PCAOB Inspection Findings: Most Common Deficiencies and How to Avoid Them

2024 deficiency rates by firm type

The PCAOB’s 2024 Spotlight broke the results down by firm category, and the differences are significant. The Big Four U.S. firms (Deloitte, EY, KPMG, PwC) had a combined deficiency rate of 20%. Among the six U.S. Global Network Firms (which add BDO and Grant Thornton), the aggregate rate was 26%. Deloitte had the lowest rate at 14%, followed by PwC at 16%. BDO, despite a large improvement from 86% in 2023, still sat at 60%. Grant Thornton came in at 48%.

Non-affiliated firms inspected annually held at 52%, while triennially inspected non-affiliated firms dropped from 67% to 61%. For the non-Big Four firms that ciferi’s audience works alongside or within, the message is plain. Inspectors find deficiencies in more than half the engagements they review.

The PCAOB attributed some of the improvement at larger firms to specific operational changes. More in-person fieldwork (reversing pandemic-era remote audit patterns), more focused training on recurring deficiency areas, increased resources devoted to audit quality, and better supervision and review practices. These aren’t abstract recommendations. The PCAOB Spotlight specifically called them out as observable factors that correlated with lower deficiency rates.

What makes the 2024 data useful beyond headline percentages is the consistency of deficiency areas across firm types. Revenue, ICFR, reliance on data, and supervision appear in virtually every firm’s inspection report, from PwC to Baker Tilly to Moss Adams. The deficiency areas don’t change because the underlying audit challenges don’t change. The fix is procedural, not conceptual.

Revenue: the deficiency that never goes away

Revenue and related accounts was the most frequently identified Part I.A deficiency area across the Big Four and the non-affiliated firms alike in 2024. It has held this position in every PCAOB Spotlight since at least 2020. The specific deficiency descriptions across firm reports cluster around two themes. Testing controls over revenue recognition (particularly IT-dependent controls), and substantive testing of revenue in arrangements with multiple performance obligations.

For PwC’s 2024 inspection, revenue deficiencies related primarily to substantive testing of revenue, including arrangements with multiple performance obligations (PCAOB Release No. 104-2025-040). For EY, deficiencies covered both substantive testing and testing controls over revenue, including controls over information technology systems (PCAOB Release No. 104-2025-037). The pattern across firms is the same. Complex revenue arrangements expose gaps in the design and operating effectiveness testing of controls and in the sufficiency of substantive procedures.

The root cause isn’t a mystery. Revenue recognition under ASC 606 requires identifying distinct performance obligations and allocating the transaction price, then determining the timing of recognition. When the issuer uses automated systems to perform these steps, the auditor needs to test both the logic within the system (the IT application controls) and the manual controls around inputs and exceptions. The PCAOB finds deficiencies when auditors test the manual controls but fail to test the automated ones, or test the automated controls but fail to verify the completeness and accuracy of the data flowing through them.

For firms with multi-element arrangements, the common gap is around the standalone selling price (SSP) allocation. AS 2501 (Auditing Accounting Estimates) requires you to evaluate the reasonableness of the method and the significant assumptions management used. If management estimated SSP using expected-cost-plus-margin but the auditor only checked whether the total contract revenue matched the signed agreement, the allocation hasn’t been tested. In our experience, teams stop at contract total because the SSP analysis is buried in a spreadsheet nobody wants to open. Nobody enjoys SSP work, but skipping it is how files get flagged.

ICFR testing: where most deficiencies actually originate

The PCAOB’s 2024 Spotlight reported that deficiencies in auditing ICFR remain pervasive across all firm types. The most common issues relate to AS 2201 (An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements) and fall into the four categories below.

Identifying controls to test

Auditors select controls for testing, but the selected controls don’t address the relevant assertion or the identified risk of material misstatement. If management’s control over revenue completeness is a system-generated reconciliation between the order management system and the general ledger, but you test a manual review of recorded revenue for unusual items instead, you haven’t tested the completeness assertion. The control you tested doesn’t address the risk.

Testing the design and implementation of controls

AS 2201.42 requires evaluating whether the control is suitably designed to prevent or detect material misstatements. The PCAOB finds deficiencies when auditors describe the control in the WP but don’t evaluate whether it would work. A control that says “management reviews the accounts receivable aging monthly” is only effective if the review has defined criteria and exception handling, with documentation of actions taken. Without those elements, the design isn’t sufficient, and your testing of operating effectiveness is moot.

Testing operating effectiveness

The most frequent deficiency here is insufficient sample sizes or inappropriate testing approaches. AS 2201.46 allows a range of approaches (inquiry combined with observation, reperformance, inspection of documentation), but inquiry alone is never sufficient for operating effectiveness. The PCAOB continues to find engagements where the auditor described the control and asked management how it operates, then concluded it was effective. That isn’t a test. That is a tick box exercise that looks like a test.

Evaluating identified deficiencies

When testing reveals a control deviation, AS 2201.62 requires you to evaluate the severity of the deficiency. The PCAOB finds auditors who identify deviations but don’t evaluate whether those deviations, individually or in combination with others, constitute a material weakness. A single deviation in a control operating quarterly (four opportunities per year) may be significant. The evaluation is the work. Finding the deviation is just the start.

Reliance on data and reports: the AS 1105 problem

The PCAOB highlighted reliance on company-produced data as a recurring deficiency area for 2022 through 2024. AS 1105.10 states that when using information produced by the company as audit evidence, the auditor should evaluate whether the information is sufficient and appropriate for the auditor’s purposes by testing the accuracy and completeness of the information.

In practice, this means every time you use a system-generated report as the population for your testing (an aging report, a revenue by customer report, an inventory listing), you need evidence that the report is complete and accurate. The PCAOB finds deficiencies when auditors rely on a report without testing it. Agreeing the report total to the general ledger tests accuracy at one level, but it doesn’t test completeness (items could be excluded from the report but included in the GL), and it doesn’t test accuracy at the detail level (individual records could contain errors that net out). Everyone does this. The inspectors know everyone does this. That is why the finding keeps repeating.

The fix is straightforward but requires discipline. For any system report you rely on, document what you did to test its completeness and accuracy. If you used the aged TB as your confirmation population, how did you verify that every customer with a balance appeared on the report? If you used a revenue detail report to select transactions for testing, how did you confirm the report included all transactions posted in the period?

This deficiency is especially common at smaller firms where the issuer’s IT environment is less mature. A client using an off-the-shelf accounting package with limited reporting capabilities may produce manual Excel exports that the auditor uses as the basis for substantive testing. The completeness and accuracy of that export needs testing just as much as a formal ERP report.

Supervision and review: the quality control dimension

The 2024 Spotlight also flagged supervision and review as a recurring quality control observation. Under QC 20 (which applies until QC 1000 takes effect for inspections of periods ending on or after 15 December 2025), the EP must supervise the engagement team and review the work performed. The PCAOB observes deficiencies when the EP signs off on WPs without evidence of substantive review, when RNs remain unresolved at the date the auditor’s report is released, or when the engagement quality reviewer doesn’t evaluate the significant judgements made by the engagement team.

For non-Big Four firms, the supervision finding often connects directly to the substantive deficiency. An insufficient revenue test or an untested data report might have been caught by a reviewer who knew what to look for. The PCAOB’s message, stated repeatedly across Spotlight publications, is that many Part I.A deficiencies are preventable through better real-time supervision rather than after-the-fact review.

Worked example: avoiding the most common findings at Columbia Precision Inc.

Client scenario: Columbia Precision Inc. is a U.S.-based manufacturer of medical device components. Annual revenue: $85 million. The client sells through a combination of long-term supply agreements with performance obligations for component manufacturing and separate installation services, and spot purchase orders. The client uses an ERP system (SAP Business One) to process orders and recognise revenue. It has a December 31 fiscal year. Your firm is a non-affiliated firm performing an integrated audit.

1. Revenue recognition testing (addressing the AS 2501 deficiency pattern)

Columbia has 42 long-term supply agreements, 28 of which include both manufacturing and installation performance obligations. Management allocates the transaction price using estimated SSP based on adjusted market assessment. Pull the SSP analysis for a sample of contracts. Don’t just verify the math on the allocation. Evaluate whether the SSP for the installation component is reasonable by comparing it to standalone installation pricing charged to other customers. If Columbia doesn’t sell installation services separately, test the expected-cost-plus-margin calculation by verifying the cost inputs against actual cost data and the margin assumption against industry data.

Documentation note: Record the SSP testing in a separate WP referenced from the revenue lead sheet. State the method management used and the assumptions you tested, along with your conclusion on reasonableness per AS 2501.

2. ICFR testing for revenue controls (addressing the AS 2201 deficiency pattern)

Columbia’s key revenue control is an automated three-way match in SAP Business One. Purchase order, delivery confirmation, and invoice. The system blocks invoicing if the delivery confirmation is missing. Test the design by confirming the system configuration prevents override. Test operating effectiveness by selecting a sample of transactions and verifying the three-way match occurred before the invoice was generated. Don’t stop at the automated control. Test the compensating manual control for exceptions (orders processed outside the system, manual revenue journal entries). If the IT general controls over SAP Business One aren’t effective, you can’t rely on the automated control, and your substantive revenue procedures need to expand.

Documentation note: Map the control to the revenue completeness and occurrence assertions. State which IT general controls you relied on and reference the ITGC testing WP. Document the sample selection method and the results, including any deviations found.

3. Data reliability for the revenue detail report (addressing the AS 1105 deficiency)

You plan to select revenue transactions from a SAP-generated revenue detail report. Before selecting your sample, test the report. Agree the report total to the general ledger revenue account. Then select a sample of shipping documents from the warehouse log (an independent source) and trace them to the revenue detail report to test completeness. This second step confirms that shipped items appear in the report. Without it, you’ve only tested the accuracy of what’s on the report, not whether the report includes everything.

Documentation note: Create a separate data reliability WP. State the report used and the procedures performed, along with the results. Reference this WP from every substantive procedure that relies on the report. AS 1105.10 requires this.

4. Supervision and review

Before the engagement quality review begins, the EP reviews all revenue WPs and the ICFR testing for key controls. The review isn’t just a sign-off. Confirm the partner evaluated whether the SSP testing addressed the allocation risk and whether the ICFR testing covered the right assertions. Verify the data reliability work was performed before the substantive sample was selected. Document the review with specific comments, not just initials and dates.

Documentation note: The partner’s RNs should reference the specific audit areas reviewed and any questions raised. If questions were raised, document how they were resolved. This is what inspectors look for when evaluating AS 1201 (Supervision of the Audit Engagement).

A reviewer looking at this file sees procedures that directly address the four most common PCAOB deficiency categories. None of the individual procedures are unusual. The difference is that each one is documented and references the relevant PCAOB standard, and the data reliability and ICFR work are connected to the substantive procedures.

The Part I.B findings: what else inspectors flag

Beyond the Part I.A deficiencies (insufficient evidence to support the opinion), the PCAOB’s 2024 Spotlight noted that the most common Part I.B deficiencies related to audit committee communications and consideration of fraud. These are lower-severity findings but still appear in the inspection report.

For audit committee communications, the deficiency is typically a failure to communicate required matters under AS 1301. Auditors communicate the overall audit strategy and timing but miss specific requirements like communicating critical accounting policies, significant unusual transactions, or disagreements with management. For fraud, the finding relates to AS 2401 and typically involves insufficient procedures around journal entry testing or an inadequate assessment of fraud risk factors. The journal entry testing gap is particularly common at smaller firms. The auditor selects journal entries for testing but doesn’t design the selection criteria to target entries with fraud risk characteristics (entries posted near period end, entries posted by unusual personnel, entries to infrequently used accounts).

Practical checklist for your current engagement

1. For every revenue arrangement with multiple performance obligations, test the standalone selling price allocation method and key assumptions, not just the total contract amount. Reference AS 2501 in your conclusion.
2. For each key ICFR control selected for testing, confirm the control addresses the relevant assertion and the identified risk of material misstatement. If it doesn’t, select a different control or add procedures. Reference AS 2201.42.
3. For every system-generated report used as a testing population, create a separate data reliability WP documenting the completeness and accuracy testing performed per AS 1105.10. Complete this work before selecting your substantive sample.
4. Ensure journal entry testing criteria include at least two fraud risk indicators (period-end timing, unusual preparer, infrequently used accounts, round-dollar amounts). Reference AS 2401.
5. Before the engagement quality review, have the EP perform a substantive review of all WPs in the areas most frequently cited in PCAOB inspections (revenue, ICFR key controls, credit losses if applicable, and data reliability).
6. Verify that all required audit committee communications under AS 1301 have been completed (critical accounting policies, management judgements, uncorrected misstatements, and significant unusual transactions).

Common mistakes

• Testing the operating effectiveness of ICFR controls through inquiry alone. The PCAOB has cited this deficiency consistently from 2020 through 2024 across all firm types. AS 2201 requires corroboration through inspection, observation, or reperformance. Inquiry alone never suffices for operating effectiveness.
• Using a company-produced report as the testing population without documenting the completeness and accuracy procedures. The PCAOB’s 2024 Spotlight specifically identified reliance on data and reports as a recurring deficiency area spanning the 2022 to 2024 inspection cycles.
• Identifying control deviations during ICFR testing but failing to evaluate their severity. AS 2201.62 requires assessment of whether deviations constitute a significant deficiency or material weakness. The PCAOB finds that some auditors document the deviation but skip the evaluation entirely.

Related content

• Audit sampling glossary entry. Covers the relationship between sample sizes and the level of assurance required under AS 2315.
• ISA 530 sampling calculator. Useful for computing sample sizes (PCAOB standards differ from ISA in key respects, but the statistical principles overlap).

Related ciferi content

Related guides:

Put audit concepts into practice with these free tools:

Frequently asked questions

Further reading and source references

• PCAOB Spotlight: Staff Update on 2024 Inspection Results (March 2025): the aggregate deficiency rates and deficiency area analysis referenced throughout this guide.
• AS 2201, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements: the standard governing ICFR testing requirements.
• AS 1105, Audit Evidence: the data reliability requirement for company-produced reports and information.
• AS 2501, Auditing Accounting Estimates: applicable to SSP allocation testing and other management estimates.
• AS 2401, Consideration of Fraud in a Financial Statement Audit: the standard governing journal entry testing and fraud risk procedures.