AUDIT: BUILDING PUBLIC TRUST

The spotlight has been sharply focused in the recent past on corporate failures and consequential loss of public trust. Various regulators and authorities, such as the Ministry of Corporate Affairs, the National Financial Reporting Authority, the Reserve Bank of India, SEBI’s Committee on Corporate Governance and Committees of the Institute of Chartered Accountants of India, have advised several measures with a clear focus on enhancing audit quality and improving the standards of corporate governance. In that context, this article traces various enablers relevant to audit quality.

ASSESS THE ECOSYSTEM

It is important to articulate what stakeholders should legitimately expect from the audit profession. This should be translated into an appropriate audit framework: should auditors merely opine in a limited manner on management’s financial statements, or should they go further and, if so, how far and which way? This will allow a course to be charted where the audit profession becomes a part of the national solution. It can contribute to fixing, maintaining and raising the standards of audit quality, as necessary, rather than being stigmatised as ‘guilty until proven innocent’.

The environment in which public company audits are conducted has changed drastically for several reasons, including increased business complexities, use of technology and intricate local and global regulations. However, the primary objective of an audit has remained the same over time, i.e., to provide stakeholders with a reasonable, though not absolute, assurance that the financial statements prepared by the management are fairly presented. The current audit framework continues to be based on the concept of watchdog and not bloodhound. However, the auditors’ responsibilities are continuously increasing and the expectation gap continues to remain unaddressed in terms of setting up or awareness of standards, and a level of audit outcome that is understood and acceptable to all concerned.

For creating trust, there is a need to educate the stakeholders, too. Some of the initiatives that may help bridge the gap include: (i) review of framework by the ICAI and mandatory inclusion of elements of technology and periodic forensic reviews, and auditors’ reporting thereon, (ii) disclosure of Audit Quality Indicators of an audit firm, (iii) a wider message that not every ‘business failure’ means that there was an ‘audit failure’, and (iv) an active platform between ICAI / auditors and various regulators to provide clarity in case of large-scale conflicts.

Enhanced role and accountability of audit committee

An audit committee, as a representative of the wider group of stakeholders, and not the management, is the client of the auditor. The audit committee should lead discussions around capability evaluation and, accordingly, decide on the appointment of auditors. In order to ensure transparency, disclosures to stakeholders may include detailed criteria for evaluation, selection and competitive analysis. The audit committee should monitor the auditor’s performance to ensure that auditors maintain professional scepticism, challenge management and deliver high quality audits. The audit committee should affirmatively confirm to the board periodically that the audit is adequately resourced, independent to undertake a quality audit, with commensurate fees.

Capacity-building and encouraging creation of large audit firms

There is a strong need to develop a forward-looking approach towards the growth of the audit profession in India. There is a need for larger and consolidated audit firms, with adequate skills, capacity, size and reach to deal with large corporations and conglomerates. The current capacity of audit firms in India is fragmented, with individual practitioners making the bulk and a minuscule number of large firms. It is important to encourage consolidation of the existing landscape of small and medium-sized firms. The current business / economic scenario and rapidly evolving technology in the country demand multiple skillsets for any business or regulatory propositions. Audit is not restricted to simple accounting and certainly needs support from specialised professionals skilled in the fields of law, taxation, information technology, forensics, cyber security and secretarial services. Given the environment, there is a strong need to encourage networking and consolidation. Multi-disciplinary firms, as already acknowledged by the Companies Act, 2013, will contribute immensely in this direction. Clarity of networking regulations for chartered accountants, including with overseas accounting firms, would also help in achieving this objective.

Centre of Excellence for Audit Quality

The creation of a Centre of Excellence for Audit Quality, with an objective to develop standards and parameters of audit quality, technology, tools, consistency of methodology and training to teach the highest levels of professional scepticism, would help in creating awareness and enhancing skills. The main objectives of the Centre could be to:

• encourage and support capacity-building

•  create opportunities to network and share best practices and views among firms

•  enhance audit quality through use of technology, especially to provide better insights to stakeholders

• knowledge dissemination to professionals on key matters

•  contribute to harness talent and build relevant skills

•  drive inclusive and balanced growth across the country

•  enhance excellence in the audit profession.

Use of tools and technology in audits

The situation created by Covid-19 has established that technology can play a crucial role in any audit. The audit profession needs to evolve and respond to similar challenges by upskilling and adopting technology / tools and artificial intelligence in the audit process. Data & Analytics may play a significant role in achieving a higher satisfaction level in audits. In the current situation, even virtual audits may be as effective as traditional techniques. No doubt one has to be cautious, as would be the case in any technology-driven process. This also requires a shift in mindset to adopt technology and facilitate the process through extensive training programmes for practitioners.

There are two essential components for adopting technology in the audit process, viz., a Smart Audit Platform and a Data Analytics Tool. A Smart Audit Platform contains (i) an audit workflow; (ii) audit methodology, based on the regulatory framework; and (iii) document management system. A Data Analytics Tool helps in moving away from a limited sample testing to covering a larger population in many fields. Overall, this approach supports data extraction using scripts; smart analytics using the Tool; and exception reporting using visualisation techniques which helps assessing the existence / effectiveness of controls. To make it a success, we require a multi-disciplinary approach to invest in resources and related technology.

Auditor’s independence and conflict management

It is always presumed that any large-scale audit failure is due to the lack of independence of the auditors. While this may be true in certain cases, there may be a strong perception in many others. The existing statutory restrictions, comparable with international standards, are well established in this area. The new Code of Ethics issued by the ICAI is aligned to the International Code of Ethics issued by the IESBA. These, along with self-regulated safeguards exercised by auditors, monitoring by audit committees and enhanced disclosures required by SEBI should generally suffice to ensure independence.

Certain reforms and a strong monitoring mechanism to implement them would help in enhancing governance. For example, SEC requires every non-audit relationship with an audit client to be pre-approved by the audit committee. Further, instead of varying interpretations by stakeholders and regulators, clarity from the MCA on terms like Management Services would be appropriate. Any ambiguities in this area may be clarified by the ICAI through the Code of Ethics and Networking Guidelines. Certain regulators globally (such as PCAOB and SEC in the USA) have a process of regular interaction with the auditors / corporates. They do provide an opportunity to the auditors and corporates to objectively consult and provide guidance / solutions in case of issues of independence and professional conflicts. This consultative process is not only efficient and objective, it also creates an atmosphere of trust between the auditors and the regulators. It would be fruitful to have a similar arrangement here, instead of creating conflicting interpretations and prolonged legal resolution.

Strengthening whistle-blower mechanism

A strong whistle-blower mechanism with strong legal protection goes a long way in keeping a check on potential unethical and corrupt practices. Several corporate frauds have been unearthed based on a good whistle-blower mechanism.

Increasing the role, responsibility, independence and accountability of internal auditors
An internal audit function provides much needed assurance on the effectiveness and reliability of internal controls and governance in any company. The internal audit team is uniquely positioned to provide early warning signals of impending failures. The recent reinstatement in CARO requiring an auditor to evaluate the internal audit system of a company is a step in the right direction. Audit committees should be responsible to ensure that the function is robust, independent and adequately resourced, with the scope of the work sufficient to provide the desired level of assurance. Internal auditors’ scope should move away from a transactional approach to substantive matters like design and operating effectiveness of critical controls.

DEEP DIVE IN CRITICAL AREAS

Recent experiences indicate certain critical aspects that require a deep dive and critical evaluation by the auditors. There is no alternative to the diligence and continuous scepticism of an auditor. An auditor is expected to consider and evaluate the economic substance of transactions while carrying out an audit.

Accountability and extent of reliance placed on others and management representations
While discharging their duties, auditors must critically evaluate the extent of reliance they intend to place on various elements, e.g., Regulatory Oversight (such as inspections carried out by Banking or Market Regulators), Specialists (such as Valuation or Information Technology Experts), Joint and Component auditors, Credit Rating agencies and Internal Auditors. Auditors are obligated to assess and critically evaluate such evidence before placing reliance on them.

Further, while a written representation from the management may provide audit evidence, it may not be ‘sufficient appropriate audit evidence’ on its own. Unwillingness to provide underlying evidence, replaced by a management representation, may be treated as a red flag and auditors would need to exercise scepticism in such cases. Accordingly, auditors must evaluate a management representation critically and obtain sufficient and appropriate underlying evidence. While ICAI’s existing guidance deals with the matter, ICAI may consider issuing case studies to clarify situations and showcase that accepting a management representation is not an alternative to appropriate audit procedures.

Related party transactions
It is the responsibility of a company’s management to identify and ensure an appropriate mechanism for related party transactions. However, this has been a matter of concern and governance in many ways. There are enhanced reporting requirements in the recently amended CARO also, which support an objective and deeper evaluation of related party transactions.

In this context, there have been instances of (i) incorrect / incomplete identification of related parties, (ii) lack of economic substance in related party transactions, and (iii) consequent inadequate or lopsided disclosures. Irrespective of these anomalies, such transactions may meet the regulatory and disclosure requirements.

Audit committees and auditors are well equipped to address the root cause. For example, (i) auditors have an obligation to exercise a high degree of scepticism and challenge the management on the economic substance of a related party transaction; (ii) auditors of a component in a group must have visibility of transactions with the group companies; (iii) the audit committees should affirmatively confirm to the Board on identification and adequate evaluation of such transactions; and (iv) related party transactions should mandatorily be included in the scope covered by internal auditors’ review.

Going concern
The appropriateness of going concern assumption in any audit is a fundamental principle. This forms the foundation for any stakeholder to place reliance on a company before making any decisions. There is a responsibility on a company’s management to assess its position and on the auditors to challenge and obtain appropriate evidence to support the same. There have been instances where the auditors failed to assess and report such situations and companies failed soon thereafter. This may be attributable to several reasons, including lack of transparency, or inadequate skills to assess. Specific situations like Covid-19 continue to pose additional challenges, creating responsibility on the auditors to maintain an appropriate level of scepticism.

There are certain measures that may help address these concerns, e.g., (i) auditors are supposed to challenge management assumptions of future projections, to avoid fatal errors and consequent sudden downfall of a company; (ii) in case auditors do not have expertise to validate future assumptions, sector experts, as specialists in audit process, must be involved to address the issue; and (iii) composition and skills of independent directors and the audit committee to understand the business and challenge management.

All this would involve a cost and skill-set worth investing in.

Third party complaints / whistle-blow mechanism
While the prime responsibility of addressing whistle-blower complaints is of the management, for auditors such complaints may lead to additional information, critical to assess any assertion in the financial statement audit. Even if such complaints are anonymous, it would not be wise for an auditor to ignore them without logical conclusions. The recent amendment in CARO, requiring an auditor to consider whistle-blow complaints, is a step in the right direction.

Documentation of audit evidence
While appropriate audit diligence is essential, an auditor’s work cannot be demonstrated without adequate documentation of evidence. Each audit essentially requires a logical sequence of work papers, demonstrating the work carried out at each stage of an audit. These may primarily include audit eligibility / independence requirements, acceptance of audit engagement, adequacy of planning and timing of proposed audit steps, team composition and appropriate delegation of work according to skills, control and substantive testing procedures to obtain sufficient / appropriate evidence, evaluation of work of any experts or component auditors involved, legal consultations, recording of audit observations and their resolutions, communications with those charged with governance, minutes of meetings with management, engagement with quality control review steps, supervisory controls including accountability and review of work done, management confirmations / representations and final opinion.

The framework clearly recognises that ‘if the work has not been documented, it has not been done’. At the same time, excessive expectation, focusing merely on audit documentation, could have an adverse effect where auditors may focus more on gathering documentary evidence than exercising professional scepticism given the limited time available. A balanced approach in this regard is necessary.

ENABLERS, CONDUCIVE ENVIRONMENT AND ROLE OF REGULATORS

A constructive role of a regulator, with the focus on remediation instead of disproportionate punishment and prolonged litigation, is important. The regulatory regime should provide greater confidence through effective policy measures. The recent move to decriminalise certain offences will help create the basis for consultation and a compromise and settlement approach. In a profession with scattered capacity, undertaking rapid investigation and constructive resolution, including commensurate punitive measures and remediation, will encourage audit quality. Certainly, there is a need to distinguish between criminality and professional negligence. In addition, clarity on the role, jurisdiction and multiplicity of regulators needs re-evaluation.

There have been significant efforts by the Government in the past few years to assess the adequacy of the current Regulatory Framework and clarify overlaps or areas of needed coordination among the regulators. A few such examples are (i) Recommendation by the MCA’s Committee of Experts, pursuant to the Supreme Court’s order; (ii) Consultation Paper by the MCA to look at critical areas relating to auditors and auditor independence; and (iii) Formation of the National Financial Reporting Authority (NFRA) as a new audit regulator. These activities demonstrate much-needed regulatory attention. There is a need to implement some of the measures recommended and that have been awaited since long.

In substance, a few initiatives will help establish trust between the regulators and the auditors, e.g., (i) a balanced approach towards time-bound penal action proportionate to the offence and / or negotiated settlements so that deterrence may be accomplished with minimal disruption; (ii) coordination amongst various regulators governing the auditors to provide uniform guidance and to avoid multiplicity and overlap; (iii) implementation of well-deliberated recommendations of committees formed in the past; and (iv) time-bound clarity and guidance on matters of interpretation or conflicts.

While there are no alternatives to the professional scepticism and diligence of an auditor to ensure audit quality, an overall ecosystem and a constructive role of the regulators are essential enablers in that direction.

(The views expressed here are the personal views of the author)