The Reserve Bank of India’s spate of new measures on auditor appointment(1) allude that the RBI is worried about audit quality.
Having taken the flak for a series of bank and NBFC failures, there has been a steady but rising groundswell of opinion questioning the regulatory oversight that the RBI has provided: be it the failures themselves, to how banks undertake their asset quality review and report divergences, or the recent spate of regulatory violations by private sector banks that have raised questions on the strength of their processes and risk management.
The RBI’s concerns are valid, but the new measures are unlikely to improve overall audit quality.
The RBI has focused on two broad aspects of audit quality through these current regulations — strengthening auditor independence and ensuring auditor experience in banking and financial services (see Table 1 below). From an intent perspective, these regulations are in the right direction; and yet they are neither necessary nor sufficient to achieve the desired outcome.
Key Notes (for the entire list of notes, please refer to the RBI guidelines):
- There should be at least one-year continuous association of partners with the firm as on the date of empanelment (for PSBs)/ shortlisting (for other Entities) for considering them as full-time partners. Further, for appointment as statutory auditors of all banks and NBFCs with asset size above Rs. 10 bn, at least two partners of the firm shall have continuous association with the firm for at least 10 years.
- For banks, audit experience shall mean experience of the audit firm as Statutory Central/Branch Auditor of commercial banks (excluding RRBs)/ All-India Financial Institution (AIFI). For UCBs and NBFCs, audit experience shall mean experience of the audit firm as Statutory Central/Branch Auditor of Commercial Banks (excluding RRBs)/ UCBs/NBFCs/ AIFIs. In case of merger and demerger of audit firms, merger effect will be given after 2 years of merger while demerger will be effected immediately for this purpose.
- The auditors for banks and NBFCs with asset size above Rs. 10 bn should preferably have capability and experience in deploying Computer Assisted Audit Tools and Techniques (CAATTs) and Generalized Audit Software (GAS), commensurate with the degree/ complexity of computer environment of the Entities where the accounting and business data reside in order to achieve audit objectives.
Auditor rotation is considered a global best practice: it provides comfort to stakeholders that auditors and managements will not have sufficient time to cosy up to each other. Yet, aligning the tenure for private sector banks and the NBFCs to three years, from the current four-year term and five-year terms respectively is unlikely to enhance auditor objectivity(2). The three-year tenures seen in public sector banks (PSBs) have not instilled investor confidence.
Auditors need time to fully understand a company’s systems, processes, documentation methods, and technology. Because of this, the Companies Act 2013 had set an auditor term for five years — this being the timeline within which the audit experience will bear fruit. The RBI would be better placed in aligning the auditor tenure to a five-year term.
The RBI regulations further mandate joint audits based on size thresholds (see Table 2 below). The opinion regarding joint audits is polarised — while the audit industry bodies and their representatives believe this measure will bolster audit quality, not everyone is convinced. The Punjab National Bank had five joint auditors at the time of the Nirav Modi scam — and yet transactions were entered into SWIFT outside the books. Because the roles and responsibilities are separated across the joint auditors, the joint auditors do not provide oversight on each other — and therefore, its function in improving audit quality is limited.
The RBI seems to be intent on increasing the pool size of the audit firms that can audit banks and the NBFCs, through the implementation of a standardised six-year cooling period between audits(2) coupled with limiting the number of bank and NBFC audits that can be undertaken(3) by an audit firm. The RBI has approved just over 60 audit firms, which are auditing the financial statements of public sector banks — and the current regulations will likely expand the list of approved audit firms. Yet investors have demonstrated faith in only a handful of audit firms, while simultaneously asking if there are enough audit firms of legitimate size and experience to audit financial services businesses. It is not clear if the regulator has done the homework.
The RBI has rightly argued for independence of auditors — but its regulations miss the woods for the trees. The regulations do not address revenue dependence, which is the one key variable that shoulders auditor objectivity. Client and fee concentration risks for audit firms are determinants of their malleability. Rather than the cooling period and the cessation of non-audit services one year before and after the audit period, the RBI must mandate audit committees and audit firms to publish the degree of revenue dependence as a measure of auditor independence.
The RBI’s new regulations will have the most impact on the private sector banks and the NBFCs, and large audit firms. The private sector banks and the NBFCs tend to have one audit firm — not joint auditors. While one can argue that the larger audit firms, despite their size and international affiliations, have not measured up, the solution cannot be to disperse the assurance function across many firms. The experience of the PSBs does not provide comfort that this is the solution.
Financial services regularly need to raise capital for growth, and therefore, investor confidence is paramount. If investors start questioning audit quality, the impact on the economy will be deleterious.
(1): The regulations apply to commercial banks (excluding regional rural banks), primary (urban) co-operative banks, and non-banking finance companies (including housing finance companies). For the purpose of simplicity, this article refers to this entire group as ‘banks and NBFCs’.
(2): Private sector banks were allowed an auditor tenure of four years with a six-year cooling period. Private sector banks were allowed an auditor tenure of three years, with a cooling period of three-years. NBFCs operated under the Companies Act 2013, under which auditors can be appointed for a maximum of two-terms of fives each, followed by a three-year cooling period.(3):
The regulations limit one audit firm to concurrently take up statutory audit of a maximum of four Commercial Banks (including not more than one PSB or one All India Financial Institution or RBI), eight UCBs and eight NBFCs during a particular year.