Introduction to corporate fraud: obligations of board, audit committee and senior management
Introduction – ‘fraud’ under Indian law
Fraud is a legal concept that is often easier to understand than to define. There are no exhaustive criteria that circumscribe fraud under Indian law. As an example, while the Indian Penal Code, 1860 provides that ‘a person is said to do a thing fraudulently if he does that thing with intent to defraud but not otherwise’; the Indian Contract Act, 1872 sets out certain matters that would be considered to be fraud, affecting the validity of the contract. Fraud under Indian jurisprudence has evolved in a very broad sense as a part of tort, civil and criminal jurisprudence.
Corporate fraud under Companies Act, 1956
The Companies Act, 1956 (which was the predecessor legislation to the Companies Act, 2013) did not define fraud. It did prescribe penal consequences for fraudulent conduct in several instances, including:
- penalty for fraudulently inducing persons to invest money in shares or debentures of a company;
- fraudulent persons could be restrained from managing companies; and
- liability for fraudulent preference in a winding up process.
The Companies Act, 1956 also provided for certain confirmations and disclosures under the board’s report and auditors report – the current position as regards these confirmations and disclosures is covered in the discussion under the Companies Act below.
Corporate fraud under Companies Act, 2013
The term ‘fraud’ is defined in section 447 of the Companies Act, 2013 (Companies Act) as below:
‘fraud’ in relation to affairs of a company or any body corporate, includes any act, omission, concealment of any fact or abuse of position committed by any person or any other person with the connivance in any manner, with intent to deceive, to gain undue advantage from, or to injure the interests of, the company or its shareholders or its creditors or any other person, whether or not there is any wrongful gain or wrongful loss.
‘Wrongful gain’ means the gain by unlawful means of property to which the person gaining is not legally entitled. ‘Wrongful loss’ means the loss by unlawful means of property to which the person losing is legally entitled.
They key elements of this definition are:
- the matter must relate to affairs of the company;
- it may be in the nature of an act, omission, concealment of fact or abuse of position (inclusive definition); and
- there has to be an intent to deceive, gain undue advantage or injure the interests of company, shareholders, creditors or any other person.
However, fraud under section 447 does not require that there be a wrongful gain or wrongful loss.
The Companies Act designates certain matters to be punishable as fraud under section 447 – for example, as per section 448, except where the Companies Act otherwise provides, if in any return, report, certificate, financial statement, prospectus, statement or other document required by, or for, the purposes of any of the provisions of the Companies Act or the rules made thereunder, any person makes a statement that is false in any material particulars, knowing it to be false or that omits any material fact, knowing it to be material, such person shall be liable under section 447.
There is paucity of case law interpreting fraud under the Companies Act (given its recent vintage). However, given that punishment for fraud (involving an amount of 1 million rupees or more) under section 447 involves a minimum imprisonment for six months in addition to a penalty of at least the amount involved in the fraud (and additional consequences, like fraud under the Companies Act being a scheduled offence under the Prevention of Money Laundering Act, 2002), it can be argued that, despite the exhaustive definition, every wrongdoing ought not to be considered as fraud.
As an example, there ought to be a clear distinction between fraud (as defined in the Companies Act) and failure to meet a duty of care (or negligence per se). Additional nuances would vary depending on facts of each case.
Putting in place systems and processes for prevention and detection of fraud is an important part of the role of board of directors, audit committee and senior management.
- Directors (as a part of the directors’ responsibility statement forming part of the board’s report to be provided annually to shareholders under the Companies Act) are required to state several matters that relate (directly or indirectly) to fraud.1
- The role of the audit committee under the Securities and Exchange Board of India (SEBI) (Listing Obligations and Disclosure Requirements) Regulations, 2015 (SEBI LODR Regulations) includes the following:
reviewing the findings of any internal investigations by the internal auditors into matters where there is suspected fraud or irregularity or a failure of internal control systems of a material nature and reporting the matter to the board
- Additionally, the certification to be provided by chief executive officer and chief financial officer to the board of directors of a listed company under the SEBI LODR Regulations includes the disclosures relating to fraud.2
Reporting and related obligations and relevant considerations
Companies Act, SEBI LODR Regulations and contractual commitments
Typically, knowledge of a potential fraud arises in one (or more) of the following ways:
- Complaint by a whistleblower: this is typically addressed by either (one or more of) the board of directors, audit committee (or to the chairman or specific members of the audit committee), senior management, compliance officer or legal department – and, in several instances, is made through the designated whistleblower mechanism that companies have (in case of several subsidiaries of multinational corporations, results in the complaint reaching the ultimate parent’s headquarters outside India).
- In the course of an internal audit.
- In the course of audit (by statutory auditors).
- Investigation (by a regulatory authority).
These are not exhaustive in nature and there are other methods as to how fraud is discovered – for example, research analyst reports (for listed companies) and complaints by competitors.
Self-reporting obligations relating to fraud under the Companies Act and SEBI LODR Regulations are the following.
- The report issued by statutory auditors to the company’s shareholders (which is a public document) is required to disclose frauds (irrespective of who discovered them) – the (statutory) auditors, under Companies (Auditors Report) Order Rules, 2016, under clause 3(x) are required to report occurrence of fraud as a part of their audit report. 
- Fraud other than those referred to below are required to be disclosed in the board’s report (which is also a public document).
- Under the SEBI LODR Regulations, occurrence of any of the following is required to be disclosed to stock exchanges (which is disseminated to the public) as soon as reasonably possible (and not later than 24 hours from occurrence):
- any fraud or default by a promoter or key managerial personnel of the listed entity (or arrest of promoter or key managerial personnel) – the same is deemed to be a material event, triggering disclosure obligations; and
- fraud and defaults by directors (other than key managerial personnel) or employees of the listed entity, if the same is considered to be material.
The SEBI LODR Regulations have a prescriptive disclosure regime, and provide for a detailed set of disclosures, both at the time of initial disclosure and pursuant to subsequent developments.4 It may be noted that one of the prescribed disclosures to the stock exchanges is corrective actions – corrective action and remediation is also an important element of disclosure to auditors (as elaborated below).
Additionally, there are contractual obligations and commitments that could mandate disclosure of any fraud (or of any underlying acts or omissions constituting the fraud) – examples are joint venture contracts, lender contracts, key supplier contracts and contracts with government agencies. A common example of disclosures required is that certain kinds of fraud (especially improper payments) form a part of pre-qualification criteria in integrity pacts (usually) forming part of contracts executed with government authorities.
Fraud – self-reporting to auditors, reporting by auditors and related matters
Self-reporting to auditors
The question of required disclosure to the statutory auditors is covered broadly under the following:
- disclosures required pursuant to the management representation letter (MRL) provided to auditors as a part of the audit exercise;
- disclosures pursuant to the directors’ responsibility statement; and
- proactive disclosure concerning fraud.
Often, in instances where the details of the allegations are received by the ultimate holding company (as a part of a global whistle-blowing program) and where these are investigated by the holding company and its advisors (without the involvement of local management), the manner and timing of disclosure to the local management and auditors is an important consideration.
Management representation letters
Statutory auditors in India typically require extensive disclosures to be made to them on matters related to a company and its financial position pursuant to issuance of one or more management representation letters (MRLs) by companies. These MRLs are typically signed by senior management (usually the managing director or chief executive officer and the chief financial officer). An MRL is relied upon for finalising audited accounts that would need to be approved by the board of directors of the company. Several confirmations contained therein are typically those required by Indian accounting standards. Compliance with Indian accounting standards is a legal requirement. Typical MRLs (especially those provided by larger Indian auditors) have extensive disclosures required relating to fraud – including actual fraud on or by the company, suspected or alleged fraud including any fraud reported during the year (whether through internal or external sources) and all details in relation thereto.
Directors’ responsibility statement
Disclosures arising out of the directors’ responsibility statement are detailed earlier. Directors and relevant signatories are liable to prosecution for incorrect statements made by them in the accounts or in the director’s responsibility statement (which would include those flowing into the accounts based on any incorrect statement in the MRL).
Proactive disclosures to auditors
Pursuant to section 143(12)5 of the Companies Act, if the statutory auditors of a company, in the course of the performance of their duties as an auditor, have a reason to believe that an offence of fraud has been committed in (or against) the company by its officers or employees individually exceeding an amount of 10 million rupees, then the statutory auditors are required to report the same to the central government, subject to the conditions set out below.
However, pursuant to a guidance note issued by the Institute of Chartered Accountants of India (the Guidance Note),
- the auditor is required to apply professional scepticism as to whether the fraud was indeed identified or detected in all aspects through the whistleblower mechanism; and
- the auditor is required to review the steps taken by the management or those charged with governance with respect to the reported instance of suspected fraud. If the auditor is not satisfied with such steps, he or she should state the reasons for his or her dissatisfaction in writing and request the management or those charged with governance to perform additional procedures to enable the auditor to satisfy himself or herself that the matter has been appropriately addressed. If the management or those charged with governance fail to undertake appropriate additional procedures within 45 days of his or her request, the auditor would need to evaluate if he or she should report the matter to the central government.
Note that once the statutory auditors are informed of the issue, they would typically seek full details of the allegations received and investigation done, including the investigation reports and other relevant documents. Statutory auditors generally involve colleagues from their forensic team to undertake this assessment and provide inputs to the audit team.
The Guidance Note also includes guidance on other matters, which would be relevant in specific matters (eg, whether an auditor of a holding company would need to report to the central government in case of a fraud in a subsidiary).
Reporting by auditors
If the auditors believe that they need to report the fraud, the reporting would happen in Form ADT-4 – which broadly covers the following disclosures relating to the fraud:
- address of the office or location where the suspected offence is being committed;
- full details of the suspected offence involving fraud;
- particulars of the officers or employees who are suspected to be involved in the commission of the offence (if any) with their names, designation, permanent account numbers and director’s identification numbers (if they are directors);
- period during which suspected fraud had occurred;
- basis on which fraud is suspected;
- estimated amount involved in the fraud; and
- other relevant details, including communication with the company as mandated under the relevant rules (and referred to above).
Any intimation to the central government would typically be investigated by the Serious Frauds Investigation Office (SFIO). The SFIO, however, is an investigating agency, with the prosecution and legal proceedings (if any) before the relevant authorities following due legal process. As per a recent newspaper report dated 1 July 2019,7 79 investigations have been assigned to the SFIO in the past three years wherein 594 companies were involved – and as per data on the SFIO website,8 it has completed investigations into 87 cases in 2016–17.
An act (or omission) that constitutes fraud under the Companies Act could also trigger penal consequences under other statutes – a typical example is whether expenses claimed in past tax returns have been appropriately claimed. Another example is where such fraud would constitute an offence that is mandatorily reportable under the provisions of section 39 of the Code of Criminal Procedure, 1973.
There are some statutes that provide for leniency in case of self-disclosures (or voluntary disclosures), although such examples are sparse under Indian law – needless to say, such disclosures should ideally be a part of an overall strategy taking into account potential implications under the Companies Act, listing-related obligations (if the entity is listed) and other relevant statutes, pursuant to an appropriately conducted and robust investigation.
Prevention of Corruption Act, 1988
In the event the fraud involves improper payments, the same would also attract the penal provisions of Prevention of Corruption Act, 1988 (PCA). The PCA provides that any commercial organisation (which includes companies) shall be punishable with a fine, if any person associated with such commercial organisation9 gives or promises to give any undue advantage to a public servant intending to obtain or retain business for such commercial organisation, or to obtain or retain an advantage in the conduct of business for such commercial organisation. However, the PCA provides that such organisation can raise a defence that it had in place adequate procedures in accordance with prescribed guidelines to prevent persons associated with it from undertaking such conduct.
In the event that an offence is committed by a commercial organisation under the PCA, and such offence is proved in court to have been committed with the consent or connivance of such director, manager, secretary or other officer of the organisation, such director, manager, secretary or other such officer shall also be guilty of the offence and shall be punishable with imprisonment ranging between three years to seven years and also liable to a fine.
PCA also has provisions for matters relating to attachment and confiscation of money or property procured by way of an offence under the PCA.
There are other provisions of the PCA that would apply to directors (eg, abetment of offences), which also carry liability for imprisonment ranging between three years to seven years.
Further, a subsequent conviction following the first conviction under PCA is punishable with imprisonment ranging between five years to 10 years and also with a fine.
Prevention of Money Laundering Act, 2002
The Prevention of Money-Laundering Act, 2002 (PMLA) seeks to prevent money laundering and to provide for confiscation of property derived from or involved in money laundering. The offence of money laundering relates to ‘proceeds of crime’ (including, inter alia, its concealment, possession, acquisition or use), and ‘proceeds of crime’ are defined as property derived or obtained, directly or indirectly, by any person as a result of criminal activities relating to a ‘scheduled offence’ (or the value of such property). Fraud under the Companies Act, 2013 and offences by commercial organisations under the POCA (as set out above) are prescribed as ‘scheduled offences’ under the PMLA.
In the case of contraventions of provisions of the PMLA by a company, every person who, at the time the contravention was committed, was in charge of, and was responsible to the company, for the conduct of its business (as well as the company), shall be held liable for such offence, unless such person proves that the contravention took place without his knowledge or that he exercised all due diligence to prevent such contravention.
If it is established that such contravention took place with the consent or connivance of, or is attributable to any neglect on the part of, any director, manager, secretary or other officer of any company, such director, manager, secretary or other officer shall also be held liable for the contravention, and shall be liable to punishment by way of imprisonment ranging between three and seven years and with fine.
The PMLA also has provisions for being liable to survey and search and seizure proceedings (including freezing of property), the ability for authorities to provisionally attach and confiscate the ‘proceeds of crime’ and pre-conviction arrest.
 Relevant provisions are reproduced below:
- ‘in the preparation of the annual accounts, the applicable accounting standards had been followed along with proper explanation relating to material departures’;
- ‘directors had taken proper and sufficient care for the maintenance of adequate accounting records in accordance with the provisions of this Act for safeguarding the assets of the company and for preventing and detecting fraud and other irregularities’;
- ‘the directors had devised proper systems to ensure compliance with the provisions of all applicable laws and that such systems were adequate and operating effectively’; and
- in case of listed companies, the directors’ responsibility statement is also required to state ‘the directors, in the case of a listed company, had laid down internal financial controls to be followed by the company and that such internal financial controls are adequate and were operating effectively.’
The term ‘internal financial controls’ in the above-referred provisions ‘means the policies and procedures adopted by the company for ensuring the orderly and efficient conduct of its business, including adherence to company’s policies, the safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information’.
 Relevant portions are reproduced below
- ‘there are, to the best of their knowledge and belief, no transactions entered into by the listed entity during the year which are fraudulent, illegal or violative of the listed entity’s code of conduct’; and
- ‘they have indicated to the auditors and the Audit committee . . . instances of significant fraud of which they have become aware and the involvement therein, if any, of the management or an employee having a significant role in the listed entity’s internal control system over financial reporting’.
 The relevant language reads as below: ‘whether any fraud by the company or any fraud on the Company by its officers or employees has been noticed or reported during the year; If yes, the nature and the amount involved is to be indicated’.
 Disclosures prescribed under sub-clause (c)(i) above are reproduced below – similar set of disclosures are also required to be made under sub-clause (c)(ii):
At the time of unearthing of fraud or occurrence of the default / arrest:
a) nature of fraud/default/arrest;
b) estimated impact on the listed entity;
c) time of occurrence;
d) person(s) involved;
e) estimated amount involved (if any);
f) whether such fraud/default/arrest has been reported to appropriate authorities.
6.2. Subsequently intimate the stock exchange(s) further details regarding the fraud/default/arrest including:
a) actual amount involved in the fraud /default (if any);
b) actual impact of such fraud /default on the listed entity and its financials; and
c) corrective measures taken by the listed entity on account of such fraud/default.
 Section 143(12) of the Companies Act reads as follows:
12) Notwithstanding anything contained in this section, if an auditor of a company in the course of the performance of his duties as auditor, has reason to believe that an offence of fraud involving such amount or amounts as may be prescribed, is being or has been committed in the company by its officers or employees, the auditor shall report the matter to the Central Government within such time and in such manner as may be prescribed;
Provided that in case of a fraud involving lesser than the specified amount, the auditor shall report the matter to the audit committee constituted under section 177 or to the Board in other cases within such time and in such manner as may be prescribed:
Provided further that the companies, whose auditors have reported frauds under this sub-section to the audit committee or the Board but not reported to the Central Government, shall disclose the details about such frauds in the Board’s report in such manner as may be prescribed
 Guidance Note on Reporting of Fraud under section 143(12) of the Companies Act, 2013 (revised 2016).
 Under the PCA, the capacity in which the person performs services for or on behalf of the culpable commercial organisation shall not matter (irrespective of whether such person is an employee or agent or subsidiary of such commercial organisation). Further, all relevant circumstances (and not merely the nature of the relationship between such person and the organisation), are to be considered in order to determine whether such person performs services for or on behalf of the commercial organisation.