What SEBI’s new forensic audit rules mean

In a press release dated September 29, 2020 (PR No. 52/2020), market regulator Securities and Exchange Board of India (SEBI) shared some of the decisions taken at its board meeting. One of these decisions, item no. VI, was about mandatory disclosures of forensic audit and other fact-finding initiatives undertaken by listed entities (irrespective of the materiality involved or company size). Details including the name of the entity initiating the activity and the reasons would need to be disclosed alongside the final forensic audit report (listing findings and any management comments). Forensic audits initiated by regulatory authorities and enforcement agencies may be exempt from the disclosure requirement. Although the SEBI’s intention behind seeking these disclosures is to address the gaps in availability of information on forensic audits of listed entities, organisations may see these requirements as onerous and damaging to their reputation.

Historically, forensic audit and other fact-finding exercises have been undertaken by Indian organisations involving matters of all sizes, irrespective of materiality. However, disclosures were only made when the suspected amounts were material to a company’s operations. For instance, the Ministry of Company Affairs in 2015, prescribed a threshold of ₹1 crore (as the estimated fraud value) for the case to be reported to the central government. In contrast, the current mandate may discourage companies to initiate forensic audits of small matters (such as employee expense reimbursement fraud), fearing adverse publicity and market sentiments.

However, the SEBI mandate can provide an impetus to Indian organisations to focus on investing in fraud prevention mechanisms to detect red flags early on. This, in turn, can reduce the need for undertaking a full-fledged forensic audit and consequently limit disclosure obligations. Some considerations to effectively strengthen fraud prevention frameworks are listed below:

1. Review anti-fraud policies: These policies are usually included as part of the Code of Conduct, the Gifts and Entertainment policy, and the Anti-Bribery and Corruption policy. Depending on business nature, these policies need to be detailed in order to cover emerging avenues for fraud and outline the protocol to report suspicions.

2. Strengthen anti-fraud controls through periodic evaluation and strategic investments: In our view, most organisations tend to review their anti-fraud controls once a year. Given the current volatility in the business landscape, these controls need to be reviewed more frequently to identify red flags and take corrective actions, if required. To effectively detect red flags, organisations must invest in technology that can enable forensic data analysis at a transactional level. Further, adequate due diligence must be undertaken while dealing with third parties. Given the constraints posed on supply chains in current times, efficient and effective controls must be put in place to validate vendors and business partners.

3. Build an effective whistle-blowing mechanism: Globally, most frauds are detected through whistle-blower complaints. The Companies Act, 2013 mandates organisations of a certain size to have a whistle-blowing mechanism in place. However, in our experience, such a mechanism tends to be approached with a tick-in-the box mentality and its effectiveness can be questionable. In our view, the SEBI mandate provides an opportunity for organisations to make their whistle-blower mechanisms effective. This can be done by providing multiple channels to report concerns, allowing for anonymous complaints from employees and third parties, and ensuring confidentiality around complaints received and addressed. Further, companies can consider complaints received and document the rationale for not initiating an investigation, thereby, complying with the disclosure obligation.

4. Conduct regular awareness programmes on fraud and its impact: Employees are often the first line of defence against fraud in any organisation. Yet in our experience, most employees lack the awareness to recognise the signs of fraud or understand the implications of indulging in malpractice. To change this, organisations need to undertake regular awareness sessions on key fraud schemes, and reiterate employees’ obligation in identifying and reporting suspicions.

5. Fortify the response to fraud: Historically, companies have shied away from reporting or disclosing their responses to fraudulent incidents because of the fear of negative publicity and loss of reputation. The absence of comprehensive guidelines around reporting fraud has further contributed to this sentiment. In our experience, responding to fraud, including disclosures, can provide organisations an opportunity to effectively present their side of the story and minimise the reputational damage. Organisations may consider preparing a qualitative report detailing the fraud’s impact, its detection mechanism, and the corrective action taken to prevent future incidents. Such a report can provide a holistic picture of the fraud risk management efforts, limit any reputational damage, and stand up to adverse scrutiny.

We believe that the SEBI mandate needs to be seen as a measure to build confidence amongst organisations. This can help them understand fraud patterns and identify vulnerabilities in key business functions. Globally, similar mandates have pushed organisations towards adopting mature fraud risk management practices. These include disclosures pertaining to the US Sarbanes-Oxley Act of 2002, The US Bank Secrecy Act of 1970, and the Anti-Kickback Enforcement Act of 1986. By mandating forensic audit disclosures, the SEBI is pushing for greater accountability from listed entities and a demonstration of mature fraud risk management practices.

Views are personal. Bedi (left) is partner and leader–Forensic, Financial Advisory, Deloitte India; Goel is partner, Financial Advisory, Deloitte India.