SEBI Bans PW From Auditing for Two YearsAction Comes in Aftermath of a Nine-Year-Old Scam
In the wake of a 9-year-old, $1.12 billion (U.S.) Satyam Computer Services' accounting scandal, The Securities and Exchange Board of India, which regulates the securities market, has banned all the firms in the PriceWaterhouse network from auditing listed companies for two years. PriceWaterhouse is the India unit of Pricewaterhouse Coopers that served as Satyam's auditor.
See Also: Why CASBs Matter to Cloud Security
In a 108-page report, SEBI says PW had neglected to check "glaring anomalies" in the financial details Satyam Computer Services reported and did not comply with auditing standards.
In an email response, PW says: "We are disappointed with the findings of the SEBI investigations and the adjudication order. The SEBI order relates to a fraud that took place nearly a decade ago in which we played no part and had no knowledge of. As we have said since 2009, there has been no intentional wrongdoing by PW firms in the unprecedented management perpetrated fraud at Satyam, nor have we seen any material evidence to the contrary. We believe that the order is also not in line with the directions of the Hon'ble Bombay High Court order of 2010 and so we are confident of getting a stay before this order becomes effective".
The Bombay High Court in 2010 had ruled that no punishment can be issue against PW if it's a matter of only some omission without proof of connivance and intent to fraud.
About Satyam Scam
The Satyam fraud surfaced in January 2009 when B. Ramalinga Raju, who was then chairman of the company, admitted in a letter to the company's board and stock exchanges to have inflated revenue and profit over several years in an accounting fraud to the tune of $1.12 billion, making it India's biggest accounting scam.
The company allegedly inflated revenue and fabricated invoices to show a healthy balance sheet of the company. At that time, PWC was Satyam's auditor.
Ban on IT Audit?
SEBI's order includes the following:
- "Listed companies and intermediaries registered with SEBI shall not engage any audit firm forming part of the PW Network, for issuing any certificate with respect to compliance of statutory obligations which SEBI is competent to administer and enforce, under various laws for a period of two years."
- "This order shall come into force with immediate effect. For removal of operational difficulties, this order will not impact audit assignments relating to the financial year 2017-18 undertaken by the firms forming part of the PW network."
The order doesn't clearly mention whether the scope of the order extends to IT auditing as well. An email was sent to SEBI for clarification but ISMG did not receive any response.
Some security experts, however, tell Information Security Media group that PW likely will not be able to carry out statutory IT audits required by the law. "Firms can still carry out internal audits. But I am not too sure whether they will undertake the risk," says Prashant Mali, Bombay High Court Lawyer & Cyber Security Expert .
"As I understand, the order says that PW and related entities cannot do any audit for SEBI regulated entities (means listed companies). Any audit includes IT audit also, as per my understanding," says Rakesh Goyal, managing director at Sysman Computer, a CERT-In empaneled auditing firm.
Bold move by SEBI. This is what a regulator is supposed to do. Tough action wherever there is an evidence of malfeasance and not when genuine business acts/decisions go wrong. This is key in ensuring stability and maintaining the credibility of the market #SEBI https://t.co/40C0VwMyBX— Athar Aamir Khan (@AtharAamirKhan) January 11, 2018
An Opportunity for Government
Some local audit firms contacted by ISMG see the move as an opportunity to improve the country's auditing standards, especially in the wake of Aadhaar breaches.
"SEBI's decision has come out way too late. Nevertheless, it should be help in bringing up the auditing standards in India. Nobody should get away with a bad audit, and government should get a cue from this and review its UIDAI auditor," says a manager of an auditing firm who asked not to be named.
Dinesh Bareja, a cybersecurity specialist who's COO at Open Security Alliance, says government should make public the names of UIDAI auditors and punish them for what he labels as shoddy work. "Every now and then some Aadhaar data ... gets breached. Shouldn't government also take some strict action against those auditors?"