In recent times, a few instances have been noted where a risk advisory professional was accused of gross negligence and consequently either arrested or barred from practising as a Chartered Accountant. It is said that if anything is going wrong in the company, the risk advisory professional must be the first to know, since he works there all 12 months of the year, whereas the statutory auditor's role is limited to 2-3 months a year.
Barring a couple of regulations (for example, RBI guidance for audits of banks), most Indian regulations and available guidance do not place direct accountability on risk advisory professionals for detecting frauds occurring in the organization. For instance, the amended provisions for reporting fraud under the Companies Act 2013 and the revised Listing Agreement do not specifically cover the role of risk advisory professionals in reporting frauds.
Risk advisory professionals covered under Section 138 are not specified as persons required to report under Section 143(2). Further, Section 143(2) covers only fraud by officers or employees of the company.
In the last few years the technological tools available to risk advisory professionals have evolved significantly; however, the contribution of risk advisory professionals to fraud detection has reduced. The reason is that new technology has changed the nature of the frauds and red flags identified in the organization.
As per the Association of Certified Fraud Examiners' (ACFE) Report to the Nations 2018, 15% of occupational frauds were detected through internal audits, compared with a decade ago, when 19.2% of occupational frauds were detected through internal audits.
However, multiple regulations and guidelines refer to placing reliance on the work of risk advisory professionals for the detection of frauds. A few examples:
- SA 240 requires statutory auditors to make enquiries of internal audit to check whether there is a risk of fraud or whether internal audit has knowledge of any fraud affecting the company.
- SA 315 and SA 610 require the statutory auditor to enquire of the risk advisory professional about procedures performed, if any, to detect fraud, and whether management has responded to any findings resulting from these procedures.
- The ICAI guidance note on reporting of fraud u/s 143(2) of the Companies Act 2013 contains an illustrative checklist for enquiries with the board, the audit committee and the risk advisory professional.
- As per SIA 11, a risk advisory professional should exercise reasonable care and professional skepticism.
- The Listing Agreement (Clause 49) requires audit committees to review the findings of investigations by risk advisory professionals and to report the matter to the board.
- One of the key amendments to the Prevention of Corruption Act, 1988 (POCA) covers risk advisory professionals as key officers of the organization, who can be held liable if an offence of bribery is proved in court to have been committed with the consent or connivance of such an officer.
- The Public Company Accounting Oversight Board requires the auditor to consider the results of their fraud risk assessment when planning the audit of internal controls.
- SAS 99 requires an auditor to make certain enquiries of risk advisory professionals: whether they have performed any procedures to detect fraud, whether management has satisfactorily responded to any findings resulting from such procedures, and whether the risk advisory professionals have knowledge of any fraud or suspected fraud.
- Management and the external auditor are to report on the adequacy of the company's internal control over financial reporting (Section 404 of the Sarbanes-Oxley Act, 2002).
- The US Securities and Exchange Commission (SEC) has stated that the assessment of a company's internal control over financial reporting must be based on procedures sufficient both to evaluate its design and to test its operating effectiveness. Controls subject to such assessment include controls related to the prevention, identification and detection of fraud.
New expectations from a Risk Advisory Professional
- The role of the risk advisory professional in fraud prevention, detection and reporting is to be formally documented as part of the organization's fraud risk management policy.
- Cover and document a process for internal audit to express concerns, if any, about:
  - i) management's commitment to appropriate internal controls,
  - ii) suspicions or allegations of fraud.
- Document and reinforce the independence of the risk advisory professional from management as part of the Charter.
- Adequately document additional measures taken and proactive procedures performed, if any, to address significant control deficiencies or weak areas identified during the internal audit.
- Allocate resources for the assessment of fraud risks where necessary.
- Benchmark the organization’s internal controls periodically with industry leading practices.
- Stay updated with appropriate skills and technological tools to enable effective risk assessment during internal audits.
- Monitor frauds or incidents reported within the industry and incorporate learnings while carrying out subsequent reviews.
- Seek access to whistle-blower complaints relevant to internal audit and incorporate learnings.