Disclosure Of Forensic Audit: A Blunt Instrument

Forensic audit has acquired the status of an important tool in corporate governance to unearth financial fraud or other wrongdoing in a company. It is often launched internally by company managements, or externally by lenders, business partners, or regulators. Such a forensic audit or investigation acquired centre stage in high profile instances involving companies such as Infosys, ICICI Bank, and IL&FS to varying results: in some cases, the companies received a clean chit while in others they were the subject matter of regulatory action following such audit.

Despite the increasing prominence of forensic audits, concern has emerged that investors in the companies have been kept in dark regarding the launch of these audits as well as their outcomes, thereby inducing a great deal of opacity.

The Securities and Exchange Board of India formed the view that the continuous disclosure requirements governed by the SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015 were insufficient to encompass the specific disclosures pertaining to forensic audits.

With a view to addressing this lacuna, SEBI amended the Listing Regulations with effect from Oct. 8, 2020, to impose an obligation on companies to make disclosures in the public domain when they initiate a forensic audit and to publicise the final forensic audit report (along with comments of the management).

More importantly, SEBI has elevated this item to one where disclosure is required whether or not the information is material: the forensic audit-related information is “deemed to be material”.

SEBI’s measures to reduce information asymmetry in the securities markets in the context of forensic audits are noteworthy. When a company commissions a forensic audit, it does so usually (though not necessarily) when it suspects shenanigans. Public disclosure of this fact enables a uniform release of information to the market and prevents selective disclosures and leakages that benefit specific investors and erode market integrity.

While SEBI’s aims of imposing an onerous obligation on disclosing forensic audits are understandable, its design suffers from some misgivings that need to be addressed.

Being a blunt instrument rather than a precision tool, an overarching disclosure requirement may generate unintended consequences that might have an adverse impact on the desirability and utility of forensic audits.

The Definitional Quandary

At the outset, SEBI makes the disclosure requirement applicable to “forensic audit (by whatever name called)”, thereby imposing a carte blanche. This aggravates matters because forensic audits are a nascent phenomenon and elude precise definition. In their paper ‘Defining a Forensic Audit’, Smith and Crumbley note that forensic audit “is focused on the identification, interpretation, and communication of the evidence of underlying strategic economic and reporting events”. The Institute of Chartered Accountants of India has also recently put out an ‘Exposure Draft on Standard on Forensic Accounting and Investigation – Framework’, which defines forensic accounting and investigation. All of these suggest that forensic audits could encompass financial as well as non-financial matters. The use of the expression “forensic” is an indication that the result of the audit is for consumption either in a dispute before a court of law or in regulatory intervention.

At the same time, there is also recognition that forensic audit need not necessarily be reactive in nature, for example, the typical scenario when the board or audit committee of a company receives a whistleblower complaint -- but may be commissioned on an ongoing basis as a preventive measure and as part of the company’s internal controls.

The unduly wide scope SEBI has employed will ensnare both reactive as well as proactive measures by companies.

Moreover, given that the emerging conception of forensic audit transcends matters of financial reporting, there is bound to be ambiguity surrounding what other types of investigation would fall within the ambit of the disclosure requirement. The very definitional challenges that may have motivated SEBI to introduce an expansive disclosure requirement could come in the way of meaningful adoption and implementation by companies that are subject to it.

Disincentive To Conduct Forensic Audit

Apart from the definitional concerns, there are also timing considerations. SEBI’s disclosure requirements apply to the “initiation of forensic audit”. Whether reactionary or preventive in nature, when the company commissions a forensic audit it necessarily has limited information. It is either operating on the basis of a suspicion of wrongdoing or the motive to implement robust control mechanisms. The merit of going public at this early stage is in considerable doubt. In a strong response to SEBI’s regulatory change, industry body NASSCOM has represented that disclosure at such an early stage in the process “can have an unintended effect of harming the interest of the company without any corresponding benefit”. Apart from hurting the reputation of the company, argues NASSCOM, this is likely to in fact mislead the investors, especially when the forensic audit ultimately returns a negative result regarding any wrongdoing.

Another concern is that premature and overarching disclosure requirements may have a counterproductive effect, in that companies may lack the incentives to initiate forensic audits for the fear of attracting adverse effects from the mandatory disclosure obligation. It may induce companies to defer the launch of forensic audits when warranted, such as in response to a whistleblower complaint, or may minimise the incidence of routine internal investigations that are ameliorative in nature.

Disclosure Of Report: Regulatory Overload

SEBI also requires that, upon receipt, companies must publicly disclose the final forensic audit report. In doing so, the regulator appears to be driven by the concern that companies may quietly close forensic audits by giving clean chits to the alleged wrongdoers, without the investors ever obtaining information about the true nature of the audit. While it is useful to shine some light on the goings on in a company, the requirement to disclose the full report has generated apprehensions from industry. NASSCOM argues that it would be imprudent to disclose entire reports, as they may contain proprietary information. Moreover, since a forensic audit is likely to involve witness testimony and other documentary evidence, the possible unwanted publicity surrounding these may inhibit witnesses from providing necessary information without the risk of unveiling their identity. Such excessive disclosure requirements, therefore, have the effect of jeopardising an effective investigation.

An alternative would be for companies to disclose to their investors summary information from the report, after redacting sensitive information and also concealing the identity of whistleblowers and other witnesses. Unless such an intermediate approach is adopted, the zeal to go public with the forensic report may come in the way of obtaining an honest and thorough outcome in the forensic audit.

Exclusion of Regulatory Forensic Audits

Curiously, SEBI’s prescription treats forensic audits initiated by regulatory or enforcement agencies differently. While there is a requirement for companies to disclose the initiation of such audits, they are exempt from the disclosure of the final report. A SEBI memorandum that sets out the background to the disclosure of forensic audits indicates that the objective of a forensic audit initiated by a regulatory or enforcement agency “may be specific to the mandate of the agency and may be part of a broader investigation”. However, the reason for obtaining differential treatment and the non-disclosure of government-led forensic audits is unclear. The objective of transparency arising from internal or private forensic audits should apply equally to government-led ones as well. If not, this exception may also create distorted incentives.

A company that wishes to avoid the onerous obligation of making public a forensic audit report that it initiates might be incentivized not to conduct a forensic audit or investigation, but rather await the action of a regulator or enforcement agency in originating an audit and avoid a public airing of laundry.

Conclusion

SEBI’s eagerness to ensure parity of information on matters relating to forensic audit is well-intentioned but reveals chinks in design and operation. The over-encompassing nature of the obligation has spawned a push back from industry, as evident from NASSCOM’s representation. Even otherwise, as seen above, the overly stringent disclosure requirements may produce skewed results that militate against the very objectives of a forensic audit. While the need for disclosures cannot be undermined, one option would be for SEBI to reconsider the scope of the requirements. For instance, rather than “deem” information pertaining to forensic audit as material, the element of materiality can be determined by a company’s board depending upon the individual circumstances involved. They can do this at the peril of regulatory sanctions for incorrect determinations, a power that SEBI must exercise in a timely and effective manner.

Umakanth Varottil is an Associate Professor of Law at the National University of Singapore. He specialises in company law, corporate governance and mergers and acquisitions.

The views expressed here are those of the author and do not necessarily represent the views of BloombergQuint or its editorial team.