Key Points
- Any audit firm that issues or plays a substantial role in an audit report for a US-listed company must register with the PCAOB, regardless of where the firm is based.
- The PCAOB's March 2025 staff update reported a 52% deficiency rate at annually inspected non-affiliated firms in 2024.
- European firms acting as component auditors on US-listed group audits often trigger PCAOB registration obligations that mid-tier firms underestimate.
- PCAOB inspections follow a different methodology from AFM or FRC reviews, and inspection reports become public.
What is PCAOB (Public Company Accounting Oversight Board)?
Congress created the PCAOB through the Sarbanes-Oxley Act of 2002 after the Enron and WorldCom failures exposed gaps in self-regulation of the US audit profession. The Board operates under SEC oversight. It registers audit firms, sets auditing standards (AS series), inspects registered firms, and enforces compliance through disciplinary proceedings.
Registration is mandatory for any firm that issues an audit report for an issuer (a company registered with the SEC) or plays a substantial role in such an audit. Sarbanes-Oxley section 102(a) defines the trigger. For European firms, this means a Dutch or German practice auditing a subsidiary whose results feed into a US-listed parent's consolidated financial statements may need to register if the work constitutes a "substantial role" under PCAOB Rule 2100. The threshold: performing more than 20% of total audit hours or auditing assets or revenues exceeding 20% of consolidated totals.
The PCAOB inspects firms auditing more than 100 issuers annually; all other registered firms face inspection at least every three years. Part I findings (engagement-level deficiencies) are public immediately. Part II findings (quality control criticisms) stay non-public for twelve months under section 104(g)(2); if the firm fails to remediate, the Board publishes them.
Worked example: Schäfer Elektrotechnik AG
Client: German electronics manufacturer, FY2025, revenue €310M, IFRS reporter. Schäfer is a wholly owned subsidiary of TechCorp Inc., a company listed on NASDAQ. The group engagement team at a US Big Four firm instructs Schäfer's local auditor, Weiss & Partner WPG (a 25-person firm based in Frankfurt), to perform audit procedures on Schäfer's revenue (€310M) and inventory (€47M).
Step 1 — Assess the registration obligation
Schäfer's revenue represents 28% of TechCorp's consolidated revenue of €1.1B. Weiss & Partner's planned audit hours on the Schäfer component represent 24% of total group audit hours. Both thresholds exceed the 20% "substantial role" test under PCAOB Rule 2100. The firm must register with the PCAOB before accepting the instruction.
Step 2 — Adapt audit procedures to PCAOB standards
Weiss & Partner ordinarily audits under ISA (as adopted in Germany). For the PCAOB-registered component work, the firm must follow PCAOB auditing standards (AS series). Key differences affect the engagement. AS 2810 requires the auditor to evaluate audit results in the context of the financial statements taken as a whole. AS 2401 on fraud places a stronger emphasis on journal entry testing than ISA 240. The firm designs additional procedures: a complete journal entry population test on Schäfer's revenue account and expanded inventory observation at two warehouse locations instead of one.
Step 3 — Prepare for PCAOB inspection
Because Weiss & Partner audits fewer than 100 issuers, the firm falls into the triennial inspection cycle. The PCAOB inspected the firm in 2023. The inspection report identified one Part I deficiency: insufficient testing of revenue recognition cut-off at year-end. No Part II findings were published. For the FY2025 engagement, the firm addresses the prior deficiency by extending cut-off testing from three days to ten days around the reporting date and documenting the rationale for the extended window.
Conclusion: the file is defensible because it traces from the "substantial role" assessment through adapted PCAOB procedures to documented remediation of the prior inspection finding.
Why it matters in practice
The PCAOB's March 2025 staff update on 2024 inspection activities reported that non-affiliated firms inspected triennially had a 61% aggregate Part I deficiency rate, down from 67% in 2023. The most frequent deficiencies at smaller firms related to audit evidence for revenue and accounting estimates. European firms new to PCAOB registration often underestimate the documentation expectations, which differ from ISA practice in specificity and volume.
Mid-tier European firms acting as component auditors frequently miss the "substantial role" registration trigger. The 20% threshold under PCAOB Rule 2100 applies to both hours and financial magnitude. Firms that track only hours may overlook that the subsidiary's revenue or assets independently exceed 20% of consolidated totals, resulting in unregistered firms performing PCAOB-scope work. This is a compliance violation that the group engagement team's own quality management system should catch during the component auditor evaluation under ISA 600.
PCAOB inspection vs. AFM inspection
| Dimension | PCAOB inspection | AFM inspection |
|---|---|---|
| Jurisdiction | Any firm registered with the PCAOB (global reach) | Dutch-licensed audit firms (Wta-regulated) |
| Legal basis | Sarbanes-Oxley Act sections 104–105 | Wta articles 15–16; EU Regulation 537/2014 |
| Inspection frequency | Annual (firms auditing 100+ issuers) or triennial (all others) | Every 3 years (PIE firms) or 6 years (non-PIE firms) |
| Report publication | Part I public immediately; Part II public after 12 months if unremediated | Thematic reports published without firm names; enforcement decisions published with names |
| Standards applied | PCAOB auditing standards (AS series) | ISA as adopted in the Netherlands (NV COS) |
The distinction matters for European firms registered with both regulators. A firm may pass an AFM inspection under ISA-based standards while simultaneously carrying a PCAOB Part I deficiency on the same engagement if the PCAOB-specific requirements (such as the integrated audit of internal controls under AS 2201) were not met. Dual-registered firms must maintain separate quality responses for each regulatory regime.
Related terms
Frequently asked questions
Does a European audit firm need to register with the PCAOB if it only audits a subsidiary of a US-listed company?
Yes, if the firm plays a "substantial role" in the audit of an issuer. PCAOB Rule 2100 defines this as performing more than 20% of total audit hours or auditing components whose assets or revenues exceed 20% of consolidated totals. Registration must be in place before the firm begins the work.
What happens if a PCAOB inspection finds deficiencies in a non-US firm?
The process mirrors US firm inspections. Part I deficiencies (engagement-level findings) are published with the inspection report. Part II findings (firm-level quality control criticisms) remain non-public for twelve months under Sarbanes-Oxley section 104(g)(2). If the firm does not remediate to the Board's satisfaction within that period, the Part II findings are made public. The PCAOB can also initiate enforcement proceedings, including fines and revocation of registration.
How do PCAOB auditing standards differ from ISA?
PCAOB standards (AS series) and ISA share a common ancestry but have diverged. AS 2201 requires an integrated audit of internal controls over financial reporting for large accelerated filers, which ISA does not. AS 2401 on fraud contains more prescriptive journal entry testing requirements than ISA 240. AS 1301 on audit committee communications requires specific two-way discussions beyond ISA 260. Registered firms must apply PCAOB standards (not ISA) for US issuer audit work.