PCAOB Inspections of Financial Services Auditors

The Public Company Accounting Oversight Board conducts recurring inspections of registered audit firms to assess whether those firms' audit work meets the standards required for public company engagements. For auditors serving financial services clients — banks, broker-dealers, insurance companies, investment advisers, and asset managers — these inspections carry particular weight because of the sector's systemic importance and dense regulatory overlay. This page explains how PCAOB inspections are structured, what triggers heightened scrutiny in financial services contexts, and where inspection findings intersect with firm-level audit decisions.

Definition and scope

The PCAOB is a nonprofit corporation established under the Sarbanes-Oxley Act of 2002 (SOX) to oversee the auditors of public companies and SEC-registered broker-dealers. Its inspection authority, codified in SOX Section 104, requires annual inspections of firms that audit more than 100 public company issuers, and inspections on a triennial cycle for smaller registered firms (PCAOB, Inspections Program Overview).

Financial services firms constitute a disproportionate share of PCAOB inspection focus because publicly traded banks, insurance holding companies, and broker-dealers are subject to both SEC reporting requirements and sector-specific regulators. An audit firm conducting the annual financial statement audit of a major commercial bank must comply with PCAOB standards for financial audits while simultaneously navigating FDIC, Federal Reserve, and OCC expectations. The PCAOB's scope does not extend to auditors of private entities unless those entities are registered broker-dealers subject to SEC Rule 17a-5, which extended PCAOB oversight to broker-dealer auditors beginning in 2014 (SEC, Final Rule 34-70073).

The distinction between a PCAOB-registered firm and a non-registered firm determines which auditors can legally sign off on public company and registered broker-dealer financial statements. Understanding auditor independence requirements in financial services is prerequisite context, because independence violations discovered during PCAOB inspections can disqualify an audit firm from continued engagement.

How it works

PCAOB inspections proceed in two parallel tracks: an engagement review track and a quality control systems review track.

Engagement Review

Inspectors select specific audit engagements to examine — typically those involving highest-risk clients or audit areas flagged in prior inspection cycles. Within each selected engagement, inspectors assess whether the audit firm:

  1. Identified and responded to risks of material misstatement at the assertion level
  2. Obtained sufficient appropriate evidence for significant accounts and disclosures
  3. Applied PCAOB Auditing Standard No. 2110 (Risk Assessment) correctly
  4. Evaluated internal controls over financial reporting under PCAOB AS 2201 (the successor to the original AS No. 5) where Section 404(b) of SOX applies
  5. Documented its conclusions in a manner consistent with PCAOB AS 1215 (Audit Documentation)

For financial services engagements, inspectors pay particular attention to fair value measurements, credit loss reserves under CECL (Current Expected Credit Loss), and revenue recognition for complex financial instruments — all areas identified as recurring deficiencies in PCAOB inspection reports (PCAOB, 2022 Annual Report on the Audit Firms' Deficiencies).

Quality Control Review

The second track evaluates the firm's system of quality control — policies governing partner supervision, engagement quality reviews, training, independence monitoring, and client acceptance. Deficiencies in quality control systems are disclosed in a nonpublic Part II of the inspection report unless the firm fails to remediate them within 12 months, at which point the Part II becomes public (PCAOB Rule 4007).

A connection to Sarbanes-Oxley Section 404 audit requirements is central here: firms that consistently fail to identify internal control deficiencies at financial services clients generate Part I.A deficiency findings — the most serious category, introduced in the PCAOB's 2022 inspection framework revision.

Common scenarios

Three recurring scenarios characterize PCAOB inspection findings at financial services auditors.

Scenario 1 — Inadequate testing of allowances for credit losses. Banks and credit unions maintain allowances against loan portfolios. PCAOB inspectors regularly find that auditors relied excessively on management's models without independently evaluating the reasonableness of inputs, particularly for commercial real estate and leveraged lending portfolios. The PCAOB's 2022 inspection brief on credit losses identified this as a firm-wide deficiency at multiple large and mid-size registered firms.

Scenario 2 — Insufficient procedures over fair value of Level 3 instruments. Investment banks, hedge fund auditors, and asset management auditors frequently receive findings related to fair value hierarchy classification and valuation of Level 3 (unobservable input) instruments. PCAOB AS 2502 governs auditing fair value measurements, and inspectors assess whether auditors developed independent price estimates rather than simply accepting management valuations. This scenario connects directly to hedge fund audit requirements in the US.

Scenario 3 — Broker-dealer auditor compliance with PCAOB Rule 17a-5 requirements. Since 2014, auditors of SEC-registered broker-dealers must be PCAOB-registered and follow PCAOB standards. Inspections have found that smaller audit firms — those newly registered after the rule change — sometimes applied standards inconsistently with PCAOB AS 3101 requirements for the auditor's report form and content (PCAOB, Broker-Dealer Auditor Inspection Reports).

Decision boundaries

Several classification boundaries determine how PCAOB inspection rules apply to a given audit engagement.

Issuer vs. non-issuer: Only auditors of SEC-registered issuers and registered broker-dealers fall within PCAOB jurisdiction. Auditors of private companies, credit unions regulated by NCUA, or non-registered private investment funds use GAAS — Generally Accepted Auditing Standards under AICPA oversight rather than PCAOB standards. This distinction is explored further in the comparison of internal vs. external audit differences.

Accelerated filer vs. non-accelerated filer: Under SEC definitions, accelerated filers and large accelerated filers must obtain an auditor attestation on internal controls under SOX 404(b), which PCAOB inspectors evaluate intensively. Non-accelerated filers are exempt from 404(b), meaning the PCAOB inspection of their audits focuses on financial statement assertions only, not integrated audit procedures.

Annual vs. triennial inspection cycle: Audit firms that audit more than 100 issuers are inspected annually; firms auditing 100 or fewer issuers are inspected every three years (SOX Section 104(b)(1)(B)). For financial services auditors, firm size relative to this 100-issuer threshold determines inspection frequency and resource allocation.

Part I.A vs. Part I.B deficiencies: The PCAOB's 2022 inspection framework distinguishes between deficiencies so significant that the auditor failed to support the audit opinion (Part I.A) and other deficiencies where audit procedures were inadequate but the opinion may still have been appropriate (Part I.B). Part I.A findings trigger mandatory public disclosure and may result in referral to PCAOB enforcement. Audit firms serving large financial services clients under intense market scrutiny face greater reputational exposure from Part I.A classification than those in less-visible sectors. The audit findings and management response process addresses how firms document responses to inspection findings.

References

📜 1 regulatory citation referenced  ·  🔍 Monitored by ANA Regulatory Watch  ·  View update log

Explore This Site

Regulations & Safety Regulatory References Tools & Calculators Compound Interest Calculator