Module - 5 Protection of Information Assets Chapter 5 Network Security Controls

Wireless Security reats and Risk Mitigation

Wireless networking presents many advantages like network con guration and recon guration is easier, faster, and less expensive. However, wireless technology also creates new threats and alters the existing information security risk pro le.
For example, because communication takes place "through the air" using radio frequencies, the risk of interception is greater than with wired networks. If the message is not encrypted, or encrypted with a weak algorithm, the attacker can
intercept and read it. Wireless network has numerous vulnerabilities such as:

Ad-hoc networks: Non-traditional networks: MAC spoo ng: Man-in-the-middle attacks: Accidental association: Denial of service:
Ad-hoc networks are Non-traditional networks such as e MAC address is hard-coded on a attacker secretly intercepts When a user turns on a computer and it latches on to a It is an attempt to make a
de ned as peer-to peer personal network Bluetooth devices are network interface card (NIC) and cannot the electronic messages going wireless access point from a neighbouring organisation’s machine not available to
networks between not safe from cracking and should be be changed. However, there are tools between the sender and the overlapping network, the user may not even know that its intended user. Wireless
wireless computers that regarded as a security risk. Even barcode which can make an operating system receiver and then capture, this has occurred. However, it is a security breach in that network provides numerous
do not have an access readers, handheld PDAs, and wireless believe that the NIC has a MAC address insert and modify messages proprietary organisation information is exposed and now opportunities to increase
point in between them. printers and copiers should be secured. different that it’s real MAC address. during message transmission there could exist a link from one organisation to the other. productivity and manage costs.

Encryption: Signal-hiding techniques: Anti-virus and anti-spyware soware: Default passwords: MAC address:
e best method e easiest options include: Turning off the service set identi er (SSID) broadcasting Computers on a wireless network need Wireless routers generally come with standard Wireless routers usually
for protecting the by wireless access points and reducing signal strength to the lowest level that still the same protections as any computer default password that allows you to set up and have a mechanism
con dentiality of provides requisite coverage. More effective, but also more costly methods for connected to the Internet. Install anti- operate the router. ese default passwords are to allow only devices
information transmitted reducing or hiding signals include: using directional antennas to constrain signal virus and anti-spyware soware, and also available on the web. Default passwords with particular MAC
over wireless networks is to emanations within desired areas of coverage or using signal emanation-shielding keep them up-to-date. If your rewall should be changed immediately aer its addresses access to the
encrypt all wireless traffic. techniques, also referred to as TEMPEST to block emanation of wireless signals. was shipped in the “off ” mode, turn it on. installation. network.
Endpoint Security
Methodology of protecting the corporate network when accessed via remote devices such as laptops or other wireless and mobile devices. Usually, endpoint security is a security system that consists of security soware, located on a centrally
managed and accessible server or gateway within the network, in addition to client soware being installed on each of the endpoints (or devices). While endpoint security soware differs by vendor, you can expect most soware offerings to
provide antivirus, antispyware, personal rewall and also a host intrusion prevention system.
Voice-over IP Security Controls
Voice-over IP VOIP Security: Following are the VoIP security:
Methodology for delivery of voice communications and multimedia sessions over Internet Protocol (IP) networks, such Encryption:
as the Internet. Other terms commonly associated with VoIP are IP telephony, Internet telephony, voice over broadband Means of preserving the con dentiality of transmitted signals.
(VoBB) and broadband telephony. e term Internet telephony speci cally refers to the provisioning of communications
services (voice, fax, SMS, voice-messaging) over the public Internet, rather than via the public switched telephone Physical security:
network (PSTN). e digital information is packetized and transmission occurs as Internet Protocol (IP) Even if encryption is used, physical access to VoIP servers and gateways

Security reats to VOIP Anti-virus and rewalls:

VoIP systems rely on a data network, which means security weaknesses and the types of attacks associated with any Computers which use soware for VoIP connections should be protected with a personal rewall
data network are possible. But for VoIP, voice is converted into IP packets that may travel through many network access Segregation of voice and data segments:
points. erefore the data is exposed to many more possible points of attack that could be used for interception by Maintain quality of service (QoS), scalability, manageability, and security, voice and data should be separated
intruders. Most of the VoIP traffic over the Internet is not encrypted, so this traffic is exposed to the hackers. Hackers can using different logical networks as far as possible. Segmenting IP voice from a traditional IP data network
intercept the communication or shut down the voice services by ooding servers (supporting VoIP) with bogus traffic. greatly enhances the mitigation of VoIP attacks.

84 www.prokhata.com
CA Rajat Agrawal
 Chapter 5 Network Security Controls Module - 5 Protection of Information Assets
Vulnerability Assessment and Penetration Testing
Used by organizations to evaluate the effectiveness of information security implementation. As its name implies, penetration testing is a series of activities undertaken to identify and exploit security vulnerabilities. A penetration test is
performed by team of experts. is team simulates attack using similar tools and techniques used by hackers.
Penetration Testing Scope Types of Penetration Testing Risks Associated with Penetration
e scope of a penetration testing is to determine whether Testing
an organization’s security vulnerabilities can be exploited Application security testing: Penetration test team may fail to
and its systems compromised. Penetration testing can have Many organizations offer access to core business functionality through web-based applications. is type of access introduces identify signi cant vulnerabilities;
a number of secondary objectives, including testing the new security vulnerabilities. e objective of application security testing is to evaluate the controls over the application and its Misunderstandings and mis-
security incident identi cation and response capability of process ow. Areas of evaluation may include the application’s usage of encryption to protect the con dentiality and integrity communications may inadvertently
the organization of information, how users are authenticated, integrity of the Internet user’s session with the host application, and use of cookies trigger events or responses that may not
Penetration Testing Strategies Denial of service (DoS) testing: have been anticipated or planned for
e goal of DoS testing is to evaluate the system’s susceptibility to attacks that will render it inoperable so that it will “deny external experts perform penetration
External testing: service,” that is, drop or deny legitimate access attempts. testing, it is necessary to enforce non-
Refers to attacks on the organization’s network disclosure agreement
perimeter using procedures performed from outside War dialing:
the organization’s systems as they are visible to hacker. Systematically calling a range of telephone numbers in an attempt to identify modems, remote access devices and maintenance
is can be a Blind test where testing expert has been connections of computers. Once a modem or other access device has been identi ed, analysis and exploitation techniques are
provided with limited information. performed to assess whether this connection can be used to penetrate the organization’s information systems network.
Organisation Network Maintenance
Internal testing: connections of
Internal testing is performed from within the Telephone no. to identify
computers analysis
organization’s technology environment. Remote Maintenance and exploitation to
Hacker Modem
Access Device connections of computers penetrate techniques
Targeted testing:
Oen referred to as the “lights-turned-on” approach Wireless network penetration testing:
involves both the organization’s IT team and the Sometimes referred to as “war-driving,” hackers have become pro cient in identifying wireless networks simply by “driving”
penetration testing team being aware of the testing or walking around office buildings with their wireless network equipment. e goal of wireless network testing is to identify
activities. Test is focused more on the technical setting. security gaps or aws in the design, implementation or operation of the organization’s wireless network.
A targeted test typically takes less time and effort to Social engineering:
complete than blind testing, but may not provide as •Oen used in conjunction with blind and double blind testing, this refers to techniques using social interaction
complete a picture security vulnerabilities and response •Posing
Posing as a representative of the IT department’s help desk
capabilities of the organization. •Posing
Posing as an employee and gaining physical access to restricted areas.
•Intercepting mail, courier packages.
Monitoring Controls Auditing Network Security Controls
Most controls implemented for network generates lot of logs related to activities • Locating logical access paths by reviewing network diagrams
as per rule set. ere are various tools available in market that helps organizations • Recognizing logical access threats, risks and exposures
in collecting these logs, co-relating them based on possible use cases and generate • Evaluating logical network security policies and practices
alerts for important logs. ese tools are known as Security Incident and event • Evaluate network event logging and monitoring
management (SIEM) tools. Organizations use these tools and establish a security • Evaluating effectiveness of logical access security with respect to network security components such as:
operations center (SOC) to monitor these logs, analyse alerts and record incidents • Firewalls and ltering routers - architecture, con guration setting as per rewall security policy, port services, anti-virus con guration, reporting and
and events to be responded. Broad Objectives of SOC are: management controls
• Detect attacks and malware • Intrusion detection systems - architecture, con guration, interface with other security applications, reporting and management controls
• Enhance incident response capability • Virtual private networks - architecture, devices, protocol, encryption process integration with rewall security, change management
• Detect Advanced persistent threats • Security protocols - selection of appropriate protocol, seamless security integration of protocols between devices running different protocols
• Compliance requirements • Encryption - selection of appropriate encryption methods to various application processes
• Middleware controls -with respect to identi cation, authentication and authorization, management of components and middleware change management.

www.prokhata.com 85
CA Rajat Agrawal
Module - 6 Emerging Technologies Chapter 1 Arti cial Intelligence

CHAPTER 1:
ARTIFICIAL INTELLIGENCE
Arti cial Intelligence
Simulate human capabilities, based on predetermined set of rules.
Machine Learning :
Use of computing resources that have the ability to learn,
Traditional acquire and apply knowledge and skills. Arti cial Intelligence
DATA ese system that can modify its behaviour on the DATA
Computer Output Rules basis of experience also known as cognitive systems. Computer Program Rules
Program Rules Output Rules

A Neural Network Deep learning Cognitive computing Computer vision Natural language processing (NLP)
Machine learning made up of Uses huge neural networks with many layers of e ultimate goal is for a machine to Relies on pattern recognition and deep learning Ability of computers to analyze,
interconnected units that processes processing units, taking advantage of advances in simulate human processes through the When machines can process, analyze and understand and generate human language,
information by responding to inputs, computing power and improved training techniques ability to interpret images and speech – understand images, they can capture images or including speech. It allows humans to
relaying information between each unit. to learn complex patterns in large amounts of data. and then speak coherently in response. videos in real time and interpret their surroundings. communicate with computers.

Deep Learning
Translation Machine Learning Why AI is important?
Predictive Analytics
Classi cation & Clustering Natural Language Processing (NPL) • AI automates repetitive learning
Speech to text • adds intelligence to existing products
Information Extraction Speech ARTIFICIAL
Text to Speech • analyzes more and deeper data using neural networks
Export System INTELLIGENCE • Achieves incredible accuracy through deep neural networks
Accounting Knowledge Required
Planing Scheduling & Optimization AI • Gets the most out of data.
Robotics • When algorithms are self-learning, the data itself can become intellectual
Image Recognition property.
Vision
Machine Vision
Types of AI

AI: Based on Capabilities AI: Based on functionality

Weak AI or Narrow AI: Reactive Machines eory of Mind

• Able to perform a dedicated task with intelligence. • Most basic types of Arti cial Intelligence systems. • Understand the human emotions, people, beliefs, and be able to interact socially
• Cannot perform beyond its eld or limitations, as it is only trained for one speci c task. • Do not store information like humans.
General AI: • Focus on current scenarios and react as per • Still not developed
• Perform any intellectual task with efficiency like a human. possible best action. Self-Awareness
• No such system exist. Limited Memory • Future of Arti cial Intelligence
Super AI: • Can store past experiences. • Will have their own consciousness, sentiments, and selfawareness
• Level of Intelligence which could surpass human intelligence. • Can use stored data for a limited time period only. • Smarter than human mind.
• A hypothetical concept. • Best example : Self-driving cars • Hypothetical concept.

AI Platforms AI and Speech Recognition

• IBM – Watson Analytics • Amazon – AWS AI Services Technology that can recognize spoken words, which can then be converted to text. A subset of speech recognition is voice recognition, which is the technology
• Google – Deep Mind – Tensor Flow • Facebook – FB Learner Flow for identifying a person based on their voice.
• Microso – Cognitive Services

86 www.prokhata.com
CA Rajat Agrawal
 Chapter 1 Arti cial Intelligence Module - 6 Emerging Technologies
Problem Types & Analytic Techniques used in AI
Type Description Example Technique
Classi cation Categorize new inputs as belonging to one of a set of identifying whether an image contains a specigic type object Dog or Cat? Convolutional Neutral Network ,Logistics Regression
categories.
Continuous Estimate the next numeric value in a sequence. Prediction particularly when it is appied to time series data E.g. forecasting the sales for a product, Feed forward Netural Networks Linear regression
Estimation based on a set of input data such as previous sales gures, consumer sentiment, and weather.
Clustering Individual data instances have a set of common or Creaing a set of consumer segments based on data about individual consumers, including K-means, Affinity propagation
similar characteristics. demographics, perferences, and buyer behavior.
Anomaly Determine whether speci c inputs are out of e Fraud detection Money Laundering Support Vector Machines, K-Nearest neighbors, Neural
Detection ordinary. Networks
Recommendations Systems that provide recommendations, based on a set Suggest the product to buy for a customer, based on the buying patterns of similar individuals, Collaborative ltering
of training data. and the observed behavior of the speci c person E.g. Net ix, Amazon

Advantages of AI Disadvantages of AI

Error Reduction: High Cost:

Helps us in reducing the error and enhances the chance of reaching accuracy applied in various studies such as exploration of space. Creation of arti cial intelligence requires huge costs, repair and maintenance also require
Difficult Exploration: huge costs. ey have soware programs, which need frequent up gradation
Arti cial intelligence and the science of robotics can be put to use in mining and other fuel exploration processes overcome the human No Replicating Humans:
limitations. Machines do not have any emotions and moral values. ey perform what is programmed
Daily Application: and cannot make the judgment of right or wrong.
Computed methods for automated reasoning, learning and perception have become a common phenomenon in our everyday lives. No Improvement with Experience:
Digital Assistants: Unlike humans, arti cial intelligence cannot be improved with experience. Machines are
Saving the need for human resources. Emotions are associated with moods that can cloud judgment and affect human efficiency. is unable to alter their responses to changing environments.
is completely ruled out for machine intelligence.
No Original Creativity:
Repetitive Jobs: ey are no match to the power of thinking that the human brain has or even the originality
Repetitive jobs, which are monotonous in nature, can be carried out with the help of machine intelligence. Machines can be put to to of a creative mind. e inherent intuitive abilities of the human brain cannot be replicated.
carry out dangerous tasks.
Unemployment:
No Breaks:
Replacement of humans with machines can lead to large-scale unemployment.
Machines, unlike humans, do not require frequent breaks and refreshments.

Examples in Finance
Pattern Recognition in Banking
• E.g. customer’s salary account in a bank • Burst in Withdrawals - Number of Transactions
• Multiple credits in account other than salary credit • Burst in Deposits - Amount
• Sizeable increase in Cash to Non-Cash Transaction Ratio - large cash deposits and cash withdrawals • Burst in Withdrawals - Amount
• Many transactions with a few related accounts • Unusual applications for Demand Dras against cash.
• Burst in Deposits - Number of Transactions • Transactions that are too high or low in value in relation to customer’s pro le

Use Cases
AI in nance: JPMorgan Chase: Wells Fargo: Plantation:
AI is disrupting the nancial industry through personal nance A Contract Intelligence (COiN) platform utilizing Natural Language Processing has been Uses an AI-driven chatbot through Recently AI was used in accurate
apps like Mint,Turbo Tax, which collect personal data and provide launched. e platform processes legal documents and extracts essential data from them. the Facebook Messenger platform drone-based planting in mass-
nancial advice. IBM Watson is being used for home buying, and By using machine learning, the platform could review 12,000 commercial credit agreements to communicate with users and scale using seedpods at a much
soware now handles a signi cant portion of trading on Wall Street. in just a few hours instead of the typical 360,000 man-hours required for manual review. provide assistance with passwords and lower cost for the purpose of re-
accounts. greening the planet.

www.prokhata.com 87
CA Rajat Agrawal
Module - 6 Emerging Technologies Chapter 1 Arti cial Intelligence
Impact on Audit
• For all organizations, audit should include AI in its risk assessment and also consider using AI in its risk-based audit plan. • AI must be dealt with, disciplined methods to evaluate and improve the effectiveness of risk management,
• To avoid impairment to both independence and objectivity, auditor should not be responsible for implementation of AI processes, control and governance process.
policies and procedures. • Fraud Investigator can use Arti cial Intelligence in detecting the fraud. While statistical & data analysis is
• Auditor should provide assurance on management of risks related to the reliability of the underlying algorithms and the data on used to detect fraud passively, arti cial intelligence detects fraud actively and directly besides improving
which the algorithms are based. speed of processing.
Scenarios wherein Arti cial intelligence techniques can be used for fraud management:
Data mining Expert system Machine learning and pattern recognition Neural network
To classify, cluster and segment the data and also Store all the human expertise Machine learning can also be unsupervised and be used to learn and Fraud detection system is totally based on the human brain working
automatically nd associations and rules in the data, and then using stored human establish baseline behavioural pro les for various entities and further used inherent nature of neural networks includes the ability to learn and
which may point towards interesting patterns of fraud. intelligence to detect fraud. to nd meaningful anomalies related to fraud or any other transactions. ability to capture and represent complex input/output relationship.
Risks and Chanllenges
Risks of AI Challenges for AI
AI is Unsustainable: Computing is not that Advanced: Probability:
Computer chips have rare earth materials like Selenium Machine Learning and deep learning techniques require a series of calculations to Probability that is the mathematical uncertainty behind AI predictions still remains
increased mining of these materials is irreversibly damaging make very quickly as an unclear region for organizations.
our environment. Fewer people support: Data Privacy and security:
Lesser Jobs: AI does not have enough use cases few organizations interested in putting money into Machine learning systems depend on the data, which is oen sensitive and personal
Businesses prefer machines instead of humans to increase the development of AI-based products. in nature. Due to this systematic learning, these ML systems can become prone to
their pro tability, thus reducing the jobs that are available Creating Trust: data breach and identity the.
for the human workforce. People don’t feel comfortable when they don’t understand how the decision was Algorithm bias:
made. AI has not been able to create trust among people. Bad data is oen associated with, ethnic, communal, gender or racial biases. If the
A threat to Humanity: One Track Minds: bias hidden in the algorithms, which take crucial decisions, goes unrecognized, could
Biggest risk associated with AI is that machines would gain AI implementations are highly specialized. It is built just to perform a single task and lead to unethical and unfair results.
sentience and turn against humans in case they go rogue. keep AIs need to be trained just to make sure that their solutions do not cause other Data Scarcity:
issues. Datasets that are applicable to AI applications to learn are really rare.
Governance and Controls
AI governance establishes accountability and oversight, helps to ensure that those responsible have the necessary skills and expertise to effectively monitor and helps to ensure the organizations values are re ected in its AI activities.
Professional Opportunities
• Provides CAs with the opportunity to automate and de-skill time-consuming and repetitive work and focus on higher value work, so that they can consolidate their role as advisers on nance and business.
• CAs possess the domain knowledge and experience to create the relevant learning algorithms for identifying patterns in Finance and Audit.
• CAs should work closely with AI programmers to convert their functional ideas into reality.
• e profession can exploit technology and potentially change the scope of what it means to be a CA. e CFO of the future will need to know as much about technology as they do about nancial management.
Note:-

88 www.prokhata.com
CA Rajat Agrawal
 Chapter 2: Blockchain Module - 6 Emerging Technologies
CHAPTER 2:
BLOCKCHAIN
Block chain refers to the transparent, thrustless, and publicly accessible ledger that allows us to securely transfer the ownership of units
of value using public key encryption and proof of work methods.
e technology uses decentralized consensus to maintain the network, which means it is not centrally controlled by a bank, corporation,
or government. In fact, the larger the network grows and becomes increasingly decentralized, the more secure it becomes.
At its most basic level, blockchain is literally just a chain of blocks, but not in the traditional sense of those words. When we say the 1 2 3
words “block” and “chain” in this context, we are actually talking about digital information (the “block”) stored in a public database
(the “chain”).
Evolution of Blockchain
In 2008, Satoshi Nakamoto published a paper describing a peer-to-peer electronic cash system, which became the basis for Bitcoin. Hash 1Z8F Hash 6BQ1 Hash 3H4Q
Cryptocurrencies use cryptography to secure transactions and eliminate the need for a centralized entity. An open-source program Previous Hash 0000 Previous Hash 1Z8F Previous Hash 6BQ1
implementing the Bitcoin protocol was released shortly aer, and anyone can join the network by installing it. e cryptocurrency has Data->Hash->Hash Of the Previous Block
since gained popularity.
Technologies at Make Blockchain Possible

Peer-to-peer network (distributed ledger)— Public key infrastructure (blockchain addresses)— Hash function (miner)—
Node is connected to all other nodes and is not reliant on Technology uses both asymmetric and symmetric encryption to ensure secure transactions. Public Key Used to guarantee records are not changed, ensuring the
any central authority. e ledger is “synced” to all nodes Infrastructure (PKI) generates a pair of keys (public and private) for identifying parties and maintaining the integrity of the entire system. takes an input of variable
and becomes public. Nodes trust adjacent nodes, but verify integrity of transactions. e public key is distributed freely, while the private key is kept by the key owner and length and creates a xed-length output known as a message
transactions before recording them (trust, but verify). (P2P) used to decrypt messages and sign them. Parties create private keys to secure their wallet and public keys to submit digest. is is a one-way process, meaning that original
networks are easy to manage, but slow and susceptible to transaction requests. Wallets can be online, soware-based, in a secured drive, or paper-based. input cannot be recreated from the message digest.
attack (such as a denial-ofservice [DoS] attack).
Principles of block chain
Advantages and Desadvantages of Block Chain
Distributed Database: Peer-to-Peer Transmission: Transparency: Irreversibility of Records: Computational Logic:
Pros Each party on a block Communication occurs directly Every transaction and Records cannot be altered, Block chain transactions can be tied to
• Cost reductions by eliminating third-party chain has access to the between peers instead through a its associated value are because they are linked to computational logic and in essence programmed.
veri cation entire database and its central node. Each node stores & visible to anyone with every transaction record So, users can set up algorithms and rules that
• Decentralization makes it harder to tamper with complete history. forwards information to other nodes. access to the system. that came before them automatically trigger transactions between nodes.
• Transactions are secure and efficient
• Transparent technology Examples in Finance
Cons
• Signi cant technology cost associated with mining Payments and reconciliations: Issuance, ownership and transfer of nancial information: Clearing and settlement latency:
bitcoin Transactions can occur directly between two parties A blockchain-based securities market allows traders to buy On the blockchain, the entire lifecycle of a
• Low transactions per second on frictionless P2P basis. e blockchain technology’s or sell stocks directly on exchanges or directly to other market trade, including its execution, clearing and
• History of use in illicit activities application has the potential to reduce risk, transaction costs participants in a P2P manner without the intermediary’s settlement can occur at a trade level, lowering
• Susceptibility to being hacked. and to improve speed, efficiency and transparency. services provided by a broker or clearing house. post-trade latency and reducing counterparty.

Use Cases
Barclays adopted blockchain technology for enhanced security Blockchain technology helps manufacturers track goods, deliveries, and production activities in supply DHL, a global logistics leader, is working with Accenture
and transparency in their transaction processes. ey encrypted chain management, providing transparency to consumers. Projects like Ambrosus and Vechain focus on to integrate blockchain technology with the pharmaceutical
and managed the rst trade documentation on a blockchain food safety and product authenticity, allowing consumers to con rm the source and quality of goods they industry. Transparency, accurate data, security and trust are
network, saving signi cant time and money. purchase. absolute musts for the pharmaceutical sector.

www.prokhata.com 89
CA Rajat Agrawal
Module - 6 Emerging Technologies Chapter 2: Blockchain
Impact on Audit Risks and Challenges Governance and Controls Professional Opportunities
Blockchain technology could be used to streamline Vendor Risks: Governance Framework: Assist in evaluating the functional design:
nancial reporting and audit processes. Each audit Most organizations lack the required technical skills e enterprise has an adequate governance As Chartered Accountants we could assist in
begins with different information and schedules and expertise to design and deploy a blockchain- framework to provide oversight for blockchain analysing the business requirement and decide if
that require an auditor to invest signi cant time based system and implement smart contracts technology. the case is t for blockchain platform.
when planning an audit. completely in-house. Management Oversight: Evaluation of Proof of Concept:
In a blockchain, the auditor could have near real- Credential Security: Provides assurance that the enterprise’s strategic Before the solution is deployed a Prototype oen
time data access via read-only nodes on blockchains. A public Blockchain-based system, any individual objectives are not adversely affected by risk related known as Proof of Concept is prepared. Chartered
By giving auditors access to unalterable audit who has access to the private key of a given user, to blockchain technology Accountants could assist in evaluating / designing
evidence, the pace of nancial reporting and which enables him/her to “sign” transactions on the Proof of Concept. CA Could assist in designiing
Regulatory Risk:
auditing could be improved. the public ledger, will effectively become that user, evaluating Prototypes also known as Proof of
To ensure that the enterprise’s strategic objectives
While the audit process may become more because most current systems do not provide multi- are not adversely affected. concept.
continuous, auditors will still have to apply factor authentication. Assessment of Risks in Implementation:
professional judgment when analysing accounting Business Continuity:
Legal and Compliance: e enterprise business continuity plan Chartered Accountants may assist in assessment of
estimates and other judgments made by It is a new territory in all aspects without any legal risk before implementation of blockchain platform.
management in the preparation of nancial incorporates elements that address the effective
or compliance precedents to follow, which poses a operation of blockchain technology. Impact on Audit:
statements. Auditors will also need to evaluate and serious problem for manufacturers and services
test internal controls over the data integrity of all Vendor Management: Understanding the impact of blockchain on the
providers. accounting and audit profession is of paramount
sources of relevant nancial information. Ensure ongoing alignment between the enterprise’s
Data security and con dentiality: strategic objectives and blockchain solutions. importance for Chartered Accountants.
Smart Contracts and Oracles, which are embedded
into the blockchain, are new roles to take up. Checks It is feasible that hackers may be able to obtain the Audit of Smart Contracts and Oracle:
Secure key distribution and management
such as interface testing, events, which trigger keys to access the data on the disturbed ledger, Contracting parties may want to engage an
policies:
transactions into the blockchain, are areas where considering the users having multiple point of assurance provider to verify that smart contracts
Helps to manage cryptography functions,
the auditors may have to focus. access. are implemented with the correct business logic.
key access control, key rotation methods and
Another area for audit could be in the area of Scalability issues: validations of crypto algorithms’ implementation.
"service audit", where an auditor can give assurance Relating to the size of blockchain ledger that
Secure APIs and Integrations:
on the conformity of controls in place. might lead to centralization as it's grown over time
ird-party remittances, E-KYC and smart
and required some record management which is
contracting applications are integrated with
casting a shadow over the future of the blockchain
blockchain platform. APIs exposed to third
technology.
parties should not reveal any sensitive data to
Interoperability between block chains: adversaries. APIs and its integrations should
ere are new blockchain networks showing handle authentications, payload security, and
up, which lead to new chains that offer different session management.
speeds, network processing, usecases. Blockchain
interoperability aims to improve information
sharing across diverse blockchain networks.
ese cross-chain services improve blockchain
interoperability and also make them more practical
for daily usage
Processing power and time:
Required to perform encryption algorithms for all
the objects involved in Blockchain -based ecosystem
are very diverse and comprised of devices that have
very different computing capabilities, and not all of
them will be capable of running the same encryption
algorithms at the desired speed.
Storage will be a hurdle:
Ledger has to be stored on the nodes themselves,and
the ledger will increase in size as time passes. at
is beyond the capabilities of a wide range of smart
devices such as sensors, which have very low storage
capacity.

90 www.prokhata.com
CA Rajat Agrawal
 Chapter 3: Cloud Computing Module - 6 Emerging Technologies
CHAPTER 3:
CLOUD COMPUTING
Cloud is a set of resources, such as, processors and memory, which are put in a big pool. Cloud computing is using a remote server hosted on internet to store ,manage & process data rather than local server or a personal computer As per
the requirement, cloud assigns resources to the client, who then connects them over the network.

Features / Characteristics Advantages of Cloud Computing Dis-Advantages of Cloud Computing

• Resource Pooling provider Cost Efficiency Internet Connectivity:
abstracts resources and collects Most cost-efficient method to maintain and upgrade. More productivity is achieved with fewer systems Cloud Platforms require Internet Connectivity almost all the times and is difficult to operate
them into a pool, portions of and hence cost per unit of project under certain regions. If the Internet is lost, then access to data and applications are also lost.
which can be allocated to different Reduce spending on technology infrastructure Technical Issues:
consumers. Minimal upfront spending and pay as you go is technology is always prone to outages and other technical issues. Even the best cloud
• On-demand self-service, i.e., Unlimited Storage service providers run into this kind of trouble, in spite of keeping up high standards of
consumers manage their resources Storing information in the cloud gives us almost unlimited storage capacity with an option to scale maintenance.
themselves, without having to talk Backup & Recovery Security in the Cloud:
to a human administrator. e same is relatively much easier than storing the same on a physical device Surrendering all the company’s sensitive information to a thirdparty cloud service provider
• Resources on cloud are available Automatic Soware Integration could potentially put the company to great risk.
Prone to Attack:
over a network no direct physical Soware integration is usually something that occurs automatically and be customized with great ease.
Storing information in the cloud could make the company vulnerable to external hack
access. Easy Access to Information and Globalize the workforce
attacks and threats. Nothing on the Internet is completely secure and hence, there is always
• Rapid elasticity allows consumers Access the information from anywhere
the lurking possibility of stealth of sensitive data.
to expand or contract the Reduce Capital costs
Availability:
resources. No need to spend huge money on hardware, soware etc.
Depending on vendor, customers may face restrictions on availability of applications, OS etc.
• Measured service meters is Quick Deployment Interoperability:
provided to ensure that consumers e entire system can be fully functional in a matter of a few minute depending upon technology Ability of two or more applications to support a business need to work together is an issue
only use what they are allotted, Less Personnel training and minimize maintenance and licensing soware as all applications may not reside with single cloud vendor or two vendors having different
and, if necessary, to charge them Fewer people to do more work application may not co-operate.
for it. Improved Flexibility and effective monitoring of projects
Quick changes possible
Service Models of Cloud Computing
•Cloud
Cloud computing is a model that enables the Private Cloud Infrastructure as a service Platform as a Service Soware as a Service
end users to access the shared pool of resources Application Application Application Application
such as computer, network, storage, database and Soware as Data Data Data Data
SaaS
application as an ondemand service without the Service OS OS OS OS
need to buy or own it. Platform as
PaaS Virtualization Virtualization Virtualization Virtualization
•
e services are provided and managed by the Service
service provider, reducing the management effort Servers Servers Servers Servers
Infrastructure
from the end user side. IaaS Storage Storage Storage Storage
as Service
Networking Networking Networking Networking

Infrastructure as a Service (IaaS) Platform as a Service (PaaS) Soware as a Service (SaaS)

• Iaas provides resources such as memory, storage, • Deliver a computing platform including operating system, • Provides ability to the end users to access an application over the Internet that is hosted and managed by the cloud
processing power etc. programming language execution environment, database, service provider.
• Changes the computing from a physical infrastructure to and web server • End users are exempted from managing or controlling an application the development platform, and the
a virtual infrastructure. • App developers can develop and run their soware underlying infrastructure.
• e users need not maintain the physical servers rather solutions on a cloud platform without the cost and • Delivered as an on-demand service over the Internet, there is no need to install the soware to the end-user’s
they need to use virtual machines as per their requirement. complexity of acquiring hardware /soware devices.
• Examples of IaaS Amazon Web Services (AWS), Google • For example- Google AppEngine, Windows Azure • Provides users to access large variety of applications over Internet that are hosted on service provider’s infrastructure
Compute Engine, OpenStack and Eucalyptus. Compute etc • E.g. Google Drive / Docs, online photo editing soware

www.prokhata.com 91
CA Rajat Agrawal
Module - 6 Emerging Technologies Chapter 3: Cloud Computing
Cloud Computing Deployment Models
Private Cloud Public Cloud Hybrid Cloud Community Cloud
• Resides within the boundaries of an organization and is • Can be used by the general public • Combination of public, private and • exclusive use by a speci c community of consumers from
used exclusively for the organization’s bene ts • Administrated by third parties or vendors over the community cloud. organizations that have shared concerns
• Built primarily by IT departments within enterprises Internet • Normally a vendor has a private cloud • owned, managed, and operated by one or more of the
• Optimize utilization of infrastructure resources • e services are offered on pay-per-use basis and forms a partnership with public cloud organizations in the community, a third party or some
• Can either be Managed by • Business models like SaaS (Soware-as-a-Service) and provider or vice versa combination of them
• Private to the organization and managed by the single other service models are also provided Characteristics of Hybrid Cloud • may exist on or off premises
organization (On-Premise Private Cloud) Public Cloud-Characteristics Scalable: • suitable for organizations that cannot afford a private cloud
• Can be managed by third party (Outsourced Private Highly Scalable: • e hybrid cloud has the property and cannot rely on the public cloud either
Cloud) • e resources in the public cloud are large in number of public cloud with a private cloud Characteristics of Community Cloud
Private Cloud-Characteristics and the service providers make sure that all requests environment and as the public cloud Collaborative and Distributive Maintenance:
Secure are granted. is scalable. • no single company has full control over the whole cloud.
• Deployed and managed by the organization itself Affordable: Partially Secure: • Usually distributive and hence better cooperation
• Least probability of data being leaked out of the cloud. • Offered to the public on a pay-as-you-go basis; • e private cloud is considered as provides better results.
Central Control: • User has to pay only for what he or she is using secured and public cloud has high risk Partially Secure:
• Managed by the organization itself, Less Secure: of security breach. • possibility that the data may be leaked from one
• No need for the organization to rely on anybody other • Offered by a third party & they may have full control Stringent SLAs: organization to another, though it is safe from the
than operations. over the cloud, depending upon the service model. • Overall, the SLAs are more stringent external world.
Weak Service Level Agreements (SLAs): Highly Available: than the private cloud and might be as Cost Effective:
• SLAs are agreements between the user and the service • Anybody from any part of the world can access the per the public cloud service providers. • As the complete cloud is being shared by several
provider public cloud with proper Complex Cloud Management: organizations or community, not only the responsibility
• Formal SLAs do not exist or are weak as it is between Stringent SLAs: • Cloud management is complex as gets shared; the community cloud becomes cost effective
the organization and user of the same organization. • SLAs strictly and violations are not avoided it involves more than one type of too.
• High availability and good service may or may not be Advantages deployment models and also the Advantages of Community Clouds are as follows:
available and is dependent upon SLAs. • Widely used at affordable costs number of users is high. • Establishing a low-cost private cloud.
Advantages • Deliver highly scalable and reliable applications Advantages • Collaborative work on the cloud.
• Improve average server utilization • No need for establishing infrastructure for setting up • Highly scalable and gives the power of • Sharing of responsibilities among the organizations.
• Reduces costs and maintaining the cloud. both private and public clouds. • better security than the public cloud.
• Higher Security & Privacy of User • Strict SLAs are followed. • Provides better security than the Limitation
• Higher automations possible • ere is no limit for the number of users public cloud. • Autonomy of the organization is lost
Limitation Limitations Limitation • some of the security features are not as good as the
• Invest in buying, building and managing the clouds • Security • Security features are not as good as the private cloud
independently • Organizational autonomy are not possible. private cloud and complex to manage • Not suitable in the cases where there is no collaboration.

Security Frameworks in Cloud Impact on Audit and auditors

A security framework is a coordinated system of tools and behaviours in order to monitor data and transactions that are Cloud computing is transforming business IT services, but it also poses signi cant risks that need to be planned
extended to where data utilization occurs, thereby providing end-toend security. e bene ts of security frameworks are to for. e following are few of the additional areas of review for auditors:
protect vital processes and the systems that provide those operations. • Does the organization’s strategy for the cloud link to the overall business strategy?
e leading frameworks and guidelines to meet regulatory requirements are as follows:- • Are the audit teams knowledgeable about the differences in cloud computing services and do they apply the right
•Cyber
Cyber Security Framework (NIST, 2013, 2014; SANS, 2016). approach to deliver effective audit coverage?
•Control
Control Objectives for Information and Related Technology (COBIT 2019). • Is there a clear understanding of the difference between the organization and the cloud, and where the technology
•Statement
Statement on Standards for Attestation Engagements 18 (SSAE 18) reports include SOC 1, boundary starts and stops?
•Financial
Financial reporting; SOC 2, IT controls; and SOC 3, attestation. • What is the IT General Controls on the Cloud enforced by the organization?
•Cloud
Cloud Security Alliance (CSA) provides comprehensive guidance on how to establish a secure baseline for cloud operations. • Have there been any independent audits / review of the Cloud environment?
CSA maintains the Security, Trust and Assurance Registry (STAR) cloud provider registry (CSA, 2015). • Are there periodical audits performed by the Cloud Service Provider and how are the high-risk issues dealt with?
•General Data Protection Regulation (GDPR) lays down rules relating to the protection of natural persons with regard to • Is the existing audit risk assessment process exible enough to differentiate between the ranges of cloud services
the processing of personal data and rules relating to the free that might be used?
•movement of personal data. • How does the audit work complement the wider supplier assessments that are considering both third- and
•ISO/IEC 17788:2014 provides an overview of cloud computing along with a set of terms and de nitions and is applicable fourth-party risks?
to all types of organizations. • Has sufficient explanation been provided to key internal parties, including directors and the audit committee, to
•ISO/IEC 27017:2015: Information technology — Security techniques — Code of practice for information security controls highlight the business reasoning or impact of cloud provision?
based on ISO/IEC 27002 for cloud services.

92 www.prokhata.com
CA Rajat Agrawal
 Chapter 3: Cloud Computing Module - 6 Emerging Technologies
Risks and Challenges
Identity and Access Management Data
Financial • Data segregation and isolation
• User access provisioning
and Vendor Regulatory • Information security and data privacy requiements
• Deprovisining
Management • malicious insider
• Super user access
Financial and Vendor Management Operational
•Under-estimated start-up costs Identity • Service reliability and uptime
•Exit costs or penalties and access Dimensions Data • Disaster recovery
•Management Overhead management of Risk • SLA customization and enforcement
•Run-away variable costs • Control over quality
Regulatory Technology
Technology Operational • Evolving technology
• Compexity to ensure compluance
• Lack of industry standards and certi cation for cloud providers • Cross-vendor compatibility and integration
• Records management/records retention • Customization limitations
• Lack of visibility into service procer operations and ability to monitor r compliance • Technology choice and proprietary lock-in
Governance and Controls
Governance, generically, may be de ned as an agreed-upon set of policies and standards, which is:
• Based on a risk assessment and an-agreed upon framework,
• Inclusive of audit, measurement, and reporting procedures, as well as enforcement ofpolicies and standards.
• In a multi-enterprise or multi-deployment cloud environment, participants agree to promote and establish joint expectations for security and service levels. Governance will also de ne the process for any response to a breach of protocol,
and the set of decision makers who are responsible for mitigation and communication.
In addition to above, Cloud computing has certain speci c risks:

1. Governance of Cloud Computing Services: 3. IT Risk Management: 5. Legal Compliance: 7. Certi cations:
Governance functions are established to ensure A process to manage IT risk exists and is e service provider and customer establish bilateral agreements and procedures to Service provider security
effective and sustainable management processes that integrated into the organization’s overall ensure contractual obligations are satis ed, and these obligations address the compliance assurance is provided through
result in transparency of business decisions, clear lines ERM framework. IT risk management requirements of both the customer and service provider. Legal issues relating to ISO 27001 Certi cation.
of responsibility, information security in alignment metrics are available for the information functional, jurisdictional and contractual requirements are addressed to protect both
with regulatory and customer organization standards, security function to manage risk within the parties, and these issues are documented, approved and monitored. e use of cloud
and accountability. risk appetite of the data owner. computing should not invalidate or violate any customer compliance requirements.
2. Enterprise Risk Management: 4. ird-party Management: 6. Right to Audit: 8. Service Transition Planning:
Risk management practices are implemented to e customer recognizes the outsourced relationship e right to audit is clearly de ned and satis es the Planning for the migration of data, such as meta data and
evaluate inherent risk within the cloud computing with the service provider. e customer understands its assurance requirements of the customer’s board of access, is essential to reducing operational and nancial risk
model, identify appropriate control mechanisms and responsibilities for controls, and the service provider has directors, audit charter, external auditors and any at the end of the contract. e transition of services should be
ensure that residual risk is within acceptable levels. provided assurances of sustainability of those controls. regulators having jurisdiction over the customer. considered at the beginning of contract negotiations.
Professional Opportunities
Cloud computing provides a host of opportunities. A few of them are detailed below:
(a) Assessment with respect to costs and bene ts on migration to cloud versus in-housetools (d) Consulting with respect to the migration from traditional facilities to cloud based infrastructure.
(b) Cloud based solution Implementation for clients (e) Training to the user staff as regards the operating of these facilities;
(c) Assessment on the model of cloud to be deployed and the variants for the same. (f) IT audit of these facilities

www.prokhata.com 93
CA Rajat Agrawal
Module - 6 Emerging Technologies Chapter 4: Data Analytics
CHAPTER 4:
DATA ANALYSTICS
• Data Analytics is de ned as the science of examining raw and unprocessed data with the intention of drawing conclusions from the information thus derived.
• It involves a series of processes and techniques designed to take the initial data sanitizing the data, removing any irregular or distorting elements and transforming it into a form appropriate for analysis so as to facilitate decision-making.
• In simple terms, data analytics refers to the science of examining raw data with the purpose of drawing conclusions about that information.
• From an accountant’s perspective Data Analytics is a generic term for Computer Assisted Audit Tools and Techniques (CAATTs) and covers the collection of tools, techniques and best practices to access and analyse digital data.
• Data Analytics empowers auditors to use technology to audit digital data thereby giving access to 100% of the data and to analyse data to infer insights from information.
• Data Analytics enables auditors to optimise audit time and add value.
ere are two types of professionals in the eld of Data Analytics.

Data Scientist Data Analyst

• Whose focus is on use of various statistical techniques to data. He/ she is involved in developing • Whose focus is on drawing insights from data from a business perspective. He/she is a business domain expert who uses simple/
intelligent applications, which help users to draw inference from data. easily available features of MS Excel, application soware, querying tools, utilities or data analytics to access, analyze and interrogate
• Developing functionality using memory power and speed of technology, to access and analyse massive data.
amounts of data is the job of data scientist. • What query is to be run on what data and how to draw inference as applicable to real life situations is the job of CAs/Data Analysts.
Common Terminologies Used in Data Analytics
1. Data Warehouse 2. Data Marts 3. Business Intelligence (BI)
It is electronic storage of large amount of data collected from varied sources to provide meaningful ese are the subsets of Data Warehouse used by speci c business It encompasses a variety of data analysis tools & applications
business insights. It is separate from Transactional databases. It is also known as Decision Support groups like HR, Finance, Sales, Inventory, Procurement & that access the data within Data Warehouse and creates
Database or Executive Information System. It has three components: Resourcing. ey are much smaller than Data Warehouses and reports & dashboards used in decision making
• Data sources from operational systems such as ERP, CRM, SCM, Excel usually controlled by a speci c department.
• Data Staging Area when data is cleaned and ordered 4. Database 5. Data Lake 6. Data Science
• Data Access Area where data is warehoused & presented It is generally used to capture It is a central storage for all kinds of structured, semi structured or It is a combination of
Example and store data from a single unstructured raw datacollected from multiple sources even outside three skills: Statistical/
Airlines use it to analyse route pro tability, Retail chains use it for tracking customer buying patterns, source, such as an invoice of company’s operational systems. erefore, it is not a good t for Mathematical, Coding
Banking uses it to analyse the performance of its product. Data Warehouse is an architecture and Big transactional system. Databases average business analytics but used as a playground by Data Scientists & Domain/Business
Data is a technology to handle huge data. If an organization wants to know what is going on in its aren’t designed to run across & other data experts as it allows more types of data analytics. It can knowledge.
operations or next year planning based on current year performance data etc – it is preferable to choose very large data sets. be used for text searches, machine learning & real-time analytics.
data warehousing as it needs reliable data.
Cognitive Analytics: Proactive action and recognizing patterns using Big Data and AI

1. Descriptive Analytics: 2. Diagnostic Analytics: 3. Predictive Analytics: 4. Prescriptive analytics: 5. Cognitive Analytics: Proactive action and recognizing patterns using Big Data and AI.
Provides insight based on past Examines the cause of past Assist in understanding the Analytics assist in identifying
Descriptive Prescriptive Predictive Cognitive
information. It is used in the result and is used in variance future and provide foresight by the best option to choose to
•What Happend? •How to make it •What could •What to do why &
report generation, providing analysis and interactive identifying pattern in historical achieve the desired outcome
•Why did it happen? Happen? Happen? how?
basic editor function along dashboards to examine the data. It can be used to predict an through optimization
with the horizontal and vertical causes of past outcome. accounts receivable balanceand techniques and machine Historical data helps Forecast futre per- Proactive action and
analysis of nancial statement. collection period for each learning. Prescriptive understand past per- Analysis that suggest fomance events and recognising patterns
customer and to develop Analytics is used in identi ng fomance & for root a prescribed action results using big data
models with indicators that actions to reduce the couse analysis
prevent control failures. collection period of accounts Tools Used Tools Used Tools Used Tools Used
receivable and to optimize the •Standard Reports •Business Intelligence •Forecasting •AI
use of payable discounts. •Adhoc Queries •Heuristic mechods •Predictive Mod- •Machine Learning
•Statistical Analyysus •Optimization etc. eling •Neural Networks
•Graphics etc. •Deep Learning
•Pattern Recognition

94 www.prokhata.com
CA Rajat Agrawal
 Chapter 4: Data Analytics Module - 6 Emerging Technologies
Data Analytics Functions

Sn Type of Function Description Where to Apply

1 Column Statistic Displays column wise statistics of all numeric data and numeric, date and character columns. Tp Pro le and analyse data at a Macro Level
2 Identify Duplicates & Gaps Identify Duplicates in a series of data or displays all successive numeric numbers with de ned intervals. Identify Duplicate POs, Duplicate Vendor Payments, Duplicate Vendors, Payments
without descriptions
3 Same-Same Different Identify Duplicates in a series of data which have certain elds which are common and certain elds which are Identify Duplicates based on same GSTN, different location, name etc
different.
4 Pareto Displays items in two separate tabs of 80:20
5 ABC Analysis Displays items in three separate categories as per the same percentage given for each category. Pro ling Payments into High, Medium & Low
6 Quadrant/Pattern Analysis Displays items in four quadrants as per the speci c same percentage given for each category.
7 Relative Size Displays the variation between highest value and 2nd highest value (in terms of difference and proportion). Deriving vendor ratio of highest and 2nd highest bill and check ratios beyond a
Factor (RSF) "x%"
8 Max Variance Factor (MVF) Displays the variation between highest and lowest value (in terms of difference and proportion). Deriving vendor ratio of highest and least bill and check ratios beyond a "x%"
9 Benford Law Displays variance in patterns of numeric data based on Benford Law for rst digit beginning with 1 to 9. Identify Payments which fall as an exception to Benford's Law
It states that lists of numbers from many real-life sources of data are distributed in a speci c and non-uniform way.
Number 1 appears about 30% of the time. Subsequently the number 2 occurs
less frequently, number 3, number 4, all the way down to 9 which occurs less than once in twenty
10 Authentication Check Compare & Verify if the amounts processed are within the limits and approval hierarchy. Verify Segregation of Duties, instances of exceeding limits
11 Pivot Table / MIS Summarizes data by sorting, averaging, or summing and grouping the raw data MIS can summarise by criteria such Summarise and reporting payments based on de ned rules
as day, day of the week, month etc.
12 Outliers Displays instances of transactions beyond "x" times the average, mean, standard deviation etc Identify Payments beyond "x" times the average, standard deviation etc.
13 Sounds Like/ Identify vendors with similar names, which sound same based on the phonetics Identify duplicate / fake Vendors created
Soundex/Fuzzy Match
14 Aging Analysis Computes difference of selected two date columns & strati es on speci ed intervals for computed date difference. Identify cases of payments made beyond a speci ed date
15 Trendlines Displays trendline as per different rules con gured using sparklines or chart.
16 3-Way Matching Displays records aer joining data from up to three worksheets based on common/ uncommon column values. Identify cases of mismatch between PO, RR and Payment
17 Analytical Review Displays the difference between values of two numeric columns in number and in percentage. Analyse the quantitative and other related information
18 Back-Dated Entries Identify back-dated entries, duplicates/gaps based on selected numeric/alphanumeric eld related to date eld based Identify instances of prior period payments and other related checks

19 Beneish MScore e Beneish model is a statistical model that uses nancial ratios calculated with accounting data of a speci c Identify exceptions to the Benish Score and analyse further
company in order to check if it is likely that the reported earnings of the company have been manipulated
20 Identify Outliers by Masks Displays records that do not match a de ned mask where 'C' represents characters and 'N' represents numbers. Identify transactions which do not follow a speci c pattern.
21 Sampling Perform Sampling by Outliers, Characters, Numeric, Risk weightage, statistics, quadrants, clusters, interval Sample based on exceptions to test the controls and perform substantive procedures
22 Splitting Vouchers Multiple vouchers raised on same date or similar dates having cumulatively are higher than the approval limit
23 Rounding off Identify high value and round sum vouchers
24 Weekend Payments Identify entries / payments made on weekends Identify policy exceptions
25 Vouchers with Blank Identifying vouchers of different elds
Reference and Narrations which are blank

www.prokhata.com 95
CA Rajat Agrawal
Module - 6 Emerging Technologies Chapter 4: Data Analytics
Steps involved in applying Analytics on Data

Curate / Cleansing the Data Pro le the Data Analyze the Data Investigate Document
It refers to transforming data in It refers to the act of analyzing It refers to examining the data in detail to discover It refers to observing or querying the data in detail. is involves It refers to automatically
standard structure to be usable for data the data contents to get an essential features by breaking data into speci c systematic examination of data by making a detailed inquiry or documenting functions
analytics as required. is includes overall perspective data. is components by grouping, identifying and reviewing search to discover facts and insights to be arrive at a conclusion. performed using data analytics
speci c functions for cleaning data helps in validating data at speci c features. is includes functions for is includes functions for advanced analysis such as Pareto, ABC, soware. is includes
by removing speci c characters, a macro level and assessing identifying gaps/duplicates, unique, outliers, format, Quadrant, Cluster, MIS, Statistical, querying data; consolidate/ collate functions such as rerun,
transforming data, deleting speci c whether data is correct and and changes between two sets of data, sampling, data, Relative Size Factor, Benford Law and relating, comparing and refresh, audit log, indexing, etc.
data and transposing data. complete. ltering, split data and fuzzy match. joining les based on speci c criteria.

Examples of Data Analytics soware and Testing tools Advance tools for Analytics
e value of Data Analytics is in what it brings through its effective implementation. Data Analytics can be
performed using various types of soware such as: Hadoop Python programming
MS Excel: Open source cloud computing platform allows storage & Very powerful, open source and exible programming
Spreadsheet soware of Microso has various features useful for auditors. processing of massive amount of data language that is easy to learn, use and has powerful
General Audit Soware: R programming libraries for data manipulation, management and analysis.
Add-in for MS Excel with speci c CAAT functions. Examples include eCAAT, Power BI (limited features) Open source programming language soware that provides Matlab
General Audit Soware: data scientists with a variety of features of analyzing data. Its simplest syntax is easy to learn and resembles C or C++
Data Analysis Soware with speci c CAAT functions. Examples include eCAAT, Tableau, Knime, IDEA, Julia
ACL etc. New programming language that can ll the gaps with respect to improving visualization and libraries for data analytics.
Application Soware:
Standard and Ad-hoc Reporting and Query features available or speci c functionalities designed for
auditors. Example Audit modules in certain applications / ERP have a few Data Analytics features.
Specialized Audit Soware:
Audit soware designed to work in speci c soware.
Examples in Finance

BFSI Compliance and Regulation

Banks and nancial services rms use analytics to differentiate fraudulent transactions from legitimate business transactions. By applying Financial services rms operate under a heavy regulatory framework, which requires signi cant
analytics and machine learning, they can de ne normal activity based on a customer’s history and distinguish it from unusual behaviour levels of monitoring and reporting and requires deal monitoring and documentation of the details
indicating fraud. e analysis systems suggest immediate actions, such as blocking irregular transactions, which stops fraud before it occurs of every trade. is data is used for trade surveillance that recognizes abnormal trading patterns.
and improves pro tability.
Use Cases
Uber uses big data extensively to maintain a database of drivers and customers, calculate the best routes and estimate travel time based on traffic and weather conditions. e company also uses data science to determine surge pricing, which
adjusts prices based on demand for rides.

Impact on Audit
Audit rms, both big and small, use data analytics to improve audit quality and add value to their clients. ey may either create their own data analytics platforms or acquire off-the-shelf packages. ese tools use visual methods to present
data, allowing auditors to identify trends and correlations. By extracting and manipulating client data, auditors can better understand the client's information and identify risks. Data analytics tools can turn all the data into pre-structured
presentations and generate audit programs tailored to client-speci c risks or provide data directly into computerized audit procedures. Using data analytics for assurance requires an understanding of business processes and relevant techniques
to speci c areas of control to identify conformances, deviations, exceptions, and variances in the digital data being audited.
Financial Statement Assertions can be evaluated by auditors by using data analytics on the relevant digital data. For example, nancial data can be evaluated for:

Completeness: Accuracy: Validity: Authorization: Segregation of duties: Compliance: Cut off:

Whether all transactions and Whether all transactions are Whether only valid Whether only appropriately Whether controls regarding appropriate Whether all applicable Whether only the transactions
the resulting information are processed accurately and as transactions are processed, authorized transactions have segregation of duties and responsibilities compliances are complied for the period which they
complete. intended and the resulting and the resulting information been processed. as de ned by management are working as with, within the required belong are accounted.
information is accurate. is valid. envisaged. timeframe.

96 www.prokhata.com
CA Rajat Agrawal
 Chapter 4: Data Analytics Module - 6 Emerging Technologies
Risks and Challenges
• 1. e introduction of data • 2. Data privacy and • 3. Completeness and integrity - • 4. Compatibility issues • 5. Train the Audit staff may not • 7. e data obtained must be held for
analytics for audit rms isn’t con dentiality -e copying e extracted client data may not be with client systems be competent to understand the several years in a form which can be retested.
without challenges to overcome. and storage of client data risks guaranteed specialists are oen required may render standard exact nature of the data and output As large volumes will be required rms may
At present there is no speci c breach. is data could be to perform the extraction and there may tests ineffective if data to draw appropriate conclusions, need to invest in hardware to support such
regulation or guidance which misused by the rms or illegal be limitations to the data extraction is not available in the training will need to be provided storage or outsource data storage which
covers all the uses of data analytics access obtained if the rm’s data where either the rm does not have expected formats which can be expensive compounds the risk of lost data or privacy
within an audit and this results security is weak or hacked which the appropriate tools or understanding • 6. Insufficient or inappropriate evidence retained on le due issues.
in difficulty establishing quality may result in serious legal and of the client data to ensure that all data to failure to understand or document the procedures and inputs • 8. An expectation gap among stakeholders
guidelines. Other issues which can reputational consequences is collected. is may especially be the fully. For example, a screen shot on le of the results of an audit who think that because the auditor is testing
arise with the introduction of data case where multiple data systems are procedure performed by the data analytic tool may not record 100% of transactions in a speci c area, the
analytics as an audit tool include: used by a client. the input conditions and detail of the testing. client’s data must be 100% correct.
Professional Opportunities
Organizations in industries across the world are shiing their strategies because of data. Google, Net ix or Amazon, for example. With a data driven approach in mind, companies are looking to hire people to manage their data and uncover
the value and meaning behind the information they are collecting. As such, data-driven career opportunities and careers in data analytics abound for people with data analysis skills.
Chartered Accountants having a domain expertise in the eld of nance, audit, taxes and compliance should now equip themselves with these tools and skill sets. is will enable them to audit digital data with ease, save time and provide value
added services to clients. Since Analytics is utilized in varied elds, there are numerous job titles which are coming into picture:
• Analytics Business Consultant
• Analytics Architect / Engineer
• Business Intelligence and Analytics Consultant
• Metrics and Analytics Specialist
• Preparation of MIS and Dashboards including Visualization Solutions
• Monitor tracking of Key Performance Indicators (KPIs) and Key Result Areas (KRAs).

Note:-

www.prokhata.com 97
CA Rajat Agrawal
Module - 6 Emerging Technologies Chapter 5 Internet of ings
CHAPTER 5:
INTERNET OF THINGS
e Internet of ings, or IoT,, is a system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identi ers (UIDs) and the ability to transfer data over a network
without requiring human-to-human or human-to-computer interaction.
How it works?
An IoT ecosystem consists of web-enabled smart devices that use embedded processors, sensors and communication hardware to collect, send and act on data they acquire from their environments. IoT devices, share the data collected
through sensors by connecting to an IoT gateway or other edge device. From these devices the data is either sent to the cloud to be analysed or analysed locally. Sometimes, these devices communicate with other related devices and act on
the information they get from one another. e devices do most of the work without human intervention, although people can interact with the devices for instance, to set them up, give them instructions or access the data. e connectivity,
networking and communication protocols used with these web-enabled devices largely depend on the speci c IoT applications deployed.

Ecample of an IoT system Bene ts of IoT

e internet of things offers a number of bene ts to organizations, enabling them to:
Collect Data Collate and transfer data Analyze data, take action
• Monitor their overall business processes;
IoT Device User interface • Improve the customer experience;
(e.g. Sensor) (e.g. smartphone human-machine • Save time and money;
Communication Analytics of busness application • Enhance employee productivity;
IoT hub or • Integrate and adapt business models;
hardware (e.g. customer relationship
IoT Gateway • Make better business decisions; and
(e.g. antenna) manaement ERP)
• Generate more revenue.
Embedded Processors IoT encourages companies to rethink the ways they approach their businesses, industries and markets and gives them the
Back-end systems
(e.g. microcontroller) tools to improve their business strategies.
Advantages of IoT

1. Improved business insight and customer 2. Efficiency and productivity gains 3. Asset tracking and waste 4. Cost and downtime reductions 5. Newer business models
experience Ford is using body-tracking technology in a special reduction One of the bene ts of these new insights is e IoT offers companies the opportunity
Companies use IoT to gain insights into their suit for its workers at a plant in Spain to make data- Closely linked to efficiency oen a reduction in operational expenditure to gain insights into their customers and
business operations and improve the customer driven changes to its vehicle production processes, and productivity is the drive and downtime. For example, the rapid their product usage, leading to more
experience. is helps them ful ll customer needs making them safer and more efficient. e technology to reduce waste, to which IoT emergence of digital twin technology - digital efficient and productive processes. It also
better. For example, IoT in a shopping environment tracks workers' movements to design less physically tracking is integral. e more models of physical assets built from real-time allows companies to move towards new
reduces friction in the buying experience and stressful workstations. Ford is enabling data-driven IoT components in a business data, either in pure data form or as exportable revenue streams by offering subscription-
improves inventory control and supply chain changes to its vehicle production processes, making operation, the more it stands to 3D representations - is a key competitive based services that utilize the connected
management. is is done by gathering data about them safer and more efficient. bene t from IoT implementation. differentiator in industrial IoT applications. nature of their products.
popular products and cross-selling opportunities.
Examples in Finance

Inventory Tracking and Management Fraud prevention Optimized capacity management

IoT inventions can help you in tracking and Fraud prevention is a primary concern for nancial institutions, which constantly invest Banks constantly aim to expand their network of offices and ATMs, while managing the
managing inventory by giving you automatically in andseek new ways of curbing misuse of their offerings. Major nancial corporations existing units with maximum efficiency. Using IoT enabled monitoring to track the
controlled options. IoT soware and devices can have already successfully implemented AI based anti-fraud systems. With fraud prevention number of customer units per day, the average queue time can be measured to determine
be installed in your storage units and warehouses, having such a high priority, IoT will be a de nite game changer in this area. the optimal number of personnel and counters at each branch. Decisions regarding new
which can help in managing inventory changes Misuse of debit/credit cards can be prevented by having IoT enabled security systems branches can also be made easier by using the distribution data of customers with respect
while your personnel can invest their time in more at points of use, such as ATMs, which have more personal and secure methods of to location. e same can be done to optimize the number and location of cash dispensing
cognitively demanding tasks. authorization. machines based on usage.

98 www.prokhata.com
CA Rajat Agrawal
 Chapter 5 Internet of ings Module - 6 Emerging Technologies
Use Cases
DeTect
DeTect Technologies is an IoT start-up that offers asset integrity
management solutions, including pipeline condition monitoring
and structural health monitoring for hard-to-reach assets. eir
technology helps reduce productivity losses due to breaches and is
used by several Fortune 500 companies.
TagBox
TagBox uses IoT to create sustainable and reliable cold chains, offering
comprehensive solutions for real-time visibility of the entire chain,
helping reduce product spoilage, meet compliance requirements, cut
energy costs, prevent the and pilferage, and optimize transportation
costs.

IoT and Smart Cities

e IoT plays a crucial role in the development of smart cities, which use ICT
to address urbanization challenges such as traffic, waste management, and
energy consumption. e concept of a smart city involves the convergence
of ICT, energy technologies, and environmental considerations in urban
and residential environments.
Few Bene ts of IoT in creating Smart Cities
•Better Management of traffic and reduced congestion on roads
•Improved crime detection and surveillance
•Reduction in pollution
•Savings in Power and electricity
•Improvised safety for citizens
•Increased efficiency in parking
•Better waste and sewage management

Impact on Audit
IoT based automation and intelligent systems can ensure that the presence of personnel is detected and their physical appearance checked for ensuring the safety measures have been taken care by the worker, every check conducted leaves an
audit trail and if there are exceptions found and alarms raised with evidences. Also, if the situation got corrected the issue or alarm raised could get closed. No longer there may be a need for any such evidences of compliance as the compliance
is ensured automatically.
Yes, IoT assisted accounting has the potential to provide CAs with real-time access to transactional data and increase the IoT makes it easier for organizations to keep tabs on their resources, in relation to Inventory and Assets, and
effectiveness of continuous auditing processes. It can also help with risk evaluation and quick issue assessment and remediation, that has direct implications for the accountants who are responsible for overseeing the budget and its relation
leading to real-time management for businesses and CAs. is can ultimately lead to more efficient and effective accounting to assets.
practices. IoT also helps in reducing time lapse between an event and its recording for more timely decision making and
Quality will hardly need any sample checks as all the items will go through a compulsory test. Every item would have its own facilitating assessment of process-driven activities.
set of quality requirements embedded and would reach out to instruments which can verify a speci c parameter; thus, each end With IoT in place, there would be more data, more action, more observation, and reduction of immediate
product would have its size veri ed by a machine, based on the speci cations embedded. direct human impact.
e documentation is one thing that may be solved on its own since the work ow or process maps which would be used Technologies such as Drone can help gathering evidences to support assertions and perform audit
for automation themselves are good enough documentation. Also, the need for documentation now gets reduced from much faster and in fact in real time. is could be used for physical veri cation of inventory, assessing
instructional purposes since it is the IoT data, which drives the processes. the mines and quarries etc.
www.prokhata.com 99
CA Rajat Agrawal
Module - 6 Emerging Technologies Chapter 5 Internet of ings
Risk and Challenges

Soware update and patches Hardware Lifespan Security and privacy issues
e time for a patch to be released may be longer than the typical cycle for non-IoT devices (if a patch is released at IoT devices have their own life cycle, oen with IoT promises to provide unprecedented and ubiquitous
all). Enterprises as well as individual consumers can review an IoT vendor’s website to determine frequency of patches built-in obsolescence. Components like non- access to the devices that make up everything from assembly
and compare the schedule against vulnerability dates using a Common Vulnerabilities and Exposures database. is replaceable batteries in IoT devices require life cycle lines, health and wellness devices, and transportation
comparison can provide a level of assurance that third-party soware developers have adequate policies regarding planning and asset-management processes speci c systems to weather sensors. Unfettered access to that much
vulnerability assessment and patching. to IoT. data poses major security and privacy challenges, including:
Insufficient authentication/ Lack of transport level Insecure web/mobile interface Default credentials Lack of secure code Privacy concerns
authorization encryption most IoT-based solutions have a web/mobile interface for most devices practices Many devices used in healthcare collect personal
a huge number of users and most devices fail to encrypt device management or for consumption of aggregated and sensors are services and business information, creating privacy risks as they collect
devices rely on weak and simple data that are being transferred, data. is web interface is found to be prone to the Open con gured to use the logic would be developed and aggregate data. e regular purchase of different
passwords and authorizations. even when the devices are Web Application Security Project (OWASP) Top 10 default username/ without adhering to foods, for example, could reveal a buyer's religion
Many devices accept passwords using the Internet. vulnerabilities, such as poor session management, weak passwords. secure coding practices. or health information. is is one of the privacy
such as “1234.” credentials and cross-site scripting vulnerabilities. challenges associated with IoT in healthcare.
Challenges Governance and Controls
ere are many challenges facing the implementation of IoT. e scale of IoT application IoT solutions are complex. e integration of connected devices and IT services poses major challenges in networking, communication, data volume,
services is large, covers different domains and involves multiple ownership entities. real-time data analysis, and security. IoT solutions involve many different technologies and require complex development cycles, including signi cant
ere is a need for a trust framework to enable users of the system to have con dence testing and ongoing monitoring. To overcome these challenges, IT organizations must:
that the information and services are being exchanged in a secure environment. • Develop a comprehensive technical strategy to address the complexity
•Insecure web interface • Insecure cloud interface • Develop a reference architecture for their IoT solution
•Insufficient authentication/authorization • Insecure mobile interface • Develop required skills to design, develop, and deploy the solution
•Insecure network services • Insufficient security con gurability • De ne your IoT governance processes and policies
•Lack of transport encryption • Insecure soware/ rmware IoT solution governance can be viewed as the application of business governance, IT governance, and enterprise architecture (EA) governance. In
•Privacy concerns • Poor physical security effect, IoT governance is an extension to IT governance, where IoT governance is speci cally focused on the lifecycle of IoT devices, data managed by
the IoT solution, and IoT applications in an organization’s IT landscape. IoT governance de nes the changes to IT governance to ensure the concepts
and principles for its distributed architecture are managed appropriately and are able to deliver on the stated business goals.
Professional Opportunies
IoT will bring CAs new opportunities for client service in the areas of business process design and data analysis. Clients will need CAs to help set up accounting and recording systems, such as dashboards that aggregate data received from the
IoT. CAs may also be hired to provide opinions on the security of the IoT. Consumers and industry want assurance that information and systems will be private. When the IoT takes off, CAs will be asked to give their professional opinions on
the systems that third parties rely on, unlike today where we are only asked for assurance in special circumstances.

Note:-

100 www.prokhata.com
CA Rajat Agrawal
 Chapter 6 Robotic Process Automation Module - 6 Emerging Technologies
CHAPTER 6:
ROBOTIC PROCESS AUTOMATION
Robotic process automation is the term used for soware tool that automates human activities that are manual, rule-based and repetitive. ey work by replicating the actions of a human interacting with soware applications to perform tasks
such as data entry, process standard transactions. It is a computer coded soware, programs that perform repeated tasks based on rules de ned, and can work across functions and applications. Example: A process of reviewing the approved
time sheet and raising the invoice in the ERP to the appropriate client and sending an email to the client and following up as a part of receivable management could be automated as the process is standardised and reasonably repetitive..

RPA is Computer-Coded Soware ✔ ✘ RPA is Not Walking, Talking Auto-bots A few of the key objective of implementing RPA are as follows:
RPA is Programs that replace humans performing repetitive rules- based tasks ✔ ✘ RPA is Not Physically existing machines processing paper • Improve accuracy • Skill upgradation of personnel
• Reduction of monotonous work • Cost saving
RPA is Program ✔ ✘ RPA is Not Arti cial intelligence or voice recognition and reply soware
• Higher efficiency • Improve customer experience
Examples in Finance Use Cases, ICICI Bank
Banks are using RPA soware robots to handle the entire RPA soware robots can provide signi cant bene ts RPA is being utilized for KYC Using robotic process automation (RPA), the bank’s operations
credit card application process, including gathering required to e-commerce websites and logistics companies by authentication and updating customer, department deployed 200 robotics soware programs. e
documents, credit and background checks, decision making, automating activities such as fetching data from provider vendor, and employee documentation. development helped the ICICI Bank to process around 10 lakh
and card issuance. e process is highly systematic and can be databases and tracking shipments for delivery through is results in faster processing, error- transactions per day. Today, the RPA is helping to process more
easily managed by the robots. GPS, without the need for human intervention. free results, and increased efficiency. than 2 million transactions daily.
Impact on Audit Risks and Challenges: Robotic Process Automation like all technology and innovation initiatives come with disruption and risks associated.
e following are the areas where auditors should concentrate:
• Free up capacity to focus on higher priorities RPA strategy risks: Tool selection risks: Launch/project risks: Operational/execution risks:
• Enhance ability to add valuable insight RPA can drive innovation ere is a risk of RPA-washing in the market To mitigate the risks of a failed RPA project launch, Operational risks can arise if
• Need to develop new testing approaches and competitiveness, but due to hype, where vendors overstate their organizations need to prevent technical and organizations do not establish a clear
• Consider for changes to internal audit staffing model businesses may fail to fully automation capabilities. Some may only nancial failures. Adopting RPA in departments operating model when deploying RPA
• Need to understand technology realize its potential due to offer screen-scraping which can lead to high with high headcounts just to generate more & can lead to confusion over roles-
• Opportunity to in uence control design wrong goals, expectations, maintenance and errors. Companies need to savings can fail due to the large load of changing responsibilities between humans and
• Potential to increase audit efficiency or under-resourcing. carefully choose the right tools for their needs. processes and exception handling. bots
RPA Challenges

Shortage of skilled resources Lack of proper team structure Unable to automate end-to-end cases Vaguely de ned business continuity plans
•
e demand for RPA is increasing, but there is a shortage of Lack of knowledge about processes and Some processes require integration with Organizations may have unrealistic expectations about RPA projects
skilled resources in the market sharing of resources between multiple machine learning and OCR engines, but these requiring little to no maintenance, but in reality, they do require maintenance
•Experienced
Experienced RPA professionals expect high salaries, which projects can pose risks in achieving set technologies can be costly and may not always for identifying new scenarios and issues in production environments,
may not be nancially viable for some companies. milestones. meet business expectations. de ning execution schedules, and mitigation plans during failures.
Governance and Controls
A governance structure that de nes roles and responsibilities for automation activities will help deliver successful RPA initiatives. Key elements include:

Ownership Deployment framework Operational risk/ data security Enterprise management RPA Vision/roadmap
involve legal, risk, IT and other teams calibrate production and development create a cross-functional team to communicate the bene ts: RPA helps to eliminate repetitive, non- create a center of excellence (COE) early in the
that are involved in the process due environments to ensure smooth RPA clear temporary backlogs in case value- adding tasks so employees can make greater impact in their journey to accelerate adoption of RPA across
to automated. It includes process- deployment. Ensure IT is aware of of bot failure and maintain people roles. Involve HR to support employee’s up-skilling, which increases the enterprise. Set deadlines for achieving
speci c subject matter expert (SMEs) RPA, enabled processes. Ensure change in critical processes for error free employee morale and improve productivity. Employees should be intelligent automation to leverage the full
for insight in the process nuances. management process is in place. delivery. prepared to work along with the soware robots. value of automation.
Professional Opportunities
Many exciting new jobs will be created by RPA as automation will require a new type of skill set. e creation of new types of job opportunities will outweigh the displaced jobs. is research validates the con dence in the creation of new
types of industries requiring new kinds of functions and skills.
e McKinsey Global Institute estimated in its December 2017 reports that by 2030, automation will drive between 75 and 375 million people to reskill themselves and switch occupations. Robotic Process Automation (RPA) is not replacing
accountants but evolving their role and augmenting their effectiveness through automation. It is a progressive, positive, and necessary shi that is creating the digital workspace for accounting and nance professionals to focus on the greatest
value they can provide to their organisation.

www.prokhata.com 101
CA Rajat Agrawal
 ALL INDIA RANKERS FORM PROKHATA

TOPPERS FORM PROKHATA

JOIN OUR COMMUNITY OF TECHNO AUDITORS

H
Follow this Strategy Tested by Thousands of CA Members including All India Rankers

2 Steps Formula

Video Lecture Online Quiz

CONTACT US
www.prokhata.com
[email protected]
+91 8319130080