Inspections of Registered Public Accounting Firms
SOX Section 104 requires the PCAOB to run a continuing inspection program for registered public accounting firms, inspecting firms that audit more than 100 issuers annually and other registered firms at least every three years 1. To operationalize this, you must manage your auditor (a critical third party) so PCAOB inspection status, findings, and remediation flow into your SOX, audit, and third-party risk processes.
Key takeaways:
- Confirm your external auditor is PCAOB-registered and understand its inspection cycle and latest results 1.
- Treat PCAOB inspection outcomes as third-party risk signals that trigger governance, escalation, and remediation tracking.
- Maintain an “audit firm oversight file” with evidence you reviewed inspection information and addressed implications for your ICFR and financial reporting.
“Inspections of registered public accounting firms” sounds like a requirement aimed at audit firms, and legally it is. SOX Section 104 directs the PCAOB to inspect registered public accounting firms on a set cadence and assess compliance with laws, rules, and professional standards 1. However, if you are a public company Compliance Officer, CCO, or GRC lead, Section 104 still creates a practical obligation: you need a repeatable way to oversee your external auditor as a high-impact third party and to respond when inspection results raise questions about audit quality or independence.
Most teams struggle here for two reasons. First, “PCAOB inspection” is owned by the audit committee and finance, while “third-party oversight” is owned by compliance or procurement. Second, organizations often collect PCAOB information but fail to connect it to decisions: auditor appointment/renewal, audit plan changes, ICFR testing scope, or remediation commitments.
This page translates Section 104 into operator-ready steps: who should do what, what artifacts to keep, what exam and audit reviewers ask for, and how to stand up an oversight routine that will survive turnover and timing pressure.
Regulatory text
Excerpt (SOX Section 104): “The Board shall conduct a continuing program of inspections to assess compliance of each registered public accounting firm. Firms auditing more than 100 issuers must be inspected annually.” 1
Operator interpretation:
- The legal duty to perform inspections sits with the PCAOB, not with issuers.
- Your operational requirement is indirect but real: because your external auditor must be a registered firm subject to PCAOB inspection, you should treat inspection cadence and inspection findings as governance inputs for auditor oversight, audit quality risk, and SOX/ICFR reliance decisions 1.
Plain-English requirement (what it means for you)
Section 104 creates a predictable oversight mechanism for the audit firms that serve public companies 1. For an issuer, the “requirement” to operationalize is:
- Engage and retain only an appropriate audit firm (registered and in good standing for your needs).
- Maintain ongoing visibility into PCAOB inspection outcomes relevant to the firm.
- Use that visibility to drive governance actions: questions to the auditor, audit plan adjustments, escalation to the audit committee, and tracking of any commitments your auditor makes in response to inspection issues.
If you cannot show that someone reviewed PCAOB inspection information and considered its implications, you will look flat-footed during SOX governance reviews, external audit oversight discussions, and audit committee reporting.
Who it applies to
In-scope entities
- Registered Public Accounting Firms are directly subject to inspection cadence requirements (annual if they audit more than 100 issuers; at least every three years for others) 1.
In-scope operational context for an issuer (your program)
Even though you are not the inspected party, this matters when you:
- Select, renew, or replace the external auditor (third-party onboarding/renewal).
- Oversee audit quality through the audit committee and management controls.
- Rely on ICFR and financial reporting assurance that depends on the auditor’s professional standards and quality controls 1.
What you actually need to do (step-by-step)
Below is an issuer-side implementation checklist that maps Section 104 to operational controls without overreaching the statute.
1) Assign ownership and define the oversight workflow
- Name an owner for “external auditor oversight file” maintenance (commonly SOX PMO, controllership, or compliance).
- Define the handoffs between compliance/GRC, finance, and the audit committee. Your workflow should answer: Who collects PCAOB inspection artifacts? Who reviews them? Who escalates? Who tracks action items?
Practical tip: Put this in your SOX governance calendar so it does not depend on memory.
2) Confirm your auditor’s PCAOB registration and scope fit
- Document that the audit firm engaged for issuer audits is a registered public accounting firm subject to PCAOB oversight 1.
- Record basic facts that matter for cadence planning: does the firm audit more than 100 issuers (annual inspections) or fall into the at-least-every-three-years cycle 1?
3) Establish an inspection monitoring cadence tied to your audit cycle
You need a repeatable routine, aligned to events you already run:
- Pre-planning (before interim testing): request the most recent PCAOB inspection report summary the audit firm can share and management’s view of relevance to your engagement.
- Planning (before year-end fieldwork): ask the engagement partner to brief the audit committee (or management, with readout to the audit committee) on inspection themes and the firm’s remediation program.
- Post-audit: confirm whether any inspection-related issues influenced audit approach, staffing, supervision, or consultation.
Keep the cadence simple. A lightweight routine that happens every year beats a “perfect” process that collapses during close.
4) Convert inspection outcomes into third-party risk signals
Treat inspection information like other third-party risk inputs (SOC reports, breach disclosures, regulatory actions), and force a decision:
- No material relevance: document the rationale and who approved it.
- Potential relevance: create action items (targeted questions, additional walkthroughs, expanded control testing, quality review request).
- High concern: escalate to audit committee leadership; consider whether you need changes in the audit plan, engagement team, or even auditor retention.
If you use a third-party risk platform like Daydream, this is a clean fit: create an “External Auditor” third-party record, attach inspection artifacts, and track remediation items with due dates, owners, and audit committee reporting notes. Keep it boring and auditable.
5) Track remediation commitments and close the loop
If the auditor states they have remediated inspection findings:
- Record what changed (process, training, internal quality control, engagement supervision).
- Record what it means for your audit (audit procedures, review depth, consultation requirements).
- Record how you validated the change (usually through documented inquiries and audit committee discussion; you are not re-performing PCAOB work).
6) Build audit committee-ready reporting
Prepare a short, consistent briefing pack:
- Inspection cycle status (annual vs at-least-every-three-years, based on firm profile) 1
- Summary of inspection themes shared by the auditor
- Management’s assessment of impact on your audit and ICFR reliance
- Open items and planned follow-up
Required evidence and artifacts to retain
Maintain an “audit firm oversight file” with:
- Auditor identification and confirmation it is a registered public accounting firm 1
- Notes or minutes showing inspection discussion with management and/or audit committee
- Copies of materials the auditor provided about PCAOB inspection results (as available)
- Your internal assessment memo: relevance to your engagement, planned follow-up, and approvals
- Action item log: questions asked, responses received, decisions made, and closure evidence
- Auditor renewal or selection documentation showing inspection considerations were part of due diligence
Keep artifacts in the same system you use for SOX governance evidence (GRC repository, SOX tool, or controlled document management). Consistency matters more than tool choice.
Common exam/audit questions and hangups
Expect these:
- “How do you consider PCAOB inspection outcomes in auditor oversight?” Have the workflow and last review packet ready.
- “Who reviews this and when?” Show calendar alignment to audit planning and audit committee meetings.
- “What did you do with what you learned?” This is the hangup. A binder of PDFs without decisions looks weak.
- “How did you escalate concerns?” Produce meeting minutes, an email trail, and action tracking.
Hangup to anticipate: teams confuse “audit firm inspection” with “company inspection.” Your narrative should be precise: PCAOB inspects the firm 1; the issuer oversees the auditor as a third party and governs implications.
Frequent implementation mistakes (and how to avoid them)
- Treating PCAOB inspection as “finance-only.” Fix: define a cross-functional RACI. Compliance/GRC can own the process; finance can own technical evaluation.
- Collecting inspection info but not documenting decisions. Fix: require a short assessment memo and action log for every review cycle, even when you conclude “no impact.”
- No escalation threshold. Fix: predefine triggers for audit committee escalation (for example: repeated themes, staffing concerns, or issues tied to your risk areas). Use qualitative triggers if you do not have validated quantitative criteria.
- Overpromising validation. Fix: you are not re-performing the PCAOB’s work. Document inquiry, governance, and audit plan impacts. Keep claims factual and bounded to what you did.
Enforcement context and risk implications
This requirement exists because audit quality and professional compliance need external inspection 1. Even though the statute directs no enforcement at issuers, the practical risk is clear:
- If your auditor has inspection issues and you cannot show oversight, you may face audit committee scrutiny, confidence erosion, and harder conversations during restatements or control failures.
- Weak auditor oversight also undermines your SOX governance posture because it suggests management cannot manage a critical assurance third party.
Practical 30/60/90-day execution plan
If you need to move quickly, use this phased plan. The phases are a sequencing aid, not statutory deadlines.
First 30 days (Immediate stabilization)
- Assign an owner and backups for auditor oversight evidence.
- Create the “audit firm oversight file” structure in your repository.
- Document auditor registration confirmation and inspection cadence category 1.
- Add PCAOB inspection review to your SOX governance calendar and audit committee agenda template.
Next 60 days (Operationalize and run once)
- Collect the latest inspection-related materials the auditor can share.
- Run a structured review meeting (management + engagement partner). Capture minutes.
- Draft the assessment memo: relevance, planned questions, and any audit plan considerations.
- Stand up an action log and route key items to the audit committee chair or full committee.
Next 90 days (Embed and automate governance)
- Standardize templates: assessment memo, action log, and audit committee briefing pack.
- Integrate into third-party risk workflow (intake, review, escalation, closure). If you use Daydream, create the auditor as a third party with recurring tasks and evidence requirements.
- Perform a dry-run “exam response”: can you produce the full story (inputs → review → decisions → follow-up) from one folder in under an hour?
Frequently Asked Questions
Does SOX Section 104 require my company to perform PCAOB-style inspections of our auditor?
No. The statute directs the PCAOB to inspect registered public accounting firms 1. Your job is to oversee your auditor as a critical third party and document how inspection outcomes factor into governance decisions.
How often should we review PCAOB inspection information for our audit firm?
Align reviews to your audit planning and audit committee cycle so the information can influence decisions. Section 104 sets the inspection cadence for firms (annual for firms auditing more than 100 issuers; otherwise at least every three years) 1, but issuers should review on a cadence that supports oversight.
What evidence will an auditor or SOX reviewer expect from us?
They will expect proof you gathered inspection-related information, evaluated relevance to your engagement, and tracked follow-ups. Keep meeting minutes, an assessment memo, and an action item log tied to audit committee reporting.
Our audit firm won’t share much detail about PCAOB inspections. What can we do?
Document what you requested, what you received, and what you asked the engagement partner to explain. Your control is governance: structured inquiries, documented responses, and escalation when answers are incomplete.
Who should own this process: compliance, SOX, finance, or the audit committee?
The audit committee owns auditor oversight, but management must run the operational process and retain evidence. In practice, SOX/controllership often owns execution, with compliance/GRC ensuring third-party risk discipline and consistent documentation.
How does Daydream fit without turning this into extra bureaucracy?
Treat the external auditor like any other high-impact third party in Daydream: a record with required evidence, scheduled review tasks, and tracked remediation items. That gives you a clean audit trail from inspection inputs to decisions and closure.
Footnotes
1. Public Law 107-204 (Sarbanes-Oxley Act of 2002), Section 104.