Who audits the auditors, and what do they do when audits fail?

The auditor's opinion on a public company's financial statements is supposed to be an independent, objective verdict on whether the statements are fairly presented. But auditors are human. Auditors work for audit firms that are hired and paid by the companies they audit. Auditors face pressure to retain clients. Auditors sometimes make mistakes. Without oversight, the auditor's opinion would be as reliable as a company grading itself.

That oversight function belongs to the Public Company Accounting Oversight Board (PCAOB), a private, non-profit corporation established by the Sarbanes-Oxley Act in 2002, immediately after the Enron and WorldCom accounting scandals. The PCAOB inspects audit firms, investigates audit failures, and enforces auditing standards.

Understanding the PCAOB's role and inspection process is critical for investors. PCAOB inspection reports reveal which audit firms are maintaining quality and which firms are issuing clean opinions on statements later found to contain material fraud or error. For an investor, a PCAOB enforcement action against an audit firm is a signal that that firm's recent audit opinions may be unreliable.

This article explains what the PCAOB is, how it inspects audit firms, what it looks for, and what enforcement actions mean for investors.

Quick definition: The PCAOB is the independent regulator of auditors of public companies. It inspects audit firms annually (for the largest firms) or every three years (for smaller firms), looking for evidence that the auditor failed to detect material fraud or error. It brings enforcement actions when firms are found to have issued materially false clean opinions.

Key takeaways

  • The PCAOB was created in 2002 by the Sarbanes-Oxley Act to regulate auditors of public companies.
  • The PCAOB inspects audit firms to assess compliance with auditing standards and the quality of audits.
  • Large firms (the Big Four and other firms with many clients) are inspected annually; smaller firms every three years.
  • PCAOB inspection reports are public and identify specific audits that failed to meet standards.
  • The PCAOB can bring enforcement actions against firms and individual auditors for issuing materially false opinions.
  • A PCAOB enforcement action against an audit firm raises questions about the reliability of recent opinions issued by that firm.

What is the PCAOB and how did it come to exist?

Before 2002, audit firms were regulated by their own professional associations and the SEC. The American Institute of Certified Public Accountants (AICPA) set auditing standards and reviewed audit quality. But the AICPA's enforcement power was limited, and the SEC's authority was indirect.

The Enron collapse in 2001 revealed massive audit failure. Enron's auditor, Arthur Andersen, had issued a clean audit opinion on Enron's financial statements even as the company was systematically hiding debt in special-purpose entities and manipulating earnings. Andersen's Houston office had a clear motive to keep Enron happy; Enron was a major client paying Andersen millions in audit and consulting fees. When Enron's accounting got questionable, Andersen did not push back forcefully.

Congress passed the Sarbanes-Oxley Act in 2002 to address these failures. Section 101 of Sarbanes-Oxley created the PCAOB as an independent, non-profit organization with power to:

  • Register audit firms that audit public companies
  • Set auditing standards
  • Inspect audit firms
  • Investigate audit failures
  • Bring enforcement actions against firms and individual auditors

The PCAOB is funded by fees on public company audit fees, not by the audit firms themselves, reducing conflict of interest. The PCAOB's board includes accountants and investors but is chaired by a non-accountant, ensuring the organization's independence.

How PCAOB inspection works

The PCAOB's inspection process is rigorous and systematic.

Registration. Any firm that audits public companies must register with the PCAOB. The registration process requires the firm to provide evidence of quality controls, staff qualifications, and disciplinary history.

Inspection frequency. The PCAOB inspects audit firms on a defined schedule:

  • Large firms (the Big Four: Deloitte, EY, KPMG, PwC, and a handful of other large firms) are inspected annually.
  • Mid-size firms with 100+ public company audit clients are inspected every two years.
  • Smaller firms with fewer than 100 public company clients are inspected every three years.

Inspection process. During an inspection, PCAOB inspectors:

  1. Select a sample of audits. The PCAOB selects a sample of the firm's audits conducted in the prior year. For large firms, the PCAOB typically inspects 10–20 audits per inspection.

  2. Review audit work papers. The inspectors examine the audit firm's work papers (the documentation of the audit procedures performed, evidence obtained, and conclusions reached).

  3. Assess compliance with standards. The inspectors determine whether the audit firm followed Generally Accepted Auditing Standards (GAAS) and PCAOB standards. For example, did the auditor perform sufficient procedures on revenue? Did the auditor adequately test the client's internal controls?

  4. Evaluate judgment calls. The inspectors assess whether the auditor's judgments on key matters (like valuation assumptions for goodwill) were reasonable and well-documented.

  5. Test for signs of misstatement. The inspectors examine whether the auditor's testing would have detected material fraud or error if the error had been present. This is a "control test"—would the auditor's procedures have been sufficient?

  6. Interview the audit team. The inspectors interview the engagement partner, audit manager, and staff to understand the auditor's reasoning and any challenges encountered.

What the PCAOB looks for in audits

The PCAOB's inspection procedures focus on several areas:

Revenue recognition. The PCAOB considers revenue recognition a high-risk area because it is a common source of fraud. The PCAOB inspectors test whether the auditor:

  • Understood the company's revenue processes and systems.
  • Tested for side agreements or terms that could affect revenue recognition.
  • Evaluated whether revenue was recognized in the correct period.
  • Considered fraud risk in revenue.

Accounting estimates. Items like goodwill impairment, pension liabilities, and allowances for doubtful accounts involve significant judgment. The PCAOB inspectors test whether the auditor:

  • Evaluated the reasonableness of management's assumptions.
  • Compared assumptions to external sources (market data, historical data).
  • Challenged management when assumptions were optimistic.

Related-party transactions. The PCAOB inspectors test whether the auditor identified and evaluated related-party transactions, including transactions at non-arm's-length prices.

Internal controls. For large accelerated filers, companies must have audits of internal control over financial reporting (ICFR). The PCAOB inspectors test whether the auditor:

  • Identified significant risks to controls.
  • Evaluated whether controls were operating effectively.
  • Did not rely on management representations without testing.

Fraud risk. The PCAOB expects auditors to assess fraud risk and design procedures to address those risks. The PCAOB inspectors test whether the auditor:

  • Held a brainstorming session to discuss fraud risks.
  • Designed procedures to test high-risk accounts.
  • Followed up on fraud risks identified.

Going concern. For companies showing signs of financial distress, the PCAOB inspectors test whether the auditor:

  • Identified going-concern risks.
  • Evaluated management's remediation plans.
  • Appropriately disclosed going-concern doubts.

What PCAOB inspection reports disclose

PCAOB inspection reports are public documents. They contain:

A summary of the inspection. Overview of how many audits were inspected, what percentage of audits had deficiencies, and the overall quality of the firm's auditing.

Specific audit deficiencies. Descriptions of audits where the PCAOB found that the auditor failed to follow standards. For example:

"In one audit of a financial services company, the auditor did not adequately evaluate whether a significant revenue contract was properly accounted for. Specifically, the contract contained terms that the auditor did not evaluate for potential revenue recognition implications. The auditor's procedures with respect to this contract were limited to a review of the contract terms; the auditor did not evaluate whether the terms were consistent with the company's revenue recognition policy or whether there were any side agreements that could affect revenue recognition. Had the auditor performed procedures sufficient to identify the full nature of the contract, it would have identified that [specific misstatement]."

Root cause analysis. The PCAOB often identifies why deficiencies occurred. Common causes include:

  • Insufficient audit procedures (the auditor did not do enough testing).
  • Failure to exercise professional skepticism (the auditor accepted management's explanation without sufficient corroboration).
  • Insufficient knowledge of the accounting standards (the auditor misinterpreted the rule).
  • Time or resource constraints (the auditor did not have enough staff to complete thorough procedures).

Trends. The PCAOB identifies whether deficiencies are isolated or part of a pattern. If the PCAOB finds similar deficiencies across multiple audits, it signals systemic problems with the firm's quality control.

PCAOB enforcement actions

When the PCAOB finds serious or recurring deficiencies, it can bring enforcement actions. These actions range from minor to severe:

Deficiency letters. For minor, isolated deficiencies, the PCAOB may issue a letter to the firm requesting corrective action. The letter is not public but may be referenced in future inspections.

Sanctions. For more serious or recurring deficiencies, the PCAOB may impose sanctions, including:

  • Censure. A public reprimand of the firm or individual auditor.
  • Monetary penalties. Fines imposed on the firm.
  • Mandatory training. Requirements that the firm or individual auditors complete additional training.
  • Engagement restrictions. Temporary prohibition on auditing certain types of companies (e.g., financial institutions) until the firm demonstrates remediation.

Disciplinary orders. For severe violations (including evidence of fraud by the auditor or intentional disregard of standards), the PCAOB may issue a disciplinary order suspending or permanently barring the auditor from practice. For example, in 2020, the PCAOB permanently barred an individual auditor from practice for failure to exercise due diligence on a fraud case.

Firm-level enforcement. In rare cases, the PCAOB has taken enforcement against entire audit firms. For example, the PCAOB settled a case with KPMG in 2018 related to inadequate audits of a financial institution. The settlement required KPMG to pay a <digit20> million penalty and implement extensive remediation.

Reading PCAOB inspection reports as an investor

PCAOB inspection reports are dense technical documents, but they contain valuable information for investors:

Overall quality. At the top of the report, the PCAOB summarizes the firm's quality. A report noting that 90% of audits had no deficiencies signals higher quality than one noting 70% without deficiencies.

Trend data. Compare the current inspection to prior years. If deficiency rates are increasing, the firm's quality may be declining.

Specific industries. If a firm is having trouble auditing tech companies or financial institutions, note that. It suggests the firm lacks expertise in that sector.

Systemic issues. If the PCAOB identifies systemic deficiencies (not isolated errors), that signals quality control problems at the firm level. This is more concerning than isolated auditor mistakes.

Root causes. Read the PCAOB's assessment of why deficiencies occurred. If the cause is insufficient staff or time constraints, it suggests the firm is overextended. If the cause is failure to exercise professional skepticism, it suggests the firm's culture tolerates laxity.

What to do if your auditor received a PCAOB enforcement action

If your company's auditor received a PCAOB enforcement action, you have several options:

Request explanation. Ask the audit firm to explain the enforcement action and describe how it will prevent recurrence.

Assess specificity. If the enforcement action relates to a weakness in the audit firm's procedures for your company's type of business (e.g., revenue recognition for SaaS companies), take that seriously. If the enforcement action relates to an unrelated area, it is less concerning.

Consider auditor change. If you have low confidence in the audit firm's quality, or if the enforcement action signals systemic problems, consider hiring a different auditor.

Increase audit fees. You might offer higher audit fees to incentivize the audit firm to assign more senior staff and allocate more time to your audit.

Evaluate management. If your auditor is having quality problems, consider whether your management team is contributing to the problem through obstruction, unrealistic guidance, or pressure to close the books quickly.

Common mistakes investors make regarding PCAOB oversight

Assuming PCAOB inspection reports are definitive. PCAOB inspection findings are evidence of past audit quality, not a guarantee of current or future quality. A firm with deficiencies in prior inspections might have improved. Conversely, a firm with clean prior inspections might have current deficiencies not yet uncovered.

Overlooking small firms. Investors often focus on Big Four auditors. But many mid-size and smaller public companies are audited by regional or specialty firms. PCAOB inspection reports for these firms contain valuable information but are less widely read.

Confusing PCAOB inspection with audit firm rating. The PCAOB does not publicly rate audit firms or publish a "quality ranking." It publishes inspection reports with deficiency findings. Investors must interpret those findings.

Failing to monitor ongoing enforcement. PCAOB enforcement actions and investigation notices are published on the PCAOB website. If your auditor is under investigation, that is a signal to monitor the situation.

Assuming your auditor has no deficiencies. Many auditors will have some deficiencies noted in PCAOB reports. A few isolated deficiencies are normal. Patterns of deficiencies are concerning.

Frequently asked questions

Q: How can I access PCAOB inspection reports? A: PCAOB inspection reports are public and available on the PCAOB website (www.pcaobus.org). Search by audit firm name. Full reports are available for download.

Q: Does the PCAOB inspect international audit firms? A: The PCAOB has inspection authority over US-registered audit firms and limited authority over foreign audit firms that audit US public companies. The PCAOB has cooperative agreements with foreign regulators in many countries.

Q: What percentage of audits have deficiencies? A: It varies by firm. Large firms typically have 20–40% of inspected audits with some deficiency noted. Smaller firms vary widely. The PCAOB publishes aggregated statistics in its annual reports.

Q: Can the PCAOB force a company to change auditors? A: No. The PCAOB can impose sanctions on audit firms and individuals but cannot directly force auditor changes. However, if an audit firm is seriously sanctioned or suspended from practice, companies must hire a different auditor.

Q: How long does a PCAOB enforcement action investigation take? A: Investigations can take 1–3 years. The PCAOB will issue a notice of investigation, conduct discovery, and eventually issue a report of investigation. The firm and individual auditors can settle or proceed to a hearing.

Q: Are PCAOB enforcement actions disclosed in the company's 10-K? A: Not directly. Companies disclose changes in auditors and disagreements with auditors in Item 9A of the 10-K. But a PCAOB enforcement action against the auditor might be disclosed if the company believes it affects the auditor's ability to audit the company.

Sarbanes-Oxley Act. The 2002 legislation that created the PCAOB and established requirements for audits, internal controls, and corporate governance.

Generally Accepted Auditing Standards (GAAS). The authoritative standards for US audits, set by the AICPA. The PCAOB also sets standards for public company audits.

Audit quality. The degree to which an audit provides reasonable assurance that financial statements are free of material misstatement. PCAOB inspections are a proxy for assessing audit quality.

Professional skepticism. The auditor's obligation to maintain a questioning mind and not accept management representations without adequate corroboration. Failure to exercise professional skepticism is a common PCAOB finding.

Audit failure. An audit where the auditor issued an unqualified opinion on statements later found to contain material fraud or error. PCAOB investigations often follow audit failures.

Inspection deficiency. A finding by the PCAOB that the audit firm failed to comply with auditing standards or quality control standards.

Summary

The PCAOB is the independent regulator of auditors of public companies. It was created by Sarbanes-Oxley in 2002 in response to audit failures at Enron and WorldCom. The PCAOB inspects audit firms regularly (annually for large firms, every three years for smaller firms) and brings enforcement actions when firms are found to have issued materially false clean opinions or failed to follow auditing standards.

PCAOB inspection reports are public and available on the PCAOB website. These reports reveal specific audits where the audit firm failed to comply with standards and identify systemic quality control issues. For investors, PCAOB inspection reports are a valuable tool for assessing whether the auditor of a company you own or are considering owning is maintaining appropriate quality standards.

When the PCAOB brings enforcement actions against an audit firm, it is a signal that the firm's recent audit opinions may be less reliable than normal. Investors should consider whether the enforcement action affects confidence in the auditor and whether an auditor change is warranted.

The PCAOB's existence and activity have improved audit quality since Sarbanes-Oxley. But audit firms remain businesses with profit motives and client relationships. The PCAOB's inspection function provides essential oversight but is not a guarantee that every audit is flawless.

Next

Having covered the auditor's opinion and its variations, going-concern qualifications, critical audit matters, and audit firm oversight, the next chapter shifts focus to recognizing red flags in financial statements themselves: Financial statement red flags.

