Archive for the ‘Internal Controls’ Category

Satyam – where was audit?

In Audit, Finance, Internal Controls on January 8, 2009 at 2:13 am

Ho Ho Ho! Madoff in December-2008 and just after we get past Christmas and New Year, we have Satyam Computers, the Indian #4 software company overstating profits and I repeat my humble question – where was audit?

In a company of that size there should be a decent presence of Internal Audit. Even if they were a non-existent entity, they still had their external auditors PricewaterhouseCoopers (PWC). What is their explanation for the mess at Satyam? Rs.5000+ Crores is in audit terms “material” enough to catch the eye of any decent auditor. I can’t wait to hear a decent explanation from PWC of how and why they missed such a big padding of numbers.

What does Satyam’s CFO have to say to this? Does he think he is responsible?

The regulators and shareholders should take an in-depth look into this and bring the management and the external auditors of the firm to justice.

PS:  For those wondering what is audit and why I am talking about it, read about the different types of auditors and their roles here.


What the hell is audit?

In Audit, Finance, Internal Controls on January 8, 2009 at 1:47 am

Most people would like to think of Audit as a bunch of freaks sitting in a corner room and having a pesssimistic view of the world. Nice description, thank you. Your’s truly is also an auditor and guess what I could not disagree with you more, ‘cos I think I am a cool auditor :-), and that’s why I am blogging about audit!

Let me give you an analogy and explain audit through that:

Audit is a control function whose responsibility is to ensure that issues and problems in a company are addressed appropriately keeping the best interests of the shareholders and keeping in line with the law.

Think of audit like having a personal navigator in your car that keeps talking (giving feedback) all time and tells you if you are going in the right direction, are you running too fast or too slow, eggs to stop at the traffic lights so that the traffic cop (analogous to regulators) won’t catch for breaking the law, make the right turns so you get to the destination correctly etc. So, the audit function is effectively a friend of the company’s management.

Like the traffic regulations and police are there to ensure that you drive carefully so that you are safe and so are the other drivers, pedestrians, so also do audit keep the interest of the shareholders, board of directors, employees etc.

Simply put, Audit is a function that provides the shareholders and management comfort that the company is running in a controlled manner. And that the CEO or other people under him are not doing crazy things to boost their earnings, or people are not skipping steps only to be exposing the firm to regulators (like SEC, FSA, MAS etc.).

Sophisticated investors, if not the retail investors, should be well versed in the role of audit before making an investment. This goes both for Public and Private companies, as well as for all categories of “investors”. Speculators on the other hand do not care about the internal controls or reliability of numbers before they invest. They mostly operate based on short-term events, market sentiments and other opportunities to make a quick buck. So, we will leave speculators and day traders out of this conversation.

I would like to briefly describe auditing entity types and their roles so after this you should feel like a PhD when some body asks you next time “What the hell is audit?”.

There are 3 types of auditing entities for a properly organized industry like a Securities firm.

  1. Internal Audit – they are paid for by the firm, but in theory report to the Audit Committee, which reports to the CEO and the Board of Directors. Since the Board of Directors represent the interest of the shareholder, the Internal Audit should in essence be quite independent of the business management namely the CEO and his reporting lines. As a result they should be independent enough to report and escalate issues that could be sensitive and impact the business management’s reputation, pay check or any such factors.
  2. External Audit – They are also called the accounting firms, because most of  the time they look at and certify the numbers of the firm. (Numbers meaning, the Balance Sheet, Cash Flow Statement and the Income Statement). The external audit company like (PWC, KPMG, Deloitte or Ernst & Young) reviews a company’s numbers, but they cannot do that until they review the internal controls of the firm that make the numbers happen. They give an opinion of which generally takes the form “We did not find any major issues that are relevant to the financial statements of the firm”. Wording that is definitive but yet vague, but one that is accepted by the Securities and Exchange Commission (SEC) and other regulators.
  3. Regulators – The regulators are SEC in the USA, Financial Services Agency (FSA) in UK and similar other countries. They are the overall body that “regulates” the financial industry and the listed or unlisted companies.

How they all come together in the normal course of operations?

Business management is responsible to run the daily operation of a company. From time to time, Internal Audit reviews certain  internal controls and processes of the firm, and issues “Audit reports” to the company’s management when certain controls are in the firm are not up to the mark, or failure in performing in certain functions could be detrimental to the cause of the company, the shareholders, potential violation of laws etc.,.

The External audit has to review the financial statements of the company before the same can be presented to the regulators or public as official numbers. This is also major step for acheiving Sarbannes Oxley section 404 (SOX 404) compliance on a yearly basis.

The Regulators check on a company’s controls on a cyclical basis and can review the company from front-to-back, review the functions of the audit department and also review the audit reports.

The work of external audit firms gets reviewed by a industry regulatory body like the Public Company Accounting Oversight Board (PCAOB) for adherence to set of guidelines. Such a quality check ensures that external audit firms who get paid by a company’s management (on behalf of the board of directors) to certify its financial statement does not unfairly certify the financial statements to the detriment of the share holders.

So there is a check, on a check, on a check, like a pyramid, where the company management is at the bottom and the Government (the regulators) is at the peak. The multiple levels of checks are designed to mitigate the risk of something like Enron blowing up in our faces.

Well, I still end the primer on audit here and add more if there are any questions or comments. So, the floor open to you.

Madoff – where was audit?

In Audit, Finance, Internal Controls on December 16, 2008 at 6:45 am

First of all, for those wondering about my name – I am Madhav. Not Madoff ! Some might find the pronounciation similar, but I am different guy!!!! Now that’s off my chest and  I feel better 🙂 

The first and the foremost thing I always ask when something big goes wrong about a company is- “Where was audit?”.

Definition and roles of audit – easy read for the layman.

I am not going to conjecture what happened, as it is a only evolving story. But in a nut shell, the hedge fund is a poorly regulated industry. Much of that could probably be attributed to the fact that most of the people or companies handing in their(?) cash did not think twice about the role of audit before dropping the cash on the table. They probably assumed that Madoff’s name and reputation was enough to convince them and their investors of the wise decision they had made.

Boring as it is to most people, audit should be seen as a key and critical part of investing. I am not going to waste my breath arguing that the hedge funds should be regulated…forgive me for being blunt, but without proper regulation one could equate hedge funds to a Swiss bank, giving you much a higher rate of interest right in the heart of the US.

Audit is the heart and soul of controls in a well organized company. The internal audit would have the mandate and the power to identify issues before they can happen, when they happen, or after they happen, report it to the management so that appropriate actions can be taken to prevent them from recurring. Do hedge funds have internal audit department? Did Madoff’s security firm have an internal audit department?

All securities firms registered with the SEC have financial statements that are certified by external auditors. Do hedge have financial statements that should be certified by external auditors? When Enron went down, they took Arthur Anderson, their external auditing firm, down with them. That is a deterrent to the external auditors from colluding with the management.

Do hedge funds have to adhere to the SOX 404 standard? By putting their name against the SOX 404 document, the management of the company (CEO, CFO and COO) would certify that the financial statements were accurate as far as they knew, and if the regulators proved otherwise, they might find themselves in a dark prison. So, they would stand to loose a lot and so would be (at least to some extent) deterred from wrong-doing.

Does SEC regulate and audit the hedge fund industry? No? Well, then who does? Do you think if they have sums like $50 billion invested in them, they should be regulated? Should there be a baseline amount after which some mandatory controls apply irrespective of the industry?

Normally when a “transaction” like a substantial investment is to be made by a big firm (like investment bank, retail bank), there typically will be a committee which has to approve such an invesment. Additionally these committee participants will include key management personnel and also senior representatives from Internal Audit, Compliance and Legal. Did the companies now reporting an exposure to Madoff, have such internal committees that reviewed an approved the investment risks before the cheque was signed?

In conclusion, audit is a critical component of controls in a well managed company. An absence of the same in a industry of this nature (like hedge funds) with billions invested in it, raises the question, why does not the Government want this industry to be regulated? Will the investors who have burnt their fingers now push for regulations in the hedge fund sector? Or, the rich and mighty investors have their way and shrug this off as a bad judgement and continue to invest in other hedge funds as long as their investment grow unquestioned?

Disclaimer: The author is an auditor by profession and values his role in the company and also the society.