Reporting of Fraud by Auditors: Issues & Suggestions

How does an auditor assert fraud, when traditionally his/ her duties are confined to performing enhanced audit procedures to ensure financial statements are not misstated?

While the auditor may suspect, or in rare cases, identify the occurrence of fraud, he/ she does not legally determine whether fraud has actually occurred. The definition of “fraud” as per Section 447 of the Companies Act, 2013 is very wide. Significant judgments may be needed in determination of the occurrence of fraud, as fraud connotations are very wide. Since, fraud is a criminal offence under the Indian Penal Code, 1860, wherein the intention is to be established, the auditor will not be in a position to assert fraud. Therefore, when a suspicion of fraud is reported by the auditor, the Board or Audit Committee is required to evaluate the matter and take appropriate action including, conducting an investigation or a forensic audit (either using qualified internal teams or seeking assistance from external specialists/ experts). Further the Board or Audit Committee is expected to respond to the auditor within 45 days of the suspected fraud being highlighted.

What if the company is unable to investigate into suspected fraud within 45 days and send a report to the auditor?

Depending on the nature of fraud suspected and the robustness of the organization’s fraud response framework, the investigation time frame can vary and it may not always be possible to conclude investigations in 45 days and communicate outcomes to the auditor. In such cases, the MCA notification suggests that the company respond by providing information on the steps taken – such as commencement of the investigation and the case status – and any other observations by the Board or Audit Committee on the matter, within 45 days to the auditor.

What if a company discovers multiple small value frauds in the course of an investigation that may add up to less than rupees one crore? What is the reporting process to be followed?

The reporting of fraud is done only if it is detected during the course of the audit by the auditor and not already known to the management as per the ICAI Guidance Note on Reporting on Fraud under Section 143(12) of the Companies Act, 2013 (Revised 2016) (the “Rules”). But, the same has not been endorsed by MCA in the Rules relating to fraud reporting. In case of a fraud involving less than rupees one crore (individually), the auditor needs to report the matter to the Audit Committee or the Board, instead of the Central Government, immediately or within 2 days of becoming aware/ suspecting such a fraud. Only fraud above rupees one crore is to be reported to the Central Government, to be considered on an individual basis and not the sum total of all frauds in a year put together.

Depending on the complexity and duration of fraud it may become difficult to determine the quantum of fraud loss. In such cases, the MCA notification allows companies to use a management estimate or reasonable range of estimate made by the auditor for the purposes of reporting the fraud. However, estimation of the amount involved is not always feasible and if the estimation goes wrong, despite taking reasonable care, then one can end up reporting a less than rupees one crore fraud or not report a fraud above rupees one crore to appropriate authorities. Subsequent reporting may be required, if the amount initially estimated was lower than the rupees one crore limit, but eventually determined to exceed this limit, resulting in the need to report the same to the government within 45 days of the determination of the revised fraud loss.

Can non-compliance be considered fraud and does it have to be reported, especially if there is a significant financial repercussion involved?

Fraud can also encompass regulatory non-compliance and its determination and quantification could pose challenges. The MCA notification does not appear to make a distinction between fraud and regulatory noncompliance, as long as the quantum of fraud loss can be reasonably quantified. Therefore, if the auditor comes across instances of corruption, bribery, money laundering and other regulatory non-compliances committed by the employees of the company, he/ she will then need to communicate the same to the Audit Committee or the Board and/ or also report to the matter to the Central Government (depending on the value of fraud loss).