Who audits the forensic auditor?

Recently, a founder of a large information technology (IT) company demanded that his company make public the report prepared by the forensic auditor in its entirety. His comments suggested that he might be having doubts about whether the report’s conclusion concealed more than it revealed. The cloak of secrecy around forensic audit raises questions around regulations that guide this nascent practice.

Experts point out that a forensic audit is a thorough and systematic process that involves undertaking a series of analysis, primarily aimed at establishing the accuracy and authenticity of the set of financial transactions under review. Evidence gathered through forensic audit is part of litigation and admissible in the court of law. 

The government’s recent drive against money laundering, black money and use of inactive companies to park and divert illicit funds has only intensified the use of forensic audit tools by regulators and investigating agencies. Sensing a business opportunity, several global audit and advisory firms have over the last couple of years ramped up this practice area in the country.

Stakeholders, however, point out the nascent field is not institutionalised in India. The Companies Act, 2013, mandates auditors to report instances of fraud in accounts of a company. “But this process of identifying and reporting fraud is not codified. There is no formal body in India – like a Fraud Institute – that is researching best practices in the area of forensic audits, providing training in this field or regulating forensic audits. There is a need to develop such a code,” says Reshmi Khurana, managing director and head of South Asia in Kroll’s investigations and disputes practice.

Stakeholders, both clients and practitioners, point out that there is no oversight mechanism to ensure the quality of forensic audits. They note that the emerging practice suffers from lack of standardisation and a regulatory framework. Multiplicity of regulators in the financial sector has further complicated the usage and understanding of forensic audit by various stakeholders and what they seek from it.

The erstwhile Forward Markets Commission (FMC), which regulated the commodity derivatives market, was among frequent user of third-party forensic audits. The commission itself did not have an elaborate staff. Neither did it have the capabilities to conduct detailed and complicated investigations. In the aftermath of the National Spot Exchange (NSEL) scam, the commission had ordered forensic audits by third-party agencies on various aspects of the exchange and its sister concerns.

Other regulators such as the Securities and Exchange Board of India have developed detailed investigative wings, but at times have relied on external agencies, such as in the case of the controversy around algorithmic trading.

Recently, the Sebi ordered forensic audits on a number of suspected shell firms. Last week alone, the regulator has referred three firms to such audits.

As the demand for audits rise, it is not clear if there are enough service providers with requisite skills and integrity. Also, there is an issue of avoiding conflict of interests in such audits. In large groups, where there are multiple entities, there could be situations where most of the top audit firms are engaged by one sister concern or the other, resulting in the mandate falling in the wrong or inexperienced hands.

Rajendra Kumar, head of education, Indiaforensic, a Pune-based research and education firm related to forensic accounting and fraud investigation, raises a moot point: “Is there any mechanism of doing the auditor integrity checks in India?    

Recently, the Reserve Bank of India laid down a framework for dealing with loan frauds, under which certain red-flagged accounts have to be compulsorily referred to forensic audits. An RBI circular, issued in 2015, lays down rules as to when an account should be referred and what needs to be done after such a forensic audit is done. However, it is not very clear what process should be followed during the audit itself and who qualifies to do it. The demand for a forensic audit has become common among investors and other stakeholders. In the Jaypee Infratech case, where thousands of homebuyers are awaiting delivery of flats, this demand has been submitted to the Supreme Court. However, in many cases, the question arises who will set the terms of reference, and could a potential suspect be the person commissioning the audit.

Already, there are some sceptics of the outcome a forensic audit. Atanu Mukherjee, president, M N Dastur and Co, who has studied in detail several of the companies bound for insolvency, notes that forensic audit may not reveal everything. “It is not as deep as you think or as it should be.”

As a credibility enhancing measure, Kroll’s Khurana says there is a need to ensure that the regulator of forensic audits should be independent from the certification body. Some countries have rules governing private investigations, says Mark Hoestra, global leader, forensic & investigation services, Grant Thornton. Large professional accounting firms have internal controls and processes and strict eligibility criterion on who becomes a forensic auditor, he says. Experts say globally, the profession of forensic audit has largely been governed by rules of accounting.

In India, the Council of the Institute of Chartered Accountants of India (ICAI), which regulates the accounting profession, has launched certificate courses on forensic accounting and fraud detection. Though forensic audit involves a lot of financial and accounting work, that is not a sufficient skill set. Audit of servers, IT systems, mining of data and emails also could reveal critical information. So, the regulatory framework should go beyond just accounting, say experts.  “We need certified fraud professionals who are trained in a specialised manner and are held accountable for their work,” says Khurana.