Key Considerations for Internal Investigations in India Following Recent Regulatory Circular to Indian Auditors
The Situation: On June 26, 2023, the National Financial Reporting Authority of India ("NFRA") issued a circular reminding statutory auditors in India of their obligation under Indian law to report to the Indian Central Government any instances in which an auditor has "reason to believe" that a fraud of one crore rupees or more (approximately $120,000) has been committed "against the company by its officers or employees." The circular instructs auditors to exercise their "professional skepticism while evaluating fraud," notes that their determination "need not be influenced by [a] legal opinion provided by the Company or its Management," and cautions auditors about potential consequences for failing to comply with their obligations.
The Result: While the full effects of the NFRA circular remain to be seen, the circular seems likely to cause statutory auditors of Indian businesses—including businesses owned by international parent companies—to expand the depth and breadth of their audits and reporting obligations. For instance, auditors may be more likely to seek and independently evaluate information about any suspected fraud in order to determine whether they have "reason to believe" that a fraud meeting the threshold has occurred. Notably, fraud is defined broadly by Indian law and has been understood in this context to include corruption, bribery, money laundering, and embezzlement. If the auditor has reason to believe that a fraud occurred, then the auditor is obligated to disclose that information to the Indian Central Government.
Looking Ahead: International companies should expect a shift in how Indian statutory auditors request, evaluate, and potentially disclose information regarding suspected fraud committed against audited companies. As a result, international companies may want to reexamine how they review, evaluate, and investigate allegations of fraud in India, and how they interact with statutory auditors regarding those allegations and any resulting internal investigations.
On June 26, 2023, the NFRA issued a circular entitled "Statutory Auditors' Responsibilities in relation to Fraud in a Company." In the circular, the NFRA notes that that Indian auditors "are not fulfilling their statutory responsibilities relating to reporting of fraud as mandated [by the Indian] Companies Act." Consequently, the circular reminds statutory auditors that Indian law places "mandatory reporting obligations to report fraud and/or suspected fraud to the Central Government and the Board/Audit Committee." In particular, if a statutory auditor "observe[s] suspicious activities, transactions, or operating circumstances in a company that indicate reasons to believe that an offense of fraud is being or has been committed against the company by its officers or employees" (emphasis in original), then the auditor must report the matter to the board or audit committee and also, if the fraud involves or is expected to involve one crore or more, to the Indian Central Government. This disclosure obligation applies "even in allegations where the statutory auditor is not the first person to identify the fraud/suspected fraud." And, when evaluating any such allegations, the auditor should exercise its "professional skepticism" and "need not be influenced by [a] legal opinion provided by the Company or its Management." Finally, the NFRA circular reminds auditors that the Companies Act "contains consequences for auditors if they have acted … in fraudulent manner or abetted or colluded in any fraud by, or in relation to, the company or its officers or directors," including imposing liability on the auditors.
The NFRA's issuance of the circular is significant for auditors, audited entities, and international corporate parent companies. As essentially a series of reminders of preexisting obligations, as well as a definitive statement on the broad scope of these obligations, the circular suggests that auditor compliance has not been to the NFRA's satisfaction and that it is now doubling down with renewed enforcement vigor, including through the express threat of auditor liability. Further, these obligations (and potential liability) on Indian statutory auditors likely will affect how audit professionals and firms request, evaluate, and potentially disclose relevant cases of suspected (or substantiated) fraud. As a result, international companies might want to revisit their procedures for conducting internal investigations in India.
In this Commentary, we highlight eight considerations for international companies when conducting investigations into fraud allegations in India, with the provisions of the circular and the underlying Companies Act in mind.
First, it is important for companies and their Indian statutory auditors to have a shared understanding of the auditors' obligations specified in the circular, and as a consequence of any other relevant legal guidance and their own organizational practices. Most fundamentally, the company and the auditor should ensure that, at the outset of the audit, they understand what allegations or facts might reasonably be regarded as a "fraud" that "is being or has been committed against the company by its officers or employees" and thus trigger the auditor's disclosure obligation. Relatedly, the company and the auditor might be well served to discuss whether the auditor believes it is obligated to disclose facts concerning a fraud that was detected and remediated by the company during the audit period.
Second, Indian statutory auditors might now require more fulsome information related to alleged or suspected fraudulent activity during the audit period, which raises the question of what information the company (or its international parent company) should or can appropriately provide in response to such requests. For example, auditors might ask companies to disclose allegations of "fraud" regardless of whether those allegations have been (or could be) substantiated, and may pursue any and all information that is developed in an internal investigation being conducted by the company and/or its international parent company. This may lead to companies disclosing more allegations and instances of fraud, regardless of the credibility of any single allegation, and in circumstances in which reasonable minds could differ as to whether a fraud of one crore rupees or more was committed. This is in addition to existing auditor obligations to evaluate all "whistle-blower complaints"—whether related to fraud or not—under the Companies (Auditor's Report) Order, 2020, issued by India's Ministry of Commerce pursuant to the Companies Act, 2013. All of this could result in companies having to conduct more thorough, time-consuming, and costly investigations into fraud (and other) allegations in order to meet not only their own internal policies, but their auditors' as well.
Third and relatedly, the NFRA's stated threshold fraud amount—one crore rupees—is, as of the time of this Commentary, equivalent to roughly $120,000. That is not a particularly high threshold for many companies (and likely would fall short of being quantitatively "material" for financial reporting purposes), particularly for large, international companies that do business in India. Given that comparatively low threshold for triggering the statutory auditor's obligations under the circular, Indian companies (and their international parent companies) may incur more time and money to fully investigate relevant allegations, regardless of whether they are credible or not.
Fourth, when corporate counsel is conducting a confidential internal investigation into alleged misconduct, the sharing of investigative information with third parties often raises concerns related to potential waiver of the attorney-client privilege. The expected response of statutory auditors to the NFRA's circular may heighten this concern in particular cases—and not simply because auditors can generally be expected to request more information from companies relating to internal investigations. For example, the potentially more adversarial position of an Indian auditor may make it more difficult for the company (or its international parent) to assert work-product protection over otherwise protected information that is shared with an Indian auditor. See, e.g., United States v. Deloitte, LLP, 610 F.3d 129 (D.C. Cir. 2010) (upholding assertion of work-product protection for three documents in the files of an outside independent tax auditor).
Fifth, while statutory auditors' evaluation of a suspected fraud might have previously awaited the outcome of a company's investigation, the mandatory obligations articulated in the circular might now compel an Indian statutory auditor to take steps to independently evaluate (i.e., investigate themselves) those allegations. A separate investigation would require effective coordination between the investigative teams, and might lead to potentially inconsistent (or even contradictory) findings and observations about the same facts and circumstances.
Sixth, and as discussed above, if the auditor concludes that it has "reason to believe" that a fraud of one crore rupees or more occurred, the auditor must report the matter to the Indian Central Government. As part of this obligation, the auditor is to report the matter to the board or audit committee of the company (within two days of knowledge of the fraud) to seek a response from the company (voluntary, but due within 45 days), and thereafter forward the auditor's report to the Central Government, along with any response from the company. Depending on the facts and circumstances, the auditor's disclosure could predate any disclosure being contemplated by the company (and/or its parent company outside India). Beyond timing, the auditor's disclosure might be inconsistent with the facts as viewed by the company and/or its international parent, including with respect to whether or not the evidence supports a conclusion that fraud was committed and, if so, whether it was "against the company." The content of any response to the auditor can serve as an important opportunity to present the company's views, albeit in a compressed time period. In this context, to minimize the attendant risks, the company and/or its international parent company might accelerate (or even require) disclosure of the matter to Indian and/or governmental authorities in the United States or elsewhere, and seek to ensure that any disclosures are accompanied by all facts and other information necessary to a complete understanding of the matter.
Seventh, an auditor's report of fraud to the Central Government increases the likelihood (and/or could accelerate the timing) of inquiries from Indian government agencies directed to the company and corporate personnel involved. With respect to an international corporation, and depending on the degree of cooperation between the Central Government and other agencies inside and outside of India (including the U.S. Department of Justice, the U.S. Securities and Exchange Commission, and the UK Serious Fraud Office), the company and/or its international parent company might receive inquiries sooner than otherwise contemplated (if at all). And, depending on the subject of the auditor's report, those inquiries might be broader (or different in other respects) than they otherwise would have been.
And eighth, if a well-constructed and executed internal investigation does not find evidence sufficient to substantiate an allegation of fraud, the company should support that conclusion in clear terms with a description of the investigative scope and approach, and a robust explanation for how and why the conclusion was reached, remaining careful to protect and preserve applicable legal privileges. This should help instill confidence in the company's assessment and make it less likely that the auditor will seek to challenge it and proceed to disclose the matter to the Central Government.
Jones Day does not practice or advise on issues of Indian law, but frequently serves as counsel in India-related matters, including international disputes and investigations.
Five Key Takeaways
- The NFRA circular requires statutory auditors in India to independently review and potentially report to the Indian Central Government any facts or allegations that cause the auditor to reasonably believe that a fraud has been committed against a company by its officers or employees. This disclosure obligation is triggered at a relatively low threshold amount of one crore rupees (currently approximately $120,000).
- Companies doing business in India (and any international parent companies) are likely to experience a shift in how Indian statutory auditors request and evaluate information regarding suspected fraud against an audited company (which could include allegations of bribery, corruption, and embezzlement). Among other things, auditors may require more fulsome information regarding suspected fraud, which raises the question of what information the audited company (and/or its international parent company) should or can provide to the auditor in response, recognizing that the auditor might disclose that information to the Indian Central Government.
- Companies should seek to ensure that they understand the auditor's obligations and related practices, including how the auditor will determine if it reasonably believes that a fraud has been committed, the categories of allegations (or facts) that would trigger the auditor's disclosure obligation, and whether the auditors intend to disclose to Indian authorities information relating to allegations of fraud where it has not been determined that a fraud was committed or where potential fraudulent conduct was investigated and remediated by the company.
- A statutory auditor's decision to disclose information relating to a suspected fraud could impact the affected company's decision (or that of the international parent) whether to disclose the same information to relevant governmental authorities. Any such disclosures (whether by the auditor or the company) also may increase the likelihood that the audited company—or its international parent company—receives inquiries from Indian or other governmental agencies.
- When relevant allegations of fraud are raised against a company, the company is well served by appropriately investigating the allegations and advising key stakeholders (and other interested parties) as to the investigation. If such an investigation conducted by the audited company (or its international parent company) finds insufficient evidence to substantiate an allegation of fraud, that conclusion should be supported in clear terms with a description of the investigative scope and approach, and a robust explanation for how and why the conclusion was reached, remaining careful to protect and preserve applicable legal privileges.
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.