What is PCAOB?
PCAOB = Public Company Accounting Oversight Board. A US regulator established under the Sarbanes-Oxley Act (SOX) 2002 to oversee the audit of public companies and protect investors.
Key point: PCAOB issues Auditing Standards (AS), which are MANDATORY for audits of US public companies. They differ materially from ISA and must be followed even if the client also reports under IFRS.
PCAOB also conducts periodic inspections of audit firms — major and smaller firms face triennial or annual inspections to assess compliance with PCAOB standards.
PCAOB Auditing Standards Overview
PCAOB standards are numbered AS 1000— S 3400 and grouped by topic:
- AS 1000 series: General standards, risk assessment, planning
- AS 2000 series: Audit procedures (testing controls, substantive tests, specific areas)
- AS 3000 series: Reporting and other topics
Key standards: AS 1200 (Risk Assessment), AS 1210 (Audit Planning), AS 2201 (Audit of Internal Controls), AS 2401 (Fraud Detection), AS 3101 (Audit Reports).
AS 1200: Risk Assessment
PCAOB AS 1200 requires the auditor to:
- Obtain an understanding of the entity and its environment
- Assess risks of material misstatement (RMM)
- Plan audit procedures to address identified risks
- Test design and operating effectiveness of controls
Key difference from ISA: PCAOB emphasizes design effectiveness testing of controls. PCAOB auditors must test whether controls are designed to prevent/detect misstatement, not just whether they operated. This is more prescriptive than ISA.
Reference: PCAOB AS 1200-3 (Risk Assessment).
AS 1210: Audit Planning & Procedures
AS 1210 requires the auditor to plan the audit by:
- Establishing an overall audit strategy
- Developing a detailed audit plan
- Determining materiality and performance materiality
- Identifying areas of higher risk (e.g., fraud, complex estimates)
Materiality: PCAOB uses the same concept as ISA but emphasizes qualitative factors. A misstatement may be material even if quantitatively small if it affects compliance, management compensation, or going concern.
Reference: PCAOB AS 1210-1 (Audit Planning).
Fraud Detection & AS 2401
AS 2401 requires auditors to explicitly assess the risk of fraud in two areas:
- Fraudulent financial reporting: Management override of controls, revenue recognition schemes, expense understatement
- Misappropriation of assets: Theft of cash, inventory, or other assets
Key requirement: Auditors must design procedures specifically to detect fraud, including:
- Analytical procedures on journal entries (especially manual entries)
- Tests of unusual transactions
- Confirmations with third parties
- Review of management estimates and judgments
Difference from ISA: PCAOB is stricter on fraud procedures. ISA focuses on "professional skepticism"; PCAOB requires specific, documented fraud procedures. US public company audits have higher fraud-testing demands.
Reference: PCAOB AS 2401-1 (Fraud Detection).
Quality Control (AS 1200, PCAOB QC)
PCAOB QC standards require audit firms to:
- Assign an independent engagement quality review partner (EQRP) to major audits
- Document quality control procedures at the firm and engagement level
- Perform periodic internal monitoring and external inspection (PCAOB inspections)
- Address inspection findings and enforce remedial actions
EQRP role: The EQRP reviews the audit work before the auditor issues a report. This is a key difference from ISA (where a secondary review is optional). PCAOB mandates it.
Inspection findings: PCAOB publishes inspection results for large firms (Big 4, large regional firms). Non-compliance with PCAOB standards can result in fines, restrictions, or loss of audit license.
PCAOB vs ISA: Key Differences
| Area | PCAOB | ISA |
|---|---|---|
| Risk Assessment | Design of controls is mandatory testing | Risk assessment; control testing is optional if auditor assesses high risk |
| Fraud Testing | Explicit, documented fraud procedures required | Fraud consideration required but less prescriptive |
| Engagement Review | Independent EQRP mandatory | Review partner optional (some jurisdictions require it) |
| Audit Report | Must include opinion on internal controls over financial reporting (ICFR) for public companies | No ICFR opinion required |
| Materiality | Quantitative + qualitative (emphasizes qualitative) | Primarily quantitative with qualitative consideration |
Worked Example: Fraud Risk Assessment
Scenario: Audit of a US public technology company (SaaS vendor). Revenue is contract-based (multi-year subscriptions). Key fraud risks:
- Revenue recognition scheme: side letters reducing contract value after execution
- Expense understatement: accrual of unused consulting services not reversal
- Management compensation: profit targets tied to revenue, incentive to overstate
PCAOB AS 2401 fraud procedures:
- Analytical: Compare monthly revenue to prior periods and budgets. Flag unusual spikes (potential channel stuffing)
- Journal entry testing: Sample all manual revenue journal entries >£100k. Trace to customer contract and delivery evidence
- Revenue contracts: Select sample of contracts signed near period-end. Confirm with customer that terms match recorded revenue
- Management estimates: Review discount assumptions in revenue models; challenge against market rates
- Refunds and returns: Trace post-year-end refunds back to pre-year-end revenue; identify channel stuffing patterns
Output: Documented fraud risk assessment, specific procedures linked to risks, and evidence of performance. This is more detailed than ISA typical practice.
Audit Implications
- Planning: PCAOB audits require more upfront planning and risk documentation. Allocate time for fraud risk brainstorming and materiality calculation.
- Control testing: Design of controls is non-negotiable under PCAOB. Budget for detailed control documentation and design testing.
- Fraud: Explicit fraud procedures are mandatory. Do not rely on analytical procedures alone; perform confirmations, journal entry testing, and management interviews.
- EQRP: Ensure an independent partner is assigned early and reviews key judgments (materiality, fraud risk, estimates).
- Documentation: PCAOB requires extensive documentation of procedures, judgments, and conclusions. Document your thinking, not just your procedures.
Need help with PCAOB compliance?
Ask an expert in the Meeting Room — free guidance on PCAOB standards and audit procedures.
Ask an Expert →FAQs
What is the PCAOB?
The Public Company Accounting Oversight Board. A US regulator that sets audit standards (AS) and inspects audit firms for compliance. Mandatory for US public company audits.
What is the difference between PCAOB and ISA?
PCAOB is more prescriptive: mandatory control design testing, explicit fraud procedures, and required independent EQRP review. ISA is more principles-based and less prescriptive.
What is AS 2401?
PCAOB Auditing Standard 2401 on fraud detection. Requires auditors to design specific procedures to detect fraudulent financial reporting and misappropriation of assets.
Do I need to audit internal controls under PCAOB?
For US public companies (accelerated filers), yes — AS 2201 requires an opinion on the effectiveness of internal controls over financial reporting (ICFR). For smaller companies, audit may be limited to financial statements.
This guide is simplified for educational purposes. PCAOB audits are complex and depend on specific client facts, risk assessments, and firm quality control policies. Always consult the full PCAOB AS standards and your own supervisors before finalising audit procedures or conclusions.
Real-Life Case Study: A PCAOB Inspection Finding
Scenario. A registered audit firm is inspected. The PCAOB flags that on one engagement the auditor accepted management's goodwill-impairment cash-flow forecasts without independently challenging the growth assumptions.
The finding. Insufficient audit evidence over a significant estimate, a breach of the standard requiring the auditor to evaluate the reasonableness of management assumptions and test the model. The remediation: enhanced procedures, specialist involvement, and revised methodology guidance firm-wide.
Takeaway. The recurring theme in PCAOB findings is estimates and judgement, impairment, fair value, revenue. "Management said so" is never audit evidence; scepticism means independently corroborating or challenging the key assumptions.
Illustrative composite scenario for educational purposes. Figures are indicative and do not represent any specific company.