CORPORATE SOCIAL RESPONSIBILITY CORPORATE SOCIAL RESPONSIBILITY (CSR) UNDER SECTION 135 OF (CSR) UNDER SECTION 135 OF

COMPANIES ACT 2013 – DIGITAL COMPANIES ACT 2013 – DIGITAL FORENSICSFORENSICS

Loyola College, Loyola College, - - Sundar A. Rodriguez M.Com.,FCA.,DISA.,CFSA(USA).,Sundar A. Rodriguez M.Com.,FCA.,DISA.,CFSA(USA).,

ChennaiChennai Research Scholar, Commerce DepartmentResearch Scholar, Commerce Department

- Dr. T. Joseph M.Com., M.Phil., MBA.,PhD.,- Dr. T. Joseph M.Com., M.Phil., MBA.,PhD.,

Associate Profession, Commerce DepartmentAssociate Profession, Commerce Department

CORPORATE SOCIAL RESPONSIBILITYCORPORATE SOCIAL RESPONSIBILITY

CSR is “the CSR is “the responsibilityresponsibility of enterprises for of enterprises for their impacts on societytheir impacts on society”. ”.

To completely meet their social responsibility, enterprises “should have in place a To completely meet their social responsibility, enterprises “should have in place a

process to process to integrate social, environmental, ethical human rights and consumer integrate social, environmental, ethical human rights and consumer concerns concerns into their into their business operations business operations and and core strategy core strategy in close collaboration in close collaboration

with their stakeholders” . with their stakeholders” .

Ref: (http://ec.europa.eu/enterprise/policies/sustainable-Ref: (http://ec.europa.eu/enterprise/policies/sustainable-business/corporate-social-business/corporate-social-

responsibility/index_ en.htm)responsibility/index_ en.htm)

CSR – DEFINITION IN COMPANIES ACT 2013CSR – DEFINITION IN COMPANIES ACT 2013

SECTION 135SECTION 135

1)1)Every company having a Every company having a net worth net worth of rupees five hundred crore or more of rupees five hundred crore or more (100 million $ (100 million $

or more), or more), or a or a turnoverturnover of rupees one thousand crore or more of rupees one thousand crore or more (200 million $ or more) (200 million $ or more) , ,

or or a net profit a net profit of rupees five crore or more of rupees five crore or more (1 million $ or more) (1 million $ or more) during any financial during any financial

year shall constitute a Corporate Social Responsibility Committee of the Board consisting of year shall constitute a Corporate Social Responsibility Committee of the Board consisting of

three or more directors, out of which at least one director shall be an independent three or more directors, out of which at least one director shall be an independent

director;director;

AMOUNT TO BE SPENT FOR CSRAMOUNT TO BE SPENT FOR CSR

Section 135 (5) Section 135 (5)

The Board of every company covered under CSR shall ensure for every financial The Board of every company covered under CSR shall ensure for every financial

year that:year that:

At least 2% of average At least 2% of average net profits net profits of the company made during 3 immediately of the company made during 3 immediately

preceding financial yearspreceding financial years is spent on CSR. is spent on CSR.

This spending to be made in pursuance of its laid CSR Policy.This spending to be made in pursuance of its laid CSR Policy.

TOP CSR SPENDERSTOP CSR SPENDERS

IMPLEMENTATION OF CSRIMPLEMENTATION OF CSR

• Corporates can do it on its own with a separate section or department within its Corporates can do it on its own with a separate section or department within its

existing frameworkexisting framework

• Through other entity formed for the said purpose by the corporatesThrough other entity formed for the said purpose by the corporates

• Tie up with an existing Non-Governmental-Organizations (NGOs)Tie up with an existing Non-Governmental-Organizations (NGOs)

MARRIAGE OF CONVENIENCEMARRIAGE OF CONVENIENCE

• Corporates:Corporates: NGOsNGOs

• Profit DrivenProfit Driven Not for profitNot for profit

• Has clear cut security policy Has clear cut security policy Open endedOpen ended

• Well aware of the digital impactWell aware of the digital impact Does not care muchDoes not care much

• Wishing to have its secret a secretWishing to have its secret a secret Open book policyOpen book policy

• Defined stakeholdersDefined stakeholders Whole society is its stakeholdersWhole society is its stakeholders

• Governed by corporate and taxationGoverned by corporate and taxation Impact of FCRA etc.Impact of FCRA etc.

OBJECTIVESOBJECTIVES

The major objectives of the study are:

(1)To study the factors affecting the implementing the Corporate Social Responsibility (CSR) from fraud perspective,

(2)(2) To ascertain ways and means to properly identify the red flags of fraud; especially in a digitized scenario;

(3)(3) To find ways to leave out a digital trail for the activities so that if needed at a later stage it would be easier to do forensic analysis, and

(4)(4) To give suggestions to the policy makers like Government and other stakeholders like implementing agencies, oversight agencies like auditors including the C & A. G and police/judicial officials.

METHODOLOGYMETHODOLOGY

This is based on the Conceptual Research concept, mainly because the impact of the CSR on fraud would only be known at the end of this financial year and there is no primary data as of now, and this is done relying on the secondary data and review of the literature including the appropriate standards and policies on accounting issued both at national and international level.

DIFFERENCES FROM DIFFERENT DIFFERENCES FROM DIFFERENT PERSPECTIVESPERSPECTIVES

• AccountingAccounting

• LegalLegal

• GovernanceGovernance

• StandardsStandards

• AwarenessAwareness

• FunctioningFunctioning

• OthersOthers

NGO – RED FLAGSNGO – RED FLAGS

• Non segregation of dutiesNon segregation of duties

• Cross fundingCross funding

• Concentration of powerConcentration of power

• Dual ownership of programsDual ownership of programs

• Networking of NGOsNetworking of NGOs

• Impact of Community Based organizations (CBOs)Impact of Community Based organizations (CBOs)

• Impact of activismImpact of activism

DIGITAL COMPLEXITIES - NGOSDIGITAL COMPLEXITIES - NGOS• The data source for the activities are not confined to the data generated by NGOThe data source for the activities are not confined to the data generated by NGO

• Multiple stakeholders generating and accessing dataMultiple stakeholders generating and accessing data

• Open book approachOpen book approach

• Linking of activity report with financial data – string matching complexitiesLinking of activity report with financial data – string matching complexities

• Possibility of NGO database being used as Botnet, and NGOs and CBOs being zombies.Possibility of NGO database being used as Botnet, and NGOs and CBOs being zombies.

• No clear security policyNo clear security policy

• Access control issuesAccess control issues

• Use of multiple applicationsUse of multiple applications

• Licensing issuesLicensing issues

• Geographical distribution – in accessible areas Geographical distribution – in accessible areas

CORPORATES – STEPS TO BE TAKEN TO CORPORATES – STEPS TO BE TAKEN TO SAFEGUARD ITSELFSAFEGUARD ITSELF

• Data ownership – Tripartite agreement – Accessing DataData ownership – Tripartite agreement – Accessing Data

• Third party role – clear definition – ISP, foreign funding agencies, Network, CBOThird party role – clear definition – ISP, foreign funding agencies, Network, CBO

• Email back up, issues with ISPs, Mail system providerEmail back up, issues with ISPs, Mail system provider

• Deciding on framework for forensics – Computer forensic Investigation Deciding on framework for forensics – Computer forensic Investigation

Methodology propounded by Kruse and Heiser, United States of America’s Methodology propounded by Kruse and Heiser, United States of America’s

Department of Justice model, one developed by the Digital Forensics Research Department of Justice model, one developed by the Digital Forensics Research

Working Group, framework proposed by Reith and the last – model proposed by Working Group, framework proposed by Reith and the last – model proposed by

Ciardhuain.Ciardhuain.

FORENSIC TOOLKIT AND CSRFORENSIC TOOLKIT AND CSR

• File viewersFile viewers

• Uncompressing filesUncompressing files

• Graphically displaying directory structuresGraphically displaying directory structures

• Identifying known filesIdentifying known files

• Performing string searches and pattern matchesPerforming string searches and pattern matches

• Accessing file metadataAccessing file metadata

• Impact of assurance framework – COBIT, NIST Special publication 800-53, ISO 17799, ITIL, Impact of assurance framework – COBIT, NIST Special publication 800-53, ISO 17799, ITIL, Capability Maturity Model Integration (CMMI), Project Management body of Knowledge (PMBOK)Capability Maturity Model Integration (CMMI), Project Management body of Knowledge (PMBOK)

• Framework for cloud computing (CSA Security Matrix Jericho Forum Self Assessment scheme etc.)Framework for cloud computing (CSA Security Matrix Jericho Forum Self Assessment scheme etc.)

CLOUD COMPUTING – FORENSIC TOOLSCLOUD COMPUTING – FORENSIC TOOLS

• Network forensic analysis tools (NFT)Network forensic analysis tools (NFT)

• This includes:This includes:

• Packet sniffersPacket sniffers

• Protocol analysersProtocol analysers

• Security Even Management (SEM)Security Even Management (SEM)

SUGGESTION FOR POLICY MAKERS AND SUGGESTION FOR POLICY MAKERS AND OVERSIGHT BODIESOVERSIGHT BODIES

• Applicability of International Accounting Standards be made mandatoryApplicability of International Accounting Standards be made mandatory

• Specific guidance from MCASpecific guidance from MCA

• Clarity on reportingClarity on reporting

• ICAI to come up with guidance notesICAI to come up with guidance notes

• System audit of NGOs be made mandatorySystem audit of NGOs be made mandatory

• TRAI can come up with special guidelines for the CSPs to have common protocol or framework for cloud computingTRAI can come up with special guidelines for the CSPs to have common protocol or framework for cloud computing

• Law enforcement agencies be given proper training for understanding the “developmental sector’s terminology and Law enforcement agencies be given proper training for understanding the “developmental sector’s terminology and jargons, and to understand the complexities with specific reference to reporting for compliance purposes, oversee that jargons, and to understand the complexities with specific reference to reporting for compliance purposes, oversee that NGO does not send classified information unwittingly to foreign sources.NGO does not send classified information unwittingly to foreign sources.

• Use of NGO as frontal organization for fraud including cross-border crime, organized crimes, sham for transfer of black Use of NGO as frontal organization for fraud including cross-border crime, organized crimes, sham for transfer of black money.money.

MAJOR FINDINGSMAJOR FINDINGS

• CSR as a mandatory one is of recent origin. However, the impact due to its size in terms of value is mind boggling. Further the reach of the CSR activities is going to affect the very fabric of the society as a whole. This parallel populist schemes that attracts the attention of all the stakeholders concerned, makes it more prone to further scrutiny from all angles; and for that the digital forensics could be of use. However, this could be achieved with the clear understanding of not only those who are involved in the digital forensic, but also other law enforcement authorities to have a clear understanding of the concepts and functioning of the not for profit organizations, including community based organizations. They should also be aware of other legal provisions which are applicable only to NGO, for example Foreign Contribution (Regulation) Act etc. Not only that the relevant guidelines and procedures should be put in place in the Companies Act, as to how the oversight mechanism in the digitized world has to take place in case of CSR program.

• This opens a wide new area of challenge for the digital forensics to reorient themselves to understand how the NGO functions and how it had evolved itself, and what would be the effect of the merging of dichotomy of ideas – corporates with NGOs.

RECOMMENDATIONRECOMMENDATION• The oversight mechanism should be given appropriate guidelines, based on the

approved and/or suggested standards and guidelines for the accounting and reporting of the CSR activities, to enable them to discharge their function more efficiently and effectively. If that is not done the very spirit of the law which spurred the formulation of CSR would be defeated.

• If the oversight mechanism finds something amiss then they have to fall back on digital forensics to back up their apprehensions, and for that the digital forensics should be ready to face the challenge that is posed by the CSR which is of very recent origin, and would evolve as the time goes on and with the changes made in the rules and regulations governing it not only from the corporate perspective but also from the NGO perspective.

• Different stakeholders in the CSR program would be invariably affected due to the usage of cloud computing or such other mechanism which provides for seamless transmission of data insofar as it pertains to CSR program, and that increases the risk of vulnerability and for that forensic tools and strategy should be used not only when anything goes wrong but also as a deterrent and to safeguard one’s own interest.

QUESTIONSQUESTIONS

THANKSTHANKS