Public Company Accounting Oversight Board
The Public Company Accounting Oversight Board (PCAOB) is an independent, congressionally-established regulator that sets auditing standards for public company audits and conducts mandatory inspections of accounting firms. Created by the Sarbanes-Oxley Act in 2002 following the Enron collapse, the PCAOB sits between the SEC and the audit firms it oversees, enforcing both quality and compliance across the auditing profession.
Why Enron created a new regulator
Before 2002, auditing was largely a self-regulated profession. The American Institute of Certified Public Accountants (AICPA) set auditing standards; accounting firms conducted their own quality reviews. This worked until it didn’t.
Enron’s collapse in late 2001 revealed that its auditor, Arthur Andersen—once one of the “Big Five” accounting firms—had not merely failed to catch the fraud but had actively shredded documents to obstruct the investigation. The profession’s self-regulation had become a fig leaf. Congress responded decisively.
The Sarbanes-Oxley Act, passed in July 2002, created the PCAOB as an independent, non-profit entity. Unlike prior self-regulatory bodies, the PCAOB reported to the SEC and Congress, not to the accounting firms themselves. It had subpoena power. It could fine and even sanction audit firms. For the first time, auditors had an auditor.
What the PCAOB actually does
The PCAOB’s mandate splits into two broad categories: standard-setting and inspection.
Auditing Standards: The PCAOB establishes the Generally Accepted Auditing Standards (GAAS) that auditors must follow when examining public companies’ financial statements. These standards specify how an auditor must plan a financial statement audit, gather evidence, assess risk, evaluate internal controls, and form conclusions. Unlike GAAP (which governs how companies record transactions), auditing standards govern how auditors verify those recordings.
The standards are detailed and prescriptive. They address, for example, how many transactions an auditor must test, how to evaluate the competence of audit committee members, and what to do when auditors discover fraud mid-audit. Over 2,000 pages of guidance govern modern auditing.
Inspections: Every year, the PCAOB inspects the audit practices of the thousands of firms that audit U.S. public companies. Inspections are unannounced (with rare exception) and cover both the firm’s quality-control systems and individual audits. Inspectors review workpapers, interview personnel, and assess whether auditors followed standards. For the largest firms (those auditing more than 100 public companies), inspections happen annually. Smaller firms face inspections less frequently but remain under PCAOB purview.
If inspections find deficiencies, the PCAOB issues a report. Some deficiencies are minor and treated as learning moments. Others are serious: violations of auditing standards, failures in internal control testing, or inadequate evidence gathering. The PCAOB can impose sanctions, fines, temporary suspensions, and even revocations of registration.
The Big Four and the rest
The auditing profession is dramatically concentrated. The “Big Four” firms—Deloitte, EY, KPMG, and PwC—audit roughly 97% of U.S. public companies by market capitalization. The PCAOB’s largest inspection efforts focus on these four. However, the PCAOB also registers and inspects smaller, regional firms.
This concentration creates tension. The Big Four firms handle the audits of the largest, most complex corporations—and thus attract the most experienced auditors. Regional firms struggle with recruiting talent and competing on sophisticated engagements. Yet the PCAOB regulates all equally. Some argue this asymmetry is a feature, not a bug: larger firms should face harsher scrutiny. Others worry that excessive regulation drives smaller firms out of the market, making the Big Four even more dominant and the system even more fragile.
The scope of PCAOB rules
The PCAOB’s reach extends to any audit of a U.S. public company. This includes 10-K annual reports, quarterly reports, and special audits required by law. It does not extend to private company audits, though the PCAOB publishes guidance that private auditors often follow voluntarily.
The PCAOB also oversees auditor attestations on internal controls. Under Sarbanes-Oxley Section 404(b), external auditors must certify the effectiveness of a company’s internal control structure. The PCAOB sets the standard for what this attestation must cover and how rigorous it must be. This has been a source of ongoing debate: some argue that rigorous control testing catches fraud; others say it is costly compliance that adds little real protection.
Enforcement and controversy
The PCAOB has levied fines in the millions and tens of millions for audit failures. It has barred individuals from auditing public companies and, in extreme cases, revoked the registrations of entire firms. Notable enforcement actions have targeted the Big Four firms for failures in audits of major companies that later restated earnings.
However, the PCAOB’s enforcement is not without critics. Some in the accounting profession argue that enforcement standards are too harsh and punish honest mistakes. Others, particularly after high-profile corporate failures (e.g., WeWork’s bankruptcy despite clean audits), argue that enforcement is too lenient—that even major audit failures result in modest fines and little real deterrence. Academic research on audit quality remains divided on whether PCAOB regulation has meaningfully reduced the incidence of misstated financial statements.
Inspection reports and transparency
The PCAOB publishes inspection reports, though with redactions to protect client confidentiality and ongoing investigations. These reports are a window into the state of auditing. They reveal, for example, that some audit firms struggle with testing revenue recognition or assessing asset valuations. Repeat deficiencies year after year suggest systemic issues, which the PCAOB may escalate into formal enforcement.
Firms have fought to keep inspection reports from public view, citing competitive harm. The SEC has mostly sided with transparency, and reports are public (with some details withheld).
See also
Closely related
- Internal control over financial reporting — the control framework auditors must attest to
- COSO Framework — the control model that PCAOB audits rely on
- SEC — the regulator that oversees the PCAOB
- Sarbanes-Oxley Act — the law that created the PCAOB
- Audit committee — the board group that oversees external audit
- 10-K — the annual report PCAOB-regulated auditors must attest to
Wider context
- Generally accepted accounting principles — the standards auditors verify against
- Cash flow statement — a key audited statement
- Balance sheet — auditors verify these too
- Enron — the fraud that prompted PCAOB creation
- Public company — the enterprises PCAOB oversees
- Financial statement — the document auditors opine on