A PCAOB inspection is designed to assess the firm’s compliance with PCAOB standards and rules, as well as other regulatory and professional requirements that are applicable to the firm’s system of quality control and to the portions of audits selected for review.A PCAOB inspection is not designed to review all aspects of a firm’s quality control system, to review all of the firm’s audits, or to identify every deficiency in the reviewed audits. Under the Sarbanes-Oxley Act and as explained in detail in Rule 4003 of the Board’s rules, the PCAOB annually inspects registered accounting firms that regularly provide audit reports for more than 100 issuers, while those that regularly provide audit reports for 100 or fewer issuers are inspected at least once every three calendar years, with a few limited exceptions as specified in Rule 4003. A PCAOB inspection results in an inspection report. A PCAOB inspection report is not intended to serve as a balanced report card or overall rating tool. Nothing in Part I of an inspection report should be interpreted to imply the Board has reached a conclusion about a firm’s quality control policies, procedures, or practices. A PCAOB inspection report should not be understood to provide any assurance that a firm’s audit work, or the relevant issuers’ financial statements or reporting on internal control over financial reporting (ICFR), are free of any deficiencies not specifically described in an inspection report.
Process for Reviewing Selected Firms’ Audit Work
PCAOB inspection teams review work performed on audits by making selections of completed audits through the following process:
- Select audits for review: The inspection team selects the audits and the audit areas, including non-financial areas such as independence, that it will review. The inspected firm has no opportunity to limit or influence the PCAOB’s selections. In selecting issuer audits for review, we generally use both risk-based and random methods of selection, and we generally focus our attention on audit areas we believe to be of greater complexity, areas of greater significance or with a heightened risk of material misstatement to the issuer’s financial statements, and areas of recurring deficiencies. The inspection team generally selects the audits most recently completed by the firm but may also select audits completed in prior years if, for example, there are no recently completed audits.
- Review work papers and interview engagement team: For each audit area that we select, the inspection team reviews the engagement team’s work papers and interviews engagement personnel regarding those audit areas.
- Provide comment forms: If the inspection team identifies a potential deficiency, it discusses the matter with the firm and may review additional audit documentation. If the inspection team still believes that a potential deficiency exists after its discussion with the firm and review of any additional audit documentation, it will provide the firm with a written comment form on the matter. The firm is allowed the opportunity to provide a written response to the comment form.
- Evaluate deficiencies: After the firm’s response to the comment form, the PCAOB evaluates the matter for inclusion in the inspection report. If a deficiency is included in Part I.A of the report, it does not necessarily mean that the firm has not addressed the deficiency. In many cases, the firm may take remedial actions, including performing additional audit procedures after the issue is identified, and may have completed those actions by the time the PCAOB publishes the inspection report. Depending on the circumstances, the firm may inform management of the issuer of the need for changes to the financial statements or reporting on ICFR, and may take steps to prevent reliance on prior audit reports. An inspection may include a review, on a sample basis, of the adequacy of a firm’s remedial actions, either with respect to previously identified deficiencies or deficiencies identified during that inspection.
- Prepare an inspection report: The report includes deficiencies in reviewed issuer audits that were of such significance that the Board believes that the firm, at the time it issued its audit report, had not obtained
sufficient appropriate audit evidence to support its opinion on the issuer’s financial statements and/or ICFR. These are included in Part I.A of the inspection report. Within Part I.A, we identify each issuer by a letter (e.g.,
Issuer A) and industry sector. In instances where classifying an issuer using its industry sector could make an issuer identifiable, we have not included the industry sector in Part I.A.
The report may also include certain deficiencies that relate to instances of non-compliance with PCAOB standards or rules other than those where the firm had not obtained sufficient appropriate audit evidence to support its opinion(s). These are included in Part I.B of the inspection report.
The report may also include instances of potential non-compliance with SEC rules or instances of non-compliance with PCAOB rules related to maintaining independence. These are included in Part I.C of the inspection report. Part I.C may include instances of potential non-compliance that we identified during the inspection and/or the firm identified through its independence monitoring activities and brought to our attention.
Consistent with the Sarbanes-Oxley Act, it is the Board’s assessment that nothing in Part I of an inspection report deals with a criticism of, or potential defect in, the firm’s quality control system. Any such criticisms or potential defects are discussed in Part II of a report. Further, readers should not infer from any Part I deficiency, or combination of deficiencies, that a quality control finding is identified in Part II.
- What an audit deficiency in an inspection report does and does not mean: The inclusion of a deficiency in an inspection report reflects information communicated to the Board by the inspection team and is not a determination by the Board as to whether the firm has engaged in conduct for which it could be sanctioned through the Board’s disciplinary process. In addition, any references in a report to violations or potential violations of law, rules, or professional standards are not a result of an adjudicative process and do not constitute conclusive findings for purposes of imposing legal liability. Inclusion of a deficiency in an inspection report—other than those deficiencies for audits with incorrect opinions on the financial statements and/or ICFR—does not necessarily mean that the issuer’s financial statements are materially misstated or that undisclosed material weaknesses in ICFR exist. It is often not possible for the Board to reach a conclusion on those points based on inspection procedures and related deficiencies because, for example, the inspection team has access only to the information that the auditor retained and the issuer’s public disclosures. The inspection team does not have direct access to the issuer’s management, underlying books and records, and other information that may be relevant.
- Enforcement and other referrals: The inspection team may refer matters, where appropriate, to the PCAOB’s Division of Enforcement and Investigations, and/or—consistent with requirements of the Sarbanes-Oxley Act and PCAOB Rule 4004—to the Securities and Exchange Commission or other appropriate regulatory or law enforcement authorities (federal, state, or foreign).
Process for Reviewing Firms’ Quality Control Systems
The PCAOB’s QC 20 standard, System of Quality Control for a CPA Firm’s Accounting and Auditing Practice, specifies that a firm’s quality control policies and procedures should encompass the following elements:
- Independence, integrity, and objectivity
- Personnel management
- Acceptance and continuance of issuer audit engagements
- Engagement performance
PCAOB inspection teams conduct quality control reviews through the following process:
- Assess a firm’s quality control system: The inspection team’s assessment is derived from results of procedures specifically related to a firm's quality control system as well as from analysis of the deficiencies
identified in individual audits. Readers should not infer simply because we identify in Part I a deficiency or combination of deficiencies that we necessarily also identify a quality control finding in Part II.
Each inspection team customizes the procedures it performs for each firm, bearing in mind the firm's structure, procedures performed in prior inspections, past and current inspection observations, the size of the firm, an assessment of risk related to each focus area, and other factors. The areas considered for review may include:
- Management structure and processes, including the tone at the top. The inspection team may interview firm personnel, including firm leadership, and review significant management reports, communications, and
documents, as well as information regarding financial metrics and other processes that the firm uses to manage and evaluate its business. PCAOB inspection teams’ procedures in this area are designed to focus on:
- How firm management is structured and operates the firm’s business and the implications that the management structure and processes have on audit performance.
- Whether actions and communications by the firm’s leadership (the tone at the top) demonstrate a commitment to audit quality.
- Practices for partner management, including allocation of partner resources and partner evaluation, compensation, admission, and disciplinary actions. The inspection team may interview members of the firm's
management and review documentation related to certain of these topics. In addition, the inspection team’s evaluation may include the results of interviews of audit partners regarding their responsibilities. Further,
the inspection team may review a sample of partners' personnel files. Procedures in this area are designed to focus on:
- Whether the firm’s processes related to partner evaluation, compensation, admission, termination, and disciplinary actions could be expected to encourage an appropriate emphasis on audit quality and technical competence, as distinct from marketing or other activities of the firm.
- The firm’s processes for allocating its partner resources.
- The accountability and responsibilities of the different levels of firm management with respect to partner management.
- Policies and procedures for considering and addressing the risks involved in accepting and retaining issuer audit engagements, including the application of any risk-rating system used by the firm. The inspection
team may consider the firm’s documented policies and procedures in this area. In addition, the inspection team may select certain issuer audits to:
- Evaluate compliance with the firm’s policies and procedures for identifying and assessing the risks involved in accepting or continuing the audits.
- Observe whether the audit procedures were responsive to the risks of material misstatement identified during this process.
- Processes related to the firm’s use of audit work that the firm’s foreign affiliates perform on the foreign operations of the firm’s U.S. issuer audits. The inspection team may review the firm's policies and procedures related to the work performed by foreign affiliates on the firm's U.S. issuer audits. The team may also review available information relating to the most recent internal inspections of foreign affiliated firms, interview members of the firm's leadership, and review the U.S. engagement teams’ supervision or use of the audit work that the firm's foreign affiliates performed on a sample of audits.
- The firm’s processes for monitoring audit performance, including processes for identifying and assessing indicators of deficiencies in audit performance, independence policies and procedures, and processes for responding to defects or potential defects in quality control. The
inspection team may interview members of the firm’s management and review documents relating to the firm’s identification and evaluation of, and response to, indicators of deficiencies in audit performance. In addition,
the inspection team may review:
- Documents related to the design, operation, and evaluation of findings of the firm’s internal inspection program, and may compare the results of the inspection team’s review of audit work to those from the internal inspection’s review of the same audit work.
- Steps the firm has taken to address possible quality control deficiencies and assess the design and effectiveness of the underlying processes.
- Policies, procedures, and guidance related to aspects of independence requirements and the firm's consultation processes, as well as the firm's compliance with these requirements and processes.
- Audits of issuers whose audits had been reviewed during previous PCAOB inspections of the firm to ascertain whether the audit procedures in areas with previous deficiencies have improved.
- Management structure and processes, including the tone at the top. The inspection team may interview firm personnel, including firm leadership, and review significant management reports, communications, and documents, as well as information regarding financial metrics and other processes that the firm uses to manage and evaluate its business. PCAOB inspection teams’ procedures in this area are designed to focus on:
- Evaluate whether identified deficiencies in individual audits indicate a defect or potential defect in a firm’s system of quality control: The inspection team considers the nature, significance, and frequency of deficiencies. They also consider related firm methodology, guidance, and practices, as well as possible root causes.
- Determine if deficiencies warrant inclusion in the PCAOB inspection report: If identified deficiencies, when accumulated and evaluated, indicate sufficiently significant defects or potential defects in the firm’s system of quality control, the PCAOB inspection report will include a discussion of those issues in a portion of the inspection report that is initially required by law to be nonpublic, unless the firm fails to address the criticism to the Board’s satisfaction no later than 12 months after the issuance of the inspection report. Part II of the PCAOB inspection report would include a discussion of these issues.
Post-inspection Procedures: Addressing Quality Control Criticisms
The Sarbanes-Oxley Act and PCAOB rules provide that no portions of an inspection report that deal with criticisms of or potential defects in the quality control systems of the firm shall be made public if those criticisms or defects are addressed by the firm, to the satisfaction of the Board, no later than 12 months after the issuance of the inspection report.
PCAOB Rule 4009 governs the process for addressing criticisms and potential defects as well as the process through which the Board could make nonpublic portions of the inspection report publicly available.
The Board encourages each firm with a quality control deficiency to initiate a dialogue with the PCAOB’s Division of Registration and Inspections as early as practicable in the 12-month period about the ways in which the firm intends to address the criticisms and potential defects.
Learn more about guidance regarding the remediation process, including criteria used by the staff to assess the firm’s remedial actions.
Detailed Inspections Procedures by Year
The PCAOB continually enhances the effectiveness of our inspection process, and therefore may enhance and refine procedures from year to year. Prior to the 2018 inspection reports for annually inspected firms and the 2019 inspection reports for the triennially inspected firms, inspection procedures were included within the inspection reports. This information will now be included on our website. This archive shows the inspections procedures from specific years beginning with the respective 2018 or 2019 inspection reports: