Why Digitization, Risk Assessment and IT Audit?

Background

Earlier, computers were used merely for storing records. Now they have become the backbone of the decision-making process of a business. The use of technology has made business more efficient, yet we cannot overlook the fact that the associated risks have evolved along with the technology. This emphasizes the need to implement internal controls in the IT infrastructure of a business to avoid, mitigate, reduce or accept risks. People normally focus on manual, human-driven risks but tend to ignore risks at the IT infrastructure level, some of which even a person with limited knowledge can exploit.

This article discusses a wide array of subjects, including some practical scenarios of fraud in an IT infrastructure, the influence of COVID-19 on digitization, and the importance of risk assessment and IT systems audit. The language of the article is kept simple so that a general audience can relate and understand.

Scenarios

Let us assume different scenarios wherein a fraudster, say Mr. Fraud, could try and circumvent the IT infrastructure. We will also discuss a potential solution that an entity could implement to counter Mr. Fraud’s notorious intentions.

Assume Mr. Fraud has recently joined the purchase department of Victim Company. Out of old, die-hard habit, he decides to fiddle around with the existing IT controls.

Attempts and potential solutions:

  1. Attempt: Mr. Fraud realises that he is able to access the vendor master. Also, he is able to create and modify records in the vendor master. Mr. Fraud creates a fictitious vendor ‘The Fraud Enterprises’ in the system.

     Potential solutions:
       • Restrict access to the vendor master to authorized personnel only.
       • Segregate duties of people based on access to create/modify a vendor.
       • Additionally, implement a maker-checker control whereby another person has to approve the vendor. A maker-checker control requires a transaction entered by one person to be approved by a different person before it is processed.

  2. Attempt: Let’s assume a case where Mr. Fraud could not create a vendor but was able to create a purchase order for ‘The Fraud Enterprises’. The system allowed creating purchase orders for suppliers not defined in the vendor master.

     Potential solutions:
       • Restrict purchases, receipts and invoices to suppliers defined in the vendor master and to goods and services defined in the item master.
       • Additionally, restrict creating/modifying purchase orders for value of goods and services above the rates defined in the item master.

  3. Attempt: Mr. Fraud makes an under-the-table deal with a supplier, Mr. Opportunist, and creates a fictitious purchase order in his name.

     Potential solutions:
       • Restrict access to the transactions that create/modify purchase orders to authorized personnel only.

  4. Attempt: Mr. Fraud performs a fictitious inventory receipt from Mr. Opportunist.

     Potential solutions:
       • Map Goods Receipt transactions to open Purchase Orders to restrict over-receipt of goods.
       • Segregate duties of people who have access to create/modify Purchase Orders and people who have access to create/modify Inventory Receipts.
       • Define an upper tolerance limit for restricting receipt of goods above a certain level from the quantity mentioned in the respective purchase order.

  5. Attempt: Mr. Fraud books a fictitious purchase invoice from Mr. Opportunist.

     Potential solutions:
       • Map Purchase Invoice transactions to un-booked goods receipts and open Purchase Orders to restrict over-invoicing at quantity and amount level.
       • Segregate duties of people who have access to create/modify Purchase Orders, people who have access to create/modify Inventory Receipts and people who have access to create/modify Invoices.

  6. Attempt: Mr. Fraud books a fictitious purchase invoice from Mr. Opportunist and makes a payment order.

     Potential solutions:
       • Restrict access to payment orders to authorized personnel only.
       • Segregate duties of people with access to create/modify invoices and people with access to create/modify payment orders.
       • Additionally, implement a maker-checker control where another person has to approve the payment order.

The above instances are simply illustrative; the scope of fraud and of the controls against it is extremely broad. We have just seen the tip of the giant iceberg hidden underneath the sea.

The controls discussed in the above illustrations are known as application controls. They include completeness and validity checks, identification, authentication, authorization, input controls, and forensic controls, among others.
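The controls from scenarios 2, 4, 5 and 6 written as validity checks on each transaction, as an added example that is not part of the original article. The record layout, the user names, the vendor code and the 5% tolerance are assumptions made for illustration.

```python
from dataclasses import dataclass, field
VENDOR_MASTER = {"V001"}       # constructed sample: approved vendor codes
TOLERANCE_PCT = 5              # assumed upper tolerance for over-receipt

class ControlViolation(Exception):
    """Raised when an application control rejects a transaction."""

@dataclass
class PurchaseOrder:
    vendor: str
    qty: int
    rate: int                  # rate per unit, whole rupees
    created_by: str
    received: int = 0
    invoiced: int = 0
    receivers: set = field(default_factory=set)

def create_po(vendor, qty, rate, user):
    # Scenario 2: orders only for suppliers defined in the vendor master.
    if vendor not in VENDOR_MASTER:
        raise ControlViolation("vendor not in vendor master")
    return PurchaseOrder(vendor, qty, rate, user)

def receive_goods(po, qty, user):
    # Scenario 4: segregate PO and receipt duties; cap over-receipt.
    if user == po.created_by:
        raise ControlViolation("SoD: PO creator cannot book the receipt")
    if (po.received + qty) * 100 > po.qty * (100 + TOLERANCE_PCT):
        raise ControlViolation("receipt exceeds PO quantity plus tolerance")
    po.received += qty
    po.receivers.add(user)

def book_invoice(po, qty, amount, user):
    # Scenario 5: match the invoice to un-booked receipts and the PO rate.
    if user == po.created_by or user in po.receivers:
        raise ControlViolation("SoD: invoice booked by PO or receipt user")
    if po.invoiced + qty > po.received:
        raise ControlViolation("invoice quantity exceeds un-booked receipts")
    if amount > qty * po.rate:
        raise ControlViolation("invoice amount exceeds PO rate")
    po.invoiced += qty
    return {"amount": amount, "booked_by": user}

def approve_payment(invoice, maker, checker):
    # Scenario 6: segregate invoice and payment duties; maker-checker.
    if maker == invoice["booked_by"]:
        raise ControlViolation("SoD: invoice booker cannot raise payment")
    if checker == maker:
        raise ControlViolation("maker-checker: approver must differ from maker")
    return {"pay": invoice["amount"], "maker": maker, "checker": checker}

def blocked(fn, *args):  # True if the control rejects the transaction
    try:
        fn(*args)
    except ControlViolation:
        return True
    return False

if __name__ == "__main__":  # Mr. Fraud creates a PO, then tries to receive it himself
    print(blocked(receive_goods, create_po("V001", 100, 50, "fraud"), 100, "fraud"))
```

Each function rejects the transaction before any state changes, so a blocked attempt leaves the purchase order's received and invoiced quantities untouched.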

Impact of COVID-19 pandemic

The situation created by the COVID-19 pandemic has been an eye-opener for many business entities, and by now they must have realized the importance of digitization. It is time for people who were averse to technology to embrace it, but with caution. A strong IT infrastructure is definitely a roadmap to a very successful future. A question which everyone should ponder is: what is your strategy during the crisis, right after the crisis and for the new normal?

Need of the hour

Embracing new technology is the roadmap to transform business models, drive growth and improve efficiency. The business processes and controls, though efficient and effective today, may be completely obsolete tomorrow.

Yet, we must also realize the risks which come along with digitization, as discussed earlier. One can avoid many risks simply by implementing commonly known best practices. To survive and thrive, learning from the past while looking at the future should form the base of risk management. The risk assessment should include all categories of risk and should be enterprise-wide. Additionally, in light of the fast-paced change of technology, one must update the controls regularly as well.

Conclusion

It has become incumbent on businesses to ensure the security of their IT infrastructure and the confidentiality, integrity and availability of their applications and the associated data.

This has increased the importance of IT systems audit. The role of an IT auditor is unknown to most, but it impacts the lives of all. It adds security, reliability and accuracy to the IT infrastructure of the business. The role of an IT auditor is extremely dynamic and includes identifying the weaknesses in the IT infrastructure and creating action plans to prevent threats before they materialize.

The need for audit of Information Systems can be highlighted as under:

  • High Cost of Incorrect Decision Making: Management and operational controls taken by managers involve detection, investigations and correction of the processes. An independent third-party review can ensure accurate data to make quality decisions.
  • High Cost of Computer Error: In a computerized enterprise environment where many critical business processes are performed through the use of systems, an error in data has a huge potential of disruption.
  • High Cost of Uncontrolled Evolution of Technology: Use of technology and reliability of complex computer systems cannot be guaranteed and the consequences of using unreliable systems can be destructive.
  • High Cost of Technology Abuse: Unauthorized access to systems, unauthorized physical access to facilities and unauthorized copies of sensitive data can lead to destruction of assets (hardware, software, data, information etc.).

The key benefits of IT Audit can be classified as under:

  • Enhanced security of data: It provides the business an opportunity to improve or strengthen poorly designed or ineffective controls.
  • Reduced IT Related Risks: It reduces, if not mitigates, the risks of confidentiality, integrity and availability of IT processes and data due to timely assessment.
  • Enhanced IT Governance: Compliance with laws and regulations by the business and its stakeholders should be inherently built into the IT infrastructure. It provides a business with an evaluation of how well it is aligned with the law.

Conducting a risk assessment more frequently, ideally on a continuous basis, will go a long way to avoid, reduce or mitigate risks. An IT Auditor can bring the required subject-matter knowledge and business insights to provide an objective assessment of the current state and offer guidance on developing an efficient and effective internal process.

To prepare for tomorrow is not something which can be done overnight but is a journey. Digitization, or should we say Machine over Man, is likely going to be the new normal. Are we ready?

Let’s connect to discuss more.

E-Invoice Eco-System of India: A perspective of the Ideal World Scenario

Introduction

The GST council approved the introduction of the E-invoice System in a phased manner for business-to-business (B2B) invoices from 1st January, 2020 on a voluntary basis. As of now, the mandatory requirement of E-invoicing for registered persons whose aggregate turnover in a financial year exceeds INR 100 crores shall apply from 1st October, 2020 vide Notification No. 13/2020 – Central Tax dated 23rd March, 2020. Also, the requirement of capturing a dynamic QR code for registered persons whose aggregate turnover in a financial year exceeds INR 500 crores while making supplies to unregistered persons shall apply from 1st October, 2020 vide Notification No. 14/2020 – Central Tax dated 23rd March, 2020.

However, there is a lot of confusion prevailing over this topic, and many of the terms have become mere jargon. I aim to simplify the understanding of e-invoice in layman's terms. This will enable readers to understand how the system works and what will happen if you choose to adopt it.

What is E-invoice?

There is a lot of confusion, and there are many queries, about the operation of the E-invoice System. Many believe that E-invoicing will eliminate the use of their accounting software / ERP. Let us put all such notions to rest.

In simple terms, E-invoice means a standard set of fields which is uploaded to the Invoice Registration Portal (IRP). The details which are available on a regular invoice will be uploaded to the IRP. The process is very similar to data being uploaded for filing of GSTR 1.

However, there is a slight difference. In this system, a method has been introduced where an invoice is converted into data in a common standard which can be read by anyone in the GST ecosystem.

The IRP will validate the data uploaded by the user and on successful validation, will generate a unique Invoice Registration Number (IRN) / Hash. The IRN will be generated by a hashing algorithm which will always remain unique for each invoice. Alternatively, the IRN can be generated by the accounting software/ERP using the hashing algorithm. The invoice will be digitally signed and a QR code for the same will be generated with the following parameters:

  • GSTIN of the supplier
  • GSTIN of the Recipient
  • Invoice number as given by Supplier
  • Date of invoice
  • Invoice value
  • Number of line items
  • HSN code of the line item having highest taxable value
  • Unique IRN / Hash

This will enable the invoice to be read by any handheld or other device with the functionality of reading QR codes.

What is IRN?

IRN is generated by the E-invoice system using a hash generation algorithm. For every document submitted on the E-invoice System, a unique 64 character IRN shall be generated. This will be unique for each invoice.

How does it impact the common user of the accounting software / ERP?

It does not at all. The invoices generated by you will remain the same. The procedure would probably be performed by the accounting software / ERP in the background, where the software will upload the details of the invoice to the IRP in scheduled batches.

World-wide implementation of E-invoicing (2018)

E-invoicing for B2B transactions is mandatory in the following countries:

  • Belarus
  • Brazil
  • Chile
  • Costa Rica
  • Indonesia
  • Mongolia
  • Rwanda
  • Turkey
  • Ukraine
  • Uruguay

E-invoicing is not mandatory but is allowed in the following countries:

  • Albania
  • Angola
  • Australia
  • Austria
  • Belgium
  • Botswana
  • Bulgaria
  • China (mainland)
  • Croatia
  • Curacao
  • Cyprus
  • Czech Republic
  • Denmark
  • El Salvador
  • Estonia
  • Finland
  • France
  • Germany
  • Guam
  • Hong Kong
  • Iceland
  • Ireland
  • Isle of Man
  • Israel
  • Italy
  • Kazakhstan
  • Korea
  • Latvia
  • Lithuania
  • Luxembourg
  • Macedonia
  • Malta
  • Moldova
  • Namibia
  • Netherlands
  • New Zealand
  • Norway
  • Pakistan
  • Papua New Guinea
  • Philippines
  • Poland
  • Portugal
  • Romania
  • Russia
  • Senegal
  • Serbia
  • Singapore
  • Slovakia
  • Slovenia
  • South Africa
  • Spain
  • Sri Lanka
  • Sweden
  • Switzerland
  • Taiwan
  • Uganda
  • United Kingdom
  • Vietnam

This signifies that India has decided to take a leap and be in line with global methodologies. However, we must understand that not many countries have made E-invoicing compulsory.

One implication that can be drawn from this is that countries more developed than ours are also facing challenges. Another is that those countries do not feel the need to do so. Whatever the case may be, we cannot ignore the benefits and challenges of adopting e-invoicing.

Why should we adopt E-invoicing?

  • Since the outward supplies will be uploaded by the accounting software/ERP regularly and automatically, the time and effort of filing monthly / quarterly returns will be reduced considerably.
  • Since the suppliers upload their invoices regularly, the reconciliation process will be seamless or near-seamless. The data of the suppliers can be downloaded by the accounting software/ERP as and when they are uploaded and the entries pertaining to the inward supplies can be entered automatically on the basis of certain pre-defined set of rules.
  • One standard structure of the invoice will be followed throughout.
  • Regular reconciliation will reduce the possibilities of fake invoices.
  • E-invoicing will reduce printing of papers making it an eco-friendly measure.
  • Near real-time availability of information will ensure better accounting.
  • Automatic data will be transferred to the E-way bill system which will reduce time and effort.
  • Manual errors will be reduced if data is uploaded automatically by the system.

Along with the benefits provided to users, this will also strengthen the detective controls adopted by the GST departments where they will be able to detect fraudsters on the basis of irregular patterns.

Challenges in implementing E-invoicing

India is still developing and technology is yet to reach the masses. There are many businessmen in the MSME sector who are still generating invoices manually using invoice books. They provide the copy of the invoices to their tax consultants or tax return preparers for filing GST returns. Not everyone is equipped with the requisite infrastructure.

The E-invoice system cannot function to its full strength until and unless all the tax payers become part of the system.

Additionally, many accounting software packages/ERPs do not follow the standard system development life cycle (SDLC) and are prone to bugs. If the system is improperly integrated and exceptions are poorly handled, there is a likelihood of information not being completely uploaded to the IRP. This will compromise the availability aspect and can prove a hurdle to successful implementation.

The invoices might not be synchronized during downtime of the IRP, if any. Though duplication of invoices has been controlled by the use of the IRN/hash, there always remains the possibility of invoices being skipped for upload due to an error or incorrect behaviour of the accounting software/ERP or the IRP.
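A reconciliation that flags duplicated and skipped uploads by comparing IRNs, added here as an example; it is not code from the IRP or from any accounting package. SHA-256 is assumed because its hex digest has the 64 characters mentioned under "What is IRN?", and the hashed fields, their order, the `|` separator and the GSTIN are assumptions or constructed values.

```python
import hashlib
from collections import Counter

def compute_irn(supplier_gstin, fin_year, doc_type, doc_no):
    # Assumption: the IRN is a SHA-256 hash over the supplier GSTIN, financial
    # year, document type and document number. Take the authoritative input
    # format from the IRP specification before relying on the values.
    key = "|".join([supplier_gstin, fin_year, doc_type, doc_no]).upper()
    return hashlib.sha256(key.encode("utf-8")).hexdigest()

def reconcile(erp_register, irp_acknowledged):
    """Compare the ERP invoice register with the IRNs acknowledged by the IRP."""
    irns = [compute_irn(i["gstin"], i["fy"], i["type"], i["no"])
            for i in erp_register]
    counts = Counter(irns)
    acked = set(irp_acknowledged)
    pairs = list(zip(erp_register, irns))
    return {
        # Same IRN computed for more than one ERP record: duplicate invoice.
        "duplicates": sorted({i["no"].upper() for i, h in pairs if counts[h] > 1}),
        # In the books but never acknowledged by the IRP: skipped upload.
        "skipped": sorted({i["no"].upper() for i, h in pairs if h not in acked}),
        # Acknowledged by the IRP but absent from the books: investigate.
        "unknown_acks": sorted(acked - set(irns)),
    }

# Constructed sample data (not real taxpayer records).
GSTIN = "27AAAAA0000A1Z5"
ERP_REGISTER = [
    {"gstin": GSTIN, "fy": "2020-21", "type": "INV", "no": "INV-001"},
    {"gstin": GSTIN, "fy": "2020-21", "type": "INV", "no": "INV-002"},
    {"gstin": GSTIN, "fy": "2020-21", "type": "INV", "no": "inv-002"},  # re-keyed
    {"gstin": GSTIN, "fy": "2020-21", "type": "INV", "no": "INV-003"},  # upload failed
]
IRP_ACKS = [compute_irn(GSTIN, "2020-21", "INV", n) for n in ("INV-001", "INV-002")]
REPORT = reconcile(ERP_REGISTER, IRP_ACKS)

if __name__ == "__main__":
    for finding, items in REPORT.items():
        print(finding, items)
```

Running such a check after every scheduled batch, and again after any IRP downtime, turns the skipped-upload risk into a detective control.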

Also, with every structural update by the IRP team, the users will be required to update their accounting software/ERP in order to stay in sync with the E-invoice system. The users will have to ensure that they receive constant support from the accounting software/ERP provider.

Are we ready?

The GST council has implemented E-way bill in a phased manner. Speaking about readiness, we will never be completely ready considering the dynamics of India. Radical decisions will have to be implemented in a structured, systematic and phased manner.

During any implementation phase, resistance is always felt. It will be very important for the GST council to implement it in a manner that does not excessively impact the dynamics of business in the country but also does not excessively delay the implementation.

It is very important for the taxpayers to welcome the benefits of the system with open arms despite facing hurdles during the implementation phase. Keeping the long-term benefit in mind, the taxpayers should prepare, update and change with the system.

The law is definitely moving very fast. It’s time for the people to keep up with the pace and move along.

However, I would also like to emphasize that along with the tax payers, the authorities should also be provided apt infrastructure in order to retrieve the necessary data on demand. This will ensure minimum interactions between the authorities and tax payers and will not create further hurdles in the process.

The Ideal World Scenario

Let us assume a scenario where everyone has adopted E-invoicing and it is being used on near real-time basis. This scenario will enable:

  • Near real-time automatic verification of accounts between suppliers and customers.
  • Issuing fake invoices will be reduced considerably.
  • The origin of the accounts can be tracked along with the chain of invoices.
  • The business can set pre-conditions where automatic entry of inward supply transactions can be triggered on meeting of certain conditions.
  • The cost and efforts of compliance will be significantly reduced.
  • The speed and efficiency will be increased significantly along with significant decrease in manual human errors.

Have suggestions or feedback? Let’s connect to discuss more!

Guide for Professionals: Setup Work from Home IT Infrastructure in 15 minutes

To fight this COVID-19 situation, we all are in this together (but from a distance). Social distancing has proven to be the most effective measure.

I organized this webinar to share my knowledge on the ways to set up Work from Home infrastructure for professionals like Chartered Accountants with conventional IT infrastructure in their office.

The techniques which I shared were extremely basic, and you could set them up within 15 minutes. With this video, I intended to show you how a team can work on data simultaneously while being at their residences.

By doing this, we will not only fight this pandemic situation by isolation but also continue our operations at about full efficiency.

There are three parts of this video:

  1. Setting up a cloud service to collaboratively work with your team from remote locations
  2. Setting up unattended access on a remote computer using a third party application
  3. Setting up a remote Amazon Lightsail Windows Server

Dropbox Registration Link: https://db.tt/W1WgGyvL

You may not need to obtain GST registration if your turnover does not exceed ₹40 lacs

NOTIFICATION NO. 10/2019 – CENTRAL TAX dated March 07, 2019

This notification prescribes the category of persons who are exempted from obtaining registration under the Act w.e.f. April 01, 2019.

Applicability:

Any person who is:

  • Engaged in exclusive supply of goods

and

  • Whose aggregate turnover in the financial year does not exceed ₹40 lacs.

Exceptions:

  • The persons who are required to compulsorily register u/s 24 of the Act.
  • The persons who are engaged in making supplies of the goods under the tariff
    • 2105 00 00: Ice cream and other edible ice, whether or not containing cocoa.
    • 2106 90 20: Pan Masala
    • 24: All goods i.e. Tobacco and manufactured tobacco substitutes
  • The persons engaged in making intrastate supplies in the states of
    • Arunachal Pradesh
    • Manipur
    • Meghalaya
    • Mizoram
    • Nagaland
    • Puducherry
    • Sikkim
    • Telangana
    • Tripura
    • Uttarakhand
  • The persons who exercise the option of voluntary registration u/s 25(3) of the Act.

It is crucial to note that this notification applies to persons who are engaged exclusively in the supply of goods and are not involved in any supply of services of any magnitude.

In a nutshell, a person who exclusively makes intra-state supplies of goods, who is not required to register compulsorily, and who is not engaged in making supplies of the specified goods or in the specified states, is exempted from obtaining registration under the Act if the aggregate turnover in a financial year does not exceed ₹40 lacs.