Key Considerations for Internal Investigations in India Following Recent Regulatory Circular to Indian Auditors

On June 26, 2023, the NFRA issued a circular entitled "Statutory Auditors' Responsibilities in relation to Fraud in a Company." In the circular, the NFRA notes that that Indian auditors "are not fulfilling their statutory responsibilities relating to reporting of fraud as mandated [by the Indian] Companies Act." Consequently, the circular reminds statutory auditors that Indian law places "mandatory reporting obligations to report fraud and/or suspected fraud to the Central Government and the Board/Audit Committee." In particular, if a statutory auditor "observe[s] suspicious activities, transactions, or operating circumstances in a company that indicate reasons to believe that an offense of fraud is being or has been committed against the company by its officers or employees" (emphasis in original), then the auditor must report the matter to the board or audit committee and also, if the fraud involves or is expected to involve one crore or more, to the Indian Central Government. This disclosure obligation applies "even in allegations where the statutory auditor is not the first person to identify the fraud/suspected fraud." And, when evaluating any such allegations, the auditor should exercise its "professional skepticism" and "need not be influenced by [a] legal opinion provided by the Company or its Management." Finally, the NFRA circular reminds auditors that the Companies Act "contains consequences for auditors if they have acted … in fraudulent manner or abetted or colluded in any fraud by, or in relation to, the company or its officers or directors," including imposing liability on the auditors.

The NFRA's issuance of the circular is significant for auditors, audited entities, and international corporate parent companies. As essentially a series of reminders of preexisting obligations, as well as a definitive statement on the broad scope of these obligations, the circular suggests that auditor compliance has not been to the NFRA's satisfaction and that it is now doubling down with renewed enforcement vigor, including through the express threat of auditor liability. Further, these obligations (and potential liability) on Indian statutory auditors likely will affect how audit professionals and firms request, evaluate, and potentially disclose relevant cases of suspected (or substantiated) fraud. As a result, international companies might want to revisit their procedures for conducting internal investigations in India. 

In this Commentary, we highlight eight considerations for international companies when conducting investigations into fraud allegations in India, with the provisions of the circular and the underlying Companies Act in mind. 

First, it is important for companies and their Indian statutory auditors to have a shared understanding of the auditors' obligations specified in the circular, and as a consequence of any other relevant legal guidance and their own organizational practices. Most fundamentally, the company and the auditor should ensure that, at the outset of the audit, they understand what allegations or facts might reasonably be regarded as a "fraud" that "is being or has been committed against the company by its officers or employees" and thus trigger the auditor's disclosure obligation. Relatedly, the company and the auditor might be well served to discuss whether the auditor believes it is obligated to disclose facts concerning a fraud that was detected and remediated by the company during the audit period. 

Second, Indian statutory auditors might now require more fulsome information related to alleged or suspected fraudulent activity during the audit period, which raises the question of what information the company (or its international parent company) should or can appropriately provide in response to such requests. For example, auditors might ask companies to disclose allegations of "fraud" regardless of whether those allegations have been (or could be) substantiated, and may pursue any and all information that is developed in an internal investigation being conducted by the company and/or its international parent company. This may lead to companies disclosing more allegations and instances of fraud, regardless of the credibility of any single allegation, and in circumstances in which reasonable minds could differ as to whether a fraud of one crore rupees or more was committed. This is in addition to existing auditor obligations to evaluate all "whistle-blower complaints"—whether related to fraud or not—under the Companies (Auditor's Report) Order, 2020, issued by India's Ministry of Commerce pursuant to the Companies Act, 2013. All of this could result in companies having to conduct more thorough, time-consuming, and costly investigations into fraud (and other) allegations in order to meet not only their own internal policies, but their auditors' as well.

Third and relatedly, the NFRA's stated threshold fraud amount—one crore rupees—is, as of the time of this Commentary, equivalent to roughly $120,000. That is not a particularly high threshold for many companies (and likely would fall short of being quantitatively "material" for financial reporting purposes), particularly for large, international companies that do business in India. Given that comparatively low threshold for triggering the statutory auditor's obligations under the circular, Indian companies (and their international parent companies) may incur more time and money to fully investigate relevant allegations, regardless of whether they are credible or not.

Fourth, when corporate counsel is conducting a confidential internal investigation into alleged misconduct, the sharing of investigative information with third parties often raises concerns related to potential waiver of the attorney-client privilege. The expected response of statutory auditors to the NFRA's circular may heighten this concern in particular cases—and not simply because auditors can generally be expected to request more information from companies relating to internal investigations. For example, the potentially more adversarial position of an Indian auditor may make it more difficult for the company (or its international parent) to assert work-product protection over otherwise protected information that is shared with an Indian auditor. See, e.g., United States v. Deloitte, LLP, 610 F.3d 129 (D.C. Cir. 2010) (upholding assertion of work-product protection for three documents in the files of an outside independent tax auditor). 

Fifth, while statutory auditors' evaluation of a suspected fraud might have previously awaited the outcome of a company's investigation, the mandatory obligations articulated in the circular might now compel an Indian statutory auditor to take steps to independently evaluate (i.e., investigate themselves) those allegations. A separate investigation would require effective coordination between the investigative teams, and might lead to potentially inconsistent (or even contradictory) findings and observations about the same facts and circumstances. 

Sixth, and as discussed above, if the auditor concludes that it has "reason to believe" that a fraud of one crore rupees or more occurred, the auditor must report the matter to the Indian Central Government. As part of this obligation, the auditor is to report the matter to the board or audit committee of the company (within two days of knowledge of the fraud) to seek a response from the company (voluntary, but due within 45 days), and thereafter forward the auditor's report to the Central Government, along with any response from the company. Depending on the facts and circumstances, the auditor's disclosure could predate any disclosure being contemplated by the company (and/or its parent company outside India). Beyond timing, the auditor's disclosure might be inconsistent with the facts as viewed by the company and/or its international parent, including with respect to whether or not the evidence supports a conclusion that fraud was committed and, if so, whether it was "against the company." The content of any response to the auditor can serve as an important opportunity to present the company's views, albeit in a compressed time period. In this context, to minimize the attendant risks, the company and/or its international parent company might accelerate (or even require) disclosure of the matter to Indian and/or governmental authorities in the United States or elsewhere, and seek to ensure that any disclosures are accompanied by all facts and other information necessary to a complete understanding of the matter.

Seventh, an auditor's report of fraud to the Central Government increases the likelihood (and/or could accelerate the timing) of inquiries from Indian government agencies directed to the company and corporate personnel involved. With respect to an international corporation, and depending on the degree of cooperation between the Central Government and other agencies inside and outside of India (including the U.S. Department of Justice, the U.S. Securities and Exchange Commission, and the UK Serious Fraud Office), the company and/or its international parent company might receive inquiries sooner than otherwise contemplated (if at all). And, depending on the subject of the auditor's report, those inquiries might be broader (or different in other respects) than they otherwise would have been.

And eighth, if a well-constructed and executed internal investigation does not find evidence sufficient to substantiate an allegation of fraud, the company should support that conclusion in clear terms with a description of the investigative scope and approach, and a robust explanation for how and why the conclusion was reached, remaining careful to protect and preserve applicable legal privileges. This should help instill confidence in the company's assessment and make it less likely that the auditor will seek to challenge it and proceed to disclose the matter to the Central Government.

Jones Day does not practice or advise on issues of Indian law, but frequently serves as counsel in India-related matters, including international disputes and investigations.