By Kanwardeep Singh
On 10 January 2018, nine (9) years after the Satyam scandal hit Indian Inc., Securities & Exchange Board of India (SEBI) has passed the Order pursuant to which a slew of directions have been issued against the global accountancy firm PW and its network entities in India.
The directions, among others, include prohibiting PW and its network entities in India from issuing audit certificates to any listed company in India for a period of two years (prohibition not to be applicable to audit assignments that relate to the financial year 2017-2018).
A substantial portion of the 108 page Order (i.e., from paragraph 24 to paragraph 172 of the Order that consists of 207 paragraphs) has been dedicated by SEBI to deal with the question – whether the auditors in question have discharged their professional duties in accordance with the principles that regulate the undertaking of an independent audit. SEBI has while dealing with the said question, been agnostic to the question – whether the auditors in question had the knowledge of or were complicit in the fraud perpetrated by the senior management of Satyam Computer Services Limited, which SEBI has separately dealt with in the Order (paragraph 173 onwards). This article deals with the principles laid down by SEBI while dealing with the former question.
SEBI has in unequivocal terms concluded adherence to the following principles as a quintessential for the conduct of a proper and valid independent audit.
Attention to be drawn to the material departures made from the Auditing and Assurance Standards (“AAS”):
The Institute of Chartered Accountants of India (“ICAI”) is the statutory governing body for the audit of companies (falling within the purview of the Companies Act). ICAI, pursuant to AAS, has prescribed the principles that must be mandatorily followed by auditors while discharging their respective audit function. Therefore, the auditors must ensure compliance with AAS (in letter and spirit) while undertaking the audit function.
SEBI has concluded that if for any reason, the auditor has been unable to conduct the independent audit in accordance with the AAS, it must draw attention to the “material departures” from the principles prescribed by the AAS.
Reliability of audit evidence:
In common market parlance, the expression “audit evidence” is understood to mean the information relied upon by the auditor to certify, among others, the financial statements of a company. The reliability of audit evidence hinges upon (a) the nature of audit evidence; (b) source from where the audit evidence has been procured; and (c) the methodology adopted to obtain such evidence.
SEBI concluded that the evidence procured from an external independent resource is more reliable. The reason for the same being that external evidence provides greater assurance of reliability for the purposes of an independent audit as against the “internal evidence” that is obtained from within the company under audit.
Further, SEBI cautioned that even external confirmations may get compromised and become unreliable due to interception and alteration of the confirmation requests or responses, if appropriate procedures are not adopted and adequate control over them is not exercised. Therefore, it concluded that an auditor must maintain “control” over the process of collection of external evidence by maintaining direct channels of communication with the intended recipients from whom responses are expected.
Exercise of discretion must be to further the objective of the audit process:
Paragraph 7 of AAS 5 crystallises the thumb rule mentioned in sub-paragraph (ii) above i.e., external evidence (procured by the auditor himself) is usually more reliable than internal evidence (procured by the auditor through the company under audit). Paragraph 2 of AAS 30 provides discretion to the auditors to determine whether the use of external confirmations is necessary to obtain adequate audit evidence to support certain financial statement assertions. At first glance it might seem that the rule crystallised in AAS 5 gets diluted by AAS 30. However, the same is not correct as paragraph 2 of AAS 30 itself provides that such discretion must be used keeping in mind factors such as level of inherent and control risk.
SEBI concluded that the discretion envisaged by paragraph 2 of AAS 30 is not unfettered and cannot be exercised as per the whims and fancies of the auditor. Further, it concluded that the exercise of such discretion must be to “further the objective” of the audit process rather than compromising it. Therefore, if something occupies a high degree of materiality in the entire audit exercise, the necessity for external confirmation will be of utmost importance and the same must not be sidestepped by the auditors by opting for less stringent alternative procedures.
Presence of professional skepticism throughout the audit:
In common market parlance, the expression “skepticism” is understood to mean a doubting or questioning attitude or state of mind. Paragraph 18 of AAS 4 requires the auditor to proceed with the audit with an attitude of professional skepticism i.e., not to accept information or rely in information without testing the veracity of such information.
SEBI concluded that an auditor cannot while conducting an audit, accept the representations of a company just because the company and its management enjoy a very good reputation for corporate governance and compliance.
Assessment of adequacy of internal audit procedures:
The first step in such assessment to be undertaken by an auditor is to assess whether the company under audit has an internal audit system that is commensurate with the size and nature of the said company’s business.
Further, the auditor must (a) obtain knowledge of the design of the accounting and internal control systems and their operation; (b) obtain an understanding of the accounting system to understand, among others, the primary kinds of transactions that take place in the operations of the company under audit, initiation of such transactions, supporting documents for the said transactions; and (c) test the effectiveness of the design of the accounting and internal control systems to ascertain whether the same is suitably designed to prevent or detect and correct material misstatements and ensure operation of the internal controls throughout.
SEBI concluded that an auditor must necessarily acquire knowledge of the internal audit procedures (implemented by the company under audit) as the auditor is duty bound to adequately understand the internal control systems as a part of the audit process.
The writing on the wall (by SEBI) is very clear – the above mentioned principles must be followed by auditors while they conduct audit of (listed) companies – any digression from the same can land the respective auditor in a similar soup!
Kanwardeep Singh Kapany presently works as a securities lawyer with a law firm in Mumbai. He can be reached at Kanwardeepskapany@gmail.com.