In response to my previous column, a highly respected professional accountant, who was actively involved in the auditing profession for decades and who now sits on the boards of many companies as an independent director, wrote to me, If auditors never (or let us be charitable and say almost never) discover fraud because an audit is not meant to do so, how should we redesign the audit so that those who read the reports obtain a greater degree of comfort? And I believe we should not aim at the analysts etc who have their own way of judging things but also keep in mind the proverbial and judicial man in the street. This is an important observation and every one of us who has an interest in corporate governance needs to ponder over it.
Audit has a long history. Over a period of more than 200 years, it has served members of Joint Stock Companies quite well on the whole, notwithstanding instances of audit failure. The concept of audit was in existence even when auditors, as we know them now, did not exist as a separate profession. All through it was believed that detection of fraud is not the aim of audit.
The auditors task is to provide a reasonable assurance that financial statements provide a true and fair view. He/she collects and verifies evidence with scepticism but does not adopt the approach of a detective. Audit is not investigation. The auditor is not supposed to be a forensic expert. It is with this perception that audit tools and techniques and auditing standards have been developed over the years.
Audit techniques today are quite different from those in use even three decades ago. Auditors use cost-effective techniques that are adequate to form a judgement on whether financial statements provide a true and fair view. If we give the auditor the additional responsibility of detecting fraud, the cost of audit will go up very significantly.
The cost will have to be borne by the society in general and shareholders in particular. Therefore, the debate should focus on whether the benefits from that extension of auditors responsibility will exceed the incremental cost. In making the assessment we must keep in mind that audit failures are infrequent and generally regulators all over the globe have confidence in the profession.
Without carefully analysing costs and benefits, we may inappropriately widen the scope of audit and change the audit objective. The immediate need is to strengthen the system of audit and the institutions on which the auditor relies for planning and programming its audit.
There should be some agency, independent of The Institute of Chartered Accountants of India (ICAI) to audit the auditors. The decision of the Securities and Exchange Board of India (Sebi) to peer review the audit of listed companies might fulfil the present void in the system.
However, peer review will be effective only if the reviewer is selected on merit, is paid reasonable compensation, and if Sebi is empowered to impose sanctions on errant auditors and on the audit firm of which such auditors are partners or employees. ICAI already has a system of peer review. But we do not know whether the system is effective or not. ICAI should make public the outcome of peer review which is in place for more than five years.
Rotation of auditors may be an option to improve the quality of audit. Unfortunately the choice before companies is limited. For example, if a company wants to appoint one of the firms with international exposure, the choice is limited to the Big Four and a few Indian firms.
In India, there are not many firms big enough to invest in required technology and human resources, limiting the choice for a company that wants to appoint a big Indian firm. In this environment mandatory rotation of auditors might result in just the swapping of audit projects among the few big firms.
This will defeat the purpose of rotation of auditors. If the aim is to bring a new perspective, rotation of the lead partner will give the desired result without incurring additional cost that might arise from rotation of auditors.
Auditors, to a great extent, rely on the work of the internal auditor. Therefore, it is important to protect the independence of the internal auditor and to improve the quality of internal audit. It has been reported in the press that Sebi is contemplating framing external agencies to examine the work of internal auditors.
Currently, under the Companies Auditors Report Order (CARO) of 2003, the external auditor is supposed to report whether the company has an internal audit system commensurate with its size and nature of business. Therefore, there is already a system for review of the work of the internal auditor. The system might not have worked well.
The possible reason might be that auditors have benchmarked the audit function in a company with the prevalent practice which reflects poor appreciation of the potential of internal audit function by companies. It is now well accepted that the internal auditors independence is affected adversely if the chief of the internal audit function does not enjoy the status of a functional head (on a par , for e.g., with the finance director).
But, in most companies the chief of the internal audit function is placed at a level lower than the functional heads in the organisation hierarchy. Similarly, in most companies, the scope of internal audit does not include management audit. All these shows the lack of appreciation by Indian companies of the potential of internal audit.
Therefore, review of internal audit by an external agency will not serve any purpose unless internal audit standards are issued and those standards are made applicable to all listed companies by law. ICAI is now issuing internal audit standards. Sebi should explore the possibility of making those standards applicable to listed companies.
New laws cannot by themselves improve the independence and quality of internal audit. The present structure of corporate governance, if implemented correctly, is adequate to protect the independence of the internal audit and to improve the quality of audit.
Clause 49 requires the audit committee to review internal audit reports relating to internal control weaknesses and to review the appointment, removal and terms of remuneration of the chief internal auditor. Therefore, it is the responsibility of the audit committee that the company adopts the best practice to strengthen the internal control system. If the system of audit committee has not worked well, there is no guarantee that the new system will work any better.
Perhaps, the need of the moment is not to bring new rules and regulations. Rather, the need is to enhance the compliance of extant rules and rules and regulation and to strengthen the existing institutions. New rules and regulations should be brought in only after due deliberation involving a system analysis of costs and benefits rather than a knee-jerk reaction to the Satyam case, which is better seen as an aberration.