KPMG auditors should know PCAOB inspections are risk-based reviews

What gets tested hardest now

PCAOB inspections are not a broad scorecard, and that is the first thing KPMG auditors need to keep in mind. Inspectors are looking for the places where risk was highest, complexity was greatest, or judgment mattered most, then checking whether the file tells a coherent story from planning through conclusion. If the work paper trail does not explain why a team chose a procedure, challenged management, or accepted an estimate, that gap becomes exposure fast.

That makes the pressure more immediate than a generic annual review. A bad answer in an interview, a thin memo, or a missing tie-out can pull an entire engagement into the spotlight. In practice, the most vulnerable areas are the ones that depend on judgment and speed: significant estimates, revenue, controls testing, going-concern assessments, and any issue where the team relied on coaching instead of writing down the rationale.

How PCAOB inspections actually work

The Public Company Accounting Oversight Board says inspections are designed to assess compliance with PCAOB standards and rules, along with other professional requirements tied to a firm’s system of quality control. They are not intended to review every audit, every part of the QC system, or every deficiency that may exist. For large firms, inspections are annual; smaller firms are inspected at least once every three calendar years, with exceptions.

That matters because the report that comes out of the process is not meant to be read like a balanced performance review. It is a targeted look at selected audits and selected areas within those audits. Inspectors review work papers, interview engagement personnel, and can issue written comment forms when they believe a deficiency remains after discussions with the firm. For audit teams, that means the file has to stand on its own long after the fieldwork is done.

Why the risk-based lens matters on the ground

The inspection process is intentionally risk-based, and that changes what “good” looks like day to day. Teams should expect the toughest scrutiny in areas where the audit involved higher judgment, greater complexity, or a bigger chance of material misstatement. If a procedure was performed because it was “standard,” but the file does not show why it was the right response to the actual risk, inspectors can treat that as a weakness.

The practical takeaway is simple: documentation is no longer just about proving work was done. It has to show that the team identified the right risks, matched procedures to those risks, and followed through when the evidence pointed to a problem. For managers, that raises the bar on coaching, review notes, and whether post-issuance lessons are captured in future engagements rather than forgotten after busy season.

QC 1000 pushes quality beyond the engagement file

QC 1000 turns that pressure into a firmwide expectation. The standard, effective December 15, 2026, creates an integrated, risk-based quality-control framework built around eight components: risk assessment, governance and leadership, ethics and independence, acceptance and continuance, engagement performance, resources, information and communication, and monitoring and remediation.

That is a bigger ask than signing off on the quality of a single engagement. It means KPMG professionals have to think about how the firm detects risk, responds to it, and learns from it over time. Staffing decisions, coaching, review intensity, and how quickly issues get escalated all become part of quality control, not just operational detail. For teams used to treating QC as something handled by specialists, QC 1000 makes quality everyone’s job.

The SEC approved the standard on September 9, 2024, in a 3-2 vote, which shows how consequential the rule is. The effective date was later pushed back by one year to December 15, 2026, giving firms more time, but not changing the direction of travel. The expectation is still clear: firms must identify specific risks and design controls that respond to those risks.

What KPMG’s own numbers say about the pressure

KPMG is subject to PCAOB inspection annually, while its nonpublic-entity practice goes through external peer review every three years. Its most recent peer review for the year ended March 31, 2023, received a pass rating. That distinction matters because public-company audit teams are being watched on a much tighter cycle than the rest of the practice.

The firm also said it expected its 2024 PCAOB inspection report, covering 2023 audits, to show a Part 1.A deficiency rate of 20%, which it called its lowest since 2009. The PCAOB released KPMG’s 2024 inspection report on March 31, 2025. That gives the firm a concrete benchmark to defend internally: the story is not just whether results improved, but whether the improvement is durable enough to survive another round of inspections.

There is also broader market pressure behind those numbers. In the PCAOB’s 2024 inspection cycle, the aggregate Part I.A deficiency rate for all inspected firms fell to 39% from 46% in 2023. The Big Four’s combined rate fell to 20% from 26%. Thomson Reuters reported that KPMG examined 64 audits in 2024 and found deficiencies in 13, which is a reminder that even a lower deficiency rate still leaves a meaningful number of files under scrutiny. The PCAOB said it reviewed portions of more than 800 public-company audits across 171 firms, so the comparison set is wide and the lens is sharp.

What this means for the next file you sign

For KPMG auditors, the survival guide is to treat every major judgment as if an inspector will read it with fresh eyes. If the answer to “why did we do it this way?” lives only in hallway conversations, the file is exposed. If review notes were handled verbally and never translated into final documentation, the engagement is exposed. If the team cannot connect a local audit decision to the firm’s broader quality-control system, QC 1000 will expose that gap too.

The standard now is not just clean work on one engagement. It is showing that the firm can spot risk early, staff to it intelligently, document it clearly, and learn from it before the next inspection cycle. That is the real test PCAOB inspections and QC 1000 together will keep applying to KPMG audit teams.