We have seen companies like Satyam and Sahara go bankrupt, and the common man who invested in these “company shares” lost his money relying on their falsified profit reports. Once these cases became public, our judicial system sent the culprits to JAIL and washed its hands of the matter. But nobody thought of the common man’s hard-earned money, which he had invested in the hope of some gain.
When similar cases happened in the US in the year 2000 (before the Satyam and Sahara cases), with the debacle of ENRON and World bank, the US government took action immediately, and in less than two years (in 2002) came up with the SOX Regulation (Sarbanes-Oxley Act): a full framework for the assessment of companies’ financials and their IT infrastructure, with mandatory annual attestation through RPAFs (Registered Practitioner Auditing Firms) registered with the PCAOB (Public Company Accounting Oversight Board). All this was done to safeguard the common man’s interest, so that he can invest in company shares without fear and such cases do not repeat.
In the SOX Regulation, equal emphasis is given to IT assessments alongside the assessment of financial records, because in the absence of appropriate security controls on financial systems, the integrity of the financial records can be compromised by any person (inside or outside the organization) with malicious intent.
Organizations are regularly guided to design their controls in line with the SOX requirements, primarily on the access control, change control and operations side. This test of design (ToD) is vetted by the RPAFs to confirm that every SOX requirement has been covered. Once the ToD is accepted by the RPAFs, the organization must set up a regular process of checking the effectiveness of the controls (test of effectiveness, ToE). During the year, the RPAFs audit these controls and come up with findings or observations that need to be mitigated within the defined timelines. At the end of the financial year, based on the compliance state, the RPAF sends its report to the PCAOB recommending or rejecting SOX attestation for the organization.
Now, coming back to India: it has been more than 7 years since Satyam declared itself bankrupt. We were happy sending the owner to jail and waited for another similar case to happen. The Sahara debacle happened in 2014; our judicial system sent the Sahara owner to jail, but even this time no effort was made to prevent such cases from happening in the future.
We cannot deny the fact that there may be many Indian companies which are still manipulating their financial records to show high profits and grabbing shareholders’ money. One fine day, when such a company goes bankrupt, people will find themselves looted again.
Our IT Act 2000 has not been amended since it was created. Our country urgently needs either to build a regulation like SOX or to strengthen the existing IT Act 2000 so that it properly defines a framework for financial and relevant IT assessment and mandatory attestations.
Authored by Deepak Ghai
TCS Enterprise Security and Risk Management