Selecting a CPA Firm for Financial Services Audits
Selecting a CPA firm to conduct financial services audits is a decision with direct consequences for regulatory compliance, investor confidence, and operational risk management. Financial institutions face audit requirements imposed by the SEC, PCAOB, FDIC, FINRA, and other agencies — each carrying distinct standards that not every CPA firm is qualified to meet. This page covers the scope of CPA firm selection for financial services clients, the criteria that differentiate qualified firms, the regulatory frameworks governing auditor qualifications, and the decision boundaries that determine when a firm is — or is not — a suitable choice.
Definition and scope
A CPA firm engaged for a financial services audit is not merely providing accounting oversight; it is fulfilling a legally mandated function that intersects with federal regulatory frameworks, professional licensing requirements, and standards bodies including the Public Company Accounting Oversight Board (PCAOB) and the American Institute of Certified Public Accountants (AICPA).
The scope of "financial services audit" encompasses a wide range of engagements. A bank regulated by the FDIC requires audits conforming to FDIC audit requirements for banks. A registered investment adviser has distinct obligations under the SEC's Custody Rule (Rule 206(4)-2 under the Investment Advisers Act of 1940). A broker-dealer registered with FINRA must obtain an annual audit by an independent public accountant as specified under FINRA Rule 4370 and SEC Rule 17a-5. Hedge funds and private equity funds face auditor requirements under the Investment Company Act or Dodd-Frank Act provisions, outlined further at hedge fund audit requirements and private equity fund audit standards.
For public companies in financial services, the CPA firm must be registered with the PCAOB — a non-negotiable threshold established by the Sarbanes-Oxley Act of 2002 (SOX), 15 U.S.C. § 7211. Private financial entities not subject to SOX fall under AICPA standards — specifically Generally Accepted Auditing Standards (GAAS) — but may still carry institution-specific regulatory requirements that constrain which firms are eligible.
How it works
Selecting a CPA firm follows a structured evaluation process, not a single decision point. The phases below reflect standard procurement and compliance practice for financial services entities:
- Regulatory eligibility screening — Determine whether the entity is subject to PCAOB oversight (public company or broker-dealer filing with the SEC) or AICPA-only standards. Only PCAOB-registered firms may audit public companies; a list of registered firms is maintained at the PCAOB firm search portal. Broker-dealers must also verify the firm's qualification under SEC Rule 17a-5, which requires the auditor to be "independent" as defined under 17 C.F.R. § 240.17a-5(f).
- Industry specialization assessment — A CPA firm's general license does not confirm competence in financial services sub-sectors. Relevant specializations include banking (familiarity with Call Report requirements and OCC guidance), investment management (knowledge of ASC 946 fair value frameworks), and insurance (adherence to statutory accounting principles set by the NAIC). Prospective clients should request engagement references within their specific sub-sector.
- Independence verification — Auditor independence is codified in PCAOB Rule 3520 and AICPA ET § 1.200.001. The CPA firm must not have financial interests, employment relationships, or business ties that impair objectivity. Independence conflicts are among the most frequently cited deficiencies in PCAOB inspection reports.
- Capacity and team qualification review — Firm size alone is not determinative. A large national firm may assign a lightly experienced team to a smaller client. Evaluating the proposed engagement partner's specific financial services experience, and whether the firm has handled entities of comparable asset size and regulatory complexity, is more informative than aggregate firm revenue. The concept of auditor independence in financial services extends to team-level conflicts, not just firm-level relationships.
- Engagement letter and fee structure negotiation — Once a firm passes eligibility and qualification review, the audit engagement letter governs the formal scope, timing, and deliverable structure. Fee structures should be evaluated against scope — not treated as the primary selection criterion, as artificially low fees correlate with reduced audit hours, which PCAOB inspections have linked to audit quality deficiencies.
Common scenarios
Three distinct selection scenarios illustrate how the process diverges based on entity type:
Scenario A — Community bank or credit union. A federally insured institution subject to the Federal Deposit Insurance Act (12 U.S.C. § 1831m) must obtain an annual independent audit if total assets exceed $500 million (FDIC Part 363). Institutions below that threshold may still require audits under state banking authority rules. The CPA firm must be familiar with bank-specific presentation standards and the regulatory overlay from the OCC, Federal Reserve, or FDIC depending on charter type.
Scenario B — Registered investment adviser with custody. Under SEC Rule 206(4)-2, advisers with custody of client funds must obtain a surprise examination by an independent public accountant registered with and inspected by the PCAOB (for larger advisers) or otherwise independent under AICPA standards. The firm must also submit Form ADV disclosures reflecting auditor identity and credentials, creating a public accountability trail maintained at IAPD.
Scenario C — Broker-dealer subject to FINRA oversight. FINRA Rule 4370 and SEC Rule 17a-5 require broker-dealers to file audited financial statements annually. The CPA firm must complete the audit using PCAOB standards for firms that are public company auditors, or AICPA standards where applicable — a distinction explored in depth at PCAOB standards for financial audits. Firms with introducing-broker status face the same requirement but at a different net capital threshold tier.
Decision boundaries
Not all CPA firms are interchangeable for financial services work. The following classification boundaries define selection eligibility:
PCAOB-registered vs. non-registered firms
Public companies and broker-dealers subject to SEC reporting requirements must use PCAOB-registered firms. Non-registered firms — regardless of reputation or size — are legally ineligible for these engagements. The PCAOB's registration database is the authoritative eligibility check, and PCAOB inspection results provide a secondary quality signal.
Specialized financial services expertise vs. general practice
A CPA firm with a generalist practice may be fully licensed but lack the technical competence required for sub-sector-specific audits. Engagements involving fair value measurement under ASC 820, hedge fund partnership accounting, or credit loss modeling under CECL (the Current Expected Credit Losses standard under ASC 326) require demonstrated sub-sector depth. The financial-services-audit-standards-us resource outlines where standards diverge by entity type.
Firm size tiers and audit quality
PCAOB inspection data consistently distinguishes outcomes by firm size tier. The eight largest registered firms (commonly called "Big Four" plus four additional large firms) account for the majority of public company audit opinions by market capitalization, but mid-tier and regional firms serve a larger number of smaller financial institutions. Regional firms may carry deeper familiarity with state-chartered institutions, community bank regulatory environments, or credit union structures. The relevant comparison is not prestige but rather documented engagement history and absence of unresolved PCAOB inspection deficiencies.
Rotation and tenure considerations
Lead audit partner rotation is required every five years for public company engagements under PCAOB Rule 3600T, incorporating SEC rules adopted under SOX Section 203 (17 C.F.R. § 210.2-01(c)(6)). Mandatory firm-level rotation is not currently required under US rules, but audit committee governance frameworks at financial institutions — including those outlined in audit committee role in financial services — typically address rotation policy as a risk management matter.
Understanding these boundaries clarifies that CPA firm selection in financial services is a compliance function, not merely a procurement decision. Mismatched selections — where firm eligibility, independence, or expertise does not align with the entity's regulatory profile — expose the institution to restatement risk, regulatory examination findings, and in public company contexts, potential SEC enforcement action.