If the world were perfect, every system would work perfectly, and there would be no need to put systems under manifold controls. Yet controls are not always the ultimate protection. In the field of accountancy, there are many Accounting Standards. Despite this, frauds keep happening. Promoters siphon off money; management jacks up profit figures in an attempt to beef up stock prices (and their share of profits); and employees do their own bit of embezzlement.
However, individual interest does not always work in the interest of the organisation or that of society. And individual greed, in most cases, is counter to the interests of the organisation and society.
Fraud is a risk both for the business entity and for the Auditor. For the auditor, an audit assignment entails managing audit risks. This risk arises because 100% checking is neither done nor feasible. 100% checking of all transactions and processes would mean reinventing the wheel, and would lead to duplication and an increase in costs.
Consequently, auditors have to rely on audit procedures, sampling, and test checking - and thereby arrive at an opinion on the financial statements as a whole. In this context, audit risk means that the auditor gives a wrong opinion when financial statements are materially misstated, either from fraud or error. For example, the financial statement is materially misstated, and the auditor reports it as true and fair - either due to unintentional omission or due to collusion.
Audit Risk (AR) is a function of Inherent Risk (IR), Control Risk (CR), and Detection Risk (DR), i.e.
AR = IR x CR x DR
Inherent Risk relates to material misstatements that arise due to transactions recorded erroneously by error or due to fraud. Control Risk relates to risks that the material misstatements will not be prevented or detected by the internal control system. For an external auditor, the IR and CR are a given fact and not under his control.
Detection Risk is simply the risk that the material misstatement would escape detection.
DR = RTD x RAP
RTD is the risk related to Tests of Details (totals, vouching, sampling, etc.), and RAP is the risk associated with Analytical Procedures (ratio analysis, etc.). These are the methods by which Auditors analyse the financial data to come to a conclusion regarding the truth and fairness of the accounting and financial statements.
When Corporate entities indulge in Fraud - whether the Promoter or the Management - they try to cover it up in every way possible - this increases the audit risk.
Take for example the case of WorldCom, which was a communication giant of the US. It is usual for Auditors to use Analytical Procedures (AP) and Trends of Ratios. The problem with AP is that it relies for assurance on the same data that is itself suspect from the audit point of view. Now, WorldCom had simply capitalised $3.8 billion of routine expenses as assets. This increased the profits and inflated the assets. All this was fudged in such a manner that the various ratios remained in line with industry averages. Obviously, as the auditors later testified, they had found nothing suspect!
Another case that gave the biggest jolt to the audit profession was that of Enron. Enron had many issues - those relating to financial engineering, like off balance sheet financing, ignoring of accounting standards, and issues relating to governance. This took its toll not just on the business entity, but also on its auditors. And in its turn the stock market took its toll to the tune of $35 billion.
For the audit profession, Enron became a turning point. Not just because it was a big corporate fraud - but because it brought the role of Auditors into public debate. These were not statistical issues, but issues like:
- how could one reconcile the role of a watchdog with that of a consultant?
- how can revenue pressures from non-audit fees affect the Audit work?
- what should be the corporate liabilities and the liabilities of auditors?
- how to protect the independence of auditors?
- how to improve the financial reporting framework?
The US instituted the Sarbanes-Oxley Act (SOX) in 2002, which addressed many of these issues. Among its many measures:
- It established PCAOB - the Public Company Accounting Oversight Board - to oversee Auditing of Public Companies regarding quality control and ethics standards
- Under section 404 of the Act, it requires management to certify its internal controls; thereafter the Auditors, after following the procedures established by the PCAOB, are required to attest to that.
From the Indian point of view, any Indian company listed on NYSE, AMEX or NASDAQ, or coming under the purview of the Securities Act of the USA, has to comply with SOX, and the Auditors for such purposes would be subject to US court jurisdiction.
Audit Standard 70 (SAS 70) of the US is important for the BPO sector of India, as under that US standard the Auditor of the BPO has to express an opinion on the internal controls of the service provider.
Even in India, many measures have been taken. ICAI has set up a Financial Report Review Panel to check for the presence of frauds in the published accounts of corporates.
Under CARO 2003, special reporting responsibilities have been put on the Auditor for frauds “noticed or reported” during the period under audit. CARO 2003 also requires the auditor to express an opinion on the internal controls of the company.
The most important initiative in India as regards Corporate Governance within the regulatory framework has been Clause 49 of the Listing Agreement issued by SEBI. Like Sarbanes-Oxley, Clause 49 also deals with various issues - even though in the Indian case it has not been a reaction to corporate frauds as in the US. Clause 49 has been the result of a series of initiatives since the mid 90s and is based on the recommendations of various committees like the Kumar Mangalam Birla Committee, the Naresh Chandra Committee and the Narayana Murthy Committee.
Specifically from the audit point of view:
- It requires certification by the CEO / CFO that the financial statements do not contain any materially untrue statement
- It makes disclosure relating to risk management and minimisation of risk mandatory
- Two-thirds of the audit committee is required to be formed of independent directors
- The audit committee has been charged with specific responsibilities like - (1) review the management discussion on the financial condition of the company, (2) review related party transactions entered into by the management, (3) review the internal audit and internal control weaknesses
It can be said that, whatever the tightening of the regulatory framework and whatever the sophistication of the analysis available, auditors should keep the basic concepts of professional scepticism handy and abide by the audit standards. Only then would they be able to deal successfully with corporate frauds. In doing so they would be doing a great service to society, as they would also be safeguarding the interests of thousands of shareholders, who individually have no control over the doings of the management.
