AFM and BFT Audit Findings: Dutch Accountants Know the Risks, but Controls Fall Short
Dutch audit firms holding a standard licence are broadly aware that clients with Russian operations carry sanctions risk. That is the headline from a joint inspection by the AFM (Autoriteit Financiële Markten) and the BFT (Bureau Financieel Toezicht) published on 18 June 2026. The more uncomfortable finding is that awareness has not translated into consistently robust controls, and at least two statutory audits resulted in clean opinions that are now under review. For accounting firms and their quality teams, the report is a direct signal to revisit policy, screening procedures, and how sanctions-related fraud risk is communicated in audit opinions.
Scope and Structure of the Joint Inspection
The AFM and BFT conducted parallel but separate reviews, each working from its own supervisory mandate.
What each regulator examined
The BFT focused on client due diligence obligations and monitoring requirements under the Wwft (the Dutch Anti-Money Laundering and Counter-Terrorism Financing Act). It reviewed three standard-licence holders across ten client files. The AFM examined quality systems and business operations at six standard-licence holders, covering approximately thirty statutory audits in total. The combined scope means the findings reflect both the client-facing and the internal-governance dimensions of sanctions compliance.
Where Firms Are Getting It Right
The inspection did identify genuine good practice. Several firms declined to take on, or terminated relationships with, clients carrying Russian activities where the risk profile was unacceptable. Some went further than the sanctions rules strictly required. Others accepted engagements only on the condition that Russian activities would be wound down. Firms also sought formal guidance from the NBA (the Dutch professional accountancy body) and from the Centrale Dienst voor In- en Uitvoer to confirm that their services did not constitute a sanctions breach. Portfolio-level screening was carried out using structured data and direct enquiry to external auditors, particularly when new sanctions packages were introduced. Where audit scope was constrained by sanctions-related access limitations, modified opinions were issued in line with NBA Alert 45.
Where Controls Need to Improve
The positive picture is partial. The inspection identified recurring gaps across policy design, third-party reliance, verification discipline, and audit opinion content.
Policy gaps: sanctions risk is too narrowly defined
Internal policies at a number of firms address sanctioned persons and entities but do not extend consistently to sanctioned goods and services. A sanctions compliance framework that only screens counterparties will miss the risk that a client is supplying or receiving restricted items. The AFM expects policy to explicitly cover identification, control, monitoring, and periodic evaluation of the full range of sanctions exposures.
Over-reliance on client-commissioned expert opinions
Only one of the firms inspected independently engaged a sanctions law specialist. Where clients themselves obtained legal advice on sanctions exposure, auditors did not always request documentary evidence of that advice. Similarly, when reviewing screening reports produced by or for the client, auditors did not consistently scrutinise the scope of the screening, its limitations, the relevance of the methodology, or the residual population that may have been excluded. Relying on a client's own expert, without independently verifying the basis and boundaries of that advice, is a significant control weakness.
Verification of sanctioned goods and services
For material transactions involving goods or services that may be subject to restrictions, the inspection found that auditors were not always independently checking sanctions lists themselves. Where the sums involved are significant, cross-referencing the relevant lists independently, rather than deferring entirely to management representations, is a basic control that several firms were not applying consistently.
Clean opinions issued while reviews were still open
In two of the statutory audits reviewed, an unqualified audit opinion had been signed off while investigation into whether that opinion was appropriate, given the constraints on auditing Russian activities, was still ongoing. The AFM notes these cases are under review. Issuing a clean opinion before resolving a known scope limitation on Russia-linked activities is the kind of gap that attracts regulatory and reputational consequences.
Revenue substitution not being followed
The inspection asks a pointed question that audit teams should be asking of clients: how is revenue previously generated in Russia being replaced? If a client has formally exited Russian markets but overall revenues have held steady, understanding the substitution is a substantive audit procedure, not an optional enquiry. Firms were not consistently pursuing this line of analysis.
Fraud risk from sanctions evasion absent from audit opinions
The finding that drew the sharpest language in the AFM report is this: in none of the statutory audits reviewed did the auditor's report include a fraud risk related to potential breach or circumvention of sanctions. The AFM considers this omission difficult to justify for clients with significant Russian activities. Sanctions evasion is, by definition, a financial reporting risk where the financial statements may not accurately reflect the true nature of transactions. Audit teams working on such clients should assess whether a specific fraud risk disclosure belongs in the opinion.
What Firms Should Do Now
The AFM and BFT are working with the NBA and SRA, the sector body representing many standard-licence firms, to help the sector act on these findings. The regulators have been explicit: they expect firms to engage with the improvement points rather than treat the report as an external observation. For quality directors and engagement partners, the practical checklist is short but demanding.
Immediate priorities for quality teams
First, audit your own policy document. If it addresses sanctioned persons but is silent on sanctioned goods and services, update it before the next engagement cycle. Second, establish a protocol for independently engaging sanctions law expertise, rather than accepting client-commissioned opinions at face value, and document what evidence you require when a client produces its own legal advice. Third, build a step into file review that checks whether any fraud risk related to sanctions evasion has been considered and, where clients have material Russian exposure, documented in the audit opinion. Fourth, treat revenue substitution analysis as a required procedure rather than a background observation. Fifth, ensure that no unqualified opinion is finalised while a material sanctions-related scope question remains open.
Firms that use crypto compliance reporting workflows alongside traditional audit tools should note that the control principles here apply equally to digital asset clients with cross-border exposure. The screening gaps identified by the AFM are tool-agnostic: the question is whether the firm's process is independently verifying what it needs to verify, not whether the client's own data looks clean. Digital asset accounting software that surfaces wallet-level and entity-level flags can support the independent verification step, but only if the firm's policy requires that step in the first place.
The broader sanctions compliance landscape is tightening across jurisdictions. The patterns documented in this AFM/BFT report (over-reliance on client representations, under-specified policy scope, and incomplete fraud risk disclosure) are not unique to the Netherlands. Firms advising on OFAC SDN cryptocurrency addresses and firm compliance priorities will recognise the same structural tensions. Equally, the concern about revenue obscured by complex counterparty chains echoes the AML risks documented around the Huione Group and USDH stablecoin.
FAQs
Which firms does this AFM/BFT report cover?
The review covered standard-licence audit firms in the Netherlands. The AFM examined six firms across approximately thirty statutory audits; the BFT reviewed three firms across ten client files. The findings are addressed to the sector as a whole, not only those directly inspected.
What is NBA Alert 45 and why does it matter here?
NBA Alert 45 is guidance issued by the Dutch professional accountancy body that covers how auditors should handle audit opinion modifications when sanctions restrict access to information about Russian activities. The AFM noted positive examples of modified opinions issued in line with Alert 45, but also cases where clean opinions were given before a related review was complete.
Is there an obligation to include a sanctions fraud risk in every audit opinion for Russia-linked clients?
The AFM stops short of saying it is mandatory in every case, but it signals clearly that for clients with significant Russian activities, the absence of any fraud risk disclosure related to sanctions evasion is hard to defend. Engagement teams should document their assessment, whatever conclusion they reach.
How should firms handle a client's own legal opinion on sanctions exposure?
The AFM expects auditors to request and review documentary evidence of any legal advice the client obtained, and to assess its scope, limitations, and relevance independently. Accepting a summary from management without seeing the underlying advice does not satisfy the verification standard.
Does this report affect crypto-asset service providers or only traditional audit clients?
The inspection focused on statutory audit clients with Russian activities. However, the AFM has separate supervisory responsibilities for crypto-asset service providers under MiCA and Dutch law. The control principles (independent screening, policy covering goods and services, not just persons, and fraud risk assessment) apply across all client types where sanctions exposure is present.
