A reversal of fortune becomes more likely the longer the bull market and economic expansion goes on.

The Big Four accounting firms bungled 31% of the most recent US audits analyzed by their quasi-governmental watchdog, the Public Company Accounting Oversight Board (PCAOB). Yet despite the abysmal findings, the oversight board—which the US government empowers to police the audit firms—has rarely taken action against them.

In its 16-year history, the PCAOB has made only 18 enforcement cases against the foursome—KPMG, Deloitte, EY, and PriceWaterhouseCoopers—according to an investigation published recently by the Project on Government Oversight (POGO).

The US Congress and Bush administration set up the PCAOB in 2003 after the collapse of Enron and WorldCom, Earth-shattering events in the corporate world that cost thousands of people their jobs and shareholders billions of dollars. At the heart of the scandals was Arthur Andersen, the former accounting giant (then part of what had been the “Big 5”), whose false audits helped the companies mislead the public on their financial health.

Since auditors are paid by the companies they scrutinize, critics argue they have a built-in incentive to produce reports that please those companies—and, academic research shows, they lose business when they don’t. The government created PCAOB to audit the auditors, and empowered it to punish them when they fail.

Since it began its work, PCAOB has issued just $6.5 million in fines on the Big Four, according to POGO. That’s far short of the maximum total penalties the oversight board could have demanded the firms pay—some $1.6 billion, POGO calculates.

While the Big Four failed to properly audit their clients in 31.1% of cases examined by the PCAOB since 2009, the PCAOB has only disciplined them in 6.6% of those cases, including in actions also taken by the Securities and Exchange Commission (SEC), according to POGO data. (The SEC oversees the PCAOB and sometimes takes on high-profile cases involving auditors.)

KPMG hasn’t been fined a single time, POGO reports—despite it boasting the worst failure rate at 36.6%. In 2017 alone, it failed to accurately audit its clients half the time. The audits examined by the PCAOB are not a representative sample—it decides which ones to analyze based on “perceived risk.”

John Coffee, director of the Center on Corporate Governance at Columbia Law School, told POGO that the fines levied against the Big Four were “trivial.”

“We have a watchdog who is not watching,” he said. “We have a watchdog who looks increasingly like a lapdog.”

“If they’re determining that companies are not following the rules or signing off on audits they shouldn’t have, then, yes, they should be held accountable—if that means more fines, they should be fining them,” said Tim Stretton, a policy analyst at POGO. He argued that the PCAOB could improve its process by making both enforcement actions and its analysis of audits more transparent.

Of the four firms, only Deloitte provided a comment to POGO on its investigation, saying it was “proud of the high quality audits” it performs, and that it was making “large investments” to drive technological innovation and improve its employees’ skillsets.

PCAOB spokesperson Torrie Matous told POGO that “the PCAOB has finite resources available to it,” and therefore “must prioritize carefully the matters it investigates and the cases it ultimately pursues.” Matous added: “Not every inspection-related deficiency rises to such a level of severity that it should result in an enforcement investigation or the institution of an enforcement proceeding.”

The plethora of allegedly poor audits is not just a US issue. On Sept. 9, Britain’s own accounting watchdog, the Financial Reporting Council (FRC), lamented “undesirable inconsistency across the market.” A quarter of large company audits required significant improvements, it said. The FRC has amped up its enforcement efforts, fining auditors £32 million ($39.5 million) during the year ending March 31.