PCAOB Inspection Findings 2026: What CFOs and Audit Committees Must Act On
PCAOB inspection reports are written for auditors. But the deficiencies they document almost always trace back to the preparer side: thin documentation, aggressive estimates, weak ICFR design, or going-concern disclosures that don't hold up under scrutiny. If you're a CFO, controller, or audit committee member, the 2026 inspection cycle is sending you a direct message, even if it's addressed to your auditor.
This article translates the 2026 PCAOB inspection findings into preparer-side action. It covers the structural shift underway at the PCAOB, what the recurring deficiency categories mean for your financial reporting, what the BDO USA and RSM US expanded-report disclosures signal about mid-market audit quality, and what you need to document now if your team uses AI in the financial close.
Key takeaway: PCAOB inspection findings are a leading indicator of where your auditor will push back hardest, where SEC comment letters are likely to follow, and where material weakness risk concentrates. Read them as a preparer, not as a bystander.
What Is Changing at the PCAOB in 2026
The PCAOB is in a structural transition, and the near-term inspection agenda is genuinely uncertain. Under new Chairman Demetrios (Jim) Logothetis, the Board has paused its prior standard-setting agenda pending analysis of stakeholder input from a public comment period that ran March 31 through May 15, 2026. That 45-day window was the first time the PCAOB had solicited broad public input on its strategic plan in this format.
On May 28, 2026, the PCAOB announced the Inspections Modernization Council, the first formal advisory body specifically focused on modernizing the inspection program. Chairman Logothetis stated that "modernization of PCAOB inspections has the potential to bring improved audit quality and other significant benefits to investors and other stakeholders." The Council explicitly sought financial executives at public companies as participants, not just auditors and academics.
For preparers, the practical implication is a window of regulatory uncertainty. Standard-setting activities are paused. The inspection modernization agenda will take 1 to 3 years to materialize. But the inspections themselves continue at pace, and the recurring deficiency categories have not changed.
Which Audit Areas Are PCAOB Inspectors Flagging in 2025-2026
The PCAOB's own guidance to preparers names the focus areas directly. According to the PCAOB's Information for Preparers page, inspection selection concentrates on:
- Auditor risk assessment processes
- Financial reporting areas affected by economic trends or pressures
- Audit areas presenting significant challenges or risk
- New accounting standards in their first adoption cycle
- Areas of recurring audit deficiencies
The PCAOB uses both risk-based and random audit selection. Risk-based selection means companies in sectors with elevated economic stress, complex accounting estimates, or recent standard adoption are disproportionately likely to have their audits reviewed. If your company is in a sector under macro pressure, or if you adopted a new standard in the past two years, your audit is a higher-probability selection target.
The recurring deficiency categories that inspectors flag most consistently include:
| Deficiency Category | Preparer-Side Root Cause | Preparer Action Required |
|---|---|---|
| Risk assessment | Auditor didn't understand the business well enough | Improve management's risk briefing at engagement start; document key assumptions clearly |
| Revenue recognition | Insufficient support for SSP analysis, variable consideration, or contract modifications | Maintain contemporaneous documentation of each ASC 606 judgment; update SSP analyses annually |
| Going concern | Auditor accepted thin management analysis | Prepare a robust, quantified going-concern analysis with documented mitigating factors before the audit begins |
| ICFR (AS 2201) | Control design gaps, missing evidence of operation | Strengthen control documentation; ensure SOX 302/906 certifications are supported by tested controls |
| Accounting estimates | Insufficient audit evidence for fair value, impairment, or reserves | Document the methodology, inputs, and sensitivity analysis for every significant estimate |
| AI/technology-assisted procedures | New area; documentation standards not yet established | Document how AI tools are used in the close and what human review steps exist |
Revenue Recognition: What a PCAOB Deficiency Means for Your Documentation
When inspectors flag a revenue recognition deficiency, the finding typically means the auditor failed to obtain sufficient evidence to support the client's accounting. That evidence gap almost always reflects a preparer-side documentation gap. If your standalone selling price analysis hasn't been updated since the original ASC 606 adoption, or if contract modification judgments aren't documented contemporaneously, your auditor is working from a thin file. The PCAOB deficiency becomes your problem at the next SEC comment letter review.
The connection is direct: the SEC's comment letter process concentrates on the same areas PCAOB inspectors flag. A revenue recognition deficiency in a sector's inspection reports reliably predicts SEC staff comment letters on revenue disclosures in that sector's 10-Ks.
ICFR: The AS 2201 Feedback Loop
ICFR deficiencies in PCAOB inspection reports signal that auditors are not performing AS 2201 procedures with sufficient rigor. For accelerated and large accelerated filers, that rigor is what supports your auditor's internal control opinion under SOX 404(b). If your auditor's AS 2201 work is deficient, your SOX 404 opinion is at risk. The downstream consequence is a potential material weakness disclosure in your 10-K, with all the SEC and market consequences that follow.
Prepare by treating your ICFR documentation as if PCAOB inspectors will review it directly. They won't, but your auditor's workpapers will reflect it.
What the BDO USA and RSM US Expanded Reports Mean for Preparers
If your auditor has had Part II of an inspection report made public, you have a documented, public record of systemic quality control failure. This is not a hypothetical risk for clients of BDO USA and RSM US.
Here is how the disclosure mechanism works. PCAOB inspection reports have two parts:
- Part I (public): Specific audit deficiencies found in selected engagements.
- Part II (initially non-public): Criticisms of the firm's quality control system.
Under PCAOB Rule 4009(d), Part II becomes public if the firm fails to remediate the identified quality control issues to the Board's satisfaction within 12 months of the report date.
Both BDO USA and RSM US triggered this disclosure in 2026:
- BDO USA, LLP: Additional portions of its September 30, 2021 inspection report were made public on June 10, 2026, approximately 4.5 years after the original report date.
- RSM US LLP: Additional portions of its December 16, 2021 inspection report were made public on March 19, 2026, approximately 4.25 years after the original report date.
RSM is the fifth-largest U.S. audit firm by public company clients. BDO USA is a major mid-market auditor. These are not fringe firms.
What this means for your audit committee: A public Part II disclosure is evidence that the firm's quality control system had documented, unresolved deficiencies for years. Your audit committee should request a direct briefing from the engagement partner on what those deficiencies were, what remediation steps were taken, and how the firm's QC 1000 implementation (effective December 15, 2025) addresses the underlying issues.
Audit committees at companies audited by firms with expanded report disclosures should also review the PCAOB's machine-readable inspection datasets, which are available in CSV, XML, and JSON formats covering annually inspected firms from 2018 forward and triennially inspected firms from 2019 forward, updated quarterly. This data lets you track your auditor's Part I.A deficiency rate over time, not just in the most recent report. Most audit committees are not using this capability. They should be.
How to Use PCAOB Inspection Data to Evaluate Your Auditor
The PCAOB publishes enough machine-readable data to run a meaningful due-diligence analysis on any registered firm. Here is a practical approach:
- Download the Part I.A dataset for your auditor from the PCAOB firm inspection reports page. Filter by firm, year, and engagement type.
- Calculate the deficiency rate (deficient audits divided by audits inspected) for each inspection year. Compare it to the firm's peer group using the PCAOB's new interactive charts for Global Network Firms and Non-Affiliate Annual Firms.
- Check for Part II disclosures. Search for expanded reports under PCAOB Rule 4009(d). A public Part II is a red flag that warrants direct conversation with the engagement partner.
- Review the deficiency categories. If your auditor's inspection reports repeatedly flag revenue recognition or ICFR deficiencies, those are the areas where your own documentation needs to be strongest.
- Factor in inspection frequency. Under Sarbanes-Oxley Act Section 104, firms auditing more than 100 public company clients are inspected annually; firms auditing 100 or fewer are inspected only every three years. A triennially inspected firm may have gone three years without a PCAOB quality check. That gap matters for auditor selection decisions.
The PCAOB also publishes new interactive visualization tools for trend analysis across the Global Network Firms and Non-Affiliate Firm inspection categories, making it easier to spot deteriorating deficiency rates before they show up in an expanded report.
The AI Documentation Risk That Most Preparers Are Missing
The PCAOB has an active research project on the use of technology-based tools by both auditors and preparers. The explicit inclusion of "preparers" in that research scope, confirmed in the May 5, 2026 standard-setting update, is new and significant. It signals that AI use in financial reporting processes will become an inspection focus area, even if no binding standard exists yet.
PwC's May 13, 2026 comment letter to the PCAOB (PCAOB No. 2026-001) was direct: "As a matter of priority, the PCAOB should address the use of AI by companies and auditors." PwC also called AI's impact on company operations "the most significant development that is likely to impact the PCAOB's standard setting and other activities in the next five years."
For preparers using AI tools in the financial close, disclosure drafting, or estimate preparation, the documentation gap is real today. Finrep's 2026 compliance map for AI in financial reporting covers the regulatory vacuum in detail. The practical steps to take now:
- Document every AI tool used in the close process: name, version, purpose, and the human review step that validates the output.
- Retain the inputs and outputs of AI-assisted calculations or disclosures as part of your audit support file.
- Brief your auditor on AI tool use before fieldwork begins. Auditors are increasingly required to understand the technology environment they're auditing, and surprises create deficiencies.
- Map AI use to specific financial statement line items or disclosures so the auditor can assess the risk of material misstatement at the assertion level.
No PCAOB standard currently governs this directly, but the research project signals that inspection teams will start asking questions. Being unprepared when they do creates both audit friction and potential comment letter exposure.
QC 1000 and What It Means for the Audits You Receive
QC 1000, the PCAOB's new quality control standard, took effect December 15, 2025. It requires registered firms to implement a comprehensive system of quality management covering governance, risk assessment, and monitoring. The PCAOB has already issued a supplemental request for comment on targeted improvements to QC 1000, based on early implementation experience, per the May 5, 2026 update.
For preparers, QC 1000 matters because it directly affects the consistency and reliability of the audit work you receive. Firms that struggled to remediate quality control deficiencies under the prior framework (as BDO USA and RSM US demonstrably did) now face a more rigorous, documented QC requirement. Audit committees should ask their auditor how QC 1000 implementation has changed engagement-level quality procedures, particularly for risk assessment and ICFR testing.
The International Dimension: U.S. Multinationals and Component Auditors
The PCAOB's 2026 inspection reports published through July cover at least six jurisdictions outside the United States: Brazil (Deloitte), Australia (PwC), Denmark (PwC), Philippines (Navarro Amper), Hong Kong (KPMG), and Mexico (Mancera), per the June 10, 2026 release.
For U.S. multinationals that rely on component auditors in these jurisdictions, this matters directly. A deficiency finding in a component auditor's inspection report affects the reliability of the work that feeds into your consolidated audit. Group engagement teams are required under AS 2101 to supervise and review component auditor work, but the quality of that work still depends on the component firm's own procedures. Review the inspection reports for your key component auditors, not just your primary engagement firm.
The MANCERA, S.C. (Mexico) report update on June 10, 2026, based on an SEC determination under SEC Rule 140, also illustrates that cross-regulator coordination on non-U.S. firm inspections is active. The SEC and PCAOB are aligned on international audit quality in ways that create compounding compliance implications, a theme Finrep covers in the context of the SEC's FY 2026-2030 strategic plan.
What Your Audit Committee Should Do Now
PwC's comment letter to the PCAOB argued that the Board "should pursue deeper engagement with audit committees and related organizations, given their shared oversight responsibilities with the PCAOB, their fiduciary duty to investors, and their ability to interact directly with firms to monitor audit quality." That's a call to action for audit committees, not just for regulators.
A practical pre-engagement and ongoing oversight checklist:
- Pull your auditor's most recent inspection report and the Part I.A deficiency dataset. Review deficiency categories and rates against peer firms.
- Ask whether Part II has ever been made public for your auditor under PCAOB Rule 4009(d). If yes, request a written explanation of what was found and how it was resolved.
- Request a briefing on QC 1000 implementation at your auditor's firm, specifically how it changes engagement-level risk assessment and ICFR procedures.
- Discuss AI tool use on both sides: what AI tools is the auditor using, and what documentation exists for AI tools your finance team uses in the close?
- Map PCAOB deficiency categories to your own risk areas. If your auditor's inspection reports flag revenue recognition deficiencies, your audit committee should be asking management about the depth of ASC 606 documentation before fieldwork begins.
- Consider engaging with the Inspections Modernization Council process. The Council explicitly sought financial executives at public companies. The application window has closed, but the Council's work will produce public recommendations, and preparers can engage through the PCAOB's stakeholder liaison channel.
FAQ
What is the difference between Part I and Part II of a PCAOB inspection report? Part I (public) covers specific audit deficiencies found in selected engagements. Part II covers criticisms of the firm's quality control system and is initially non-public. Under PCAOB Rule 4009(d), Part II becomes public if the firm fails to remediate quality control issues within 12 months of the report date.
What does it mean if my auditor has an expanded inspection report? An expanded report means the firm did not resolve its quality control deficiencies to the PCAOB's satisfaction within the required 12-month window. BDO USA and RSM US both had expanded reports published in 2026. Your audit committee should request a direct briefing on what the deficiencies were and how QC 1000 implementation addresses them.
How do PCAOB inspection findings connect to SEC comment letters? The SEC's comment letter staff focuses on the same high-risk areas that PCAOB inspectors flag. A pattern of revenue recognition or going-concern deficiencies in a sector's inspection reports reliably precedes SEC comment letter scrutiny of those disclosures in that sector's 10-Ks. Treat PCAOB findings as an early warning system for your own disclosure review.
Does the PCAOB inspect my company directly? No. The PCAOB inspects registered public accounting firms, not the companies they audit. But the deficiencies inspectors find almost always reflect preparer-side documentation or accounting gaps. The inspection program affects you indirectly but materially.
How often is my auditor inspected? Firms auditing more than 100 public company clients are inspected annually under Sarbanes-Oxley Act Section 104. Firms auditing 100 or fewer are inspected every three years. If your auditor is triennially inspected, there may be a multi-year gap since the last quality check.
What should I document if my team uses AI in the financial close? Document the tool name and version, its specific use in the close process, the inputs provided, the outputs generated, and the human review step that validated the output. Retain this as part of your audit support file. The PCAOB's active research project on technology use by preparers signals that inspection teams will start asking these questions.







