Preamble :
After the Enron debacle, auditing all over the world has come
under the scanner. The age-old saying that ‘an auditor is a watchdog and not a
blood hound’ is being re-examined, if not questioned. Legislation which seeks to
lay a greater emphasis on detection and reporting of fraud by auditors has been
introduced all over the globe. In this context, the article examines an
auditor’s duty as regards detection and reporting of fraud. It examines the
causative factors that led to Enron’s bankruptcy and some of the subsequent
legislation in India and ICAI’s pronouncements affecting an auditor’s duty and
responsibility towards the issue of fraud. For this purpose, the relevant
clauses in the Companies (Auditors Report) Order, 2003 (CARO), the Auditing and
Assurance Standard (AAS) 4, and certain observations made in a recent High Court
judgment in Maharashtra (Note 3) have been considered. To get an
international flavour, the article also examines the findings of the O’Malley
Report (Note 1) on audit effectiveness. To make this study more interesting, the
new enhanced role of the auditor is examined with the help of a case study.
Comparison of auditing scenarios before and after the turn of the
millennium :
In the last decade, two things have impacted the auditors’
role a great deal : (a) The rapidly evolving IT environment, and (b) the Enron
debacle in 2001. E-commerce and computerisation in all walks of life, for all
the conveniences offered, have made business practices and business models more
complex. New business models have sprung up as commerce transcends not only
distances, but also time zones, currencies, and countries. Data volumes are huge
and products with incredible technical specifications are introduced every other
day. Consequently, the audit scenarios in this rapidly changing IT environment
have become far more challenging. Amidst this, the Enron bankruptcy (as well as
the fall of several other corporate giants during the 2001-02 period), brought
the auditor’s role under the scanner. Panic buttons were pressed all over the
world and new legislation and statutory pronouncements enhancing the role of
auditors were announced. The Sarbanes-Oxley Act came into force in 2002 with
revolutionary reporting and disclosure requirements in audited accounts. For the
first time the CEO and CFO were obligatorily required to attest the financial
statements and also comment on existence of fraud. World over, questions were
raised about the performance of the auditors. Undoubtedly, the auditor’s role
was questioned. Auditing practices, and auditing standards were revisited to
make auditors address the issue of fraud, thereby emphasising the need for
greater audit effectiveness. In order to understand the auditor’s role from the
point of view of detection and reporting of fraud, it would be useful to conduct
a simple case study.
Case Study of a ‘Van Sales’ — business model :
Consider a business model applying the ‘Van Sales’ method of
selling Fast Moving Consumer Goods (FMCG). This model was conceived by a company
with a view to reach out to geographically far-flung untapped areas of potential
demand. The model required deployment of a fleet of multiple trailer vans
stacked with FMCGs like soaps, toothpastes, gels, creams, biscuits, etc. The van
crew would consist of a driver and a sales representative given a specific
route, (which could be hundreds of kilometres long in the country), to find
retailers, shops and other buying entities to sell the products. Both cash and
credit sales were permissible within policy norms. These sales operations were
monitored through palm-top computers and small portable printers provided to
salesmen in the vans. Each palm-top was linked to the main central server at the
head office. The salesmen made efforts to maximise their sales by approaching
retailers/shops and buying outlets spotted all along the route. The sales
deliveries, invoices and collection receipts were raised at the remote locations
by the salesmen using the palm-top computers and printers provided. The palm-top
sales system had well-designed controls built in to monitor credit limits, sales
returns, discounts, and promotion/festival/season offers. Each van would return
to the main warehouse to replenish its stocks and deposit the collections after
a tour was completed. In addition, all the vans were required to report, all
together, once in a year at one central place to facilitate stock verification,
which was carried out by the management. In such a business model, how does the
auditor perceive his role and what kind of audit procedures does he apply ?
Conventionally, an auditor would apply the following
procedures :
(a) Review and vouchsafe sales, receivables and inventory
data furnished to him at the head office, through the central server,
(b) Carry out tests of the sales application software for
evaluation of controls,
(c) Apply substantive tests to ensure compliance with
rates, discounts, etc., and terms and conditions in sales policies,
(d) Apply substantive tests to ensure that collections
deposited at the warehouse by the van crew were deposited into the bank,
(e) Observe the annual stock verification procedure of
stocks in vans, and,
(f) Debtors’ scrutiny and call for confirmations from
debtors.
Would the foregoing tests be enough for him to express an opinion on the correctness of the sales, collections, and debtors? A couple of decades ago, the foregoing audit plan would have been considered adequate. Unless some serious indication or sign of fraud came up in his routine audit, or was brought to his notice, the thought of a possible fraud or misuse would not even have crossed an auditor’s mind. In other words, he would not be specifically hunting for such a sign or indicator of fraud, nor would he even consider discussing with his team the possibility that any process or control could be exposed or circumvented to commit fraud. However, in the current auditing scenario, the above procedures would not be adequate. An auditor has a duty to consider the overall business model with ‘professional scepticism’ to understand its vulnerability and then apply appropriate audit procedures to maximise his chances that any sign or indicator will be spotted. For example, in the above case study, the auditor would have to consider the business model and its control systems with professional scepticism. If he does this, he will immediately realise that a business of this kind is fraught with several significant risks of revenue loss in myriad ways.
Huge geographical distances within which the van stocks move, virtually unmonitored and unchecked, along with sales to parties with unknown credentials expose the business model to risks of stock shortages, pilferage of cash or stocks, fictitious sales, unaccounted sales returns, teeming and lading of collections, abuse or misuse of vans for personal purposes or parallel business, etc. Countless other kinds of misuse could take place. While drafting his audit plan, the auditor cannot be completely impervious to these possibilities and merely carry out the tests stated above, on data given to him. He has to think of and apply various customised tests to address all the business risks envisaged. If he does not do this, fraud will occur and devastate a business as happened in Enron’s case. The failure of the auditors of Enron to detect irregularities and/or their apparent will-ingness to support some questionable transactions, permitted wrongful accounting practices and diluted or misleading disclosures and eventually brought Enron to bankruptcy. Corporate governance was at its nadir and exposed that audit effectiveness was very low. It would be immensely useful to study some of the findings in the Enron investigation.
Insights from Enron bankruptcy:
There is a very comprehensive report tabled on February 1, 2002 by Enron’s Special Investigative Committee (Note 2), which had a mandate to examine in detail certain transactions as regards their nature, what went wrong, why they took place and who was responsible. This report provided not only valuable information about the possible causative factors which led to Enron’s bankruptcy, but also insights of immense value to auditors, such as issues relating to accounting practices, corporate governance, audit effectiveness, management over-sight and public disclosures. Much of the subsequent legislation such as the Sarbanes-Oxley Act, 2002, and other acts and auditing standards around the world were based on the revelations in this report. Some of the major revelations are summarised below as they are relevant to the subject matter of this article:
1. The auditors’ and legal advisors’ role. The report revealed that the legal advisors of Enron and their auditors had actually reviewed these transactions and had even cleared them. The report did not actually go to the extent of stating that the auditors had participated in the wrongdoing. However, a reader can draw his own conclusions about this aspect from the meaningful disclosures about the enormous fees paid to them during the relevant period. Auditors billed US$5.7 million for advice for these transactions alone, above and beyond the regular audit fees. At the minimum, there was gross negligence on the part of the auditors.
2. Corporate Governance failure. The report clearly indicated that the Board failed to stop or deter transactions of conflicting interest to Enron. The Chief Financial Officer (CFO) and the Chief Accounting Officer (CAO) had dual and conflicting interests in the suspected transactions. The Board was aware, at least about the CFO’s interest, yet it failed to exercise sufficient checks and controls to ensure that all dealings were above board, fair and equitable to Enron interests.
3. Ineffectiveness of audit procedures to spot malicious ‘off-balance sheet’ transactions. Auditors ignored the implications of transactions with entities referred to as ‘Special Purpose Vehicles’ (SPVs) which were created to enable Enron to camouflage its losses and debts and remove them from Enron’s balance sheet. SPVs with whom such transactions were effected were adroitly portrayed as external independent entities (which they were not), so that it was possible to conceal Enron’s losses and debts, without the necessity of disclosing these in Enron’ sown financial statements. These SPVs were, in fact, entities owned and controlled by Enron’s own employees.
4. Ineffectiveness of audit procedures to spot book entries. The report pointed out that the management resorted to ‘complex structuring of transactions that lacked fundamental economic substance’. In simple words – book entries were created without basis and in contravention of accounting principles, possibly like ‘hawala’ entries commonly referred to in India.
5. Misleading Disclosures. The disclosures in the reports were ‘obtuse, and did not com-municate the essence of the transactions’. The disclosures were made to ‘downplay the significance of related-party transactions, and in some respects, to disguise their substance and import’.
If one considers the possible business risks in the above case study and the Enron fraud there are a lot of similarities. In the above case study, the overall business risk could be quite high. The SPVs in the above case study could be fictitious retailers and creative book entries could be fictitious sales, the creative accounting treatment could be use of teeming and lading practices and perpetrating other sales, collection and inventory accounting manipulations. The conventional audit plan would not necessarily expose these frauds.
Thus, concerns of audit effectiveness were raised in India too, and the auditor’s role and CARO and ICAI’s auditing standards have been revised. The relevant clauses of these pronouncements have been examined below:
1. Auditing Assurance Standard – AAS 4 :
This is a specific auditing and assurance standard pronounced by the ICAI (effective from April 1, 2003), relating to an auditor’s duty as regards ‘fraud and error’ in financial statements. This standard states that the primary responsibility for the prevention and detection of fraud and error rests with both (1) those charged with governance, and (2) the management of an entity. The standard also spelt out the auditor’s enhanced responsibility and laid down expectations of a far more penetrative audit than ever before in the past. The salient features of this AAS 4 are:
(a) An attitude of professional skepticism. No longer can an auditor rely merely on any management representation. In effect, he must obtain evidence that either agrees with, or, brings into question the reliability of management representations. An auditor must adopt, necessarily, an attitude of professional sk ticism that will enable him to identify and properly evaluate matters that increase the risk of a material misstatement in the financial statements resulting from fraud or error. He now has to examine and question the management’s influence over the control environment, industry conditions, and operating characteristics and financial stability.
(b) Importance of teamwork in conducting an audit. The standard also expresses the importance of teamwork. In planning the audit, the auditor should discuss with other members of the audit team, the susceptibility of the entity to material misstatements in the financial statements resulting from fraud or error.
(c) Perform additional, extended orcommensurate audit procedures where fraud is suspected. When the auditor encounters circumstances that may indicate that there is a material misstatement in the financial statements resulting from fraud or error, the auditor should perform procedures to determine whether the financial statements are materially misstated.
(d) Reporting obligations When the auditor identifies a misstatement resulting from fraud, or a suspected fraud, or error, the auditor should consider the auditor’s responsibility to communicate that information to management, those charged with governance and, in some circumstances, when so required by the laws and regulations, to regulatory and enforcement authorities also.
(e) Where an auditor has obtained evidence that fraud exists, even materiality is not a point for consideration for communicating this matter to the appropriate level of the management timely.
Thus as per AAS 4, an auditor has to virtually move heaven and earth to satisfy him-self while carrying out an audit, that no serious red flags exist. If they do exist, he has to necessarily apply appropriate procedures to confirm his suspicions or dispel his doubts, about the existence of fraud. In case there is evidence of fraud, then, even materiality is not a factor for consideration – the matter of fraud has to be communicated to the appropriate level of management on a timely basis and he has to even consider reporting it to those charged with corporate governance.
CARO also casts a sigmficant responsibility on the auditor which has been considered next.
2. Clauses of CARO relating to reporting of fraud by auditors:
Clauses 4(iv) and 4(xxi) of CARO are very important for auditors, especially with regard to their duty towards fraud. 4(iv) requires an auditor to report whether there are adequate internal control procedures commensurate with the size of the company and the nature of its business, for the purchase of inventory and fixed assets and for the sale of goods. What is significant is that the auditor is expected to report whether there is a continuing failure to correct major weaknesses in internal control. The key phrase is ‘continuing failure’. The continuing failure could stem from incompetence or fraud, but either way the auditor cannot ignore the possibility of existence of fraud. If he reports such a continuing failure but not a fraud, and if fraud is discovered later, the auditor may find himself in an unenviable situation to escape the responsibility for not carrying out appropriate audit procedures and also perhaps for not reporting the fraud. Clause 4(xxi) is even more serious, in that, it actually casts a direct responsibility on the auditor to report whether any fraud on or by the company has been noticed or reported during the year; if the answer is affirmative, the nature of the fraud and the amount involved have to be indicated. Here too, it is pertinent to note that materiality is not a factor for consideration by the auditor. If a fraud has been noticed or even reported, he has no choice but to report its nature and the amount involved. Furthermore, by virtue of being an auditor, and the very definition of audit as explained later, his duty does not end merely in mentioning that a fraud was noticed or reported; as an auditor his role automatically requires him to carry out an investigation and apply such other checks and verifications so as to enable him to be satisfied that the fraud is not isolated and that it does not have any other implications on the financial information he is expressing an opinion on.
Thus, CARO clearly spells out the duty of the auditor towards fraud detection and reporting. In the recent past, an auditor’s duty towards fraud detection was further accentuated by the High Court in a recent judgment given below.
3. Sales Tax Practitioners’ Association (STPA) of Maharashtra v. the State of Maharashtra (Note 3):
This case is also very relevant to this article because it examines the definition of audit and concludes that detection of fraud is of primary importance in an audit. While considering the petition of the STP (refer note 3 for details) the High Court examined the very definition of audit. After considering certain definitions, it concluded that the word audit has a specific connotation in the matter of examination, investigation and auditing of. accounts, where detection of fraud is of primary importance. One of the definitions of audit referred to is that of R A Irish in his book ‘Practical Auditing’. It says that an audit may be said to be a skilled examination of such books, accounts and vouchers as will enable the auditor to verify the balance sheet. The main objects of an audit are: (a) to certify the correctness of the financial position as shown in the balance sheet and the accompanying revenue statements, (b) the detection of errors and (c) the detection of fraud – the detection of fraud is generally regarded as being of primary importance. The High Court also observed ‘The object and purpose of compulsory audit is to facilitate the prevention of evasion of taxes, administrative convenience …. “. It is a specialised job which can be undertaken only by a person professionally competent and trained to audit. Thus, auditors are expected to possess skills which could act as even a deterrent for tax evasion fraud. However, the High Court, also accentuated the risks accompanying the privileges: “The Chartered Accountant, by his very privileged status exposes himself to the consequences of civil liability for negligence, liability for professional misconduct in disciplinary proceedings under the Chartered Accountants Act, 1949, and sometimes to criminal liability under the Penal Code.”
Thus the above judgment clearly emphasises that an auditor’s role includes fraud and error detection and detection of fraud is of primary importance and that the auditor is exposed to severe penal consequences for non-performance of his duty.
4. Insights from the O’Malley Report:
Thus far, this article has reviewed the auditor’s role within the domain of the Indian legislation and the ICAI’s pronouncements. It would be useful to examine some views from the international arena too. In this regard, there can be nothing better than the O’Malley Panel Report (Note 1). The Panel made some important revelations about the auditor’s role towards fraud. The Panel recommended that auditors should perform some ‘forensic-type’ procedures on every audit to enhance the prospects of detecting material financial statement fraud. Audit work would be based and directed to detect and find the possibility of dishonesty and collusion, overriding of controls and falsification of documents. Auditors would be required, during this phase, in some cases on a surprise basis, to perform substantive tests directed at the possibility of fraud. The Panel recommendation also calls for auditors to examine non-standard entries, and to analyse certain opening financial statement balances to assess, with the benefit of hindsight, how certain accounting estimates and judgments or other matters were resolved. The intent of this recommendation is twofold: to enhance the likelihood that auditors will be able to detect material fraud, and to establish implicitly a deterrent to fraud. This can be achieved by greater audit effectiveness which would pose a threat to perpetrators in successful concealment of fraud. The Panel also advocated stronger standard setting for auditors. It observed that the Auditing Standards Board should make auditing and quality control standards more specific and definitive to help auditors enhance their professional judgment. The Panel recommended that audit firms should review, and where appropriate, enhance their audit methodologies, guidance, and training materials; and peer reviewers should ‘close the loop’ by reviewing those materials and their implementation on audit engagements and then reporting their findings.
Audit firms should put more emphasis on the performance of high-quality audits in communications from top management, performance evaluations, training, and compensation and promotion decisions.
The auditor’s enhanced role towards fraud:
In the past, the issue of fraud was a ‘once in a blue moon’ phenomenon for auditors. There was no compulsion for an auditor to keep an eye open for red flags or warning bells, or even to under-take extended audit procedures in areas where potential red flags were noticed. Therefore, the actual reporting of fraud in any report ‘was rare. Furthermore, auditors had limited digital tools and techniques, nor any specialised training to be able to conduct interviews, mathematical data pattern analysis, nor did they have trained investigators to carry out field inquiries. The scenario changed completely after the Enron debacle and the advances in IT. Society’s expectations increased and auditors have started using sophisticated software, digital tools and have done further research and training to address the issue of fraud. Risk-based auditing plans and fraud risk detection is now a component of all audit plans.
Considering all the foregoing, consider the case study of the van sales business once again. Is the auditor concerned about all the business risks envisaged – stock shortages, pilferage of cash or stocks, fictitious sales, unaccounted sales returns, teeming and lading of collections, abuse or mis-use of vans for personal purposes or parallel business, etc. ? Yes, the auditor must necessarily recognise these risks, and based on the issues brought out in AAS 4, CARO, O’Malley Report and the High Court judgment, an auditor cannot complete his audit of this business merely on the conventional audit plan detailed earlier. In order to really provide a meaningful opinion on the van sales operating results, an auditor would have to supplement the conventional audit plan with at least the following :
1. Process study and Gap Assessment: The control environment of the entire business model has to be studied and examined by the auditor. Complete process walk through study of the van sales process has to be carried out by the auditor to identify vulnerabilities and gaps in the controls. An overall gap assessment of unaddressed risks must be conducted. In the case study illustrated, an auditor would have to study all the built-in controls in each of the processes on a typical route of a sales van. For example, he must study all the processes such as loading the van, scheduling the route, visiting the retailers, raising invoices, and issuing collection receipts, accepting sales returns and submitting an account, at the end of the day.
2. Teamwork: Have a brainstorm session for designing appropriate audit tests and procedures with all the members of the team to address the risks, corresponding controls in place and gaps identified in step 1 earlier.
3. Testing of controls: Based on steps 1 and 2 above, and other appropriate audit tests to address the risks would have to be applied including surprise tests at warehouse, visits to some retailers, and covert observation of van sales operations by having observers on the route.
4. Additional IT tests of palm-top computer/ printer controls for sales invoicing and issuance of cash receipts to address the issue of fictitious documents.
The above is not an exhaustive list – it is merely an indication of the penetrative approach which an auditor must adopt. Depending upon his findings, he may need to report errors/fraud or control weaknesses in CARO. As per the CARO reporting requirement if these weaknesses have been continuing persistently without being addressed by the management, it may stem from fraud and therefore needs appropriate tests and verifications. The auditor needs to decide at what level of management he needs to report the issue of fraud, and perhaps to the audit committee as well. In such a case, as per the O’Malley Panel, forensic-type procedures may also be necessary, which may include multi-dimensional trend analysis of sales and collections, examination of palm top logs for changes, deletions, alterations, warehouse stock discrepancies, etc.
Conclusion:
While the duty of detecting and preventing fraud lies primarily with the management, the auditor’s role is not insulated from this issue. Auditors cannot be a substitute for the enforcement of high standards of conduct by management, but, auditors can be an important factor in promoting high standards’. Auditors must possess the discipline, fortitude and ability to stand up to management or to an audit committee or board of directors. They need to be able to say, “No, that’s not right!” where deemed essential. The O’Malley Panel called on all individual professional auditors to heed this message’: “Only quality audits serve the public interest, and the public is the auditor’s most important client.”