PCAOB Inspection Findings: Most Common Deficiencies and How to Avoid Them

2024 deficiency rates by firm type

The PCAOB’s 2024 Spotlight broke the results down by firm category, and the differences are significant.

The PCAOB attributed some of the improvement at larger firms to specific operational changes: more in-person fieldwork (reversing pandemic-era remote audit patterns), more focused training on recurring deficiency areas, increased resources devoted to audit quality, and better supervision and review practices. These aren’t abstract recommendations. The PCAOB Spotlight specifically called them out as observable factors that correlated with lower deficiency rates.

What makes the 2024 data useful beyond headline percentages is the consistency of deficiency areas across firm types. Revenue, ICFR, reliance on data, and supervision appear in virtually every firm’s inspection report. The deficiency areas don’t change because the underlying audit challenges don’t change. The fix is procedural, not conceptual.

Revenue: the deficiency that never goes away

Revenue and related accounts was the most frequently identified Part I.A deficiency area across the Big Four, the GNFs, and most non-affiliated firms in 2024. It has held this position in every PCAOB Spotlight since at least 2020. The specific deficiency descriptions cluster around two themes: testing controls over revenue recognition (particularly IT-dependent controls), and substantive testing of revenue in arrangements with multiple performance obligations.

For PwC’s 2024 inspection, revenue deficiencies related primarily to substantive testing of revenue, including arrangements with multiple performance obligations (PCAOB Release No. 104-2025-040). For EY, deficiencies covered both substantive testing and testing controls over revenue, including controls over information technology systems (PCAOB Release No. 104-2025-037). The pattern across firms is the same: complex revenue arrangements expose gaps in both the design and operating effectiveness testing of controls, and in the sufficiency of substantive procedures.

Revenue recognition under ASC 606 requires identifying distinct performance obligations, allocating the transaction price, and determining the timing of recognition. When the issuer uses automated systems to perform these steps, the auditor needs to test both the logic within the system (the IT application controls) and the manual controls around inputs and exceptions. The PCAOB finds deficiencies when auditors test the manual controls but fail to test the automated ones, or test the automated controls but fail to verify the completeness and accuracy of the data flowing through them.

ICFR testing: where most deficiencies actually originate

The PCAOB’s 2024 Spotlight reported that deficiencies in auditing ICFR remain pervasive across all firm types. The most common issues relate to AS 2201 and fall into four categories.

Identifying controls to test

Auditors select controls for testing, but the selected controls don’t address the relevant assertion or the identified risk of material misstatement. If management’s control over revenue completeness is a system-generated reconciliation between the order management system and the general ledger, but you test a manual review of recorded revenue for unusual items instead, you haven’t tested the completeness assertion. The control you tested doesn’t address the risk.

Testing the design and implementation of controls

AS 2201.42 requires evaluating whether the control is suitably designed to prevent or detect material misstatements. The PCAOB finds deficiencies when auditors describe the control in the working paper but don’t evaluate whether it would actually work. A control that says “management reviews the accounts receivable aging monthly” is only effective if the review has defined criteria, exception handling, and documentation of actions taken. Without those elements, the design isn’t sufficient, and your testing of operating effectiveness is moot.

Testing operating effectiveness

The most frequent deficiency here is insufficient sample sizes or inappropriate testing approaches. AS 2201.46 allows a range of approaches (inquiry combined with observation, reperformance, inspection of documentation), but inquiry alone is never sufficient for operating effectiveness. The PCAOB continues to find engagements where the auditor described the control, asked management how it operates, and concluded it was effective. That isn’t a test.

Evaluating identified deficiencies

When testing reveals a control deviation, AS 2201.62 requires you to evaluate the severity of the deficiency. The PCAOB finds auditors who identify deviations but don’t evaluate whether those deviations, individually or in combination with others, constitute a material weakness. A single deviation in a control operating quarterly (four opportunities per year) may be significant. The evaluation is the work; finding the deviation is just the start.

Reliance on data and reports: the AS 1105 problem

The PCAOB highlighted reliance on company-produced data as a recurring deficiency area for 2022 through 2024. AS 1105.10 states that when using information produced by the company as audit evidence, the auditor should evaluate whether the information is sufficient and appropriate for the auditor’s purposes by testing the accuracy and completeness of the information.

In practice, this means every time you use a system-generated report as the population for your testing (an aging report, a revenue by customer report, an inventory listing), you need evidence that the report is complete and accurate. The PCAOB finds deficiencies when auditors rely on a report without testing it. Agreeing the report total to the general ledger tests accuracy at one level, but it doesn’t test completeness (items could be excluded from the report but included in the GL), and it doesn’t test accuracy at the detail level (individual records could contain errors that net out).

This deficiency is especially common at smaller firms where the issuer’s IT environment is less mature. A client using an off-the-shelf accounting package with limited reporting capabilities may produce manual Excel exports that the auditor uses as the basis for substantive testing. The completeness and accuracy of that export needs testing just as much as a formal ERP report.

Supervision and review: the quality control dimension

The 2024 Spotlight also flagged supervision and review as a recurring quality control observation. Under QC 20 (which applies until QC 1000 takes effect for inspections of periods ending on or after 15 December 2025), the engagement partner must supervise the engagement team and review the work performed. The PCAOB observes deficiencies when: the partner signs off on working papers without evidence of substantive review; review notes remain unresolved at the date the auditor’s report is released; or the engagement quality reviewer doesn’t evaluate the significant judgements made by the engagement team.

For non-Big Four firms, the supervision finding often connects directly to the substantive deficiency. An insufficient revenue test or an untested data report might have been caught by a reviewer who knew what to look for. The PCAOB’s message, stated repeatedly across Spotlight publications, is that many Part I.A deficiencies are preventable through better real-time supervision rather than after-the-fact review.

Worked example: avoiding the most common findings at Columbia Precision Inc.

Client scenario: Columbia Precision Inc. is a U.S.-based manufacturer of medical device components. Annual revenue: $85 million. The company sells through a combination of long-term supply agreements with performance obligations for component manufacturing and separate installation services, and spot purchase orders. The company uses SAP Business One to process orders and recognise revenue. December 31 fiscal year. Your firm is a non-affiliated firm performing an integrated audit.

1. Revenue recognition testing (addressing the AS 2501 pattern)

Columbia has 42 long-term supply agreements, 28 of which include both manufacturing and installation performance obligations. Management allocates the transaction price using estimated SSP based on adjusted market assessment. Pull the SSP analysis for a sample of contracts. Don’t just verify the math on the allocation. Evaluate whether the SSP for the installation component is reasonable by comparing it to standalone installation pricing charged to other customers. If Columbia doesn’t sell installation services separately, test the expected-cost-plus-margin calculation by verifying the cost inputs against actual cost data and the margin assumption against industry data.

2. ICFR testing for revenue controls (addressing the AS 2201 pattern)

Columbia’s key revenue control is an automated three-way match in SAP Business One: purchase order, delivery confirmation, and invoice. The system blocks invoicing if the delivery confirmation is missing. Test the design by confirming the system configuration prevents override. Test operating effectiveness by selecting a sample of transactions and verifying the three-way match occurred before the invoice was generated. Don’t stop at the automated control. Test the compensating manual control for exceptions (orders processed outside the system, manual revenue journal entries). If the IT general controls over SAP Business One aren’t effective, you can’t rely on the automated control, and your substantive revenue procedures need to expand.

3. Data reliability for the revenue detail report (addressing AS 1105)

You plan to select revenue transactions from a SAP-generated revenue detail report. Before selecting your sample, test the report. Agree the report total to the general ledger revenue account. Then select a sample of shipping documents from the warehouse log (an independent source) and trace them to the revenue detail report to test completeness. This second step confirms that shipped items appear in the report. Without it, you’ve only tested the accuracy of what’s on the report, not whether the report includes everything.

4. Supervision and review

Before the engagement quality review begins, the engagement partner reviews all revenue working papers and the ICFR testing for key controls. The review isn’t just a sign-off. Confirm the partner evaluated whether the SSP testing addressed the allocation risk, whether the ICFR testing covered the right assertions, and whether the data reliability work was performed before the substantive sample was selected. Document the review with specific comments, not just initials and dates.

The Part I.B findings: what else inspectors flag

Beyond the Part I.A deficiencies (insufficient evidence to support the opinion), the PCAOB’s 2024 Spotlight noted that the most common Part I.B deficiencies related to audit committee communications and consideration of fraud.

For audit committee communications, the deficiency is typically a failure to communicate required matters under AS 1301. Auditors communicate the overall audit strategy and timing but miss specific requirements like communicating critical accounting policies, significant unusual transactions, or disagreements with management.

For fraud, the finding relates to AS 2401 and typically involves insufficient procedures around journal entry testing or an inadequate assessment of fraud risk factors. The journal entry testing gap is particularly common at smaller firms: the auditor selects journal entries for testing but doesn’t design the selection criteria to target entries with fraud risk characteristics (entries posted near period end, entries posted by unusual personnel, entries to infrequently used accounts).

Practical checklist for your current engagement

1. Test SSP allocations substantively. For every revenue arrangement with multiple performance obligations, test the standalone selling price allocation method and key assumptions, not just the total contract amount. Reference AS 2501 in your conclusion.
2. Confirm control-to-assertion mapping. For each key ICFR control selected for testing, confirm the control addresses the relevant assertion and the identified risk of material misstatement. If it doesn’t, select a different control or add procedures. Reference AS 2201.42.
3. Create data reliability working papers. For every system-generated report used as a testing population, create a separate data reliability working paper documenting the completeness and accuracy testing performed per AS 1105.10. Complete this work before selecting your substantive sample.
4. Design fraud-targeted journal entry tests. Ensure journal entry testing criteria include at least two fraud risk indicators (period-end timing, unusual preparer, infrequently used accounts, round-dollar amounts). Reference AS 2401.
5. Partner review before EQR. Before the engagement quality review, have the engagement partner perform a substantive review of all working papers in the areas most frequently cited in PCAOB inspections: revenue, ICFR key controls, credit losses (if applicable), and data reliability.
6. Complete audit committee communications. Verify that all required communications under AS 1301 have been completed, including critical accounting policies, management judgements, and uncorrected misstatements.

Common mistakes

• Testing ICFR operating effectiveness through inquiry alone. The PCAOB has cited this deficiency consistently from 2020 through 2024 across all firm types. AS 2201 requires corroboration through inspection, observation, or reperformance. Inquiry alone never suffices for operating effectiveness.
• Using a company-produced report without documenting data reliability. The PCAOB’s 2024 Spotlight specifically identified reliance on data and reports as a recurring deficiency area spanning the 2022 to 2024 inspection cycles. Every report used as a testing population needs a completeness and accuracy work paper.
• Identifying control deviations without evaluating severity. AS 2201.62 requires assessment of whether deviations constitute a significant deficiency or material weakness. The PCAOB finds that some auditors document the deviation but skip the evaluation entirely.

Related Ciferi content

Related guides:

Put audit concepts into practice with these free tools:

Frequently asked questions

Further reading and source references

• PCAOB Spotlight: Staff Update on 2024 Inspection Results (March 2025): the aggregate deficiency rates and deficiency area analysis referenced throughout this guide.
• AS 2201, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements: the standard governing ICFR testing requirements.
• AS 1105, Audit Evidence: the data reliability requirement for company-produced reports and information.
• AS 2501, Auditing Accounting Estimates: applicable to SSP allocation testing and other management estimates.
• AS 2401, Consideration of Fraud in a Financial Statement Audit: the standard governing journal entry testing and fraud risk procedures.