Registration with the Board

To meet the SOX Section 102 “registration with the Board” requirement, you must ensure that any firm preparing or issuing your issuer audit report is a registered public accounting firm with the PCAOB; otherwise, issuing that audit report is unlawful. Operationally, your job is to gate auditor selection, engagement, and report issuance on verified PCAOB registration and to retain proof in your audit and third-party governance files. 1

Key takeaways:

  • You cannot accept an issuer audit report from an unregistered public accounting firm. 1
  • Build a control that verifies PCAOB registration before engagement signing and again before report issuance.
  • Keep durable evidence: registration verification, engagement terms, and an approval record that ties the check to the specific legal entity and audit period.

SOX Section 102 is a hard eligibility rule, not a “best practice” control. If your company is an issuer (a public company with SEC reporting obligations) and you obtain an audit report for financial statement purposes, the accounting firm issuing that audit report must be registered with the PCAOB. The statute frames this as an unlawful act by the unregistered firm to prepare or issue an audit report with respect to an issuer, but in practice your exposure is operational: selecting the wrong auditor can derail filings, trigger restatement risk, and create governance failures that surface quickly in audit committee oversight.

For a Compliance Officer, CCO, or GRC lead, the fastest path to operationalizing this requirement is to treat auditor registration as a third-party onboarding “stop-ship” criterion. That means (1) defining what counts as an “audit report” and “issuer” in your internal scoping, (2) verifying PCAOB registration for the signing firm and the correct legal entity, (3) embedding the check into procurement and audit committee workflows, and (4) retaining evidence in a way that survives turnover, auditor changes, and re-tender cycles.

Regulatory text

Statutory requirement (excerpt): “It shall be unlawful for any person that is not a registered public accounting firm to prepare or issue any audit report with respect to any issuer.” 1

Operator interpretation (what you must do):

  • If your organization is an issuer, you must ensure the public accounting firm that prepares or issues your audit report is registered with the PCAOB before the firm signs or issues the report. 1
  • Treat PCAOB registration as a mandatory gate for auditor selection and audit report acceptance. If you cannot evidence registration, you cannot proceed with that firm for issuer audit reporting. 1

Plain-English interpretation (requirement-level)

This requirement means: no PCAOB registration, no issuer audit report. If you are a public company, you do not have discretion to “risk-accept” this. Your controls should prevent:

  • Engaging an unregistered accounting firm to perform the issuer audit.
  • Allowing any report to be issued under your name for issuer purposes without confirming the firm’s registration status.

This is one of those requirements where “paper compliance” fails. Examiners, internal audit, and the audit committee will expect a clean, repeatable check tied to the specific firm entity that signs the report.

Who it applies to

In-scope entities

  • Public accounting firms that prepare or issue audit reports for issuers must be registered with the PCAOB. 1
  • Issuers (your organization, if publicly traded) must operationalize selection and oversight so you do not end up with an audit report from a non-registered firm.

Operational contexts where this comes up

  • Auditor selection and RFPs (new auditor or rotation).
  • Engagement letter drafting and approval.
  • Subsidiary audits that roll up into issuer financial statements (watch for cross-border components and affiliate firm involvement).
  • M&A, carve-outs, IPO readiness, or first-year public company audits where legacy private-company auditors may not be registered.

What you actually need to do (step-by-step)

1) Define your “issuer audit report” inventory

Create a short register of audit reports your organization relies on for issuer reporting. Include:

  • The specific financial statements and reporting period.
  • The signing audit firm legal name and (if applicable) affiliate/member firm structure.
  • The internal owner (Finance Controller, SEC reporting lead, Audit Committee liaison).

Output: “Issuer Audit Report Register” (a controlled document in your GRC repository).

2) Build a PCAOB registration verification control

Your control should answer one question with evidence: Is the signing firm a registered public accounting firm at the time the audit report is prepared/issued? 1

Implementation pattern that works in practice:

  • Control point A (pre-engagement): verify registration before the engagement letter is executed.
  • Control point B (pre-issuance): re-verify registration shortly before the audit report is signed/issued, to catch status changes.

Define the control owner (often GRC/Compliance with Finance) and the required approver (often Controller, SEC reporting, or Audit Committee delegate).

3) Embed the check in intake and contracting workflows

Add a mandatory step in your third-party onboarding for audit firms:

  • Procurement intake question: “Will this third party prepare or issue an audit report with respect to an issuer?”
  • Conditional requirement: if “yes,” then PCAOB registration evidence is required before PO/engagement execution.

In contracting:

  • Ensure the engagement letter references the specific signing firm entity (not just the brand name).
  • Require the auditor to represent that it is appropriately registered to issue the report for an issuer (keep this precise and within your counsel’s approved language).

4) Address affiliate and component auditor involvement

Even if the top-tier firm is registered, component work may be performed by affiliates. Your operational goal is simple: the firm issuing the report must be registered. 1 For execution:

  • Identify which entity signs the report.
  • Map participating firms (component auditors) and document who does what.
  • Escalate any ambiguity to Finance leadership and counsel early, because late discovery causes filing stress.

5) Create an exception path that ends in “do not proceed”

Because the statutory text is a prohibition, your “exception” process should be a controlled stop, not a workaround:

  • If registration cannot be verified, the engagement cannot proceed for issuer audit reporting.
  • Route the issue to the audit committee chair/CFO and document the decision to select an alternative registered firm.

6) Operationalize with lightweight tooling (where Daydream fits)

Most teams fail on two points: missing evidence at the moment it matters, and losing the audit trail across Finance/Procurement/GRC. Daydream can act as the system of record for:

  • The auditor’s third-party profile (engagement scope, legal entity, ownership, renewal).
  • The PCAOB registration verification artifact and approval workflow.
  • Control testing evidence bundles for internal audit and external auditors.

You want the control to run the same way every time, regardless of who is on the Finance team.

Required evidence and artifacts to retain

Maintain these artifacts in a single, auditable package tied to the audit period and issuing firm entity:

Core evidence (must-have)

  • PCAOB registration verification for the issuing/signing firm (e.g., screenshot/PDF capture from the PCAOB public registry page showing the firm identity and registration status at the time of verification).
  • Dated control sign-off showing who performed the check and who approved proceeding.
  • Engagement letter identifying the signing firm legal entity and scope (issuer audit report).

Supporting evidence (strongly recommended)

  • Auditor RFP evaluation notes showing registration was an eligibility requirement.
  • Audit committee materials/minutes referencing auditor appointment and oversight.
  • Component auditor mapping (if multiple firm entities participate), with clarity on who signs.

Retention tip: store evidence in a way that preserves timestamps and prevents link rot (PDF capture over “live link only”).

Common exam/audit questions and hangups

Expect these questions from internal audit, external audit, or regulators:

  1. “Show me proof the signing firm was registered.”
    Hangup: you have the engagement letter but no registry capture tied to the date.

  2. “Which legal entity issued the report?”
    Hangup: the engagement is with “Brand LLP,” but the issuer audit report is signed by a different affiliate entity.

  3. “Is this control performed consistently each year?”
    Hangup: ad hoc emails instead of a defined control with an owner and evidence standard.

  4. “What happens if the firm’s status changes mid-cycle?”
    Hangup: you checked at onboarding but never rechecked pre-issuance.

Frequent implementation mistakes (and how to avoid them)

  • Mistake: Checking the brand, not the legal entity.
    Fix: require the engagement letter and the registration evidence to match the signing entity name exactly.

  • Mistake: Treating this as a procurement checkbox.
    Fix: make it a compliance gate with documented approval and a stop condition.

  • Mistake: Only checking once.
    Fix: perform the check pre-engagement and again pre-issuance; store both artifacts.

  • Mistake: Evidence scattered across email threads.
    Fix: store an “audit-ready bundle” in your GRC repository (Daydream or equivalent) with a standard naming convention.

Enforcement context and risk implications

The statutory text makes issuer audit reporting by an unregistered firm unlawful. 1 Even without discussing specific enforcement cases here, the operational risks are straightforward:

  • Financial reporting disruption: you may be unable to rely on the report for issuer purposes.
  • Governance failure: audit committee oversight and auditor appointment processes can be challenged.
  • Control deficiency exposure: inability to evidence eligibility checks can surface as a control design or operating effectiveness gap.

For a CCO/GRC lead, the practical takeaway is to treat this requirement like a licensing gate: verify, approve, retain evidence, and re-verify before the report is issued.

Practical 30/60/90-day execution plan

This plan does not assume a specific implementation timeline, so execute it in phases. The goal is fast control establishment, then maturity.

Immediate phase (stabilize and stop exposure)

  • Identify all issuer audit reports and signing firms in use.
  • Confirm PCAOB registration evidence exists for the current cycle; if not, perform verification and capture artifacts.
  • Implement a temporary manual sign-off requirement before any audit report issuance.

Near-term phase (systematize and embed)

  • Draft and approve a short procedure: “PCAOB Registration Verification for Issuer Audit Firms.”
  • Add the control to procurement/third-party intake and to the audit committee calendar (auditor appointment/renewal).
  • Create standardized evidence templates: verification record, approval record, exception record.

Ongoing phase (operate and test)

  • Perform the control at each engagement/renewal and again pre-issuance.
  • Add periodic internal audit testing (sample evidence bundles, entity name matching, approval completeness).
  • Centralize records in Daydream so control owners can produce evidence on demand without chasing emails.

Frequently Asked Questions

Does this requirement apply to every accounting firm we hire?

No. It applies to any firm that will prepare or issue an audit report with respect to an issuer. If a firm is not issuing that issuer audit report, this specific requirement may not be triggered. 1

What exactly must be registered “with the Board”?

The public accounting firm that prepares or issues the audit report must be a “registered public accounting firm.” Your operational control should confirm the registration status of the signing firm entity. 1

Is an engagement letter clause enough to satisfy the requirement?

A contractual representation helps, but you still need independent verification evidence in your files. Audits and exams typically look for proof of the registration check, not just reliance on contract language.

How do we handle affiliate firms or component auditors?

Start by identifying the legal entity that will sign/issue the issuer audit report and verify that entity’s registration. Then document which other firm entities participate so you can explain the structure during audit committee review and audits. 1

Who should own this control, Compliance or Finance?

Finance typically owns auditor relationship management, but Compliance/GRC should own the control standard, evidence requirements, and testing. A joint RACI avoids the common failure where each team assumes the other did the registration check.

What evidence is “good enough” for an audit?

Keep a dated capture of the PCAOB registration verification for the signing firm, plus an approval record that authorizes proceeding, tied to the engagement and audit period. Pair it with the engagement letter naming the same legal entity.

Footnotes

  1. Public Law 107-204
