Auditing Auditors: Making Bloodhounds of Watchdogs

New rules are comingto improve auditor independence and hold them accountable for their work. As watchdogs, auditors are required to see all, hear all and tell all, and the capital market regulator wants to make sure they do. Also, the audit profession will no longer be allowed to self-regulate.

Last June, seven audit firms in the USA were fined by accounting regulator Public Company Accounting Oversight Board for preparing statements for brokerage firms and then auditing them. They were barred from taking on new brokerage clients. The audit firms were faulted for breaking already stringent conflict of interest rules.

In some cases, some of the auditors were warned but they chose to carry-on anyway. The regulator there is tough on these matters because conflicts of interest could leave auditors too close to their clients and jeopardize their ability to conduct tough, impartial audits.

Auditors must be independent. Auditors are also supposed to be bloodhounds; when they pick up a suspicious scent they strain on the leash until they find the source of that scent. In Sri Lanka, the audit profession will soon be shaken up. Because of closed-doors self-regulation, the audit profession here have a reputation for being watchdogs who see what they want, hear what they want and bark when they want. The capital market regulator is determined to make bloodhounds out of the lot in a broader exercise to restore credibility and governance in the financial system.

The Securities and Exchange Commission of Sri Lanka (SEC) is introducing new laws governing the country’s audit profession. The commission is yet to decide what these specific laws would be but a few things are certain: the audit profession will no longer be able to regulate itself—monitoring and penalising functions will be entrusted to an external body; and auditors will be required to report instances of corporate non-compliance with accounting standards, regulations and laws uncovered during the course of an audit.

audit-story-image-3The profession is understandably unhappy about this, but the SEC believes they are necessary and forms part of a broader strategy to make the SEC compliant with standards for global regulators set out by the International Organisation for Securities Commissions (IOSCO).

The IOSCO is made up of regulators of 115 countries. Its current board represents the securities watchdogs of Australia, Belgium, Brazil, China, Egypt, France, Germany, Greece, Hong Kong, India, Italy, Japan, Kenya, Korea, Malaysia, Mexico, the Netherlands, Nigeria, Ontario, Pakistan, Peru, Quebec, Saudi Arabia, Singapore, South Africa, Spain, Sweden, Switzerland, Thailand, Trinidad and Tobago, Turkey, United Kingdom and the United States.

Sri Lanka’s SEC wants to join this club. For it to do so, capital market laws and regulations of the country should reflect compliance with IOSCO standards covering the broader capital market and market intermediaries. The SEC wants to benchmark itself with the global trendsetter. The focus on auditors is incidental. “Being IOSCO compliant will give the signal that capital market regulations here are robust and on par with the regulatory changes that have taken place over the years. This will help us give investors the assurance they need on fairness and security of investments. This will help the capital market attract investments to give the market the breadth and the depth it needs,” Vajira Wijegunawardane, Director General of the SEC says.

“We do have our own laws and standards but these have never been reviewed. IOSCO standards have evolved as a result of the many financial crises that have taken place globally over the years where even auditors have played a role in these crises,” he says.

According to IOSCO, audit firm-on-firm peer reviews under self-regulation has failed and countries have responded by passing new laws to create auditor oversight bodies independent of the accounting profession, with strengthened powers for rulemaking, inspection and disciplinary authority.

Wijegunawardane says Sri Lanka’s self-regulation of auditors is proving to be ineffectual because the monitoring and penalising, if they do, take place behind closed doors.

Because of closed-doors self regulation, the audit profession here has a reputation for being watchdogs who see what they want, hear what they want and bark when they want

In ancient Greece lots were drawn to appoint 10 Logistae from among the people to a board of control of state finances. Judges, military leaders, ambassadors, priests and anyone entrusted with public funds were audited by the Logistae. They were assisted by Euthuni, who did the actual investigations and reported to the Logistae.

Fraud, corruption and negligence relating to the management of state finances in the ancient Greek states had different penalties: ten times the amount discovered to be stolen, ten times the amount of the bribe, and nine months to pay back losses arisen due to negligence, failing which the penalty was doubled.

The word auditor is derived from the latin word to ‘hear’ and the term was first used to identify the person whose role it was to uncover fraud and ensure state revenue and expenditure were accounted for when Britain’s Henry I (1100-1135) instituted the Exchequer, or treasury.

The audit profession has evolved over the centuries but the spate of corporate fraud and financial crises over the last three decades brought rapid changes to auditor responsibilities and liabilities, subjecting them to complex and stringent regulations and laws.

Worldwide, key laws such as the Sarbanes-Oxley Act of the US and Ramsay report of Australia, have increasingly implicated auditors in several ways as noted by accounting and auditing professor Phelomena Leung:“(i) The role of auditors is expected  to converge: refocusing on the public interest, redefining audit relationship, ensuring integrity of financial reports, separation of non-audit function and other advisory services; (ii) The audit methods revert to basics i.e. risk attention, fraud awareness, objectivity and independence, and (iii) increase attention on the needs of financial statement users”.

IOSCO, whose standards the SEC wants to follow, in response developed three principles governing auditors: auditors must be independent and seem to be so. The second is that auditors must be reviewed by an external oversight body that is independent of the profession. The third is that disciplinary matters must be handled by this oversight body and not the professional body. The auditing and accounting profession is self-regulated by the Institute of Chartered Accountants of Sri Lanka (CA Sri Lanka), which was set up by an Act of Parliament in 1959. It sets out the standards that apply to how financial reports are prepared and presented and provides professional qualifications and training on applying these standards. The institute also exercises oversight over the professional conduct of its members, establishing governance and ethical codes with powers to investigate and penalise.

audit-story-imageThe Institute has over the years, benchmarked itself against some of the best in its field. It hosted the International Federation of Accountants (IFAC) global conference in Colombo. The institute holds the presidencies of the South Asia Federation of Accountants and Confederation of Asia and Pacific Accountants. But the problem is that the institute’s oversight mechanisms are non-transparent. As a result its critics, even from within the profession, accuse the institute of being an old boys club.

The SEC Director General Wijegunawardane says the self-governing powers of CA Sri Lanka will be taken away from them when the new rules are finalised and passed in Parliament as amendments to the SEC Act by the end of 2016. The power to monitor and discipline auditors will be given over to the Sri Lanka Accounting and Auditing Standards Monitoring Board (SLAASMB).

SLAASMB is a government body reporting to the Ministry of Finance and reviews audits of large public and private companies dealing with public funds or deemed strategically important to the economy and are too big to fail.

In a 2014 report seen by Echelon, SLAASMB found several lapses in 100 audits carried out by 40 firms. Four international audit firms carried out 44 of these audits and the 37 local audit firms carried out the balance 56. SLAASMB discovered deficiencies in 68 of these audits. Twenty seven audits could not support the audit opinions that were given. The board does some good work, but here again outcomes of investigations are not made public. Wijegunawardane says even the SLAASMB is ineffectual, failing to take action against errant or negligent auditors “because its governing board is dominated by members of CA Sri Lanka”. The SEC, which like SLAASMB, reports to the Ministry of Finance and has a seat on the SLAASMB board wants to change the laws giving it powers to appoint directors to the board. This is because IOSCO standards require the establishment of an oversight body independent of the audit profession.

South Africa and India are some of the countries that have set up external audit regulatory bodies outside of the profession and setting limits on the number of chartered accountants sitting on these boards.

According to IOSCO standards, auditors are also required to notify and report any non-compliance with laws and regulations they may come across during an audit to the regulators. The SEC wants to bring this whistleblowing function to the new laws it proposes to bring.

Arjuna Herath, the President of CA Sri Lanka, and a Partner at Ernest and Young Sri Lanka, says the institute does monitor and discipline auditors when and where necessary. “We have not made any of these public because that is how it has always been. But we are looking at changing this. As a start, we give the number of inquiries CA Sri Lanka had taken up and concluded in our quarterly journal, The Abacus. In future we will make the inquiries and their outcomes public. This is the direction in which we want to go because the credibility of the profession must be restored”.

Auditors are required to go into an audit with a sceptical frame of mind, asking questions from managers and employees, and prodding and probing for information both inside and outside the company

The SEC’s apparent focus on auditors is causing the profession some distress and creating an expectations gap. “This will undermine the reputation and credibility of the entire profession. This expectation deficit will lend to a trust deficit and would undermine the entire financial system,” CA Sri Lanka President Herath says.

He argues that the audit profession does not need new laws, but that the regulators must enforce existing laws and regulations instead.

SEC’s Director General Wijegunawardane says the SEC has a voluntary code for auditors to follow. “The problem with a voluntary code is it is easily ignored, so we want to bring in laws. There was a time the SEC was not doing anything about market manipulations, but now there is a will to change and bring credibility to the capital market. Reforms will start with us, but all market intermediaries will also be held accountable for the work they do. If an auditor issues an audit report, then we would expect that report to be accurate, not just an opinion”.

Auditors have always stood by the dictum that theirs was the task to give an opinion on whether or not a company’s financial statements gave a true and fair view and were only answerable to shareholders. But through the decades, several court cases in England had questioned this notion.

Laws established by English courts, called case law, are important for Sri Lanka because its commercial laws are based on English case law: what English judges rule in England can be applied to Sri Lanka. In several of these cases, auditor liability has been extended not only to the shareholder, but to anyone else who depends on the financial reports of a company. Auditors are required to go into an audit with a sceptical frame of mind, asking questions from managers and employees and prodding and probing for information both inside and outside the company. Auditors are required to probe deep. One English judge ruled that auditors were not watchdogs, as auditors thought of themselves, but are required to play the role of bloodhound, actively going after the wrong doers and getting to the bottom of fraud and corruption. Some recent cases involving auditors give a glimpse of the high standards expected of them in some countries.

An audit firm in the US, Arthur Anderson LLP was fined $7 million for not detecting overstated earnings of a company for several years. Another audit firm Price Waterhouse Coopers was fined $25 million for altering its report to please a client. Another firm, BDO was fined $1.5 million for issuing false and misleading unqualified audit reports. Deloitte was fined US$ 1 million for violating audit independence rules. Ernst and Young was fined US$2 million for not detecting a mistake in the accounts of a client it had served for 20 years. The
accounts were corrected but the auditors were held responsible for failing to approach the audit with a “sufficient level of professional scepticism”.

In England, Price Waterhouse Coopers was fined GBP1.4 million for failing to discover that billions of dollars had not been ring-fenced properlyat a bank. Ernst and Young was fined GBP1.2 million for falling short of professional standards after a company it was auditing went belly up. In Malaysia, an auditor was fined and imprisoned after a listed company he was auditing was found to be overstating profits. In Sri Lanka, we hardly ever hear of such cases.

“If auditors are not being sued and taken to task, it is not because we don’t have laws and regulations, but because our market has not progressed to this level,” CA Sri Lanka President Herath says. Sri Lanka has had its fair share of financial scandal: from outright fraud to mismanagement. Rarely have auditors been taken to task by the regulators, or questioned in courts about their having qualified that the accounts gave a true and fair view. There is a broader governance issue that needs to be addressed.

Public interest litigation activist Nihal Sri Ameresekere has seen it all. For decades, the trained accountant and auditor, has taken up major privatisation deals to courts over financial irregularities. He was a former chairman of the Public Enterprises Reform Committee and is currently the country representative for the International Association of Anti-corruption Authorities which was formed to support the United Nations Conventions Against Corruption. He has written 12 books documenting fraud and corruption in Sri Lanka.

“In my experience, politicians, bureaucrats, accountants, auditors, businessmen, professional bodies and lawyers have colluded to perpetrate fraud and corruption and impede justice. I am not afraid to say this, even judges are culpable. I have lost faith in the judiciary. Colombo is a big club and everyone who is anybody is in this club. This is the reality,” Ameresekere told Echelon.

In 2009, the Supreme Court overturned a deal where a state-run insurance company, Sri Lanka Insurance Corporation, had been sold to a private company for a deflated price, Rs6 billion. This is one of the several privatisation deals Ameresekere had challenged in courts. He says the CA Sri Lanka was notified of the role auditors in this case as far back as 2005, and the institute should have carried out its inquiry then.

The court had ruled that the transaction was illegal and that the auditors Price Waterhouse Coopers (PWC) and Ernst and Young (local firms of two of the four audit global audit giants, the other two being KPMG and Deloitte) had shown professional negligence and conflict of interest. A partner of PWC had been in the privatisation steering committee, which then hired PWC to conduct the deal. Ernst and Young was faulted for restating the accounts without disclosing it.

Since then, Ameresekere has been writing to CA Sri Lanka, the self regulatory body of the audit profession, to inquire about the outcome of its own inquiry into the conduct of the auditors. Six years, later, Ameresekere is still asking what CA Sri Lanka is up to. “I used to be angry that no inquiry was held and no one was taken to task, but now I am amused. Nothing will happen. They (CA Sri Lanka) are an old boys club,” he says.

CA Sri Lanka’s President Herath agrees the inquiry was held-up because various related court hearings were still being held. It is believed that one of the audit firms had sought a court order preventing the institute from carrying out the audit. “A member of the inquiring committee at the institute even told me he was intimidated and received death threats,” Ameresekere says.

“But we have re-started the inquiry and soon a judgement will be given on the professional conduct of these auditors. But it will not be made public, we are looking at changing our disclosure policy and in future we will do so because it is important to rebuild credibility,” he says.

Ameresekere believes auditors are not probing deep enough and that professional standards are low.

He says the auditors heading PWC and Ernst and Young were members of a close group of friends which met for an annual Christmas dinner. This group included Harry Jayawardena, Chairman of listed conglomerates Aitken Spence and Distilleries Company of Sri Lanka. Through these and other companies, Jayawardena holds controlling interests in a bank and insurance company. SLIC had been privatised to a company incorporated overseas by Jayawardena.

“This is why I said there is a club mentality,” Ameresekere says.

IOSCO standards on auditors require that the auditors be free from any influence or relationships with the entity that has been audited so that there is no impairment in their judgment and objectivity

Auditors earning high fees from additional services provided to a company may be inclined to give favourable audit reports. Or auditors sitting on a director board of company may be auditing the books of a rival company. To tackle these problems, regulators started drafting rules on conflict of interest to ensure auditors remained independent and not beholden to the companies they audit.

Gauging the prevalence of conflict of interest is not easy, but good governance activist Chandra Jayaratne says he is disturbed by what he sees. A former Chairman of the 170-year old Ceylon Chamber of Commerce, Jayaratne served on the boards of several public listed companies. He is an outspoken critic of the country’s public and private sector governance.

He has analysed the books and internal control structures at many banks and public companies and says governance structures are weak and auditors are prone to be short off the mark of what is expected of them. Rules around auditor independence and preventing conflict of interest are weakly enforced. Jayaratne says auditors are openly flouting conflict-of-interest laws with impunity. “There are many audit firms that provide other secretarial, consultancy or payroll services to the very companies they audit. This is in violation of conflict of interest rules and CA Sri Lanka has not done anything to stop this,” he charges.

He also says auditors sit in director boards while their firms audit the books of rival firms. “This is happening in banks. While audit firms are supposed to create Chinese walls to separate the two, who is monitoring them?” He also claims that auditors are not disclosing these relationships nor the fees they are earning apart from the audit fees. Jayaratne also claims some audit firms had prepared the prospectuses for shares and debenture issues. “While providing an assurance about solvency of a company they also prepare the marketing document, which is the prospectus”.

Companies appoint audit committees comprising members of the director board to set and monitor internal controls. They interact with the auditors to ensure auditors receive all the information they need. Jayaratne claims he knows of instances where the audit committees have asked to auditors to tone down their audit reports. He has also seen auditors issue the final audit report without completing the entire process.

Echelon could not verify any of these claims, but SEC Director General Wijegunawardane says the new laws are designed not only to prevent auditor conflict of interest, but “they will be seen to be independent, there will be clear prohibitions”.

IOSCO standards on auditors require that the auditors be free from any influence or relationships with the entity that has been audited so that there is no impairment in their judgment and objectivity. “Having professional standards governed by self-regulation has proved to be ineffective. We need specific provisions in the legal framework, for example preventing auditors from providing any consultancy services to companies they are auditing. Sometime auditors earn more from these services and consultancies than from audits, so there is room for conflict of interest,”Wijegunawardane says.

audit-story-image-2It will be wrong to assume that the new laws the SEC are formulating are a result of widespread bad auditing practices and poor self-regulation. In the absence of a transparent monitoring and disciplinary mechanism in CA Sri Lanka, the credibility of its self-regulatory role will always be questioned, as would the regulators for not enforcing laws and regulations.

“We want to restore the credibility of the country’s financial system, particularly the capital market, and this is why we want to adopt the IOSCO standards. Auditors are just one part of this. People will always argue that Sri Lanka already has laws or that the market here is not developed enough to adopt global regulatory standards, but we tell them that there is always room for improvement,” Wijegunawardane says.

Auditors play an important role upholding the credibility of the financial system, so improving standards and oversight can only help. But the regulators, the SEC and Central Bank, have been lax in enforcement and caught napping in the past. Restoring credibility and integrity must start in their great halls.