SCAM FALLOUT: AN Auditor is not bound to be a detective, or to approach his work with suspicion
When it comes to auditing, only after the horse has bolted, it feels that we hit the proverbial stable entrance. Like those that have arisen before it, the aftermath of the Nirav Modi-Punjab National Bank (PNB) scam has brought a great deal of recrimination regarding the weak governance practices in public sector banks (PSBs) and their indifferent implementation of technology.
When it comes to auditing, only after the horse has bolted, it feels that we hit the proverbial stable entrance. Like those that have arisen before it, the aftermath of the Nirav Modi-Punjab National Bank (PNB) scam has brought a great deal of recrimination regarding the weak governance practices in public sector banks (PSBs) and their indifferent implementation of technology.
Oddly, however, the auditors' liability for not finding a scam that had been going on for many months has not been challenged. Through its through-house inquiry, PNB released the auditors of all blame and accepted that there were "... many inconsistencies in LoUs that should have been readily found through ordinary due diligence." If that was valid, shouldn't that have been noticed by the auditors too?
Auditor responsibility for fraud identification remains a hotly contested issue; external or statutory audit firms appear to reiterate that their organization is not investigating, but in financial statements examining fraud. In other words, it is their duty to search for financial errors or wealth misappropriation. On the other hand, internal auditors are liable for compliance with business policies and procedures, and the avoidance of fraud.
So, let's get those figures to look at. The US-based Association of Accredited Fraud Examiners (ACFE) said in its 2012 Study to the Nations on Workplace Fraud and Harassment that firms lose up to five percent of their profits by fraud. 94 countries, including India, were covered by the AFCE survey.
Adjusted for Gross World Product, or all nations' combined GDP, that amounts to a staggering $3.5 trillion. Apply the calculation to India, and Rs 6.5 lakh crore a year works out to the sum of possible fraud! Is there an extraordinary volume out there of undetected fraud?
Another question arises: Will the auditing profession really hide under a grass skirt because of the size of stressed assets through PSBs? There is both anecdotal and other data that show that the Indian Institute of Chartered Accountants (ICAI) needs that take a close look at the nature and execution of its auditing requirements.
The ICAI publishes the accounting guidelines (SA), which you can find on their webpage, which properly updates those guidelines. The chapter in the Handbook of Auditing Pronouncements entitled 'Responsibilities of the auditor relating to misconduct in an audit of financial records' is SA 240, the one applicable to misconduct.
In the beginning, it describes the primary duty of fraud prevention and identification as that of those responsible for corporate governance (presumably the board of directors) and management. On the other hand, an auditor is liable for obtaining fair assurance that the accounting statements taken as a whole, whether caused by fraud or accident, are free from material errors.
Let's take it a bit forward now. ‘The risk of not detecting a material misstatement resulting from fraud is higher than the risk of not detecting one resulting from error’ is mentioned in the next paragraph. The distinction between fraud and mistake is that of intent; deciding it, of course, is not the duty of the auditor. They call it clearly an 'inherent constraint.'
This 'passive philosophy' of auditor transparency for the detection of wrongdoing dates back to the ruling of Lord Justice Lopes in the UK:' An auditor is not obliged to be an investigator, or... to treat his job with skepticism, or with a forgotten conclusion that something is wrong. He is a watchdog, not a bloodhound.' Except that his argument was made by Justice Lopes in 1896; we are now in the 21st century.
Elsewhere, the United States has its fair share of financial fraud: Enron and WorldComm come to mind as two of the most sensational incidents that destroyed the lives of workers and investors; Enron workers have their pension plans (or pensions) deposited in their company's shares and spent their life savings.
But from previous failures, they have learned. In 2003, the Recommendation on Auditing Standards: Consideration of Misconduct in a Financial Statement Audit was adopted by SAS 99. It needs auditors to transcend tendencies such as focusing heavily on what the customer says, and skeptically, even suspiciously, approach the audit. According to SAS 99, both before and when the information-gathering process is on, the audit committee must address the risk for deception from material errors in the financial statements. A new concept was 'brainstorming' and businesses had to figure out how best to execute it. The key is that brainstorming, applied with the same due diligence as any other audit technique, is compulsory.
This kind of effort sets the tone for the audit and sensitizes individuals to look more carefully at the execution and enforcement of procedures. The consequences are important when undertaken with executives and maybe even the board's audit committee.
"No problem is off-limits:" If you were the CFO, for instance, how would you embezzle funds and not get caught?
Compare that to some concerns received from Indian businesses about the workers that audit companies bring on the job: the audit can be carried out by a senior partner in the company, but often juniors are actually engaged in vetting a sample of transactions and frequently work without on-site supervision. They do not have the expertise or expertise to identify fraud or determine the risk of fraud, especially when it comes to advanced fraud.
In the Nirav Modi-PNB case, it turned out that for months, maybe even more than a year, fraudulent activities had been going on. Yet, despite notices given by the Reserve Bank of India (RBI) in successive Financial Stability Reports (FSRs), no one, even the auditors, paid heed. Instead, they are now faced with the 'expectation difference' being clarified between what is expected of them and what they should really achieve. CA Manish Kaushik
To be honest, as part of the protocol, SA 240 sets out our audit priorities. As alluded to in the Handbook, they shall: (a) define and evaluate the risks of material misrepresentation due to fraud in the financial statements; (b) collect satisfactory audit information on the measured risks of material misrepresentation due to fraud by planning and executing effective responses; and (c) respond accordingly to reported or alleged fraud. (M Kaushik and co)
To see if its else changes, you might just as well substitute 'error' for 'fraud'. So that leaves us with internal auditors who are not accountants who focus on compliance, and foreign and statutory auditors who, while determining the purpose of auditing, do not differentiate between fraud and error. So, welcome to the nineteenth century in the field of Indian auditing.