“Auditor is a Watchdog,
Not a Bloodhound”
But How Far Does That Defence Go?

Every CA student in India has heard it — often in their first year. In the landmark English case of In Re Kingston Cotton Mill Co. (No. 2) [1896] 2 Ch 279, Lord Justice Lopes laid down what became one of the most quoted and most misused sentences in audit jurisprudence: “An auditor is not bound to be a detective, or, as was said, to approach his work with suspicion or with a foregone conclusion that there is something wrong. He is a watchdog, but not a bloodhound.” For 130 years, this sentence has been cited by auditors, their counsel, and occasionally by courts, as a bulwark against liability whenever an audit failed to detect fraud.

Then came SEBI’s interim order of June 3, 2026, against Rajesh Exports Limited. The order referred the matter to the National Financial Reporting Authority (NFRA) to examine the conduct of the company’s statutory auditors. The implicit question in that referral is the explicit question of this post: in a case where 99.80% of revenues attributed to overseas subsidiaries cannot be verified, where a forensic auditor was denied access to basic accounting systems, and where subsidiary standalone filings showed revenues less than 0.5% of what the parent reported — can an auditor still invoke the Kingston Cotton Mill defence and walk away?

The answer, as we will see, is considerably more complicated — and considerably less comfortable for the profession — than the classroom formulation suggests.

The Kingston Cotton Mill case arose from a company whose manager, Thomas Sherratt, had systematically overstated the value of cotton stock over several years. When the company collapsed, shareholders sued the auditor. Lord Justice Lopes acquitted the auditor on the reasoning that he had relied on the manager’s certificates, a trusted servant of the company, and was not required to personally verify the stock.

Three elements of this statement deserve close reading. First, the protection was conditional. It required that the auditor take reasonable care. Second, it was premised on the assumption that there was nothing to arouse suspicion. Third — and this is critical — the judgment was given in 1896, before any statute governed the preparation, audit, or filing of accounts. There was no Companies Act framework, no auditing standards, and no regulatory body. The judgment was the courts’ attempt to define duties in a vacuum.

Today, that vacuum does not exist. India has the Companies Act, 2013. It has 37 Standards on Auditing issued by the ICAI and made mandatory by statute. It has NFRA exercising oversight over auditors of listed companies. The landscape within which the Kingston Cotton Mill defence is being invoked is entirely different from the one in which it was born.

In December 2020, NFRA Chairman R. Sridharan made a statement that deserves to be read by every practising CA in India. Speaking at an ICAI Western India Regional Council event, he said: “We need to forget the watchdog and not bloodhound description.” He described the phrase as a “serious misconception” that needed to be “exorcised from our minds.” He was not speaking philosophically. He was speaking with the authority of the statutory body created by the Companies Act, 2013, to oversee auditors of listed and public interest entities.

His reasoning was precise. The Kingston Cotton Mill judgment was given when there were no statutes requiring the preparation, auditing, or filing of accounts. The Companies Act, 2013, has changed all of that fundamentally. Section 143 of the Act casts specific, non-delegable duties on the auditor. SA 240 — The Auditor’s Responsibilities Relating to Fraud — mandates professional skepticism as an ongoing, non-negotiable attitude throughout the audit. These are not suggestions. They are statutory and quasi-statutory obligations.

Lord Denning had, in fact, already begun this evolution in 1958. In Fomento (Sterling Area) Ltd. v Selsdon Fountain Pen Co. Ltd., he held that an auditor must come to his work with “an enquiring mind — not suspicious of dishonesty — but suspecting that someone may have made a mistake somewhere and that a check must be made to ensure that there has been none.” The enquiring mind standard was a significant upgrade from the passive watchdog. What SA 240 now requires goes further still.

SA 240, issued by the ICAI and applicable for all financial statement audits from April 1, 2009, is the governing standard on fraud. Let us be precise about what it requires — and then apply those requirements to the specific facts alleged in the Rajesh Exports case.

SA 240 requires the auditor to maintain professional skepticism throughout the audit, which it defines as including “ongoing questioning of whether the information and audit evidence obtained suggests that a material misstatement due to fraud may exist.” It requires the auditor to perform specific risk assessment procedures to identify fraud risk factors. And critically, it distinguishes between two types of fraud risk — fraudulent financial reporting and misappropriation of assets — and requires tailored audit responses to each.

The matrix above is not rhetorical. These are the exact questions NFRA will be required to answer when it examines the statutory auditors of Rajesh Exports. The profession needs to understand that NFRA is not looking for proof that the auditor was complicit. It is asking whether the auditor’s documented procedures were adequate — whether professional skepticism was not just declared in the audit report’s boilerplate but actually exercised and evidenced in the working papers.

It is instructive to look at how Indian courts and SEBI have treated auditor liability in the two most comparable cases — Satyam Computers (2009) and the more recent Deloitte Haskins v. Union of India (Delhi High Court, 2023).

In the Satyam case, PwC India signed off on financial statements where cash and bank balances were overstated by over ₹3,300 crore. SEBI, in January 2018, banned PwC network firms from auditing listed companies for two years. PwC challenged this before the Securities Appellate Tribunal (SAT), which partially upheld PwC’s position, holding that a blanket ban was disproportionate. The Supreme Court, in November 2019, stayed SAT’s observations and restored SEBI’s authority to take action against auditors of listed companies. The final position, therefore, is that SEBI does have jurisdiction over auditors of listed entities — and that jurisdiction can be used to debar.

The Deloitte ruling has profound implications for any auditor who plans to invoke the watchdog defence before NFRA. The court’s holding on vicarious liability means that even a senior partner who had no direct involvement in the specific audit work can be held accountable for a partner’s failures. The Kingston Cotton Mill defence, rooted in the idea that an individual auditor cannot be expected to catch every fraud, becomes even more difficult to sustain when the firm as a whole is subject to vicarious liability for its partners’ omissions.

There is a second important thread from the Satyam proceedings. In the US class action against PwC (filed in the Southern District of New York), the complaint documented that “PwC India failed to obtain sufficient competent evidential matter” and “did not understand Satyam’s accounting processes.” These failures — not obtaining sufficient evidence, not understanding the client’s operations — are precisely the failures that SA 500 and SA 315 are designed to prevent. They are not about catching ingenious fraud. They are about basic audit procedure. The watchdog defence was never meant to excuse basic procedural failures.

With the legal and standards framework established, let us apply it directly to the specific facts alleged in SEBI’s interim order. We propose five tests that NFRA will likely apply when it examines the statutory auditors of REL. These are not tests we have invented. They flow directly from SA 240, SA 500, SA 315, and Section 143 of the Companies Act.

Test 1: Was the revenue anomaly visible and documented? The consolidated revenues of REL attributed to overseas subsidiaries were, on SEBI’s analysis, 200 times what Valcambi’s standalone filings showed. Any auditor reviewing the consolidation would have encountered this disparity. The question NFRA will ask is: was this anomaly identified, documented in the working papers, and subjected to a specific risk assessment procedure? If the answer is no — if the auditor simply accepted the consolidation without questioning the underlying basis — that is not a watchdog failure. It is a failure of basic consolidation audit procedure under SA 600.

Test 2: Was professional skepticism about management override exercised? SEBI’s order records that overseas subsidiaries were “exclusively handled” by promoter Rajesh Mehta, with no board oversight. This is a significant red flag under SA 240’s management override framework. SA 240 specifically requires auditors to presume the risk of management override of controls exists in every audit and to design specific procedures to address it. Did the auditors document how they addressed this risk?

Test 3: Was revenue recognition presumed a fraud risk? SA 240 (Para 32) creates a rebuttable presumption that revenue recognition is an area of fraud risk. For this presumption to be rebutted, the auditor must document specific reasons. In a company where virtually all revenue flows through opaque overseas entities, rebutting the revenue recognition fraud risk presumption would require extraordinary justification. Was any such justification documented?

Test 4: Was the denial of ERP access properly escalated? BDO, the forensic auditor appointed by SEBI, was denied access to REL’s ERP systems and books. If the statutory auditor — who precedes BDO and operates in a routine annual audit cycle — similarly faced access limitations, what was done about it? SA 500 requires that when the auditor cannot obtain sufficient appropriate audit evidence, they must modify the audit opinion. A qualified, adverse, or disclaimer opinion is the professional response to a denial of access. Was any such modification ever made to the audit reports for the five years in question?

Test 5: Was the fraud reporting obligation under Section 143(12) triggered? This is the most direct statutory question. If the auditor, at any point during the five years from FY2020-21 to FY2024-25, had “reason to believe” that a fraud above ₹1 crore was occurring — and the revenue disparity, if visible, would arguably satisfy that threshold — then a mandatory report to the Central Government was required within 60 days. Was any such report ever filed?

It would be intellectually lazy to end this analysis by pointing fingers at individual auditors. The Rajesh Exports case, if NFRA’s findings confirm SEBI’s prima facie observations, will represent the third major Indian corporate scandal — after Satyam and IL&FS — where statutory auditors failed to detect significant misrepresentations over multiple years. A pattern of this frequency is not an individual failing. It is a systemic one.

Three structural problems deserve attention. First, the self-regulatory model that governed Indian audit quality for decades has been acknowledged as defective. As the Delhi HC noted in Deloitte, the ICAI’s own disciplinary committee found only 15 members guilty of significant violations out of 1,972 cases investigated. The creation of NFRA was a direct legislative response to this weakness. But NFRA’s powers are only as useful as its enforcement will — and the REL referral may be its most important test yet.

Second, the audit fee-to-revenue ratio in India remains a persistent problem. When a company with consolidated revenues of ₹2.81 lakh crore in a single year pays its statutory auditors a fee that is a negligible fraction of that revenue, the incentive and resource structures for a thorough audit are fundamentally distorted. A watchdog paid a watchman’s wages does not have the resources to investigate a sophisticated multi-jurisdiction revenue structure.

Third, the overseas subsidiary disclosure gap — which we examine in depth in Series Post 06 on LODR regulations — meant that the auditor was working with consolidated accounts that included subsidiary revenues they had limited direct access to verify. SA 600 (Using the Work of a Component Auditor) governs this scenario. Whether the principal auditor discharged those obligations adequately is a question NFRA must address.