Global and Indian organizations have been under intense regulatory scrutiny on account of potential lapses in compliance or corporate governance, and an influx of fraud, bribery and corruption cases. Enforcement action has stepped with regulators such the US Department of Justice (DOJ) and Securities and Exchange Commission (SEC), UK’s Serious Fraud Office and Financial Services Authority, European Anti-Fraud Office and the Securities and Exchange Board of India (SEBI) taking the lead through prosecutions and fines. EY’s 15th Global Fraud Survey found that despite regulators and law enforcement agencies around the world imposing more than US$11b of financial penalties since 2012, 38% of global executives still believe bribery and corrupt practices remain prevalent in business.
Enhancing disclosure levels in India
Over the last one year, SEBI has taken a number of steps to enhance transparency, protect shareholder interests, address corporate governance gaps, non-disclosure and other concerns in listed companies. Some of these include tighter insider trading norms, bifurcation of Chairman and CEO/MD roles, greater scrutiny of financial statements as well as cracking the whip on shell companies and delisting errant companies.
According to India’s Companies (Amendment) Act 2015, auditors (statutory, cost accountants or branch auditors) of an organization have to flag an (actual or alleged) incident of fraud perpetrated by its officers or employee to either the audit committee or board or the central government (if the value of fraud is INR one crore and above). If a fraud has really occurred, the details need to be listed in the board’s report with the description, amount, people involved and remedial action taken.
As per Schedule IV to Companies Act, 2013, independent directors need to report concerns about misconduct, unethical behaviour, fraud or non-compliance with the organization’s code of conduct or code of ethics.
The revised clause 49 of the Listing Agreement mandates the audit committee to review the findings of any investigation conducted by internal auditors wherein the fraud or misappropriation is of “material nature” and subsequently report it to the board.
The impact of fraud in listed companies can have far reaching consequences. News reports show that close to one third of the Nifty companies received over 3500 whistle-blowing complaints last year, a rise from the year before which stood at about 3100 complaints. While this does give an overall sense of awareness and vigilance in corporate India, the fraud reporting pattern and transparency in disclosure needs to enhance as it is not really commensurate with these numbers.
EY Forensic conducted an analysis of 26 listed companies that have disclosed cases of fraud or unethical conduct. Key observations include:
- Employee fraud continues to be the major risk reported by organizations. Some of the common types included misappropriation of the organization’s funds, embezzlement of assets and cash, and collusion with third parties or vendors.
- Disclosures were made by organizations across multiple sectors but incidents from the banking and financial services (BFS) sector were prominent. Regulators have taken note of the continued turmoil in the BFS space – the Reserve Bank of India has mandated reporting of fraud cases between INR 25 to 50 crores to the Central Bureau of Investigation’s Banking Security and Fraud Cell. The Central Vigilance Commission has directed CBI’s Anti-Corruption Branch handle (with evident staff involvement) cases and the Economic Offences Wing (employee involvement not evident) wherein the reported fraud is between INR 3 to 25 crores.
- In a majority of cases, fraud, malpractice or unethical behaviour came to light after the organization had either carried out an investigation or someone had blown the whistle
- Many organizations took action against the accused employee which included termination, police complaint, or even criminal or legal action. However, in a majority of cases, the action taken was not specified. This shows that India Inc. is still wary of prosecutions and legal tangles, and would rather just dismiss the perpetrator’s services.
- Loss arising from the fraud ranged from INR 10 million to in some cases, INR 100 million
- In a majority of cases, only a partial amount was recovered and companies made a provision for the same. In a majority of cases, no disclosure was made on the amount of recovery.
- After the fraud was unearthed, many organizations conducted an investigation which was either done by forensic or third party experts, or by the police or law enforcement agencies. However, here too, a majority did not specify the type of investigation that was conducted.
Ethical dilemma for internal auditors
Incidentally, the amended provisions for reporting fraud under Companies Act or under the revised Listing Agreement do not cover the role of internal auditors in reporting frauds.
Internal auditors covered under Section 138 are not specified as persons who are required to report under Section 143(12). Further, Section 143(12) includes only fraud by officers or employees of the company and does not include fraud by third parties such as vendors and customers.
Internal auditors tend to face a dilemma when it comes to reporting incidents of fraud due to lack of clear guidelines as well as incoherent provisions. Some of the questions that may cross their minds include,
- When should they report the fraud and to whom?
- Should they report directly to the audit committee/board or they should report first to the CEO/management?
- Should they report all instances of fraud irrespective of value and nature of fraud? For example, should an expense claim inflated by INR 1000 by an employee be reported?
Instituting a Fraud Risk Management Policy
As a global best practice, companies should draft and adopt a formal Fraud Risk Management Policy. The policy, in addition to capturing the definition of frauds, roles and responsibilities for their prevention, detection and investigation, must also cover the reporting process based on materiality and other considerations. For example, frauds below a certain threshold can be reported to the management, followed by a summary being presented to the audit committee on a quarterly basis. However, if the matter involves a senior management employee then the same is to be reported to the audit committee irrespective of value.
The future of (self) reporting
The global fraud and corruption reporting landscape is relatively much more mature as compared to India. In the last two years, the DOJ announced several programs to encourage self-reporting – the Foreign Corrupt Practices Act (FCPA) Pilot Program and FCPA Corporate Entitlement Policy provide a set of incentives for self-disclosure of violations. Singapore has a number of self reporting regulations and guidance under Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act and the Competition Act.
India Inc. is still evolving with respect to mandatory disclosures to be made to the regulators or exchanges. From a fraud reporting standpoint, there is still tremendous ground to cover before organizations, particularly listed entities turn truly proactive across the industry to report incidents of corporate or individual misconduct. Ethics and transparency are key elements here. It is only after that India Inc. can see the possibility of a shift from mandatory reporting to self-reporting, and augment shareholder, brand and monetary value.