The useful question for small firms is not whether AI helps, but whether the trail still holds.
AI in audit is often discussed as if the machine were about to take the accountant’s chair. That is the wrong picture. In Dutch compliance terms, the sharper change is quieter. AI can help read, compare, classify and summarise. It also asks every conclusion to show its route back to source material.
The signal has to become readable
A small founder may feel this before any formal audit. The accountant asks for an export behind a dashboard. The bank wants an explanation of turnover. A buyer asks why the margin report differs from the ledger. A VAT question still needs original invoices, not a neat AI summary. The real issue is traceability.
I read the current Dutch signal as a shift from speed to traceability. AI may make work faster, but it does not make weak administration stronger.
Human still owns the judgement
AFM has made the audit line clear. Advanced audit tools, including generative AI, can support audit work. They do not replace the accountant or the accountant’s ultimate responsibility. That matters because it pulls AI out of the gadget corner and places it inside the control environment.
AFM’s building blocks for controlled audit tooling focus on risk management, information security, data quality, implementation, traceability and conscious use in the audit process. In ordinary language, the questions are simple. Which data went in? What happened to it? Who checked the output? Why could a professional rely on it?
For statutory audits, Dutch company law already points in this direction. Book 2, article 393 of the Civil Code requires the accountant, where an audit applies, to examine whether the annual accounts give the required insight and comply with legal requirements. The accountant must also report findings on the reliability and continuity of automated data processing.
That last phrase matters. Automated data processing is not background plumbing. It belongs in the judgement environment. If a business cannot explain its systems, exports, corrections and source documents, AI will not tidy that weakness. It may only make the report look more confident.
The practical example is simple. A growing webshop uses AI to summarise monthly sales and flag unusual refunds. The summary looks useful. Yet the payment exports, order records, stock movements and credit notes sit in different folders, with manual edits made by two employees. If the accountant, lender or tax inspector asks how the AI figure ties back to the records, the business has a problem.
Better data, better evidence
One of the most important compliance lessons here is that volume can mislead. AFM stresses that input data used by audit tools must be relevant and reliable to obtain sufficient and appropriate audit evidence. It also points to weaknesses in general IT controls at audited entities, and to the need for documented extraction, transformation and loading of data.
What the signal changes
That sounds technical, but the business lesson is human. A full export is not automatically a clean export. A dashboard is not automatically a reliable basis for decision. A complete-looking dataset can still carry missing invoices, duplicated entries, wrong dates, private expenses, broken VAT coding or unexplained manual adjustments.
AI is strong at processing what it receives. That strength is also its danger. If the input is polluted, the output may become polished pollution. For a small company, the most useful discipline is not a grand AI policy. It is a habit of tying every important number back to the system of record and the source document.
Belastingdienst remains relevant here. Entrepreneurs must keep business data in their administration, on paper or digitally. The general retention period is seven years, with longer periods in some cases. Digital invoices must be stored digitally, and the digital administration must remain controllable within a reasonable period.
An AI summary of invoices is not the invoice archive. A generated explanation of costs is not the cost evidence. A forecast based on receivables is not a substitute for customer invoices, bank receipts and debtor notes. The recordkeeping floor still holds, even when the analysis layer becomes modern.
The shadow work inside small firms
CBS shows why this is no longer only an audit-firm problem. In 2025, 33 percent of Dutch companies with 10 or more employed persons used one or more surveyed AI technologies. The figure was 23 percent in 2024 and 14 percent in 2023. CBS marks the 2025 figures as provisional.
Among microbusinesses with 2 to 9 employed persons, CBS reports 13.8 percent using at least one surveyed AI technology in 2025. That is more than three percentage points higher than in 2024 and roughly double the 2023 level. Use in microbusinesses often touches marketing, sales, administration and management tasks.
UWV adds the workplace side. The share of employers using AI to a reasonable or high degree doubled from 16 percent to 32 percent in one year. At the same time, about four in ten employers using AI do not guide employees in that use.
That is the gap I see most clearly for small businesses. AI enters through ordinary work before governance catches up. Someone drafts debtor emails. Someone classifies costs. Someone asks a tool to explain a contract clause, payroll issue or margin movement. The work becomes faster, but responsibility becomes vague.
A sensible owner does not need to turn this into theatre. The first question is modest. Where does AI touch finance, tax, payroll, reporting, contracts or customer data? The second is sharper. Who reviews the result before the business relies on it?
What founders should check
The answer should be simple enough for a colleague to understand later. The tool, the source data, the purpose, the reviewer and the retained evidence should not be mysteries. That is not bureaucracy. It is memory with a name attached.
The European clock is also running
The AI Act gives this subject a wider frame. Rijksoverheid states that the European AI Act entered into force on 1 August 2024 and applies in phases. Prohibited AI practices apply from 2 February 2025. Requirements for general-purpose AI models apply from 2 August 2025. High-risk AI and transparency obligations follow from 2 August 2026.
The full AI Act applies from 2 August 2027. For certain high-risk AI systems placed on the market before August 2026 and used by government organisations, Rijksoverheid also points to a later date, 2 August 2030.
Not every finance tool, chatbot or audit-support workflow falls into the same category. Classification depends on the system and its use. Still, the direction is plain. Transparency, human oversight, data quality and accountability are moving from good manners to expected control language.
Small firms should not wait for a formal label before improving the trail. The useful work is already valuable for annual accounts, VAT, wage administration, subsidy files, insurance claims, financing and sale negotiations. A clean record is not only a compliance comfort. It can save adviser time, reduce rework and make credit conversations less painful.
The cash point is often missed. An AI tool may be cheap per month, while its real cost sits in data cleanup, staff training, security choices, adviser review and corrections after poor use. If the company saves two hours with automation and loses ten hours proving where the answer came from, the efficiency story is not finished.
Keep the judgement human and the evidence visible
The strongest position is not to ban AI from administration. That will often be unrealistic. The stronger position is controlled use with a visible trail. Use AI to help find patterns, draft explanations or compare records, but keep the source documents, system exports and human review close to the conclusion.
For an owner-managed business, I would start with one process, not twenty. Pick sales, purchase invoices, payroll mutations or debtor follow-up. Trace one number from the original document to the final report. Look for missing links, manual edits, unexplained exports and unsupported summaries. The weakness found there will teach more than a long policy copied from somewhere else.
Accountants will still need to judge. Founders will still need to keep the administration controllable. Employees will still need to know what data may not be placed in consumer tools. Advisers will still need to challenge confident answers. AI changes the speed and shape of the work. It does not remove the need for discipline.
The quiet risk is not that AI thinks for the business. It is that the business stops asking how the conclusion was built. In Dutch compliance life, trust has always needed records. AI does not change that. It only makes the missing record easier to notice.
Sources
Referenced in the article
Column | Compliance
The Audit Line Will Not Rescue Weak Business Evidence
A finished year can still hide weak authority, broken software trails and slow tax.
Column | Ledger & Tax
When a Senior Employee Raises the BV Owner’s Salary Question
A senior hire can turn the DGA salary from a private choice into a payroll-tax.
Column | Governance
Dutch Pay Transparency Makes Salary Memory a Governance Risk
Dutch pay transparency asks employers to explain pay before memory and negotiation become weak evidence.
The Polder is written for readers who need the Dutch business environment translated into practical meaning. Corrections, source policy and editorial accountability are part of the publication record.
