Key Points
- Any audit firm that issues or plays a substantial role in an audit report for a US-listed company must register with the PCAOB, regardless of where the firm is based.
- The PCAOB's March 2025 staff update reported a 52% deficiency rate at annually inspected non-affiliated firms in 2024.
- European firms acting as component auditors on US-listed group audits often trigger PCAOB registration obligations that mid-tier firms underestimate.
- PCAOB inspections follow a different methodology from AFM or FRC reviews, and inspection reports become public.
What is the PCAOB?
A 25-person firm in Frankfurt signs on as component auditor for a US-listed group. Six months later, an inspection letter arrives from Washington. The partner had never heard of PCAOB Rule 2100, and the firm isn't registered. That scenario plays out more often than you'd expect, and it's entirely avoidable.
Congress created the PCAOB through the Sarbanes-Oxley Act of 2002 after the Enron and WorldCom collapses exposed gaps in self-regulation of the US audit profession. The Board operates under SEC oversight. It registers audit firms, sets auditing standards (the AS series), inspects registered firms, and enforces compliance through disciplinary proceedings.
Registration is mandatory for any firm that issues an audit report for an issuer (a company registered with the SEC) or plays a substantial role in such an audit. Sarbanes-Oxley section 102(a) defines the trigger. For European firms, this means a Dutch or German practice auditing a subsidiary whose results feed into a US-listed parent's consolidated financial statements may need to register if the work constitutes a "substantial role" under PCAOB Rule 2100. The threshold is performing more than 20% of total audit hours, or auditing assets or revenues exceeding 20% of consolidated totals.
Firms auditing more than 100 issuers face annual PCAOB inspection. All other registered firms face inspection at least every three years. Part I findings (engagement-level deficiencies) are public immediately. Part II findings (quality control criticisms) stay non-public for twelve months under section 104(g)(2). If a firm fails to remediate, the Board publishes them.
Worked example: Schäfer Elektrotechnik AG
Client: German electronics manufacturer, FY2025, revenue €310M, IFRS reporter. Schäfer is a wholly owned subsidiary of TechCorp Inc., a company listed on NASDAQ. The group engagement team at a US Big Four firm instructs Schäfer's local auditor, Weiss & Partner WPG (a 25-person firm based in Frankfurt), to perform audit procedures on Schäfer's revenue (€310M) and inventory (€47M).
Step 1: assess the registration obligation
Schäfer's revenue represents 28% of TechCorp's consolidated revenue of €1.1B. Weiss & Partner's planned audit hours on the Schäfer component represent 24% of total group audit hours. Both thresholds exceed the 20% "substantial role" test under PCAOB Rule 2100. The firm must register with the PCAOB before accepting the instruction.
Step 2: adapt audit procedures to PCAOB standards
Weiss & Partner ordinarily audits under ISA (as adopted in Germany). For the PCAOB-registered component work, the firm must follow PCAOB auditing standards (the AS series). Key differences affect the engagement. AS 2810 requires the auditor to evaluate audit results in the context of the financial statements taken as a whole. AS 2401 on fraud places a stronger emphasis on journal entry testing than ISA 240 . You can't just keep ticking and bashing the same ISA work programme and expect it to pass a PCAOB review. The firm designs additional procedures: a complete journal entry population test on Schäfer's revenue account and expanded inventory observation at two warehouse locations instead of one. Each procedure is mapped to the specific AS requirement it addresses.
Step 3: prepare for PCAOB inspection
Because Weiss & Partner audits fewer than 100 issuers, it falls into the triennial inspection cycle. PCAOB inspectors visited the firm in 2023 and identified one Part I deficiency: insufficient testing of revenue recognition cut-off at year-end. No Part II findings were published. For the FY2025 engagement, the firm addresses that prior deficiency by extending cut-off testing from three days to ten days around the reporting date and documenting the rationale for the extended window.
A defensible file traces from the "substantial role" assessment through adapted PCAOB procedures to documented remediation of the prior inspection finding. That chain is what inspectors look for.
Why it matters in practice
In its March 2025 staff update on 2024 inspection activities, the PCAOB reported that non-affiliated firms inspected triennially had a 61% aggregate Part I deficiency rate, down from 67% in 2023. At smaller firms, the most frequent deficiencies related to audit evidence for revenue and accounting estimates. We've seen European firms new to PCAOB registration consistently underestimate the documentation expectations, which differ from ISA practice in both specificity and volume. Nobody looks forward to their first PCAOB inspection letter. The gap between what a firm considers a well-documented file under ISA and what a PCAOB inspector expects is wider than most partners anticipate.
Mid-tier European firms acting as component auditors frequently miss the "substantial role" registration trigger. The 20% threshold under PCAOB Rule 2100 applies to both hours and financial magnitude. Firms that track only hours may overlook that the subsidiary's revenue or assets independently exceed 20% of consolidated totals, resulting in unregistered firms performing PCAOB-scope work. In practice, the TGIF (thank God it's Friday) mentality of clearing sign-off deadlines can push registration checks to the bottom of the to-do list. This is a compliance violation that the group engagement team's own quality management system should catch during the component auditor evaluation under ISA 600 .
PCAOB inspection vs. AFM inspection
| Dimension | PCAOB inspection | AFM inspection |
|---|---|---|
| Jurisdiction | Any firm registered with the PCAOB (global reach) | Dutch-licensed audit firms (Wta-regulated) |
| Legal basis | Sarbanes-Oxley Act sections 104–105 | Wta articles 15–16; EU Regulation 537/2014 |
| Inspection frequency | Annual (firms auditing 100+ issuers) or triennial (all others) | Every 3 years (PIE firms) or 6 years (non-PIE firms) |
| Report publication | Part I public immediately; Part II public after 12 months if unremediated | Thematic reports published without firm names; enforcement decisions published with names |
| Standards applied | PCAOB auditing standards (AS series) | ISA as adopted in the Netherlands (NV COS) |
This distinction matters for European firms registered with both regulators. A firm may pass an AFM inspection under ISA-based standards while simultaneously carrying a PCAOB Part I deficiency on the same engagement (if the PCAOB-specific requirements such as the integrated audit of internal controls under AS 2201 were not met). Dual-registered firms must maintain separate quality responses for each regulatory regime.
Related terms
Related reading
Frequently asked questions
Does a European audit firm need to register with the PCAOB if it only audits a subsidiary of a US-listed company?
Yes, if the firm plays a "substantial role" in the audit of an issuer. PCAOB Rule 2100 defines this as performing more than 20% of total audit hours or auditing components whose assets or revenues exceed 20% of consolidated totals. Registration must be in place before the firm begins the work.
What happens if a PCAOB inspection finds deficiencies in a non-US firm?
The process mirrors US firm inspections. Part I deficiencies (engagement-level findings) are published with the inspection report. Part II findings (firm-level quality control criticisms) remain non-public for twelve months under Sarbanes-Oxley section 104(g)(2). If the firm does not remediate to the Board's satisfaction within that period, the Part II findings are made public. The PCAOB can also initiate enforcement proceedings, including fines and revocation of registration.
How do PCAOB auditing standards differ from ISA?
PCAOB standards (AS series) and ISA share a common ancestry but have diverged. AS 2201 requires an integrated audit of internal controls over financial reporting for large accelerated filers, which ISA does not. AS 2401 on fraud contains more prescriptive journal entry testing requirements than ISA 240. AS 1301 on audit committee communications requires specific two-way discussions beyond ISA 260. Registered firms must apply PCAOB standards (not ISA) for US issuer audit work.