ADVERTISEMENT

Form But No Substance In Deloitte’s IFIN Audit, Says R Narayanaswamy

Lapses in Deloitte, Haskins and Sells’ audit of IL&FS Financial Services for FY18 are a “big letdown”, said the IIM-B professor.

Infrastructure Leasing and Financial Services’ headquarters in Mumbai. (Source: IL&FS Annual Report)
Infrastructure Leasing and Financial Services’ headquarters in Mumbai. (Source: IL&FS Annual Report)

The lapses in Deloitte, Haskins and Sells’ audit of IL&FS Financial Services Ltd. for 2017-18 are a “big letdown” by the auditor, said R Narayanaswamy.

The professor of finance and accounting at Indian Institute of Management, Bangalore, said the Audit Quality Review report by regulator National Financial Reporting Authority revealed “so many holes, so many compromises, inadequacies, lack of procedure. This is something I wouldn’t have associated with a reputable firm”.

Earlier this month, in its very first such AQR, the NFRA found that Deloitte allowed IFIN’s management to conceal negative capital ratios so as to save the company’s NBFC licence. This was one of many other violations of auditing standards that led NFRA to state that Deloitte’s quality control system and processes are “severely inadequate and ineffective”.

I never imagined that it would happen with one of these firms. If it were a mid-sized or small firm, may be due to lack of technical abilities, maybe due to possibility of lack of real independence and so on this is understandable, but not acceptable in case of a large firm. I think, this is something which we just don’t expect.
R Narayanaswamy, Professor of Finance and Accounting, IIM Bangalore

On the specific issue of concealing negative capital ratios, Narayanaswamy said the auditor should have exercised professional scepticism and “put brakes” on the management’s aggression. “Remember this wasn’t something that happened on one day, this must have been happening over a period of time and therefore this is something the auditor would have paid attention over a period of time.”

But more concerning to the accounting expert was that the negative capital ratios raised doubts regarding IFIN being a ‘going concern’ and that, he said, should have been brought to the attention of the board, investors and regulators.

The AQR also found the independence of the auditor was compromised by the provision of non-audit services for substantial fees. Company law prohibits an audit firm from providing certain non-audit or ‘management services’ to the auditee or the company that it audits. Deloitte contested the definition of management services in its representations to the regulator, to make the point that the services the firm provided were not prohibited. The regulator didn’t agree and neither did Narayaswamy.

There’s no definition of management services in the Act—given that I think each one will come up with their own definition. Deloitte being an audit accounting firm with global connections, they should have been more conservative in the definition. That I think would have been better for them, but it would also be much better if you move away from these permitted services to prohibited services.
R Narayanaswamy, Professor of Finance and Accounting, IIM Bengaluru

Narayanaswamy also expressed concern about Deloitte having two engagement partners for IFIN, when only one is permitted. That the audit firm claimed to have relied on independent directors to alert on the ‘going concern’ issue. And that, the audit firm’s documentation wasn’t up to the mark.

“...if you see the AQR you get the impression that there was a lot of form here but there was no substance in the audit, because it seems a case of only box ticking done.”

Deloitte declined to participate in the discussion or offer any comment.

WATCH | IIM Bangalore’s R Narayanaswamy on Deloitte’s IFIN audit

Here are the edited excerpts from the interview...

When you read this AQR, what was your response or assessment of the gravity of the offences that Deloitte has been found guilty of under this audit quality review?

To begin with, my immediate response was one of disbelief. I couldn’t quite believe that a ‘Big Four’ accounting firm would do an audit where there were so many holes, so many compromises, inadequacies, (and) lack of procedures. So, this is something I wouldn’t have associated with a reputable firm. To begin with, it was one of disbelief. I never imagined that it would happen with one of these firms. If it were a mid-sized or small firm, maybe due to lack of technical abilities, or due to a lack of real independence some of this is understandable, if not acceptable. But in the case of a large firm, I think, this is something which we just don’t expect.

If the whole thing turns out to be eventually true, which is what I’m assuming, it’s a big let down by the auditor. I don’t think they have really stood by the investors who trusted and appointed them. (Neither did they stand by) the regulator, the RBI. It’s a huge let down. That was my immediate response when I saw the report.

Before I get into the details of one or two of these very egregious findings of the AQR, I also want to quickly inform readers and viewers about what the scope of an AQR is. This is because the NFRA itself is a new regulator, appointed under the Companies Act and from what I understand, the scope of an AQR is essentially to gauge the compliance or the ability of the auditor to meet auditing standards.

That’s right. The NFRA has multiple roles. One, it’s responsible for establishing accounting and auditing standards; as of now, it doesn’t have sole jurisdiction in this matter. It’s done by the Ministry of Corporate Affairs but the NFRA recommends the standards to them. And these standards by now, are well accepted, would be international standards with maybe exceptional tweaks were required to be in sync with Indian law and so on. Otherwise, by and large, we would just take the international standards and follow them. (Therefore), NFRA is the agency that does the last check before the government (which is what the National Advisory Committee on Accounting Standards used to do).

Second, NFRA is also responsible for AQR, which according to the law means the quality of service provided by the auditors. Obviously, auditing is a major service provided by them, but NFRA can also under the law take up non-audit services, although they haven’t come that far. They are also responsible for taking disciplinary action, monitoring compliance and so on. So, they, therefore, have several roles. They are standard setters, standard enforcers, and also disciplinary authorities. They can play all these roles.

So, (let’s) come back to that AQR with regards to this Deloitte Haskins & Sells audit of IFIN. I thought the most egregious finding was the fact that the AQR found that the audit firm had helped the management conceal negative capital ratios in an effort to save IFIN’s NBFC licence. Now, the AQR says Deloitte’s contention was that “companies in the same group”, that definition wasn’t very clear under the Companies Act, 1956, which was the prevalent statute then. Whereas the AQR found that that’s incorrect. The AQR has also mentioned that the RBI had noted the divergence in the computation of both the capital ratios which is Net Owned Funds and Capital-to-Risk Asset Ratio and provided corrected computation with negative NOF and CRAR, but this was ignored by Deloitte. (Further), they have said that Deloitte did not exercise due diligence and professional skepticism and misled the audit committee of IFIN by supporting the management without conducting any independent inquiry. How do you assess the gravity of these failure?

This is extremely serious because a financial institution with negative net own funds wouldn’t be able to carry on business. It’s not just negative net owned funds, even with a positive net owned funds, which is below the capital adequacy norms described by the RBI, it wouldn’t be acceptable. So, this would, in fact, had the RBI acted, (I didn’t know why the RBI did not proceed further with it) would have led to it potentially cancelling their licence and stopping their business altogether. So, therefore, there was this big issue of ‘going concern’ overhang that I think the auditor would have been very much aware of. I think the board, the audit committee, and obviously the management ought to have been aware of this. So, to my mind, the auditor not raising a red flag over this within the company, the regulator, and within the investment community through the report is very serious. This is effectively saying that the company had no financial health issues when the company’s financial health was gone.

The AQR suggests the RBI had, in fact, given IFIN some time to meet the required ratios as per (the) regulations. Now, my question is that the AQR says Deloitte has accepted the stand of the management about not disclosing the fact that NOF and CRAR were both negative. Deloitte certified the account showing positive NOF and CRAR. Is this just an audit standard failure? If you’re colluding with the management to accept that something is positive when actually it’s negative and you’re allowing for that to be reflected in the accounts as positive instead of negative, (then) it’s far more serious than just audit standard failure?

Here what has happened, sometimes there can be legitimate differences between the regulator and the financial institutions. So, it’s quite possible that they can take a view which is different from what the regulator says. But under the law, the regulator’s view is final. If you don’t like the regulator’s view then you will have to take legal action. If you don’t take legal action, then you have to just comply with the regulator’s position. That’s what everyone understands.

So, given this, for Deloitte to be accepting the management position uncritically and then proceeding with that definition (is the case here). The management says that the RBI told them to take steps to meet those capital adequacy requirements. The job of the auditor is also to find out whether the RBI’s instructions were being acted upon. For example, there could be, let’s say, a case of the company going out to raise capital. That would have addressed this issue to an extent. So, these are the things which the company is supposed to be doing.

And is this fairly within the responsibility of the audit firm?

(Yes), it is within the responsibility of the audit firm because capital adequacy norms are certified by the auditor. So, when you certify something, this is not being (merely) reported upon, but you are saying that these numbers are correct. So, this is not, “in our opinion,” “to the best of our information,” “according to the explanations given to us”. It is not of that type. It is a factual certification. This is the first point.

Second, it is the management’s contention in a case like this (that needs to be looked at). I think there is a lot that the NFRA has said on this matter and on many other matters. There needs to be professional skepticism. So, the auditor would know more than anyone else that there was an issue of the management being aggressive in its interpretation. So, the auditor should have put breaks on the management’s aggression and ensured that this did not go this far. Remember, this was not something that happened on one day. This must have been happening over a period of time and, therefore, this is something the auditor would have paid attention to over a period of time. So, this is not something that happened all of a sudden. If it is because of a shock event, it is perfectly understandable since the auditor would not have known about it before. So, it has been happening over time so they should have been in some ways more alert of which way it is going.

So, my worry is more than this NOF and CRAR technicality, which possibly is debatable. I don’t know details of this, but I think it raises a serious going concern issue which the auditor should have drawn the attention to. It should have drawn the attention of the board and that of the investors in this matter. It should even probably have alerted the RBI. So, I would think the auditor actually did not apply professional skepticism. In fact, I would also say one more thing. On the RBI’s instructions, the auditor should also have looked for proof of how the company was going to go about raising capital and what methods they would have (followed).

That is also the part of auditor’s responsibility?

Yes, so they have to test the management’s claims. If the management says something, they can’t just accept it. So, they have to test the claim and then they have to make sure that it has some basis.

That’s exactly what the AQR also says about the ‘going concern’ basis. They said that Deloitte didn’t adequately question the going concern assumption of the management when preparing financial statements. Is this approach common among the audit firms? What if the audit firm were to say that (even though) RBI knew about the negative capital ratio, it didn’t say anything. Why is it our problem that we didn’t say anything? That could be a defense, right? Because RBI knew that this institution IFIN did have a capital adequacy problem. RBI was the one that flagged it off. That’s the basis of the AQR as well.

RBI is not only the stakeholder in capital adequacy; lenders to this institution are also involved. So, they need to be informed and also the wider investment community. Everybody needs to be told about the seriousness of this matter.

The other thing is there’s actually a pattern which I am seeing these days. If you ask a bunch of professionals why they didn’t do something, they immediately point you to another set of people. So, for example, valuers say they depend on financial statements, the auditor says it depends on credit rating agencies, credit rating agencies say they depend on financial statements (and so on). But I don’t think it’s the job of a regulator to do anything about it. If the auditor has been given a task and he hasn’t done it, then he owes an explanation. Saying that the RBI ought to have been aware (is hot good enough).

Since you mentioned this, I have noticed something very bizarre here. The auditors say in the AQR on page 106 - the independent directors of the company by all accounts are knowledgeable of financing and accounting whom we have the right to rely on and did so. If they had any doubt in the company as a going concern, they would have alerted us of the matter as they, in any case, had the responsibility under the Company’s Act to make the assertion about the going concern assumption.

So, this is the auditor relying on the independent directors to red-flag the going concern assumption as opposed to taking on the responsibility or accountability of that themselves?

Now, this is very strange. So, you ask the independent directors, they would say that they expect the auditor to review and tell them. (On the other hand), the auditors, of course, say that the independent directors ought to have told them. To put it very mildly, this is simply ridiculous. This can’t go on.

What has happened here’s that they simply tell us that there are a set of people who are in charge of governing this company, they’re good people, they know what they are talking about and they know when to say what, so we trusted them.

If this argument is taken to its limit, I think, the auditors can simply take the numbers given by the management and the board and they can simply sign on them and give. Why do we need an audit at all, if this is the case?

So, what I am saying is we need to test the claim and actually there is another issue here. I have been on the bank’s board so I know this problem.

Many times, you wouldn’t know the details of the transaction that happens at the board level. So, we, in fact, would expect the auditors also to tell us of what we might think of as egregious transactions. We wouldn’t have known about this because management won’t come and tell you this. So the board also is in some ways a stakeholder in this whole thing. So, to say that the RBI knew and so on isn’t going help us at all in this matter and this looks to me like a very casual approach to an extremely serious matter.

Passing the buck as you pointed out?

Yes.

The second issue that I wanted to bring up as laid out in AQR is an equally important one about auditor independence and the AQR very clearly states that they thought that Deloitte’s independence in the matter of IFIN was compromised and found a couple of reasons for that. I am going to pick a main one. They said Deloitte was found to have either directly or indirectly provided prohibited services to the auditee company, or its holding company, which is IL&FS. (Moreover), they have said that the total fee for those services was actually more than Rs 6 crore, whereas the audit fee for that year was Rs 4 crore.

When you looked at this, did you think this was black and white violation of the audit standards and of the Company’s Act or is there a grey area in the law itself that allows for an audit firm to interpret which services it can provide and which it cannot?

I think, this is a bad design of the law. What I feel is instead of laying down a set of ‘Don’ts’, it would have been much better in the law to lay down a set of ‘Dos’. These ‘Don’ts’ are always problematic. Let us take a case of ‘management services’, which is a big bone of contention between the NFRA and the audit firm. Now, management services - the audit firm interprets as those which the management had the responsibility to do. They are saying that’s not what we have done. They are saying we have not done things which the management would have to do. Essentially, operational activities, running the business and so on. But NFRA says these are services which the management needs. These are non-audit services, which are not essential for the auditors to provide to the management at all.

There’s no definition of management services so the whole thing is up in the air. So, that’s why I’m saying this is a bad design. I just want to tell you that in fact that it happened just about two days back. The Financial Reporting Council in the U.K. issued a proposal some months back and now it has become part of the ethical standards. They have issued a list of permitted activities and permitted services. It’s very interesting. The permitted services are only those which the auditor can provide. So, anything which someone else can provide, the auditor is prohibited from doing. For example; stock exchange requires a certificate. When an Indian company goes to stock exchange abroad and wants its securities to be listed, they typically say we want a statutory auditor of a company to give a certificate. Now, if anyone gives, they won’t accept.

But those are black and white. You have said because ‘management services’ aren’t defined, there can be more than one interpretation. Then, is it justifiable for an audit firm to be confused about what’s management services or is it disingenuous?

I would think if you’re providing any services, some of which are prohibited under the law, I think you should take a cautious view because things could turn out to be wrong. So, if things turn out to be wrong then there would be a big problem for the audit firm. I think they should have applied a higher threshold.

One of the things I have noticed here is the response given by Deloitte. Typically, it’s something like (referring to) the letter of the law everywhere. think taking the letter of the law is unhelpful, especially when some of the services have been banned.

So, coming back to that section again, I think it will be much better if they clearly mention that you can only do those things which auditors alone can do, everything else is banned. For example, taxation. Auditors can provide taxation advice. There’s a very clear conflict because if you are a tax advisor to someone, you would want their taxable income to be reduced. But if you’re an auditor to the same person, you would want the profit to be reported in a neutral fashion.

So, there is an inherent conflict even in the services that are permitted?

So, that is something I would certainly like to see be prohibited on a priority basis.

So, when the NFRA finds that Deloitte has compromised auditor independence by providing these services which are otherwise prohibited, is NFRA justified or is Deloitte justified in saying that they didn’t think that these services fall within the definition of prohibited services?

There’s no definition of ‘management services’ in the Act. Given that, each one will come up with their own definition. So, what I would think is Deloitte being an audit accounting firm with global connections, they should have been more conservative in the definition. That I think would have been better for them, but it would also be much better if you move away from these permitted services to prohibited services. The U.K. already gives us a model for doing this. That would solve all these problems altogether. I think they should be completely eliminated.

The other thing you mentioned about non-audit services, and this is well known so I’m not sharing any secret here, (is that) every firm under-quotes auditing and then tries to make up (for it) by doing non-audit services. So, if these permitted services are the only things they can do they can do, what will happen is firms will realise that there is no other way that they can make money. They will increase their audit fees, which, by the way, are actually lower than what they are ought to be.

So, audit fees have to go up and non-audit services have to go out.

I think the other thing about this is with regards to Section 144 of the Companies Act, 2013, the reference to directly or indirectly providing such services.

Now, many of such contracts, say for valuation assignment, have been given to their own group entities. Now, this is clearly going to come under the definition of indirectly. It may not be directly, but it is indirectly, right? They are not doing it, but they say someone in the same group. It also says if someone shares the same trade name and so on, then this is an issue. So, many things were not captured by their radar.

It is very difficult for me to believe that a big firm claiming to have very strong quality control systems and high standards and so on would let all of these things go.

Fair enough. (There are) 15 engagements as the AQR points out. It also points out that the requisite board approval that Deloitte should have sought from the company’s board was not gotten by Deloitte and then that’s another area of failure.

Actually, it’s the audit committee approval which they should have got. Deloitte has again given a very interesting response to this they said, “...the board or audit committee as the case may be.”

It’s not up to the management to decide to go to the board for one project and the audit committee for another. A reasonable interpretation for this would be (since an audit committee is not mandatory for every company) that they would have to go to an audit committee if there is an audit committee. If there is no audit committee, or the committee can’t be asked to do it for any reason, then we go to the board. So, it’s not as if the audit committee or management can say for one case they will go here, (and for another they’ll go there). This is a ridiculous interpretation of the law and actually a perversion of the law.

Is there anything else that stood out to you as an astonishing finding of the AQR that spoke very poorly of Deloitte’s audit quality or quality control?

One of the things I realised here is, there are two engagement partners which Deloitte seems to have in different ways and at different times. I think this isn’t done

So, in surgery, you have this “Captain of The Ship Doctrine”, which means only one person, not two, can be in charge. So, two people cannot be in charge at different times in the same audit, unless for some reason the same person can’t continue.

Now, we always have had joint audits which are extremely difficult because you don’t know to whom you’re talking. When you talk to one person and they say we aren’t responsible for this, somebody else is. So, again this is the case of passing the buck. Now, I also realised there’s one more thing called joint engagement partners, which is very strange.

This, you said, is strictly prohibited by the audit standards. You are supposed to have a single engagement partner in charge of the audit. How could a large audit firm like Deloitte have missed something this important?

I have no idea why they let this happen. I think they made it appear that this was some kind of partner providing support. They seemed to have argued that this partner was not an engagement partner but at some stage, they also have said that there were two engagement partners. This is very messy. I think they themselves probably realised this was (a lapse on their part).

Another thing is documentation. I find a big gap in the documentation. For example, the management apparently has had a meeting with RBI and comes and tells Deloitte that this is what they discussed. The RBI doesn’t say anything about this. You can’t say that the RBI has agreed to the entire minutes of the discussion as said by these people (management).

The minutes of the discussions as approved by the RBI will be RBI minutes. The RBI didn’t say anything maybe because they thought it was so clear that they didn’t have to say anything. So, Deloitte seems to have said this is something which the management wrote to the bank, therefore they went by what was said.

And your point is that they should have sought a response from RBI?

No, RBI won’t respond to this.

Then what could Deloitte have done?

Deloitte should have simply rejected this and asked for RBI-attested minutes of the whole meeting or it should not have given any respect to this document.

How does an auditor then proceed sans that information? 

So, that’s not information. I cannot claim that you agreed to something unless you have confirmed. So, typically if RBI’s thoughts were important, RBI could have communicated in writing subsequently. The RBI thought that probably it was very clear that the company was making a very unusual request and RBI never thought that it was so important for them to respond to. So maybe RBI did not think it was necessary to reply to every letter sent by these people. This is another thing.

So, I think the engagement quality control, which is very important—two things here, one is the engagement acceptance stage, that’s at the time of taking the audit. Subsequently, after taking the audit, the entire audit was supposed to be reviewed by someone else, not the engagement partner.

I think there’s a problem here. Technically a junior partner could be an engagement quality control reviewer. But a junior partner for his/her career advancement will look on the senior partner. There’s no way that the junior partner is going to say that you didn’t do this at all. Now, how to solve this problem, I don’t know. But this is something which cannot be done at all. Either senior partners don’t do any engagement at all and then they only do engagement quality control review, which would be very legitimate because they have worked for so many years so probably they know exactly what to look for with their experience and maturity. Maybe they should do eventually become engagement quality control reviewers. So, this I found to be another problematic thing here.

And if you see the AQR, you get the impression that there was a lot of form here but there was no substance in the audit, because it seemed to be only a case of box-ticking done by them. So, I get the impression that they just wanted to make sure that all the boxes are ticked. Now, whether something was actually done or not (is the question). So, that is the overall sense.

Where does this go from here on because NFRA has said that it will consider taking disciplinary action against the partners involved in this audit or even the entire firm if it finds sustained quality loss.

AQR itself cannot become straightaway a basis for NFRA to take disciplinary action. So, they have to start disciplinary proceedings. The AQR will be extremely valuable material for NFRA to take action, but then they will have to take action and initiate proceedings against each of the chartered accountants, partners and non-partners, all of the ones involved in this. So, (they will) start proceedings against them and also possibly against the firm itself because if NFRA comes to the conclusion that there has been a firm-level failure, then they also have to act against (those involved)…

This action could be a monetary penalty, or it could be a ban on their services?

The section (in company law) provides for a financial penalty that is multiple times the fees they got. It also provides for banning them from doing audit work.

As you looked through this order, it’s an extensive order that runs into more than 150 pages. What did you make of this very first AQR the NFRA has done? This is a regulator in its nascency, just born a few months ago, tasked with a fairly big task that has not yet been done. Earlier in India all audit review was usually done by the ICAI, if at all.

So, what did you make of the quality of the order, the process followed by the NFRA? For instance, I know they started the entire process in February, they had multiple conversations with Deloitte and many of the partners there so as to give the firm and the partners a chance for representation. They finally came out with the AQR in December, so that’s a fairly long period they spent in inspecting all of this. What was your assessment of the robustness of this AQR?

I think this AQR has been written extremely well. Work has been done well, it also has been documented very well. NFRA has given the audit firm opportunities to respond at every stage. So, they sent them a questionnaire first, then they got a response to the questionnaire. Based on the questionnaire, they wrote a draft AQR and then with that draft they gave a reply and then they took a position on this and based on the response from the audit firm. So, I think the due process has been followed.

And (what about) the substance of the order?

The substance of the order is very good because I think they have identified key issues. I am absolutely certain there are many more points which the NFRA would have come across. What you see here are the major issues. There would be a whole lot probably of what you would think of as matters that NFRA thought wouldn’t deserve to be mentioned in this order, which probably would still (warrant being mentioned).

And their assessment of these major issues, their interpretation of laws, their interpretation standards, you found a high degree of professionalism and robustness in that as well?

They have been very fair to the firm. There was no attempt on their part to fix the firm. So, they gave the firm a reasonable chance to explain and they have also given their response to the firm’s interpretation. It’s not like a one-sided order, they have listened to them, they have responded and have given the firm every chance to respond. So, it has gone through a couple of rounds before they came with this order. I think they have gone through a proper process.

I also, in fact, want to congratulate the NFRA, because this is a body which has taken over the ICAI’s disciplinary function. So, I think a lot of people would be watching with anxiety, maybe they would want NFRA to trip. People like us want NFRA to succeed because we think this is a body which has really come into existence because of the failures of the previous arrangements. I am sure they would have kept this at the back of their minds. They wouldn’t just want to issue an order.

The audit firm can appeal against the order to the NCLAT and go all the way to the Supreme Court. This being the first order, I am sure the NFRA has taken a lot of care to ensure that they have really put their best foot forward.