The outcome of a recent probe into the shocking embezzlement at the IT firm, is proof that despite regular affirmations, India Inc has neglected elementary monitoring practices

Last week, The Hindu BusinessLine front-paged a report "Embezzlement at Wipro; Probe blames lack of internal controls" (17 November 2010). The matter involved an employee who had been working in the controllership division of the company's finance department for about three years till the theft was discovered in December last year. The employee is believed to have embezzled about $4 million by stealing a password and transferring money from one of Wipro's bank accounts.

The BusinessLine reported that an independent legal counsel appointed by the IT major to look into the matter had found that lack of internal controls in the company had led to the embezzlement committed between November 2006 and December 2009. The external counsel was engaged on the advice of the US Securities and Exchange Commission (US SEC).

Based on the finding of the legal counsel, Wipro suggested that if corrections were to be carried out to the published annual financial results, in view of the "mis-statements identified during the probe" together with other "uncorrected audit adjustments", profit-after-tax for 2009-10 would have been higher by 2.1% or approximately Rs92 crores.

Wipro is reported to have informed the US SEC that its audit panel has concluded that mistakes were committed in accounting entries and that they were also not supported by any documents. Weaknesses identified related to sharing of online banking access passwords and Wipro's internal accounting system passwords by certain employees within the finance and accounting departments, including those responsible for external financial reporting,

The company admitted there was lack of effective controls over recording of journal entries, including inadequate documentation which resulted in ineffective controls over bank reconciliation statements, exchange rate fluctuation accounts, outstanding liabilities accounts, and lack of timely and adequate reconciliation and review of period and end reinstatement of foreign currency inter-company and unit balances including the recording of appropriate adjustments. There was also insufficient segregation of duties with respect to recording and initiating banking payments.

Wipro conceded in its disclosure to the US SEC, "We and our independent registered public accounting firm also identified the lack of internal controls that gave rise to the embezzlement and the financial statement mis-statements as material weaknesses in internal control over financial reporting."

The amount of Rs92 crores may not be considered "material" in routine audit parlance in a multi-crore company such as Wipro, to warrant reporting "extra-ordinary transactions" in the annual accounts, either by way of a note on the accounts, or qualifications from auditors, or a mention in corporate governance. But a reference in small print about an inquiry would not serve the same purpose.

This is a clear-cut case of a very carefully thought out, long-drawn fraud that certainly is not the handiwork of a solitary employee-player, but the result of active connivance of more than a number of employees working in collusion at every level in the organization, who breached the company's internal control system by taking advantage of the lacunae or the lack of monitoring. The embezzlement did not happen in a single financial year, but was spread out over a period of three years, and should not have escaped the attention of auditors if it was committed by an individual.

It is not surprising that the theft was carried out by tampering with known and common fraud-prone areas of reconciliation of bank accounts as well as relatively less operated/scrutinized accounts like outstanding liabilities, exchange rate fluctuations, inter-unit and company balances. Note that the company mentions "lack of timely and adequate reconciliation and review of period and end reinstatement of foreign currency, inter-company and unit balances including recording of appropriate adjustments." It also says that "segregation of duties with respect to recording and initiating banking payments was found insufficient". How does one account for the absence of built-in checks and controls that are an essential requirement for any enterprise, large or small? If at all well-documented procedures and practices were in place, where did these fail?

The disclosure of "material weaknesses in the internal controls" is a frank admission of the absence or disregard for monitoring through an elementary internal control system with appropriate accounting care and standard operating procedures, such as duly laid down authorisation levels, insistence of appropriate supports for accounting entries (like the journal entries that are recorded by debiting one account and crediting another), and mandatory periodic segregation as well as rotation of duties. This happened despite the solemn affirmations to the contrary contained in the certification of the CFO/CEOs and Corporate Governance Report, as also in internal and statutory audit reports that have, year-after-year declared the existence of internal control systems. This instance may be just the tip of the iceberg, with more than a few such frauds likely to be discovered, that's if they have not been suppressed already by company managements, to protect their lily-white images even after the whistle is blown!

Take the declaration by Ratan Tata recently that he did not want to go to bed thinking he had to pay a bribe, while Rahul Bajaj states that every industrialist pays bribes. Which begs the question, where are these payments accounted, or how do they remain unaccounted? Though the amounts may not compare with the unimaginable figures being estimated in the 2G spectrum allocation scam, it is an endemic malaise. Is there any regulator who will look into this? Will it be the Institute of Chartered Accountants of India that will look into the internal and statutory audits, or the ministry for corporate affairs and/or the Securities and Exchange Board of India for violations of corporate governance, or will they remain mere listing requirement checklists to be ticked before sign-off?

(The writer is a chartered accountant and is based in Mumbai.)