Keynote – Mark Olson, PCAOB

From the Compliance Week Conference Summary:

Audit firms and issuers take note: Guidance on implementing the new Auditing Standard No. 5 is coming.

During remarks at Compliance Week 2007 on Thursday, Public Company Accounting Oversight Board Chairman Mark Olson noted that the board is “working with practitioners to develop tailored implementation guidance for audits of internal controls in smaller companies.” Olson said that guidance will be released later this year, well in advance of the Section 404 compliance deadline for non-accelerated filers, who are slated to comply with the management requirements for fiscal years ending on or after Dec.15, 2007, and the required auditor assessment a year later.

AS5 takes effect for fiscal years ending on or after Nov. 15, 2007. However, once the Securities and Exchange Commission approves the standard (which must still be published for comment by the Commission), earlier adoption will be permitted, Olson said. The Board’s inspection program will also be adjusted to be consistent with the new standard. This has been one of the complaints of the audit firms.

Olson urged audit firms that have already done internal control audits to “take a step back and re-challenge every aspect of their methodology” to ensure that it’s appropriately risk focused, to ensure it takes adequate advantage of the top-down approach, and to ensure that it encourages audit professionals to exercise judgment.

While “the market will bear out how the new standard affects overall audit costs,” Olson said the PCAOB will monitor AS5 implementation carefully to make sure it allows “room for companies and auditors to evolve.”

…the new audit standard is a departure from its predecessor, the highly detailed (and highly criticized) AS2. For instance, AS5 does not require auditors to evaluate or opine on management’s process for assessing the effectiveness of its internal controls over financial reporting.

AS5 also includes an added emphasis on fraud risk and anti-fraud controls that Olson said “should make it clear to auditors the importance of assessing fraud risk throughout the audit process.”

The more top-down, risk-focused approach has “eliminated the need to look at many lower-level risk exposures,” Olson said. “For multinational companies, that’s had a huge impact.”

Separately, he noted that the increased use of fair value accounting by issuers poses challenges for auditors and the PCAOB. I will write separately about this topic later…

My question to Mark Olson:
The PCAOB is a regulator of the audit firms themselves, not just the audit process. Is there any hope that we’ll see more information about the firms’ business and operations quality and maybe voluntary disclosure of the private report segment of the firm inspection reports?

His answer: The PCAOB will continue to add more information and commentary to the public report, when possible. However, the PCAOB sees itself as regulators of the audit firms with regard to audit quality, and so any additional disclosure will come only as it relates to audit quality. Olson did note that the detailed findings related to quality assurance which are now in the private report must be responded to adequately and satisfactorily by a firm within a year after the report is issued. If the PCAOB is not satisfied with progress towards improving quality, the findings will be made public. He feels this is a big incentive for the firms to fix issues identified in a timely and satisfactory manner or risk this public disclosure of their problems.

There have been very few instances, so far where private parts of the report have been made public due to inadequate response by an audit firm to PCAOB findings. I have written already about this issue here. I think Olson’s comments tell me that the PCAOB, and perhaps the SEC, are still loathe to pass judgement, especially publicly, on how the audit firms are managing their business and their business model. The firms discourage this type of criticism, given their disdain for anyone questioning their expertise. The regulators are walking a fine line between being responsive to investors and responsive to the firms and the business executive community. I think we know which constituencies still have the upper hand…

Someone else asked if the PCAOB/SEC is considering enforcement actions and penalties for the audit firms for overauditing as well as underauditing. Although many in the audience chuckled, given that it was an audience which is largely industry executives versus audit firm professionals, Olson took the question very seriously. He said that there could be enforcement or penalties for such a fault, but it would probably comes as a result of misapplication or non-application of a standard, rather than any other qualitative judgement on whether work was efficient or necessary.