NFRA has issued its Audit Quality Review Report (AQRR) dated 22/06/2022, highlighting serious flaws in IL&FS’s Statutory Audit for Fiscal Year 2017-18, done by CA Firm ‘SRBC & Co. LLP’.
This report of NFRA covers examination of the overall audit quality in terms of compliance with the auditing standards and the effectiveness of the quality control procedures of the audit firm.
1.3.Executive Summary of Observations in the AQRR
NFRA has summarised its findings on the violations by the Audit Firm, as under:
1.3.1. Violation of the norms on Auditor’s Independence
1.3.2. For an audit engagement, it is extremely critical that an auditor should be independent of the entity (the auditee) under the audit to rule out any potential conflict of interest and threat of independence. Apart from the professional standards, the Companies Act, 2013 mandates Auditor’s independence through restrictions and safeguards prescribed in Sections 144 and 141 of the Act. Section 144 prohibits the statutory auditor from providing directly or indirectly certain types of non-audit services to the auditee group of companies. Section 141 of the Act imposes certain disqualifications for being appointed as an auditor. Such disqualifications will be applicable, inter alia, if the proposed auditor has a business relationship with the auditee group of companies, or if the proposed auditor directly or indirectly provides prohibited services as per Section 144 to the auditee. The term directly or indirectly is defined in the Act to include relationships like parent or associate entities of the auditor, entities whose name, trademark or brand is used by the auditor. These restrictions are to ensure that the Auditor does not get into any conflict of interest and is thereby able to perform its functions independently and issue an appropriate report, which will be relied on by various stakeholders such as the shareholders, investors, creditors etc. Lapses in complying with the provisions regarding auditor’s independence are viewed seriously internationally by other audit regulators. The US regulator PCAOB, in a case , observed that “For one audit client, Issuer A, PwC violated the auditor independence rules of the Commission and the Public Company Accounting Oversight Board (“PCAOB”) by performing prohibited non-audit services, including exercising decision-making authority in the design and implementation of software relating to the company’s financial reporting and engaging in management functions for the company during the 2014 audit and professional engagement period.”
1.3.3. NFRA observes that the initial appointment of SRBC & Co LLP and the continuation of SRBC & Co LLP as statutory auditor of IL&FS Limited was violative of the norms of independence. This is because its network (Ernst & Young Global Limited/EY) provided prohibited services to the IL&FS group and also had a business relationship with the auditee (IL&FS) group. How closely the Audit firm, i.e. SRBC, is related to EY has been dwelt at length in Chapter 2 of the AQRR. SRBC, its partners and employees have been using the brand, name, email domain, policy documents etc of the EY. SRBC had also admitted before PCAOB that it is a part of the network of EY. Therefore, there is no doubt that SRBC is a network firm of EYG. EYG entities have been earning significant non-audit revenues from the IL&FS which is audited by one of its network firms i.e., SRBC. Even SRBC too has directly earned non-audit revenue from IL&FS group entities. The total non-audit fees of ₹ 4.57 Crore earned by EYG entities, including SRBC, from IL&FS and its group entities (for the relevant period of 4 years up to the financial year 2017-18) was much more than the Audit fee of ₹ 2.3 Crore from IL&FS. The details of the business relationship, revenue earned by the Group from IL&FS group companies for non-audit and prohibited services rendered are given in this report. Such services resulted in the loss of independence and violation of Sections 141(3)(e), 141(3)(i), 141(4) and 144 of the Companies Act 2013. The audit engagement also suffered from self-review and self-interest threats, hence, failed to meet the independence norms and SRBC should not have accepted the appointment as Auditor in the first place. (All these matters have been explained in detail in Chapter 2 of this AQRR). Nevertheless, NFRA has proceeded to examine compliance by the Audit Firm with the SAs, in their performance of this Engagement, without prejudice to the above findings.
1.3.4. Lapses in the Audit of Investments
1.3.5. The total value of investments shown in the standalone financial statements of IL&FS as on 31st March 2018 amounts to ₹12,320 Crore, which is almost 50% of its balance sheet size. The Audit Firm failed to properly verify these investments in almost 80% of the cases. The deficiencies are observed in the areas of use of valuation experts, fair valuation, and impairment loss evaluation. Also, there are certain investments (₹1,637 Crore) for which no evidence of verification is available in the audit documentation. There is no evidence that the Audit Firm has ensured that the management had tested each investment individually for impairment4 . The Audit Firm also failed to notice non-compliance with the provision of Section 177 of the Companies Act, 2013, which requires prior approval of the Audit Committee for the related party transactions, however, the transactions were approved post facto by the Audit Committee. The Audit Firm’s assertion that post-facto approval is sufficient because the word ‘prior approval’ is not mentioned in the law is misplaced. A full reading of Section 177 of the Companies Act will itself make it clear that the word ‘approval’ therein means prior approval because the third proviso to the section 177(4)(iv) makes a specific provision, which allows post facto approval only in some classes of cases involving relatively smaller amounts not exceeding Rs One Crore. If the word ‘approval’ were to mean or include post facto approval for all cases involving amounts even above Rs One crore, then there would have been no need for the legislature to provide the third proviso as above. This has been explained in detail in Chapters 3 and 4 of this AQRR.
1.3.6. In the majority of the cases relating to investments, the Audit Firm simply relied on the management assumptions and assessments regarding the impairment of investments without independently verifying the veracity of such assumptions and assessments and failed in challenging the same. In that process, the Audit Firm ignored the visible impairment indicators such as insolvency proceedings, permanent decline in the market value of investments, the negative net worth of component entities, etc. This has resulted in not testing the provision of impairment loss on investments made by the Company, leading to the Audit Firm’s non-reporting of inflated profits (in the stand-alone financial statements) by the company for FY18. Such lapses in challenging the management and absence of professional skepticism are viewed seriously by audit regulators across the world. The UK’s audit regulator FRC observes that “On two audits the audit team did not sufficiently challenge the reasonableness of management’s assumptions in relation to cash flow forecasts.”. The US regulator PCAOB observes that “Grant Thornton failed to exercise due professional care, including appropriate professional skepticism, and failed to obtain sufficient appropriate audit evidence concerning the reported value of Bancorp’s net loans, the effectiveness of Bancorp’s controls relating to its allowance for loan and lease losses”. These lapses have been discussed in detail in chapter 3 of this AQRR.
1.3.7. Lapses in the Audit of Loans and Advances
1.3.8. IL&FS had disbursed loans amounting to ₹8,124 Crore to approximately 26 related parties during the FY 2017-18. The related party transactions were made in violation of section 177 of the Companies Act, 2013 under a related party policy of the Company which contains provisions ultra vires the Act. A company’s policy dealing with related party transactions cannot override the provisions of the Act. The Audit Firm failed in designing and performing sufficient and appropriate audit procedures to mitigate the risks, including risks of management override of internal controls, associated with the sanction of these loans, and disbursement of loans by the Company. The Audit Firm ignored potential cases of evergreening and rollover of loans and failed to understand its implications on the financial statements of the Company. The details of the potential evergreening of loans by the company which the Audit firm did not sufficiently examine are given in para 4.13.13 and other parts of chapter 4 of this AQRR. The audit documentation in this regard was insufficient, inadequate and largely absent, vis-à-vis the applicable professional standards.
1.3.9. Lapses in the Audit of Revenue from Operations
1.3.10. Around 93% of the total revenue (₹1,899 Crore in the standalone financial statements) of the Company was from related parties. However, the transactions were made in violation of section 177 of the Companies Act, 2013. The Audit Firm failed to perform enough tests of details to verify the occurrence of revenue, completeness of revenue transactions, and the accuracy of the revenue recorded. The Audit Firm failed to evaluate the management assertion that related party transactions were conducted on terms equivalent to those prevailing in an arm’s length transaction. The details of these lapses are given in Chapter 5 of this AQRR.
1.3.11. Failure to Comply with the Basic Requirements of an Audit
1.3.12. The AQRR details various instances of non-compliances of the Audit Firm with some of the fundamental requirements of a statutory audit. A few instances are as follows:
a) IL&FS group consists of several subsidiaries, associates and joint ventures (components). The Companies Act, 2013 requires all subsidiaries and associates to be included while preparing Consolidated Financial Statements (CFS) of the holding company, IL&FS. It is observed that two associate companies were excluded while preparing CFS in violation of the Act. The Audit Firm failed to raise any questions to the management in this regard and also regarding the discrepancies in the total number of components. The details of these lapses are given in Chapter 6 of this AQRR.
b) Standards on Auditing (SA) require that when establishing the overall audit strategy, the auditor shall determine materiality. This requires establishing an amount below which uncorrected misstatements, individually or in aggregate, will be evaluated as immaterial for the financial statements as a whole. It is further mandated that the auditor shall also determine performance materiality, which involves the auditor setting an amount at less than the materiality level for particular account balances for purposes of assessing the risks of material misstatement and determining the nature, timing and extent of further audit procedures. The Audit Firm determined materiality at ₹100 Crore and the performance materiality at ₹50 Crore. However, there is no evidence in the audit file that the Audit Firm used this materiality while conducting the audit. No workings were shown as to how the Audit Firm determined the performance materiality. The factors considered, and judgement used to arrive at performance materiality are also not documented. The details of these lapses are given in Chapter 8 of this AQRR.
c) The SAs applicable to a financial statement audit engagement mandate effective twoway communication by the auditor with “Those Charged With Governance” (TCWG) of the Company. TCWG is essentially those persons(s) or organization(s) (e.g., a corporate trustee) with responsibility for overseeing the strategic direction of the Company and obligations related to the accountability of the Company. Therefore, the proper identification and subsequent two-way communications with them play a crucial role in the effective and independent carrying out of the audit engagement. However, the Audit Firm failed to determine the persons comprising TCWG. Further, NFRA could not trace any communication with TCWG relating to the auditor’s independence, and the relationships and other matters between the firm and network firms, as mandated by the professional standards. The Audit Firm did not even communicate with TCWG an overview of the planned scope and timing of the audit, significant deficiencies identified during the audit and lapses in the internal controls of the Company. The Audit Firm’s assertion that it made a presentation of its report to the Audit Committee which meets the requirement of ‘effective two-way communication with TCWG’ cannot be accepted, since the audit committee is not synonymous with TCWG. A mere discussion in the audit committee at the stage of approval of the Audit Report cannot substitute the statutory requirement of effective two-way communication by the auditor with TCWG. Lapses in communication with TCWG are viewed seriously internationally as well. The UK audit regulator FRC has noted that “During their audit of Ted Baker’s accounts for FY13 they failed to ensure that those charged with governance of Ted Baker were informed of all significant facts and matters that impacted upon KPMG’s objectivity and independence as auditor, whether on a timely basis or at all.” The details of these lapses are given in Chapter 9 of this AQRR.
d) One of the basic objectives of the auditor is to identify and assess the Risks of Material Misstatement (ROMM), i.e., the risk that the financial statements contain material errors/discrepancies (materially misstated) before the audit, whether due to fraud or error, at the financial statement and assertion (i.e., representations by management, explicit or otherwise, that are embodied in the financial statements) levels. This is achieved through understanding the entity and its environment, including the entity’s internal controls. A proper understanding of the ROMM will provide the auditor with a basis for designing and implementing responses to the assessed risks of material misstatement. This will help the auditor to reduce the ROMM to an acceptably low level. However, in assessing the ROMM, the Audit Firm failed to appropriately assess the risk of material misstatements due to a lack of performance of adequate risk assessment procedures. It failed to discuss the susceptibility of the financial statements to material misstatement due to fraud. This ultimately has resulted in several instances of non-reporting of violations by the Company like those observed by NFRA in revenue from operations, impairment of investments, related party transactions etc. These omissions have made the audited financial statements unreliable. The details of these lapses are given in Chapter 10 of this AQRR.
e) The Audit Firm wrongly asserted that the auditing standards are “not prescriptive but are principle based” and it is not possible to make “extensive detailing in work papers on compliance with each para of the standards of auditing” (Emphasis in italics added by NFRA). Such an understanding and application of the standards of auditing goes against the fundamental and mandatory nature of the standards. This claim of the Audit Firm completely goes against the compulsory and statutory requirements when the relevant standards themselves use the words such as “shall” in the requirement portion of the standards. Section 143 (9) of the Companies Act, 2013 mandates that “Every auditor shall comply with the auditing standards”. Para 18 of SA 200 requires that the auditor shall comply with all SAs relevant to the audit. It may also be recalled that after the Enron and other such episodes the International Auditing and Assurance Standards Board (IAASB) initiated a Clarity project to improve the clarity of its standards based on revised drafting conventions. The new format, which has been made applicable on 1st April 2008 and is also followed by India, incorporates the fundamental principles of the Standards of Auditing (SAs) in the Requirements section of each SA, and these are represented by the use of “shall”, whereas prior to the new standards, the word used for this purpose was “should” (Reference: ICAI Handbook of Auditing Pronouncements). The above facts and legal requirements clearly underline the mandatory nature of each requirement of the SAs, as the word “shall” denotes unconditionally mandatory responsibilities.
1.3.13. Failure to Comply with the Quality Control Norms
1.3.14. Para 7 of SQC 1 stipulates that the Audit Firm’s system of quality control shall include policies and procedures to address elements such as leadership responsibilities, ethical requirements, etc. The quality culture of the firm depends inter alia on the requirement to perform work that complies with professional standards and regulatory and legal requirements applicable in India. Despite such a stipulation in the Standards, NFRA observed that the majority of the documents in the quality control policy (the internal document that sets out rules, policies, procedures, ethics etc. for the functioning of the Audit Firm in compliance with respective laws and professional standards) submitted by the Audit Firm are the policies of the global network entity EY and had not been drafted with reference to Indian laws, rules and regulations. The quality policy is silent on certain matters like details about the actions to be taken by the Audit Firm to mitigate and eliminate the threats to independence, particularly with reference to the prohibited services as per section 144 of the Companies Act, 2013, and the criteria to choose a benchmark for determining materiality. This makes the quality policy at variance with the Indian regulatory framework. The Audit Firm has taken the stand that though it does not have its own policy but it has adopted EY’s quality policy which is more stringent than what is required by Indian laws and which meets international standards. Except for this general claim, the firm has not demonstrated how this adopted policy meets the specific requirements of the Indian laws. Therefore, the firm’s claim that “our Firm’s policies and procedures, are more stringent” has no relevance since the Companies Act, 2013 makes it clear that every auditor shall comply with the SAs. The Companies Act, 2013, nowhere does it mention that an auditor can comply with any standards other than those issued by ICAI. Being a statutory body under the Companies Act, 2013, the monitoring functions by NFRA are performed only with reference to standards that are in force in India. The firm’s claim of equivalence of International standards is not relevant for the purposes of examination by NFRA of certified financial statements. The quality policy of an Indian audit firm should detail the ethical requirements, including independence norms applicable in India, specific aspects of acceptance and continuance of client relationships, such as the matters covered in sections 139,141 and 144 of the Companies Act etc. Therefore, the quality policy may vary from country to country. For example, independence norms as mandated under Section 144 of the Companies Act are different from those prevailing in many countries. The Audit Firm’s quality policy has to address country-specific mandates. Merely stating that the EY’s policy is more stringent and meets international standards is not good enough. The details of the Audit Firm’s violations are given in Chapter 11 of this AQRR
1.3.15. In relation to the practice of the Engagement Quality Control Review (EQCR), which is a mandatory requirement for a listed company audit and wherein a qualified individual, appointed by the Audit Firm, objectively evaluates the works done by the engagement team, NFRA found no evidence of the procedures performed, and conclusions made by the EQC Reviewer. There was no evidence to show that the Audit Firm’s EQC Reviewer objectively evaluated the significant judgements and conclusions reached by the engagement team. The EQC Reviewer is required to discuss with the engagement partner the significant matters arising in the audit and is also required to independently evaluate the conclusions reached by the engagement team while conducting the audit. NFRA found that the EQC Reviewer had merely ticked a Yes/No checklist, which is claimed by the Audit Firm as evidence for the works done by the EQC Reviewer. In NFRA’s view, this cannot be considered as compliance with the mandatory requirements of the SAs. The superficial nature of the work of the EQC Reviewer is amply demonstrated by the fact that the EQC Reviewer did not find a single issue despite many large-scale violations by IL&FS and the firm that were subsequently found by NFRA and which have been detailed in this AQRR. This compels us to believe that the review work done by the EQCR was a mere formality. Failure to do a meaningful review led to the overlooking of several lapses made by the engagement team thereby compromising the quality of the audit. Such lapses are taken seriously by the international audit regulators as well. The UK’s audit regulator FRC observes that “On two of the audits, there was insufficient evidence of the involvement of the Engagement Quality Control Reviewer (EQCR). On one of these audits, there was insufficient evidence of the EQCR’s review and challenge, for certain areas of significant risk. In the other audit, the EQCR did not discuss matters arising with the key audit partner of a significant component or clarify why this was not considered necessary, as required by Auditing Standards. While conversations were held between the EQCR and the key audit partner for another significant component (on the same audit), there was insufficient detail of the matters discussed or the extent of evaluation by the EQCR”. The details of our findings on the EQCR are given in Chapter 12 of this AQRR.
1.4.1. The above is a summary of the NFRA’s important observations in the AQRR. Details of the facts and evidence in support of these observations, and the reasoning leading thereto, are provided in the subsequent chapters of this AQRR.
1.4.2. While reference has been made in most cases to the applicable Standard on Auditing which has a direct bearing on the issues under consideration, it needs to be borne in mind that certain generally applicable requirements of the Standards on Auditing, such as the need to exercise professional scepticism, the need to obtain sufficient appropriate audit evidence, the performance of procedures to address the assessed risks, etc., are integral to all individual cases discussed in this AQRR even if they are not specifically mentioned in individual paragraphs of the Report.
1.4.3. Based on these AQRR observations, NFRA concludes that the Audit Firm has formed an opinion on the financial statements of the Company and issued its audit report without obtaining reasonable assurance about whether the financial statements as a whole were free from material misstatement, whether due to fraud or error and thereby failed to meet the requirements of Standards on Auditing 700 (SA 700). Para 15 of SA 200 requires that the auditor shall plan and perform an audit with ‘professional skepticism’ recognising that circumstances may exist that cause the financial statements to be materially misstated. The AQRR identifies instances such as impairment of investments, evergreening of loans, approval of related party transactions, recording of revenue, violation of capital and leverage ratios, and numerous other instances given in this AQRR where the Audit Firm failed to exercise professional skepticism and failed to challenge the management assumptions and claims in key areas of financial reporting. It is needless to emphasise the importance of maintaining professional skepticism throughout the planning and performance of the audit.
Source: NFRA’s AQRR dt. 22/06/2022: CA Firm SRBC & Co. LLP (IL&FS Audit 2017-18)