Forensic Audits: When full disclosure is not better transparency
SEBI’s decision to amend the SEBI (Listing Obligations and Disclosure Requirements) Regulation 2020 (SEBI LODR) to compel disclosure on forensic audit surprised both companies and investors. The regulation requires companies to disclose, on the stock exchanges, forensic audits at the time of initiation, and file the forensic audit report along with management comments once the audit has been completed.
The requirement for disclosure related to forensic audit or “by whatever name called” allows a wide scope for the definition. This width in definition may have been inserted to stop companies from circumventing the disclosure by renaming the investigation. Even so, it is unclear who will define if the investigation being undertaken is ‘forensic’ in nature. Forensic auditors are unlikely to take on that responsibility and companies will resist to the extent possible to avoid premature disclosure of an investigation. In leaving such wide room in the definition, SEBI has burdened itself with deciding whether an audit is forensic or not, opening a flank for litigation.
The regulation, in its current form, has damaging implications for capital markets – both in the long-term and the short-term. It will likely create a false market and create potential for ‘weaponization’ by short sellers. Investors are likely to make Type 1 and Type 2 errors – smelling smoke where there is no fire, or missing a real fire in the information overload. Short-sellers can can either use the whistle blower mechanism to compel a forensic audit which will likely need to be disclosed, or use the existing disclosures to create a mountain out of a molehill. Public opinion can be swayed, causing reputation damage that may result in lowering of the stock price and distraction for the company’s board and its management.
The announcement at the time of initiation will compromise the forensic audit process and the disclosure requirements will increase litigation risks. Forensic audit reports contain confidential and sensitive information – companies will be exposing employees and the company’s secrets by divulging this information. Supporters of the forensic audit may lose the romance of becoming the next Deep Throat (or Karamchand).
Disclosure of the forensic audit report opens the company to both class-action suits and nuisance suits. Until now, companies put out a summary of findings of forensic investigations on the stock exchange – this allowed the companies to keep the audit report confidential. Doing so allowed action to be taken against errant employees, but protected companies from third-party lawsuits based on the findings of the forensic audit. Once the entire forensic audit report is filed with the stock exchanges, the document loses confidentiality and privilege. As a result, the company and its board can be sued by stakeholders for the findings of the forensic audit report, even though the audit was instituted by the board to find and fix a problem.
All-in-all, the disclosure regulations are likely to make boards reticent in instituting forensic audits. Forensic audits are routinely undertaken by managements themselves to test for the integrity of their systems – this may be a function of internal information or a regular system check. If the company is expected to disclose the initiation of the audit and the entire audit report (once the audit is completed), the boards are likely to pre-empt the outcome and debate intensely before instituting the audit. This is sub-optimal: companies becoming circumspect in implementing self-checks cannot be in the long-term interest of markets.
A month has passed since the regulation has come into effect and there are no disclosures on initiation of forensic audits, save one audit ordered by RBI at Srei Infrastructure Finance Limited. If well-governed companies with strong boards are to continue to do what they do, they are likely spending a considerable amount of time with lawyers drafting engagement letters for forensic auditors to undertake ‘not-forensic audits’ or formulating the narrowest definition of forensic audit, to avoid disclosure upon initiation. This is a waste of time and energy, more so when boards, in wanting to institute forensic audits, are doing the right thing.
The way forward:
SEBI needs to revisit the disclosure requirements on initiation of the forensic audit, since it will compromise the forensic audit process.
SEBI needs to define the term ‘forensic audit (by whatever name called)’. The disclosures should apply only to those audits that are material to investors’ decision making, which by itself will bring in materiality thresholds. Non-financial audits – for example those related to code of conduct violations, or POSH complaints against middle managers – should be left out of the disclosure requirements.
Companies should be allowed to redact confidential and sensitive information from the forensic audit report before filing these with the stock exchanges. Alternatively, SEBI needs to allow boards to file only the summary of findings.
The intent of the regulation is right – there needs to be disclosures around forensic audits. But the current regulations open the market to higher stock price volatility and increases the risks for boards and companies. In the longer run, boards will likely hesitate before instituting a forensic audit. Both these issues are not in the interest of developing India’s capital markets. SEBI needs to publish contours of the disclosure requirements, to reduce chaos and enable better transparency.
To read the blog, please click here