Perceptions, comprehensions and distinctions between forensic, internal and statutory audits
Accounting scams like Satyam, PMC Bank, ILFS, etc. besides global financial statement frauds like Enron, WorldCom, Tyco, Kanebo, etc. have resulted in focussed attention on the accounting profession in the recent past. Society at large has different perceptions of the audit function, whereas the literature and regulatory requirements are different based on the scope and role.
The “Expectation Gap” between public perception and the activity of a chartered accountant is widening by the day and is a matter of debate on various platforms. In this article, we will look at different types of audits with an eye to differentiate the role, responsibilities, and scope of the audit work. While different kinds of audits are carried out in various organisations (company or otherwise), for the sake of simplification, we will discuss the issue with the example of companies, especially where the public interest is involved. Though various jurisdictions across the globe might have different requirements, here we will restrict our debate to Indian Jurisdiction only. Let us look at some basics about different kinds of audits.
Statutory Audits
These kinds of audits are required by law. Section 139 of the Companies Act 2013 deals with the appointment of auditors whereas section 143 of this act details the powers and duties of auditors and the applicability of auditing standards. Section 144 of the same act prohibits auditors from rendering certain services. This act requires that all companies registered in India (public, private, or foreign) need to get their financial statements audited by an independent auditor (a chartered accountant). Tax Audit is also required to be carried out under The Income Tax Act where the turnover of the company is above the threshold. The scope of audit, role and responsibility of auditors have been defined under these regulations. The prime objective of a Statutory Audit is to get ssurance from an independent professional auditor, who will provide a report containing an ‘opinion’ on whether the financial statements have been prepared by the management as per the applicable framework of accounting standards and whether these are presenting ‘True and Fair’ picture of performance (Statement of Profit and Loss) and state of affairs (Balance Sheet), along with changes in financial position (Cash flow statements). The Statutory Auditor will arrive at that opinion after carrying out audit procedures as enumerated in ‘Auditing Standards’ issued by the Audit and Assurance Standard Board (AASB) of ICAI.
As mandated under Section 132(2) (b) of the Companies Act, 2013, the National Financial Reporting Authority (NFRA) is required to monitor and enforce compliance with auditing standards in such manner as may be prescribed. Rule 8 of the NFRA Rules, 2018, provides that for monitoring and enforcing compliance with auditing standards under the Act, NFRA may.
(a) Review auditors’ working papers (including audit plan and other documents) and communication related to the audit.
(b) Evaluate the sufficiency of the quality control system of the auditor and the manner of documentation of the system by the auditor; and
(c) Perform such other testing of the audit, supervisory, and quality control procedures of the auditor as may be considered necessary or appropriate.
Internal Audits
The Internal Audits are carried out for and on behalf of the management. While the Companies Act requires specified companies to have a system of internal audit in place, generally it provides assurance to the “Those Charged with Governance” (TCWG) about the existence and operative effectiveness of internal controls. The scope of internal audits has to be decided by the management and the statutory auditors need to consider the scope and those reports.
According to the Definition of Internal Auditing in The IIA’s International Professional Practices Framework (IPPF), internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes.
The current Indian regulations permit internal audit functions to be performed either by an entity’s own employee or by a professional who is part of an external agency. The Standards on Internal Audits apply to ICAI members in both situations, irrespective of whether the internal audit is conducted by them in the capacity of an employee or as a representative of an external agency.
Forensic Audit
This is an investigation-oriented activity, to collect evidence that could be produced in the court of law. These audits are generally specific to the event which has already happened or is in the process. Many times, the objective is to identify and prove with evidence whether fraud has happened. The scope of such audits is generally defined by the appointing agency, which might be a regulator, investor, or the management itself.
The process for carrying out a forensic audit is somewhat similar to a traditional financial audit, with a little extra dimension. These procedures should include planning, gathering evidence, and writing a report, but with an additional step of a possible appearance in the court of law if required. The ICAI has published study material to differentiate between forensic audit and financial audit, which explains that a financial auditor may detect fraud. However, the procedures for financial audits are designed to detect material misstatements and not frauds. Reasons for the same include the dependence of financial auditors on a sample versus examining the events and activities behind the documents, which is the role of a forensic auditor. The time involved and the cost differ significantly in both cases. Forensic audits may expose illegal activities, as the motive and objective desire.
Of late, it is observed that various regulators (besides NFRA) and law enforcement agencies are questioning the auditors about their roles, responsibilities, and activities in addition to asking for audit work papers. These include the Registrar of Companies (ROC), Serious Fraud Investigation Office (SFIO), Central Bureau of Investigation (CBI), Enforcement Directorate (ED), Direct or Indirect tax departments and other regulators like the Reserve Bank of India (RBI), Securities and Exchange Board of India (SEBI), etc. while the Institute of Chartered Accountants (ICAI) has its own mechanism of regulating and guiding the members through Peer Review Board, Quality Review Board, Financial Reporting Review Board (FRRB) and Disciplinary Committee etc, who understand the nuances of different roles being played by a chartered accountant in various capacities.
One may argue that the power to enquire and inspect work papers to judge whether professional duties were duly performed has been provided under the regulations of acts or rules and nothing is wrong in questioning the auditors, in case something has gone wrong. On the contrary, few debate whether it is necessary to summon Statutory Auditors at the drop of a hat is necessary in all suspect cases. Moreover, people or officers who question for example, the Statutory Auditors, have little idea about knowledge of auditing and accounting standards, leaving aside understanding the differences between the scope, role, and responsibilities of different type of auditors. From an auditors’ perspective, it becomes extremely difficult to explain to different agencies what all audit procedures have been carried out and why and how the professional activities and judgements were justified under the scope defined for that job. Few jurisdictions around the globe will summon Statutory Auditors once a collusion or fraudulent activity has been confirmed.
It becomes important to understand the difference between different types of audits. The following table provides a summary at a macro level enumerating key differences between these different types of audits.
|
|
Particulars |
Statutory Audit |
Internal Audit |
Forensic Audit |
|
1 |
Objective |
Primarily a regulatory requirement |
Required by a regulation and sometimes for providing assurance to the management |
To establish and collect evidence. In some-cases required by the court of law. |
|
2 |
Scope |
To provide an opinion on the True and Fairness of Financial Statements, whether prepared as per applicable Accounting Standards besides other reporting requirements |
To provide a report on the matters as defined in the scope agreed between the management and the auditors |
To collect evidence as per the scope defined by appointing agency |
|
3 |
Standards |
Auditing Standards are applicable |
Internal Auditing Standards |
Forensic Accounting Standards |
|
4 |
Appointed by |
Shareholders in case of a company and Owners / Top Management in other cases |
The Management |
Any-one (Investors, regulators etc) |
|
5 |
In Focus |
Primarily, Financial Statements and Disclosures therein besides Internal Controls |
Internal Controls |
Frauds and Evidence |
|
6 |
Qualifications of Auditors |
Must be a Chartered Accountant or a firm or LLP of CAs. |
No specific qualification defined. |
Depends on Scope |
|
7 |
Reporting to |
The Shareholders and the Regulators (SEBI, RBI etc) |
The Management |
The appointing agency or the court of law |
|
8 |
Methodology |
Audit is carried out using audit techniques (for example sampling, control testing and substantive testing etc.) |
May be concurrent and transaction based or periodic review of internal controls. |
Specific event based and collection of evidence |
|
9 |
Approach |
To comment on True and Fairness of reporting in financial statements based on finding of audit procedures |
To provide assurance to the management about internal controls |
Fact finding approach |
|
10 |
Observations |
Mentioned in report as modifications, adverse report or disclaimers as defined in the Auditing Standards |
Observations, Risks, Recommendations and Management Action plan with anticipated time frame |
Need to have evidence which should be acceptable in the court of law. |
|
11 |
Report visibility |
Report is in generally in public domain |
For consideration of ‘TCWG’ |
For the purpose of appointing agency and the court of law |
|
12 |
Independence |
Statutory Auditors need to be Independent |
May be part of the management |
Generally Forensic Auditors are supposed to be Independent |
National Head, Assurance,
ASA & Associates LLP
While one must go into detail to understand the difference between the role and responsibility of the Auditors in each case, it is suggested to have a framework and mechanism of monitoring and questioning the auditors in an appropriate manner and by a centralised regulator only (viz. ICAI), which understands the Accounting and Auditing profession. This should help not only the regulators from going through the hassles of understanding the complex auditing profession, but also the auditors will be saved from facing ungracious situations.
