Subscribe to the Bombay Chartered Accountant Journal Subscribe Now!

August 2019

DE-LAYERING RELATED PARTY TRANSACTIONS THROUGH INTERNAL AUDIT

By Ashutosh Pednekar
Chartered Accountant
Reading Time 13 mins

Virtually every
business has transactions with related parties. They are a business necessity.
Businesses have related entities and they transact in a regular and routine
manner. These could be genuine transactions executed in the same manner as any
other transaction with a non-related party. However, of late the phrase Related
Party Transaction (RPT) has taken on a kind of negative connotation. Is it
justified? Perhaps not. Is it true? Perhaps not. Is it due to a few events –
real as well as alleged – where the blame for a business failure / business
loss is placed on related party transaction/s? Perhaps.

 

Firstly, it is not
correct to paint all RPTs with the same brush. Further, to ensure that an RPT
is genuine and fulfils business needs, laws and regulations are already in
place. The Companies Act requires approval of RPTs by the Board of Directors
and confirmation that they are at arm’s length. Similarly, SEBI (Listing
Obligations and Disclosure Requirements) Regulations prescribe a comprehensive
mechanism for the manner of dealing with related party transactions, from
approval to monitoring. The Income-tax Act requires a justification of the
transaction to ensure that there is no disallowance while computing taxable
income, as well as to ensure that there is no adjustment in a transfer pricing
assessment. Accounting standards – both Indian and international – necessitate
disclosures of RPTs. All in all, there are sufficient checks and balances in
various regulations that businesses have to adhere to vis-à-vis RPTs.

 

A scrutiny
mechanism is in place to achieve / assess compliance with the requirements.
This scrutiny takes place at various levels and in diverse manners. Each
scrutiniser’s objective is different and that impacts the manner and detailing
of scrutiny. The various genres of scrutinisers and their objectives can be
summarised as under:

 

Management – they have primary responsibility to assert that the RPT is
necessary, genuine, at arm’s length pricing and at par with any other business
transaction. They are also responsible for seeking the required approvals, from
the Board of Directors / Audit Committee of the Board, as the case may be,
before entering into RPTs;

Board of
Directors
– assertions of internal control over
financial reporting and adequacy of internal financial controls rests finally
with the Board of Directors. Apart from according approvals to
management-recommended RPTs, the Board also has governance responsibility to
ensure the adequacy of IFC and ICFR. As part of this responsibility, the Board
scrutinises the RPTs before blessing them;

Statutory
Auditor
– true and fair opinion is the deliverable
of the statutory auditor. In arriving at this opinion, he / she needs to
scrutinise the RPTs, ensuring due authorisations are in place. He / she also
signs off the proper disclosures in tandem with accounting and other reporting
standards;

Tax authorities – they scrutinise with the intention of determining whether any
adjustment is required while computing taxable income or determining adjustment
for transfer pricing. The focus of such a scrutiny is pricing and not so much
the due authorisation of the RPT;

Other regulators – this scrutiny includes the process of approvals and disclosures;

Shareholders – a body that has in the recent years heightened its scrutiny by
ensuring the appropriateness of the RPT as well as its pricing. There have been
occasions where Board-approved RPTs have been scrutinised and inquired into by
shareholders.

 

What about scrutiny
by internal auditors? Does the internal audit fraternity consider RPT as a
major element to be audited? There are varied experiences across industries and
sectors. For RPTs to be covered by internal audit, it would be appropriate to
consider the following factors:

 

Is it part of the
internal audit charter or policy document? Many large and mature organisations
have a formal IA Charter / Policy. We need to determine whether such a document
has a reference to auditing RPTs;

 

Does the management
have a desire of including RPTs within the ambit of internal audit? It may so
happen that managements themselves identify RPTs to be an element to be
audited;

Whether the
internal auditor has determined RPTs to be a significant business component or
/ and a significant control parameter? In both these situations the internal
auditor will need to discuss with the management and convince them of the need
of auditing RPTs;

 

Lastly, the view of
the Audit Committee of the Board (ACB) is also to be considered. They may
desire all or certain RPTs to be covered by internal audit. They may desire
that the process of RPTs be audited because under governance norms, the buck
stops at the ACB.

 

Based on the
outcome of the above processes, it is advisable for the internal auditor to
perform a risk assessment of the processes around the RPT. On such an
assessment the audit universe for the RPTs can be determined and agreed upon
with the auditee management.

 

THE AUDIT PROCESS

First, one needs to start with identifying related parties and examining
transactions with them. Usual source points will be the entity’s mechanism of
identifying the related parties. Are the declarations of Directors sufficient?
Or does the internal auditor need to prod beyond them? In my view, the
internal auditor will need to do an assessment of the governance process of the
company and then arrive at his / her own conclusion on the robustness and
adequacy of the same.
If reliance can be placed on the governance process
it would be easy for the internal auditor to depend on the process of
identifying the related parties. The internal auditor could also look at the
various declarations that the company would have filed with, say, MCA or with
tax authorities (for transfer pricing or GST), as also declarations made to
customs authorities during cross-border transactions. Another important source
of information would be the one submitted to bankers and lenders on who are the
related parties. The internal auditor can inquire about the group structure of
the entity, both at its parent / holding company level, as well as the
subsidiaries (including step-down subsidiaries), associates and joint ventures,
both in India and overseas.

 

A major risk of
audit is not identifying all the related parties and, on the basis of the above
information, the internal auditor needs to determine whether reliance can be
placed upon the information furnished. In case the auditor determines that
complete reliance is not possible, he / she will need to scrutinise further.
There will be a need to scrutinise the ledgers of the entity and identify the
possibility of the entity missing out on identifying a related party. The
auditor’s eyes and ears should be open to spotting whether there are entities
who would qualify as related parties – entities with similar sounding names or
pattern of names, entities structured as trusts, overseas entities, and so on.
This scrutiny will also give comfort to the internal auditor on the
completeness of the identification of the related parties and the transactions
with them. Needless to say, in today’s terminology the word scrutiny is
substituted by data mining. With the ERP systems deployed across organisations
and the tools available to internal auditors, data mining, if done correctly,
throws up significant information.

 

The second
part of the audit process involves the pricing of the RPT. And pricing is the
culmination of a business process that involves recommendation and approval by
the persons who have the authority to do so. As an internal auditor the focus
will be on the mechanism of the company to ensure that the transaction is
priced appropriately. The following sources of information and inquiry will
help the audit process:

 

Does the entity
have a pricing policy for RPTs?

Is it clear and
unambiguous?

Is it applied
uniformly and consistently?

Does the policy
permit deviations? If so, how are the deviations authorised?

 

Assess the number
of instances of deviations – how many, for which related party, for any product
or service? Data mining on the deviations will certainly throw out signals for
the internal auditor to follow and assess the genuineness of the same;

 

Business groups,
and multi-national groups in particular, usually have a group pricing policy.
This policy lays down the criteria of how a product or service is priced. This
policy can also have differentiating factors based on geographies or even on
product offerings;

 

The views taken by
tax authorities are another important source of information. Though such views
may be taken with a completely different objective, but they definitely give a
perspective from an internal audit point of view;

 

Consider the nature
of the transactions. Are they within ordinary course of business, or are they
not in the ordinary course of business? Depending upon this, there would be
different processes followed by the company which the auditor needs to be aware
of. A transaction within the ordinary course will have a different approval
process or would be carried with omnibus approvals of the Audit Committee or
the Board. A transaction not within the ordinary course would require a
specific approval. These processes would be defined in the various policy
documents or would be indicative of the practices followed. It may be noted
that for transactions not in the ordinary course of business, the auditor would
need to examine whether the processes followed remain consistent or not. Any
inconsistency in processes also needs to be examined further.

 

All these sources
of information, when properly applied, will give reasonable comfort to the
auditors on the appropriateness of the pricing of the RPT.

 

The most important
part of the audit process is the deployment of professional scepticism
by the internal auditor. In fact, this needs to be deployed by the auditor all
through the audit process. This will help the internal auditor to de-layer the
RPTs and determine their genuineness or otherwise, as well as their
appropriateness or otherwise. Businesses enter into RPTs consistently and
across financial years. Transactions with some related parties are more
frequent than with others. They could also be more voluminous than others. In
such an environment, the auditor will need to dig deeper into his skills,
remain sceptical and inquire into the various decision-making processes of the
auditee vis-à-vis related party transactions. Such inquiries with various
levels of management, corroborated by further supporting evidence, will help
the auditor opine on the appropriateness of the RPTs.

 

With so much glare
on the rightfulness or perceived wrongfulness of RPTs, internal auditors need
to walk that extra mile and de-layer RPTs to come to a proper opinion on their
reasonableness. The following checklist is just a pointer on how to handle this
de-layering and may not be considered as exhaustive:

 

CHECKLIST FOR HANDLING DE-LAYERING OF RPTS

 

Sr.
No.

Particulars

Basic points

1

Internal approval
by

2

Nature of
transaction

3

Whether the same is
in ordinary course of business? Basis for deciding ordinary course of
business:

MOA, AOA for nature
of transactions

Frequency of such
transactions entered

4

Whether transacted
on an arm’s length basis

Agreement specific

5

Tenure of agreement

6

Whether the Related
Party Transaction would affect the independence of an independent Director?

7

Rationale for
entering into the RPT

8

Is there any
non-monetary consideration given?

9

Terms of payment

10

Any other expenses

11

Interest

Points related to
arm’s length pricing

12

Documenting the
arm’s length price

13

Whether the same
pricing is used as that for other vendors?

14

Whether the terms
of the RPT are fair and on arm’s length basis to the company and would apply
on the same basis if the transaction did not involve a related party? (such
as advance payment / received, pricing, supply and other terms)

15

Has a vendor / customer
rating been done for the related party like it is done for any non-related
party, and if so, how well do they compare?

16

Is this activity
with related party needed for the company to generate revenue or achieve its
purpose or objective?

17

How are the above
terms different for a related party from a transaction entered into with a
non-related party?

18

How is the pricing
arrived at? Are there any terms which are not mentioned in the contract for
arriving at price?

Company specific

19

Relation with
related party

20

Commencement of
business with related party

21

Other services
provided by / to same related party (estimated)

22

Whether the service
is provided on a regular basis or non-regular?

23

Whether the same
service is provided by vendor on sole basis or with other vendors (may be
related or not)?

24

Whether this
activity is very uniform when it happens?

25

How far is the
financial scale of this activity compared to the relevant common denominator?
(the denominator being total sales if selling to a related party, or total
purchase if buying from a related party, or total financial expenses if
paying interest on loans to a related entity

26

Secured / unsecured

27

Whether the price
charged / paid by the company can be considered at arm’s length pricing?

 

REPORTING

The internal auditor will need to report his / her opinion
on the appropriateness of RPTs and the adequacy of compliance with laws,
regulations as well as internal policies and procedures. On the basis of the
above audit processes, the internal auditor will need to indicate in the report
at a minimum the following:

 

Existence of due
approvals for the RPT;

Reasonability of
arm’s length pricing;

Execution of the
transaction in accordance with the approvals and the pricing; and

Deviations and
exceptions, if any.

Of course, all
other principles of reporting – materiality, brevity and preciseness – remain
fundamental.

 

Based on the scope
and objective of the internal audit, a report on RPT could be a distinct audit
area or it could be bundled into another audit area, e.g. if one is auditing a
P2P process all the above facets around an RPT can be examined; similarly for
any other area under audit.

CONCLUSION

In my view one of the key result areas of the internal
audit function is that when placing reliance on its reports, the top management
derives comfort on the existence of controls. It has been the experience that
comfort of existence of controls enables the Board and top management to take
appropriate risk-driven business decisions. Auditing RPTs fulfils a significant
management control function. It is time that the management (Audit Committee /
Board) extends the internal audit scope to specifically cover the audit of the
process of identification of related parties, fair pricing of RPTs, their
approval and full and fair disclosures and reporting. Inclusion of this area in
Internal Audit scope is necessary to empower the Internal Auditors to gain
access, ask relevant questions and undertake a deep-dive to ensure that the
process adopted is adequate and that the organisation is complying with the
regulations relating to related parties, not just in form, but also in spirit.

The BCAJ will
carry a sequel to this article where practical examples based on Internal Audit
of Related Party Transactions will be covered
.  

 

 

You May Also Like