← Usman Qureshi — Free AI Tools for Audit & CFO Advisory

PCAOB Audit Standards & Quality Guide

By Usman Qureshi (ACCA, ACA) · Published July 2026 · Last reviewed July 2026 · 10 min read

If you audit a US public company, you follow PCAOB standards (Auditing Standards — "AS"). The PCAOB is the US regulator for audit quality, set up under Sarbanes-Oxley 2002. PCAOB standards differ from ISA (International Standards on Auditing) in philosophy, risk assessment approach, and fraud detection requirements. This guide covers the key PCAOB standards, quality control, and how they compare to ISA — essential reading for auditors transitioning from IFRS/ISA to GAAP/PCAOB audits.

In this guide

What is PCAOB?

PCAOB = Public Company Accounting Oversight Board. A US regulator established under the Sarbanes-Oxley Act (SOX) 2002 to oversee the audit of public companies and protect investors.

Key point: PCAOB issues Auditing Standards (AS), which are MANDATORY for audits of US public companies. They differ materially from ISA and must be followed even if the client also reports under IFRS.

PCAOB also conducts periodic inspections of audit firms — major and smaller firms face triennial or annual inspections to assess compliance with PCAOB standards.

PCAOB Auditing Standards Overview

PCAOB standards are numbered AS 1000— S 3400 and grouped by topic:

Key standards: AS 1200 (Risk Assessment), AS 1210 (Audit Planning), AS 2201 (Audit of Internal Controls), AS 2401 (Fraud Detection), AS 3101 (Audit Reports).

AS 1200: Risk Assessment

PCAOB AS 1200 requires the auditor to:

  1. Obtain an understanding of the entity and its environment
  2. Assess risks of material misstatement (RMM)
  3. Plan audit procedures to address identified risks
  4. Test design and operating effectiveness of controls

Key difference from ISA: PCAOB emphasizes design effectiveness testing of controls. PCAOB auditors must test whether controls are designed to prevent/detect misstatement, not just whether they operated. This is more prescriptive than ISA.

Reference: PCAOB AS 1200-3 (Risk Assessment).

AS 1210: Audit Planning & Procedures

AS 1210 requires the auditor to plan the audit by:

Materiality: PCAOB uses the same concept as ISA but emphasizes qualitative factors. A misstatement may be material even if quantitatively small if it affects compliance, management compensation, or going concern.

Reference: PCAOB AS 1210-1 (Audit Planning).

Fraud Detection & AS 2401

AS 2401 requires auditors to explicitly assess the risk of fraud in two areas:

  1. Fraudulent financial reporting: Management override of controls, revenue recognition schemes, expense understatement
  2. Misappropriation of assets: Theft of cash, inventory, or other assets

Key requirement: Auditors must design procedures specifically to detect fraud, including:

Difference from ISA: PCAOB is stricter on fraud procedures. ISA focuses on "professional skepticism"; PCAOB requires specific, documented fraud procedures. US public company audits have higher fraud-testing demands.

Reference: PCAOB AS 2401-1 (Fraud Detection).

Quality Control (AS 1200, PCAOB QC)

PCAOB QC standards require audit firms to:

EQRP role: The EQRP reviews the audit work before the auditor issues a report. This is a key difference from ISA (where a secondary review is optional). PCAOB mandates it.

Inspection findings: PCAOB publishes inspection results for large firms (Big 4, large regional firms). Non-compliance with PCAOB standards can result in fines, restrictions, or loss of audit license.

PCAOB vs ISA: Key Differences

Area PCAOB ISA
Risk Assessment Design of controls is mandatory testing Risk assessment; control testing is optional if auditor assesses high risk
Fraud Testing Explicit, documented fraud procedures required Fraud consideration required but less prescriptive
Engagement Review Independent EQRP mandatory Review partner optional (some jurisdictions require it)
Audit Report Must include opinion on internal controls over financial reporting (ICFR) for public companies No ICFR opinion required
Materiality Quantitative + qualitative (emphasizes qualitative) Primarily quantitative with qualitative consideration

Worked Example: Fraud Risk Assessment

Scenario: Audit of a US public technology company (SaaS vendor). Revenue is contract-based (multi-year subscriptions). Key fraud risks:

PCAOB AS 2401 fraud procedures:

  1. Analytical: Compare monthly revenue to prior periods and budgets. Flag unusual spikes (potential channel stuffing)
  2. Journal entry testing: Sample all manual revenue journal entries >£100k. Trace to customer contract and delivery evidence
  3. Revenue contracts: Select sample of contracts signed near period-end. Confirm with customer that terms match recorded revenue
  4. Management estimates: Review discount assumptions in revenue models; challenge against market rates
  5. Refunds and returns: Trace post-year-end refunds back to pre-year-end revenue; identify channel stuffing patterns

Output: Documented fraud risk assessment, specific procedures linked to risks, and evidence of performance. This is more detailed than ISA typical practice.

Audit Implications

Need help with PCAOB compliance?

Ask an expert in the Meeting Room — free guidance on PCAOB standards and audit procedures.

Ask an Expert →

FAQs

What is the PCAOB?

The Public Company Accounting Oversight Board. A US regulator that sets audit standards (AS) and inspects audit firms for compliance. Mandatory for US public company audits.

What is the difference between PCAOB and ISA?

PCAOB is more prescriptive: mandatory control design testing, explicit fraud procedures, and required independent EQRP review. ISA is more principles-based and less prescriptive.

What is AS 2401?

PCAOB Auditing Standard 2401 on fraud detection. Requires auditors to design specific procedures to detect fraudulent financial reporting and misappropriation of assets.

Do I need to audit internal controls under PCAOB?

For US public companies (accelerated filers), yes — AS 2201 requires an opinion on the effectiveness of internal controls over financial reporting (ICFR). For smaller companies, audit may be limited to financial statements.

UQ

About the author — Usman Qureshi (ACCA, ACA)

Usman has audited US public companies under PCAOB standards in a Big 4 firm. He specialises in fraud risk assessment and quality control compliance.

This guide is simplified for educational purposes. PCAOB audits are complex and depend on specific client facts, risk assessments, and firm quality control policies. Always consult the full PCAOB AS standards and your own supervisors before finalising audit procedures or conclusions.

Real-Life Case Study: A PCAOB Inspection Finding

Scenario. A registered audit firm is inspected. The PCAOB flags that on one engagement the auditor accepted management's goodwill-impairment cash-flow forecasts without independently challenging the growth assumptions.

The finding. Insufficient audit evidence over a significant estimate, a breach of the standard requiring the auditor to evaluate the reasonableness of management assumptions and test the model. The remediation: enhanced procedures, specialist involvement, and revised methodology guidance firm-wide.

Takeaway. The recurring theme in PCAOB findings is estimates and judgement, impairment, fair value, revenue. "Management said so" is never audit evidence; scepticism means independently corroborating or challenging the key assumptions.

Illustrative composite scenario for educational purposes. Figures are indicative and do not represent any specific company.