Back

Forensic Auditing*

A.N. Chatterji
SAI - India

*    This article draws heavily on the paper presented on the same subject by the SAI of the United Kingdom at the last conference of Commonwealth Auditors General

Definition

Forensic auditing could be defined as the application of auditing skills to situations that have legal consequences.

Background

In a global review conducted by Ernst & Young, on the question of auditors' responsibility, in 1996, the finding was:

"Over seven out of ten of the respondents believed that auditors should have the responsibility to detect substantial fraud. Of these eight out of ten believe that this should be part of their normal audit and not by special one-off reviews."

The main theme of the last (XVI) INCOSAI, at Montevideo, in 1998, was "The role of SAI's in Preventing and Detecting Fraud and Corruption". Yet, on the basis of responses received from individual SAI's to a survey conducted in preparation for the Congress, it emerged that:

"SAI's generally agree that the primary responsibility for the prevention of corruption rests with the administrative authorities, the police and other investigative institutions, and cannot be counted among the main tasks of SAI's ".

On this matter however a related finding was that:

"Also most of the SAI's make clear that they see their main goal more in preventing corruption than in the field of actually detecting such illegal activities."

INTOSAI Auditing Standards, adopted by INCOSAI XV at Cairo in 1995, while stipulating standards of 'due care' provide:

"Auditors need to be alert for situations, control weaknesses, inadequacies in record keeping, errors and unusual transactions or results which could be indicative of fraud, improper or unlawful expenditure, unauthorised operations, waste, inefficiency or lack of probity." (General Standards, Chapter II, para 90).

We are faced with the inescapable conclusion that there is a difference between what is expected of auditors and what auditors acknowledge as being their role in relation to fraud and corruption, the so called 'expectation gap'. In the Indian context, discussions with members of Parliament, the Press and even civil servants in the executive arm of Government show the existence of such an expectation gap. Even though no formal survey on this aspect has been carried out, it may be advisable to address the issue with a view to identifying, and to the extent possible, defining our positions on the several issues that are involved. It is in this context that the we need to view the adoption and use of Forensic Auditing.

Applications of Forensic Audit

An obvious example of forensic auditing is the investigation of a fraud or presumptive fraud with a view to gathering evidence that could be presented in a court of law. However, there is an increasing use of auditing skills to prevent fraud by identifying and rectifying situations which could lead to frauds being perpetrated (i.e. risks). It might be useful, therefore, to discuss forensic auditing as being either ’Reactive’ or ‘Proactive ‘.

Proactive forensic auditing

Forensic auditing in this sense could be viewed from different aspects depending on its application, some of which are discussed below:

Statutory Audit

INTOSAI auditing standards prescribe that internal controls should be studied and evaluated in respect of safeguarding assets and resources when performing regularity and financial audits, and in respect of assisting management in complying with laws and regulations when performing compliance audits.

(Field Standards, Chapter III, para 142)

Forensic audit methodologies can be used to obtain a more detailed understanding of the entity and its activities to identify areas of risk both in determining the direction of the audit and in expressing an opinion.

Regulatory Compliance

Government Departments/Agencies could themselves use the techniques of Forensic auditing to assess compliance with regulations governing payments of grants /subsidies. Performance auditors could also use these techniques while auditing such governmental programs. To a large extent we in SAI India have applied such techniques in some of our major audits of large government programs such as ‘ Integrated Child Development Scheme’, Public Distribution Scheme (for foodgrains), to Customs duty drawbacks and export subsidies.

Diagnostic Tool

Forensic auditing can be used either by management or by auditors to carry out general reviews of activities to highlight risks arising either out of fraud or from any other source with the purpose of initiating focussed reviews of particular areas, targeting specific threats to the organisation.

Investigation of allegations

Complaints, allegations in the Press or in Parliament, anonymous tips from employees or others could all in their separate ways require to be adequately addressed by investigation. The techniques of forensic auditing are useful in such cases. This is being cited as proactive because it is widely felt that the existence of a system of investigation in such cases is a significant deterrent to fraud and corruption.

Reactive Forensic Auditing

The objective in case of reactive forensic audit is to investigate cases of suspected fraud so as to prove or disprove the suspicions, and if the suspicions are proven, to identify the persons involved, support the findings by evidence and to present the evidence in an acceptable format in any subsequent disciplinary or criminal proceedings.

In such cases it is important to keep in view the following:

Issues for consideration

Our audits are carried out and reported within a framework which assumes that the top echelons of management both at the political and civil service levels are responsive to the need for good governance and accountability, and therefore would act upon the audit findings which indicate that there was cause for concern in the adequacy and implementation of internal controls, and inevitably institute enquiries into instances indicative of mala fide action on the part of officials. In consequence our role has been limited to conducting audits on certain percentages of sampling applied in an uniform manner across departments, with only isolated examples of focused audit reviews conducted by SAI India as in the case of Value Based Advance Licensing Scheme (for import of raw materials by exporters) or Voluntary Disclosure of Income Scheme (for income tax defaulters).In both cases however, as also as in the Animal Husbandry case of the Govt. Of Bihar, it was established that there were clear indications of mala fide at senior levels of government and hence far from the inititiation of any systematic enquiries into audit findings, attempts were to debunk the findings presented in the audit report.

The position of SAI India is that audit against criteria of probity and compliance in themselves throw up instances of administrative actions that are not in conformity with prescribed standards, and that without the mandate to seek third party evidence, either oral or documentary, it is not possible to prove criminal mala fide. Excepting for a very few SAI’s, it is also the case in almost all other countries that there are other agencies responsible for investigating fraud and corruption. Our focus therefore could be more upon planning and executing our audits with much greater emphasis on forensic auditing and reporting such findings in a manner that places the onus for further investigation very clearly on the executive.

Some of the areas that could be considered are:

Our audits could be planned to cover only a selected sample of offices based on an analytical review of accounts and results of past audits instead of a blanket coverage of all spending offices.

Unless otherwise stipulated, audit should concentrate on regularity, probity and compliance issues. Performance related issues could be dealt with in specific performance reviews. The role of the controlling officer, the head of department and the administrative secretary of the concerned ministry in financial administration are usually specified in the financial codes, manuals, rules and orders of government. Their actual discharge of such prescribed duties could be examined and the implementation of prescribed controls evaluated.

Significant failures in the application of prescribed controls and dereliction of administrative duties particularly in the areas of monitoring and stock verification at all levels, and the implications involved, could be clearly brought out in a specific chapter of our Reports.

The rules for requisitioning records by the investigative agencies should be clearly understood by the staff and middle level management in our offices as well as in those of the investigative agencies. These issues could be addressed by joint seminars and inviting speakers to respective training institutions. The need for a set of orders laying down the prescribed procedures in an easily comprehensible manner, and circulating these widely could be considered.

There is a need to provide clear and binding instructions about the manner in which audit staff are required to provide information to the investigative agencies. Faced with the possibility of being questioned in a manner akin to that employed for suspects, audit staff may resent, and hence avoid, being involved in criminal proceedings. While the possibility of auditors conniving in fraud has to be kept in view, it is necessary to ensure that unless there is prima facie evidence to this effect, the auditor must be a part of the investigative team.

The advent of large scale use of computers in processing not only accounting information but also several other transactions with direct financial implications poses a challenge to forensic auditing because large volumes are processed in a short time. Connectivity through internet, WAN or EDI allows dispersed data input, processing and storage. The proliferation of platforms and software makes it possible to perpetrate frauds in new ways. A thorough knowledge of IT and the engagement of highly skilled professionals is therefore essential if Forensic auditing is to have any meaning. Apart from this the cyber laws are very new and there is, as yet, no clear case law on various matters, this is all the more reason to insist upon great clarity in understanding IT based operations and the evaluation of risks involved. At the same time the ease with which data can be sorted, analysed and compared makes it much easier to identify suspect transactions either singly or as a group of similar or related ones, thus greatly facilitating forensic auditing. The availability of archived data and the ease of access also could assist forensic auditing. Data matching and data mining techniques offer excellent opportunities.

It is necessary to provide formal instruction in fraud awareness, investigation and reporting. The planning of overall audit coverage and individual audits on the basis of risk analyses carried in accordance with existing global ‘best practice’ could be included in the curriculum for all management levels. Arguably, forensic auditing without a thorough knowledge of IT as outlined above would be meaningless, and this would have to be borne in mind while devising curricula.

Conclusion

There is no gainsaying the fact that our audits as currently executed and reported do bring out in a wealth of detail, instances of individual or systematic fraud and corruption. There is, however, a need to provide a comprehensive framework involving the use of Forensic auditing methodology, particularly in the areas of audit planning and execution, and for a uniform reporting practice that would very explicitly spell out the implications of control failures including failure of senior management in implementing prescribed controls.

This could over a period of time assuage public concern about the existence of systematic audit operations addressed specifically to unearth fraud and corruption.