Guidance to Validate Internal Control Assertions in Indian Financial Reporting


TABLE OF CONTENTS

Acknowledgements ... 3

Section 1 – Executive Summary ... 4

Need for This publication ... 4

Objective Statement ... 5

Identified Stakeholders ... 5

An Introduction to This document ... 5

Benefits Derived From This Document ... 7

Approach to This publication ... 8

An Example of How to Read the Document ... 10

References for the Publication ... 17

Section 2 – Detailed Publication ... 18

Definitions ... 18

Chapter 1 - Governance and Risk Management in India – Regulatory Requirements to Comply With Indian Regulations ... 22

Governance ... 22

Risk Management... 24

Assurance ... 25

Information Technology Act, 2000 (as Amended by Information Technology Amendment Act, 2008) ... 27

Summary ... 28

Chapter 2: Introduction to COBIT 5 ... 29

Chapter 3 – How COBIT 5 Can Be Used to Comply With Governance ... 32

Stakeholder 1 – Board of Directors ... 38

Stakeholder 2 - Management ... 46

Stakeholder 3 – Auditor ... 77

Summary ... 92

Section 3 Checklists ... 92

Checklist 1 – General Checklist for Governance ... 93

Checklist 2 – General Checklist for Risk Management ... 94

Checklist 3 – General Checklist Audit and Assurance ... 94

Checklist 4 – Compliance With the Data Protection Areas of IT Act ... 95

Checklist 5 – Sample Checklist for the Auditor to Gain Assurance on the Controls That Are in Place to Protect Personally


ISACA

With more than 115,000 constituents in 180 countries, ISACA (www.isaca.org) helps business and IT leaders build trust in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking, and career development for information systems audit, assurance, security, risk, privacy and governance professionals. ISACA offers the Cybersecurity Nexus™, a comprehensive set of resources for cybersecurity professionals, and COBIT®, a business framework that helps enterprises govern and manage their information and technology. ISACA also advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) credentials. The association has more than 200 chapters worldwide.

Disclaimer

This book is not intended to, and does not, provide legal, technical or other advice on compliance or related matters. Every entity or individual using this book should seek expert technical, legal or other advice as appropriate to its respective needs and circumstances. ISACA, its office bearers, its advisors/consultants, the authors, the reviewers and other persons associated with the writing, reviewing, printing or publication of this book do not guarantee or warrant the accuracy, adequacy, completeness or suitability of the content of this publication and they hereby disclaim any and all responsibility or liability for damages incurred as a result of the content contained herein. They also hereby disclaim any responsibility or liability whatsoever for the

consequences of the use of this book by any person or entity. Courts in Cook County, state of Illinois, USA, alone shall have jurisdiction relating to any lawsuits pertaining to this book.

The opinions and views expressed in Guidance to Validate Internal Control Assertions in Indian Financial Reporting are solely those of the authors of this publication, as a practical application and implementation of COBIT 5 principles and good practices. The opinions and views of the authors do not necessarily reflect those of ISACA.

Reservation of Rights

© 2014 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of all or portions of this publication are solely permitted for academic, internal and noncommercial use and for consulting/advisory engagements, and must include full attribution of the material’s source. No other right or permission is granted with respect to this work.

This text uses relevant ISACA publications with permission.

ISACA

3701 Algonquin Road, Suite 1010 Rolling Meadows, IL 60008 USA Phone: +1.847.253.1545

Fax: +1.847.253.1443 Email: info@isaca.org Web site: www.isaca.org

ISACA® and COBIT® are registered trademarks of ISACA.

Participate in the ISACA Knowledge Center: www.isaca.org/topic-India Follow ISACA on Twitter: https://twitter.com/ISACANews

Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial Like ISACA on Facebook: www.facebook.com/ISACAHQ


ACKNOWLEDGMENTS

ISACA Wishes to Recognize: The ISACA India Task Force

Chairman, Mr. S.V. Sunder Krishnan, CISA, Reliance Life Insurance Company Ltd., Mumbai, India

Mr. Avinash W. Kadam, CISA, CISM, CGEIT, CRISC, CISSP, CSSLP, GSEC, GCIH, CBCP, MBCI, PMP, CCSK, COBIT 5 Approved Trainer—Foundation, Advisor, ISACA’s India Task Force

Mr. Sunil Bakshi, CISA, CISM, CGEIT, CRISC, CISSP, PMP, CeHv6, ISO 27001:2005 LA, ISO 14001 LA, Freelance consultant and trainer, Pune, India

Mr. Anil Bhandari, CISA, CIA, DISA, AICWA, FCA, ANB Consulting Co., Mumbai, India

Mr. Madhav Chablani, CISA, CISM, TippingEdge Consulting Pvt. Ltd, New Delhi, India

Mr. Sandeep Godbole, CISA, CISM, CGEIT, Syntel, Pune, India

Mr. Niraj Kapasi, CISA, Kapasi Bangad Tech Consulting Pvt. Ltd., Hyderabad, India

Mr. Vaibhav Patkar, CISA, CISM, CRISC, CGEIT, Sutherland, Mumbai, India

Mr. Vittal Raj, CISA, CISM, CGEIT, Kumar and Raj, Chennai, India

Mr. Raghavendra Rao Hulgeri, CISA, Oracle Financial Services Software Ltd., Bangalore, India

Project Coordinator and Advisor

Mr. S.V. Sunder Krishnan, CISA, Reliance Life Insurance Company Ltd., Mumbai, India

Content Development Team

Mr. Anand Prakash Jangid, CISA, CISM, CFE, ACA, Quadrisk Advisors, Bangalore, India

Mr. Rajiv Gupta, CISA, CFE, ACA, Coca-Cola India

Ms. Vishakha Chhawchharia, CISA, ACA, Quadrisk Advisors, Bangalore, India

Mr. Amarnath Daga, CISA, ACA, Quadrisk Advisors, Bangalore, India

Mr. Bharath Rao B, CeHv8, Quadrisk Advisors, Bangalore, India

Mr. Anish Jain, ACA, Quadrisk Advisors, Bangalore, India

Ms. Shefalika Sahu, ACA, Quadrisk Advisors, Bangalore, India

Mr. Firoz Attarwala, ACA, Quadrisk Advisors, Bangalore, India

Expert Reviewers

Mr. Abdul Rafeq, CISA, CGEIT, CIA, FCA, A. Rafeq and Associates, India

Mr. S.V. Sunder Krishnan, CISA, Reliance Life Insurance Company Ltd., Mumbai, India

Mr. Avinash W. Kadam, CISA, CISM, CGEIT, CRISC, CISSP, CSSLP, GSEC, GCIH, CBCP, MBCI, PMP, CCSK, COBIT 5 Approved Trainer—Foundation, Advisor, ISACA’s India Task Force

Mr. Sunil Bakshi, CISA, CISM, CGEIT, CRISC, CISSP, PMP, CeHv6, ISO 27001:2005 LA, ISO 14001 LA, Freelance consultant and trainer, Pune, India

Mr. Madhav Chablani, CISA, CISM, TippingEdge Consulting Pvt. Ltd, New Delhi, India

Mr. Niraj Kapasi, CISA, Kapasi Bangad Tech Consulting Pvt. Ltd., Hyderabad, India

Mr. Vittal Raj, CISA, CISM, CGEIT, Kumar and Raj, Chennai, India

Mr. Shrikant Patil

Mr. Shashikant Shirahatti


SECTION 1 – EXECUTIVE SUMMARY

NEED FOR THIS PUBLICATION

As a part of "Management's Responsibility for Financial Statements", executive management of Indian companies assert to their stakeholders the relevance of "the design, implementation and maintenance of internal controls" for the preparation and presentation of financial statements that need to give a true and fair view of financial position on a particular date and performance for the relevant period. Financial statements need to be devoid of any material misstatements, whether due to fraud or error. This responsibility is an onerous one.

Under Section 211(7) of the Indian Companies Act, 1956, where a company fails to take all reasonable steps to secure compliance, wilful default may be punished with imprisonment for a term of up to six months, a fine of up to ten thousand rupees, or both. The new Companies Act, 2013 not only retains these requirements but also adds a number of corporate governance and risk management requirements.

With the changing times, there is also a need for greater accountability of companies to their shareholders and customers. The need for governance arises from the separation of management from ownership. For a firm to succeed, it needs to attend to both economic and social aspects: it needs to be fair to producers, shareholders, customers and others, and it has responsibilities toward its employees and the communities it operates in. Companies need to meet their responsibilities in all of these respects.

Several important issues bear on governance. They are inter-related and interdependent, and each of them carries a different priority in each corporate body.

The issues are:

1. Value-based corporate culture

2. Holistic view

3. Compliance with laws

4. Disclosure, transparency and accountability

5. Governance and human resource management

6. Innovation

Corporate scandals, internally or at other companies, have shed light on the need to manage strategically in an effort to avoid such catastrophes that often leave executives unemployed. Many executives believe that risks are higher than ever before. However, they are unsure about how to manage them; therefore, many executives are welcoming risk management plans and infrastructures. Finally, companies have learned that managing risk correctly can lead to increased shareholder value.

Companies are hoping to shift from a simple control process to a value creation process using an enterprisewide approach. The concept of governance hinges on total transparency, integrity and accountability of management and the board of directors. The importance of governance along with efficient risk management lies in its contribution both to business prosperity and to accountability.


OBJECTIVE STATEMENT

This publication is aimed at solving the problems of C-level executives of various Indian enterprises signing financial statements and committing to assertions on internal controls. This publication guides the board, management and auditors in complying with the corporate governance and internal control requirements arising out of Clause 49 of the Listing Agreement of the Securities and Exchange Board of India (SEBI) and the new Companies Act, 2013 in using ISACA’s COBIT 5 framework.

IDENTIFIED STAKEHOLDERS

This publication is targeted at the following audience, since their roles are the most crucial in developing, maintaining and evaluating governance. COBIT® 5 is a business framework for the governance and management of enterprise IT, and hence these roles are addressed here only to the extent that IT and information are involved.

• Board of directors

• Management

o Chief executive officer (CEO)

o Chief financial officer (CFO)

o Chief information officer (CIO)

o Chief risk officer (CRO)

o Chief information security officer (CISO)

• Auditors (external and internal)

AN INTRODUCTION TO THIS DOCUMENT

Today, there is a growing dialogue among stakeholders about governance and how it should evolve to cope with the increasingly dynamic and global nature of capital markets. This dialogue is taking place against a background of legislative and regulatory change. There has been a significant increase in the scope of audit and other internal control and risk management along with increased public scrutiny.

It is only with dialogue and active participation of all stakeholders that the appropriate balance can be reached between:

• Strengthened central controls and fast local responsiveness

• Effective risk management and the enduring need for innovation

• The costs of compliance with the new governance regulation and the value it brings

The following internal and external factors shape, and can disrupt, a company's governance and normal operations.

Internal Factors

The Board of Directors/Management

The board advises the company’s CEO, who runs the daily operations, and reviews the quality of recommendations the CEO receives from others in corporate management.

Some board members may be employees or family members (most often from the extended family of the company’s founder). Other board members may be affiliated with the company through a banking relationship or a law firm retained by the company, or may represent a customer or supplier. Such members may be subject to potential conflicts of interest that cause them to act in ways not necessarily in the shareholders’ best interests. This has led some observers to argue that boards should be composed primarily of independent directors and that different individuals should hold the CEO and board chairperson positions.


Internal Controls

Well-designed systems generate information that poses a reduced threat of material misstatements. However, simply having systems in place, even if they are properly engineered and constructed, is not sufficient to guarantee both the effectiveness of the required actions and the reliability of the collected data. Thus, management builds extra procedures into every system to help ensure that every operation is performed as intended and the resulting financial data are reliable. Internal control over financial reporting is a formal system of checks and balances, monitored by management and the board of directors and reviewed by the outside auditor. To be efficient and effective, these systems must be carefully designed and maintained, and they need to keep company assets secure at a minimum cost. In addition, appropriate record keeping is a required aspect of virtually every system.

Anti-takeover Defenses

A company’s management and board may employ defenses to gain leverage in negotiating with a potential suitor or to solidify current management’s position within the company.

Corporate Culture and Values

While internal systems and controls are important, good governance also results when the employee culture is instilled with appropriate core values and behaviors. Setting the right tone and direction comes from the board of directors and senior management and their willingness to behave in a manner consistent with what they demand from other employees.

Impact Due to Internal Factors

One can conclude that if the company’s internal controls are not aligned with achieving governance, the company can face serious repercussions to its integrity and professionalism, which in turn affect its goodwill. Internal controls help the company achieve long-term stability. Where there is chaos in the company, loss of shareholder faith and loss of money are inevitable.

External Factors

Federal and state legislation, the court system, regulators, institutional activists and the corporate takeover market all play an important role in maintaining good governance practices.

Institutional Activists

Pension funds, hedge funds, private equity investors and mutual funds have become increasingly influential institutions that can affect the policies of companies in which they invest. There is growing evidence that institutional activism, in combination with merger and acquisition activity, has become an important factor in disciplining underperforming managers.

Amalgamations and Acquisitions

Changes in corporate control can occur because of a hostile (i.e., bids contested by the target’s board and management) or friendly takeover of a target company or because of a proxy contest initiated by dissident shareholders. When a company’s internal mechanisms that govern management control are relatively weak, the corporate takeover market seems to act as a “court of last resort” to discipline inappropriate management behavior. Strong internal governance mechanisms, by contrast, lessen the role of the takeover threat as a disciplinary factor. Moreover, the disciplining effect of a takeover threat on a company’s management can be reinforced when it is paired with a large shareholding by an institutional investor.

Impact Due to External Factors

After establishing an ideal internal control environment for achieving governance, it is crucial that the company maintains it. External factors also affect the company’s governance: events such as accounting frauds, cyberattacks, social engineering attacks and market instability become far harder to avoid if governance is not implemented correctly. Any change in legal, compliance, statutory and similar requirements has to be met by the company if it is to sustain itself in the market and grow.


This publication is aimed at giving guidance in developing, maintaining and evaluating the governance that arises out of the governance, risk management and information security regulatory requirements of the Companies Act, 2013, Clause 49 and the Information Technology Act, 2000 (as amended in 2008).

BENEFITS DERIVED FROM THIS DOCUMENT

Using this guidance note makes governance and enterprise risk management (ERM) easier to implement and brings a number of benefits to the enterprise, such as:

• Reduced complexity and increased cost-effectiveness due to improved and easier integration of governance and risk management compliance, best practices, etc.

• Increased user satisfaction with governance arrangements and outcomes

• Improved integration of governance and ERM in the enterprise

• Informed risk decisions and risk awareness

• Reduced (impact of) costs of noncompliance with governance and ERM requirements

• Improved management of costs related to governance and ERM

• Better understanding of governance, ERM and internal controls

• Enhanced support for innovation and competitiveness


Regulations of the Companies Act, 2013 and Clause 49

Regulations related to governance, risk management and data privacy were identified. Stakeholders were identified.

Stakeholder Needs Identification

Questions are taken from COBIT and selected based on the regulation that is applicable to the stakeholder.

Enterprise Goals Identification

The respective enterprise goals are selected for the stakeholder needs.

IT Goals Identification

Enterprise goals are converted to the relevant IT goals according to the mapping given in the annexure of the COBIT 5 framework.

Process Enablers and Management Practices

Process enablers and practices from COBIT are selected and applied in the relevant section.

APPROACH TO THIS PUBLICATION

This publication was prepared in keeping with the following:

The COBIT enablers are tailored for compliance of governance requirements, enterprise risk management (ERM) and data security requirements based on the previous chart. Section two of this publication is divided into three chapters. The first chapter gives a broad view of the following:


• Regulatory requirements of the Companies Act, 2013, Clause 49 and the Information Technology Act, 2000 (as amended in 2008) are captured in detail with respect to each identified stakeholder, covering the areas of governance, risk management, assurance and data security.

• Relevant practices are suggested by COBIT 5 that can be implemented to comply with these areas.

Chapter 2 gives an idea of the COBIT 5 framework and the COBIT 5 methodology through its principles and enablers.

Chapter 3 gives the relevant guidance for compliance to the listed regulations, keeping the stakeholders in mind, by using COBIT 5. This chapter has segregated the requirements that were applicable for each stakeholder, respectively, and the respective COBIT enabler usage to meet the stakeholder requirements is explained. Therefore, it is crucial that the previous chart be kept in mind while going through the document.

Stakeholders are expected to follow these steps in order to bring value to their company:

Chapter 1 – Regulatory requirements from the Companies Act, 2013, Clause 49 and the Information Technology Act, 2000 (as amended in 2008): governance, risk management, assurance and security

Chapter 2 – Introduction to COBIT 5: principles and enablers

Chapter 3 – Stakeholder segregation; RACI charts for the role of the stakeholder in an activity; COBIT 5 recommended practices for each stakeholder


AN EXAMPLE OF HOW TO READ THE DOCUMENT

Example: the company needs to comply with the risk management requirement.

Step 1 – Identify the regulation with which the user needs to comply (from chapter 1).

Section Reference: Companies Act, 2013, Section 134, Clause 3(n)

Regulatory Requirement: There shall be attached to statements laid before a company in general meeting a report by its board of directors, which shall include a statement indicating development and implementation of a risk management policy for the company, including identification of elements of risk, if any, which in the opinion of the board may threaten the existence of the company.

How this document will be useful: Provides guidance by mapping to the COBIT 5 processes EDM03 and APO12 and their relevant management practices, as identified for the various stakeholders in chapter 3.

Step 2 – Determine the stakeholders that are affected. Classify them as primary and secondary.

Primary stakeholder identified—Board of Directors

Secondary stakeholder Identified—Management

Step 3 – Identify the required processes of COBIT that need to be incorporated in order to comply with the selected regulation from the “How this document will be useful” row.

Identified processes – EDM03, APO12


Step 4 – Locate the processes under the respective stakeholder (in chapter 3) and identify the role of the stakeholder in the RACI chart (Responsible, Accountable, Consulted, Informed) that has been provided.

RACI Chart – Board of Directors

Governance Practice: Board

EDM03.01 Evaluate risk management. A

EDM03.02 Direct risk management. A

EDM03.03 Monitor risk management. A

RACI Chart – Management

Management Practice: Chief Executive Officer, Chief Financial Officer, Chief Information Security Officer, Chief Risk Officer, Chief Information Officer

APO12.01 Collect data. I R R A

APO12.02 Analyze risk. I C R A

APO12.03 Maintain a risk profile. I C A R

APO12.04 Articulate risk. I C R A

APO12.05 Define a risk management action portfolio. I C A R

APO12.06 Respond to risk. I R R A

Step 5 – Incorporate the activities that are described in detail under the respective stakeholder in the RACI chart (in chapter 3).

Board of Directors –

1. EDM03.01 Evaluate risk management.

Continually examine and make judgment on the effect of risk on the current and future use of IT in the enterprise. Consider whether the enterprise’s risk appetite is appropriate and that risk to enterprise value related to the use of IT is identified and managed.


ACTIVITIES

1. Determine the level of IT-related risk that the enterprise is willing to take to meet its risk objectives.

2. Evaluate and approve proposed IT risk tolerance thresholds against the enterprise’s acceptable risk and opportunity levels.

3. Determine the extent of alignment of the IT risk strategy to enterprise risk strategy.

4. Proactively evaluate IT risk factors in advance of pending strategic enterprise decisions and ensure that risk-aware enterprise decisions are made.

5. Determine that IT use is subject to appropriate risk assessment and evaluation, as described in relevant international and national standards.

6. Evaluate risk management activities to ensure alignment with the enterprise’s capacity for IT-related loss and leadership’s tolerance of it.

DETAILED ACTIVITIES

The board needs to actively take part in the risk evaluation process of the enterprise, which also includes the IT-related risks, and, in assessing the risk, define a risk tolerance threshold for acceptable risks and opportunity levels. The board needs to evaluate the risk factors before taking decisions on strategies to ensure that the impact of risk has been factored in.

The board should evaluate the risk management activities and regularly define the enterprise’s capacity for loss and the tolerance limits.

2. EDM03.02 Direct risk management.

Direct the establishment of risk management practices to provide reasonable assurance that IT risk management practices are appropriate to ensure that the actual IT risk does not exceed the board’s risk appetite.

ACTIVITIES

1. Promote an IT risk-aware culture and empower the enterprise to proactively identify IT risk, opportunity and potential business impacts.

2. Direct the integration of the IT risk strategy and operations with the enterprise strategic risk decisions and operations.

3. Direct the development of risk communication plans (covering all levels of the enterprise) as well as risk action plans.

4. Direct implementation of the appropriate mechanisms to respond quickly to changing risk and report immediately to appropriate levels of management, supported by agreed-on principles of escalation (what to report, when, where and how).

5. Direct that risk, opportunities, issues and concerns may be identified and reported by anyone at any time. Risk should be managed in accordance with published policies and procedures and escalated to the relevant decision makers.

6. Identify key goals and metrics of risk governance and management processes to be monitored, and approve the approaches, methods, techniques and processes for capturing and reporting the measurement information.

DETAILED ACTIVITIES

The board needs to actively take part in promoting a culture where opportunities, risks and their impacts are proactively identified.

The board should ensure that there is integration within the risk strategies for IT and the enterprise and there are no conflicts.

The board should direct the development of risk communication plans and action plans to all levels of the enterprise, which shall ensure timely responses to a changing risk environment.

The board should encourage reporting of incidents by any level of management in a timely manner and direct handling of incidents according to the defined policies and


3. EDM03.03 Monitor risk management.

Monitor the key goals and metrics of the risk management processes and establish how deviations or problems will be identified, tracked and reported for remediation.

ACTIVITIES

1. Monitor the extent to which the risk profile is managed within the risk appetite thresholds.

2. Monitor key goals and metrics of risk governance and management processes against targets, analyze the cause of any deviations, and initiate remedial actions to address the underlying causes.

3. Enable key stakeholders’ review of the enterprise’s progress towards identified goals.

DETAILED ACTIVITIES

The board needs to monitor the extent to which the risk profile is managed and whether the profile is within the thresholds of risk appetite.

The board should ensure that deviations of the processes against the defined targets are analyzed and corrective action needed is taken.

Management -

1. APO12.01 Collect data.

Identify and collect relevant data to enable effective IT-related risk identification, analysis and reporting.

ACTIVITIES

1. Establish and maintain a method for the collection, classification and analysis of IT risk-related data, accommodating multiple types of events, multiple categories of IT risk and multiple risk factors.

2. Record relevant data on the enterprise’s internal and external operating environment that could play a significant role in the management of IT risk.

3. Survey and analyze the historical IT risk data and loss experience from externally available data and trends, industry peers through industry-based event logs, databases, and industry agreements for common event disclosure.

4. Record data on risk events that have caused or may cause impacts to IT benefit/value enablement, IT program and project delivery, and/or IT operations and service delivery. Capture relevant data from related issues, incidents, problems and investigations.

5. For similar classes of events, organize the collected data and highlight contributing factors. Determine common contributing factors across multiple events.

6. Determine the specific conditions that existed or were absent when risk events occurred and the way the conditions affected event frequency and loss magnitude.

7. Perform periodic event and risk factor analysis to identify new or emerging risk issues and to gain an understanding of the associated internal and external

DETAILED ACTIVITIES

Management needs to establish and maintain a method for collection, classification and analysis of risk-related data, which accommodates multiple events, categories of risk and risk factors.

Management can record relevant data on the enterprise internal and external operating environment that would play a significant role in management of risk.

There can be a survey and analysis of historical risk data and loss experience from externally available trends, industry peers through event logs, databases and agreements for common event disclosures.

The risk events that have caused or potentially cause impact to IT value benefits, programs and project delivery should be captured. In addition, data from incidents, problems and investigation can be recorded.

Management needs to determine the specific conditions that existed or were absent when risk events occurred and the way they affect event frequency and loss magnitude. Management should perform periodic event and risk factor analysis to identify new/emerging risk issues and gain an understanding of associated risk factors.


2. APO12.02 Analyze risk.

Develop useful information to support risk decisions that take into account the business relevance of risk factors.

ACTIVITIES

1. Define the appropriate breadth and depth of risk analysis efforts, considering all risk factors and the business criticality of assets. Set the risk analysis scope after performing a cost-benefit analysis.

2. Build and regularly update IT risk scenarios, including compound scenarios of cascading and/or coincidental threat types, and develop expectations for specific control activities, capabilities to detect and other response measures.

3. Estimate the frequency and magnitude of loss or gain associated with IT risk scenarios. Take into account all applicable risk factors, evaluate known operational controls and estimate residual risk levels.

4. Compare residual risk to acceptable risk tolerance and identify exposures that may require a risk response.

5. Analyze cost-benefit of potential risk response options such as avoid, reduce/mitigate, transfer/share, and accept and exploit/seize. Propose the optimal risk response.

6. Specify high-level requirements for projects or programs that will implement the selected risk responses. Identify requirements and expectations for appropriate key controls for risk mitigation responses.

7. Validate the risk analysis results before using them in decision making, confirming that the analysis aligns with enterprise requirements and verifying that estimations were properly calibrated and scrutinized for bias.

Management needs to define the appropriate breadth and depth of risk analysis efforts, considering all risk factors and the business criticality of assets, and set the risk analysis scope after performing a cost-benefit analysis.

Management needs to build and regularly update the risk scenarios, including compound scenarios of cascading/coincidental threat types, and develop expectations for specific control activities, capabilities to detect and other response measures.

Management needs to estimate the frequency and magnitude of loss or gain associated with risk scenarios. The applicable risk factors need to be taken into account, and management needs to evaluate known operational controls and estimate residual risk levels.

Residual risk needs to be compared with acceptable risk tolerance, and exposures that exceed tolerance need to be identified, because they will require a risk response.

Management needs to conduct a cost-benefit analysis of potential risk response options such as avoid, reduce/mitigate, transfer/share and accept, and propose the optimal response.

Management should specify high-level requirements for programs that will implement the risk responses.

Management should identify requirements for key controls. Management needs to validate the risk analysis results before using them for decision making, confirm that the analysis aligns with enterprise requirements, and verify that estimations were properly calibrated and scrutinized for bias.

3. APO12.03 Maintain a risk profile.

Maintain an inventory of known risk and risk attributes (including expected frequency, potential impact and responses) and of related resources, capabilities and current control activities.

ACTIVITIES MANAGEMENT’S ROLE

1. Inventory business processes, including supporting personnel, applications, infrastructure, facilities, critical manual records, vendors, suppliers and outsourcers, and document the dependency on IT service management processes and IT infrastructure resources.

Management can take an inventory of business processes, applications, infrastructure, facilities, critical manual records, vendors, etc., and document the dependency on IT service management processes and IT infrastructure resources.


2. Determine and agree on which IT services and IT infrastructure resources are essential to sustain the operation of business processes. Analyze dependencies and identify weak links.

3. Aggregate current risk scenarios by category, business line and functional area.

4. On a regular basis, capture all risk profile information and consolidate it into an aggregated risk profile.

5. Based on all risk profile data, define a set of risk indicators that allow the quick identification and monitoring of current risk and risk trends.

6. Capture information on IT risk events that have materialized, for inclusion in the IT risk profile of the enterprise.

Further, management should determine and agree on which IT services and infrastructure resources are essential to sustain the operation of business processes. Analyze dependencies and weak links.

Management needs to aggregate current risk scenarios by categories, business lines and functional areas.

On a regular basis, management should capture risk profile information and consolidate it into aggregated risk profiles. Based on the profiles, management needs to define a set of risk indicators that allow quick identification and monitoring of current risk trends.

Capture the information on risk events that have materialized for inclusion in profiles of the enterprise.
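The analysis steps of APO12.02 (estimate frequency and magnitude, evaluate known controls, compare residual risk with tolerance, cost-benefit the response options) and the aggregation and indicator steps of APO12.03 are easier to see with numbers. The following is an added worked example written for this guidance; it is not code from the ISACA publication or from COBIT 5. It models loss as annualised loss expectancy (frequency multiplied by per-event magnitude), models each control or response option as a fixed fractional reduction of frequency and/or magnitude with an annual cost, and treats tolerance as a per-scenario ceiling on residual annualised loss. Every scenario, figure, control effect and cost is a constructed assumption for illustration, not data from any enterprise.

```python
"""Added worked example for APO12.02 (analyze risk) and APO12.03 (maintain a risk
profile). Not from the ISACA publication or COBIT 5. All scenarios, figures and
control effects below are constructed assumptions for illustration only."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Control:
    name: str
    kind: str                   # response type: "reduce", "transfer" or "avoid"
    frequency_reduction: float  # fraction of event frequency removed (0..1)
    magnitude_reduction: float  # fraction of per-event loss removed (0..1)
    annual_cost: float          # INR per year, including opportunity cost


@dataclass
class RiskScenario:
    scenario_id: str
    category: str
    business_line: str
    frequency: float   # inherent events per year
    magnitude: float   # inherent loss per event, INR
    tolerance: float   # acceptable residual annualised loss, INR
    controls: list = field(default_factory=list)  # known operational controls

    def inherent_ale(self) -> float:
        """Annualised loss expectancy before any control: frequency x magnitude."""
        return round(self.frequency * self.magnitude, 2)

    def residual_ale(self, extra=()) -> float:
        """ALE after known controls plus any candidate response being evaluated."""
        f, m = self.frequency, self.magnitude
        for c in list(self.controls) + list(extra):
            f *= 1.0 - c.frequency_reduction
            m *= 1.0 - c.magnitude_reduction
        return round(f * m, 2)  # rounded to paise so comparisons are stable


def recommend_response(s: RiskScenario, candidates):
    """APO12.02 activities 4-5: compare residual risk with tolerance, then choose the
    response with the best net benefit among those that bring the exposure within
    tolerance. Returns (kind, control_or_None, net_benefit_inr)."""
    current = s.residual_ale()
    if current <= s.tolerance:
        return ("accept", None, 0.0)          # already within appetite: no spend
    best = None
    for c in candidates:
        new = s.residual_ale(extra=[c])
        net = round((current - new) - c.annual_cost, 2)   # loss avoided minus cost
        if new <= s.tolerance and (best is None or net > best[2]):
            best = (c.kind, c, net)
    # No option reaches tolerance: flag for escalation rather than silently accepting.
    return best or ("escalate", None, 0.0)


def risk_profile(scenarios):
    """APO12.03 activities 3-5: aggregate residual ALE by category and derive a
    risk indicator (residual / tolerance; above 1.0 means the category is breached)."""
    agg = defaultdict(lambda: {"residual": 0.0, "tolerance": 0.0})
    for s in scenarios:
        agg[s.category]["residual"] += s.residual_ale()
        agg[s.category]["tolerance"] += s.tolerance
    profile = {}
    for cat, a in agg.items():
        ratio = round(a["residual"] / a["tolerance"], 2)
        profile[cat] = {**a, "ratio": ratio, "breached": ratio > 1.0}
    return profile


# Constructed risk register (hypothetical figures, INR).
SCENARIOS = [
    RiskScenario("S1", "Data protection", "Retail banking", 0.5, 4_000_000, 1_000_000,
                 [Control("Access logging and review", "reduce", 0.2, 0.0, 200_000)]),
    RiskScenario("S2", "Availability", "Retail banking", 0.2, 3_000_000, 1_000_000,
                 [Control("Offline backups", "reduce", 0.0, 0.5, 100_000)]),
    RiskScenario("S3", "Financial reporting", "Finance", 0.1, 20_000_000, 1_000_000),
]

# Constructed response options per scenario (hypothetical effects and costs).
CANDIDATES = {
    "S1": [Control("Database encryption, keys held in HSM", "reduce", 0.0, 0.6, 300_000),
           Control("Cyber insurance for breach costs", "transfer", 0.0, 0.5, 450_000),
           Control("Stop storing card numbers", "avoid", 1.0, 0.0, 1_200_000)],
    "S2": [],
    "S3": [Control("Segregation of duties plus privileged access management", "reduce", 0.5, 0.0, 600_000),
           Control("Quarterly access review", "reduce", 0.2, 0.0, 50_000)],
}

if __name__ == "__main__":
    for s in SCENARIOS:
        kind, ctrl, net = recommend_response(s, CANDIDATES[s.scenario_id])
        extra = f" ({ctrl.name}, net benefit {net:,.0f})" if ctrl else ""
        print(f"{s.scenario_id}: inherent {s.inherent_ale():,.0f}, residual "
              f"{s.residual_ale():,.0f}, tolerance {s.tolerance:,.0f} -> {kind}{extra}")
    for cat, p in risk_profile(SCENARIOS).items():
        print(f"{cat}: indicator {p['ratio']}, breached={p['breached']}")
```

Two design points matter for the auditor reading the output. First, a scenario already within tolerance returns "accept" with no spend, so the accept decision is explicit and reviewable rather than implied by inaction. Second, when no candidate brings residual loss within tolerance the function returns "escalate" instead of picking the cheapest option, which is the condition APO12.04 expects to be reported to decision makers rather than absorbed by management.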

4. APO12.04 Articulate risk.

Provide information on the current state of IT-related exposures and opportunities in a timely manner to all required stakeholders for appropriate response.

ACTIVITIES DETAILED ACTIVITIES

1. Report the results of risk analysis to all affected stakeholders in terms and formats useful to support enterprise decisions. Wherever possible, include probabilities and ranges of loss or gain along with confidence levels that enable management to balance risk-return.

2. Provide decision makers with an understanding of worst-case and most-probable scenarios, due diligence exposures, and significant reputation, legal or regulatory considerations.

3. Report the current risk profile to all stakeholders, including effectiveness of the risk management process, control effectiveness, gaps, inconsistencies, redundancies, remediation status, and their impacts on the risk profile.

4. Review the results of objective third-party assessments, internal audit and quality assurance reviews, and map them to the risk profile. Review identified gaps and exposures to determine the need for additional risk analysis.

Management needs to report the results of risk analysis to all affected stakeholders in terms and formats that support enterprise decisions. Wherever possible, include probabilities and ranges of loss or gain with confidence levels so that management can balance risk and return.

Management can provide decision makers with an understanding of worst-case and most-probable scenarios, due diligence exposures, and significant reputation, legal or regulatory considerations.

The report on the current risk profile to stakeholders should include the effectiveness of the risk management process, control effectiveness, gaps, inconsistencies, redundancies, remediation status, and their impact on the risk profile.

Management should review the results of third-party assessments, internal audits and quality assurance (QA) reviews, and map them to the risk profiles.


5. APO12.05 Define a risk management action portfolio.

Manage opportunities to reduce risk to an acceptable level as a portfolio.

ACTIVITIES DETAILED ACTIVITIES

1. Maintain an inventory of control activities that are in place to manage risk and that enable risk to be taken in line with risk appetite and tolerance. Classify control activities and map them to specific IT risk statements and aggregations of IT risk.

2. Determine whether each organizational entity monitors risk and accepts accountability for operating within its individual and portfolio tolerance levels.

3. Define a balanced set of project proposals designed to reduce risk and/or projects that enable strategic enterprise opportunities, considering cost and benefits, effect on current risk profile and regulations.

Management needs to make an inventory of control activities that are in place to manage risk and that enable risk to be taken in line with appetite and tolerance. The control activities should be classified and mapped to specific risk statements and aggregations of risk.

Management needs to determine that risk and accountability for operating within individual and portfolio tolerance levels are monitored.

Management defines a balanced set of project proposals which are designed to reduce risk and/or projects that enable strategic opportunities considering the cost-benefit analysis.

6. APO12.06 Respond to risk.

Respond in a timely manner with effective measures to limit the magnitude of loss from IT-related events.

ACTIVITIES DETAILED ACTIVITIES

1. Prepare, maintain and test plans that document the specific steps to take when a risk event may cause a significant operational or development incident with serious business impact. Ensure that plans include pathways of escalation across the enterprise.

2. Categorize incidents, and compare actual exposures against risk tolerance thresholds. Communicate business impacts to decision makers as part of reporting, and update the risk profile.

3. Apply the appropriate response plan to minimize the impact when risk incidents occur.

4. Examine past adverse events/losses and missed opportunities, and determine root causes. Communicate root cause, additional risk response requirements and process improvements to appropriate decision makers and ensure that the cause, response requirements and process improvement are included in risk governance processes.

Management needs to prepare, maintain and test plans that document specific steps to take when a risk event may cause a significant operational or development incident with serious impact on the business. Further, ensure that plans include escalations across the enterprise.

There needs to be a categorization of incidents and a comparison of actual exposures against risk thresholds and communication to decision makers as a part of reporting and updating risk profiles.

Management should apply the appropriate response plan to minimize the impact when risk incidents occur. Afterwards, management should examine past adverse events and missed opportunities and determine their root causes.

Communicate the root causes, risk response requirements and process improvements to decision makers.


REFERENCES FOR THE PUBLICATION

• Companies Act, 2013

• Clause 49 of the Listing Agreement of SEBI

• Information Technology Act, 2000 (as Amended by IT Amendment Act, 2008)

• COBIT 5 framework

COBIT® 5: Enabling Processes

COBIT® 5 Implementation

COBIT® 5 for Risk

COBIT® 5 for Assurance

Securing Sensitive Personal Data or Information Under India’s IT Act Using COBIT® 5

COBIT® 5: Enabling Information

COBIT® 5 for Information Security


SECTION 2 – DETAILED PUBLICATION

Section 2 is the core section of this publication. It consists of the guidance note for compliance with governance and risk management regulations in India using COBIT 5, and it is divided into three chapters. Chapter 1 describes all the regulations that must be complied with in order to have the minimum required governance and ERM. Chapter 2 gives a brief introduction to the COBIT 5 framework, its five principles and its seven enablers. Chapter 3 gives a detailed explanation of how COBIT 5 can be used to comply with the regulations identified in chapter 1, for each stakeholder identified in the scope of this publication.

DEFINITIONS

The following terms are defined according to their respective acts. The same meaning should be used while interpreting this document.

Sr. No. Term Definition

1 Board of Directors In relation to a company, the collective body of the directors of the company

2 Independent Director An independent director referred to in sub-section (6) of section 149, i.e., a director other than a managing director or a whole-time director or a nominee director

a) in the opinion of the Board, a person of integrity who possesses relevant expertise and experience

(b) (i) person who is or was not a promoter of the company or its holdings, subsidiary or associate company

(b) (ii) person who is not related to promoters or directors in the company, its holdings, subsidiary or associate company

(c) person who has or had no pecuniary relationship with the company, its holdings, subsidiary or associate company, or their promoters, or directors, during the two immediately preceding financial years or during the current financial year

(d) person, none of whose relatives has or had a pecuniary relationship or transaction with the company, its holdings, subsidiary or associate company, or their promoters, or directors, amounting to two percent or more of its gross turnover or total income or fifty lakh rupees or such higher amount as may be prescribed, whichever is lower, during the two


(e) person who, neither himself nor any of his relatives—

(i) holds or has held the position of key managerial personnel or is or has been an employee of the company or its holdings, subsidiary or associate company in any of the three financial years immediately preceding the financial year in which he is proposed to be appointed

(ii) is or has been an employee or proprietor or a partner, in any of the three financial years immediately preceding the financial year in which he is proposed to be appointed, of:

(A) a firm of auditors or company secretaries in practice or cost auditors of the company or its holdings, subsidiary or associate company; or

(B) any legal or consulting firm that has or had any transaction with the company, its holdings, subsidiary or associate company amounting to ten percent or more of the gross turnover of such firm

(iii) holds together with his relatives two percent or more of the total voting power of the company or

(iv) is a chief executive or director, by whatever name called, of any nonprofit organization that receives twenty-five percent or more of its receipts from the company, any of its promoters, directors or its holdings, subsidiary or associate company, or that holds two percent or more of the total voting power of the company or

(f) who possesses such other qualifications as may be prescribed

3 Key Managerial Personnel In relation to a company:

(i) the CEO or the managing director or the manager

(ii) the company secretary

(iii) the whole-time director

(iv) the chief financial officer; and


4 Sensitive Personal Data Personal information that relates to passwords; financial information such as bank account or credit card or debit card or other payment instrument details; physical, psychological and mental health condition; sexual orientation; medical records and history, biometric information

5 Body Corporate Any company, including a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities. The term is not restricted to a body corporate established in India.

Data Processor An organization that collects, stores or processes sensitive data on behalf of a body corporate.

8 Identity Theft A form of stealing someone's identity in which someone pretends to be someone else by assuming that person's identity, usually as a method to gain access to resources. This process is also called personation.

9 Cyberterrorism Whoever, with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in the people or any section of the people, by:

(i) denying or causing the denial of access to any person authorized to access a computer resource; or

(ii) attempting to penetrate or access a computer resource without authorization or exceeding authorized access; or

(iii) introducing or causing to introduce any computer contaminant,

and by means of such conduct causes or is likely to cause death or injuries to persons or damage to or destruction of property, or disruption of, or knowing that it is likely to cause damage or disruption of, supplies or services essential to the life of the community, or adversely affects the critical information infrastructure specified under section 70.

10 Intermediary Any person who on behalf of another person stores or transmits a message or provides any service with respect to that message

11 Computer resources Computer, communication device, computer system, computer network, data, computer database or software

1 Internal Control Processes and methods designed by management or other personnel to ensure the integrity of financial and accounting information, to meet operational and profitability targets, and to transmit management policies throughout the organization. Basic policies related to internal controls were created to ensure suitable business practices.

2 Audit Committee An operating committee of a company's board of directors that is in charge of overseeing financial reporting and disclosure. They are also responsible for overseeing all internal and external audit functions of a company.


3 Whistleblower Anyone who has and reports insider knowledge of illegal activities occurring in an organization. Whistleblowers can be employees, suppliers, contractors, clients or any individual who somehow becomes aware of illegal activities taking place in a business, either through witnessing the behavior or being told about it. In other words, a person who informs on a person or organization regarded as engaging in an unlawful or immoral activity.


CHAPTER 1 - GOVERNANCE AND RISK MANAGEMENT IN INDIA – REGULATORY REQUIREMENTS TO COMPLY WITH THE INDIAN REGULATIONS

This chapter presents information on the enactments and provides the scope and objectives of this guidance note using COBIT 5. The COBIT 5 guidance itself is explained in detail in chapter 3 with respect to each stakeholder. The Companies Act, 2013 and Clause 49 receive the most attention. Because this is also the digital era, importance is also given to the Information Technology Act, 2000 (as amended by the IT Amendment Act, 2008) with respect to the data privacy and penalty laws in India.

All of the respective regulations have been identified and explained for every stakeholder in the scope of this publication with reference to the governance, risk management, assurance and privacy regulations.

GOVERNANCE

Governance regulatory requirements for every stakeholder have been identified from the Companies Act, 2013 and Clause 49 and have been explained in the following table.

Section Reference Regulatory Requirement

Companies Act, 2013 Section – 149, Schedule – IV

The Company and independent directors shall abide by the provision specified in Schedule IV, which includes the roles and functions of independent directors, i.e.:

• To help in bringing an independent judgment to bear on the board’s deliberations on risk management issues

• To satisfy themselves on the integrity of financial information, those financial controls, and that the systems of risk management are robust and defensible

How this document will be useful Provides guidance by mapping to COBIT 5 processes EDM03, APO12, and their relevant management practices as identified for the various stakeholders in chapter 3

Companies Act, 2013 Section – 177, Clause – 4(vii)

Every audit committee shall act in accordance with the terms of reference specified in writing by the board, which shall inter alia include evaluation of internal financial controls and risk management systems.

How this document will be useful Provides guidance by mapping to COBIT 5 processes EDM01, EDM03, APO01, BAI01, BAI02, DSS06, MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Clause 49

Section – IV, Clause – (c)

The company shall lay down procedures to inform board members about the risk assessment and minimization procedures. These procedures shall be periodically reviewed to ensure that executive management controls risk through means of a properly defined risk management framework.

How this document will be useful Provides guidance by mapping to COBIT 5 processes EDM01, EDM03, APO01, APO02, APO12, BAI01, BAI02 DSS06, MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Clause 49

Section – IV, Clause – (f)

As part of the directors’ report or as an addition thereto, a Management Discussion and Analysis report should form part of the Annual Report to the shareholders. This Management Discussion and Analysis report should include discussion on risks and concerns within the limits set by the company’s competitive position.

How this document will be useful Provides guidance by mapping to COBIT 5 processes EDM03, APO01, APO12, BAI01, BAI02, BAI06, BAI07, DSS01, DSS06 and their relevant management practices as identified for the various stakeholders in chapter 3

Companies Act, 2013 Section – 138 (1)

Such class or classes of companies as may be prescribed shall be required to appoint an internal auditor, who shall be either a chartered accountant or a cost accountant, or such other professional as may be decided by the board to conduct internal audit of the functions and activities of the company.

How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Companies Act, 2013 Section – 143, Clause 3(i)

The auditor’s report shall also state whether the company has adequate internal financial controls system in place and the operating effectiveness of such controls.

How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Companies Act, 2013 Section – 177 (4)

Every audit committee shall act in accordance with the terms of reference specified in writing by the board which shall, inter alia, include:

Review and monitor of the auditor’s independence and performance, and the effectiveness of the audit process.

Evaluation of internal financial controls and risk management systems

How this document will be useful Provides guidance by mapping to COBIT 5 processes EDM01, EDM03, MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Clause 49

Section – II, Clause – (d), (e)

The role of the audit committee shall include the following:

a) Reviewing, with management, performance of statutory and internal auditors, and adequacy of the internal control systems

b) Reviewing the adequacy of internal audit function, if any, including the structure of the internal audit department, staffing and seniority of the official heading the department, reporting structure coverage and frequency of internal audit

c) Discussion with internal auditors of any significant findings and follow up

d) Reviewing the findings of any internal investigations by the internal auditors into matters where there is suspected fraud or irregularity or a failure of internal control systems of a material nature and reporting the matter to the board

e) Management discussion and analysis of financial condition and results of operations

f) Management letters/letters of internal control weaknesses issued by the statutory auditors.

g) Internal audit reports relating to internal control weaknesses

How this document will be useful Provides guidance by mapping to COBIT 5 processes EDM01, EDM03, MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3


RISK MANAGEMENT

Risk management regulatory requirements for every stakeholder have been identified from the Companies Act, 2013 and Clause 49 and have been explained in the following table.

Section Reference Regulatory Requirement

Companies Act, 2013 Section - 134, Clause - 3(n)

There shall be attached to statements laid before a company in general meeting, a report by its board of directors, which shall include a statement indicating development and implementation of a risk management policy for the company, including identification of elements of risk, if any, which in the opinion of the board may threaten the existence of the company.

How this document will be useful Provides guidance by mapping to COBIT 5 processes EDM03, APO12 and their relevant management practices as identified for the various stakeholders in chapter 3

Companies Act, 2013

Section - 149 (8), Schedule – IV

The independent director shall help in bringing an independent judgment to bear on the board’s deliberations on risk management resources and satisfy themselves that financial controls and the systems of risk management are robust and defensible.

How this document will be useful Provides guidance by mapping to COBIT 5 processes EDM01, EDM04, EDM03, APO12, DSS06 and their relevant management practices as identified for the various stakeholders in chapter 3

Clause 49

Section - IV, Clause – c

The company shall lay down procedures to inform board members about the risk assessment and minimization procedures. These procedures shall be periodically reviewed to ensure that executive management controls risk through means of a properly defined framework.

How this document will be useful Provides guidance by mapping to COBIT 5 processes EDM01, EDM05, APO12, DSS06, MEA01, MEA02, MEA03, DSS01 and their relevant management practices as identified for the various stakeholders in chapter 3

Clause 49

Section - IV, Clause – f

Management Discussion and Analysis report should include discussion on risks and concerns as well as internal control systems and their adequacy within the limits set by the company’s competitive position.

How this document will be useful Provides guidance by mapping to COBIT 5 processes APO12, MEA02 and their relevant management practices as identified for the various stakeholders in chapter 3


ASSURANCE

Assurance regulatory requirements for the auditor stakeholder have been identified from the Companies Act, 2013 and Clause 49 and have been explained in the following table.

Section Reference Regulatory Requirement

Companies Act, 2013 Section – 177, Clause – 4(vii)

Every audit committee shall act in accordance with the terms of reference specified in writing by the board, which shall include evaluation of internal financial controls and risk management systems.

How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Companies Act, 2013 Section - 138 (1)

Prescribed classes of companies shall be required to appoint an internal auditor, who is an assurance professional (auditor) decided by the board to conduct internal audit of the functions and activities of the company.

How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Companies Act, 2013 Section - 143 (3), clause – i

The auditor’s report shall state that whether the company has adequate internal financial controls system in place and the operating effectiveness of such controls.

How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Clause 49

Section - II, Clause - d (6)

The role of the audit committee shall include reviewing, with management, the performance of statutory and internal auditors, and adequacy of the internal control systems.

How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Clause 49

Section - II, Clause - d (7)

The role of the audit committee shall include reviewing the adequacy of internal audit function, if any, including the structure of the internal audit department, staffing and seniority of the official heading the department, reporting structure coverage and frequency of internal audit.

How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Clause 49

Section - II, Clause - d (9)

The role of the audit committee shall include reviewing the findings of any internal investigations by the internal auditors into matters where there is suspected fraud or irregularity or a failure of internal control systems of a material nature and reporting the matter to the board.

How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Clause 49

Section - II, Clause - d (12)

The role of the audit committee shall include reviewing the functioning of the whistle-blower mechanism, in case the same is prevailing.

How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Clause 49

Section - II, Clause - e (1)

The audit committee shall mandatorily review the management discussion and analysis of financial condition and results of operations.

How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Clause 49

Section - II, Clause - e (3)

The audit committee shall mandatorily review the management letters / letters of internal control weaknesses issued by the statutory auditors.

How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Clause 49

Section - II, Clause - e (4)

The audit committee shall mandatorily review the internal audit reports relating to internal control weaknesses.

How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Clause 49

Section - VII, Clause - 1

The company shall obtain a certificate from either the auditors or practicing company secretaries regarding compliance of conditions of governance as stipulated in this clause and annex the certificate with the directors’ report, which is sent annually to all the shareholders of the company.


INFORMATION TECHNOLOGY ACT, 2000 (AS AMENDED BY INFORMATION TECHNOLOGY AMENDMENT ACT, 2008)

Data privacy and penalty regulatory requirements for every stakeholder have been identified from the Information Technology Act, 2000 (as amended by the IT Amendment Act, 2008) and have been explained in the following table.

Section Reference Regulatory Requirement

Section 43A The obligation to protect sensitive personal data applies to every entity (body corporate) that:

• Possesses, deals with or handles any sensitive personal data or information (SPDI)

• In a computer resource that it owns, controls or operates

How this document will be useful Provides guidance by mapping to COBIT 5 processes APO13, MEA02, MEA03, DSS02, DSS05 and their relevant management practices as identified for the various stakeholders in chapter 3

Section 43A Where an entity that is obliged to maintain security of sensitive personal data is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such entity would be liable to pay damages by way of compensation to the person so affected.

How this document will be useful Provides guidance by mapping to COBIT 5 processes APO13, MEA02, MEA03, DSS02, DSS05 and their relevant management practices as identified for the various stakeholders in chapter 3

Section 43A Body corporate to provide policy for privacy and disclosure of information.

The body corporate or any person who on behalf of the body corporate collects, receives, possesses, stores, deals in or handles information of a provider of information shall provide a privacy policy for handling of or dealing in personal information, including sensitive personal data or information, and ensure that the policy is available for view by the providers of information who have provided such information under lawful contract.

How this document will be useful Provides guidance by mapping to COBIT 5 processes EDM01, EDM03 and their relevant management practices as identified for the various stakeholders in chapter 3

Section 66E Punishment for violation of privacy:

Whoever intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with a fine not exceeding two lakh rupees, or with both.

How this document will be useful N/A

Section 66A: Any person who sends, by means of a computer resource or a communication device:

a) any information that is grossly offensive or has menacing character; or

b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes use of such computer resource or communication device; or

c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience, or to deceive or mislead the addressee or recipient about the origin of such messages (inserted vide ITAA 2008)

Note: Section 66A was struck down as unconstitutional by the Supreme Court of India in Shreya Singhal v. Union of India (2015), so it can no longer be relied on as a compliance requirement.


Section 66B Whoever dishonestly receives or retains any stolen computer resource or communication device knowing or having reason to believe the resource or device to be stolen, shall be punished with imprisonment of either description for a term, which may extend to three years or with a fine, which may extend to rupees one lakh or with both imprisonment and a fine.

How this document will be useful N/A

Section 66C Whoever fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to a fine which may extend to rupees one lakh.

How this document will be useful N/A

Section 66D Whoever, by means of any communication device or computer resource cheats by personation, shall be punished with imprisonment of either description for a term, which may extend to three years and shall also be liable to a fine, which may extend to one lakh rupees.

How this document will be useful N/A

Section 67C: (1) An intermediary shall preserve and retain such information as may be specified, for such duration and in such manner and format as the central government may prescribe. (2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with imprisonment for a term which may extend to three years and shall also be liable to a fine.

How this document will be useful N/A

SUMMARY

Considerable effort is being made in India to achieve effective governance and risk management. Governance and risk management are regulated by the Companies Act, 2013 and Clause 49. Data that are generated have to be preserved with confidentiality and privacy in mind; the privacy of such data is regulated by the Information Technology Act, 2000 (as amended in 2008).


CHAPTER 2: INTRODUCTION TO COBIT 5

Executive Summary

According to COBIT 5, information is the currency of the 21st century enterprise. Information, and the technology that supports it, can drive success, but it also raises challenging governance and management issues. This section explains the need for using the approach and latest thinking provided by the globally recognized COBIT 5 framework as a benchmark for reviewing and implementing governance and management of enterprise IT. It explains the principles and enablers of COBIT 5 and how it can be an effective tool to help enterprises simplify complex issues, deliver trust and value, manage risk, reduce potential public embarrassment, protect intellectual property and maximize opportunities.

COBIT 5 helps enterprises to manage IT-related risk and ensures compliance, continuity, security and privacy. COBIT 5 enables clear policy development and good practice for IT management, including increased business user satisfaction. The key advantage of using a generic framework such as COBIT 5 is that it is useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.

Five Principles of COBIT 5

Source: COBIT 5, ISACA, USA, 2012, figure 2

COBIT 5 simplifies governance challenges with just five principles. Taken together, the five key principles for governance and management of enterprise IT in COBIT 5 enable the enterprise to build an effective governance and management framework that optimizes information and technology investment and use for the benefit of stakeholders.

Principle 1: Meeting Stakeholder Needs: Enterprises exist to create value for their stakeholders by maintaining a balance between the realization of benefits and the optimization of risk and use of resources. COBIT 5 provides all of the required processes and other enablers to support business value creation using IT. Because every enterprise has different objectives, an enterprise can customize COBIT 5 to suit its own context through the goals cascade, translating high-level enterprise goals into manageable, specific, IT-related goals and mapping these to specific processes and practices.

The COBIT 5 goals cascade is the mechanism to translate stakeholder needs to specific, actionable and customized enterprise goals—IT-related goals and enabler goals.
