Financial Frauds and Auditor’s Reporting Responsibility

We increasingly hear about regulators becoming more vigilant, changes being introduced to various Acts and compliances becoming more meaningful. Ironically, despite all this, the instances of financial frauds in corporates also keep increasing in a seemingly direct proportion.

Very recently, a Rs.350 crore bill discounting scam was unearthed in one of the largest public sector banks, where, as per the bank, it discounted the bills but never got the payment. A week into this revelation, the enforcement Directorate (ED) and the Central Beaureau of Investigation (CBI) raided some branches of the same bank in connection with illegal remittance of around Rs.6,172 crore to Hong Kong between August 2014 and August 2015, purportedly for importing dry fruits, rice and pulses.

We as finance professionals have grown up hearing about the term ‘fraud’ in one context or the other. Most of us have been taught that an auditor is a ‘watchdog’ and not a ‘bloodhound’, which essentially implies that it is not the auditors’ job to go and look for a fraud and certainly not his responsibility to unearth one! However, in case an auditor while discharging his duties as an auditor comes across a fraud, he should take note of it.

Further, those of us who have either worked in a banking company or have been associated with one as a consultant/ auditor, would know that a bank is one organization with the maximum amount of oversight, be it from the regulator (Reserve Bank of India), statutory auditors, concurrent auditors, internal inspections etc. Infact, the sheer amount of reportings that a bank has to submit to RBI on a periodic basis is enough for one to be convinced that anything with a semblance of fraud will be tracked. How did this bank fraud then occur?

While the facts are still being pulled out and the CBI and the ED are doing their jobs, the modus operandi appears to be quite straightforward. First, 59 new current accounts were opened in a particular branch of the bank in the name of different companies. Thereafter, crores of cash was deposited into these accounts. These companies, whose owners are shown to be different persons, then requested the bank for forex transfers to certain companies in Hong Kong as ‘Advance’. To avoid automatic detection by the bank software, these remittances were sent by splitting the payments into amounts below $100,000.

It must be added that the above fraud was detected by the internal auditors of the bank, who informed the finance ministry and the CBI and ED were approached thereafter for a probe.

The Companies Act, 2013 (‘The Act’) which became effective from 1 April 2014 has also given due importance to fraud, both from the managements’ as well as the auditors’ standpoint.

There are no two views in the fact that it is the management’s primary responsibility to establish adequate internal control systems to prevent and detect frauds and errors. In the case of a company, the Board of Directors, in terms of the provisions of Section 134(5) of the Act, are required to, inter alia, state as a part of the directors’ responsibility statement in the Board report to the shareholders, that they had taken proper and sufficient care for safeguarding the assets of the company and for preventing and detecting fraud and other irregularities.

Further, though the auditors were always bound by SA-240 on ‘The Auditor’s Responsibilities relating to Frauds in An Audit of Financial Statements’, the inclusion of section 143 (12) in respect of reporting on fraud by the auditors has given more teeth to the audit profession.

Section 143 (12) requires inter alia:

 ‘Notwithstanding anything contained in this section, if an auditor of a company, in the course of the performance of his duties as auditor, has reason to believe that an offence involving fraud is being or has been committed against the company by officers or employees of the company, he shall immediately report the matter to the Central Government within such time and in such manner as may be prescribed.

A careful reading of the contents of this section will clarify that not all ‘frauds’ will fall under the category of frauds to be reported by the auditors under this section.

One aspect that clearly stands out in the requirement is that only a fraud against the Company, that too committed by the officers or employees of the Company needs to be reported. This implies that frauds by the Company and even those on the Company but committed by third parties will not fall under the purview of this reporting. This is in stark contrast of the reporting under Companies (Auditor’s Report) Order, 2015 (CARO, 2015), which requires the auditor to report on frauds on or by the Company.

To give more practical guidance to members in respect of reporting under this section, the ICAI also issued a Guidance Note on this aspect. In addition to elaborating on the section itself, the Guidance Note (GN) has also given detailed guidance as to the circumstances under which the auditor would be required to report as well as the procedure that needs to be followed while reporting. This will ensure only meaningful reporting by the auditors under this section as anything that does not strictly fall under the definition of this section will have to be left out of reporting.

One of the primary tests for reporting under this section is that the information in the hands of the auditor should be such that it provides him ‘Sufficient Reason to Believe’ (SRTB) that a suspected offence involving fraud is being or has been committed. If it does, reporting under this section is triggered and the auditor is supposed to first report it to the management, giving them sufficient time (45 days) to respond before he proceeds to report to the Central Government (CG). Further, the reporting to CG is not required if the management is able to prove to the auditors satisfaction that the fraud didn’t exist in the first place itself.

Another interesting aspect that the GN discusses is that though the reporting under 143 (12) is applicable to the statutory auditors of the Company, it also equally applies to the cost accountants in practice, conducting cost audit under Section 148 of the Act; and to the company secretaries in practice, conducting secretarial audit under Section 204 of the Act. However, these requirements would not apply to other professionals rendering other services to the company such as Sales Tax Auditors. Further, Internal Auditors also would not be covered.

The GN also intends to give some succor to the Company in cases where a fraud was already reported / identified/ detected by the management and has been/is being dealt with by them. In such cases, the Act does not cast unnecessary burden of repetition on the auditor and he will not be required to report the same under Section 143(12) since he has not per se identified the fraud.

All in all, the GN attempts to cover almost all the scenarios that an auditor is expected to encounter ranging from consideration of materiality, responsibility in case of limited reviews, consolidated financial statements and responsibility of branch auditors, to name a few.

Looking at it objectively, the auditors could have reported under the earlier regime (Companies Act, 1956) as well, however, there was no requirement or laid down procedure. By including a specific section on the auditors reporting on fraud and also making the Board of Directors more accountable in terms of stating their responsibility in the Directors Responsibility Statement in terms of safeguarding the assets of the Company and preventing and detecting frauds, more onus has been put on both the sides.

Whether putting more responsibility on the Board and enhancing regulatory oversight will mean lesser frauds, remains to be seen. However, insofar as the reporting responsibility of the auditors is concerned, he may have to be more diligent while considering reporting a fraud. Unless the stated parameters for identification of an instance as a reportable instance of fraud are followed, there is a risk of the auditor either going overboard in his reporting or end up reporting too less.

Puneet heads the Assurance and Risk Advisory practice at International Business Advisors. He is a Chartered Accountant with 13 years of post qualification experience. He has rich experience in the field of accounting and auditing, due diligences and risk advisory to various mid-sized and large companies (Indian as well as trans-nationals) across various sectors. For most of his professional career he has worked with Big4 consulting firms such as KPMG and Deloitte. He has also spent a few years with Mazars India, where he was also looking at the risk management function for the organization, in addition to being a partner with the Assurance division. He regularly writes on various accounting and auditing matters. For any professional assistance, he can be reached on