Knitting Indian SOX

In the effort to minimise the likelihood of another Satyam debacle, a few lessons are available from a country that has been reeling from its own corporate scandals – the United States.

The Satyam debacle has made it apparent that corporate fraud, one of the darkest sides of capitalism, knows neither national nor cultural boundaries. Financial trickery of massive proportions, engineered in the highest of corporate offices, is not something restricted to the countries of the West. In hindsight, did the financial devastation wrought by the frauds at companies such as Enron and WorldCom in the US during the early 2000s prompt questions in India of 'Could this happen here?' and 'What should we do to prevent it?' If such questions were raised, apparently little was done, legislatively or otherwise, as the Satyam saga has so blatantly proven.

What does it take for a public company to function properly, in the best interests of the shareholders and, indeed, all stakeholders? What are the checks and balances necessary to counter greed and opportunism by the management? The answer lies in sound corporate governance, which can be thought of as a four-legged stool: corporate management as the first leg, the board of directors representing the second leg, internal auditors the third leg, and finally the independent (external) auditor as the fourth leg. It is almost pointless to argue about which of these four legs is more important than the others, for each must function honestly and efficiently in order for the system to work.

First off, the members of the corporate management must know that they are the stewards of the outside owners – ie, the shareholders. They are rewarded (usually quite handsomely) if the company does well, but they cannot be so tempted by the rewards that they 'cook the books' to line their own pockets. Second, the board of directors must be truly independent, not just acting as a rubber stamp for corporate decisions. Importantly, at least one board member must be a financial expert, in order to comprehend the true financial ramifications of proposed corporate actions. As for auditors, to state the obvious, they must be independent and they must dig hard and deep in their search for the truth. Although internal auditors are employees of the company, they cannot just go through the motions as they apply their audit procedures.

Finally, external auditors must truly obtain "sufficient competent evidence" (as auditing standards require) to back their audit opinion on the company's financial statements. A legitimate question to raise in the Satyam fallout is whether PricewaterhouseCoopers, Satyam's London-based auditor, followed generally accepted auditing standards to gather "sufficient competent evidence", given that it apparently failed to verify some USD 1 billion in cash on Satyam's balance sheet, and one would have thought that cash would be the easiest asset to verify. In the end, it takes just one of the four legs to break for the stool to come crashing down, as Satyam did.

It is informative to review the actions taken in the United States in response to the corporate scandals of the early 2000s, in order to draw inferences for reforms in Southasia. The Sarbanes-Oxley Act of 2002, which passed quickly and with overwhelming support through both the House and Senate, sought to strengthen three of the four legs of corporate governance. This act – SOX for short – contains specific provisions directed at corporate management, the board of directors and external auditors. While corporate management was always responsible for the truth and accuracy of the financial statements, SOX makes that responsibility very explicit, by requiring top management to certify the accuracy of the statements in their annual filings. Severe criminal penalties can be levied against individual members of the top management team who knowingly submit false certifications, the hope being that the prospect of lengthy jail terms will deter at least some crooked managers. Six years after the passage of SOX, criticisms of the act remain due to the high compliance costs imposed on companies, who were forced to engage in an expensive process of documenting and testing thousands of existing controls and implementing missing controls that should have been in place. On balance, however, studies have shown that there has been a marked improvement in investor confidence in the quality of financial reporting – the main objective of SOX.

Strong at the top
A significant deterrent to fraud is a strong system of internal controls. One of the most controversial aspects of SOX is the requirement that company management periodically review the system of internal controls and certify that the controls are effective. This internal control certification is independent of the certification of the accuracy of the numbers in the financial statements. Such requirements have placed a heavy financial burden on companies, as for the first time they have been forced to inventory, review and test their internal controls. The process has been an eye-opener for most companies, however, as they have discovered that thousands of controls that should have been present were not. Arguably, even if costly, this one provision in SOX has been extremely effective in checking deception. A side benefit of a strong system of effective internal controls is that it provides good information for decision-making – as corporate managers in the US have reluctantly come to agree.

How could the leg made up of the board of directors be strengthened? For one, as noted earlier, at least one board member should be mandated to be a financial expert. This requirement in SOX decreases the likelihood that the board could be fooled by complex financial shenanigans engineered by management. In virtually all large publicly held companies, one has to be well connected in order to be invited to sit on the board of directors. Given such a close nexus between board members and management, it is only natural that a board would often exhibit a tendency to go along with management's proposals 'on good faith'. After all, would you ask tough, critical questions of a friend you have known for years? It is unrealistic, and perhaps even undesirable, to expect board members to be completely impartial in their dealings with the company. However, it is not too much to ask at least one board member to be an expert who fully understands the complex financial transactions in which today's large companies often engage.

Better internal controls, requiring top management to certify the financial statements, and having a financial expert on the board of directors are measures that would prevent fraud. For the kinds of fraudulent schemes that were perpetrated at Satyam and elsewhere, however, one has to believe that at least a few internal employees were in the know. Does one really believe that Ramalinga Raju was exclusively handling the accounting books as chairman? More than likely, at least a few Satyam employees were involved in tinkering with the ledger. Might they have known they were doing something wrong? Of course. Would they have objected or reported the scam to the authorities? Highly unlikely, since doing so would almost certainly have meant a pink slip. An interesting provision in SOX is the protection for such employee whistleblowers. The act imposes criminal penalties for retaliation against whistleblowers, and requires companies to institute a mechanism to allow anonymous and confidential reporting of "questionable accounting or auditing matters" by company insiders.

It would behove lawmakers in India to consider similar provisions in reforms enacted to prevent, or at least minimise, the possibility of another Satyam. Indeed, taken together, the SOX provisions discussed here are very relevant in the Indian context. As in the US prior to the promulgation of SOX, auditors in India of course already review the company's internal controls, and company management is held primarily responsible for the financial statements. What SOX does is to explicitly require management certification of the financial statements, management certification of the quality of the internal controls, and heightened auditor responsibility for both. There is nothing uniquely different about the Indian context that should prevent the introduction of such key reforms. Indeed, one could argue that in light of the prevalence of family-owned and -run corporations in India, wherein the likelihood of fraud could be higher, SOX-like reforms are more needed in India relative to the US, with its higher proportion of widely held and professionally managed companies.

Peek-a-boo
Let us not forget the auditors. After all, they are the ones charged with the responsibility of obtaining the required financial evidence, evaluating that evidence, and finally providing 'reasonable assurance' (a term auditors love) that the financial statements are materially accurate. A serious threat to an auditor's propensity to ferret out wrongdoing is the lack of independence. The auditor is paid by the company being audited – something that could itself be viewed as a conflict of interest (more on this later), but which remains the current regime in virtually all countries of the globe.

Apart from being paid to check the accounts, in the past auditing firms also provided a number of additional services, for which the auditor was handsomely compensated. These so-called 'non-audit services' ranged from implementing the company's computerised accounting system to advising on tax matters, as well as similar consulting services. In many cases, the fees for such non-audit services actually exceeded the audit fees – ie, for what the auditor was engaged to do in the first place. In the US, such non-audit services have now been severely curtailed by the SOX Act. No longer can the auditor reap huge income from non-audit services alone. There has thus been in the US a 'back to basics' movement, with the external auditor asked to perform primarily audit services. Again, it would seem to make sense to enact similar legislation in India, to prevent the proliferation of non-audit services (and hence lucrative fees) that could impair auditor independence.

Beyond restricting what auditors should not do, audit standards could be revamped in order to better specify what auditors should do, with an eye to increasing the likelihood that fraud and corporate wrongdoing can be discovered early on. In response to the auditors' failure to uncover the large-scale frauds of Enron, WorldCom and the like, auditing standards in the US now require external auditors to engage in "fraud brainstorming sessions" at the beginning and during the course of the audit. These brainstorming sessions involve auditors at various seniority levels getting together and collectively thinking about ways in which the audit client's financial statements might be fraudulently misstated. The hope here is that such explicit consideration of the risk factors at the start of the audit will sensitise auditors to the possibility of fraud as they proceed through the audit engagement. Requiring such brainstorming sessions for external auditors in India would seem to be a path worth pursuing.

When auditors give a clean bill of health to companies that are subsequently found to have been the victims of large-scale fraud, as in the case of Enron, WorldCom and now Satyam, we are faced with what is straightforwardly referred to as an 'audit failure'. In light of such failures in recent years, it is reasonable for the public to wonder whether the work of the auditors is itself subjected to some kind of scrutiny. In other words, who audits the auditors? Prior to the passage of SOX, this seemingly obvious question had a rather startling answer in the US: other auditors. Audit Firm A would periodically be audited by Audit Firm B, to ensure that the former was performing its auditing work in compliance with generally accepted standards. Not surprisingly, this often led to a wink-and-a-nod arrangement, with little by way of substantive 'auditing' of audit firms. In the US, this cosy arrangement between auditors ended with SOX, which has created an independent organisation called the Public Company Accounting Oversight Board (PCAOB) – often disparagingly referred to as 'Peek-a-boo' – that is charged with auditing the auditors. Thus far, the PCAOB has appeared to be rather effective, with many tales of audit firms being penalised for lax accounting procedures.

Within public companies, internal auditors too have a significant role to play. They are the watchdogs inside the company, who are of course considerably more familiar with the internal operations than are external auditors. Yet in many companies, internal auditors report to management, which is to say they report to the entity they audit – clearly a problematic set-up in terms of independence. This fourth and final leg of the corporate-governance stool can be strengthened by having internal auditors report directly to the board of directors, specifically to an audit committee constituted as a subset of the board. Directly reporting to the board will increase the likelihood that wrongdoing uncovered by internal auditors will at least get the attention of those charged with overseeing company management.

Both internal and external auditors could do much more to improve their audit procedures. One major issue to address up front is 'auditing' versus 'fraud examination'. So long as auditors have the mindset of providing merely 'reasonable assurance' that the financial statements are free of fraudulent misstatements, they will continue to employ archaic audit procedures that rely far too heavily on sampling. Indeed, most auditors merely sample sets of transactions, and subsequently draw inferences about the accuracy of financial statement numbers based on errors found (if any) in the sample. One does not have to be a financial expert to recognise that fraudulent transactions can easily be missed when such a sampling-oriented audit approach is employed. The interesting thing here is that audit software now exists to allow auditors to test 100 percent of transactions. The irony is that auditors of even high-tech IT outsourcing companies such as Satyam, let alone traditional 'low tech' companies, do not use much IT themselves as they audit these companies. If pushed, auditors would admit that they have little training in the use of advanced audit software tools – a deficit that needs to be addressed, not just in India but worldwide.

Dollars and sense
There are actually many opportunities to re-engineer the audit process such that corporate fraud would become difficult to conceal. Imagine an auditing regime in which virtually all internal controls are automated, and auditors test these automated controls from remote locations. What if audit evidence – for example, confirmations of balances by banks, debtors and creditors – were to be sent, electronically, directly to the auditor? What if the audit routines were to be embedded within the company's systems, and electronic alerts were sent to auditors whenever anomalies were detected, all in real time? The technology for such advanced audit procedures has existed for several years, but it has not been utilised for a variety of reasons, including resistance on the part of auditors, lack of client cooperation, and the actual or perceived high cost of implementation. Either way, it is high time to seriously consider such technology-enabled audit processes – not simply because they provide a bulwark against malfeasance, but also because, once automated, they can lower audit costs in the long run. So, while the initial cost of such advanced computer-based auditing techniques may be high, the benefit of being able to detect errors and irregularities virtually in real time is immeasurable. When billions of rupees stand to be lost, techniques that cost less than millions can be worthwhile.

Beyond sound corporate governance within the company and improved audit procedures, other participants in the capital markets also need to be extra vigilant given the high stakes involved. Financial analysts, banks and other financial institutions should themselves perform due diligence as they review financial statements of companies. Rather than simply assuming that auditors have done their job, these banks must review accounts with a view to spotting anomalies. Do the numbers make sense? Are the profit-and-loss statement and the balance sheet in line with what could be expected, based on the previous year's performance or on how other companies in the same industry are doing? Any accounting that seems out of the ordinary deserves special scrutiny.

In the end, auditor independence is perhaps the most crucial aspect of this issue. While auditors are currently paid by the company they audit, what if this arrangement were to change? A public company could pay an audit fee to the securities-and-exchange board that governs the stock exchange at which the company's stock is listed. This board could in turn engage auditors and pay them directly. This way, the auditor is paid not by the company being audited but rather by the exchange board. Many details would still have to be worked out, of course, including the audit fee. Subject to the refinement of such details, however, this arrangement would go a long way to ensure auditor independence, which is essentially the linchpin that provides for an impartial, honest and thorough audit of any company.

In the final analysis, though, it will always come down to ethical behaviour on the part of individuals operating within each of the four spheres of corporate governance. Every person working in these areas needs to know how to spot and identify unethical behaviour. And when he or she does, the response needs to come down to four simple words: Do the right thing.

Himal Southasian
www.himalmag.com