In the last three months, we have handled multiple fraud investigations, fashionably called Forensic Audits. In all the cases, the narrative has been common: a strong CFO with a dedicated team, gone rogue. The CFO has been in the organization for over ten years and has risen through the management. He understands the process and the IT controls, and is handling the ‘service charge’ payments, a respectable word for bribes. These companies have reputed Statutory Auditors, Internal Auditors and experienced Board members. So what went wrong and who is responsible?
Let us start with the Internal Auditors (IA). They are given an audit calendar approved by the Management, and the CFO plays a major role in directing the areas selected. IA ends up reporting to the CFO, as IA is always identified as a financial audit. The audit is always around processes and controls. The sample for actual transaction testing is not representative, unless and until the findings lead to a suspected failure in controls. Hence, the IA ends up checking a few transactions, not enough samples and not the areas where the problem is. This is reported to the CFO, who then uses this tool (IA) for settling scores with other departments.
Then we come to the Statutory Auditors (SA). They depend on the IA report and have a short window to complete the audit. They look at the statutory reporting formats and compliance, and basically test against Accounting Standards. Hence, transactions are beyond their purview and whatever testing they do is very restrictive. They again report to the CFO!
Remember the professional fee is a great leveler. So when you pay peanuts, the firms send monkeys!
Then comes the Management. They are totally dependent upon the reports of IA and SA. They do not have the time to devote to analysis and in most cases have limited exposure to the nature of the business.
So when the frauds are exposed, either on the CFO quitting or by a disgruntled employee complaining, a lot of water has already flowed under the bridge. Then what can the management do? They bring in a Forensic Auditor, who collects evidence and builds a case against all those involved. An internal inquiry is conducted based on this report and the people are asked to go. Very rarely does a company file an FIR or a case against these employees. The company is supposed to take the report on record. The Directors need to mention this in the Board meeting and the same needs to be reported to the ROC. But wait! How will this reflect on the Board members? What happens to their assessment? Will this impact their credibility? Will this affect their role on other Boards?
The last piece of the puzzle is getting the IT and social media bit right. What happens when this is leaked to the media?
Too many questions! So the Board discusses and ‘kills’ the report.
We have designed a Board Familiarisation Program to help the Board sidestep such land mines. We take the Board through the steps they should take to de-risk such situations. Join us at the next Corporate Governance education session.