By Zubin F. Billimoria | Chirag Doshi
Chartered Accountants
INTRODUCTION
Audit firms have
always been subject to regulatory review by both the ICAI as well as the
regulators. Whilst initially they only underwent scrutiny by the ICAI in terms
of the disciplinary mechanism, over a period of time ICAI introduced the
concept of review of individual audits undertaken by the firms, as also the
firm itself through the FRRB, Peer Review and QRB mechanism.
Recently, the QRB Reviews have been substituted through oversight and
regulation by the NFRA for firms involved in auditing a certain class of
entities, whereas the QRB will be involved in other matters.
Accordingly,
it would be pertinent to note the background and role played by the NFRA and
its implications on the future of audit firms.
NFRA
After the
Satyam scandal took place in 2009, the Standing Committee on Finance proposed
the concept of establishing a National Financial Reporting Authority (NFRA) for
the first time in its 21st Report. The Companies Act, 2013
subsequently gave the regulatory framework for its composition and constitution.
The Union Cabinet approved the proposal for its establishment on 1st
March, 2018. The establishment of NFRA as an independent regulator is an
important milestone for the auditing profession and will improve the
transparency and reliability of financial statements and information presented
by listed companies and large unlisted companies in India.
The NFRA
was constituted on 1st
October, 2018 by the Government of India u/s 132(1) of the Companies Act, 2013.
As per the said section, NFRA is responsible for recommending accounting and
auditing policies and standards in the country, undertaking investigations and
imposing sanctions against defaulting auditors and audit firms in the form of
monetary penalties and debarment from practice for up to ten years.
APPLICABILITY
As per Rule 3
of the NFRA Rules, 2018, the Authority shall have power to monitor and enforce
compliance with accounting standards and auditing standards and oversee the
quality of service u/s 132(2) or undertake investigation u/s 132(4) in respect
of auditors of the following class of companies and bodies corporate, namely:
(a) Companies whose securities are listed on any
stock exchange in India or outside India;
(b) Unlisted public companies having paid-up
capital of not less than Rs. 500 crores or having annual turnover of not less
than Rs. 1,000 crores, or having, in aggregate, outstanding loans, debentures
and deposits of not less than Rs. 500 crores as on the 31st of March
of the immediately preceding financial year;
(c) Insurance companies, banking companies,
companies engaged in the generation or supply of electricity, companies
governed by any special Act for the time being in force or bodies corporate
incorporated by an Act in accordance with clauses (b), (c), (d), (e) and (f) of
sub-section (4) of section 1 of the Act;
(d) Any body corporate or company or person, or any
class of bodies corporate or companies or persons, on a reference made to the
Authority by the Central Government in public interest; and
(e) A body corporate incorporated or registered
outside India, which is a subsidiary or associate company of any company or
body corporate incorporated or registered in India as referred to in clauses
(a) to (d) above, if the income or net worth of such subsidiary or associate
company exceeds 20% of the consolidated income or consolidated net worth of
such company or body corporate, as the case may be, referred to in clauses (a)
to (d).
Thus, the
NFRA has stepped into the shoes of the QRB to concentrate on audit firms involved
in entities which are perceived as public interest entities. Currently
all private limited companies even if they satisfy the thresholds as per clause
(b) above are not covered. Consequently, the QRB will henceforth be
involved in the review of audits firms involved in undertaking audits other
than those covered above.
The concept
of establishing the NFRA has been greatly influenced by the establishment and
functioning of the PCAOB in the USA and hence it would not be out of place at
this stage to briefly discuss its role.
PCAOB
The Public
Company Accounting Oversight Board (‘PCAOB’) is a private-sector, non-profit
corporation created by the US Sarbanes-Oxley Act of 2002 (‘SOX’) to oversee
accounting professionals who provide independent audit reports for publicly
traded companies only, unlike NFRA which covers large unlisted public entities,
too. The annual budget of PCAOB for the year 2019 is $273.7 million for a
market cap of $9.8 trillion. The PCAOB’s responsibilities include the
following:
(i) registering public accounting firms;
(ii) establishing auditing, quality control, ethics,
independence and other standards relating to public company audits;
(iii) conducting inspections, investigations and
disciplinary proceedings of registered accounting firms; and
(iv) enforcing compliance with SOX.
Registered
accounting firms that issue audit reports for more than 100 issuers (primarily
public companies) are required to be inspected annually. This is usually around
ten firms. Registered firms that issue audit reports for 100 or fewer issuers
are generally inspected at least once every three years. Many of these firms
are international non-U.S. firms who are involved in the audit of
publicly-traded companies on the US Stock Exchanges. Consequently, some
Indian audit firms who are involved in issuing audit reports are required to be
registered with PCAOB and hence be subject to PCAOB inspections.
INSPECTION REPORTS
The PCAOB periodically issues inspection reports
of registered public accounting firms. While a large part of these reports are
made public (called ‘Part I’), portions of the inspection reports that deal
with criticisms of, or potential defects in, the audit firm’s quality control
systems are not made public if the firm addresses those matters to the Board’s
satisfaction within 12 months of the report date.
Those portions are made public (called ‘Part II’)
only if (1) the Board determines that a firm’s efforts to address the
criticisms or potential defects were not satisfactory, or (2) the firm makes no
submission evidencing any such efforts.
IL&FS OUTBURST
After having understood the role of NFRA and to a
certain extent PCAOB, it would be pertinent at this stage to examine the public
outbursts against the closely-held financial sector giant ILFS which piled up
huge debts amounting to around Rs. 90,000 crores by September, 2018. The
problems initially surfaced with defaults in the repayment of the most liquid
and known safest form of debt, viz., commercial paper, followed by a domino
effect which threatened and called into question the stability of the entire
NBFC sector. This understandably led to a public outburst on various aspects
and called into question the role of the government, the RBI and the auditors,
amongst others. The following were some of the key matters which triggered the public outburst:
(1) What was the RBI doing all these years as a
part of its inspection process, considering that there were reports of breach
of NOF, group exposure and capital adequacy norms in case of one of the group
entities?
(2) How did the Credit Rating Agencies fail to see
through the high leverage and the potential defaults without any warnings and
suddenly downgraded the rating from stable to default?
(3) The impact of the defaults on the mutual funds
which had heavily invested in the debt instruments and the consequential impact
on the common investors;
(4) The bailing out by the government through
investments by LIC and SBI and other similar profitable PSUs (‘family jewels’)
thereby potentially jeopardising the savings of millions of investors and
policy-holders;
(5) As is always the case, the role of the auditors
was also called into question on many fronts like adherence to independence
requirements, maintaining professional scepticism, failure to comply with
regulatory requirements, provide early warning signals, etc.
It would be
pertinent at this point to dwell on NFRA and assess its role and duties in
conducting Audit Quality Review (AQR) of CA firms. The first such
AQR was completed in December, 2019 in respect of the audit undertaken by a
firm of one of the IL&FS group entities, which is an NBFC, being the first
such within that group which is in the public domain and which has been used as
a basis for the discussion hereunder.
AQR PROCESS
This is one of the important tools provided to the
NFRA to regulate and monitor audit firms as covered in the Rules referred to
earlier, which was conducted by the Quality Review Board. The QRB Review and
AQR can also be considered as equivalent to the PCAOB reviews conducted in the
case of the US-listed entities referred to earlier.
Scope
and regulatory force
The scope and
the regulatory force for the AQR are provided in Rule 8 of the NFRA Rules,
2018. The said Rules provide that the NFRA may, for the purpose of
enforcing compliance with the Auditing Standards, undertake the following
measures which would broadly constitute the scope for the AQR:
(A) Review working papers and other documents and
communications related to the audit;
(B) Evaluate the sufficiency of the quality control
system followed by the auditor; and
(C) Perform such other testing of the audit,
supervisory and quality control procedures of the auditor as may be considered
necessary or appropriate.
Though Section 133 of the Companies Act, 2013 requires
the NFRA to inter alia monitor and enforce compliance with both the
Accounting and the Auditing Standards, the main focus of the AQR, which
we will discuss in the subsequent section, is on compliance with the auditing
and quality control standards.
Steps
involved in undertaking the AQR
The AQR which
is undertaken is not a one-way traffic but follows an elaborate process of
seeking information from the audit firm, followed by the draft findings against
which the replies of the audit firm are sought before the final report is
issued. The following are the various steps which are broadly undertaken before
the final report is issued and the same are included in a separate Annexure to
the report so that there is no ambiguity:
(a) Formal letter sent by NFRA to the engagement
partner (EP) asking for the audit file of the client selected for review.
(b) Subsequent letter sent to the EP asking for the
list of related parties and the details of the audit and non-audit revenue of
the selected client under affidavit.
(c) NFRA’s letter sent to the EP containing a
questionnaire sent via email and the replies against the same by the audit
firm.
(d) NFRA’s letter to the EP conveying its prima
facie observations against the various issues in the questionnaire referred
to in (c) above and the reply there against.
(e) Issuance of the Draft AQR Report (DAQR).
(f) Presentation made by the EP and the other team
members to the NFRA in pursuance of the observations in the DAQR.
(g) Written replies furnished by the EP to NFRA in
response to the observations in the DAQR.
(h) Issuance of the final AQR Report by NFRA.
Summary
of the NFRA’s conclusions in the AQR
The culmination of the above process resulted in
several findings, recommendations and conclusions covering a wide spectrum of
issues which were analysed under the following broad categories as tabulated
hereunder. Whilst a detailed discussion thereof is beyond the scope of this
article, the main findings as discussed here would not only provide an insight
into the thinking of the NFRA but also serve as an eye-opener to the audit
firms, especially the small and medium-sized ones, to enable them to ramp up
their audit quality keeping in mind the current circumstances.
|
Area
|
Key Findings / Observations
and Conclusions
|
|
|
|
|
Compliance with independence requirements
|
The NFRA has come down heavily on the independence requirements
violated by the audit firm, as evidenced by the following matters:
a) The audit firm had grossly violated the provisions of section
144 of the Companies Act, 2013 by providing various prohibited services
and also not taking the approval of the Audit Committee, including in
respect of services provided by associated / connected firms / companies
to both the company and its holding or subsidiary companies. The total
fees for such non-audit engagements in excess of the corresponding audit fees
has, in the words of the NFRA used in the Report, ‘undoubtedly fatally
compromised the windependence in mind required by the Audit Firm’
b) The approval of the Board of Directors for such
services is not permissible where the company has an Audit Committee and the
same would amount to an override of controls
c) There was a clear violation of the RBI Master
Directions since the EP was involved in the audit for a period of five
years as against the mandatory rotation after a period of three
years
d) The Senior Audit Engagement team comprising of the Audit
Director and Audit Senior Manager were involved in the audit for a period
in excess of seven years which is against the spirit of the staff
rotation and familiarity threat principles enshrined in SQC-1. The
contention of the audit firm that such requirements were applicable only to
the EP and the Engagement Quality Control Review (EQCR) Partner
was not acceptable to the NFRA since the EQCR is an entirely independent
exercise. This clearly compromised on the audit firm’s independence both in
letter and in appearance
|
|
|
|
|
Role of the EP
|
The reference by NFRA to the role of the EP is both interesting
as well as insightful, as reflected through the following key observations:
a) The practice of the audit firm in designating two partners
as EPs is clearly a violation of SQC-1 as well as SA-220 – Quality control
for an Audit of Financial Statements, which clearly mandates that member
firms should have only one EP, which aspect was also clearly laid down even
in the audit firm’s Internal Quality Manual
b) The time spent by the signing partner (who is
considered by the NFRA as the EP) and the evidence of the review of
documentation by him during the course of the audit, clearly shows
that almost all the important work of audit, i.e., independence evaluation,
risk assessment, audit plan, audit procedures, audit evidence, communications
with management or those charged with governance (TCWG) was not adequately
directed / supervised / reviewed
by the EP
|
|
|
|
|
Communication with TCWG
|
Since an ongoing two-way communication between the audit firm
and TCWG is an important element in the audit process, the following
observations by the NFRA in this regard merit attention:
a)The audit firm was not able to produce a single document
minuting the discussions held with TCWG
b) The assertion of the audit firm that they have
exercised their professional judgement in making their written communications
cannot be taken as a justification that nothing was required to be
communicated. This also runs contrary to the fact that the RBI
inspections and subsequent correspondence had revealed serious
non-compliances relating to NOFs, CRAR, NPAs and Group entity exposures,
amongst others, which are significant and require to be communicated under
SA-250 on Consideration of Laws and Regulations in an Audit of Financial
Statements and SA-260 on Communication to Those Charged with Governance
c) As per the minutes of the meetings of the Board of
Directors and the Audit Committee, there was also nothing on record to
demonstrate that the audit firm representatives had attended any meetings at
which the above matters were discussed, except the meeting at which the
accounts were approved and adopted. Further, even at the said meeting the
contention of the audit firm that there were no serious non-compliances with
laws and regulations does not hold water, considering the correspondence
referred to above and the non- disclosure in the
financial statements
|
|
|
|
|
Evaluation of Risk of Material Misstatement
(ROMM) Matters
|
Assessment of ROMMs being an important component in the entire
audit process has naturally received due attention by NFRA and the following
are some of the important observations in respect thereof:
a) The reference in the audit work papers to
compliance with International Auditing Standards is a clear
non-compliance with section 143(9) of the Companies Act, 2013. The Report
further states that ‘the Companies Act refers only to SAs prescribed by
that statute and to no other. Hence, any reference to any SAs other than so
prescribed is clearly non-compliant with the Companies Act. NFRA, as a body
constituted under the Companies Act, 2013,
obligated to consider only what is compliant with
that Act.’
b) The audit firm failed to appropriately deal with
identification, categorisation and minimisation of engagement risk,
especially looking at the size, nature and economic significance of the
auditee company. The risk of misstatement due to fraud was also ruled out by
the audit firm, especially with regard to revenue recognition which is a
presumed fraud risk as per SA-240. This led to inadequate audit responses.
Some specific instances to highlight the same are discussed in points
(d) to (f) below
c) There were significant contradictions in the assessment of
ROMM which lead to the conclusion that the assessment had been carried out in
so casual a manner as to result in a complete sham
d) There is no reference in the audit file to the fact that
the audit firm has noted the SI – NBFC character of the entity whilst
undertaking a risk assessment and the consequential risk classification as
normal which is reflective of an inadequate understanding of the
financial and business sectors of the economy. The NFRA has further
remarked that ‘the RBI, as the chief regulator of financial and
monetary matters, makes this determination, which
needs to be
respected and not treated
cavalierly.’
e) There were several inadequacies found in the testing and
evaluation of NPAs, including the requirement of early recognition of
financial distress and the resolution thereof and the classification of
Special Mention
Accounts in terms of the RBI guidelines
f) The audit firm should have maintained professional
scepticism throughout the audit by recognising the possibility that a
material misstatement due to fraud could exist as per SA-240, notwithstanding
the auditor’s past experience of the honesty and integrity of the entity’s
management and TCWG, by performing specific and adequate procedures to
address the following matters, amongst others:
(i) Suppression of defaults due to regular
‘ever-greening’ of loans,
(ii) Manual overriding of controls for a substantial
portion of loans sanctioned during the year as evidenced by the statement /
analysis in the audit file and the corresponding observations in respect
thereof in the
RBI Inspection Report,
(iii)
Procedures to test the completeness and accuracy of the listing of
NPAs,
(iv) Testing of journal entries, especially those
pertaining to items posted after the closing date, significant period end
adjustments and estimates, inter-company transactions, etc.
|
|
Testing / disclosure of specific matters arising
out of RBI Inspection Reports
|
a) The audit firm did not question the management and challenge
the inflation of profit by a material amount through inclusion of the value
of a derivative asset which was entirely unjustified. The Report mentions
that ‘the actions of the auditor in not having done so, and having
accepted the stand of the management without question, shows clearly a gross
dereliction of duty and negligence on the part of the audit firm’
b) The audit firm accepted the stand of the management
about not disclosing the fact that the Net Owned Funds (NOF) and the Capital
to Risk Assets Ratio (CRAR) of the entity as on 31st March, 2018
were both negative, based on the RBI Inspection Report and related
communications and that this situation could lead to cancellation of the NBFC
license of the entity. The audit firm also certified the accounts as showing
positive NOF and CRAR, accepting the explanations of the management which
were clearly contrary to law. The explanation of the audit firm seems to
imply that this communication of the RBI was not available to them. This
explanation was held to be unacceptable for the reason that this clearly
showed the complete lack of due diligence and professional scepticism on the
part of the audit firm. Had proper inquiries been made both with TCWG and the
RBI, it is certain that this communication would have been formally made
available to the audit firm
c) Consequent to the above matter, the audit firm did not
adequately question the going concern assumption on the basis of which
the management had prepared the financial statements
|
Learnings
and challenges for audit firms
A careful
evaluation of the findings arising out of the above report provides several
learnings as well as challenges, especially for the small and medium-sized
firms, considering that the observations have been made in respect of an
international firm which is supposed to have robust processes. The challenges
before the SMPs are broadly analysed under the following headings:
Adverse
publicity / reputational risk:
Unlike the
earlier QRB Review Reports, the NFRA shares its findings and publishes the
reports on its website and hence the same are available in the public domain,
which immediately leads to bad publicity and adverse reputational risk for both
the audit firm and the client / entity concerned. This is in line with the authority
provided to it in terms of Rule 8(5) of the NFRA Rules. It may,
however, be noted that Rule 8(6) of the NFRA Rules provides that no confidential
or proprietary information should be so published unless there are
reasons to do so in the public interest which are recorded in writing. However,
what constitutes confidential or proprietary information has not been defined.
One of the
ways in which this can be achieved is by dividing its report into two parts as
is done by the PCAOB as discussed earlier.
EMPHASIS ON AUDIT INDEPENDENCE AND AUDIT ADMINISTRATION /
COMMUNICATION
There is now
a growing expectation of independence both in letter and in spirit.
Whilst prima facie the requirements under the statute may appear to have
been complied with, independence of the mind in the eyes of the external
stakeholders / users of the audit report is also important. This may be a challenge
to smaller firms who have a limited number of audits and staff to perform the
same, making them vulnerable to the familiarity threat. Accordingly, in
future audit firms would have to keep in mind these aspects before they accept
fresh audit engagements since the ICAI / QRB has the power to regulate all
entities. Further, the general tendency of being an all-weather friend and
trusted adviser would need to be carefully calibrated with the regulatory
guidelines. Finally, a lot of emphasis would have to be placed on the extent
of the role played by the EP as against the tendency to rely on the work done
at the junior level due to both time and technical constraints (e.g. the EP
being a tax specialist). In this context, the observation of the NFRA of the audit
firm designating two EPs may not help since the concept of shared
responsibility did not cut ice with the NFRA. To mitigate these
problems, small and medium-sized firms would do well to undertake external
consultation on a more formalised and frequent basis since it is
also recognised as an important element in the overall quality control process
in terms of SQC-1.
IMPORTANCE OF FRAUD AND RISK ASSESSMENT
The
importance of these two aspects cannot be overemphasised. The current
environment of regulatory overdrive makes audit firms vulnerable to greater
scrutiny on these aspects. Several specific observations by NFRA on granular
aspects of fraud and risk assessment in the audit report like ever-greening of
loans, valuation of derivatives, testing of related party and inter-company
transactions, manual override of controls, etc. makes it imperative for audit
firms to exercise greater degree of professional scepticism since their
professional judgements would come under greater scrutiny. To mitigate these
problems, audit firms, especially the small and medium-sized ones, should have
regular training and orientation programmes, both external and internal, so
that apart from sharpening the technical skills the necessary soft skills are
also developed. Such training costs should not be considered as a cost but as
an investment.
COMPLIANCE WITH AND ATTENTION TO REGULATORY MATTERS
The NFRA Report has sent out a clear message that
audit firms ignoring regulatory matters do so at their own risk. Further, NFRA
has taken a strict view on certain matters like risk classification in case of
Systemically Important (SI) – NBFCs as greater than normal, which is
questionable. Another area flagged by them involves inadequate
communication and dialogue with the management and TCWG on regulatory matters.
Accordingly, it is important for audit firms to rigorously follow the
requirements laid down under SA-250 and SA-260 even though the primary
responsibility for compliance with laws and regulations rests with the management
and TCWG.
Robust
documentation of the audit engagement and firm level policies
The oft-used
phrase what is not documented is not done and also the fact that
audit documentation should be self-explanatory and be able to stand on its own,
has been clearly in evidence in the NFRA’s findings in several places,
e.g. reference to International Standards on Audit (this provides a subtle
message to the firms with an international affiliation that compliance with
international requirements is no substitute for compliance with the local
regulations, guidelines and pronouncements), non-availability of minutes of
meetings of discussions / communication with the management on important
matters, no specific documentation evidencing performance of key audit procedures
in respect of certain transactions having greater risk and fraud potential and
so on.
One of the
most important learnings for audit firms involved in the audit of covered
entities is to streamline and standardise routine audit documentation
by laying down clear policies, checklists and other documentation for execution
of audit engagements in general and keeping in mind the specific documentation
requirements as laid down in the various Standards on Auditing, as also on the
various elements of the system of quality control, as under, as laid down in
SQC-1:
(I) Leadership responsibilities for quality within
the firm;
(II) Ethical requirements (including independence
requirements);
(III) Acceptance and continuance of client
relationships and specific engagements;
(IV) Human Resource policies covering recruitment,
training, performance evaluation, compensation, career development, assignment
of engagement teams, etc.;
(V) Engagement performance, including
consultation, engagement quality review, engagement documentation retention and
ownership, etc.
Whilst
framing policies in respect of the above and any other related matters, care
should be taken to avoid mechanically copying the requirements laid down in the
Standards. The policies should be framed keeping in mind, among other things,
the size of the firm, the nature and complexity of the clients served and the
competence of the personnel to implement the same.
How
small and medium-sized firms can prepare for NFRA review
One of the
most important elements is to have an audit manual in place covering the
policies and procedures, with all templates, formats, and checklists in place
to ensure compliance with the applicable Auditing Standards. The structure and
significant content of the audit manual could be as follows:
- INTRODUCTION AND FUNDAMENTAL PRINCIPLES:
This chapter
introduces the fundamental principles related to reasonable assurance,
objective of an audit, audit evidence, documentation, financial reporting
framework, quality control, ethics, professional scepticism, technical
standards.
- PRE-ENGAGEMENT
ACTIVITIES:
In this chapter the
manual deals with the basic engagement information, engagement evaluation:
client acceptance / continuance, independence declarations, staff assessment
and audit budget, planning meetings, terms of the engagement.
This chapter covers
the audit approach, gathering knowledge of the business, laws and regulations
and understanding the accounting systems and internal controls, fraud risk
discussions and indicators, related parties.
- RISK ASSESSMENT PROCEDURES:
This chapter will
help auditors comply with the standards of auditing related to the
identification and mitigation of risk of material misstatement, fraud risk and
going concern risk at the initial stage of audit.
Planning
materiality is one of the most critical elements of an audit as it determines
the coverage of the audit. Planning materiality should be determined at the
planning stage and should be updated if required during the execution phase.
A well-designed
audit programme ensures compliance of auditing standards and quality standards
while performing the audit and also acts as a guiding checklist for the
engagement team.
- TEST OF CONTROLS AND SUBSTANTIVE TESTS:
This chapter guides
the team in determining the reliance on the test of controls vis-a-vis the test
of details, resulting in a balanced approach between the two to ensure an
efficient and effective audit.
This chapter is the
heart of the audit documentation. It deals with documentation of the execution
of the entire audit, determining the audit sampling, audit sampling procedures,
consideration of applicable laws and regulations, inquires with management and those
charged with governance, external confirmation procedures, analytical
procedures, procedures to audit accounting estimates and fair value
measurements, identification of related parties, going concern considerations,
considering the work of internal audit or experts, physical verification
procedures, etc.
- FINALISATION: AUDIT CONCLUSIONS AND
REPORTING:
The auditor needs
to ensure the adequacy of presentation and disclosure, subsequent event and
going concern consideration, final analytical review, evaluation of audit test
results, issue of the auditor’s report, communicate with those charged with
governance and coverage of management representations.
CONCLUSION
What is
not documented is not done has been the age-old mantra! Audit documentation helps the auditors to prove to the user of the
financial statements, usually the authorities, that a proper audit was
conducted. The data that has been recorded can help in ensuring and encouraging
that the quality of the audit is maintained. It also provides an assurance that
the audit that was performed was in accordance with the applicable auditing
standards. 
