Uncategorized

How to Prepare for a PCAOB Inspection in 2026: Documentation, Workpaper Review, Common Findings

By chrisomo

How to prepare for a PCAOB inspection comes down to documentation discipline, workpaper review rigor, and partner-level engagement quality before the inspector ever walks in. The FY2024 Big 4 average inspection deficiency rate of 23 percent (PCAOB FY2024 Annual Report) tells you the bar is real. The mechanics of preparation are well understood; the discipline of executing them is what separates clean inspection cycles from Form 1 remediation.

What a PCAOB inspection looks like

The PCAOB conducts inspections under the Sarbanes-Oxley Act of 2002 Sections 104 and 105. The PCAOB inspects every registered firm that audits more than 100 issuers annually (the Big 4 and a handful of large national firms) and inspects smaller firms on a three-year cycle. The inspection covers two areas: (1) selected audit engagements (“Part I”) and (2) the firm’s quality control system (“Part II”).

For a Big 4 firm, the PCAOB selects roughly 50 to 80 audit engagements per inspection cycle from across the firm’s issuer audit population. The selection is risk-based and not random; the PCAOB targets engagements with higher inherent risk profiles (complex revenue recognition, financial-instrument valuations, going concern, related-party transactions, restatements in prior years).

The inspection process spans roughly nine to twelve months from initial engagement selection notification through final report issuance. The on-site or remote fieldwork portion runs four to ten weeks per engagement selected, with PCAOB inspectors requesting workpapers, conducting interviews with engagement teams, and following up on questions iteratively.

The deliverables are the public inspection report (Part I.A findings only) and the non-public Part II findings on firm-wide quality control. Part I.A findings are public and itemized engagement-by-engagement. Part I.B findings are non-public (often related to compliance with PCAOB standards or independence) but become public if not remediated within twelve months. Part II findings on the quality control system are non-public unless not remediated within twelve months, at which point they become public.

The 6 areas where deficiencies cluster (with FY2024 data)

PCAOB FY2024 inspection data shows deficiencies clustering predictably across six recurring areas. Engagement teams that read prior-year inspection reports and tune their planning around these six areas materially reduce inspection risk.

1. Revenue recognition (ASC 606). Revenue is consistently the largest single source of deficiencies. Common citations: insufficient testing of performance obligations identification, inadequate evidence of variable consideration estimates, weak testing of contract modifications, and gaps in testing the cutoff assertion. The complexity of ASC 606 implementation continues to surface deficiencies even seven years post-adoption.

2. Internal control over financial reporting (ICFR). Under AS 2201, the auditor must perform an integrated audit of ICFR for accelerated and large accelerated filers. Common deficiencies: insufficient testing of management review controls (the auditor accepts the control’s existence without testing whether it operates with the precision claimed), inadequate testing of information used in controls (IPE), and weak design assessment for entity-level controls.

3. Fair value measurements. Level 3 fair-value measurements (private equity, complex financial instruments, intangible assets in business combinations) are persistently difficult. Common citations: insufficient testing of management’s models, inadequate evaluation of significant assumptions, weak use-of-specialist procedures, and gaps in testing observable market inputs.

4. Going concern. AS 2415 requires the auditor to evaluate whether substantial doubt exists about the entity’s ability to continue as a going concern. Common citations: inadequate evaluation of management’s plans, weak documentation of the auditor’s conclusion, and insufficient consideration of post-balance-sheet-date events affecting the going concern analysis.

5. Related-party transactions. AS 2410 sets specific procedures for related-party identification and testing. Common citations: weak procedures to identify undisclosed related parties (the entity’s own related-party listing being treated as complete without independent verification), inadequate testing of authorization and approval for related-party transactions, and insufficient evaluation of the business purpose and economic substance.

6. Journal entries. AS 2401 requires testing journal entries as part of the fraud-risk response. Common citations: insufficient population analysis (the auditor tested management’s exception-flagged entries without independently identifying high-risk entries), weak testing of standard entries, and inadequate evaluation of unusual or non-routine entries near the period-end.

Pre-inspection prep: 90 days out

The 90-day window before the PCAOB notifies the firm of selected engagements is the operational sweet spot for preparation. Useful actions in this window:

Read the prior PCAOB inspection report. The firm’s prior-year and prior-three-year inspection reports describe the deficiency patterns the PCAOB has flagged. Engagement teams that read the prior reports and explicitly tune their planning to address recurring themes do measurably better in subsequent inspections.

Run a pre-inspection workpaper review. Select 5 to 10 high-risk engagements from the firm’s issuer portfolio and run a simulated PCAOB inspection: an independent partner not involved in the audit reads the workpapers using the PCAOB’s evaluation criteria and identifies gaps. This is essentially an internal practice run.

Confirm AS 1215 documentation completion. Workpaper documentation must be assembled within 45 days of report release (AS 1215.15). Past that window, the workpaper cannot be modified without specific procedures (AS 1215.16). A firm-wide audit of compliance with the 45-day rule, and the documentation of any 45-day-rule extensions, is a routine pre-inspection check.

Refresh the engagement risk assessment. The risk assessment under AS 2110 drives the entire audit. PCAOB inspectors regularly cite weak risk assessment as a root cause of downstream deficiencies. A targeted refresh of the risk assessment for high-risk engagements catches gaps before the inspector does.

Strengthen the Engagement Quality Reviewer (EQR) record. The EQR under AS 1220 must document significant judgments and conclusions made during the audit and the EQR’s review. EQR documentation is itself an inspection focus: a thin EQR file signals to the PCAOB that the EQR was pro forma rather than substantive.

Verify independence documentation. Independence under PCAOB Rule 3520 and 3526 is a common Part I.B finding. Documentation of partner rotation, non-audit services, audit committee pre-approval, and personal investment monitoring should be sweepable in 30 days.

The audit firm rotation index tracks which firms have been most affected by these inspection dynamics across 2024 to 2026. The internal controls testing primer covers the ICFR procedures that drive cluster 2.

The workpaper review checklist

The workpaper review is where most inspection preparation happens. The checklist below is the operational baseline; engagement teams should run through every selected engagement against these criteria at least 30 days before inspection fieldwork begins.

The partner and EQR process

The audit partner under AS 1201 has ultimate responsibility for the engagement. The Engagement Quality Reviewer (EQR) under AS 1220 performs an independent review of significant judgments and conclusions. The partner-and-EQR axis is where inspection defense lives or dies.

Partner-level discipline. The partner’s review notes should themselves demonstrate engagement; “reviewed” sign-offs without specific evidence of the partner’s evaluation are an inspection red flag. Strong partner records include specific notes on areas where the partner challenged the team, asked follow-up questions, or required additional procedures. Weak partner records show only sign-offs.

EQR substantive review. The EQR must be independent of the engagement team in a way that allows fresh-eyes evaluation. The EQR review should focus on the most significant judgments: revenue recognition policy applications, fair-value model selections, going concern conclusions, related-party identification, and management override of controls. The EQR’s documentation should specifically address how the EQR challenged or accepted the engagement team’s judgments.

Concurring partner conclusion. The concurring partner under AS 1220 must affirmatively conclude that the engagement team’s significant judgments were appropriate. A weak concurring partner conclusion is a meaningful inspection vulnerability because it is one of the most visible artifacts in the workpaper file.

National office consultation. Complex technical accounting areas (revenue recognition policy questions, business combination accounting, going concern conclusions in close-call situations) should run through national office consultation. The national office consultation memo is itself an inspection-defensible artifact; PCAOB inspectors specifically look for evidence of national office involvement on complex matters.

Cumulative known misstatement tracking. AS 2810 requires the auditor to accumulate misstatements identified during the audit. The cumulative summary of misstatements (the “summary of audit differences”) is an inspection touchpoint. A cumulative misstatement file that shows only zero entries is implausible and frequently cited; a well-populated file shows the team’s work catching and evaluating misstatements regardless of materiality.

During the inspection visit

The PCAOB inspection visit is a structured information-exchange process. The firm typically assigns a national-office inspection coordinator who serves as the primary point of contact with the PCAOB inspector. Engagement teams whose work is selected provide workpapers, attend interviews, and respond to follow-up questions.

Be responsive but not over-explanatory. The PCAOB inspector asks questions to understand the audit work performed. Engagement teams that answer the specific question asked, with reference to the workpaper documentation, do better than teams that volunteer narrative explanations that go beyond what the workpaper supports.

Respect the workpaper assembly rule. AS 1215.16 prohibits modifying workpapers after the 45-day assembly deadline except in documented circumstances. Adding documentation in response to PCAOB questions can cross this line. Any additions during inspection must be documented as additions made in response to PCAOB inquiry, dated, and signed.

Escalate disputed findings appropriately. Firms have the right to disagree with PCAOB preliminary findings. The disagreement process runs through the firm’s national office and the PCAOB’s inspection team. Substantive disagreements should be raised early and documented with the underlying technical analysis. Firms that capitulate too readily on disputable findings reinforce the PCAOB’s position; firms that disagree without technical support tend to lose anyway.

Document the inspection trail. The firm should maintain its own internal record of the inspection: which engagements were selected, which questions were asked, what documentation was provided, and what findings were raised. This internal record supports the firm’s response on Form 1 and informs future inspection cycles. See our coverage of the Zwick CPA Genie Energy sanctions for an example of how the inspection-to-enforcement trail unfolds when documentation breaks down.

Post-inspection response: Form 1 + Form 2 mechanics

After the PCAOB issues the draft inspection report, the firm has the opportunity to respond. The formal response mechanism is built around two forms.

Form 1: Firm response to the inspection report. Form 1 is the firm’s written response to the PCAOB’s findings, typically filed within 30 days of receiving the draft report. The response can address factual corrections, disagreements with characterizations, and the firm’s planned remedial actions. The PCAOB takes Form 1 responses into account when finalizing the report but is not bound by them. Strong Form 1 responses focus on factual accuracy and remediation steps rather than arguing against the underlying findings.

Part I.B remediation. Part I.B findings (typically independence and certain compliance matters) are non-public initially. Firms have 12 months from the inspection report date to remediate Part I.B findings; failure to remediate results in the findings becoming public. The PCAOB conducts a remediation determination process to evaluate whether the firm’s actions are sufficient.

Part II remediation. Part II findings address quality-control deficiencies and are also subject to 12-month remediation. These findings are the most consequential because they speak to firm-wide systems rather than single-engagement issues. Remediation typically involves changes to firm-wide policies, training, monitoring procedures, and quality-control infrastructure.

Form 2: Annual report. Form 2 is the registered firm’s annual report to the PCAOB. It includes information about the firm’s audit practice, including issuer client count, partners, and certain practice metrics. Form 2 is not directly related to inspection findings but is a recurring compliance touchpoint.

Long-term: the inspection cycle compounds. Firms that handle their first inspection cycle thoughtfully (substantive Form 1 responses, completed Part I.B remediation, completed Part II remediation) typically see improved inspection outcomes over subsequent cycles. Firms that treat inspection responses as a compliance checkbox typically see deficiency rates persist or worsen. Our regulatory coverage tracks the inspection-to-enforcement pipeline at the issuer and audit firm level.

Frequently asked questions

How are engagements selected for inspection?

Risk-based, not random. The PCAOB targets engagements with higher inherent risk profiles: complex revenue recognition, financial instrument valuations, going concern questions, prior restatements, recent IPOs, and industry-specific risk factors (financial services, healthcare, technology). The selection methodology is not publicly disclosed in detail, but the pattern of selections across published inspection reports tracks the risk-based logic.

What counts as a deficiency?

A deficiency exists when the auditor failed to obtain sufficient appropriate audit evidence to support the audit opinion under PCAOB standards. This can include unperformed procedures, insufficient procedures, weak documentation, or procedural gaps that prevent the auditor from concluding on a material assertion. Note that a deficiency does not necessarily mean the opinion was wrong; it means the work supporting the opinion was insufficient.

Does a deficiency mean the audit opinion was incorrect?

Not necessarily. A deficiency identifies that the auditor lacked sufficient appropriate evidence. The underlying financial statements may still have been free of material misstatement. The PCAOB’s concern is the audit process, not necessarily the financial statement outcome. That said, a meaningful pattern of deficiencies can lead to a restatement if the underlying work was inadequate enough that material misstatements went undetected.

How long does the inspection process take?

Nine to twelve months from engagement selection notification to public report issuance. The on-site or remote fieldwork portion runs four to ten weeks per selected engagement. The drafting, response, and finalization portion runs three to six months after fieldwork completes.

Can a firm appeal PCAOB inspection findings?

The firm can respond to draft findings via Form 1 and through discussion with PCAOB inspectors during the inspection cycle. There is no formal appeal mechanism after the report is final. Firms can challenge characterizations and provide additional context, but the PCAOB has discretion over the final report.

What is the difference between PCAOB inspection and SEC enforcement?

PCAOB inspections are a regulatory oversight function focused on audit quality. SEC enforcement is a separate process focused on violations of securities laws. PCAOB inspection findings can feed into SEC enforcement referrals in serious cases (where audit failures contributed to materially misleading financial statements), but the two processes are formally distinct.

How can engagement teams prepare individually?

Read the firm’s prior inspection reports, focus on the six recurring deficiency clusters, complete AS 1215 documentation rigorously within the 45-day window, ensure the EQR has substantive engagement, and run a partner-level self-review focused on documentation quality. Engagement-level preparation is more impactful than firm-level coordination for most outcomes.

What happens if Part II findings are not remediated?

Part II findings that the PCAOB determines have not been adequately remediated within 12 months become public. This is a meaningful reputational and operational event for the firm. The PCAOB publishes the previously non-public findings, which often triggers client reviews, audit committee scrutiny, and in some cases procurement decisions to switch auditors.