When it comes to auditing, it seems like we reach the proverbial stable door only after the horse has bolted. The aftermath of the Nirav Modi-Punjab National Bank (PNB) fraud, like others that have surfaced before it, has brought much recrimination about the lax standards of governance in public sector banks (PSBs) and their indifferent adoption of technology.
Oddly though, the accountability of auditors in not detecting a fraud that had been going on for several months hasn’t been questioned. In its in-house investigation, PNB absolved the auditors of any responsibility, and admitted that there were “..several discrepancies in LoUs (letters of undertaking) which could have been easily detected by ordinary due diligence”. If that was true, shouldn’t the auditors have detected that too?
Auditor accountability for detecting fraud is a hotly debated issue; external or statutory audit firms keep reiterating that their business is not investigation, but assessing fraud in financial statements. In other words, their responsibility is to check for financial misstatements or misappropriation of assets. Internal auditors on the other hand are responsible for compliance with company policies and practices, including fraud prevention.
But let’s look at some numbers. In its 2012 Report to the Nations on Occupational Fraud and Abuse, the US-based Association of Certified Fraud Examiners (ACFE) said that companies lose up to five per cent of their revenues via fraud. That AFCE survey covered 94 countries, including India.
Adjusted for Gross World Product – or the combined GDP of all nations – that amounts to a staggering $3.5 trillion (in 2012 dollars that’s two years of the Indian GDP by value). Apply that estimate to India, and the amount of potential fraud works out to Rs 6.5 lakh crore a year! Is there an extraordinary amount of undetected fraud out there?
Which begs another question: Can the auditing profession really hide behind a grass skirt given the scale of stressed assets across PSBs? There is both anecdotal and other evidence to suggest that the Institute of Chartered Accountants of India (ICAI) needs to take a hard look at the design and implementation of its auditing standards.
The ICAI publishes the standards of accounting (SA) – you can find it on their website – and updates those standards appropriately. The one applicable to fraud is SA 240; the chapter in the Handbook of Auditing Pronouncements titled ‘The auditor’s responsibilities relating to fraud in an audit of financial statements’.
At the outset, it defines the primary responsibility of prevention and detection of fraud as resting with those charged with company governance (the board of directors, presumably) and management. An auditor, on the other hand, ‘is responsible for obtaining reasonable assurance that the financial statements taken as a whole are free from material misstatement, whether caused by fraud or error’.
Now let’s take that one step further. In the next paragraph it says ‘The risk of not detecting a material misstatement resulting from fraud is higher than the risk of not detecting one resulting from error’. The difference between fraud and error is one of intent; ascertaining that is not the auditor’s responsibility, of course. They simply call it an ‘inherent limitation’.
This ‘passive philosophy’ of auditor responsibility for fraud detection goes back to Lord Justice Lopes’ ruling, in the UK: ‘An auditor is not bound to be a detective, or …to approach his work with suspicion, or with a foregone conclusion that there is something wrong. He is a watchdog, not a bloodhound.’ Except that Justice Lopes delivered his statement in 1896; we are in the twenty-first century now.
Elsewhere, the United States has had its fair share of financial frauds and big ones at that: Enron and WorldComm come to mind as two of the most sensational cases that ruined employees and investors lives; employees in Enron had their retirement funds (or pensions) invested in the stock of their company and lost their life savings.
But they have learned from past mistakes. In 2003, they adopted SAS 99, the Statement on Auditing Standards: Consideration of Fraud in a Financial Statement Audit. It requires auditors to overcome tendencies like relying excessively on what the client says, and approach the audit with skepticism, even suspicion. According to SAS 99, the audit team has to discuss the potential for fraud from material misstatement in the financial statements, both before and while the information-gathering process in on. ‘Brainstorming’ was a new idea, and firms had to work out how best to implement it. The key is that brainstorming is mandatory, applied with the same due care as any other audit procedure.
This kind of engagement sets the tone for the audit, and sensitises people to look more closely at process implementation and compliance. When conducted with management and perhaps even the audit committee of the board, the implications are significant. No question is off limits: for example, “If you were the CFO, how would you embezzle funds and not get caught?”
Compare that to some complaints heard from Indian companies about the personnel that audit firms put on the job: a senior partner in the firm may be in charge of the audit, but many juniors are involved in actually vetting a sample of transactions and often work without on-ground guidance. They do not have the skills or knowledge set to detect fraud or assess fraud risk, especially when it comes to sophisticated fraud.
In the Nirav Modi-PNB case, it transpired that fraudulent activity had been going on for months, maybe even more than a year. Yet, despite warnings in successive Financial Stability Reports (FSRs) issued by the Reserve Bank of India (RBI), no one paid attention, including the auditors. Instead, they are now dealing with explaining the ‘expectation gap’, between what is expected of them and what they are actually capable of doing.
To be fair, SA 240 does lay our objectives for an audit as part of procedure. They are, as cited in the Handbook “(a) To identify and assess the risks of material misstatement in the financial statements due to fraud; (b) To obtain sufficient appropriate audit evidence about the assessed risks of material misstatement due to fraud, through designing and implementing appropriate responses; and (c) To respond appropriately to identified or suspected fraud.”
You could just as well substitute ‘error’ for ‘fraud’ to see that nothing really changes. So that leaves us with internal auditors who are not accountants but focus on compliance, and external and statutory auditors who cannot distinguish between fraud and error when defining the purpose of auditing. So, in the world of Indian auditing, welcome to the nineteenth century.
The writer is a senior columnist and former journalist. He tweets @shrisrinivas.
Your guide to the latest election news, analysis, commentary, live updates and schedule for Lok Sabha Elections 2019 on firstpost.com/elections. Follow us on Twitter and Instagram or like our Facebook page for updates from all 543 constituencies for the upcoming general elections.
Updated Date: Apr 10, 2018 15:49:04 IST