William J. McDonough has a particularly tough job: as chairman of the Public Company Accounting Oversight Board (PCAOB), he is charged with policing an industry unused to outside regulation and under fire as never before.
But judging from his first year on the beat, McDonough won't hesitate to crack down if necessary. The PCAOB's initial inspections of Big Four audits found "significant accounting issues," McDonough recently told Congress. The inspections also identified instances in which they failed to follow generally accepted accounting principles, or GAAP (see "Audits: How Bad Is Bad?" at the end of this article). The 70-year-old former president of the Federal Reserve Bank of New York insists that it is the responsibility of the firms, particularly the Big Four, to "win back the confidence of the American people." But given the depths of the problems and the power of his position, he isn't shy about forcing them to.
McDonough is heavily armed for his job. The PCAOB, for example, is responsible for auditing the largest accounting firms annually and all other firms every three years. And its options range from "giving quiet advice to putting them out of business" if they don't perform to acceptable standards. In addition, the board, through its registration process, has final say over who gets to audit public statements. By the end of June, 976 U.S. and foreign firms had been registered and one had been rejected.
That power will only increase as the board's mission is refined. This year the PCAOB is setting audit standards, creating an enforcement program, and staffing up to full capacity. At the agency's full strength, McDonough expects to oversee some 300 employees and add Chicago and Southern California to its growing network of offices. Meanwhile, the accounting firms continue to demonstrate that oversight is a necessary evil: Ernst & Young LLP, for example, is waiting out a six-month ban on new clients because it violated independence rules, while KPMG LLP continues to be dogged by problems with tax-shelter advice.
McDonough, who describes himself as "painfully straightforward," lays much of the real blame on fundamentals. In the limited inspections that the PCAOB conducted, he says, "we noticed that a fair amount of audits were really not very well done." Given the thoroughness of the current inspections as well as new requirements under Section 404 of the Sarbanes-Oxley Act — calling for audits of internal controls as well as financial statements — it's clear that poor-quality audits will no longer be tolerated. Moreover, he considers the idea that auditors are not responsible for detecting fraud to be nonsense. "With relatively few exceptions," he says, "they should find it."
McDonough recently sat down in his Washington, D.C., office — ironically, in the same building that Arthur Andersen once occupied — with CFO deputy editor Lori Calabro to discuss the ongoing audits, the impact of 404, and why increased due diligence by auditors will ultimately restore investor confidence.
You've been the PCAOB's chairman for just over a year. How has your perception of the auditing profession changed during that time?
I know the auditing profession considerably better now. However, having been a chief financial officer at First Chicago and then president at the Federal Reserve Bank of New York, I was already familiar with what auditors do. So [the last year has been] more about getting to know the key people in the profession.
The board had an inauspicious start. The first designated chairman, William Webster, withdrew because of alleged conflicts of interest, and that ultimately led to the resignation of then-Securities and Exchange Commission chairman Harvey Pitt. Did that upheaval handicap you?
No. There's an external view that the board got off to a rough start, [because certain things] happened and therefore the board did not have a permanent chairman until I arrived. But I'm not sure that's true. When I arrived, I felt that the board had not made a single decision with which I disagreed — and I looked at all of them. I was also extremely happy with the people they had hired. So while you might think it was high risk to enter an institution and immediately become its most visible face, it turned out that everything had been done so well that I had nothing but admiration for [their] work.
You've described your role as imparting "tough love" on auditing. In this situation, how do you define tough love?
My background is that of a banking supervisor in the largest financial institutions in the United States. If the managers ran a safe and sound institution in the public interest, as well as that of the shareholders, I, as their supervisor, would be supportive and helpful. If, on the other hand, they did something that was not in the public interest, I would be an extraordinarily difficult supervisor. Since the PCAOB represents the public interest, we cannot be only supportive of the accounting profession; that would make us just cheerleaders. The best way for accountants to win back the confidence of the American people is to do it voluntarily. But if they won't do it voluntarily, we will make them do it. That's the tough part of tough love.
Have you seen evidence that auditors are taking the initiative?
I tell accounting firms that the American people have lost confidence in the profession. That's why we inspect them. It's irrelevant if they think that's a bum rap; we represent the public interest. If they are caught, say, giving tax-shelter advice — and there's a whole new series of stories about XYZ firm giving tax-shelter advice — the American people will decide those firms do not have the judgment to be trusted. So my very strong advice is, don't do the stuff that will lead to that conclusion. Are we seeing progress? Yes. Was Rome built in a day? No. But the trend is right.
You're now conducting full-scale inspections of the auditing firms. What do they entail?
Last year, the PCAOB did limited inspections. The statute requires annual inspections of any firm that does more than 100 public audits. So this year, we will be doing much more thorough inspections of the Big Four, plus the other four American accounting firms that audit more than 100 public companies. Once every three years, we are also required to inspect all other auditors of public companies.
Part of the work will be a very intense look at the overall management and conduct of the firm, what we call "tone at the top." Are they getting the message across that audit is their most important product? Are good auditors being compensated for being good auditors — not for bringing in collateral business, the cancer that destroyed Arthur Andersen?
We will also be looking at individual audit engagements. Last year we examined 16 in each Big Four firm. This year we will be doing several hundred each. The reviews are very thorough. We review the work papers, interview the engagement partner, the partner that reviewed the engagement partner's work, and then talk with people involved in the audit, to see whether this message of absolutely high-quality audits is being carried to the rank and file.
Will the interview extend to the people who are being audited — the companies?
Generally not. Last year there were telephone discussions in quite a number of cases with the chairpersons of some audit committees. This year [the issuers audited] will be slanted heavily toward high-risk engagements, and a random sample of others. But, generally speaking, we will be looking at the auditor rather than the auditee.
Obviously, these inspections are supposed to identify what needs to be changed. What in your view will constitute a weakness?
All kinds of things. Let's say we discover that the issuer has made what appears to be an accounting mistake. Since we are not in the accounting-theory business but rather the audit business, we would say to the auditor and the issuer, "We question your application of GAAP." Then, if they wished to appeal to a different authority, they could go to the SEC.
On the other hand, if we felt that the audit firm simply was not conducting very high-level audits, that would be a quality issue. Depending on the gravity of it, we would say, "This is so serious we will [open] an investigation with the possibility of an enforcement action," or, "We want this fixed within the next 12 months and the details will remain confidential." Our capabilities [range] from quiet advice to putting them out of business.
You say that you won't be talking to clients. Yet some CFOs are preparing their finance staffs for PCAOB audits as well as potential SEC inspections.
They are making a leap that I'm not sure I agree with. It would happen if we were so confused by what was going on in an audit that we simply had to go to the issuer. But it certainly wouldn't be a frequent event.
How do you respond to auditors' insistence that it isn't their job to detect fraud?
We have a very clear view that it is their job. If we see fraud that wasn't detected and should have been, we will be very big on the tough and not so [big] on the love.
Ultimately, is there a silver bullet for preventing fraud?
To have auditors understand that, with relatively few exceptions, they should find it. To me, the relatively few exceptions are those cases where you would have some extremely dedicated, capable crooks. In most cases, though, the crooks are either not that smart or they don't cover their tracks that well.
The firms have a 12-month window to fix weaknesses without disclosing them. Companies don't receive the same treatment under Section 404. Isn't that a double standard?
That aspect of the statute is clearly controversial. The positive side is that 12 months is not a very long time, and therefore it puts tremendous pressure on the audit firms to get things fixed. But should the statute have been written so that [weaknesses] are immediately cleared with the public? I don't know, because I didn't write the statute. I deal with it as it was written. [Overall, however,] I think the algebraic total is that it's a good thing.
Did you anticipate how all-consuming Section 404 would be for companies?
For companies with strong internal controls, essentially they have to document them; that is not all-consuming. If, on the other hand, a company does not have particularly good internal controls, my attitude is that they should have. I don't have a lot of sympathy for the scrambling they have to do. I have great sympathy for the small and midsize companies that in some cases actually have very good internal controls, but are much less formal than a large, complicated company.
We've heard rumblings that since companies are spending so much time on 404, they're neglecting growing their businesses.
I've heard that. I don't think there's a whole lot to it. CFOs and their staffs will undoubtedly be spending a lot of time on 404. But I don't really know any documentable cases in which the strategic future of the company is being adversely affected. I suppose I could waggishly say, "Well then, they ought to spend weekends working on one and the rest of the week working on the other."
How can you be so sure that 404 passes the cost-benefit test?
In getting the right cost-benefit relationship, there is going to be some tugging and pushing between the audit committee and the outside auditor. The audit committee might say, "We really want you to do a lot of testing," and then there's nothing to discuss. On the other hand, the auditor might say, "We need to do this much testing," and the audit committee will say, "We don't really see that." But at the end of the day, the auditor has to say, "[This] is what we have to do to attest." We don't expect the auditor to either run up hours or be difficult. It's a judgment that we expect to be rational.
Some people are concerned that many companies will fail these audits.
I don't think anybody knows that until we get into them. Another thing no one knows is whether there will be cases where the auditor gives a clean opinion on the financial statement, but not on the internal-control assessment. Nor do we know the reaction of the marketplace. Would it be, "Oh my gosh, tank the stock!" or "This is the first year of 404; that's not too surprising"?
Personally, I am a believer in rational markets. I think markets will distinguish [between] cases in which a company just isn't very well managed [and cases in which] a company has work to do, but it will probably get a clean opinion next year. Right now, though, everybody is afraid of the unknown.
What would you say if there were no failures?
[I'd say,] "So what?" If an audit firm could say, "We have done a really thorough job of our attestation work, and each and every issuer gets a clean opinion," then that's OK with me.
There are rumors that quotas will guarantee that some companies fail.
If an audit firm has quotas, I think it's nuts. We certainly don't have any quotas.
Many CFOs also believe that 404 has tipped the scales firmly in favor of the audit firms. Is that your view?
We have made it very clear to the audit firms that 404 is not the way that they can afford to send all of their grandchildren to Harvard. The law establishes new requirements for attestation, which clearly are going to be a new expense for companies. But the amount of work they've done should be reasonable and justified. That is why I expect the audit committee not to roll over dead, but rather to have a meaningful discussion with the outside auditors on how much work is needed. It's like auditing a financial statement: at the end of the day, the auditor has to decide if it gets a clean opinion or not. So while I don't think 404 inappropriately shifts the balance of power to the audit firms, we do not expect auditors to be using it inappropriately to enrich their firms.
As a former CFO yourself, what responsibility do you see finance chiefs now having in the audit process?
The CFO has traditionally been the corporate officer with major responsibility for dealing with the outside auditors. This role will and should continue, but it will also have to change. The audit committee, and particularly the chairman of the audit committee, now has the primary corporate-governance relationship with the outside auditors. I believe the CFO should have as open a relationship as possible with both the chairman of the audit committee and the engagement partner. The goal is to have highly reliable financial statements for the good of investors and the general public. That is also in the clear interest of the issuer.
Finally, what kind of grade would you give the PCAOB at this juncture?
The PCAOB has been in business for just over a year and a half. When I joined on June 11, 2003, I was person number 42 on the rolls. For a start-up with a massive responsibility to the public, I give us as high a grade as one can imagine. With the superb staff we have assembled, I expect to keep meriting that high grade. A colleague once described me as "the most demanding man who ever lived," so I do not give high grades easily.
Audits: How Bad Is Bad?
This month, the Public Company Accounting Oversight Board will publish edited findings of its 2003 limited number of inspections of accounting firms. Those inspections unearthed "significant audit and accounting issues," said PCAOB chairman William J. McDonough, testifying before the House Capital Markets Subcommittee in late June. "We found some situations where their issuing clients...did not appear to follow generally accepted accounting principles."
The Big Four received draft reports outlining the PCAOB's charges and were given 30 days to respond. Any appeals, however, must be made to the Securities and Exchange Commission, "because the SEC is in charge of accounting policy, not the PCAOB," says McDonough. At the same time, the firms are under no obligation to make the infractions public as long as they clean them up during the next 12 months.
Because of that confidentiality factor, it's unclear just how serious the disputed issues really are. Still, there seems little danger that the audit weaknesses are going to reconfigure the accounting hierarchy anytime soon. For one thing, McDonough believes that the Big Four are actually "paying attention to doing audits better." The problems that were observed, he says, mainly reflect the lack of time to improve their processes before the initial PCAOB inspections. Moreover, while McDonough "cannot say that it is absolutely essential to the American people that each of the Big Four survive," he believes there is only a "remote" chance that one of the firms will be found to be as poorly managed as Arthur Andersen — and thus deserve to be put out of business.
But, he says, "we have to make sure." —L.C.