Auditor’s Communication With Audit Committee

Finally, the US audit committees will be getting the full picture of the financial statements from the auditors. The Public Company Accounting Oversight Board (“PCAOB” or the “Board”) of US  is adopting Auditing Standard No. 16 – Communications with Audit Committees. It is aimed at improving dialogue between auditors and audit committees to enable better oversight and financial reporting.

The scope of communications has increased from the previous practice of discussing – accounting policies, procedures and estimates, quality of financial reporting, unusual transactions and significant auditing and accounting matters. It covers a  more matters that will increase clarity.

Previously the status of communication was aptly described by George Bernard Shaw’s quote – “The single biggest problem in communication is the illusion that it has taken place.” Audit committees in my view lacked critical information . Secondly, as there is a shortage of financial experts (just one is mandatory) they were in no position to analyse the details of the financial statements. It was easy to hide artistic accounting from them. This standard will reduce communication gap between the auditors and audit committee.

In India, though the roles and responsibilities of the auditor and audit committee are defined in the Listing Agreement of SEBI and New Companies Bill, the nature, content and quality of communication is not specified. It mandates audit committee should meet at least four times a year, however doesn’t shed light on the quality of discussion to take place. The audit committees in India, are required to look into loan transactions, related party transactions and a couple of other things. These requirements are not mentioned in the list below.

In brief, as per Auditing Standard No. 16 the auditor would be required to communicate the following to the audit committee:

a.  The terms of appointment and engagement, objective of the audit, and responsibilities of management and auditor.

b. An overview of the overall audit strategy, including timing of the audit, significant risks the auditor identified including risk assessment procedures, and significant changes to the planned audit strategy or identified risks;

c. Information about the nature and extent of specialized skill or knowledge needed in the audit, the extent of the planned use of internal auditors, company personnel or other third parties, and other independent public accounting firms, or other persons not employed by the auditor that are involved in the audit;

d. The basis for the auditor’s determination that he or she can serve as principal auditor, if significant parts of the audit will be performed by other auditors;

e. Significant accounting policies and practices including changes. Reasons certain policies and procedures were considered critical and the effect on them in respect to current and future events. Effect of policies and disclosures in controversial area and where there is lack of authoritative guidance.

f. Situations in which the auditor identified a concern regarding management’s anticipated application of accounting pronouncements that have been issued but are not yet effective and might have a significant effect on future financial reporting;

g. Description of process for developing critical accounting estimates including the significant assumptions. If any significant changes are made in the process or estimates.

h. Significant unusual transactions with policy and procedures used by management for accounting unusual transaction;

i. Quality of financial reporting including whether auditor identified bias in management’s judgement about the amounts and disclosures in financial statements. Assessment and conclusion of critical accounting policies. Auditor’s understanding of the business rationale for significant unusual transactions.

j. The results of auditor’s evaluation about financial statement presentation. Whether the reporting including form, content and arrangement are in conformity to standards.

k. Difficult or contentious matters for which auditors consulted external consultants

l. Auditor is aware management consulted external sources, the auditors should also give their opinion;

m. The auditor’s evaluation of going concern;

n. Uncorrected and corrected mis-statements including those discussed with management;

o. Material written communication with management

p. Disagreements with the management

q. Departure from the auditor’s standard report;

r. Difficulties encountered in performing the audit, and

s. Other matters arising from the audit that are significant to the oversight of the company¡¦s financial reporting process, including complaints or concerns regarding accounting or auditing matters.

Closing thoughts

The various auditing and accounting standards in India cover most of the points mentioned above. The auditor is required to ensure conformity to the standards and comment on the same if there are variances. However, there is no specific guideline for communication between auditor and audit committee. As the US standard just defines minimum communication requirements it would be beneficial to formulate and adopt a similar one in India and other countries. It will ensure a specific level of interaction with auditor and audit committee is maintained and the audit committee makes informed decisions.

What do you say? Should there be a global standard for communication with audit committees? What other steps can be taken to reduce barriers to communication between the auditor and audit committees?

References:

PCAOB Adopts Auditing Standard No. 16, Communications with Audit Committees, and Amendments to other PCAOB Standards

 

Why Auditors Fail To Detect Frauds?

When media reports a new fraud, the first few thoughts of public are – “What were the auditors doing? How did they miss it? Were they involved?” The auditors get labelled as morons, conspirators or criminals. Generally most people jump to the conclusion that auditors had malafide intentions and became accomplices to get more business. While this may be true in some cases, auditors need the benefit of doubt. They sometimes genuinely miss the cases despite their best effort to diligently perform their duties. This post is an attempt to explain why auditors miss the frauds.

I want to share a joke with you before I explain. Two drunkards were walking on a railway track. The first said to other – “I am really tired, I hope the steps will end soon.” The second replied – ‘Yeah. I wish they had put the handrails at a better height, my back is killing me.”

1. Auditors responsibility to detect frauds

We can laugh at this, but if I say most of us don’t see clearly, there will a lot of angry reactions. So I am not saying anything, and am requesting you to watch this video.

Now did you see the moon walking bear?

Auditors have the same problem. They have to to give a true and fair opinion on the financial statements. They are not required to focus on detecting frauds. Hence, the audit programs are not designed to conduct tests to  detect fraud symptoms and probability. Therefore, with no specific coverage auditors fail at detecting frauds. Extract from Section 143 of New Companies Bill is given below:

The auditor shall make a report to the members of the company on the accounts examined by him and on every financial statements which are required by or under this Act to be laid before the company in general meeting and the report shall after taking into account the provisions of this Act, the accounting and auditing standards and matters which are required to be included in the audit report under the provisions of this Act or any rules made thereunder or under any order made under sub-section (11) and to the best of his information and knowledge, the said accounts, financial statements give a true and fair view of the state of the company’s affairs as at the end of its financial year and profit or loss and cash flow for the year and such other matters as may be prescribed.”

2. Auditors punishment on failure

The second question frequently debated is – “Should auditors be punished if they fail to detect frauds?” Section 147, clause 4 of New Companies Bill states auditor’s liabilities in respect to fraud in the following words:

Where, in case of audit of a company being conducted by an audit firm, it is proved that the partner or partners of the audit firm has or have acted in a fraudulent manner or abetted or colluded in any fraud by, or in relation to or by, the company or its directors or officers, the liability, whether civil or criminal as provided in this Act or in any other law for the time being in force, for such act shall be of the partner or partners of the audit firm and of the firm jointly and severally and such partner or partners of the audit firm shall also be punishable in the manner as provided in section 447.”

This clause puts auditors on shaky ground. It is difficult to prove innocence once a fraud is detected. How can an auditor state – “I did my work properly, saw these documents, looked at the same audit evidence but didn’t find anything wrong with it.” Most will jump to the conclusion that the auditor knowingly ignored all the evidence. So here is another video. Watch it, and then you will see how this situation can occur.

According to various experiments, 75% of the people failed to observe the person swap in the experiment.

Think of this from an audit evidence perspective. An auditor is checking 100 vouchers with supports. One voucher among the 100 is fraudulent. What is the probability of the auditor noticing it? One can safely assume that it will be less than 25%.

Is it surprising that auditors fail to detect frauds after seeing these experiments. Though they are trained, they are human. The same psychology works with them too.

Closing thoughts

The success rate of detecting frauds will be higher when the auditors – external and internal – have specific responsibility to detect frauds. Without the specific responsibility, regulators can continue to complain and investors will share their anguish, however all will be futile. The laws need to be devised to hold someone responsibly for detecting frauds. What is your opinion?

A modified version of this article was published in the Middle East Accountant Magazine.

LIBOR Scandal – What Went Wrong?

This week Barclays Plc made banking history for the wrong reasons. The unheard occurred – the chairman, chief executive officer and chief operating officer – all resigned within one week. While chairman of Barclays, Marcus Agius took the blame saying “the buck stops with me“, initially Bob Diamond said the incident was “inappropriate“. An understatement or lack of adequate vocabulary for describing a manipulation with such huge impact on the financial markets? LIBOR is used as a benchmark for prices of approximately $ 350 trillion of financial products. British and US authorities fined Barclays $453 million!

In the parliamentary hearing yesterday, Mr. Diamond did modify his viewpoint and said “behavior is inexcusable“. In the hearing, Mr. Diamond implicated Bank of England and the Financial Regulatory Authority. With a dozen more banks under investigation, this story of rigging interest rates  isn’t going to blow over. It is just going to get murkier with time.

Watch this video to get an inside view on the procedures for calculation of LIBOR and the lack of monitoring by the regulators. Some speakers have given volatile views, but these are definitely worth listening in case of such a serious breach of business ethics.

In the last couple of months, titans of banking industry are facing the public ire. First Jamie Dimon was called in for questioning by US senate, yesterday Bob Diamond was questioned by UK parliament. The winds are blowing in a different direction; public is outraged by lackadaisical attitude of bankers towards ethical practices. Since the financial crises, many have written about the need to change culture within the banking organizations. However, from the frequent scandalous news stories, it doesn’t look that the wizards of the industry are understanding the social strategic inflection point.

With senior bankers’ ambition to join billionaires club, even the best minds have developed blind spots. The ambition is for more and more money; they have forgotten that more is not always better. We need banking CEOs to have the ethical mindset of Dalai Lama to bring about a positive change in the industry. Is it possible, what do you say?

References:

Barclays CEO Bob Diamond Resigns After Rates Scandal – Business Standard

Performance of Indian Boards

The board of directors have the responsibility for steering the organization in the right direction and guiding the CEO and senior management. However, worldwide they are lambasted for catering to the manifested interest of CEO and senior management at the expense of shareholder interest. The criticism is that boards’ failure to maintain independence results in  under-performance.

A prime example is the decision of Satyam board to acquire Matyas. The board approved a deal of USD 1.6 billion to acquire Maytas Infra for USD 300 million and Maytas Properties for USD 1.3 billion. Ramilanga Raju after admitting the Satyam fraud stated that deal was to fill Satyam with real assets instead of fictitious assets. The scandal came out as shareholders refused to approve the deal and Raju didn’t have a way to cover the fraud. The recent case of  Kingfisher Airlines debacle clearly shows that the board was not asking the right questions.

Mr. N. R. Narayan Murthy, founder of Infosys, in his book “A Better India, a Better World” succinctly describes the prevailing trends. He wrote – “A a result, the 1990s was the era of the stock-option-fattened, superman-superwoman CEOs who could do no wrong in the eyes of their admiration-heavy boards, and who were seen as demigods. Lax oversight by the boards made these CEOS more or less omnipotent.” He has lead corporate governance in India by walking the talk and his scathing comments are right on target. He has given a number of suggestions to improve corporate governance and board performance.

Let us see, whether Indian boards are up to the task. To analyse the performance of the boards, I have taken the best practices of the board from the report of Trinity Group and Mr. Narayan Murthy’s book. The statistics are from  India Board Governance report 2011 and the relevant laws are from the New Companies Bill 2011.

1. Constitution of the board

Corporate governance practices mention ideal board size of 8-12 members with around one-third to half the members being non-executive and independent directors.  Indian boards on an average had 9.6 directors of which 5.2 were independent directors in 2010 and 60% of the boards have separate roles for CEO and Chairpersons. On the whole, this sounds good, however, in light of the additional information given below, the perspective changes.

a)    In 2010 in India, board chairpersons were members of 9.5 external boards though majority of the memberships were of private companies. According to the survey “the maximum public board memberships held by an individual was 12, and the maximum private board memberships a whopping 37″.

b)   The CEOs & managing directors were on an average board members of 7 external boards. “The highest number of public company board memberships held by a CEO was 10, whereas it was 32 for private company boards.”

c) Non-executive directors, on an average held a total of 6.7 total board memberships, with 2.1 public and 4.6 private memberships.

d) 56% of the directors surveyed identified the limited talent pool as an impediment, with 38% perceiving it as a major hindrance. Yet, less than 10% used search firms or other 3rd party sources to locate suitable talent.


The lack of experienced and trained directors is the key reason for a few directors available in the talent pool holding multiple memberships. When most independent directors are selected from the social circle of the CEO or Chairperson, there are very few who would not toe the line stated by the CEO. With the multiple holdings, a conflict in one board may impact the relationship in another board. Hence, instead of independence, diplomacy and self-interest prevails.

Mr. Murthy candidly mentions that “board independence from management continues to be affected by directors who have limited accountability to shareholders and are ill-equipped in exercising management oversight.” He stated that in Infosys, directors are given training and a job charter to ensure that they fulfill there responsibilities appropriately.

2) Strategy review by the board

According to the best practices given in the Trinity report, “the board’s primary responsibilities include : (a) reaching agreement on a strategy and risk appetite with management, (b) choosing a CEO capable of  executing the strategy, (c) ensuring a high-quality leadership team is in place, (d) obtaining reasonable assurance of compliance with regulatory, legal, and ethical rules and guidelines and that appropriate and necessary risk control processes are in place, (e) ensuring all stakeholder interests are appropriately represented and considered, and (f) providing advice and support to management based on experience, expertise, and relationships.”

On the other hand, the Companies Bill mentions the board’s power as: “ (a) to make calls on shareholders in respect of money unpaid on their shares; (b) to authorise buy-back of securities under section 68; (c) to issue securities, including debentures, whether in or outside India; (d) to borrow monies; (e) to invest the funds of the company; (f) to grant loans or give guarantee or provide security in respect of loans; (g) to approve financial statement and the Board’s report; (h) to diversify the business of the company; (i) to approve amalgamation, merger or reconstruction; (j) to take over a company or acquire a controlling or substantial stake in another company; (k) any other matter which may be prescribed

The theoretical legal powers given are quite different from the actual working of an effective board. On an average in India in 2010, board members met 6.5 times during the year. The minimum number of meetings were four, that is a statutory requirement and maximum were 19 board meetings by a company. The boards met on an average three times during the year for strategic and business review.

Considering the number of meetings conducted by the board, with the legal responsibilities and practical requirements, it is not feasible for the boards to do a constructive strategic review of the business or provide regulatory oversight. Too big a mandate has been given, while the time spent on it is relatively small. It is not surprising that most boards are acting as rubber stamps to the senior management plans. It is a case of imbalance between power, responsibility and time commitment.

3. Focus on risks

After the Satyam scandal and financial crises, the board focus on risk management has increased. The boards ideally need to determine the risk appetite, review internal audit reports and external auditors reports, understand various strategic, financial and operational risks, and maintain compliance oversight.  In India, the Company Bill mandates an audit committee for listed companies, with majority being financially literate independent directors.

In 2010, in India, 69% of the board members respondents stated that boards are considering risks as top priority. However, 31% mentioned that boards are not involved in systematically addressing corporate risk management.

My view is that the focus on Indian boards is more on risk of misreporting financial statements rather than others. Risk management field as such is still in young stage in India, and board members are ill-geared or untrained on the various aspects.

4. Information availability

The decision-making of the board is subject to the information available with it. As per law, board members are ideally required to receive all relevant information about board resolutions and decisions, seven days before the meeting. However, board members responded that most of the documents are given prior to the meeting or just a couple of days in advance.

Moreover, “a vast majority of boards depend largely on management reports (90%) and informal management discussions (79%) for business information. Third party reports and stakeholder views are used as tools only by 23% of the companies.”

With such limited information, and high dependability on company sources, the directors may not be in a position to make informed decisions. The directors don’t even have sufficient time to study the presented information to make independent decisions and cross question the senior managers. Hence, this could be a key reason for poor performance.

5. Performance Review of CEO & senior management

The compensation committees recommend the CEO and other senior managers. In India, around 80% the respondent companies had a compensation or remuneration committee. The issue of CEO compensation isn’t as big as the western world, however, it is fast gaining prominence. Some high earning CEOs in the top 100 list are being evaluated on the basis of returns to investors.

The board as such has to evaluate  CEOs performance. In the west, the “star” CEOs are in the limelight and are paid high salaries in relationship long-term company performance. However, India scenario is different. Most of the critical positions in family organizations are held by family members and relatives. In such a scenario, the board or compensation committee are hardly in a position to evaluate the performance or recommend salary.

6. Performance review of board

As per law, the nomination committee reviews directors performance , and recommends removal. However, two-thirds of the independent directors stated the roles and responsibilities of non-executive directors are not defined clearly. Hence, without the clarity in role, the evaluations can hardly be constructive.

As such, the boards in India have the following three priorities: “ensuring overall corporate and statutory compliance (90%), monitoring business and operating performance (87%), and establishing and monitoring financial standards and internal controls (82%). Leadership development, succession planning, CSR and risk management continue to be low on the board priority list.”

The professionally run organization do claim for independent evaluation. For instance, Tata  and Infosys succession, the nomination committees were said to be doing independent evaluation. However, in both cases, questions were raised on the final selection. Though Mr. Murthy in his book mentioned that – “At Infosys, the chairman of the board sits with each board member, discusses his/her evaluation, and suggests remedies and course-corrections. The chairman’s performance review is handled by the lead independent director.

In my opinion, the practice of evaluating board performance only exists in some companies in India.

Closing thoughts

Unless the mindset changes to compassionate capitalism where business is done with integrity, decency and in a principled manner, boards will continue to be tutorial heads without much power and say. To ensure boards perform better, shareholders and investors need to become more active. The regulators need to ensure governance codes are followed in spirit and not just tick box mentality. A more elaborate role can be defined by regulators with mandatory requirement of time commitment and reporting requirements.

References:


Reflections on New Companies Bill Auditor Rotation Clauses

The New Companies Bill 2011, tabled at the Parliament proposes a few clauses on auditor rotation. According to the new provisions, an auditor will be appointed in the first annual general meeting for a five-year term. Thereafter, the auditor will be changed as per the members’ decisions.

An additional clause for listed companies states that the same individual auditor cannot be appointed for a term exceeding five consecutive years. Secondly, an audit firm cannot be re-appointed for more than two five-year terms. For re-appointment purposes for the individual auditor or audit firm, there has to be a gap of five years. Moreover, for appointment or re-appointment purposes, there should be no common partners between the new firm and old audit firm.

Another interesting clause is that members can resolve to ask the audit firm to rotate the audit partner and team every year.

These clauses will ensure that auditors rotate every five years in the listed companies. As investor confidence is based on independent reporting of the auditors, the thought behind these clauses is that rotation of auditors will ensure independent reporting. The move is good, as economic growth is dependent on investor confidence in financial reporting. These clauses were incorporated in the draft after the Satyam fiasco. However, rotation isn’t a silver bullet that will resolve all auditor independence issues. A few concerns about the clauses are listed below:

1. Appointment of auditors for listed multinational companies.

Similar auditor rotation provision do not exist in other countries. In US, PCAOB recently held discussions on auditor rotation and independence. The general opinion of US auditors was that rotation does not ensure independence and comes with a huge financial cost. Hence, the question comes up whether multinational companies will be open to having different auditors in India, than in their headquarters. For large organizations, consolidation of accounts from different locations is a huge task, and with different auditors the information flow and audit practices may differ. Hence, the head office auditor may find it difficult to rely on the work of a local auditor.

Multinational companies are generally comfortable with big four, hence the audit will continue to rotate between big four. Very few Indian companies have the skill set and bandwidth to audit large multinationals. Therefore, this clause will put some practical challenges for multinational listed companies.

2. Audit firms’ partnerships

Indian audit firms scenario is unique in a way, as Institute of Chartered Accountants of India prohibits foreign audit firms to practice in their own name. Pricewaterhouse is the only one allowed, since it entered the market before these guidelines were passed. Others, for instance, Ernst & Young Indian member firm is S.R.Batliboi and company, and all audits are performed in Indian firm’s name, though partnerships are common. The provision of not having common partners applies in this scenario, as some audit firms are auditing under multiple names. PWC audits under the names of PW and Lovelock & Lewis.

The challenge in this clause is that audit partners move among the group companies. Some firms have organized the partnerships in a way to avoid common partnerships, however work under the same management. It will be a difficult task for companies to identify linkages between various audit firm partnerships. The onus should ideally rest with the audit firm to ensure that there are no common partners.

Another interesting aspect is  audit partners movement among big 4 and other companies. If an audit firm is pursuing an appointment, they now will have to be careful that another firms audit partner is not recruited in their partnership at the same time. This might again result in some fancy footwork to avoid the loss of a client.

3. Independence of the retiring auditor

According to the provisions, audit firm will mandatory be changed after two consecutive five-year terms. In simple words, ten years is maximum period an audit firm can audit a client on a single stretch. Hence, the audit firm knows that it is going to lose the audit client, however, the option to provide non-audit related services opens up. Law prohibits auditors from providing the following services to audit clients:

(a) accounting and book-keeping services;
(b) internal audit;
(c) design and implementation of any financial information system;
(d) actuarial services;
(e) investment advisory services;
(f) investment banking services;
(g) rendering of outsourced financial services;
(h) management services; and
(i) any other kind of services as may be prescribed

These services generally are more lucrative than the audit fees earned. Hence, a retiring auditor may wish to keep good client relationships to obtain future assignments. In such a scenario, one has to view rotation benefit skeptically, as the audit firm may not maintain independent reporting  as desired. Rotation of auditors in such a case may just result in adherence to legal requirement instead of contributing to auditor independence. As such, old Indian business houses have 2-3 audit firms that they use interchangeably in various subsidiaries for audit and other services. The work would just get shared among them.

4. Selection of new audit firm

As mentioned earlier, selecting a new audit firm will be difficult for large organizations. Reason being, besides big four there are just a handful of Indian audit firms who have the capability of conducting audits of multinational organizations. A few of these would already be providing some consulting services to the audit client, hence would not be eligible for appointment as auditors. If the potential of earning from consulting services is more, they might not drop those assignments in favor of audit.

Next aspect is that the provisions have additional clauses for barring a person from becoming an auditor. These relate to the usual clauses of individual, partner or his relative not having in holding or subsidiary companies – securities, directorships, loans, business relationships, managerial positions, or any other conflict of interest.

These clauses result in audit firms and client doing a lot of leg work to ensure that all legal requirements are met. All these aspects limit the choice of selection of new auditor to 3-4 audit firms. Since the audit business is going to circulate among the same set of audit firms, it is doubtful that mere auditor rotation would result in better financial reporting.

Closing thoughts

Auditor independence is a complex subject as it forms the bedrock of investor confidence in financial reporting.  Auditor rotation is a good step to ensure that auditors do not lose their professional skepticism and independence by doing the same audit for decades. However, additional quality monitoring procedures of audit firms and review procedures of financial reports need to be built in the regulatory system in India. India lacks a few aspects of US and other developed countries in this matter, however, that is a discussion for another post. On a positive note, the rotation clauses give an opportunity for medium-sized Indian audit firms to build skill sets to pitch in for business of large organizations.

Retaliation faced by Risk Managers and Auditors in India

Washington Post article “Maryland parks agency demotes auditor after spending questions, sources say” again brought to the forefront the retaliation auditors and risk managers face while doing their job. According to the article – “Abinet Y. Belachew was placed in a staff auditing position and his $124,000 salary was cut by more than $30,000, according to records from the agency after he questioned spending by top agency officials“. This is nothing new, the Ethics Resource Center survey of 2011 of US companies states that – “Almost one-fourth of those reporting bad behavior said they experienced some form of retaliation, up from 15% in 2009 and only 12% in 2007.”

The most surprising bit is, that there are hardly any such cases reported by Indian media. At most, media reports if a bureaucrat is fired or transferred from a critical position after a damaging disclosure of government wrongdoing. In respect to retaliation on risk managers and auditors in private sector, there is no coverage.

One can presume either that there is no retaliation or Indian auditing institutes haven’t lobbied to protect their members from retaliation. Indian institutes, namely, Institute of Chartered Accountants of India, Institute of Company Secretaries of India, etc. are governed by Ministry of Corporate Affairs. That could be reason for lack of awareness and action in this field. Moreover, India doesn’t have a whistle-blower protection act and a number of activists have been shot dead in broad daylight. Though, the listing agreement has a clause for whistle-blower protection, it is more in name only. Additionally, law and enforcement agencies are not without corruption. Hence, the cumulative affect is that private sector auditors and risk managers are left without recourse when facing retaliation.

1. Nature of Retaliation

Auditors and risk managers in India, therefore, have far tougher choices to make than their counterparts in the Western world. Doing the right thing and reporting against management, can cause more than just a job loss. In India, following methods are employed for retaliation against risk managers, auditors and whistle-blowers. These sometimes continue even after termination of the employee for a number of years :

a) Downgrade or transfer the individual from the position.

b) Isolate the person, turn the team against the person and bosses give threats of job loss.

c) Spread rumors about personal life of the person. For instance – if a person is married they inform the spouse about an affair, or if the person is single, they spread rumors on sex life and sexual orientation. Take photographs in compromising positions to blackmail the individual.

d) Spread rumors in professional circles to destroy the person’s credibility. The person is told that previous employers will be asked to do a negative background verification. After terminating the employee, organizations still do and even inform head hunters not to process the candidates papers.

e) Use detectives to tap phones, including mobile phones;  hack personal systems to monitor correspondence and internet activity. Inform individual’s contacts not to respond to phones and emails, and threaten if they do so.

f) Enter employee homes without authorization, install bugs and cameras to watch personal activities. Even steal items to make employee feel more vulnerable.

h) Pay relatives, friends and neighbors to stalk the person – physically, on phone and internet - to cause a psychological breakdown. The person is isolated and humiliated publicly on every occasion to instill fear in others.

i) Threaten the person with murder and rape to ensure that they do not go to law enforcement agencies or media. Bribe law enforcement agencies, attorneys and media to not accept the complaint and report the same.

j) Ensure all other sources of income are stopped as the person becomes financially liable and cannot fight back.

k) Try and make the person physically sick, by food poisoning and other means. Deny medical aid or ask doctors to provide incorrect medicines for treatment.

l) Lastly, in rare cases the person is murdered.

Considering the risks of retaliation and the unwritten rule that reports should be published according to management directives, auditors and risk managers deal with internal conflict at multiple levels. It is at one level, between doing the right thing and progress within the organization. At another level, it is about passion for auditing and risk management versus fear of endangering career and life. Overall, the choice is between following an ethical path for the benefit of society versus the option of compromising them for self-interest. With the high-level corruption in Indian society, it appears to be losing battle as a lone person battles mighty organizations.

2. Some Suggestions

The choices would be simpler if institutes provided mentoring and support in dealing with such cases. The institutes ensure that all members sign of on a code of ethics; however, do not provide the training and support on dealing with ethical dilemmas and protection against retaliation.  In this aspect, Indian institutes would do well to adopt practices of international institutes.

Moreover, international institutes have a stake in developing these practices in India. Not only Indians are members of the institutes, a number of multinationals operate in India. As multinationals are aware that it is easier to break the law and rules in India, due to high-level corruption and limited education on risk management areas, they are more prone to undertake unethical behavior and accounting practices in Indian and other emerging countries. Indian employees of multinationals are unlikely to whistle-blow on international law enforcement agencies websites as most don’t know where to report and the risks of reporting are high. Without support at local level, it is difficult to report at international level.

Closing Thoughts

In the end, the decision each risk manager and auditor needs to take is based on the reason for joining the profession. In India, chartered accountants earn equivalent to doctors, engineers and MBA’s. If they joined the profession to earn well and climb the corporate ladder, they may willingly compromise ethical standards. On the other hand, if they joined because they were passionate about the subject and wished to make a difference, they may compromise their own self interest for the betterment of society.

Overall, retaliation is tough to deal with and a higher level can make many buckle down in fear. Auditors and risk managers have a lot of power in their hands to ensure good practices are adopted by the corporate world, it is best to use it wisely. People need to be educated that by retaliating against risk managers and auditors, they are playing in the hands of people using unethical practices, thereby risking their own investments and well-being. The institutes should build the public awareness about the same.

References:

  1.  Maryland parks agency demotes auditor after spending questions, sources say – Washington Post
  2.  Ethics Resource Center 2011 Survey

Highlights of Ernst & Young India Fraud Survey 2012

Ernst & Young, a fortnight back released an India based fraud survey report titled “Fraud and corporate governance: Changing paradigm in India”.  The survey had 114 online completed forms with respondents categorized in three groups – 45% foreign MNCs, 32% Indian MNCs and 23% Indian companies with domestic operations. Though the survey information is worth reading, the results are not truly representative of the Indian corporate world. In India, around just 10% of the companies are listed, 90% of the companies are private or unlisted public companies, and less that 5% are foreign companies. Hence, the results shows a tilt towards MNCs understanding of fraud risks.

1. Main Fraud Risks

  As per the survey the following are the top five risks of fraud :  

a. Data and information theft and IP infringement   
b. Bribery and corruption
c. Fraud by senior management and conflict of interest.      
d. Vendor fraud or kickbacks.
e. Regulatory non-compliance.

Further on, the profile of the fraudster is a male middle management level employee in his 30s working in procurement or sales department. This maybe true for the smaller amount of frauds, as the survey doesn’t discuss accounting manipulations, though does state that senior management involvement is there in high value frauds. The high level window dressing and accounting manipulations of financial statements at the behest of CEO, CFO and Board is an unmentioned aspect in India due to the power equations. The survey gives a contrary viewpoint than that mentioned in the Fraud Symptom series. In this aspect, the survey shows that Indian fraud scene is better than the US fraud scene, and that is quite hard to believe.

2. Fraud Reporting

In India, most frauds go unreported, specially senior managers. The survey makes this candid observation, that I am in complete agreement with – “Companies are reluctant to take legal recourse against employees responsible for committing fraud. Only 35% of the respondents said that their company takes any disciplinary action against unscrupulous employees. ” Although fraud incidence has increased, the organizations do not report due to the time taken in judicial resolution, to escape regulatory repercussions and avoid huge reputation damage. Moreover, the practice is to ask police to help recover the defrauded money, and after that let the law takes its own course. Since, the plaintiff (in this case the company) is provided a public prosecutor, the company stops pursuing the case after some time. Hence, usually the fraudsters go unpunished.

Due to this approach, fraud in private sector is mainly unreported. The government sector auditors (CAG) are doing a far better job in highlighting fraud cases. In comparison to government reporting on fraud and bribes, private sector is not even showing one-tenth of the cases. The situation is absolutely unlikely and has to be viewed skeptically. When the demand side (government) bribe cases are high, the supply side (private sector) has to be equivalent. The private sector is in no position to hold the holier than though attitude.

3. Fraud Detection

The survey mentions the paradox – “fraudsters are using advanced tools and technology to perpetrate frauds” and organizations are using excel based worksheets to detect frauds. It states – “Less than 50% of the respondents are aware of  fraud-prevention and detection tools. Moreover, in spite of the current popularity of social media, only one-fourth of the respondents are aware of IT based        tools that can be employed to identify unethical behavior, based on a social network analysis”. In India, fraud detection and investigation skills are in short supply. Since organizations aren’t focused on risk management, the fraud risks remain unaddressed.

Another challenge, brought out very well in the survey is absence of whistle blowing systems in Indian organizations and high level of retaliation due to lack of whistle-blower protection laws. The survey mentions –  “Less than half of the respondents reported that their companies have a telephone hotline.” Additionally, as the hotlines are internal, anonymity is low and risk of retaliation is high.

Closing Thoughts

The survey gives, in addition to fraud risks, interesting insight on bribe and corruption, and new regulatory changes. It is a good read and there are very few fraud surveys available solely focused on India. Disclosure: I am ex-E&Y, hence am likely to be biased. Mind you, I haven’t written previously of E&Y surveys and reports, hence, you can presume that some level of independence in thought has been maintained.

References:

1.Fraud and corporate governance: Changing paradigm in India – Ernst & Young Survey

A Philosophical Discussion on Murder of Whistle Blowers

This Sunday, Anna Hazare is fasting in Delhi in support of Whistle Blower Protection Act. Indian laws don’t provide for whistle-blower protection and the damage is evident. Over the years, numerous whistle-blowers have lost their life. A few cases are covered up as personal dispute due to the high level corruption in the system.

Corruption benefits the majority, so does it make it acceptable? Legally, public will say – of course not. But even Hazare’s big protests in 2011 have lost public support. The government used delay tactics and maligned the name of key leaders of his team. Most state leaders didn’t want a Lokayukta in their states. There is no political will among the politicians, bureaucrats and business to pass a strong bill against corruption.

Then it isn’t surprising, that even on  witnessing the death of whistle blowers, public doesn’t protest about it. On the other hand, most keep quiet, lest they become the target. In such circumstances, majority of the people have given implicit consent to murder for their own self-interest. Of course readers would be outraged by this suggestion and claim they were no way involved in the murder. They didn’t give implicit consent!

Let us discuss this from a philosophical lens. Micheal Sandel, the Havard professor discusses this point in his video lectures : Justice – The Moral Side of Murder and The Case of Cannibalism. In the episode “Moral Side of Murder” he discusses a hypothetical case:

“Suppose you were driving a trolley on a rail track and its breaks failed. Five workers are ahead on the track, if you continue to drive straight, all five will die. On the other hand, in a diverging track, there is just one worker.  If you change track, that one worker will die but the other five will live. What is the right thing to do?”

Most students responded that they will swerve to the diverging track and chose to kill one to save five. At a psychological level, they have given moral justification of murder. Then Mr. Sandel gives another example :

“Suppose you are standing on a bridge with the track below, and you see this trolley hurtling without breaks. There are five workers on the track. There is a fat man standing next to you. If you push the fat man over the bridge, on the track, the lives of five workers would be saved. Would you do it?”

Majority of the students said – “No, they wouldn’t do it”. The reason is that it would involve explicitly murdering a person. Can we conclude from these examples, that human race is fine with implicit consent to murder however have qualms on explicitly murdering?

Some whistle blowers due to the psychological torture have committed suicide. That is an indirect attempt to murder. The rich and middle class gain from corruption, hence they give an implicit consent to murder of whistle-blowers. Does this statement hold true, or would you debate it?

Mr. Sandel discusses this in the next part of the lecture on cannibalism. He discusses The Queen v. Dudley and Stephens case, and the facts are as follows:

“At the trial of an indictment for murder it appeared, upon a special verdict, that the prisoners D. and S., seamen, and the deceased, a boy between seventeen and eighteen, were cast away in a storm on the high seas, and compelled to put into an open boat; that the boat was drifting on the ocean, and was probably more than 1000 miles from land; that on the eighteenth day, when they had been seven days without food and five without water, D. proposed to S. that lots should be cast who should be put to death to save the rest, and that they afterwards thought it would be better to kill the boy that their lives should be saved; that on the twentieth day D., with the assent of S., killed the boy, and both D. and S. fed on his flesh for four days; that at the time of the act there was no sail in sight nor any reasonable prospect of relief; that under these circumstances there appeared to the prisoners every probability that unless they then or very soon fed upon the boy, or one of themselves, they would die of starvation.”

To protect oneself or the majority, is murdering someone else justified? The students raised interesting aspects :

1) Some said if selection was done by lottery, then maybe it is illegal but more acceptable. Reason given was they would consider it that all participants on the boat knew the risks of losing.

2) A few students stated that if the boy would have volunteered to die for the benefit of others, it would be acceptable. The boy was an orphan and all others had family responsibilities.

In case of whistle-blower murders, the person dies without have consented to die or being made aware of the decision of the most. The majority votes behind his/her back for murder to safeguard themselves. Does that make majority behavior acceptable?

Watch the hour-long video, and share your thoughts.

In whistle blowing, most feel threatened about the repercussions from people in power and say that they have family responsibilities and cannot expose themselves to the risk. Hence, it is better to go against the whistle-blower attempting to do the right thing, than the person who is doing the wrong thing. Do the same psychological reasons as given in the above mentioned case apply when society goes against whistle blowers?

References:

Harvard University – Justice with Michael Sandel

Fraud Symptom 12 – Unethical Compromises by External Auditors

In the recent corporate frauds, auditors’ professional robes were soaked in dirty money. Their unblemished reputations tarnished, they dealt with allegations of compromising ethics, code of conduct and reporting responsibilities for self-interest and business opportunities. Auditors, the bastions of corporate governance and maintaining shareholders interests miserably failed in performing their duties. In some cases they failed to detect the frauds, and in others they collaborated with clients to facilitate them in conducting frauds.

The contract clauses of reasonable assurance, limited liability and others lets them escape criminal liabilities usually. The regulators, shareholders, employees, third parties and the public helplessly watch the organization going bankrupt and/or closing down because auditors failed to detect wrong doing or failed to report the same. The financial crises showed that without due care, global economies go in recession. That should make auditors more responsible; however, it is not the case.

Francine McKenna author of blog re: The auditors  is a pro in digging dirt about big four and openly shares her views. This extract from her blog shows the interrelationships between big four and corporate giants. With these relationships independence of external auditors is easily questionable and suspect frequent compromises. Though I normally don’t post big extracts from other blogs, this one is too good to miss.

“KPMG audits Citigroup, Wells Fargo – who now owns client Wachovia – GE, and GM.  They used to audit two big mortgage originators before they blew up – Countrywide and New Century. They also used to audit Fannie Mae and Moody’s before they were fired and sued. They also audit the US Treasury.

PricewaterhouseCoopers audits JP Morgan Chase, Bank of America, Goldman Sachs, AIG, the Federal Home Loan Banks, and Freddie Mac. PwC is also responsible for Satyam, Northern Rock in the UK, Glitnir in Iceland, and Russia’s Yukos.

Deloitte, who is now Fannie Mae’s auditor, was also auditor of four other housing related companies that had issues: Taylor Bean & Whitaker, Beazer, Novastar, and American Home. (The bank that TBW bankrupted, Colonial Bank was audited by PwC.) Deloitte audited three no-longer-independent large firms sunk by bad mortgages: Merrill Lynch, Bear Stearns, and Royal Bank of Scotland. Deloitte used to audit Washington Mutual before it was taken over forcibly by JP Morgan. They also audit the Federal Reserve Bank and Buffett’s Berkshire Hathaway.

Ernst & Young, everyone knows, audited Lehman Brothers. But don’t forget UBS and Societe Generale, home of the “rogue” traders, and Anglo Irish in Ireland. EY also audits News Corp and S&P, the ratings agency.”

The issue is can shareholders expect auditors to report independently and forgo lucrative business to adhere to ethical standards. Audit organizations need an organization culture that focuses on social responsibility with profit motive. However, some successful ones have a competitive aggressive culture that fails to build in the ethical aspects of auditing.

Therefore, the cultural climate in auditing firms raises questions. The research  paper “Public Accountants’ Perceptions of Ethical Work Climate” authored by Howard Buchan  evaluates Ethical Climate Questionnaire developed by Victor & Cullen for public accountant firms. The following questions were asked from partners to staff to assess the instrumental climate.:

  • “E1 In this Firm, people protect their own interests above all else._____
  • E2 In this Firm, people are mostly out for themselves._____
  • E3 There is no room for one’s own personal morals or ethics in this Firm._____
  • E4 People are expected to do anything to further the Firm’s interests, regardless of the consequences._____
  • E5 People here are concerned with the Firm’s interests-to the exclusion of all else._____
  • E6 Work is considered substandard only when it hurts the Firm’s interests._____
  • E7 The major responsibility of people in the Firm is to control costs._____”

The instrumental climate emphasizes individual self-interest and company interests above all others. Though the study mentions that participants didn’t perceive an instrumental climate, the mean responses ranged from between “mostly false” to “somewhat false”. The results indicate that partners and junior staff perceive ethical climate differently in the firms. Hence, more focus is required on building an ethical culture within the auditing firms

Moreover, though audit firms have been asked by regulators to segregate non-audit and consulting practices, the  bifurcation is cosmetic and not in spirit. A recent example is of PWC India whose partners were implicated in the Satyam fraud.  Times of India reported the insurance claim by PWC for Satyam fraud is fraught with irregularities and arms length distance was not maintained between various PWC entities as required by Institute of Chartered Accountants of India (ICAI).

Price Waterhouse (PW) Bangalore, the tainted auditor of scam-hit Satyam, utilized over 95% of a $60-million (Rs 280 crore approximately) insurance cover available to all Price Waterhouse entities in India to meet post-fraud litigation expenses and damages without paying a single rupee towards the premium. The revelation raises questions about the arguments put forth by the global financial services company that each of its Indian firms is a separate legal entity and not responsible for the acts or omissions of any other member firm. 

PW Bangalore, which had the mandate for the Satyam audit before the fraud came to light in 2009, did not contribute any money towards the Professional Indemnity Insurance (PII) of $60 million, but surprisingly enjoyed the cover when it faced trouble and litigation for the lax audit, documents accessed by TOI showed. PW Bangalore even used the cover to pay $15.5 million towards settlement of a class-action suit filed against it in the US. Till financial year 2011, various entities of PricewaterhouseCoopers India (PwC India)-including a private limited company which renders only non-audit related services-had a common insurance cover. “

The blame for the malpractices has to be shared by regulators, board of directors and shareholders. Most of the fortune 500 companies select big four as auditors. Though audit committees are required to annually review and recommend auditors, in most cases the auditors are not changed. In my previous post on audit committees, I had mentioned this data from Economic Times article - “Can the big four survive a break-up attempt”.

  • In top 100 (US) companies, the average tenure of audit firms was 28 years. 20 companies had the same audit firm for 50 years or more.
  • 85% of the companies in EU are audited by big four.
  • 99% of the audit fees paid by FTSE 100 (UK) in 2010 were earned by big four.
  • Just 2.3% of FTSE firms changed their auditor between 2002 and 2010.

Without regulators taking their responsibilities seriously the audit firms aren’t going to change. For instance, ICAI disciplinary committee for chartered accountants have big four partners as members. In other committees also, big four partners have an influential position. Considering this, it is not surprising that the disciplinary process is slow, as was in the case of Satyam.

Recommendations

1. Regulators must lobby for laws to mandate audit firms rotations. For instance, the new Companies Bill 2011 (India)  requires rotation of audit firm every 5 years and audit partner every 3 years. It also states that no audit firm will audit a company for more than 10 years. These laws will ensure some level of independence and also give a growth option to other audit firms.

2. ICAI and other institutes granting permission for practice to audit firms may periodically conduct an assessment to evaluate the ethical climate of the firm.

3. ICAI and other institutes should either segregate disciplinary responsibilities to another organization or become proactive in disciplining errant chartered accountants.

4. Audit committees, boards and shareholders must proactively manage the appointment of audit firms and evaluate the financial reporting systems.

5. Audit firms should take a leaf out of their own book and focus on building a benevolent organization culture to balance their social responsibility with profit earning objectives.

References:

  1. re: The Auditors by Francine McKenna
  2. PwC arm’s insurance cover under cloud - Times of India 29 February 2012
  3. Public Accountants’ Perceptions of Ethical Work Climate: An Exploratory Study of the Difference Between Partners and Employees within the Instrumental Dimension by Howard Buchan

If you wish to read the Fraud Symptoms series, click here.

Shattering Perceptions About Audit Committees

Imagine driving a car with a speedometer in the rear. When you crash, a voice from the back of the car gives the depressing message – “You crashed because you broke the speed limit of 60 miles an hour”. Now this question will get most of the auditors and risk managers upset, but I shall stick my neck out on this one. Don’t you think this metaphor fits the role audit committees are fulfilling presently?  Should the audit committees function differently to help the CEO and board members perform better?

I am sharing below come controversial views on role and performance of audit committees. Let us say, I am auditing “auditing committees”. It might force you to rethink some issues. Do you share my views or hold different views?

1.  Formation of Audit Committee

Generally, audit committees are formed with 3-4 non-executive independent directors. The premise is independent directors are in a better position to give impartial and unbiased views. Hence, the committee is entrusted with responsibility of advising the board on effectiveness of systems of internal controls, compliance and governance in relation to financial reporting obligations.  The pertinent questions that arise are whether the independent directors are actually independent and capable of fulfilling their responsibilities. To shed light on this area, I am discussing some scenarios on appointment of independent directors.

Usually, independent directors are invited to join the board since they are either socially connected to the CEO or some other director. Delving into their backgrounds reveals commonalities between education, employment and/or social background. A board survey done in 2005-2006 in India showed that a “good 90% of the non-executive independent directors were appointed using CEO/chairperson’s personal network/referrals, and the remaining 10% through executive search firms.”

 Another challenge is getting independent directors with the right industry experience and expertise. To illustrate, in 2010 48% UK FTSE companies were unable to comply with the provision of 3 non-executive directors forming the audit committee, as there were  insufficient non-executive directors available in the board. Moreover, around 10-11% of the companies did not specify a director with relevant financial expertise.

Looking from another angle, appointment of independent directors to other company boards is dependent on favorable reviews and recommendations from existing board members. In light of this, wouldn’t the audit committee members be tempted to look the other way and avoid raising issues where CEO or board involvement is suspected in frauds. Can we really consider them independent?

Additionally, the value-add provided by the audit committee members is sometimes questionable.  I couldn’t find specific data relating to India, but Grant Thornton report on UK companies states that audit committee meetings on an average were held 4-5 times during the year and non-executive directors attended meetings on an average 17-18 times during the year. If I do back of the envelope calculations,  in rare cases only audit committee members would be spending more than 10 days per annum to fulfill their responsibilities for a particular company.

Considering this, I personally have doubts whether audit committee members are in a position to understand the complexities of business, the control environment and various risks impacting the organization. Keeping the size of organizations in mind and their global spread I sometimes feel that audit committees provide an illusion of confidence to shareholders rather than real confidence.

 2.  Selection & Appointment of External Auditors

 The appointment and selection of external auditors is one of the key recommendatory functions of the audit committee. The board in the annual general meeting generally proposes the name of the external auditor recommended by the audit committee.  .

Hence, the assumption is that audit committees take this responsibility seriously. I came across this Economic Times article “Can the big four survive a break-up attempt”. It highlighted some interesting facts:

  • In top 100 (US) companies, the average tenure of audit firms was 28 years. 20 companies had the same audit firm for 50 years or more.
  • 85% of the companies in EU are audited by big four.
  • 99% of the audit fees paid by FTSE 100 (UK) in 2010 were earned by big four.
  • Just 2.3% of FTSE firms changed their auditor between 2002 and 2010.

Separately, a Grant Thornton 2010 report states that average duration for UK FTSE companies of an external auditor is more than 31 years. Additionally, 55% companies provided minimum insight on selection process of external auditor and just 15% companies provided detailed information on the decision-making process.

I am going to let you decide whether with these facts you can presume the audit committees are ensuring proper selection and appointment of external auditors. The logical argument given would be that big four have the geographical reach and expertise to audit multinationals. I have a straightforward question – with the same audit firm continuing for numerous years, can one assume objectivity and independence in reporting.

I am personally in favor of the new Companies Bill 2011 (India) clauses relating to audit firm and audit partner rotations. It mandates rotation of audit firm every 5 years and audit partner every 3 years. In my view, that is a step in the right direction.

 3.  Relationship with Chief Audit Executive

Grant Thornton 2011 CAE Survey of US companies revealed some startling data. A quarter of the CAE’s had not met the audit committee chair outside of board and committee meetings. 29% had met 1-2 times and 31% had met 3-5 times during the year.

Another interesting fact from Grant Thornton 2010 report is that 13% of the UK FTSE 350 companies did not have an internal audit function. That is, 40 of UK largest companies did not have a third line of defense, so most probably didn’t have a CAE. Moreover, 25% of the companies did not disclose compliance to this provision in the reports. This fact is fascinating as in India internal audit is mandatory for listed companies and external auditors are required to comment on the function.

Seeing the above US data, that 85% CAEs had minimal interactions with audit committee chair, can one say that they have a good relationship with the chair and members of audit committee?  Without having a good one-to-one personal relationship, do you think audit committee members are in a position to assess the real performance of internal audit department or gather critical information about the company from the CAE. With such limited communication among audit committee members and CAE, would you have doubts on their effectiveness?

Now add to this, a CEO can terminate CAE services if s/he shares an opposing view than the board. Very few boards are mature enough to allow CAEs to constructively confront their ideas. Audit committee members may not be able to protect the CAE in all circumstances. Under these circumstances, would you say that audit committee and internal audit departments are effectively assessing the internal controls environment of the organization?

My view is that most audit committee members spend time on audit committee charter, internal audit charter and internal audit reports submitted by the CAE. They don’t delve deeply into  procedures used to conduct internal audits. Additionally, in some companies there might be just superficial support given to the internal audit function.

 4.  Challenging Board Decisions

Audit committees have immense power in the sense that it can challenge board decisions. As per Companies Bill (India) if the “board does not accept any recommendation of the audit committee, the same shall be disclosed in the report along with reasons thereof.” However, I have rarely seen a report that states audit committee’s recommendation was not followed. This would make us presume that audit committee members are exercising their power properly and keeping a control on board activities. However, the picture is somewhat different.

A KPMG Audit Committee survey conducted in 2010 mentions that – just 27% boards encourage contrarian views and discourage groupthink, 64% do it somewhat and 9% do not accept different viewpoints at all. As I had mentioned in a previous post, Satyam fraud case portrays board’s failure to exercise judgment. Although Satyam’s board consisted on renowned personalities, Central Bureau of Investigation report–

  “The members of the Board of Directors had acted as “rubber stamps”, unwilling to oppose the fraud. Not a single vote of dissent has been recorded in the minutes of the Board meetings.”

Moreover, the lack of personal accountability in independent directors’ mindset was apparent after Satyam fraud came into light. In a short period, subsequent to the disclosure of fraud 109 independent directors voluntarily resigned although their term had not ended, fearing being held liable for fraud or non-detection.

SKS Microfinance case is another example of the extent to which the board will not raise issues. CEO Suresh Gurmani was fired at the behest of the Chairman Vikram Aluka. Eight of the ten directors voted in favor of his termination, the other two were absent, although the CEO had no previous performance issue.

The situation is similar across the world. Enron, WorldCom or Swiss Air failure reflects board’s ineffectiveness. They are not exercising their powers judiciously for the benefit of the shareholders. In my opinion, audit committee members and other board members can do much more by challenging the viewpoints of the CEO and his/her team

5.  Evaluation of Finance Function

Ensuring the integrity of financial statements is one of the key responsibilities of audit committees. The members are required to review the financial statements with the external auditors before submission of the board.  Just to give you an example, Tata Motors 2010 corporate governance report defines the responsibilities of audit committee in respect to financial reporting as follows:

Reviewing the quarterly financial statements before submission to the Board, focusing primarily on:

  • Compliance with accounting standards and changes in accounting policies and practices;
  • Major accounting entries involving estimates based on exercise of judgment by Management;
  • Audit Qualifications and significant adjustments arising out of audit;
  • Analysis of the effects of alternative GAAP methods on the financial statements;
  • Compliance with listing and other legal requirements concerning financial statements;
  • Review Reports on the Management Discussion and Analysis of financial condition, results of Operations and the Directors’ Responsibility Statement;
  • Overseeing the Company’s financial reporting process and the disclosure of its financial information, including earnings press release, to ensure that the financial statements are correct, sufficient and credible;
  • Disclosures made under the CEO and CFO certification and related party transactions to the Board and Shareholders.”

Hence, it is crucial to evaluate the performance of finance function.

As I had mentioned in an earlier post, CFOs after CEOs are the most likely people to do accounting manipulations. CFOs either do it on their own or at the instigation of CEO. Due to the nature of their role in preparation of financial reports, they are in the unique position to hide critical information, change accounting policies, pass dubious transactions and present false reports. A Satyam or Enron couldn’t have occurred without CFOs involvement.

Another aspect to look into is that the role of CFO has expanded and become more critical. CFOs are not only managing financial reporting, but also play a key role in strategy development, risk management and business monitoring. The question is what audit committees need to take into account to evaluate the performance of the finance function. Below are some pointers:

  • Evaluate the role of the CFO in the organization to understand the functioning and power dynamics.
  • Assess whether CFO is able to maintain independence and hold his/her own position with the CEO.
  • Understand the logic given for changing accounting policies and methods, entering into transactions that may not be arms-length and inter-group company transactions.
  • Review the history of accounting frauds and manipulations, notices from regulatory agencies and industry specific risk impact on the organization.
  • Evaluate CFOs relationship with external auditors to determine whether he/she is unduly influencing them. Obtain CFOs viewpoint on qualifications and disclaimers given by external auditors.
  • Review the systems and processes used for maintaining accounts and preparing financial statements. Understand the finance department organization structure and segregation of duties matrix.
  • Determine CFOs focus on cost control, risk management, cash-flow management, and acquisition and mergers.

In my view considering the crucial role of CFOs, audit committees need to spend time understanding the various facets of finance function and gathering critical information to evaluate the integrity of financial reports.  From the past corporate scandals, one cannot assume that audit committees are doing a good job at raising red flags and/or identifying accounting manipulations.

 6.  Nature of External Reporting

The present day hot topic of discussion is about the aspects audit committees should include in external reporting. As such, law requires that audit committees review the financial reports and related media releases. The question is should audit committees ensure that a company sticks to minimal reporting requirements or should it go beyond them.

In my view, corporate governance is about building good and transparent relationships with investors, shareholders, creditors, public and regulators. Hence, information that contributes to a healthier relationship between management and other parties should be disclosed.

Let me explain my viewpoint. Taking the example of India, a number of listed companies are family owned-managed companies (example, Reliance group, Tata group, Birla group etc.). Shareholders, especially the minority shareholders do not have significant say in company. The perception exists that family owned groups sometimes do not invest funds for shareholder benefits and squander them for personal privileges. Moreover, Indian corporate laws are good on paper, the regulation is not so great, though improving. Hence, Indian shareholders are a vulnerable lot. Additional information builds trust and confidence as seen in the case of Infosys.

The business benefits for upholding transparency are huge.

  • The market value of shares increases. Velocity of share trading is also higher than other companies.
  • Financial institutions show more propensities to invest.
  • Foreign investors – institutional and individual – are open to trading in the shares.
  • The companies have lower legal and regulatory costs as regulators are comfortable.
  • Customers prefer buying products from companies that are ethical and socially responsible, hence transparency impacts sales directly.

The most important job of audit committees and board members is to ensure that management aligns company and personal objectives with shareholder interests. If the company is doing bare minimum reporting then audit committee is not really keeping shareholder interests in mind. For instance,  Grant Thornton report of UK companies’ corporate governance practices mentions that of the 303 largest companies in 2009-2010, just 11% of the chairpersons commented on the corporate governance practices.

In my view, audit committees should focus more on the extent and level of external reporting.  To enhance shareholder confidence more details can be provided on functioning of board, and internal audit, finance and risk management departments. A discussion on organization objectives, strategy and evaluation parameters would also be helpful. An explanation about the external auditor selection process and fees would be beneficial. Lastly, the company’s efforts in fulfilling corporate social responsibility would provide an added advantage.

7.  Information Available with Audit Committees

Besides the abovementioned activities, audit committee members are required to look into other aspects of the business also. For example, review – the utilization of funds through public issues, transactions that indicate conflict of interest,  cases of suspected fraud, financial statements of subsidiary companies, political spending and overall compliance with regulatory provisions.

Normally audit committee members rely on getting information from board meetings, minutes of the meeting, discussions with external auditors, reports and discussions with internal auditors, fraud investigation reports, whistle blowing hotline investigation reports etc. However, the question remains – do audit committees get the real information to make informed decisions? A KPMG 2010 US survey report states that 77% of the audit committees are activity engaged in obtaining information.

However, I do not see the same occurring in India. At the time of Satyam scandal and more recently on formation of new Companies Bill, there was a lot of discussion about responsibilities of independent directors in respect to fraud or inaccurate financial reporting. The independent directors had complained that they are not privy to the internal workings and thinking of the organization. Especially in case of family owned group. Hence holding them responsible is not the right step. If one considers this view, then audit committee members are actually abdicating their responsibility.

Another issue to deal with is that audit committee members may lack industry expertise, hence may not know the questions to ask. In my view, audit committee members should use their right to hire external consultant in case of doubt. Moreover, they should get additional information. A few pointers are:

  • Obtain strategy and implementation plans.
  • Review key performance indicators – financial and non-financial with status
  • Interact with external and internal auditors of subsidiary companies directly
  • Hold discussions with senior and middle managers were required of various business units
  • Discuss with company secretary all legal and compliance challenges
  • Discuss with ethics officer the key issues on maintaining code of conduct
  • Discuss with fraud risk, information security and other risk officers the key issues they have faced during the year and their overall functioning.
  • Review in detail all documentation relating to material transactions, acquisitions and mergers.
  • Travel to other offices and locations to understand business operations.

This is not an exhaustive list, however will be beneficial in fulfilling audit committee members responsibilities better. Without gathering this information, the audit committee members would in my mind is doing superficial oversight.

8.  Effectiveness of Risk Management Programs

The financial crises got the focus back on risk management. In the annual reports boards are required to comment on the performance of risk oversight function is. Board has to the responsibility to ensure that the organizations risk management procedures are commensurate with the company’s risk profile. In most cases, board delegates responsibility for risk oversight to audit committees, especially when the organization does not have a separate risk oversight committee.

Risk reporting is generally done in the business review section, though integrated reporting of risks and internal controls is being encouraged. As per Grant Thornton UK report, 63% of 350 FTSE gave detailed descriptions of risks and focused on operations risks. The question that comes up is how audit committees assess the effectiveness of risk management function and programs.

Let me take some of the challenges of risk management in the financial industry:

  • Risk management is increasingly complex for financial institutions as it involves managing interlinked strategic, financial, operational and systemic risks
  • Risk managers do not have sufficient authority and are frequently overruled by business teams. In few cases, they play a role in strategic decision-making.
  • Risk managers do not strong relationships with business teams
  • Risk appetite is defined by the organization but data is so scattered that it is difficult to monitor when actual organization risk exceeds risk appetite.

During the financial crises some of the key examples were –

  • Royal Bank of Scotland (RBS) acquired ABN Amro Bank without sufficient details. It faced quite a few unpleasant surprises later on.
  • Lehman did not get timely funding as actual worth of CDOs was considered overestimated, hence had to file for bankruptcy.
  • AIG faced challenges in finding an investment partner since it didn’t have financial systems for integrated reporting.

Still banks are increasing their risk profile in the coming year. Some may have improved the risk management function and reporting, while others may not have learnt their lessons.

In light of this, my question is simple. Are audit committees really in a position to comment and provide reliable assurance on effectiveness of risk management programs?

 9.  Assessing Risk Culture

Loud noises after major frauds and financial crises repeatedly proclaim the same thing – “The risk culture of the organization was wrong”. It all boils down to the culture of organization and the attitude of the management towards risk taking. When Wall Street bankers received bonuses after the crises, there was uproar in the government and public. The outcry was bankers should be penalized for excessive risk taking, and not rewarded for nearly collapsing the financial sector.

Hence, the question arises why doesn’t management do anything about the risk culture? The logic is simple if you view it from CEO/CXO perspective. Their performance is evaluated on the quarterly numbers they give in the financial reports. To give that incremental growth high risk taking is required. Building a risk culture requires a long-term commitment to reap rewards. While implementing a risk culture program, in the first year the performance might be lower as employees will not be as enthusiastic about taking risks. Moreover, most of the professional CEOs duration is of 4-5 years in a company.

Considering these aspects it is not surprising that only a few are committing to building a risk culture. Though the corporate scandals have reduced investor confidence and resulted in closure of many organizations, the belief persists that they will not land up in the same soup. However, there is enough evidence that a high risk taking culture can nullify all the efforts of risk departments.

To counteract the effects of high-risk taking, proactive chief risk officers focus on building the risk culture. Their challenge is that regulatory guidelines ensure lip service and real commitment is missing.  The question remains, can audit committees help them in doing so?

Audit committees in my view can assess the risk culture by focusing on:

  •  Remuneration of key personnel, including the bonus component linked to performance.
  • Code of business ethics adopted and implemented by the company
  • Analyzing the extent of reputation and regulatory risks the organization is facing
  • Reviewing reported ethical breaches
  • The amount of risk appetite board has determined it is willing to take to meet strategic objectives.
  • The processes implemented to monitor risk appetite and key risk indicators
  • Transactions entered that reflect conflict of interest to some degree.

In my view, audit committees can do much more to improve the tone at the top about risks. A continued focus from board members is likely to influence management in incorporating a good risk culture. A detailed explanation on the risk culture in the annual returns would be beneficial.

 10.  Internal Controls

Last but not the least, audit committees responsibilities include ensuring that the organization has effective system of internal controls. In some countries including India, the board is required state in the annual report that proper systems are in place to ensure compliance to all the applicable laws of the country. If it is not so, then they need to provide an explanation.

As you recall history, the focus on internal controls had increased worldwide after the spate of frauds (Enron etc) in US and subsequent introduction of Sarbanes Oxley Act. On that premise, one would assume that most companies would have vibrant internal control systems now. Though all companies report on internal controls, the Grant Thornton report states that in UK just 25% companies provide a detailed description on procedures adopted to evaluate the effectiveness of internal controls.  Just 3 companies disclosed material weakness in internal controls. Hence, the quality of assessment of effectiveness of internal controls by audit committees comes in doubt.

Therefore, the question comes up – how do audit committees improve quality of assessment. Although regulations are more geared towards audit committees reporting internal controls on financial systems, a broader view covering operational and compliance controls is preferable. To do so, audit committees need to understand the business objectives, strategy, processes and information systems of the organization. This will facilitate them in understanding whether the organization is geared and equipped to deal with day-to-day operational problems. In the current environment, management requires real time information for decision-making  and managing business operations.

After gathering the abovementioned information, audit committees would be in a position to assess whether:

  • The right financial and operational areas were selected for internal controls review
  • Procedures and practices followed for assessing internal controls was sufficient.
  • Any areas require further review.
  • The reported control weaknesses are material

In short, though audit committees are focused on ensuring organizations have a proper internal control systems, additional work can be done to improve the confidence in the assessments.

Closing Thoughts

Audit committees are a critical tool for corporate governance. However, presently in my view they are not significantly effective. Hence, emphasis on working of audit committee can add value not only to the board but also to the investors and shareholders. It might appear a tall order, but ensuring that audit committee meetings are frequent, maybe monthly, would very much improve the performance. Worldwide, the corporate world needs to take this route to ensure better governance and build investor confidence.

I rest my argument here; share your opinion with me.

References:

  1.  Economic Times article – “Can the big four survive a break-up attempt”
  2. Evolution and effectiveness of independent directors in Indian corporate governance – by Umakanth Varottil, Faculty of Law, National University of Singapore
  3. Grant Thornton 2011 Chief Audit Executive Survey – Looking to the future: Perspectives and trends from internal audit leaders
  4. Grant Thornton 2010 Report on UK
  5. Corporate Governance in India – Evolution and Challenges by Rajesh Chakrabarti College of Management, Georgia Tech
  6. Tata Motors 2010 Corporate Governance Report
  7. KPMG- Highlights of the 6 Annual Audit Committee Issues Conference 2010