Introduction
The financial statements of an organization are prepared based on certain fundamental accounting assumptions. These assumptions may not be specifically stated, but their use and acceptance are assumed.
As per ICAI Accounting Standard (AS) 1- Disclosure of Accounting Policies[1], one of the assumptions is the going concern which means that the company intends to continue its business and is able to do so for foreseeable future. The status of going concern is significant because if the company is going concern it has to follow the generally accepted Accounting Standard. If the financial statements are not prepared in accordance with going concern, specific disclosure is required.
General purpose financial statements are prepared on a going concern basis, unless management either intends to liquidate the entity or to cease operations, or has no realistic alternative but to do so. This assumption of going concern is addressed annually by management and the external auditors. The external auditor certifies that under all conditions, the company will be able to meet its obligations to all its stakeholders and will function without the threat of liquidation for the foreseeable future, usually regarded as at least within 12 months.
Further, as per Auditing Standard SA -570 (Going Concern)[2],the external auditor while addressing the going concern, has the responsibility to obtain sufficient appropriate audit evidence about the appropriateness of management’s use of going concern assumption in the preparation and presentation of financial statement. The external auditor generally takes into consideration the following parameters while addressing Going concern.
(a) Financial events like the financial position, ability to pay creditors, compliance with loan agreements or the statutory dues, negative operating cash flow, Adverse key financial ratio, inability to obtain financing for new product development / other essential investments or
(b) Operating events like loss of key personnel without replacement, loss of major markets, labor difficulties, shortage of important supplies etc.
(c) Other events like noncompliance with statutory requirements, pending legal or regulatory proceedings, changes in law or regulations or Government policies.
While Auditing Standard SA -570 covers the issues that a company faces on a day to day basis, it doesn’t address the various risks related to disruption of business operations temporarily or permanently due to unforeseen events of natural calamities, terrorist attacks. These will typically lead to the companies being, not able to maintain critical customer service, loss of market share, erosion in brand equity, failure to meet the regulatory requirements or business control failure, inability of the business to continue for a long period post the disaster.
This is all the more critical, since Indian economy is primarily a service oriented one, with service industries contributing 59 % to the overall gross domestic product. For example, a telecom company not being able to deliver customer service, in case of fire, would lead to loss of customer satisfaction and erosion of customer base. Effectively, it means that the telecom company is not able to perform as a going concern. However, the external auditor is not presently obligated to make a detailed check for these events under the present Auditing Standard SA – 570.
Importance of risk assessment and continuity management
Let us consider two companies A & B are hit by major disaster. Company A has made preparations for running its core operations for a limited period of time by implementing Business continuity planning while the other company B neglected such preparations, suffers damages and forced to file bankruptcy. Both the companies may be certified as per Going Concern by the external auditor; however one company is affected by disaster while the other is not. Company A due to its better preparedness, is able to serve its customer within a accepted period post the disaster, thereby being able to maximize its brand equity, increased customer satisfaction and also able to capture customers of company B, who are affected due to company’s B’s inability to serve them.
So the one of the important question for the external auditor to look for answer is: Is the company prepared to respond positively without affect its business operations,in case of a power cut, a computer virus attack, equipment failure, theft, flooding, accidental damage, ï¬ï¿½re, regional disruptions such as earthquakes, national security incidents or international events like terrorism and pandemics? The answer to this question should guide the external auditor while certifying the organization as a “Going Concern”.
For every company to be able to deliver its obligations from going concern perspective, it is important for them to perform the basic process of the identification, assessment, and prioritization of risks. This should be followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities. Finally the company should undertake proactive planning process that ensures critical services or products is delivered during a disruption.
These include:
a. Plans, measures and arrangements to ensure the continuous delivery of critical services and products, which permits the organization to recover its facility, data and assets.
b. Identification of necessary resources to support business continuity, including personnel, information, equipment, financial allocations, legal counsel, infrastructure protection and accommodations.
Having a detailed risk analysis process that goes into building business continuity plans actually helps the business units know their business in more depth. By determining inputs/outputs, dependencies, etc., there can be efficiencies gained through application of improved processes. It also leads to more detailed understanding of what activities the business is involved in and it helps control the direction, and maintains focus on business objectives. It also improves the operations of the organization by identifying areas of inefficiency or risk. During the project where the BCP is elaborated, upgraded or review, the company usually goes through a process-analysis event. It usually allows the company to identify opportunity areas or projects, where they are directly related to the BCP (such as an alternate head office or ‘war room’, that can be used as a capacitation centre to reduce costs) or indirect (such as identifying better Internet connections to treasury department that usually pays on Internet portals).The greatest advantage is that an ‘as it is’ analysis is required.
Going concern and continuity management
Valuation of assets and liabilities are on the basis of “going concern”. The financial statements are prepared assuming the organization will continue. If not, the assets will have to be valued in a different method. If an organization does not have detailed risk assessment done including BCP, this should change the accounting, perhaps with a considerable risk factor. However, this check is ignored at large during accounting and is normally accounted on the basis that the organization will continue. Consideration of various risk elements including the risk of continuity will be positive if an effective BCP arrangement exists. It must be ensured that the company must have business continuity processes, or at least be able to show that they do have processes related to the financial reporting functions. The management can perhaps extend this assessment to other critical business functions and IT assets at a later date.
The external auditor needs to have the requisite information (detailed risk analysis) as well as steps taken by management to address such risks while performing opinion on the going concern assumption.
Does clause 49 of listing agreement on Corporate Governance mandates an enterprise – wide business continuity process in relation to risk management & minimization procedure? In our opinion, the answer is NO, although the companies may use business continuity management on a broader scale. Although clause 49 makes no explicit mention of a business continuity requirement, internal controls focusing on the availability and completeness of financial reporting process are specifically addressed.
Relevance of continuity management in Indian context
Over the last decade, India has made huge progress, and now is well accepted as an emerging global powerhouse. In the early days of this revolution Indian organizations competed on price, and later on quality. In the increasingly risky global environment, Indian organizations now need to compete on risk, and convince their overseas customers that they are “safe” organizations to deal with – that they deliver as per their commitments and service levels, and will not let down their customers, come what may.
India’s large service industry accounts for 58% of the country’s GDP and the industries that accounts for 27.6% of the GDP include textiles, chemicals, food processing, petroleum, Information Technology (IT) enabled services, software and so on. The business services that constitute IT, IT enabled services and business process outsourcing, are among the fastest growing sectors contributing a large share to the total output of services. Higher targets for growth can be achieved if service continuity can be assured.
With the inherent and unique support interdependencies to manage, success of a service industry depends on meeting one of the key expectations of on time / every-time delivery; failure of meeting this expectation can lead to significant impact on business growth and organizational reputation. Therefore the overall objective of ensuring timely and sustained delivery of services can be achieved through effective continuity planning that considers preventive measures to avoid failure and recovery measures to manage them in time; and since it relates to the business, Continuity Planning is the key to service continuity and sustained growth.
The attack on the Taj Hotel in 26/11 and various other terrorist attacks coupled with natural calamities in India completely changed the perception of business continuity planning. The need was felt of continuous availability of operations as an absolute necessity for customer satisfaction and brand protection in case of service industry.
Let’s take the example of the banking industry in India. The sheer nature of banking business requires a robust plan to provide resilience and effectively deal with disasters, impacting the continuity of transacting its business. Therefore, while certifying a bank for Going-concern, it’s important to consider the risk management and continuity management system implemented. Much of the commercial activity thatwe see today is dependent on banks. Banks, in turn, have turned to increasingly complex technology and business models to deliver the services expected in this age of boundary-less commerce. Sophisticated and interconnected Automated Teller Machine (ATM) networks, Tele-banking, Core Banking Solutions and Internet Banking Solutions for seamless customer access are but some of technologies currently deployed. Add to this, the ever expanding branch network to provide banking services in semi-urban and rural areas in India. With this background in mind, it is indeed worrying to imagine a scenario where a disaster may render a bank inoperative for an extended period of time. The floods in Mumbai brought to fore one such concern for banks. Bank ATM terminals are typically located on the ground floor of premises with the backup power generator being located in the basement. The unprecedented floods of July 2005 made all such ATMs non-functional. In such crisis situations, lack of access to financial resources could have severe repercussions. Without these resources, organizations and individuals would find it daunting to take measures to
recover from the disaster. This would compound the already difficult situation being faced and could lead to anarchy and situations like run on banks. In keeping with the theme of continuous availability of banking operations, the BASEL committee on banking supervision (BCBS)[3]released a publication which provides that all banks should have in place contingency and continuity plans to ensure that they could continue to operate on an on-going basis and limit losses in the event of a severe business disruption.
Increasingly government services are getting privatized in India. Let’s take the example of electricity distribution in Delhi. Electricity is the backbone of each industrialized society and economy. Power outage has been mentioned as one of the most experienced and perceived risks by various types of businesses and organizations. Production loss, data loss, damage to equipment and loss of lighting are the most significant sources for inconveniences caused by the power outages. A blackout of a few hours or even several days would have a significant impact on our daily life and the entire economy. The July 2012 India blackout was the largest power outage in history, occurring as two separate events on 30 July 2012 and 31 July 2012. The outage affected over 620 million people, about 9% of the world population, or half of India's population, spread across 22 states in Northern, Eastern, and Northeast India. An estimated 32 Giga-watts of generating capacity was taken offline in the outage.
More than 300 million people, about 25% of India's population, were without power. Railways and some airports were shut down until 08:00. The busiest airport in North India, Delhi Airport, was able to remain open, because it switched to back-up power in 15 seconds. The outage caused "chaos" for Monday morning rush hour, as passenger trains were shut down and traffic signals were non-operational. Trains stalled for three to five hours. Several hospitals reported interruptions in health services, while others relied on back-up generators. Water treatment plants were shut down for several hours, and millions were unable to draw water from wells powered by electric pumps.
If a systematic continuity management process, for example, through Business continuity management process (BCP), was implemented, it is reasonable to assume that it would have taken much lesser time to get critical services working.
Post the privatization of Delhi’s power sector and unbundling of the Delhi Vidyut Board in July 2002, the business of power distribution was transferred to BSES Yamuna Power Limited (BYPL) and BSES Rajdhani Power Limited (BRPL). Though both BYPL and BRPL are certified as Going Concern by the external auditors, none of them have certified Business Continuity Systems implemented. In case of any disaster in Delhi, these electricity distribution services rendered by these companies will be severely affected, thereby impacting other businesses dependent on them as well as the life of general public.
Conclusion
For emerging superpower like India whose economy is majorly dependent on service industry, it’s important for auditors to fully confident about a company’s ability and preparedness to withstand a disaster, before certifying it as a Going Concern. The companies must have business continuity processes, or at least be able to show that they do have processes related to their financial reporting function. The management can perhaps extend this assessment to other critical business functions and IT assets at a later date.
The degree to which management addresses business continuity is their decision, with the ultimate decision focusing on the boundaries of financial reporting process. External auditors who have knowledge of business continuity & potential risk may influence the management in this regard.
Source:
[1] Refer paragraph 10 of Accounting Standard -1 Disclosure of Accounting Policies
[2] Refer paragraph 6 of Audit & Review Standard SA 570 – Going Concern
[3] BASEL Committee on Banking Publication.
By: Mr. Bodhisatya Sarker
Mrs.CA.Amrita Chattopadhyay