The Importance of IS Audit: Lessons Learned from the Evergrande Crisis

Author: Rui Feng Isaac Lee, CCSK
Date Published: 11 October 2024

The Evergrande Group, founded in 1996, was China's second most prominent property developer. However, in March 2024, the China Securities Regulatory Commission alleged that the Evergrande Group had artificially inflated its sales by US$79 billion during the two years leading up to its collapse. This occurred despite the financial statements being audited by PricewaterhouseCoopers (PwC), a globally renowned audit firm.1 According to an anonymous letter released in April 2024, the internal control measures implemented by PwC were insufficient, thereby contributing to the Evergrande Crisis. Subsequently, on 19 April 2024, the Accounting and Financial Reporting Council (AFRC) published a press release stating their obligation to launch an investigation. This action by the AFRC aims to uphold public confidence in the integrity of the accounting profession.2

The Evergrande Group scandal, wherein the company allegedly inflated its sales by US$79 billion despite audits by PwC, underscores the critical importance of robust IS audits. Effective IS audits are essential to ensure the integrity of financial reporting and internal controls, prevent fraudulent activities, and maintain public trust in the accounting profession. The crisis highlights the necessity for audit firms to implement comprehensive and stringent internal control measures, as failures in these areas can lead to significant financial risk and undermine confidence in financial markets.

The Anonymous Letter

In April 2024, an anonymous letter titled “Who Dragged PwC into the Fire Pit of Evergrande” emerged, alleging the involvement of leaders from PwC Mainland China and Hong Kong in unethical conduct.3 According to the letter, these individuals should be held accountable for the Evergrande Crisis. Moreover, the letter claimed that PwC Mainland China and Hong Kong’s “auditing failure” concerning the Evergrande Group was linked to senior partners who purportedly evaded investigations by regulatory authorities in Hong Kong and the United States. They allegedly argued that Evergrande's audit working papers were confidential as they were located within Mainland China's jurisdiction.4

However, PwC Mainland China and Hong Kong have categorically denied these allegations and stated their intention to reserve the right to take legal action in response.5

In response to the anonymous letter and the resulting uncertainty in Hong Kong's capital markets, the AFRC, which serves as the financial reporting regulator in Hong Kong, issued a press release on 19 April 2024. The AFRC stated its obligation to launch an investigation to uphold public confidence in the integrity of the accounting profession. Furthermore, the AFRC emphasized its willingness to take appropriate legal action against any firms or individuals if deemed necessary.

This event underscores the criticality of robust regulatory frameworks that can swiftly address and rectify lapses in enterprise governance and auditing standards. It is crucial to explore recommendations for how regulatory authorities and enterprises can enhance their operational protocols and ethical guidelines to prevent similar incidents, thereby strengthening investor confidence and maintaining the integrity of financial markets.

Recommendations

Several key lessons can be derived from this event. The AFRC’s press release highlighted specific potential failure points pertaining to the Evergrande Group engagement and PwC’s internal control that demand attention from all audit firms. The AFRC emphasized the following areas:6

Effective Quality Control

Effective quality control is crucial to audit firms, as audit firms represent the public interest while issuing audited financial statements. To establish and maintain quality control, professional firms should establish standard procedures for quality control and educate employees in how to follow such procedures.

Adequate Audit Procedures

During the preparation of audited financial statements, engagement teams must ensure that the related audit procedures sufficiently address the identified risks and assertions. From the perspective of IS audit, testing of IT general controls (ITGCs) and IT application controls (ITACs), together with data analytics, serves as a robust set of tools for assessing the reliability of the financial information provided by the client and the effectiveness of clients’ internal control environments.

The testing procedures, testing attributes, and rationale should be meticulously documented in the working papers for review by senior engagement members. For example, there is a consistent concern regarding the sample size calculation formula, as it can significantly influence the conclusions drawn. IS auditors must diligently consider the calculation method to ensure that the sample size effectively reflects the IT control environment. It is important to recognize that different industries entail varying business risks and internal control risks, thereby necessitating customized calculation formulas rather than a universal approach.

Professional Behaviour

IS auditors must exercise caution and refrain from conducting hasty and superficial testing, even when faced with imminent deadlines. Such diligence is paramount as it directly influences the credibility of the audit opinion. Financial auditors rely heavily on the opinion rendered by IS auditors to guide their subsequent audit procedures on the financial statements. Therefore, the thoroughness and reliability of the IS auditors' testing significantly impact the overall effectiveness and integrity of the auditing process.

Beyond the Evergrande Crisis and the AFRC

In the realm of IS audit, cybersecurity professionals find themselves at a pivotal juncture. It is essential to contemplate how professionals can elevate effectiveness in executing IS audit engagements. Several recommendations offer guidance in this regard:

1. Culture

Audit firms should establish an environment that encourages IS auditors to maintain professional judgment and independence while participating in IS audit engagements.

For instance, audit firms should provide IS auditors with the necessary resources, tools, and support to perform their work independently and effectively. This includes access to relevant Computer Assisted Audit Techniques (CAATs) and identical templates for ITGCs and ITACs. Additionally, auditors should have a channel to seek guidance or raise concerns if they encounter situations that may compromise their independence or professional judgment.

Moreover, audit firms should also conduct regular performance evaluations of IS auditors, considering their adherence to professional ethics, independence, and professional judgment. Feedback provided during these evaluations can help auditors understand how they are meeting expectations and identify areas for improvement.

It is essential to foster a culture where employees feel empowered to report any irregularities, such as potential illicit transactions or benefits exchanged between the firm and its clients. This can be facilitated through a whistleblowing program and issues can be escalated to senior management if necessary. When irregular activities are reported, the firm should promptly investigate these issues. It should also make every effort to protect the whistleblowers’ interests while adhering to established policies and procedures.

2. Continuous Training and Education

Many emerging technologies are now being implemented in the business world, surpassing imagination. For instance, cutting-edge technologies such as quantum computing, quantum cryptanalytics, and fog computing are all used in organizations today.

It is recommended that firms encourage employees to maintain an open-minded attitude toward new technologies and stay up to date with the latest versions of international standards related to these technologies. The firm should prioritize training employees on prevailing international and local frameworks and standards. This is particularly important when offering compliance testing services and certification services.

3. Staff Quality and Competence

Enterprises should also prioritize the quality and competence of their staff. When providing compliance services to clients, it is unsuitable for engagement team members without relevant credentials, such as Certified Information Systems Auditor® (CISA®), COBIT®, or Certified Information Systems Security Professional (CISSP), to access the IT and internal control environments. Otherwise, questions may arise regarding the reliability of the assessment.

In addition, it is also recommended that enterprises pay attention to employees’ continuing professional education (CPE) hours, ensuring that they are sufficient to maintain their membership within professional bodies’ member registers. Organizations should conduct annual reviews of their employees’ certifications and qualifications, verifying their alignment with the registries of professional organizations. If an employee’s professional membership lapses, it could raise questions about their ability to carry out their duties effectively.

4. Sufficient Time for the Assessment

While offering certification services, the enterprise must provide ample time for the engagement team members. This allows for a thorough evaluation of the client’s IT and internal control environments. This measure is vital in upholding the assessment’s quality and ensuring a fair and accurate representation of the client’s IT landscape.

Moreover, it is recommended that the quality control team also has sufficient time to review the relevant working papers. This allows team members to identify areas that may require additional testing to ensure the reliability of the results. Giving ample time for this review process enhances the overall quality control measures and contributes to the reliability and accuracy of the audit findings.

Conclusion

From the IS audit perspective and per the International Financial Reporting Standards (IFRS),7 it is apparent that the audit firm and PwC may have encountered deficiencies regarding quality control and inadequate audit procedures. However, it is important to note that the results are pending the AFRC’s continued investigation.

More importantly, the Evergrande scandal and the lessons learned present a great opportunity for learning beyond the audit industry. For enterprises across industries, it is a time to take proactive steps to establish an effective internal control environment, motivate employees to report irregular activities, enhance employees’ capacity through education and training, and allocate sufficient time for employees to deliver high-quality services. By embarking on these strategic initiatives, enterprises have the potential to not only enhance their long-term viability, but also make a significant contribution to the overall advancement of the IT sector.

Endnotes

1 Yuke, X.; “PWC Refutes China Evergrande Fraud Allegations Made in Anonymous Letter,” South China Morning Post, 16 April 2024
2 Accounting and Financial Reporting Council (AFRC); “AFRC Acts on PricewaterhouseCoopers Whistle-Blower Allegations,” 19 April 2024
3 Wilson, N.; “PWC Pushes Back on Claims Partners Ignored Alleged $117.8bn Evergrande Fraud,” Lawyers Weekly, 22 April 2024
4 Ibid.
5 Ibid.
6 Ibid.
7 International Financial Reporting Standards (IFRS), IFRS Accounting Standards Navigator

Rui Feng Isaac Lee

Is an associate from BDO Hong Kong, who specializes in Information Systems Audit. He is not only a Fellow of the Royal Society of Arts but also a certified Financial Modeling & Valuation Analyst. Furthermore, he has obtained a certificate in Cloud Security Knowledge and has passed the CISA® exam. He completed his bachelor’s degree in accountancy from the City University of Hong Kong in 2022.
