AI Analytics

Technical writing

One in four audits flagged: indexing PCAOB deficiency data across the Big 4

· 9 min read· AI Analytics
Regulatory dataPCAOBAudit qualitySECAccounting

The Public Company Accounting Oversight Board publishes structured inspection data for every registered audit firm. That data shows that in 2023, 26% of audits reviewed at US global network firms had Part I.A deficiencies — findings so severe that the auditor could not demonstrate they had obtained sufficient evidence to support the opinion they signed. More than one in four audits, at the four firms that sign off on nearly every S&P 500 filing.

This post documents what PCAOB is, what the structured deficiency data contains, how the firm-by-firm breakdown looks for 2023, and where the data falls short for anyone trying to identify which specific issuers were affected.

What PCAOB does

The Public Company Accounting Oversight Board was created by the Sarbanes-Oxley Act of 2002 in direct response to the Enron and WorldCom accounting failures. Before Sarbanes-Oxley, public accounting firms were largely self-regulated through the profession's own peer-review process — auditors reviewed other auditors. Congress judged that system inadequate and created PCAOB as an independent oversight body with statutory inspection authority.

PCAOB inspects every registered audit firm. Large firms — those that audit more than 100 public company clients annually, which covers the Big 4 and most mid-tier firms — are inspected annually. Smaller firms are inspected triennially. The inspections are not limited to financial statement review: PCAOB can and does inspect the actual audit workpapers for specific engagements, reviewing the evidence the auditor gathered before signing the opinion. This is a materially different form of oversight from what the SEC exercises over issuers.

The inspection reports and what they contain

PCAOB publishes inspection reports for every registered firm. The reports are public and available at pcaobus.org. They contain two categories of deficiency findings, labeled Part I.A and Part I.B in the structured data:

Part I.A — insufficient audit evidence

A Part I.A deficiency means the auditor failed to obtain sufficient appropriate audit evidence to support the opinion they issued. This is the most severe finding PCAOB can make short of a formal disciplinary action. It means the auditor signed off — issued an unqualified opinion saying the financial statements are fairly presented — without an adequate evidentiary basis for that conclusion. The deficiency is not that the financial statements are wrong; it is that the auditor cannot demonstrate they did enough work to know.

Part I.B — standards noncompliance

A Part I.B deficiency means noncompliance with PCAOB auditing standards or SEC rules during the conduct of the audit. These are procedural violations: failure to obtain required confirmations, documentation deficiencies, inadequate supervision of engagement staff, failures in quality control. Part I.B findings are less severe than Part I.A because they do not necessarily mean the auditor lacked a basis for the opinion — the opinion may still be supportable — but a material procedural failure occurred.

The structured data files

PCAOB makes structured inspection data available at pcaobus.org/oversight/inspections/firm-inspection-reports. Three files are published in CSV, XML, and JSON:

  • Firm Data and Audits Selected for Review. Contains the inspection year, the firm name, the number of issuer clients, the number of audits selected for inspection, and aggregate counts for each deficiency category. Annual firms have coverage from 2021; triennial firms from 2019.
  • Part I.A Deficiency Dataset. One row per deficiency finding, with the inspection year, firm identifier, a deficiency code, the audit area affected (revenue recognition, goodwill, CECL, etc.), and an issuer reference key. The issuer reference key is a deliberate anonymization: PCAOB assigns an opaque identifier to the audited company rather than naming it. The key is consistent within a firm-year, so multiple Part I.A findings in the same audit share a key, but the key does not directly identify the issuer.
  • Part I.B Dataset. Same structure as Part I.A, with the specific PCAOB standard or SEC rule violated identified by section and paragraph.

The 26% number

PCAOB's 2023 inspection results for US global network firms — the Big 4 and their affiliates — showed Part I.A deficiencies in 26% of audits selected for review. That number had been 40% in 2022, a rate PCAOB described as unacceptably high and a significant driver of new enforcement activity. The 2023 improvement to 26% was real but still historically elevated. Prior to 2020, Part I.A rates at Big 4 firms typically ran in the low double digits.

It is important to understand what the denominator is. PCAOB does not inspect every audit a firm conducts — it selects a sample, weighted toward higher-risk engagements. A 26% deficiency rate in the inspected sample is not a claim that 26% of all Big 4 audits have deficiencies. The inspected sample is adversarially selected. But that is exactly the point: among the audits PCAOB chose as higher-risk, more than one in four had findings severe enough to constitute a Part I.A deficiency.

Firm-by-firm breakdown for 2023

PCAOB publishes per-firm Part I.A deficiency rates in individual inspection reports. For 2023, the rates at the four largest US firms were:

  • KPMG: 36% of audits reviewed had Part I.A deficiencies.
  • Ernst & Young: 28%
  • PricewaterhouseCoopers: 24%
  • Deloitte: 13%

These figures come directly from PCAOB inspection reports published at pcaobus.org/oversight/inspections. The variation across firms is large and consistent year over year, suggesting genuine differences in quality control systems rather than sampling noise. Deloitte has had the lowest Part I.A rate among the Big 4 for several consecutive inspection cycles; KPMG has been persistently highest.

The deanonymization problem

PCAOB explicitly anonymizes the issuer reference key in the Part I.A dataset. But the anonymization is not absolute. SEC EDGAR records the auditor for every public company filing: the auditor name appears in the audit report included in every 10-K. Cross- referencing EDGAR's auditor field against PCAOB's inspection sample size creates a candidate pool.

The Part I.A deficiency descriptions, while not naming the issuer, typically specify the industry classification and an approximate revenue range. The deficiency area (goodwill impairment, revenue recognition, CECL) further narrows the field. For large, unusual deficiency findings — the cases where PCAOB's description is specific enough to be distinctive — the intersection of auditor, year, industry, revenue range, and deficiency type can narrow to a very small number of issuers. This is not reliable enough for automated attribution, but it is worth understanding as a limitation of the privacy model.

What the deficiencies cover

The most common Part I.A deficiency areas across recent PCAOB inspection cycles, as reported in PCAOB annual inspection reports, are:

  • Revenue recognition (ASC 606). Post-606 revenue recognition involves more management judgment than prior standards. Auditors are expected to test the five-step model, assess variable consideration estimates, and evaluate whether performance obligations are appropriately identified. PCAOB has flagged inadequate testing of management's estimates as a persistent failure.
  • Goodwill impairment testing. Goodwill impairment requires discounted cash flow analysis of reporting units. Deficiencies typically involve inadequate testing of the assumptions underlying management's DCF model — growth rates, discount rates, terminal values — or failure to independently assess the reasonableness of those assumptions.
  • Expected credit loss (CECL implementation). CECL's forward-looking loss estimation model requires auditors to evaluate complex statistical models. Deficiencies here reflect the difficulty of auditing model-derived estimates and the relative newness of the standard for many institutions.
  • Lease accounting (ASC 842). The lease standard moved most operating leases onto balance sheets. Deficiencies involve inadequate testing of lease classification, discount rate determination, and completeness of the lease population.
  • Going concern assessment. Auditors are required to evaluate whether there is substantial doubt about an entity's ability to continue as a going concern. PCAOB has found cases where auditors failed to adequately assess this even for distressed issuers.

The specific PCAOB auditing standard violated in connection with each deficiency is included in the Part I.B dataset by section and paragraph, providing the precise regulatory citation for each finding.

Historical context

The argument that PCAOB inspection data is irrelevant because Big 4 firms are trustworthy is difficult to sustain historically. Wirecard — the German payments company that fabricated €1.9 billion in cash balances — was audited by EY Germany through its collapse in 2020. NMC Health, the UAE healthcare group that concealed $4 billion in undisclosed debt, was also audited by EY. Luckin Coffee, the Chinese coffee chain that fabricated RMB 2.2 billion in revenue, was audited by EY China. Three of the largest accounting frauds of the past decade share the same auditor.

PCAOB's international inspection program, which covers Big 4 affiliates in foreign jurisdictions, was blocked by China for years. Chinese regulatory authorities refused PCAOB access to the workpapers of Chinese-based audit firms, including Big 4 Chinese affiliates, on the grounds that the workpapers contained state secrets. The standoff was resolved in 2022 under the Holding Foreign Companies Accountable Act (HFCAA), which threatened delisting of Chinese issuers from US exchanges if PCAOB could not inspect their auditors. PCAOB gained inspection access in late 2022. The first inspections identified deficiencies consistent with what PCAOB had suspected during the years of blocked access.

Accessing the data

The PCAOB inspection dataset is available through the Federal Regulatory Data Hub at:

https://api.ai-analytics.org/datasets/pcaob-inspections

The endpoint exposes the structured Part I.A and Part I.B deficiency files alongside the firm-level aggregate data, with consistent field naming across inspection years. The issuer reference key is preserved as published by PCAOB — no deanonymization is attempted or provided. Firm-level deficiency rates are computed from the raw counts in the Firm Data file and included as a derived field for convenience.

# Firm-level deficiency rates, most recent inspection year
curl https://api.ai-analytics.org/datasets/pcaob-inspections/firms?year=2023

# Part I.A deficiency records for a specific firm
curl https://api.ai-analytics.org/datasets/pcaob-inspections/deficiencies?firm=KPMG&year=2023&type=partIa

# All Part I.B findings with standard citation
curl https://api.ai-analytics.org/datasets/pcaob-inspections/deficiencies?firm=EY&year=2023&type=partIb

For PCAOB disciplinary orders as a component of entity compliance screening — how audit firm sanctions feed into a 0–100 risk score across 30+ federal lists: Compliance screening across 30+ federal enforcement lists: how the risk score works →

For Open Payments and Part D data as companion datasets for healthcare industry regulatory research: CMS Open Payments and Part D: what the data covers and how to query it →