Normally when I write, I have a fair idea of the pros and cons of my viewpoint and the questions that can be raised on the topic. In this case, I would like to say that my thoughts are still in a fluid state, and I welcome my readers to share their opinions on this post.
Let me get to the point of the discussion; the title itself is somewhat confusing. I was reading “The Black Swan” authored by Nassim Taleb. I found a couple of his statements very relevant to financial statements auditing.
Here is a paragraph from the prologue under the heading “The Bottom Line”. This is what got me thinking regarding financial statements auditing, so read carefully.
“Note that I am not relying in this book on the beastly method of collecting selective ‘corroborating evidence’. For reasons I explain in Chapter 5, I call this overload of examples naïve empiricism - successions of anecdotes selected to fit a story do not constitute evidence. Anyone looking for confirmation will find enough of it to deceive himself - and no doubt his peers. The Black Swan idea is based on the structure of randomness in empirical reality.”
Is this not exactly what auditors do when conducting a financial statements audit? An auditor gives an opinion on the financial statements of the company. According to the Indian Companies Act, the financial statements and related documents should “give a true and fair view of the state of the company’s affairs as at the end of its financial year and such other matters as may be prescribed”.
Since the auditors are not required to comment on 100% accuracy of the statements, they use various auditing and sampling techniques to find corroborating evidence regarding the fairness of the financial statements. Auditors are not required to look for or detect all frauds. Hence, the sampling techniques are selected based on a normal population. Fraud as such is an exception to the rule, an unpredictable event in most industries (except banking and financial services, where some level is expected), and hence can be considered a black swan.
Audit techniques are not designed to identify black swans and find a solution for them. They are all focused on a set number of transactions and auditing steps. The macro-level view of the situation is not seen, though auditors might have a list of inherent risks. Then we are shocked that mass-scale fraud in an organization was not detected by the auditors. A post facto analysis in most cases shows that auditors had reasonable grounds to suspect fraudulent activities and should have reported the same. Let me give you a couple of examples here to put my point across to you.
Take the recent Citi Bank Rs 300 crore (USD 67 million) fraud (now estimated at Rs 400 crore). The auditor’s statement by S.R. Batliboi (member of Ernst & Young) states that the organization had adequate risk management procedures and practices. Now Shiv Raj Puri, the rogue operator, did transactions worth Rs 900 crore (USD 201 million) during the year. Basically, 1/3 to 1/2 of his total transactions were fraudulent. If the risk management systems were in place, then these should have been detected, since they were done for more than a year. Can we now, from a historical viewpoint, say that auditors actually assessed the risk management functions and operations properly before forming an opinion?
In my view, the auditors should have done the following:
- Conduct an analysis of yearly frauds reported
- Link them to specific processes and identify the control weaknesses in the processes and technology
- Assess the various risk management initiatives implemented by the organization in respect to the high fraud risk processes
- Determine whether they are sufficient to detect and prevent frauds
Without a detailed study, commenting on the adequacy of risk management processes doesn’t really help.
Now let me take another example to show how macro-level systemic risks are not connected with the auditing of an organization. As we know, in India corruption is high and laws are frequently broken to close business deals. The Corruption Perception Index 2010 issued by Transparency International shows India ranked 87th of the 178 countries listed. The score is 3.3, which comes under highly corrupt countries.
KPMG India Fraud Survey Report 2010 states the following:
“Bribery and corruption is viewed as an inevitable aspect of doing business in India. Bribery and corruption are most rampant in seeking routine regulatory approvals and to win new business from prospective clients.”
The report indicates that 37% of bribes are paid to get routine or administrative work done by the government. Secondly, 38% of the respondents reported that paying bribes is an integral part of doing business.
Now this is interesting data. I am assuming that KPMG sent the survey questionnaire to most of its clients and they responded with the completed questionnaire. Did KPMG link these responses to their audit clients? At least some of the clients who have responded in the affirmative would be multinationals. If I deduce further, the multinationals are impacted by the US Foreign Corrupt Practices Act. Has KPMG, while conducting the audit, found that the clients were paying bribes and reported the same to their global office? Did KPMG India or US report these unethical practices to the concerned authorities? I think nothing was done to relate the information collected in the survey while conducting the audit, and no unethical practices were reported.
Under these circumstances, is it not right to say that auditors are basically looking for evidence to corroborate that financial statements represent true and fair status? Are auditors really questioning the premise they are evaluating their decisions on? What’s your opinion?
- KPMG India Fraud Survey Report 2010
- Transparency International Corruption Perception Index 2010
- Auditor’s Statement of Citi Bank India March 2010