Setting the platform ready for Digital Forensic in future for Corporate Social Responsibility Programs under Indian Companies Act, 2013

1. CORPORATE SOCIAL RESPONSIBILITYCORPORATE SOCIAL RESPONSIBILITY
(CSR) UNDER SECTION 135 OF(CSR) UNDER SECTION 135 OF
COMPANIES ACT 2013 – DIGITALCOMPANIES ACT 2013 – DIGITAL
FORENSICSFORENSICS
Loyola College,Loyola College, -- Sundar A. Rodriguez M.Com.,FCA.,DISA.,CFSA(USA).,Sundar A. Rodriguez M.Com.,FCA.,DISA.,CFSA(USA).,
ChennaiChennai Research Scholar, Commerce DepartmentResearch Scholar, Commerce Department
- Dr. T. Joseph M.Com., M.Phil., MBA.,PhD.,- Dr. T. Joseph M.Com., M.Phil., MBA.,PhD.,
Associate Profession, Commerce DepartmentAssociate Profession, Commerce Department

2. CORPORATE SOCIAL RESPONSIBILITYCORPORATE SOCIAL RESPONSIBILITY
CSR is “theCSR is “the responsibilityresponsibility of enterprises forof enterprises for their impacts on societytheir impacts on society”.”.
To completely meet their social responsibility, enterprises “should have in place aTo completely meet their social responsibility, enterprises “should have in place a
process toprocess to integrate social, environmental, ethical human rights and consumerintegrate social, environmental, ethical human rights and consumer
concernsconcerns into theirinto their business operationsbusiness operations andand core strategycore strategy in close collaborationin close collaboration
with their stakeholders” .with their stakeholders” .
Ref: (http://ec.europa.eu/enterprise/policies/sustainable-Ref: (http://ec.europa.eu/enterprise/policies/sustainable-business/corporate-social-business/corporate-social-
responsibility/index_ en.htm)responsibility/index_ en.htm)

3. CSR – DEFINITION IN COMPANIES ACT 2013CSR – DEFINITION IN COMPANIES ACT 2013
SECTION 135SECTION 135
1)1)Every company having aEvery company having a net worthnet worth of rupees five hundred crore or moreof rupees five hundred crore or more (100 million $(100 million $
or more),or more), or aor a turnoverturnover of rupees one thousand crore or moreof rupees one thousand crore or more (200 million $ or more)(200 million $ or more) ,,
oror a net profita net profit of rupees five crore or moreof rupees five crore or more (1 million $ or more)(1 million $ or more) during any financialduring any financial
year shall constitute a Corporate Social Responsibility Committee of the Board consisting ofyear shall constitute a Corporate Social Responsibility Committee of the Board consisting of
three or more directors, out of which at least one director shall be an independentthree or more directors, out of which at least one director shall be an independent
director;director;

4. AMOUNT TO BE SPENT FOR CSRAMOUNT TO BE SPENT FOR CSR
Section 135 (5)Section 135 (5)
The Board of every company covered under CSR shall ensure for every financialThe Board of every company covered under CSR shall ensure for every financial
year that:year that:
At least 2% of averageAt least 2% of average net profitsnet profits of the company made during 3 immediatelyof the company made during 3 immediately
preceding financial yearspreceding financial years is spent on CSR.is spent on CSR.
This spending to be made in pursuance of its laid CSR Policy.This spending to be made in pursuance of its laid CSR Policy.

5. TOP CSR SPENDERSTOP CSR SPENDERS

6. IMPLEMENTATION OF CSRIMPLEMENTATION OF CSR
• Corporates can do it on its own with a separate section or department within itsCorporates can do it on its own with a separate section or department within its
existing frameworkexisting framework
• Through other entity formed for the said purpose by the corporatesThrough other entity formed for the said purpose by the corporates
• Tie up with an existing Non-Governmental-Organizations (NGOs)Tie up with an existing Non-Governmental-Organizations (NGOs)

7. MARRIAGE OF CONVENIENCEMARRIAGE OF CONVENIENCE
• Corporates:Corporates: NGOsNGOs
• Profit DrivenProfit Driven Not for profitNot for profit
• Has clear cut security policyHas clear cut security policy Open endedOpen ended
• Well aware of the digital impactWell aware of the digital impact Does not care muchDoes not care much
• Wishing to have its secret a secretWishing to have its secret a secret Open book policyOpen book policy
• Defined stakeholdersDefined stakeholders Whole society is its stakeholdersWhole society is its stakeholders
• Governed by corporate and taxationGoverned by corporate and taxation Impact of FCRA etc.Impact of FCRA etc.

8. OBJECTIVESOBJECTIVES
The major objectives of the study are:
(1)To study the factors affecting the implementing the Corporate Social Responsibility
(CSR) from fraud perspective,
(2)(2) To ascertain ways and means to properly identify the red flags of fraud; especially in
a digitized scenario;
(3)(3) To find ways to leave out a digital trail for the activities so that if needed at a later
stage it would be easier to do forensic analysis, and
(4)(4) To give suggestions to the policy makers like Government and other stakeholders
like implementing agencies, oversight agencies like auditors including the C & A. G and
police/judicial officials.

9. METHODOLOGYMETHODOLOGY
This is based on the Conceptual Research concept, mainly
because the impact of the CSR on fraud would only be known
at the end of this financial year and there is no primary data as
of now, and this is done relying on the secondary data and
review of the literature including the appropriate standards
and policies on accounting issued both at national and
international level.

10. DIFFERENCES FROM DIFFERENTDIFFERENCES FROM DIFFERENT
PERSPECTIVESPERSPECTIVES
• AccountingAccounting
• LegalLegal
• GovernanceGovernance
• StandardsStandards
• AwarenessAwareness
• FunctioningFunctioning
• OthersOthers

11. NGO – RED FLAGSNGO – RED FLAGS
• Non segregation of dutiesNon segregation of duties
• Cross fundingCross funding
• Concentration of powerConcentration of power
• Dual ownership of programsDual ownership of programs
• Networking of NGOsNetworking of NGOs
• Impact of Community Based organizations (CBOs)Impact of Community Based organizations (CBOs)
• Impact of activismImpact of activism

12. DIGITAL COMPLEXITIES - NGOSDIGITAL COMPLEXITIES - NGOS
• The data source for the activities are not confined to the data generated by NGOThe data source for the activities are not confined to the data generated by NGO
• Multiple stakeholders generating and accessing dataMultiple stakeholders generating and accessing data
• Open book approachOpen book approach
• Linking of activity report with financial data – string matching complexitiesLinking of activity report with financial data – string matching complexities
• Possibility of NGO database being used as Botnet, and NGOs and CBOs being zombies.Possibility of NGO database being used as Botnet, and NGOs and CBOs being zombies.
• No clear security policyNo clear security policy
• Access control issuesAccess control issues
• Use of multiple applicationsUse of multiple applications
• Licensing issuesLicensing issues
• Geographical distribution – in accessible areasGeographical distribution – in accessible areas

13. CORPORATES – STEPS TO BE TAKEN TOCORPORATES – STEPS TO BE TAKEN TO
SAFEGUARD ITSELFSAFEGUARD ITSELF
• Data ownership – Tripartite agreement – Accessing DataData ownership – Tripartite agreement – Accessing Data
• Third party role – clear definition – ISP, foreign funding agencies, Network, CBOThird party role – clear definition – ISP, foreign funding agencies, Network, CBO
• Email back up, issues with ISPs, Mail system providerEmail back up, issues with ISPs, Mail system provider
• Deciding on framework for forensics – Computer forensic InvestigationDeciding on framework for forensics – Computer forensic Investigation
Methodology propounded by Kruse and Heiser, United States of America’sMethodology propounded by Kruse and Heiser, United States of America’s
Department of Justice model, one developed by the Digital Forensics ResearchDepartment of Justice model, one developed by the Digital Forensics Research
Working Group, framework proposed by Reith and the last – model proposed byWorking Group, framework proposed by Reith and the last – model proposed by
Ciardhuain.Ciardhuain.

14. FORENSIC TOOLKIT AND CSRFORENSIC TOOLKIT AND CSR
• File viewersFile viewers
• Uncompressing filesUncompressing files
• Graphically displaying directory structuresGraphically displaying directory structures
• Identifying known filesIdentifying known files
• Performing string searches and pattern matchesPerforming string searches and pattern matches
• Accessing file metadataAccessing file metadata
• Impact of assurance framework – COBIT, NIST Special publication 800-53, ISO 17799, ITIL,Impact of assurance framework – COBIT, NIST Special publication 800-53, ISO 17799, ITIL,
Capability Maturity Model Integration (CMMI), Project Management body of Knowledge (PMBOK)Capability Maturity Model Integration (CMMI), Project Management body of Knowledge (PMBOK)
• Framework for cloud computing (CSA Security Matrix Jericho Forum Self Assessment scheme etc.)Framework for cloud computing (CSA Security Matrix Jericho Forum Self Assessment scheme etc.)

15. CLOUD COMPUTING – FORENSIC TOOLSCLOUD COMPUTING – FORENSIC TOOLS
• Network forensic analysis tools (NFT)Network forensic analysis tools (NFT)
• This includes:This includes:
• Packet sniffersPacket sniffers
• Protocol analysersProtocol analysers
• Security Even Management (SEM)Security Even Management (SEM)

16. SUGGESTION FOR POLICY MAKERS ANDSUGGESTION FOR POLICY MAKERS AND
OVERSIGHT BODIESOVERSIGHT BODIES
• Applicability of International Accounting Standards be made mandatoryApplicability of International Accounting Standards be made mandatory
• Specific guidance from MCASpecific guidance from MCA
• Clarity on reportingClarity on reporting
• ICAI to come up with guidance notesICAI to come up with guidance notes
• System audit of NGOs be made mandatorySystem audit of NGOs be made mandatory
• TRAI can come up with special guidelines for the CSPs to have common protocol or framework for cloud computingTRAI can come up with special guidelines for the CSPs to have common protocol or framework for cloud computing
• Law enforcement agencies be given proper training for understanding the “developmental sector’s terminology andLaw enforcement agencies be given proper training for understanding the “developmental sector’s terminology and
jargons, and to understand the complexities with specific reference to reporting for compliance purposes, oversee thatjargons, and to understand the complexities with specific reference to reporting for compliance purposes, oversee that
NGO does not send classified information unwittingly to foreign sources.NGO does not send classified information unwittingly to foreign sources.
• Use of NGO as frontal organization for fraud including cross-border crime, organized crimes, sham for transfer of blackUse of NGO as frontal organization for fraud including cross-border crime, organized crimes, sham for transfer of black
money.money.

17. MAJOR FINDINGSMAJOR FINDINGS
• CSR as a mandatory one is of recent origin. However, the impact due to its size in terms of
value is mind boggling. Further the reach of the CSR activities is going to affect the very
fabric of the society as a whole. This parallel populist schemes that attracts the attention
of all the stakeholders concerned, makes it more prone to further scrutiny from all
angles; and for that the digital forensics could be of use. However, this could be achieved
with the clear understanding of not only those who are involved in the digital forensic,
but also other law enforcement authorities to have a clear understanding of the concepts
and functioning of the not for profit organizations, including community based
organizations. They should also be aware of other legal provisions which are applicable
only to NGO, for example Foreign Contribution (Regulation) Act etc. Not only that the
relevant guidelines and procedures should be put in place in the Companies Act, as to
how the oversight mechanism in the digitized world has to take place in case of CSR
program.
• This opens a wide new area of challenge for the digital forensics to reorient themselves
to understand how the NGO functions and how it had evolved itself, and what would be
the effect of the merging of dichotomy of ideas – corporates with NGOs.

18. RECOMMENDATIONRECOMMENDATION
• The oversight mechanism should be given appropriate guidelines, based on the
approved and/or suggested standards and guidelines for the accounting and reporting of
the CSR activities, to enable them to discharge their function more efficiently and
effectively. If that is not done the very spirit of the law which spurred the formulation of
CSR would be defeated.
• If the oversight mechanism finds something amiss then they have to fall back on digital
forensics to back up their apprehensions, and for that the digital forensics should be
ready to face the challenge that is posed by the CSR which is of very recent origin, and
would evolve as the time goes on and with the changes made in the rules and regulations
governing it not only from the corporate perspective but also from the NGO perspective.
• Different stakeholders in the CSR program would be invariably affected due to the usage
of cloud computing or such other mechanism which provides for seamless transmission of
data insofar as it pertains to CSR program, and that increases the risk of vulnerability and
for that forensic tools and strategy should be used not only when anything goes wrong
but also as a deterrent and to safeguard one’s own interest.

19. QUESTIONSQUESTIONS

20. THANKSTHANKS