from the hot file reviews with the audit practice

An accounting firm shares the red threads from the executed hot file reviews with the audit practice. Here, the points of attention that the audit teams receive during the hot file reviews are discussed systematically in organization-wide meetings or via internal newsletters. This makes it visible which recurring points of attention are playing a role.

This is a good example because not only is the learning experience of individual audit teams increased, but it also contributes to a shared quality awareness of the entire audit practice. By actively sharing red threads, audit teams can learn from each other and prevent the same shortcomings from recurring. Moreover, it can stimulate an open dialogue on technical dilemmas and strengthen the professional-critical attitude.

Measure: Sharpened consultation policy.

Consultations can oversee the informal or formal consultation of issues, such as alignment on issues arising from the fraud risk analysis. In our investigation, we see that accounting firms have adjusted or sharpened their policy regarding consultations in light of the report 'Sharper on fraud risks!'. For example, at one accounting firm, there is a consultation obligation5 if the presumed fraud risk on the outcome statement is refuted. At the majority of accounting firms, the consultation policy is aimed at audit teams being able to align issues in a low-threshold manner.

This allows potential issues to be detected and followed up earlier, and the role of consultations shifts more and more from reactive to proactive. We refer to 'Good practice example: Training colleagues to become fraud experts and setting up a fraud community' for a good example of the application by an accounting firm.

Measure: Guidelines and procedures regarding the fraud risk analysis updated and sharpened.

The documentation of team discussions has been updated with example questions and clear instructions on what must be recorded. Also described in this are the less good examples (so-called pitfalls). For conversations with management, in-depth questions have been drawn up regarding prevention, detection, and response to fraud. These questions help to identify and substantiate relevant fraud risk factors. The procedures stipulate that careful minute-taking of these conversations is important. Furthermore, it has been clarified that internal control measures may not be taken into account as a mitigating factor when assessing fraud risks. These measures prevent risks from being underestimated and can contribute to a sharper fraud risk assessment.

5 There are a number of exception situations formulated in which the consultation obligation does not apply. 6 The NBA published the report 'Exploratory root cause analysis fraud: Fraud requires a more critical basic attitude' in June 2022.

2.2 The AFM sees room for improvement of the system of quality management

This can be better: Measures implemented, but without thorough root cause analysis.

Effective improvement of the fraud risk analysis begins with understanding the underlying causes of shortcomings. Without a thorough root cause analysis, there remains a risk that measures are merely symptomatic treatment, and that structural problems persist. Behavioral and cultural aspects are an essential part of the root cause analysis6.

We see in our investigation that only a few accounting firms conduct in-depth root cause analyses. Behavioral and cultural aspects are underrepresented in this. (Timely) conducting root cause analyses into the underlying fundamental causes of shortcomings enables accounting firms to uncover fundamental causes. So that they can take appropriate measures, thereby preventing the recurrence of the identified shortcomings.

This can be better: Monitoring and effectiveness measurement are insufficiently developed.

We noted that accounting firms have taken measures to improve the quality of the fraud risk analysis in statutory audits. Although the measures described in paragraph 2.1 contribute to the quality of the fraud risk analysis, we see that there is too limited insight into the actual effectiveness of individual measures.

The current testing instruments, such as OKB's and IKO's, offer valuable information about the quality of the statutory audit. But these instruments are often too broad in scope to specifically assess the...