PCAOB inspections: An analysis of entity-level and application-level control audit deficiencies

Abstract

The Public Company Accounting Oversight Board (PCAOB) inspection process identifies deficiencies related to how firms conduct audits. Our work extends prior research by examining the type of internal control audit deficiencies (entity-level or application-level). Internal control audit deficiencies of both types may increase the risk of material misstatement, so the PCAOB is concerned with whether audit firms are performing appropriate procedures to identify entity-level and application-level internal control audit deficiencies, including those involving information technology general controls (ITGCs). Using text analysis to examine audit deficiencies by internal control type and firm size, we find that PCAOB inspection reports identify significantly more application-level than entity-level control audit deficiencies. Application-level control deficiencies generally involve revenue, inventory, and accounts receivable accounts whereas entity-level deficiencies often involve lack of centralized controls or controls over period end financial reporting. The number of application-level deficiencies identified for both Big 4 and second-tier firms varied between inspection years 2010 and 2015. However, the number of entity-level deficiencies, including ITGCs for both Big 4 and second-tier firms, held nearly steady during the period. Our findings should be of interest to practicing accountants, regulators, and other users of PCAOB inspection reports.