ASSESS THE ECOSYSTEM
The environment in which public company audits are conducted has changed drastically for several reasons, including increased business complexities, use of technology and intricate local and global regulations. However, the primary objective of an audit has remained the same over time, i.e., to provide stakeholders with a reasonable, though not absolute, assurance that the financial statements prepared by the management are fairly presented. The current audit framework continues to be based on the concept of a watchdog and not a bloodhound. However, the auditors’ responsibilities are continuously increasing and the expectation gap remains unaddressed in terms of the setting up or awareness of standards, and of a level of audit outcome that is understood by and acceptable to all concerned.
For creating trust, there is a need to educate the stakeholders, too. Some of the initiatives that may help bridge the gap include: (i) review of framework by the ICAI and mandatory inclusion of elements of technology and periodic forensic reviews, and auditors’ reporting thereon, (ii) disclosure of Audit Quality Indicators of an audit firm, (iii) a wider message that not every ‘business failure’ means that there was an ‘audit failure’, and (iv) an active platform between ICAI / auditors and various regulators to provide clarity in case of large-scale conflicts.
Enhanced role and accountability of audit committee
Capacity-building and encouraging creation of large audit firms
Centre of Excellence for Audit Quality
Use of tools and technology in audits
There are two essential components for adopting technology in the audit process, viz., a Smart Audit Platform and a Data Analytics Tool. A Smart Audit Platform contains (i) an audit workflow; (ii) an audit methodology, based on the regulatory framework; and (iii) a document management system. A Data Analytics Tool helps in moving away from limited sample testing to covering a larger population in many fields. Overall, this approach supports data extraction using scripts; smart analytics using the Tool; and exception reporting using visualisation techniques, which helps in assessing the existence / effectiveness of controls. To make it a success, we require a multi-disciplinary approach to invest in resources and related technology.
Auditor’s independence and conflict management
Certain reforms and a strong monitoring mechanism to implement them would help in enhancing governance. For example, the SEC requires every non-audit relationship with an audit client to be pre-approved by the audit committee. Further, instead of varying interpretations by stakeholders and regulators, clarity from the MCA on terms like Management Services would be appropriate. Any ambiguities in this area may be clarified by the ICAI through the Code of Ethics and Networking Guidelines. Certain regulators globally (such as the PCAOB and the SEC in the USA) have a process of regular interaction with the auditors / corporates. They provide an opportunity to the auditors and corporates to objectively consult and provide guidance / solutions in case of issues of independence and professional conflicts. This consultative process is not only efficient and objective, but also creates an atmosphere of trust between the auditors and the regulators. It would be fruitful to have a similar arrangement here, instead of creating conflicting interpretations and prolonged legal resolution.
Strengthening whistle-blower mechanism
Increasing the role, responsibility, independence and accountability of internal auditors
An internal audit function provides much-needed assurance on the effectiveness and reliability of internal controls and governance in any company. The internal audit team is uniquely positioned to provide early warning signals of impending failures. The recent reinstatement in CARO requiring an auditor to evaluate the internal audit system of a company is a step in the right direction. Audit committees should be responsible for ensuring that the function is robust, independent and adequately resourced, with the scope of the work sufficient to provide the desired level of assurance. Internal auditors’ scope should move away from a transactional approach to substantive matters like design and operating effectiveness of critical controls.
DEEP DIVE IN CRITICAL AREAS
Accountability and extent of reliance placed on others and management representations
While discharging their duties, auditors must critically evaluate the extent of reliance they intend to place on various elements, e.g., Regulatory Oversight (such as inspections carried out by Banking or Market Regulators), Specialists (such as Valuation or Information Technology Experts), Joint and Component auditors, Credit Rating agencies and Internal Auditors. Auditors are obligated to assess and critically evaluate such evidence before placing reliance on them.
Further, while a written representation from the management may provide audit evidence, it may not be ‘sufficient appropriate audit evidence’ on its own. Unwillingness to provide underlying evidence, replaced by a management representation, may be treated as a red flag and auditors would need to exercise scepticism in such cases. Accordingly, auditors must evaluate a management representation critically and obtain sufficient and appropriate underlying evidence. While ICAI’s existing guidance deals with the matter, ICAI may consider issuing case studies to clarify situations and showcase that accepting a management representation is not an alternative to appropriate audit procedures.
Related party transactions
It is the responsibility of a company’s management to identify and ensure an appropriate mechanism for related party transactions. However, this has been a matter of concern and governance in many ways. There are enhanced reporting requirements in the recently amended CARO also, which support an objective and deeper evaluation of related party transactions.
In this context, there have been instances of (i) incorrect / incomplete identification of related parties, (ii) lack of economic substance in related party transactions, and (iii) consequent inadequate or lopsided disclosures. Irrespective of these anomalies, such transactions may meet the regulatory and disclosure requirements.
Audit committees and auditors are well equipped to address the root cause. For example, (i) auditors have an obligation to exercise a high degree of scepticism and challenge the management on the economic substance of a related party transaction; (ii) auditors of a component in a group must have visibility of transactions with the group companies; (iii) the audit committees should affirmatively confirm to the Board on identification and adequate evaluation of such transactions; and (iv) related party transactions should mandatorily be included in the scope covered by internal auditors’ review.
Going concern
The appropriateness of the going concern assumption in any audit is a fundamental principle. This forms the foundation for any stakeholder to place reliance on a company before making any decisions. There is a responsibility on a company’s management to assess its position and on the auditors to challenge and obtain appropriate evidence to support the same. There have been instances where the auditors failed to assess and report such situations and companies failed soon thereafter. This may be attributable to several reasons, including lack of transparency, or inadequate skills to assess. Specific situations like Covid-19 continue to pose additional challenges, creating responsibility on the auditors to maintain an appropriate level of scepticism.
There are certain measures that may help address these concerns, e.g., (i) auditors are supposed to challenge management assumptions of future projections, to avoid fatal errors and consequent sudden downfall of a company; (ii) in case auditors do not have expertise to validate future assumptions, sector experts, as specialists in audit process, must be involved to address the issue; and (iii) the composition and skills of independent directors and the audit committee should enable them to understand the business and challenge management.
All this would involve a cost and skill-set worth investing in.
Third party complaints / whistle-blow mechanism
While the prime responsibility of addressing whistle-blower complaints lies with the management, for auditors such complaints may lead to additional information, critical to assess any assertion in the financial statement audit. Even if such complaints are anonymous, it would not be wise for an auditor to ignore them without reaching a logical conclusion. The recent amendment in CARO, requiring an auditor to consider whistle-blower complaints, is a step in the right direction.
Documentation of audit evidence
While appropriate audit diligence is essential, an auditor’s work cannot be demonstrated without adequate documentation of evidence. Each audit essentially requires a logical sequence of work papers, demonstrating the work carried out at each stage of an audit. These may primarily include audit eligibility / independence requirements, acceptance of audit engagement, adequacy of planning and timing of proposed audit steps, team composition and appropriate delegation of work according to skills, control and substantive testing procedures to obtain sufficient / appropriate evidence, evaluation of work of any experts or component auditors involved, legal consultations, recording of audit observations and their resolutions, communications with those charged with governance, minutes of meetings with management, engagement with quality control review steps, supervisory controls including accountability and review of work done, management confirmations / representations and final opinion.
The framework clearly recognises that ‘if the work has not been documented, it has not been done’. At the same time, excessive expectation, focusing merely on audit documentation, could have an adverse effect where auditors may focus more on gathering documentary evidence than exercising professional scepticism given the limited time available. A balanced approach in this regard is necessary.
ENABLERS, CONDUCIVE ENVIRONMENT AND ROLE OF REGULATORS
There have been significant efforts by the Government in the past few years to assess the adequacy of the current Regulatory Framework and clarify overlaps or areas of needed coordination among the regulators. A few such examples are (i) Recommendation by the MCA’s Committee of Experts, pursuant to the Supreme Court’s order; (ii) Consultation Paper by the MCA to look at critical areas relating to auditors and auditor independence; and (iii) Formation of the National Financial Reporting Authority (NFRA) as a new audit regulator. These activities demonstrate much-needed regulatory attention. There is a need to implement some of the recommended measures that have long been awaited.
In substance, a few initiatives will help establish trust between the regulators and the auditors, e.g., (i) a balanced approach towards time-bound penal action proportionate to the offence and / or negotiated settlements so that deterrence may be accomplished with minimal disruption; (ii) coordination amongst various regulators governing the auditors to provide uniform guidance and to avoid multiplicity and overlap; (iii) implementation of well-deliberated recommendations of committees formed in the past; and (iv) time-bound clarity and guidance on matters of interpretation or conflicts.
While there are no alternatives to the professional scepticism and diligence of an auditor to ensure audit quality, an overall ecosystem and a constructive role of the regulators are essential enablers in that direction.
(The views expressed here are the personal views of the author)