Overview The businesses in the today’s world have grown far bigger and complex. Who knew that a company will run the biggest taxi aggregation business without owning a single car and an e-commerce company will become the biggest retail marketplace without having any inventory or a warehouse. No one ever imagined that just with a click on the mobile phone one can do online shopping. Just when people started realizing the benefits of using plastic cards, cutting edge technology that replaced the need to carry the wades of paper currency, online wallets on the mobile phones came into vogue providing far more convenience to users for carrying out commercial transactions. With the new complexities in the businesses and to cover the monetary risks exposing the stakeholders the regulators across the globe have become stricter in terms of ensuring there is proper monitoring mechanisms and the interest of all is protected.
Stakeholders are using different kinds of audits to provide assurance to the capital markets, Board of Directors and also proactively prevent frauds.
The Companies Act, 2013 (“the Act”) has introduced certain path breaking concepts, such as mandatory auditor rotation, restriction on non-audit services etc. Under the Act every company needs to get its accounts audited by a statutory auditor meeting the qualifications prescribed thereunder, certain classes of companies need to get its internal audit carried out by a chartered / cost accountant. The Act has also introduced a requirement for the auditor to report on frauds noticed during the year to the Central Government. This points towards increasing focus and scrutiny over the operations and processes of the company requiring various types of audits being conducted, such as statutory audit, internal audit, forensic audit, etc. among other things. It is therefore important to understand the differences between these audits. These differ substantially in terms of its scope, legal requirements, status of the auditor, reporting, etc. In the ensuing sections we will try to cover the expectations of the stakeholders from these different types of audits in brief and understand the critical differences in their approaches and functioning.
Statutory Audit
Statutory audit is mandated by the Act under Section 143 and it requires that the books of account of the company, be audited by a chartered accountant who is a member of the Institute of Chartered Accountants of India (‘ICAI’). The appointment of statutory auditor is through a process whereby the appointment is proposed by the Board of Directors / Audit Committee and is approved by the Shareholders in the AGM.
The standards on auditing (‘SA’) issued by the ICAI states that the objective of audit is to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error, thereby enabling the auditor to express an opinion on whether the financial statements are prepared, in all material respects, in accordance with an applicable financial reporting framework.
The qualifications and disqualifications of the statutory auditor are specified under the Act. This covers, among other things, restriction on providing certain nonaudit services that could impair the statutory auditor’s independence, e.g. providing accounting services or internal audit services.
Generally the team of professionals carrying out the statutory audit comprises of chartered accountants who may be further assisted by tax specialists, IT specialists, etc. These specialists work under direct supervision of the statutory auditor who reviews the work performed by the specialists and takes responsibility for such work.
With the increasing complexity of the business operations and use of technology, the statutory auditors have also started rising up to the occasion by using technology in auditing, however, presently use of such technology is limited to:
– Sampling methodology
– Audit work flows
– CAATs
– Other analytical tools
The statutory auditor draws his powers from the statute that requires the company to provide access to the statutory auditor of company’s books of account, records and other information that is considered to be necessary for performing his duties.
From above it is clear that statutory audit entails examination of the books of account and records maintained by an entity so as to enable the auditor to satisfy himself that the financial statements are drawn as per the applicable reporting frame work and present a true and fair view of the financial state of affairs of the entity and profit or loss and cash flows for the period. The reporting format is as provided in the Standards on Auditing issued by the ICAI (now deemed to be prescribed by the Act) which is in the form of an expression of “an opinion” on the financial statements.
The primary objective of the statutory audit is to form an independent opinion on the financial statements and ensure that the financial statements confirm to the accounting framework prescribed under the relevant statute.
In summary the key features of statutory auditor comprise:
appointment by shareholders
auditor’s powers, qualifications, remuneration, responsibilities enshrined in the statute
communicates with the audit committee / board of directors
opines on the financial statements and the internal financial controls
opinion is made public
independent of the company which is being audited
report format prescribed by the ICAI
subject to class action suit
Internal Audit
The Act has prescribed internal audit for certain classes of companies which include all listed companies, unlisted public companies and private limited companies meeting the prescribed criteria. The internal auditor is appointed by the management, in consultation with the Board of Directors / Audit Committee. The ICAI has laid down Standards on Internal Auditing (SIA) for governing the audits carried out by chartered accountants in India. The Act also permits internal audit to be carried out by a cost accountant or such other professional as may be decided by the Board of Directors.
The Act has not defined any scope for the internal audit function. It is therefore driven more by the company’s / management’s requirements and can be very broad and may include any matter that affects the organizational objectives. Generally, there is a wide spectrum of areas as enlisted below covered through internal audit.
Risk management policies and procedures
Effectiveness, efficiency, and economy of operations and process
Internal controls and financial reporting
Routine operational activities
Analysis of financial and non-financial information
Audit of a particular areas of operations / financial reporting, e.g. factory assets, consumption process, cycle inventory counts, payroll system, payments of statutory dues, etc.
Audit of processes of the company over its procurements, sales, fixed assets and other records to report and financial statements close processes
Audit of compliance with factory laws, labour laws and other applicable laws, rules and regulations
Audit of IT systems Compared to statutory audit approach, use of technology in performing internal audit is more prevalent and includes but is not limited to:
– Sampling methodology
– Data analytics
– IT systems
– CAATs
– Other developed tools for business intelligence
The team performing internal audit can include chartered accountants, cost accountants, MBAs, Engineers or any commerce graduate. Members of the internal audit team can be employees of the company or external professional firm. The internal auditor, being appointed by the management and pursuance to the terms of reference of their engagement is governed by the internal policies of each company.
Hence the objective of internal audit extends more towards process improvements, identifying efficiencies and finding revenue leakages, etc. in operations rather than forming an opinion on the financial information. There is no specific format in which the internal auditor is required to report and the format generally varies – from issuing management letter comments, power point presentations to detailed textual report in the form of Agreed Upon Procedures (AUP) report. Unlike statutory audit, the report is not made available to the public.
In summary, the key features of internal audit are:
it is an appointment made by the audit committee / management
it is an “internal assurance function”
the report is for internal consumption
key focus is to ensure that operations of the company are carried out in an efficient manner
also ensure that operations of the company are carried out in accordance with the policies and procedures of the company
Forensic Audit
This audit is discretionary and is not governed under any statute. It is basically an investigative exercise. If the management or any stakeholder has any suspicion about the embezzlement or misappropriation of funds or other fraudulent activities occurring in the organization, a need for detailed investigation to confirm or dispense off such suspicion may be required and a forensic audit is undertaken.
Forensic engagements generally falls into several categories e.g.
Criminal offenses
Investigating fraudulent expense claims
Anti-Money Laundering,
Insurance claim damages;
Fraud relating to taxes;
Fraud relating to issuance / dealings in securities and other marketable instruments;
Disputes on pricing, covenants, warranties and representations, etc. in business combinations;
Dissolution, insolvency, bankruptcy and reconstruction;
Computer forensics.
Techniques such as data analytics through electronic data collation and mining with an objective to identify, reconstruct or confirm a financial fraud are widely used by the forensic auditors. The main steps involved in such forensic analytics are:
(a) collection of data that is required to be analysed,
(b) reconstructing and reorganizing data in a manner conducive to perform analytics,
(c) performing data analytics and exploratory techniques, and
(d) reporting the findings.
For example, exploration and analytical technique could effectively be applied in reviewing a procurement manager’s activity to assess whether there were any kickbacks taken. Another example is to perform analysis of the activities of sales team of a company to determine where the contracts were negotiated at a much lower price than the actual cost and resulting in loss to the company. The audit driven by high-end technology, and includes:
– Data analytics
– IT systems
– E-Discoveries
– GPS tracking
– Surveillances
– Cyber securities
– Professional hacking
Forensic audit requires an understanding of the business economics, financial reporting systems, data analytics for detecting frauds, gathering of evidence and investigation, and litigations and other civil/ criminal procedures. This will necessitate the requirement of specialized skills within the team performing such audits and could include chartered accountants, certified fraud examiners, lawyers, IT professionals, ex-police personnel, ex–investigators, etc. Banks have recently started conducting forensic audits to trace the end use of the funds and try to nail the defaulting borrowers.
Findings of the forensic auditor takes shape similar to that discussed in case of internal audit, i.e. it could vary in form of power point presentation to a detailed textual AUP report. Like internal audit report, the forensic audit report is also not available to the public.
Conclusion
As businesses are growing and becoming more complex there is a heightened expectations – through the objective, approach and reporting – from the three forms of audit, viz. statutory audit, internal audit and forensic audit. The skills required to perform these audit also vary and risks associated are also very different. The stakeholders clearly need specialized services and based on the aptitude and risk appetite we should decide which audits one should specialize in.
