Need Tally
for Clients?

Contact Us! Here

  Tally Auditor

License (Renewal)
  Tally Gold

License Renewal

  Tally Silver

License Renewal
  Tally Silver

New Licence
  Tally Gold

New Licence
 
Open DEMAT Account with in 24 Hrs and start investing now!
« Professional Updates »
Open DEMAT Account in 24 hrs
  IMPORTANT ANNOUNCEMENT
 Extension of Last Date for Online Empanelment of Members to act as Observers for May/June 2024 Examinations up to 15th March 2024
 Empanelment of Members to act as Observers at the Examination Centres for the Chartered Accountants Examinations May/June 2024
 Guidance Note on Audit of Banks (2024 Edition)
 Issuance of SA 800 (Revised), SA 805 (Revised), SA 810 (Revised)
 Implementation Guide on Reporting on Audit Trail under Rule 11(g) of the Companies (Audit and Auditors) Rules, 2014 (Revised 2024 Edition) - (12-02-2024)
 Important Announcement for May-June 2024 CA Examinations
 Draft Bank Branch Auditors' Panel (MEF) for the year 2023-24
 Results of the Chartered Accountants Final and Intermediate Examinations held in November 2023 declared.
 Observations of the candidates on the question papers of CA Foundation examinations - December - 2023
 Inviting suggestions by way of Questionnaire for preparation of ICAI Vision 2049

DAAB of ICAI releases Digital Competency Maturity Model for Professional Accounting Firms - Version 2.0 and Implementation Guide
January, 15th 2020
DIGITAL COMPETENCY MATURITY
  MODEL FOR PROFESSIONAL
ACCOUNTING FIRMS - VERSION 2.0
  AND IMPLEMENTATION GUIDE




           Digital Accounting and Assurance Board
        The Institute of Chartered Accountants of India
© The Institute of Chartered Accountants of India

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system,
or transmitted, in any form, or by any means, electronic mechanical, photocopying, recording, or
otherwise, without prior permission, in writing, from the publisher.




DISCLAIMER
The views expressed in this material are those of author(s). The Institute of Chartered Accountants
of India (ICAI) may not necessarily subscribe to the views expressed by the author(s).

The information in this material has been contributed by various authors based on their expertise
and research. While every effort have been made to keep the information cited in this material
error free, the Institute or its officers do not take the responsibility for any typographical or clerical
error which may have crept in while compiling the information provided in this material. There
are no warranties/claims for ready use of this material as this material is for educational purpose.
The information provided in this material are subject to changes in technology, business and
regulatory environment. Hence, members are advised to apply this using professional judgement.
All copyrights are acknowledged. Use of specific hardware/software in the material is not an
endorsement by ICAI.




First Edition             : December, 2019

Committee/Department: Digital Accounting and Assurance Board

Email                     :gdaab@icai.in

Website                   :www.icai.org

ISBN No                   : 978-81-8441-974-0

Published by : The Publication Department on behalf of the Institute of
 Chartered Accountants of India, ICAI Bhawan, Post Box No. 7100,
 Indraprastha Marg, New Delhi-110 002.




                                                    ii
Foreword
  Digital technologies continue to substantially affect the economies with several related implications.
Technology is like a multiplier and the combinational effects of emerging technologies, such as
blockchain, artificial intelligence, robotics process automation, cloud computing, etc., are accelerating
progress exponentially. Digital revolution brings with it its own set of challenges and one needs
to embrace the reverberations not as complexities but opportunities. Accounting profession must
embrace emerging technologies which will not only enable them to harness power of technology but
also play effective role as digital transformation catalysts.

   The Institute of Chartered Accountants of India (ICAI) through Digital Accounting and Assurance
Board (DAAB), has initiated a process of laying out a self- evaluation matrices for accounting
firms to gauge their relative maturity level as regards digital competency pertaining to Audit and
Accounting related functions being rendered by them. DCMM Version 1.0, issued in 2017, was widely
acknowledged at global level and now it has evolved into a more robust framework as DCMM Version
2.0. This newer version has taken into account the discipline specific categorization of accounting
firms and related technology adoption for achieving efficiency and productivity gains. It also includes
a new section on emerging technologies and also provides guidance on implementation of each of
the sections.

   I compliment CA. Manu Agrawal, Chairman, DAAB, CA. Dayaniwas Sharma, Vice-Chairman,
DAAB, and other members of the Board for taking the lead in developing DCMM Version 2.0 and
its Implementation Guide, which forms the foundation for building a strategy for up skilling, and
steering a steady course to maximize opportunities unfolding in the digital era.




CA. Prafulla P. Chhajed
President, ICAI


Place:  New Delhi
Date:  December 18, 2019




                                                   iii
iv
Foreword
  As the digital revolution continues to reshape economic landscape, the pace and magnitude of
technological changes are unprecedented. In any given area there are barriers and accelerators of
digital transformation. Investment in technology is a key driver of productivity in the accountancy
sector, and new age accountants should keep abreast on the benefits these technologies can deliver.
With domain knowledge and expertise in accounting, assurance, compliance and taxation, accountants
can be instrumental in implementation of technology enabled solutions. In this regard Small and
Medium Sized Practitioners (SMPs) should proactively embrace technology which includes effective
selection, implementation, and management of technologies, as well as training employees to use
software solutions.

  In 2017, The Institute of Chartered Accountants of India (ICAI) with its visionary mindset of digital
upgradation of the profession had released "Digital Competency Maturity Model for Professional
Accounting Firms (DCMM) Version 1.0". It is heartening to note that now DCMM Version 2.0
is being released which enhances and builds upon on the framework of DCMM Version 1.0. This
updated version includes a new section to encourage firms to embrace new technologies and also
provides discipline specific categorization based on firm's profile. Further, with a view to provide
accounting firms with guidance on implementation of various parameters DCMM Version 2.0 also
includes detailed Implementation Guide.

  I urge our members/ firms to use "Digital Competency Maturity Model (DCMM) for Professional
Accounting Firms ­ Version 2.0 and Implementation Guide" for assessing current digital competence
of their firms, and further use the guidance provided to build their firms competencies for digital
transformation journey of their own growth and of the profession at large.


CA. Atul Kumar Gupta
Vice President, ICAI


Place: New Delhi
Date:  December 18, 2019




                                                  v
vi
Preface
  This is an era of exponential changes powered by innovative combinations of emerging technologies
with unprecedented pace, scope and depth of impact. Governments and regulators across the globe
are recognizing the potential of emerging technologies for creating positive implications on almost
every aspect of sustainable development. The future of accounting profession will be largely impacted
by capability to visualize and harness the potential benefits of emerging technologies, and proactively
facilitating organizations to implement technology enabled solutions for delivering value added services.
   The Institute of Chartered Accountants of India has set up Digital Accounting and Assurance Board
(DAAB) as a thought leadership forum so as to address the accounting and auditing issues arising
out of impact of digitization to the business eco-system. DAAB has released "Digital Competency
Maturity Model for Professional Accounting Firms ­ Version 2.0 and Implementation Guide" which
enhances and builds upon on the framework of DCMM Version 1.0. It provides discipline specific
categorization ­ Audit, Tax and Compliances, Accounting and Support Function, Other Management
Consulting Services - for assessing digital competency with respect to level of automation. Apart from
earlier three sections, DCMM Version 2.0 includes a new section on "Adaptation of Advanced and
Emerging Technologies" for encouraging firms to embrace emerging technologies. The most useful
enhancement is that DCMM Version 2.0 includes detailed Implementation Guide to help accounting
firms with practical tips on moving to the next level of digital competency.
 At this juncture, we wish to place on record sincere gratitude to CA. Guru Prasad and CA. Narasimhan
Elangovan for taking time out of their pressing preoccupations and contributing in preparation of
DCMM Version 2.0.
  We would like to express our gratitude to CA. Prafulla P. Chhajed, President ICAI and
CA. Atul Kumar Gupta, Vice President, ICAI for their continuous support and encouragement to
the initiatives of the Board. We also wish to place on record our gratitude for the all Board members,
co-opted members and special invitees for providing their invaluable guidance and support to various
initiatives of the Board. I also wish to express my sincere appreciation for CA. Jyoti Singh, Secretary,
DAAB, for her technical inputs in finalizing this publication.
  We recommend the members/ firms to apply DCMM Version 2.0 by using automated tool for the
same available at ICAI website to assess current digital competence of their firms. We look forward
for your feedback/ responses which would assist us in developing new resources and tools to assist
members/ firms in scaling up and riding the tide of technology.

CA. Manu Agrawal                                                             CA. Dayaniwas Sharma
Chairman, DAAB                                                                 Vice-Chairman, DAAB

Place: New Delhi
Date:  December 18, 2019

                                                   vii
viii
INTRODUCTION
The Institute of Chartered Accountants of India
The Institute of Chartered Accountants of India (ICAI) is a statutory body established by an Act of
Parliament, viz., The Chartered Accountants Act, 1949 (Act No.XXXVIII of 1949) for regulating the
profession of Chartered Accountancy in the country. ICAI is the one amongst accountancy bodies in
the world, with a strong tradition of service to the Indian economy in public interest.
Over a period of time, ICAI has achieved recognition as a premier accounting body not only in the
country but also globally, for maintaining highest standards in technical, ethical areas and for sustaining
stringent examination and education standards. Since 1949, the Chartered Accountancy profession in
India has grown leaps and bounds in terms of
· Members and student base.
· Regulate the profession of Accountancy
· Education and Examination of Chartered Accountancy Course
· Continuing Professional Education of Members
· Conducting Post Qualification Courses
· Formulation of Accounting Standards
· Prescription of Standard Auditing Procedures
· Laying down of Ethical Standards
· Monitoring Quality through Peer Review
· Ensuring Standards of performance of Members
· Exercise Disciplinary Jurisdiction
· Financial Reporting Review
· Input on Policy matters to Government

Digital Accounting and Assurance Board of ICAI
ICAI has constituted "Digital Accounting and Assurance Board" (DAAB) for fostering a cohesive
global strategy on aspects related to digital accounting and assurance, through sharing of knowledge
and practices amongst the members. DAAB is endeavouring to identify, deliberate and highlight
on issues in accounting (including valuation) and assurance (including internal audit) issues in the
digital world.
DAAB is focusing on issues in accounting and assurance arising from the high pace of digitisation,
including use of artificial intelligence in audit, big data analytics in audit, relevance of sampling,
valuation of data as an asset, impairment testing of digital assets, insurance of data - valuation and
premium fixation, etc. The Board is taking up initiatives to develop knowledge base through position
papers and articles on issues relating to impact of technology on accounting and assurance.

                                                    ix
Composition of Digital Accounting
and Assurance Board 2019-20

     Council Members
     Chairman
     CA. Manu Agrawal
     Vice-Chairman
     CA. Dayaniwas Sharma
     CA. Prafulla Premsukh Chhajed, President (Ex-officio)
     CA. Atul Kumar Gupta, Vice-President (Ex-officio)
     CA. Anil Satyanarayan Bhandari
     CA. Tarun Jamnadas Ghia
     CA. Nihar Niranjan Jambusaria
     CA. Dheeraj Kumar Khandelwal
     CA. Aniket Sunil Talati
     CA. Rajendra Kumar P
     CA. M P Vijay Kumar
     CA. Sushil Kumar Goyal
     CA. Pramod Kumar Boob
     CA. Hans Raj Chugh
     CA. Sanjeev Kumar Singhal
     CA. Rajesh Sharma
     CA. Prakash Sharma
     Shri Sunil Kanoria

     Co-opted Members
     CA. Cotha S Srinivas
     CA. Shrikant Maheshwari
     CA. M R Vikram
     CA. Punit Mehta
     CA. Sunil Chandiramani
     CA. Rajkumar Kothari

     Special Invitees
     CA. Hemant Joshi
     CA. Arun Ahuja
     CA. Mohan Lal Kukreja
     CA. Nitesh Gupta
     CA. Tushar Mehta

     Secretary, DAAB
     CA. Jyoti Singh


                                        x
DCMM
Version 2.0
Introduction

Digitalization and technology have impacted the way our profession is perceived. These trends not just
demand a change in thought process but also a fundamental shift in the way professional accounting
firms are run. As newer digital technologies continue to emerge, accounting firms must anticipate
and gear up for the technological revolution. Digital Accounting and Assurance Board (DAAB) of
The Institute of Charted Accountants of India (ICAI) has taken up an initiative to assess the digital
competency of professional accounting firms and to guide them on how they could scale up and ride
the tide of technology.
"Digital Competency Maturity Model (DCMM) for Professional Accounting Firms ­ Version 1.0"
was released in 2017, and it provided a set of minimum requirements which the firms can evaluate on
a self-assessment basis, and build a strategy for up skilling, to leverage the opportunities which will
unfold in the digital era. DCMM Version 2.0 enhances and builds upon on the framework of DCMM
Version 1.0 in following ways -
(i)  Considering the fact that accounting firms are engaged in specialized areas, DCMM Version
 2.0 provides discipline specific categorization based on the firm's profile for assessing its digital
 competency with respect to level of automation.
(ii) DCMM Version 2.0 includes a new Section on "Adaptation of Advanced and Emerging
 Technologies", which encourages firms to embrace emerging technologies and get ready for the
 future digital landscape.
(iii) DCMM Version 2.0 includes detailed Implementation Guide to help accounting firms with
 practical tips on moving to the next level of digital competency. For each of the clauses, detailed
 implementation clues with suggestive options have been given.




Disclaimer
"Digital Competency Maturity Model (DCMM) for Professional Accounting Firms ­ Version 2.0 and
Implementation Guide" has to be used ONLY for self-evaluation by accounting firms of their digital
competency maturity level and taking steps to move up the maturity model.
The results of the self-evaluation conducted should NOT be published / displayed in any form / manner,
which may be deemed to be violation of Code of Ethics of the Institute of Chartered Accountants
of India".




                                                  xi
xii
DCMM
Version 2.0
Section Categorization

DCMM Version 2.0 comprises a questionnaire that enables firms to rate their current level of maturity
on digital competency, identify areas where competencies are strong or lacking, and then develop a road
map for achieving a higher level of maturity. DCMM Version 2.0 includes the following dimensions of
digital maturity organized into sections:
· Section A: Level of Automation of Firm's Internal Processes - This Section covers extent of usage
of IT by the firm for its own internal processes for example, billing, document management, client
relationship management, and staff attendance and work tracking, cyber security, compliance with
data protection regulation and social media presence.
· Section B: Availability of Qualified Resource Pool and Talent Development Relating to Digital
Competencies - This Section covers aspects like, attracting, retaining and developing staff with
requisite qualifications and skills.
· Section C1 (Discipline specific Categorisation ­ Audit): Level of Automation Relating to Audit
Processes and Nature of Audit Services being Rendered - This Section covers the level of automation
at client's end, access to automated audit tools, training of employees on audit tools, ability to handle
digital evidence, Information Technology Audits, etc.
· Section C2 (Discipline specific Categorisation ­ Tax and Compliances): Level of Automation
Relating To Tax & Compliance Processes And Nature Of Tax and Compliance Services Being
Rendered- This Section covers the level of automation at client's end, access to automated tax and
compliance tools, customisation of tax and compliance tools, training of employees on such specific
tools, etc.
· Section C3 (Discipline specific Categorisation ­ Accounting and support function): Level of
Automation Relating to Accounting Processes and Nature of Accounting Services being Rendered
- This Section covers the level of automation at client's end, access to automated accounting tools,
training of employees on client accounting tools, etc.
· Section C4 (Discipline specific Categorisation ­ Other Management Consulting Services):
Level of Automation Relating to Other Management Consulting Services being Rendered ­ This
Section covers the level of automation at client's end, access to automated miscellaneous tools, training
of employees on tools, management consultancy services, forecasts, M&A Advisory, consultancy
services, training activities, etc.
· Section D: Adaptation of Advanced and Emerging Technologies - This Section covers the extent
of adaptation of advanced and emerging technologies like, Advanced Excel, Use of Data Analytics,
Adoption of Robotic Process Automation, Artificial Intelligence, Social Media, etc.
In case an accounting firm is engaged in more than one type of service then applicability of Section
C1, C2, C3 and C4 should be checked individually. Further, if more than one discipline specific
categorisation is applicable, then firm should fill all the applicable Sections. In case a particular section
(C1, C2, C3 or C4) is not applicable to them, the firm can ignore the same and proceed with the
subsequent Section.



                                                    xiii
Firm Maturity Rating
Scores obtained in each of the respective Sections should be interpreted independently to determine
firm's maturity with respect to that particular Section.

  Section Reference             Max Score                                  Rating
                                                         Less than 46 Points         Level 1 Firm
       Section A                    169                = or >46 up to 92 Points      Level 2 Firm
                                                             >92 Points              Level 3 Firm
                                                         Less than 28 Points         Level 1 Firm
       Section B                     93                = or >28 up to 56 Points      Level 2 Firm
                                                             >56 Points              Level 3 Firm
                                                          Less than 9 Points         Level 1 Firm
   Section C1 ­ Audit                42                = or >9 up to 19 Points       Level 2 Firm
                                                             >19 Points              Level 3 Firm
                                                         Less than 10 Points         Level 1 Firm
     Section C2 ­
                                     33             = or > 10 up to 20 Points        Level 2 Firm
   Tax & Compliance
                                                             >20 Points              Level 3 Firm
                                                          Less than 6 Points         Level 1 Firm
      Section C3 ­
                                     21                = or >6 up to 13 Points       Level 2 Firm
      Accounting
                                                             >13 Points              Level 3 Firm
                                                         Less than 12 Points         Level 1 Firm
     Section C4 ­
     Management                      41                = or >12 up to 25 Points      Level 2 Firm
  Consultancy Services
                                                             >25 Points              Level 3 Firm
                                                         Less than 15 Points         Level 1 Firm
       Section D                     50                = or >15 up to 30 Points      Level 2 Firm
                                                             > 30 Points             Level 3 Firm

Interpreting the Results
· Level 1 Firm - indicates that the firm is in very nascent stages of adopting digital technologies but
will have to take immediate steps to upgrade its digital competency or will be left lagging behind.
· Level 2 Firm - indicates that the firm has made some progress in terms of adopting digital
technologies but will have to fine tune further to reach the highest level of digital competency.
· Level 3 Firm - indicates firms which have made significant adoption of digital technologies and
should focus on optimising it further to be in the forefront of use of emerging technologies like,
Artificial Intelligence and Blockchain.

                                                 xiv
Implementation Guide
Competency dimensions mentioned in each Sections are targeted to enable firms to assess their
current digital competency for moving to the next level. In order to assist professional accounting
firms to achieve various competency dimensions, DCMM Version 2.0 includes implementation guide
in the form of implementation clues. These clues are practical based and are a sort of handholding
for small and medium firms for adopting new technologies. The Implementation Clues given in this
guide are generic and are minimum requirements under each domain. The firm is, however, free to
adopt better practices. Further, names of some websites have been included as an example to help the
firms in adopting new technologies. These examples are only illustrative in nature and is not meant for
promoting/ recommending any particular website, and the list is based on market research conducted
by the authors while drafting the clues.
This Implementation Guide is prepared to assist the Professional Accounting Firms (Firms) in
implementation of the various digital initiatives and enhances their digital maturity competency. Prior
to using this guide, the accounting firm should have assessed their existing digital competency maturity
using the evaluation questionnaire available at ICAI website (www.icai.org).




                                                  xv
DCMM Road Map for Moving Up the
Next Level of Maturity
Step 1: Benchmarking                          Benchmark the current maturity level of the
                                              firm by completing the DCMM, and document
                                              list of specific aspects that the Firm is currently
                                              lacking, and which needs to be initiated to move
                                              the next level of Maturity model.


Step 2: Planning Initiatives                  Convert the initiative to be taken into an action
                                              plan- with timelines- quarterly/annual.


Step 3: Identifying resources                 Identify a small cross functional team to own
and execution plan                            the execution of the plan, with a leader and
                                              make the execution of the plan, an important
                                              part of the Key Result Areas/KPI of this team.
                                              Define accountability for reporting progress
                                              and challenges in implementation.


Step 4: Assessing progress and                Assess the progress by re-evaluating against
re-validation against the DCMM                the DCMM and re-visit the execution plan
                                              half-yearly.


Step 5: Perform a peer review/                The firm may on a voluntary basis perform
review by external firm, if necessary         a review by an external firm or a peer review
                                              and assess the position at periodical intervals.
                                              It is recommended to perform peer review on
                                              a regular basis by external firms or at the time
                                              when firm ascends to next level.




                                        xvi
Contents
DCMM Version 2.0 -- Introduction ................................................................................................. xi
DCMM Version 2.0 Section Categorization..................................................................................... xiii
DCMM Road Map for Moving Up the Next Level of Maturity................................................... xvi
Contents.................................................................................................................................................xvi
SECTION A
LEVEL OF AUTOMATION OF THE FIRM'S INTERNAL PROCESSES................... 1
1.1  Managing Digital Identity............................................................................................................. 1
1.2  Operational Process Automation................................................................................................ 4
1.3  Redundancy and Continuity.......................................................................................................13
1.4  Mobile Devices and Data Security............................................................................................ 14
1.5  Data Security.................................................................................................................................16
1.6  Electronic Payments....................................................................................................................19
1.7  Copyright and Licenses...............................................................................................................20
1.8  Digital Media for Communication............................................................................................ 21
1.9  Protecting Personal Data and Privacy....................................................................................... 23
1.10 Online scans for adverse content.............................................................................................. 25
1.11 Information Systems Related Audits/Reviews........................................................................ 26
1.12 Design of Application Level Controls..................................................................................... 27
1.13 External Validation/Certification.............................................................................................. 29
1.14 Custody of Digital Assets...........................................................................................................30
SECTION B
AVAILABILITY OF QUALIFIED RESOURCE POOL AND TALENT
DEVELOPMENT RELATING TO DIGITAL COMPETENCIES................................. 32
2. 1 Skilled resource for managing internal IT infra......................................................................... 32
2. 2 Training/skill of staff related to office automation................................................................. 34
2. 3 Qualification in technology...........................................................................................................35
2. 4 Digital Etiquette..............................................................................................................................36
2. 5 Protecting against digital threats.................................................................................................. 37
2.6 Content delivery through digital platforms................................................................................. 38
2.7 Access to knowledge base, content search online and evaluating content prior to use....... 40
2.8 Creative use of digital technologies.............................................................................................. 41


                                                                          xvii
SECTION C1
LEVEL OF AUTOMATION RELATING TO AUDIT PROCESSES AND
NATURE OF AUDIT SERVICES BEING RENDERED................................................... 42
3.1.1Carrying out Risk Assessment for the purpose of Audit Planning..................................... 42
3.1.2Use of Automated Audit Planning Software........................................................................... 43
3.1.3 Use of External Automated Audit Tools for Data Extraction,
      Sampling, Analytics, etc...............................................................................................................45
3.1.4 Use of in-built audit tools/capabilities in client-side applications like, ERPs.................... 49
SECTION C2
LEVEL OF AUTOMATION RELATING TO TAX AND COMPLIANCE
PROCESSES AND NATURE OF TAX AND COMPLIANCE SERVICES
BEING RENDERED.......................................................................................................................50
3.2.1 Carrying out Risk Assessment for the purpose of Tax Computation................................. 50
3.2.2 Use of Automated Taxation Planning Software...................................................................... 51
3.2.3 Use of External Automated Tax and Compliance Tools for Data Extraction,
      Sampling, Analytics, etc...............................................................................................................52
3.2.4 Use of in-built tax tools/capabilities in client-side applications like ERPs........................ 56
SECTION C3
LEVEL OF AUTOMATION RELATING TO ACCOUNTING AND SUPPORT
FUNCTION PROCESSES AND NATURE OF ACCOUNTING AND SUPPORT
FUNCTION SERVICES BEING RENDERED..................................................................... 57
3.3.1 Use of Automated Accounting Software................................................................................. 57
3.3.2 Use of External Automated Accounting Tools for Data Entry,
      Sampling, Analytics, etc...............................................................................................................58
3.3.3 Use of in-built accounting tools/capabilities in client-side applications like, ERPs......... 59
SECTION C4
LEVEL OF AUTOMATION RELATING TO MANAGEMENT CONSULTANCY
SERVICES PROCESSES AND NATURE OF MANAGEMENT CONSULTANCY
SERVICES BEING RENDERED................................................................................................ 61
3.4.1 Carrying out Risk Assessment for the purpose
      of Management Consultancy Services planning..................................................................... 61
3.4.2Use of Automated Software for rendering Management Consultancy Services............... 62
3.4.3 Use of External Automated Management Consultancy
      Services Tools for rendering various services.......................................................................... 64
3.4.4 Use of in-built tools/capabilities in client-side applications like ERPs............................... 69
SECTION D
ADAPTATION OF ADVANCED AND EMERGING TECHNOLOGIES................... 70
4.1  Use of Advanced and Emerging Technologies....................................................................... 70
4.2 Use of Advanced Technology and Communication Media.................................................. 74




                                                                     xviii
xix
SECTION A : LEVEL OF AUTOMATION OF THE FIRM'S
INTERNAL PROCESSES
This section covers aspects relating to what extent an accounting and audit firm has leveraged
Information Technology (IT) and related processes for its own operations ­ from automation of
attendance systems to cloud based data back-up, etc. It also addresses issues of data security of client's
sensitive data.

1.1 Managing Digital Identity
How to score your firm?
   Competency Dimension                                      Score/Point               Max Points
                                                            Awarding Basis
   1.1 Managing Digital Identity-
    The firm has registered:
   (i) Domain name:                                         For each Yes - 1 Point Maximum Points- 15
    (a) Does the firm have a Domain Name?                   For each No - 0 point
    (b) Has it been registered?
   (ii) Website
    (a) Does the firm have a website?
    (b) Is the website updated on a regular basis?
    (c) Is the website interactive and dynamic?
    (d) Can Employees and Articles Login?
    (e) Can Clients Login?
   (iii)Corporate domain ID for mails:
    (a) Does the firm have a corporate mail ID?
    (b) Is it available for all the office staff (excluding
           articles)?
    (c) Is it available for articles?
    (d) Are the mails stored in an external server?
    (e) Is there access to drive for sharing of large
           files/editable files?
   (iv)Social media presence:
    (a) Does the firm have Social Media Presence?
    (b) Does the firm answer to all the queries 
    posted on its page on a timely manner?
    (c) Is there a minimum of one update posted by
           the firm in a month?





                                                    1
Implementation Guide ­ Managing Digital Identity
(i) Domain Name
   Having firms or practice unit's domain name makes the entity look professional. If the entity
   publishes its website through an ISP or a Web hosting site, then there is a URL such as www.
   yourisp.com/-yourbusiness.This generic address does not inspire confidence in a client like a
   domain name (www.yourcompany.com) does.
   Implementation Clues
   · Select a domain name registrar.
   · Select a domain name - A domain name will be easy to remember, making firms website easy
     to find.
   · A domain name selected should have a better search engine ranking.
       (Note: Easy-to-Remember domain names will have a better search engine ranking)
   · Domain name should be registered in the name of the firm and not in the name of an
     individual.
   Below is the illustrative list of few websites through which domain name can be obtained and
   registered:
  Domain.com
  GoDaddy.com
  Bluehost.com
  HostGator.com
(ii)Website
   In the digital world, a website is now a necessity for a professional accounting firm. Without a
   website, there are chances of losing client and opportunities for a firm. The website is a way to
   showcase firm's expertise and professional service offerings. This would help the firm to obtain a
   digital footprint and give an identity. The web has a far wider reach to showcase a firm.
   Implementation Clues
   The following points will help in developing a good website ­
    A website should clearly portray firm's name.
  It is recommended to use conversational English.
    Makes it easy for visitors to contact the firm.
    Make firm's home page a to-the-point summary helping to build a powerful web presence.
    Website should be updated regularly to reflect the current circumstances.


                                                 2
   It shall be ensured that ICAI Code of Ethics is adhered to while developing website. Updated
   ICAI Code of Ethics is available on www.icai.org .
(iii) Corporate Domain ID for e-mails
   A website, a domain name and the right email addresses will help create a better digital presence
   of the firm, with following advantages -
   Provides Professionalism
   Better showcasing of the profession
   Online Security
   Privacy
   Garners confidence from the client
   Implementation Clues
   A firm or a Practice unit should use registered domain name for all the e-mail ids across the
   organization and ensure that all official communication is done through these email IDs only. This
   also helps the entity to have audit logs that records every activity related to communication along
   with firewall for e-mail filtering to prevent abuse or unauthorized use or disclosure of sensitive
   information. The domain name would be important, because with the advent of the Information
   Technology and Data Protection Laws, it is very important to distinguish between official mail id
   and personal mail id.
(iv) Social Media Presence
   Social media is a central part of any digital marketing initiative that a firm or practice unit can create,
   adhering to applicable ICAI, Code of Conduct. Social media can be used for brand awareness and
   primary way of conversing with client.
   Implementation Clues
 Social media profiles of a firm can be verified by the members of the firm and SMART Goals
 can be set for social media strategy that are Specific, Measurable, Achievable, Relevant and
 Time-bound.
   Identify firms' audience and engage by focusing on relationship building through focus on
   helping clients and customers.
   Stay active and regularly update the content or publish new posts. Designated official in firm
   should be responsible for posting any update and replying to any query raised.
   Use tools to monitor the firm's activity and results.
Illustrations
   Following are few illustrative activities through which a firm can develop its social media presence:
   Conduct webinars at regular intervals on recent amendments and changes.

                                                     3
   Twitter account would help to build personality of the organization you represent. This also
   would be a good tool to update clients of the constant changes in the law.
   LinkedIn account not only establishes firm's network, but it is also an important tool to impart
   educational series to firm's clients. It could be a communication tool to benefit the profession
   at large.
   Develop presence in Quora as it would enhance firm's professional image, it would also be a
   service to the corporate or business world.
   Glassdoor could be a good tool to engage with the prospective employees of the firm,
   and at the same time it is a platform where the employees could air their views about the
   firm. Anonymity also can be maintained. A good Glassdoor rating would help prospective
   employees to decide if they would like to join the firm.
   HR Engagement activities like, seminars, group sessions, office picnic, office events and such
   other aspects could be a good ground to find a place in the office Facebook page.
There should be separate social media presence for the firm and the individual. It would not be
advisable if the firm Facebook page is used to update family trips and vice versa.

1.2 Operational Process Automation
How to score your firm?
Competency Dimension                                    Score/Point            Actual Points
                                                       Awarding Basis         /Score Achieved
1.2 Operational Process Automation-
The firm uses automation for:
(i) Attendance System and Leave management
     system:                                          For each Yes - 1 Point Maximum Points- 40
 (a) Is there biometric/IP address tracking for For each No - 0 point
         attendance?
 (b) Is there a portal available for maintenance of
         attendance/daily work done?
 (c) Is there a leave policy?
 (d) Is there a HR & Employee Portal Software for
         applying/calculation of leaves?
(ii) Mobile device- laptops, PDAs, etc. tracking:
 (a) Are there Laptops, PDAs given to employees?
 (b) Are the assets been tagged before being
         allocated to an employee?
 (c) Is there a tracking of all the assets being done
         on a real time basis through a software?




                                                4
Competency Dimension                                             Score/Point      Actual Points
                                                                Awarding Basis   /Score Achieved
(iii)Internal communication- chats/instant messaging
     systems:
 (a) Is there an Internal Communication/instant
         messaging system available?
 (b) Is the system available for all employees of
         the firm?
(iv)Centralized file storage system/server:
 (a) Is there a centralized file storage system/
         server?
 (b) Are all the files being uploaded on the server
         on a regular basis?
 (c) Is back-up done for the files uploaded on
         system/server?
 (d) Is the data being stored in multiple location?
 (e) Is the data being uploaded on the server being
         checked/audited on a regular basis?
(v) Internal workflow and documentation are
     managed on a digital workflow management
     system and are there any digitized workflow tools:
 (a) Is there any workflow management process
         available for any process?
 (b) Are all the approvals done and available in the
         system?
 (c) Is there audit trail available in the system for
         future reference?
(vi)Electronic database pertaining to client's and
     services being rendered is maintained and updated:
 (a) Are documents of client services stored
         electronically or digitally?
 (b) Is the database being updated on real-time
         basis?
 (c) Is client approval done electronically? Does
         the client's database gets automatically updated
         after approval?
(vii)Office management tools like, HR tools, Grievance
     tools, Payroll tolls, digital library, ticket system for
     tech, ticketing system for HR, reimbursement
     process.



                                                        5
Competency Dimension                                          Score/Point      Actual Points
                                                             Awarding Basis   /Score Achieved
     (a) Are there Office management tools like, HR
         tools, Grievance tools, Payroll tolls, digital
         library, ticket system for tech, ticketing system
         for HR, reimbursement process?
 (b) Are tools accessible by all the employees
         including the articles?
 (c) Are all the tools subject to audit on a regular
         basis?
 (d) Are there HR Tools available for Interview
         Management and Performance Management?
 (e) Is the data being updated in the tools on a real
         time basis?
(viii)Customer Relationship Management (CRM)
     Tools:
 (a) Is there a CRM Software/CRM Tools available
         with the firm?
 (b) Is it interactive and dynamic?
 (c) Do potential/regular customers have access?
 (d) Is Client Data regularly updated?
(ix)SOPs and Internal Guidelines:
 (a) Are SOPs drafted and documented for all the
         processes of the firm?
 (b) Have the SOPs been approved and signed by
         Partner/s of the firm?
 (c) Are the SOPs available to all the employees,
         including articles, at any given point of time?
 (d) Are there regular checks in place to ensure
         that there are no deviations from the SOPs?
(x) Time sheet and work measurement tools:
 (a) Are there time sheets being made by the
         employees and articles on a periodic basis?
 (b) Are the time sheets being verified by the
         Partners/HR?
 (c) Are time sheets being co-related with
         attendance to verify for any deviations?
 (d) Are there any tools to measure the work of an
         employee effectively/efficiently?




                                                     6
Competency Dimension                                            Score/Point       Actual Points
                                                               Awarding Basis    /Score Achieved
(xi)Application for invoicing and receivable
    management:
 (a) Is there an application available for invoicing
       and receivable management?
 (b) Does the system gives report on debtor
       balance on periodic basis?
 (c) Is invoicing done through the application/
       software?

Implementation Guide ­ Operational Process Automation
(i) Attendance System and Leave management system
   Humans are prone to error, even if we provide them with supporting computational devices.
   Monitoring and managing attendance manually can be a time-consuming, laborious, and expensive
   affair. It takes time to process paper sheets and timecards, create schedules, authorize leave and
   overtime, and create payroll manually.
   Automated attendance and Leave management systems ensure accurate time records and minimize
   the inevitable and costly errors with manual data entry. This accurate data thereby helps to provide
   accurate performance and payroll data. It saves money by putting an end to inaccurate time
   reporting, buddy punching, absenteeism, tardiness, time abuse, and overpayment.
   Illustration on advantages of using attendance and leave management systems
   Using of tools like, GreytHR, PeopleSoft Absence Management, Cuckoo Tech and others can
   minimize inevitable and costly errors with manual data entry. With just a few clicks the management
   can generate accurate reports on hours worked, absences, overtime, get a monthly summary report
   for any of the data/groups within the firm or practice unit.
(ii)Mobile device- laptops, PDAs, etc. tracking
   Bring Your Own Device ("BYOD") security relates strongly to the end node problem, wherein a
   device is used to access both sensitive and risky networks. BYOD may result in data breaches like
   follows:
       If an employee uses a smartphone to access the firm's network and then loses that phone,
       untrusted parties could retrieve any unsecured data on the phone.
       When an employee leaves the firm, they do not have to give back the device, so firm's
       applications and other data may still be present on their device.
   Implementation Clues
   Firms or practice units need an efficient inventory management system that keeps track of which
   devices employees are using, where the device is located, whether it is being used, and what
   software it is equipped with GPS tracking, activity logging is some of the options that can be tried
   for device tracking.

                                                       7
    Some of the employee monitoring software are as follows:
        Teramind
        Actimo
        Current Ware, etc.
(iii)   Internal communication- chats/instant messaging systems
    Popular communicators like, MSN, ICQ, and Google Talk are not professional tools for contacts.
    They also increase loss of user productivity because of communications that are not related to the
    business environment.
    Implementation Clues
    Firms or Practice Units must implement intranet based Internal Communication tool. With the
    Internal Communicator, co-workers increase professional contact with one another in real time,
    without needing to move about. Firm can communicate with employees at the headquarters or at
    affiliated locations, traveling abroad, or those at suppliers. In addition, it can generate a permanent
    history of conversations among co-workers that can be audited.
    Some of the internal communication tools are as follows:
        Basecamp
        Staffbase
        Zoom Video Communications
    Jostle

        Blue Jeans
        Skype, etc.
(iv)Centralized file storage system/server
    The benefits of centralized storage are several folds. By keeping data in one place, it's easier to
    manage both the hardware and the data itself. That means closer control on data protection,
    version control and security. It means a single, consistent set of data. It also leads to better control
    of hardware configuration, capacity and performance, etc. Further, by focusing firm's efforts in
    one place, would lead to reduced expenditure and risk.
    Some of the cloud storage and file sharing providers are as follows:
        Dropbox Business
        Amazon
        Box for Business
        OneDrive by Microsoft
        Google Drive for Work, etc.

                                                     8
Illustration
   M/s. XYZ and Co, Chartered Accountants, started storing all the data in a centralized storage
   system. Due to this the entity was able to maximize data integrity and minimize data redundancy,
   there was easier data portability, database administration and several other advantages.
(v)Internal workflow and documentation are managed on a digital workflow management
   system and digitized workflow tools
   Workflow management system is a type of software that helps businesses to take control of their
   routine processes and help them manage better. It allows a firm or a practice unit to automate
   repetitive processes, follow up automatically on uncompleted tasks in the process, give an overall
   picture of the workflow along with performance metrics, etc.
   Implementation Clues
   Important features a firm or a practice unit may consider while selecting a Workflow Management
   System are as follows:
       Easy graphical modeling of processes;
       Access control based on participant responsibilities;
       Flexibility of workflow patterns;
       Option to pre-fill forms;
       Easy-to-Interpret visual representation of task status;
       Reporting features workflow management software should have notifications when and where
       firm needs them;
       Convenience of cloud hosting;
       KPI-Based reports and SLA status indicators.
   Some of the workflow management softwares are as follows:
       Kissflow
       Dapulse
       ProWork Flow
       Papilio
       CCH i Firm, etc.
   Human Resource (HR) Tools
   One area where technology in the form of HR automation tools is causing an instant impact is
   with HR automation. HR has been one huge manual machine for decades, but new technology
   means less papers, less forms, less files, and less people needed to do everything.
   Some of the HR tools are as follows -People Works, 247HRM, Pocket HRMS, etc.

                                                  9
   Further, employee feedback and evaluation should be done online through a portal [refer 1.8 (iii)].
   Firm should develop a portal of evaluation of performance of an employee so that the firm can
   track the activities and contribution of a particular employee and reward that employee in the right
   manner. It should also have a portal for employee's feedback because it would create a proper
   platform for the employees to inform the firm about their issues and requirements. Implementing
   suitable measures for such issues and requirements will create a good work environment.
(vi)Electronic database pertaining to clients
   An Electronic data management program begins with identifying core principles and collaborative
   activities that form the foundation for providing efficient, effective, and sustainable data.
   Following are the benefits of data management under their workflow management system:
       Data pertaining to clients and services is collected timely, accurate, relevant, and cost-effective.
       Data efforts are cost-efficient and purposeful, and they minimize redundancy and respondent
       burden.
       Data is used to inform, monitor, and continuously improve processes.
       Partnerships and collaboration with all stakeholders are cultivated to support common goals
       and objectives around data activities.
       Activities related to the collection and use of data is consistent with applicable confidentiality,
       privacy, and other applicable laws and regulations.
       Data activities adhere to appropriate guidance issued by the organization, its advisory bodies,
       and other relevant authorities.
(vii) Certain other tools that adds value to services rendered
   Following are some important tools to enhance firm's working:
   · Knowledge Management Tools
       Knowledge management is a systematic approach to capturing and making use of a firm
       or practice units' collective expertise to create value. The potential advantages of effective
       knowledge management are significant but, as with most processes, there are certain challenges
       to consider.
       Following are the benefits of knowledge management:
 Improved organizational agility.
 Better and faster decision making.
 Quicker problem-solving.
 Increased rate of innovation.
 Supported employee growth and development.
       Some of the knowledge management tools are Confluence, Astute Knowledge, ServiceNow
       Knowledge Management, etc.

                                                   10
   · Interview Management
       To save on hiring costs, firm needs a process that is efficient. This means both a streamlined
       hiring process and a process that leads to the right employee for the job. By clearly identifying
       the key job criteria in advance, interview planning helps to eliminate unnecessary steps and
       ensures that each stage of the process matches firm's business needs.
       Some of the Interview management tools are JazzHR, Interview Coordinator, Google forms,
       etc.
   · CRM Tools
       Customer Relationship Management (CRM) is the strongest and the most efficient approach
       in maintaining and creating relationships with customers. Customer relationship management
       is not only pure business but also ideates strong personal bonding within people. Development
       of this type of bonding drives the business to new levels of success.
   Implementations Clues
   · Create a CRM strategy and define your objective. A firm or a practice unit should be aware of
     following aspects before CRM tools:
 Why the customers require our services?
 How will the customers find my entity?
 What are the customers' expectations?
 Where is customer's information stored?
       These questions will help the entity to define a strategy to build relationships with clients,
       which will then help the firm to define its CRM objectives. CRM objectives are what entity
       wants to achieve through CRM system.
   · Following is an Illustrative list of CRM Objectives:
 Identify potential clients.
 Automate manual tasks in like, preparing quotes, tracking and sending follow-up emails,
 etc.
 Find out which services sell more.
 Engage with customers via social media to find out what they like or don't like about
 entities services.
   · Prioritize entities CRM objectives
       It would be difficult to achieve all CRM objective in one go. Hence, it is necessary for a firm
       or a practice unit to prioritize the objectives.

                                                  11
   · Define entities business processes
      What are the firms processes when interacting with the clients? For example, how does firm
      handles phone enquiries or requests for quotes? Processes are a way for the firm to deliver a
      consistent experience for the customers. The more consistent the firm is the more is the trust
      built.
   · Select the right CRM tool/system
      Now since the firm has identified the processes in the business the next step is to find the right
      CRM tools that can cater for these processes. Some of the CRM tools are Salesforce, Zoho,
      Hubspot, Agile CRM, etc.
   · SOPs and Internal Guidelines
      Ready-made SOPs make firms proven work processes portable. New employees at new
      locations can uphold firm's reputation by using the SOPs to replicate the products and services
      provided at firm's original place of business.
      Few benefits of SOPs and Internal guidelines are as follows:
 Minimizing Learning Downtime
 Ensuring Understanding of the Role
 Ensuring Consistency in the Performance of Duties.
          Illustrative list of few SOPs a firm may have is as follows:
 New client on boarding ­
          It is important for a firm to have SOPs that will help bring new clients into the fold. The
          first few interactions an incoming client has with the personnel of the firm will have a
          huge impression, so the clients should be handled carefully.
 Help Desk Manual ­
          Client will ask many questions and most of them will be repetitive in nature. A firm should
          create a SOP templates and decision trees that will enable the team to handle the most
          common questions quickly and calmly.
 Key Performance Indicator (KPI) Reports ­
          In order to make data-based decisions about future assignments, it's essential to have KPI
          reports in place. Tracking KPIs also gives a firm clear picture of where performance can
          be improved, and which elements of its business is thriving. Some of the common KPIs
          are member enrollment and drop-off rates, number of clients, etc.
 Application for invoicing and receivable management
          Invoicing can be one of the challenging book keeping tasks. Using an invoicing software
          would make such regular tasks very easy. It provides benefits such as, faster payments,
          savings in time and cost, reduces paperwork, easy accessibility, enhanced security, etc.






                                                 12
          Further, it is important for any firm to have a good accounts receivable management. It
          provides following benefits:
          · Improves cash position
          · Increase control over cash and working capital
          · Reduction in administrative costs
          · Reduces the sales to payment cycle
          Some of the invoicing and receivable management tools are Quickbooks, Slickpie, Quantum
          Invoicing, etc.

1.3 Redundancy and Continuity
How to score your firm?
   Competency Dimension                                       Point Awarding       Max Points
                                                                    Basis
   1.3 Redundancy and Continuity-                              For each Yes -   Maximum Points - 7
                                                                1 point each
   (i) Data back-up is automated process on the cloud/         For each No -
        off-line at a different location and same is tested        0 Point
        periodically:
    (a) Is all the data being uploaded on server on a
            daily/periodic basis?
    (b) Is the back-up data stored in multiple
            locations?
    (c) Is this process of backup automated?
    (d) Is backup of email taken regularly or at the
            time of leaving the organization?
   (ii) Redundancy of internet connection, back up
        connectivity:
    (a) Is there internet connection available for the
            employees in the firm?
    (b) Is the internet connection secured and has a
            high security password?
    (c) Are there multiple connections available in
            case of connectivity issues in one connection?

Implementation Guide ­ Redundancy and Continuity
(i) Automated data back-up and Periodical testing
      Data backup and data recovery are important parts of running a business. All computer systems
      are at risk of crashing, and human errors and disasters happen when least expected or are least
      prepared for them.

                                                      13
      Implementation Clues
      A Firm can refer following steps for implementing data backup strategy:
      · Assessing firm's backup needs;
      · Evaluating options to find the best backup strategy hardware backups/ software solutions/
        cloud services/ hybrid solutions, i.e., public private and hybrid clouds;
      · Budgeting (Cloud-based solutions are more affordable);
      · Select a Platform;
      · Select a Data Backup Vendor;
      · Create a Time table based implementation plan;
      · Create a Step-by-Step Recovery Plan;
      · Test the new backup system;
      · A firm should take back up of all its data even if the data is stored on cloud.
(ii)Internet Connection and Back up connectivity
      Internet helps businesses to grow, achieve goals and become successful in this competitive market.
      It is important for any business to have a consistent data connection. The internet connection
      that can be both reliable and consistent is a dedicated connection like, ethernet over fiber (leased
      line). However, as reliable as these connections are, sometimes they may fail making a backup data
      connection essential.

1.4 Mobile Devices and Data Security
How to score your firm?
   Competency Dimension                                                Point Awarding     Max Points
                                                                            Basis
   1.4 Mobile Devices and Data Security-                                For each Yes -     Maximum
                                                                           1 Point         Points - 9
   (i) Usage of Mobile Devices and Laptops:                             For each No -
        (a) Are secured through drive encryption?                          0 Point
        (b) Are there laptops/mobiles given to employees/articles
            for official use?
        (c) Are there any domain policies applied to the systems?
        (d) Is DLP (Data Leak Protection) being installed in all the
            systems?
   (ii) Has end point security been deployed:
        (a) Are all the systems secured through antivirus?
        (b) Are systems being updated with the latest security
            definitions?


                                                    14
Competency Dimension                                                  Point Awarding     Max Points
                                                                           Basis
(iii) Can remotely backed-up/ content wiped off in case of loss
      of device (MDM):
      (a) Is there any Mobile Device Management (MDM) policy
          available?
      (b) Can the systems be accessed remotely?
      (c) Are there any back-up solutions available in the systems?

Implementation Guide ­ Mobile Devices and Data Security
A firm should create a formal device policy that educates staff on security risks. But this isn't enough
to protect firm's data. A firm should have an effective mobile device management solution that can
provide the following benefits:
· Protect devices from unauthorized access by enforcing lock screen passcodes, installing mobile
  malware detection software, and setting up device-level encryption.
· If a device is lost or stolen, you can erase the data or lock the device until it is found.
· If an outside app is tainted by malicious code, it can tap data from other apps on the device,
  which jeopardizes the data. Application control lets you decide which apps to permit and which to
  blacklist or disable.
· Provides real-time visibility into your firm's mobile environment, including device status, user
  information, log-in attempts, and compliance with password policies.
Implementation Clues
· Devices must be configured with the standard configuration prior to use remotely.
· Devices must be configured to require a unique user login ID and password that meets complexity
  requirements.
· Devices must get automatically logged off after a period of time and portable devices should have
  a lower timeout.
· Devices will require documents to be written to the firm's server where possible. Firm should
  use appropriate technology tools to synchronize all device files with the network server and for
  routine backup.
· Devices configuration must have malicious software protection to be enabled with automatic live
  updates.
· Devices must be enabled for automatic updating of security patches.
· Devices must be configured with remote security controls that will remotely wipe the device
  upon loss or theft, scan for malware, provide GPS tracking, encrypt partitions and alert or block
  introduction of unauthorized SIM cards.
· Devices that use wireless communications including Bluetooth must be configured to always
  turn off the "Discoverable Mode" to ensure the device is not viewable by unauthorized persons.

                                                   15
    Alternatively, where "Discoverable Mode" is necessary for proper pairing, the user shall be trained
    to disable this mode when in public places where data and conversations can be discovered by
    nearby unauthorized individuals.
· Device users must be trained and periodically reminded to pair their devices with the pairing
  laptop in private locations, and not public locations. Users should be trained to recognize likely
  eavesdroppers who may be hacking, sniffing, or setting up malicious code.
· Device users are not allowed to change any setting or security rule on their devices without
  permission from the Security Official.
· Devices users must adhere to the acceptable user policy including not downloading software,
  introducing foreign media, and so forth.
· Devices, when in transit, must be carried in the user's immediate vicinity with appropriate covers
  or containers. Devices should not be left unattended.
· Flash drives and other media copying of data will only be used if password protection is enabled
  and the drive or media is encrypted and provided by the security official.
· All remote access to the networks or cloud-based applications shall be done with the use of a
  secure access like, VPN.
Illustration
M/s. XYZ and Co, Chartered Accountants, implemented policies relating to mobile devices and data
security. The policy contained the following:
· The devices must contain unique IDs and passwords meeting the complexity requirements.
· The devices should not be used to access unauthorized Wi-Fi.
· Documents and applications from unknown sources should not be downloaded and opened.
· Always update the devices with latest security patches.
The firm also took measures to implement software that can wipe off the entire data in case the
devices are lost and not traceable.

1.5 Data Security
How to score your firm?
 Competency Dimension                                               Point Awarding     Max Points
                                                                         Basis
 1.5 Data Security                                                   For each Yes -     Maximum
                                                                        1 Point         Points - 23
 (i) Critical communications are digitally secured:                  For each No -
     (a) Are critical communications digitally secured (either          0 Point
         through digital signatures or passwords/other mechanism)
     (b) Is there any password for all files that contain sensitive
         data?


                                                  16
Competency Dimension                                                   Point Awarding   Max Points
                                                                            Basis
(ii) Access to internet is restricted on need only basis and use
       of data cards is also routed through corporate firewalls:
       (a) Is the access to internet controlled through a firewall?
       (b) Is there a usage log available?
(iii) Firm has deployed end-point security on all desktops
       (including access control):
       (a) Are all the systems secured through antivirus?
       (b) Are systems being updated with the latest security
           definitions?
       (c) Is there domain login system available?
       (d) Is there domain login policy being applied to the
           system?
(iv) Business Continuity Plans and Disaster Recovery:
       (a) Is there any Business Continuity/Disaster Recovery
           plan?
       (b) Is there any back-up system available off-site?
       (c) Has the plan been regularly tested for effectiveness?
(v) BYOD policies:
       (a) Is there BYOD (Bring your own device) policy available
           in the firm?
       (b) Do these devices have any end point security applied
           to these systems?
(vi) Internet policy:
       (a) Is there policy for usage of internet (e.g., filtering of
           websites)?
       (b) Is there different usage policy for different users based
           on requirement?
(vii) Information Technology (IT) policy:
       (a) Is there an IT policy available for the firm?
       (b) Is the policy being read and acknowledged and regularly
           reiterated to the firm's employees?
       (c) Is there any audit trail available for the implementation
           and acceptance of the IT policy?
(viii) Password protocol or guidelines:
       (a) Is there any password policy?
       (b) Does the e-password need to be changed on a periodic
           basis?
       (c) Is there a two-step verification process available for
           access to mails?
(ix) In-house developed tools:
       (a) Are there any in house developed tools?
       (b) Are there any personnel's available who can develop
           such tools?

                                                    17
Implementation Guide ­ Data Security
(i) Critical communications are digitally secured
    Communication is vital. It is a critical component in effective dialogue, efficient management
    and for an organized infrastructure. Communication makes negotiations clear, enables smooth
    transfers of knowledge and ensures everyone in a team is working towards the same goal.
    Tips for securing communications:
    · Use strong passwords and don't re-use them. Good: (`34bGUI7&89@))' Bad: `12345 or
      Eddy1')
    · Provide firewall security for your internet connection.
    · Use multiple authentication methods like, password, security question, digital certificate, smart
      card, etc.
(ii)BYOD (Bring your own device) policy
    Some firms allow their employees to use their personal phones to conduct business. It's great for
    business to increase productivity and efficiency but it leaves businesses vulnerable to an attack
    since phones can be hacked and used to access firm's network. A BYOD policy will help to
    educate employees on the use of mobile technology and how to mitigate the risk of an attack.
(iii)   Information Technology (IT) Policy
    It is no understatement to say that IT is the key driver in any business. These days, virtually every
    business operates out of computers and Internet. Organizations should realize that proper usage
    of IT not only ensures data confidentiality but can also offer competitive advantages. An IT policy
    protects against threats and it also improves transparency and efficiency.
    Illustrative list of IT Policies
    · Inform all users on the acceptable use of technology ­ this policy would cover areas like,
      use of computer resources, responsibility of passwords, illegal copying, computer security,
      accessing of networks, etc.
    · Security awareness ­ The firm must consistently inform all users regarding the impact their
      actions can have on security and privacy. The number of computer security incidents and
      the resulting cost of business disruption and service restoration continue to escalate. The
      policy shall include a monthly security awareness newsletter covering latest threats, online or
      personnel training to all employees, most common threats a firm can encounter and measures
      to tackle the same.
    · Information Security ­ Firm must implement a policy for the enterprise data risk management.
      The policy must define the management, personnel and technology structure. The policy shall
      focus on system access control, information access, user id allotment for access to corporate
      information, password policy, etc.


                                                   18
(iv)Certain other points important from data security viewpoint:
     · Access to internet is restricted on need only basis and use of data cards is also routed through
       corporate firewalls.
     · Firm should deploy end-point security on all desktops (including access control).
     · Firm should develop an effective Internet Policy which can monitor the data usage and access
       to websites should be restricted.
     · Password guidelines should be implemented wherein the password should be changed periodically.
(v)Business Continuity Plans and Disaster Recovery
     The firm should have a policy in place in the event of disruption, outage or such other reasons
     due to which it is not able to perform its duties in the regular course. This could be caused
     by heavy power outage, internet failure, fire, natural disasters, etc. A business impact analysis is
     recommended to be performed.

1.6 Electronic Payments
How to score your firm?
   Competency Dimension                                             Point Awarding       Max Points
                                                                         Basis
   1.6 Electronic Payments
   Financial Transactions beyond a threshold are made through         Below 15% -         Maximum
   electronic means using Two Factor Authentication from                0 Points          Points - 3
   designated devices only.
   (i) Min of 15% and up to 40% of all payments are made              15%- 40% -
         through electronic means.                                      1 Point
   (ii) 40% to 75% of all payments are made through electronic       40% to 75% -
         means.                                                         2 Points
   (iii) Above 75% of all payments are made through electronic       Above 75% -
         means.                                                         3 Points
   Note: % is in terms of transaction volume in a financial year.

Implementation Guide - Electronic Payments
E-payment is very convenient compared to traditional payment methods such as, cash or cheque. Since
one can pay for services online at any time of day or night, from any part of the world. E-payment
also eliminates the security risks that come with handling cash money.
Following are the few advantages of electronic payments:
· Useful data at your fingertips which is not available if transacted with cash.
· No security risks.
· No wastage of time.
· Better track on payments.
· Reduced transaction costs.

                                                   19
Illustrative list of electronic payment options available --
· National Electronic Funds Transfer (NEFT) -- A NEFT transaction, or National Electronic
  Funds Transfer, allows an organization to carry out a one-to-one money transfer in the quickest
  possible time. For such a transfer, organization is just required to enter the bank details of the
  beneficiary and the IFSC code of the bank branch.
· Payments through mobile wallets like, Paytm -- Usage of e-wallets will provide advantages like,
  easy accessibility, simple to load money, quick transfer of funds, etc.
· Payments through UPI by using applications such as Google Pay, Phone Pe and others - The UPI
  is a payment mechanism which allows instant money transfer without the bank details. Instead of
  bank account number and IFSC code, the virtual payment address (VPA) is used to pay through
  the UPI.
Illustration
M/s. XYZ and Co, Chartered Accountants, is a firm which initially started with fewer employees and
clients. Hence, the entity used to process salary and vendor payments by issuing cheques. But, as the
size of the entity grew, it became difficult to keep track of payments being made. Hence, the firm
decided that going forward it will make all its salary and vendor payments using NEFT which enabled
timely payment and also enabled effective tracking of all payments.

1.7 Copyright and Licenses
How to score your firm?
 Competency Dimension                                               Point Awarding   Max Points
                                                                         Basis
 1.7 Copyright and Licenses
 (i) Software deployed are backed by appropriate licenses and       For each Yes -    Maximum
      inventory of licenses are maintained:                            1 Point        Points ­ 4
      (a) All software being used are appropriately licensed?       For each No -
      (b) Is there a list of licenses along with the expiry date       0 Point
          maintained?
 (ii) Policy on use of graphics available on the net (Copyright
      related issues):
      (a) Are there any downloads done from the website?
      (b) Is the policy on copyright being adhered to?

Implementation Guide ­ Copyright and Licenses
The Firm must acquire software licenses and must use the software and documentation only in
accordance with applicable license agreements. The software user should be aware of limitations
on use and reproduction described in the license agreement related to specific software, and to use
licensed software strictly in accordance with such limitations.


                                                               20
Implementation Clues
· A copy of the software license agreement should be kept with the software for easy reference.
· Ensure compliance with all provisions of the software agreement.
· All users of computer software should be aware of the terms and conditions.
· Professionals and skilled workers who provide information services and products to ensure that
  there is no copying or distribution of software and related documentation.
· Ensure that employees are made aware of copyright issues while downloading from website.
The firms will use devices like laptops, computers, mobiles, tablets and others; hence the firms should
ensure that licenses are acquired for all software installed on such devices like, MS Office, MS Word,
MS Excel, MS Word, MS PowerPoint, MS Outlook and others.
Illustration
M/s. XYZ and Co, Chartered Accountants, ensured that all the software purchased are genuine and
are backed by proper license agreements. The firm also has the practice of educating its employees
regularly on the don'ts of copyrights and licenses. The firm also regularly inspects all the devices of
the firm to verify if there are any software installed that are not genuine.

1.8 Digital Media for Communication
How to score your firm?
 Competency Dimension                                                  Point Awarding   Max Points
                                                                            Basis
 1.8 Digital Media for Communication
 (i) Internal employee portal is maintained with updated               For each Yes -   Maximum
      content relating to firm's audit programs, checklists, sample       1 Point       Points ­ 11
      representation letters, etc.
      (a) Is there an internal employee portal available?              For each No -
      (b) Is the portal accessible outside the office premises?           0 Point
      (c) All data/content relating to firm's audit programs,
          checklists, sample representation letters, trainings, etc.
          is available and updated on real time basis.
      (d) Is the access to the portal is through a login ID and
          password?
 (ii) E-newsletter is published to its employees and knowledge
      updates are available on portal:
      (a) Is there a periodic E-Newsletter and knowledge updates
          published and distributed among its employees?
      (b) Is there a repository available for the E-Newsletter and
          knowledge updates?
      (c) Can the repository be accessed by the employees
          including the articles at any given point of time?

                                                    21
Competency Dimension                                                 Point Awarding      Max Points
                                                                          Basis
(iii) Employee feedback and evaluation is done online through
      a portal:
      (a) Is employee feedback and evaluation taken on a periodic
          basis?
      (b) Is the portal accessible to all the employees including
          the articles at any given point of time?
(iv) Mail server is managed in-house/third party service
      provider with scheduled back-ups/vaulting options enabled
      to retain mails for defined period of time:
      (a) Is back-up of mails done?
      (b) Is there any specific period of time for mail retrieval?
Implementation Guide ­ Digital Media for Communication
Effective communication helps to ensure that all members of the organization are working
collaboratively towards a common goal. It develops a cohesive culture and empowers employees to
make the right decisions in line with the organizational goals. This in turn leads to greater efficiency
and productivity and improves customer service. These outputs are relevant to every organization, so
size really shouldn't matter in this respect.
Implementation Clues
(i) Internal employees' portal should be maintained with updated content relating to firm's audit
    programs, checklists, sample representation letters, etc. The employees of the firm will not be
    able to track the recent amendments in law with the ongoing assignments. Hence, the firm should
    maintain a portal wherein all the amendments, checklists, reports and representation letters relevant
    to such amendments are uploaded. By doing this the firm will be saving lot of time as each and
    every employee need not spend time in analyzing and interpreting the law.
(ii) E-newsletter should be published at periodical intervals which must contain recent amendments/
    updates and news about what is going on in the firm. The firm must take the initiative to publish
    newsletter at periodical intervals so that the members of the firm are updated with recent
    amendments. The responsibility of preparing the newsletter can be divided amongst various teams
    in the firm and the respective team can focus on preparing newsletters in their area of expertise.
    Along with this, the HR of the firm can also take an initiative to include few things about the
    activities of the firm like, recent seminar conducted by the firm, celebration of a festival in the
    office or other office events, etc.
(iii)Employee feedback and evaluation is done online through a portal ­ Refer HR Tools in Section
     1.2 "Operational Process Automation".
(iv)Mail server should be managed in-house/third party service provider with scheduled back-ups/
    vaulting options enabled to retain mails for defined period of time. It is important for any firm to
    maintain the audit data; hence it becomes important for a firm to maintain the mail server. The
    following are the benefits associated with it:

                                                   22
      · Full control over both the server and your e-mail
      · View logs for incoming and outgoing messages
      · View logs for connection and authorization attempts
If the prospect of managing own mail server is too daunting, the firm should consider using a third-
party mail service. For a fee, these services provider manage mail servers and take care of all hosting,
maintenance and troubleshooting tasks.

1.9  Protecting Personal Data and Privacy
How to score your firm?
   Competency Dimension                                                Point Awarding      Max Points
                                                                            Basis
   1.9 Protecting Personal Data and Privacy
   (i) Employee related personal information/HR data in For each Yes -                     Maximum
         electronic form is secured from unauthorized access:               1 Point        Points - 7
         (a) Is all employee related personal information/HR data For each No -
             in electronic form is secured from unauthorized access?        0 Point
         (b) Are all the systems having sensitive HR data being
             protected by passwords?
         (c) Are all data uploaded on portals encrypted?
   (ii) Social media checks are carried out on key employees as
         part of background checks including prior or existing
         relationship with clients:
         (a) Are social media background checks done on key
             employees?
         (b) Are their social media profiles monitored for verification
             of existing relationship with clients?
   (iii) Employees are sensitized on due care to be taken relating to
         sharing client specific information on a regular basis:
         (a) Employees, including articles, are sensitized and due
             care to be taken relating to sharing client specific
             information during induction.
         (b) Workshops/ Seminars conducted for employees
             including articles on handling of client sensitive data.
   (iv) Privacy Policy and the Terms of Use policy                      For each yes ­     Maximum
         (a) Does the firm have a Privacy policy?                        1 point each      marks - 6
         (b) Does the firm have a Term of Usage policy for usage          (for a & b)
             of data and assets under their control?                    4 points (for c)
         (c) Has the firm classified data into sensitive and non- For each no -
             sensitive data?                                                0 point


                                                      23
Implementation Guide ­ Protecting Personal Data and Privacy
Every Professional Accounting Firm would have the responsibility of maintaining confidentiality
of client data as well as employee data. Adequate data governance builds trust. It safeguards the
reputation of firm's business, establishing firm as a brand that people can trust with their data.
Implementation Clues:
Employee Data Protection ­
Employers need to process and maintain a broad range of personal data for employees and they do so
through the entire life cycle of the employment if not beyond, for example, during recruitment and on
boarding process, during the course of the employment relationship, and even after it ends.
The following points shall help a firm in protecting employee data:
· Use security software on devices to protect from the latest threats.
· Employees must be made aware not to open personal data or accounts on social media via
  unsecured Wi-Fi networks.
· Protect firms and employee accounts with powerful, unique passwords that contain a combination
  of at least 10 uppercase and lowercase letters, symbols, and numbers. These passwords should not
  be written down, not even in a password protected file, but assistance of good password manager
  should be taken.
· Sensitive HR data access should be given to authorized personnel only.
· Policies should be set up for sharing employee data.
Client data protection ­
Any firm would have to handle lots of client data and at the same time it is also important to maintain
confidentiality of the same. The following points will assist a firm in maintaining confidentiality of
client data:
· Audit the data protection practices ­ It is advisable not to wait for a data breach to take the security
  protocols seriously. An annual review of systems by an outside firm is a best practice for firms
  who regularly handle sensitive information. And, if the firm can make the clients aware that firm
  is doing this on an annual basis, it becomes additional value and security to the clients.
· Ensure that clients are aware about e-mail security - When an email is sent it stops in several
  locations (or servers) before it hits the inbox, so without encryption, hackers can intercept the
  email. This gives the firm an opportunity to develop a system that is secure for both firm and the
  clients.
· Physical security - If firm's computer network is secure, but the staff isn't careful about walking
  away from a computer with files open, those files are at risk. Physical security like, keeping locks
  on doors leading to any sensitive files, cable locks on computers to ensure they are locked to the
  desk, and keeping desks clean and tidy so that information can't be misplaced or picked up by the
  wrong hands are things a firm can do to avoid the theft of sensitive data.

                                                   24
1.10  Online scans for adverse content
How to score your firm?
Competency Dimension                                                  Point Awarding     Max Points
                                                                           Basis
1.10 Online scans for adverse content
(i) Does the firm carry out, either through a third party or on its   For each Yes -      Maximum
    own, scan of online content to track any adverse news about          1 Point          Points ­ 2
    the firm/it's employees?
    (a) Does the firm scans the online contents relating to the       For each No -
        firm on its own or by third party?                               0 Point
    (b) Is there an internal PR department which handles in case
        of any adverse publicity of the firm or its employees?
Implementation Guide - Online scans for adverse content
The modern business environment is not only of increasing sales and profitability, growth and
development; it is also about protecting brand image from external threats and adverse publicity. Any
brand has to be meticulously built up and it might take in-depth planning and nurturing for months, if
not years, for it to prosper fully. Hence, when a brand is under attack from competitors, the very image
and functions of the business drops drastically. It is one thing to have stagnant sales and profitability
in the normal course of business; it is another to have negative publicity and unwarranted attacks on
a brand affecting business stability.
Anything on the internet is going to stay there forever. Even if a tweet is deleted, that tweet could
still be seen and shared by millions of people before it is taken down. A message that goes viral could
propel a firm to new heights or crush it in a matter of hours. This is true whether a business owner or
executive writes his or her own tweets or has someone else writing them in his or her name.
If a firm is unprepared and launches its social media presence without proper planning, it could waste
valuable time and money. Some of the possible disadvantages of social media is as follows:
· Customer complaints and feedback are visible and open for scrutiny from the public.
· There may be increased usage of business and personal resources to manage and control social
  media campaign.
· There may be negative employee influence, internally and externally, to firm's business.
A firm should, therefore, implement the following to protect itself from external risk emanating from
social media:
· Firm must carry out, either through a third party or on its own, scan of online content to track any
  adverse news about the firm/it's employees. It is important for the firm to know what the society
  is speaking about the firm and its employees. Firms must regularly carry out checks on social media
  to understand the adverse publicity and should take measures to tackle the same. The firms must
  also scan the media for any adverse publicity related to employees to evaluate its effect on the firm.
· Firm can use social media monitoring tools for tracking posts related to itself. Some of the social
  media tools are as follows: Hootsuite, Social Mention, Sprout Social, TweetReach, etc.

                                                   25
1.11 Information Systems Related Audits/Reviews
How to score your firm?
Competency Dimension                                              Point Awarding       Max Points
                                                                       Basis
1.11 Information Systems Related Audits/ Reviews
Has the firm carried out audits relating to:                        For each yes -      Maximum
                                                                       1 point          points 3
(i) IT Security ­General Control Reviews                            For each no -
      (a) Are there IT Security - General Controls defined?            0 point
      (b) Are IT Controls verified on a periodic basis?
      (c) Are there controls in place to regularly update the
          patches?
(ii) Application Security Audits                                  For each Yes ­        Maximum
                                                                     4 Points           points ­ 4
      (a) Are there any Application Security and Vulnerability For each No -
          Audits performed?                                           0 Point
(iii) Technical reviews like, Vulnerability Assessments, Web For each yes a             Maximum
      Application security testing, etc.                          and b- 1 point,       points- 7
      (a) Do you have periodic check for vulnerability assessment   c- 5 points
          of digital data?
      (b) Are the systems up to date with security patches?
      (c) Has the firm obtained any external certifications like,
          ISO 27001, ISO 9001, etc.

Implementation Guide - Information Systems Related Audits/Reviews
Many firms are spending large amounts of money on Information Technology (IT) because they
recognize the tremendous benefits that IT can bring to their operations and services. However, they
need to ensure that their IT systems are reliable, secure and not vulnerable to computer attacks.
IT review is important because it gives assurance that the IT systems are adequately protected, provide
reliable information to users and are properly managed to achieve their intended benefits. IT review
could also help to reduce risks of data tampering, data loss or leakage, service disruption, and poor
management of IT systems.
Implementation Clues
· Mandate periodical team reporting- A firm has to schedule a compliance reporting meeting on a
  periodical basis. If meetings are conducted regularly then it ensures that issues are resolved at the
  earliest. It will be a valuable opportunity for team members to talk through any concerns, verify
  that current processes are working, plan for any upcoming compliance events, and discuss changes
  to compliance regulated services or environments.


                                                  26
· Develop an Internal Dashboard ­ Firm can develop a dashboard that maps each compliance regulation
  or framework to its controls, systems and processes that address them. It will be very helpful to
  have a single pane of glass view into everything firm is required to uphold.
· Leverage Automated Reporting ­ It will be difficult for security and development personnel to create
  and manually manage a dashboard. A much better approach is to look to a security platform that
  will report on the effectiveness of firm's compliance controls and processes.
Similarly, a firm should also conduct the following Audits/Reviews:
· Application Security Audits.
· Technical reviews like, Vulnerability Assessments, Web Application security testing, etc.

1.12  Design of Application Level Controls
How to score your firm?
Competency Dimension                                               Point Awarding       Max Points
                                                                        Basis
1.12 Design of Application Level Controls
(i) Has the firm participated in the application design stage (i) 0 to 30%              Maximum
      for any client to suggest internal controls to be built into        instances -   Points ­ 3
      software they propose to develop/use, say, maker checker            1 Point
      controls, segregation of duties, audit logs, etc. in financial (ii) 30% to 60%
      software like accounting, payroll etc.:                             instances -
                                                                          2 Points
                                                                     (iii)Above 60%
                                                                          instances -
                                                                          3 Points
(ii) Using Social Media such as, LinkedIn and WhatsApp for For each Yes -               Maximum
      Client Communication (subject to ICAI Regulations):                  1 Point      Points ­ 10
      (a) Is the firm active on Social Media?                          For each No -
      (b) Are communications to clients done through social                0 Point
          media?
(iii) CRM/ e-mailing software for managing client
      communication:
      (a) Does the firm have a CRM/e-mailing software for
          client communication management?
      (b) Do all the employees have access to the software/CRM?
      (c) Do all the employees have access to the software/CRM
          including Articles?
(iv) Process of having client Log in passwords and authorization
      and legality:
      (a) Are all the client logs protected with password?
      (b) Logs are accessed by only authorized personnel.

                                                  27
   Competency Dimension                                                 Point Awarding     Max Points
                                                                             Basis
   (v) Segregation of data based on allocation of work and
       sensitivity:
       (a) Is there segregation of data on the basis of allocation
           of work?
       (b) Is all the data uploaded in cloud and can be accessed
           only with valid credentials?
       (c) Is data in the cloud accessible on the basis of client and
           allocation of work?

Implementation Guide - Design of Application Level Controls
(i) Design of Application Controls
      Following are few areas where IT Application Controls can be reviewed:
      · Input Controls
 Comprises the components that capture, prepare, and enter commands and data into the
 system.
      · Processing Controls
 Comprises the components that perform decision making, computation, classification,
 ordering, and summarization of data in the system.
      · Output Controls
 Comprises the components that retrieve and present data to users of the systems.
      · Database Controls
 Comprises the components that define, add, access, modify, and delete data in the system.
      · Communication Controls
 Comprises the components that transmit data among sub-systems and systems.
      · Boundary Controls
 Comprises the components that establish the interface between the user and the system.
(ii)Using Social Media such as LinkedIn and WhatsApp for Client Communication (subject
    to ICAI Regulations)
      Being active on social media by regularly posting articles on recent amendments, replying to clients,
      etc. adds value to the business. Firms should ensure that they are very prompt in responding to
      client and, one should post articles at regular intervals. (Refer Section on Social Media Presence).




                                                     28
(iii) Custody of digital signatures
      It is very important for firms to ensure that the digital signatures of partners are not misused. A
      firm can assign a person who would be in charge of digital signatures and the firm must set up
      a portal, where the employees of the firm must place a request for digital signatures, and such
      request has to be approved by manager or partner, so as to ensure proper track of digital signatures.
      The firm can also set up a policy that the digital signature of partners will be in possession of
      respective partners at all times and the digital signature has to be used in their presence.
(iv)Certain other points that requires attention
      · Use of CRM/e-mailing software for client communication management. (Refer Section on
        CRM Tools).
      · Process of having client log in passwords and authorization and legality.
      · Segregation of data based on allocation of work and sensitivity.

1.13 External Validation/Certification
How to score your firm?
   Competency Dimension                                                 Point Awarding     Max Points
                                                                             Basis
   (i) Is the firm subject to external validation/ certifications like, For each Yes -      Maximum
       ISO 27001, etc.                                                      4 Point         Points ­ 4
                                                                       For each No -
                                                                          0 Point

Implementation Guide - External Validation/Certification
Compliance is the process by which a firm can ensure that relevant external and internal requirements
such as, legislation, rules, guidelines, standards, codes, policies, procedures and controls are complied
with. The compliance function assists the business in complying as well as gaining assurance from
the business that they have complied. Firm must identify all external compliances (Validation/
Certification) related to their business operations and should implement those as per their specific
implementation guidelines.
For Illustration, ISO 27001 Implementation broadly involves following steps
· Define an Information security management systems (ISMS) policy.
· Define the scope of the ISMS.
· Perform a security risk assessment.
· Manage the identified risk.
· Select controls to be implemented and applied.
· Prepare a Statement of applicability (SOA).

                                                     29
1.14 Custody of Digital Assets
How to score your firm?
   Competency Dimension                                              Point Awarding      Max Points
                                                                          Basis
   (i) Inventory of assets (Hardware, Software, License, etc.)
       (a) Does the firm have an inventory of assets?                  For each yes ­    Maximum
                                                                          1 point        points- 7
       (b) Are the assets been given unique ID?                        For each no ­
                                                                          0 point
       (c) Are the assets allocated to an employee being tracked?       For ii (b) ­
                                                                          2 points
         (d) Is the list of assets updated on real time basis?
   (ii) Standardized and approval driven process to store and use
         the digital signatures of the clients
         (a) Are all the digital signatures in the custody of authorized
             personnel?
         (b) Does the firm have approval system for usage of digital
             signatures?
   (iii) Has the firm deployed any mechanism/ tools to safeguard For each yes ­          Maximum
         the login credentials for various clients?                        4 points      Points ­ 4
                                                                         For each No ­
                                                                            0 Point

Implementation Guide ­ Custody of Digital Assets
(i) Inventory of assets
      A firm shall have inventory of assets like, computers, laptops, TVs, projectors and others. It is
      important for the firm to keep proper track of all the assets.
      Implementation Clues
      · Assets must be given a unique ID.
      · A list of all digital assets should be maintained which shall contain the location of assets and
        unique IDs assigned.
      · The assets given to employees must be tracked properly.
      · The list of assets must be updated regularly.
      · Periodical verification of digital assets must be conducted.
(ii)Digital Signature of clients
      Digital signatures of the client if in custody of firm should be backed by an escrow agreement and
      should be physically safeguarded.

                                                     30
   Implementation Clues
   · The firm should designate one employee to take custody of all digital assets of clients.
   · The firm should set up a portal in which the employees shall place request for the digital
     signature of clients
   · The request placed on the portal should be approved by the firm's manager or partner.
   · On approval, the digital signature should be handed over by the designated employee.
   · Employees should be made aware not to hand over DSC to other teams and the DSC has to
     be routed through the designated employee after proper approval.
(iii) Login credentials of clients
   Professional accounting firm will have the login credentials of various clients and it is important
   to maintain the confidentiality of such data. The firm has to prepare a list of client credentials and
   it should be regularly updated. The access of the client credentials should be given to partners or
   managers only.




                                                  31
SECTION B : AVAILABILITY OF QUALIFIED RESOURCE POOL
AND TALENT DEVELOPMENT RELATING TO DIGITAL
COMPETENCIES
This section covers aspects relating to what extent an accounting and audit firm has leveraged
Information Technology (IT) and related processes for its own operations ­ from automation of
attendance systems to cloud based data back-up, etc. It also addresses issues of data security of client's
sensitive data.

2.1 Skilled resource for managing internal IT infra
How to score your firm?
   Competency Dimension                                               Point Awarding       Max Points
                                                                           Basis
   2.1 Skilled resource for managing internal IT infra
   (i) System Administrators or Cloud Administrators (in case of For each Yes - 1           Maximum
        cloud deployment)                                                Point              Points- 6
        (a) Is there an in-house system administrator?              For each No - 0
        (b) Have you deployed anything on the cloud?                     point
        (c) Is he well trained to manage the deployments inside the
            premises as well as on the cloud?
   (ii) Annual Maintenance Contract (AMC) Support
        (a) Is there an AMC for desktop support/ maintenance?
        (b) Is there an AMC tracker available?
        (c) Are AMC's of desktops/hardware taken on a timely
            basis?

Implementation Guide ­ Skilled resource for managing internal infra
(i) System Administrators/ Cloud Administrators (in case of cloud deployment)
     The firm may already have entrusted the System Administrator responsibility to an in-house staff.
     If not, the firm may opt for recruiting a person for this job. Alternatively, this can be entrusted to
     outsourced personnel. In both the cases, the firm will have to define the roles and responsibilities of
     the Systems Administrator. Small firms may check feasibility of entrusting system administration
     responsibility to their existing hardware AMC vendor. In that case, AMC vendor can render
     services on-call basis for system administration work. With proper security put in place, a remote
     system administration service may also be considered.
     Depending upon the volume of work, a firm (especially large and medium size firms) may
     have to formalize sub roles in System Administrator such as, Backup Administrator, Network
     Administrator, Firewall Administrator, Security Administrator, etc.




                                                     32
   Further, System Administrator is responsible for safe and secure continued availability of all
   IT resources to the authorized users. Today's System Administrator's may also oversee, apart
   from routine administrative activities, other areas of importance such as, incident reporting and
   resolution, security incidents management and reporting, capacity enhancements, participating
   in future business planning from IT perspective, etc. The firm should also define who are the
   authorized users and formally communicate the same to System Administrator.
   For example, Article assistant placed on one audit may not be authorized to access other audits
   assigned to other article assistants. The Firm should provide such information classification to
   systems administrator for defining access rights.
   Further, in case of cloud deployment, normal duties of System Administrator do not get diluted
   even though the firm has cloud deployment. Only the operational part will be the responsibility
   of the cloud service provider. In such a case, the responsibility of System Administrator will be,
   like a coordinator/ manager, who gets the job done from the cloud service provider. So, he should
   have sufficient technical knowledge to deal with technical personnel of the cloud firm. Capacity
   management and security of firm's data (at optimum cost) becomes important in the cloud
   deployment. The person should have a right balance of technical and managerial/ negotiation
   skills.
(ii)Agreement with service providers
   If digital technologies are not already in place, the firm may put in place an agreement (known
   as Service Level Agreement) with the cloud service provider and the following points have to be
   taken care:
   · The firm may maintain inventory of all hardware and software with clear demarcation between
     IT assets owned by the firm's cloud and IT assets owned by the cloud service provider.
   · In cases where more than one cloud service provider is responsible for providing service/s,
     the firm will have to establish multi-party agreements, e.g., a tri-party agreement.
   · Large and medium firms may be outsourcing (or co-sourcing) to outside experts/ firms some
     of the assignments. In such cases, customer's data protection and other IT related contractual
     obligations of both the parties are very important.
   Agreement clause with cloud service provider may include:
   · Breakdown and preventive maintenance schedules;
   · Service reporting at predefined periods (e.g., monthly);
   · Security incident management and reporting, audit and other inspection reporting;
   · All types of fees and charges;
   · Security management for data protection;
   · Changes in key support personnel, key hardware changes, ownership and custodian provisions,
     migration and knowledge transfer clauses, etc.

                                                33
2.2 Training/skill of staff related to office automation
How to score your firm?
Competency Dimension                           Point Awarding Basis           Max Points
2.2Training/skill of staff related to (i) 0 to 30% of the staff - Maximum Points - 15
      office automation                           1 Points
(i) How many of the firm's staff are (ii) 30% to 60% of the
      formally trained/skilled in ­               staff - 2 Point
      (a) Word processing software skills    (iii)Above 60% of the staff
                                                  - 3 Points (evaluation
                                                  should be made for
      (b) Spreadsheet software skills
                                                  each of the five sub-
      (c) Database/ data analytics skills         questions separately)
      (d) Presentation skills
      (e) E-mail and internet skills
(ii) Use of automated work-flow systems For each Yes - 1 Point           Maximum Points - 3
      (including Macros) ­
      (a) Do you have any automated work- For each No - 0 point
          flow systems?
      (b) Is it a web-based/ cloud solution?
      (c) Is it an on-premise solution?
(iii) How many of the firm's staff are
      formally trained/skilled in ­
      (a) Use of technology to automate (i) 0 to 30% of the staff -
          including Macros                        2 Points
      (b) Use of Emerging technology         (ii) 30% to 60% of the
                                                  staff - 3 Point
      (c) IT Security                        (iii)Above 60% of the staff Maximum Points - 12
                                                  - 4 Points (evaluation
                                                  should be made for
                                                  each of the three sub-
                                                  questions separately)

Implementation Guide ­ Training/ Skill of staff related to office
automation
Automation technologies can help free up article trainees/ employees from mundane, repetitive
tasks and enable them to do more strategic and creative work. Moreover, from the firm's perspective,
automation can increase productivity, reduce costs, and minimize errors.




                                                34
In case of small firms, senior partner/s may be handling this work himself. But now, s/he may have
to entrust this work to a permanent junior staff member. Small firms may have to recruit such a staff
and provide necessary training in scanning, classifying a document, etc. Firm may conduct training for
employees/ article staff relating to office automation.
Benefits to the firm will be as follows:
· This is very important from the point of maintaining all documentation easily traceable and also
  establishing correct workflow.
· In word processing skills, apart from usual typing skills, a person may know important word
  processing features such as, spelling check, indexing and table of contents, styles management,
  mail merging, track changes, document compare, etc., to prevent manual error.
· Key staff members may be given training in simple and advanced data analysis training, which
  can help the firm in its practice areas such as, audits and taxation. For example, large and medium
  firms may undertake Excel automation with the help of writing macros or providing other Excel
  automation utilities.
· Tremendously enhance the performance of document preparation.
· Spreadsheet programs allow streamlining of numeric data and avoiding repetitive calculations.
· Pictorial representation enhances understanding and interpretation of data.

2.3 Qualification in technology
How to score your firm?
Competency Dimension                                           Point Awarding        Max Points
                                                                    Basis
2.3 Skills related to audit in a computerized              (i) 1% to 10% of the Maximum Points- 20
    environment/Information Systems Audit                       staff - 2 Points
Do staff members possesses one or more of the said         (ii) 10% to 30% of
qualifications:                                                 the staff - 3 Points
(i) Diploma in Information Systems Audit (DISA)/           (iii)Above 30% of
     Certified Information Systems Auditor (CISA)               the staff - 4
                                                                Points (evaluate
(ii) Certified in Risk and Information Systems
                                                                separately for each
     Control (CRISC)
                                                                of the points)
(iii) Certified Fraud Examiner (CFE)/ Forensic
      Accounting & Fraud Detection (FAFD by ICAI)
(iv) ISO 27001 LA/Implementer
(v) Any other relevant certifications in field of
      digital
Note: For the above, articled clerks are to be excluded,
only partners, qualified staff and paid assistants are
to be factors
                                                   35
The firm may encourage its partner/ staff to undergo various courses and get requisite qualifications
essential for enhancing their skill set in digital era. In case of IT Audit, Post Qualification Couse in
Information Systems Audit (DISA) conducted by ICAI and Certified Information Systems Auditor
(CISA) conducted by ISACA are there. Similarly, in case of Forensic Audit Certificate Course on
Forensic Audit and Fraud Detection is conducted by ICAI and Certified Fraud Examiner is conducted
by ACFE. For those who do not wish to undergo certification, even attending lectures online will
allow them to understand and follow best practices in using IT.

Implementation Guide ­ Qualification in technology
· The Firm may put in place fee reimbursement schemes for staff passing these certification courses.
· All need not undergo all of these courses and should choose courses based on expertise.
· Medium and large firms may seek additional courses such as, ethical hacking, data analytics,
  learning programming languages (e.g., Java, Python), SQL and database learning.
· All the staff members may be encouraged for self-learning for all the above courses, in addition
  to regular formal training courses. This also helps the firm in developing new software, increase
  in IT security, enhancing the integrity in the work of audit, quick solutions to the problems, quick
  analysis of data, etc.

2.4 Digital Etiquette
How to score your firm?
Competency Dimension                                                   Point Awarding   Max Points
                                                                            Basis
2.4Digital Etiquette
(i) Does the firm provide its staff with training on drafting             For Yes -      Maximum
    mail responses/ any other form of digital communication                1 Point       Points- 4
    factoring cultural and generational diversity of the client/
    recipients?
    (a) Are there trainings being conducted on digital                    For No -
        communication by the firm for its staff ?                          0 Point
    (b) Are the trainings conducted on a regular basis?
    (c) Is training conducted by a professional soft skills trainer?
    (d) Are the trainings interactive, i.e., the employees can clear
        their queries during/ post the training with the trainer?
E-mail, texting, Skype, Instagram, Tweeting and posting on Facebook are all forms of communication
in digital world. Digital Etiquette or responsible digital behavior is increasingly important because
without it, the digital world can become a hostile or dangerous place of false comfort.

Implementation Guide ­ Digital Etiquette
The scope of digital etiquette mentioned here is limited only for outside and in-house digital
communication.

                                                    36
· The Firm may establish its own digital etiquette policy. All the staff members may be given the
  digital etiquette training, especially, e-mail communication, social media communication (official
  and unofficial), naming conventions for files/ folders, backing up individual's work, self-quality
  control of message prior to sending, etc.
· Firm can organize basic english language (and hindi/ regional language) communications and
  digital etiquette courses periodically.
· Some tools to undertake such awareness are firm newsletter, bulletin boards, on-line quizzes/
  tests, off-site training camps, etc.
Below is the Illustrative list of cautions to be taken while drafting an e-mail (i.e., Do's and Don'ts)
· Do have a clear subject line.
· Don't forget signature.
· Read and then re-read your message before you send it.
· Observe the common practices of your firm.
· Use proper salutations.

2.5 Protecting against digital threats
How to score your firm?
Competency Dimension                                                 Point Awarding       Max Points
                                                                          Basis
2.5 Protecting against digital threats
(i) Does the firm sensitize its employees on issues like:               For Yes - 1        Maximum
                                                                          Point            Points- 6
      (a) Cyber bullying                                                For No - 0
          · Has the firm sensitized its employee on                       Point
              cyberbullying?
          · Are there seminars/lectures on the threats of
              cyberbullying?
(ii) Phishing attacks/spear phishing attacks targeting key
      employees
      (a) Has the firm sensitized its employee on phishing
          attacks/spear phishing attacks to its key employees?
      (b) Are there seminars/lectures on the threats of phishing
          attacks/spear phishing attacks to its key employees?
(iii) Malware threat indicators
      (a) Has the firm sensitized its employee on malware threats?
      (b) Are there seminars/lectures on the threats of malware?




                                                   37
Implementation Guide ­ Protecting against digital threats
As a professional accounting firm, loss of critical financial data of client due to a cyber-attack can have
far-reaching consequences for the firm, like loss of reputation, trust and ultimately loss of clientele.
With the growth in technology adoption, it's imperative for the firm to protect accounting practice
against cyber security risks.
Following are measures to protect firm's practice from cyber security threats -
· Use of genuine software.
· Invest in technology solutions like, firewall and antivirus.
· Implement a cybersecurity culture.
· Developing comprehensive data security policies.
· Training employees about specific cyber hazards, alternatively, firm (especially small firms) may
  outsource this activity on a continued basis.
· An acceptable usage policy (for IT resources) will have to be established by the firm.
· Implementation of domain login facility with group policy.
· Regular backups to be done of all data, either onsite or offsite.
· Introduction of DLP (Data Loss Protection) technique.
· Training of employees with regular seminars on cyber threats to educate, and in case of any
  suspicious e-mails and software they may consult system administrator for further action.
Illustrations:
(i) Introduction of DLP (Data Loss Protection) technique in a CA firm is useful. DLP is a strategy
    for making sure that end users do not send sensitive or critical information outside the corporate
    network.
(ii) Technique of Bitlocker is a full volume encryption feature included with Microsoft Windows
     versions. It is designed to protect data by providing encryption for entire volumes. If in case of
     theft of an office laptop nobody can access the data without the Bitlocker encryption key.

2.6 Content delivery through digital platforms
How to score your firm?
 Competency Dimension                                                    Point Awarding   Max Points
                                                                              Basis
 2.6 Content delivery through digital platforms
 (i) Does the firm have an online/on-demand learning portal                 For Yes -      Maximum
     which employees can access from anywhere?                               1 Point       Points- 12
     (a) Does the firm have a digital platform for learning?                For No -
     (b) Is it accessible to all its employees including the articles?       0 Point

                                                      38
Competency Dimension                                                     Point Awarding   Max Points
                                                                              Basis
      (c) Is the portal accessible from anywhere?
      (d) Are they made mandatory for employees based on their
          job profile?
      (e) Is there a minimum of one module available per month
          for its employees?
(ii) Are at least 50% of the total Continuing Professional
      Education (CPE) sessions/training sessions through
      webinars/podcasts are attended on an average
      (a) Are there trainings conducted through digital media?
      (b) Are minimum of 50% of CPE's attended on Digital
          Media?
      (c) Are the trainings interactive, i.e., the employees can clear
          their queries during/post the training with the trainer?
(iii) Has the firm subscribed to any digital learning platforms
      from professional bodies for skill development of its staff ?
      (a) Has the firm subscribed to any digital learning platforms
          from professional body for skill development of its
          staff ?
      (b) Are the sessions available to all its employees, including
          the articles?
      (c) Are there any evaluations done at the end of the session?
      (d) Are there any programs conducted by the firm to
          communicate the availability of such skill development
          training in the office?
Digitization in learning environment is assumed to be a game changer replacing the old and traditional
methods. Every employee has a gadget and with the help of internet, they also have access to every
relevant information online. Ultimately digitalized learning is reducing the costs, easier and faster to
set up and also provides tremendous ease of access.

Implementation Guide ­ Content delivery through digital platforms
· Medium to large firms may undertake establishing their own portal for conducting on-line or
  on-demand training. Firms can go for an option of collaborating with universities or colleges or
  private institutes for such training.
· Smaller Firms can go for the second option, since lot of such digital learning platforms are now
  available, some are free while some are commercial. ICAI itself has so many on-line learning
  courses for members and students at Cloud Campus and Digital Learning Hub. Firm may subscribe
  to any digital learning platforms from professional body for skill development of its staff and may
  communicate the availability of such programmes in the office.


                                                     39
Firm can organize monthly or fortnightly, half-day or one day lectures of experts in various areas.
Since such lectures are not taken seriously, senior staff members/ partners may make it a point to
attend them throughout. A small qualifying exam may be conducted post such lectures. Attendance
and qualifying in exams may be considered for increments/ promotions.
Many a times, a person requires a handholding during performing his/her duties. Medium and large
firms can provide a centralized on-line helpdesk for addressing such requirements.
Illustrations: FAQs, knowledge databases, etc., can be used for knowledge dissemination. Small firms
may subscribe to a knowledge base website for sorting out such hand-holding needs.

2.7 Access to knowledge base, content search online and evaluating
content prior to use
How to score your firm?
Competency Dimension                                                    Point Awarding   Max Points
                                                                             Basis
2.7 Access to knowledge base, content search online and
evaluating content prior to use
(i) Access to business knowledge database, market drivers and              For Yes -     Maximum
      technology involved in the industry in which the firm operates        1 Point      Points- 11
      (a) Is there access to business knowledge database, market           For No -
          drivers and technology involved in the industry in which          0 Point
          firm's client operate?
      (b) Is there access to all its employees?
      (c) Is it accessible from anywhere?
      (d) Is the database updated with latest amendments on a
          regular basis?
(ii) Are staff trained formally on content searches related to
      work and how to identify authenticity of the source (say of
      case laws, audit check lists, etc.,)
      (a) Are the employees formally trained on how to identify
          authenticity of the source while searching for content?
      (b) Are there any list of websites given to employees from
          which information can be trusted?
(iii) Are staff trained on what online content can be legally re-used
      without IPR (Intellectual Property Rights) infringements?
      (a) Are the employees sensitized about copyright issues?
      (b) Are there trainings conducted to emphasize the legality
          of infringement issues?
      (c) Are the employees given training on how to use specific
          online content legally?
(iv) SEO (Search Engine Optimization)
      (a) Is your website optimized for SEO (Search Engine
          Optimization)?
      (b) Do you adhere to ICAI policy of pull based and not
          push based?

                                                     40
Implementation Guide ­ Access to knowledge base, content search
online and evaluating content prior to use
· Basic awareness training about IPR ((Intellectual Property Rights) may be provided to all. Similarly,
  training on Information Technology Act, 2008 may be provided to all staff members of the firm.
· The Firm can put up list of good authentic web sites on its portal or circulate through social
  media.
· Whenever, any staff wishes to take some contents from a web site, firm may have in place a tool
  to approve the same. Some websites offer such kind of services.
· Firm may encourage a practice of citing the source of taking the information to all its staff
  members.
· Firm may train the staff on what online content can be legally re-used without IPR infringements.

2.8 Creative use of digital technologies
How to score your firm?
 Competency Dimension                                 Point Awarding Basis          Max Points
 2.8 Creative use of digital technologies
 Are staff encouraged to put IT to creative (i) 1 to 2 initiatives - 2 Points Maximum Points - 4
 use, say building an app for statutory due date (ii) 3 to 4 initiatives - 3 Points
 alerts, alerts relating to professional updates, (iii)More than 4 initiatives - 4
 automating a routine function, etc.                   Points
Technology may be used in a professional accounting firm in various ways, and these include,
communication within the firm, data sharing, data protection, quick decision making, knowledge
management. This would simplify work hence would increasing productivity at work.

Implementation Guide ­Creative use of digital technologies
· Medium and large firms may have to create their own IT resource for handling such responsibility.
  Small firms may appoint an outsource consultant, formally, to look into developmental aspects.
· Employees may have lot of ideas about automating work areas, but they may be unable to actually
  implement them due to lack of relevant skills and tools. Outsourced consultant may look into
  these ideas and provide implementable plan to the firm.
· Simple alerts, schedulers, learning basic macro programming in office software (word, excel, etc.)
  can be learned by younger and motivated staff members on their own. However, they should be
  made aware about security hazards of not using these techniques systematically.
Illustrations
· A firm can build an app for statutory due date alerts, alerts relating to professional updates, etc.
· Automation of routine function by using Macro or with the help of coding, etc.
· A web app for claiming reimbursement of expenses spent over and above for the firm. This enables
  the employee/ article trainee/ a firm to have a track on their expenses spent on a particular project.

                                                  41
SECTION C1 : LEVEL OF AUTOMATION RELATING TO AUDIT
PROCESSES AND NATURE OF AUDIT SERVICES BEING
RENDERED
3.1.1 Carrying out Risk Assessment for the purpose of Audit Planning
How to score your firm?
Competency Dimension                                               Point Awarding       Max Points
                                                                        Basis
3.1.1 Carrying out Risk Assessment for the purpose of audit
planning
(i)  Does the firm have a process of reviewing IT controls and For Yes- 1 Point         Maximum
     risk of failures of the same vis-à-vis impact on audit planning, For No- 0 Point   Points- 3
     including but not limited to audit sample size selection, focus
     areas of audit, etc.
 (a) Is audit planning done before start of the audit?
 (b) Are controls including IT reviewed before the start of
          the audit?
 (c) Is there any planning done for mitigation of risks
          identified?

Implementation Guide ­ Carrying out Risk Assessment for the purpose
of audit planning
Implementation clues
Risk Assessment is performed to identify where the risk of material misstatement exists. It refers
to the focus of the audit process on those areas that are most at risk of material misstatement. A
risk register and risk control matrix may be prepared to assist in this process. While making a risk
assessment, it is recommended that the risks pertaining to IT controls are reviewed and documented.
Following are few areas where IT General Controls can be reviewed:
· System Development/ Program Development and related controls
  Assessment of the following can be reviewed ­ initiation, analysis and design, testing, data
  conversion, implementation, training and testing.
· Computer Operations and Access Controls
  Assessment of the following can be reviewed ­ batch processing, interface processing, backup,
  restoration, etc.
· Access to program and data
  Assessment of the following can be performed ­ segregation of duties, access control
  restrictions, admin accounts review, database admin controls and review.


                                                  42
Following are few areas where IT Application Controls can be reviewed:
· Input Controls
  Comprises the components that capture, prepare, and enter commands and data into the
  system.
· Processing Controls
  Comprises the components that perform decision making, computation, classification,
  ordering, and summarization of data in the system.
· Output Controls
  Comprises the components that retrieve and present data to users of the systems.
· Database Controls
  Comprises the components that define, add, access, modify, and delete data in the system.
· Communication Controls
  Comprises the components that transmit data among sub-systems and systems.
· Boundary Controls
  Comprises the components that establish the interface between the user and the system.

3.1.2 Use of Automated Audit Planning Software
How to score your firm?
Competency Dimension                                         Point Awarding           Max Points
                                                                  Basis
3.1.2 Use of Automated Audit Planning Software (i) 1 to 3 Softwares Maximum Points- 8
                                                     - 2 Points
(i) Does the firm uses any application software/tool
    for audit planning- including scheduling, resource (ii) 4 to 6 Softwares
    deployment, tracking hours/days spent vs. budgeted      - 4 Points
    time, etc.                                         (iii)>6 to Software
                                                            -8 Points

Implementation Guide ­ Use of Automated Audit Planning Software
Automated Audit Planning Software helps the professional accounting firm to manage the audit universe,
risk analysis, audit planning, resource and time management including tracking, field management,
maintaining client documentation and issue of audit reports. The features also include options to create/
maintain customized checklists, assign audit questions, templates, data storage and retrieval, etc.
Below are few applications, which are specific audit management tools/ software:



                                                   43
· Audit Automation by CCH
· Audit Management Solution by Metric Stream
· Audit Management Software by Risk Pro
· Audit Management Software by Gensuite
Alternatively, the firm may decide to customize/ alter general workflow management tools which are
adaptable for CA offices. Below are a few applications, which help in workflow management:
· Simplify Practise
· Papilio
· Cordl
· ProCAAT
Implementation Clues
· The firm can procure these tools which are mostly SaaS based and are available on per user per
  month basis.
· These tools help the firm to be organized and carry the audit in a structured manner.
· It is recommended that the firm prepares a standard checklist for various types of audit considering
  the various requirements of the statute.
· Regular updates to the checklist should be done based on the changing requirements.
· It is recommended that the firm appoints one representative to monitor and regularly update until
  it reaches a stable stage.
· Automated workflow tools ensure that the firm will be process dependent and not people
  dependent.
· Configuring attendance as well as estimated time required will help the firm to manage multiple
  audits within the timelines.
· It will also help in improvising the efficiency of the firm by tracking budgeted vs actual time spent
  for each of the tasks.
· This will also help the firm to bill the clients and explain to the clients with respect to the time
  spent on various tasks.
Following are few advantages of using Audit Automation Software by professional accounting firms:
· Automated processes are more consistent and easier to manage, reduce paperwork and the time
  to plan, customize and document an audit.
· Quality control procedures are built into every stage of the audit process to reduce errors.
· Risk analysis tools help to identify and record risk at every stage in the process.
· Reduce costs and make information easier and quicker to find.

                                                  44
· Adapt and customize documents and audit programs to suit the needs of clients.
· Design and roll out of audit program, notification to auditee, work paper creation and
  documentation, observations and issue creation, follow up on open items/audit observations,
  automated audit reporting facility, etc., becomes easier and faster.

3.1.3 Use of External Automated Audit Tools for Data Extraction,
Sampling, Analytics, etc.
How to score your firm?
Competency Dimension                                          Point Awarding       Max Points
                                                                     Basis
3.1.3 Use of External Automated Audit Tools for               For Yes - 1 Point    Maximum
Data Extraction, Sampling, Analytics, etc.                    Except sub point     Points 28
                                                               (a) in point (vi)
(i) Does the firm have/uses automated audit tools for
                                                                which carries
    data extraction, sampling, applying analytics, etc.
                                                                   2 points
    (a) Does the firm uses any automated tools?               For No- 0 Point
    (b) Are the staff communicated about the availability
        of the tools?
     (c) Are the tools available to all its employees,
         including the articles?
(ii) Are the staff adequately trained on usage of the tools
     and interpretation of results thereof ?
 (a) Are the staff, including the articles, adequately
         trained on the usage of various tools?
 (b) Are the staff trained on how to interpret the
         results?
 (c) Are there any evaluations done at the end of the
         session?
(iii)Are the audit staff trained on identifying, obtaining,
     analyzing and retaining relevant digital evidence
     pertaining to their audit work?
 (a) Are the audit staff trained on identifying what is
         digital evidence?
 (b) Are the audit staff adequately trained on how to
         obtain and analyze digital evidence?
 (c) Are the audit staff adequately trained on how to
         retain relevant digital evidence?




                                                 45
Competency Dimension                                            Point Awarding   Max Points
                                                                     Basis
(iv)Are there scenarios where client's core processes are
     fully automated while the firm continues to use manual
     audit techniques rather than system driven reviews?
 (a) Are the audit staff competent to understand the
          fully automated processes of the client?
 (b) Are the audit staff using the audit process in the
          system to verify the process rather than conducting
          the normal manual audit techniques?
(v) Adoption of Advanced Excel/ Macros/ Add-ins for
     Analysis
 (a) Are there trainings conducted on excel?
 (b) Do the employees use advanced excel tools for
          analysis during audit?
 (c) Are add-ins in excel used?
 (d) Are add-ins in excel provided to all the employees
          including the articles?
 (e) Are the add-ins purchased and legally used?
(vi)Using various tools for Data Analytics
 (a) Are various tools for Data Analytics such as,
          eCAAT, Power BI, Tableau, etc. used for analysis?
 (b) Are the tools available for all the employees?
 (c) Are the tools available for all the employees
          including the articles?
 (d) Are the tools used legally purchased?
(vii) Adoption of Cloud/ SaaS based tools for various
     office operations and automation
 (a) Does the firm has procured any cloud-based
          application?
(viii) Any customized apps used for the regular office tasks,
     say generating engagement letter, audit confirmations,
     invoice generation, etc.
 (a) Are they any apps developed for automation of
          regular office tasks?
 (b) Is there training given on how to use the app?
 (c) Is the app available to all the employees?
 (d) Is the app available to all the employees including
          the articles?
(ix)Process to upload government and statutory returns,
     digitally.
 (a) Are all the government and statutory returns
          uploaded digitally?
 (b) Are all the credentials of government portals
          secured?


                                                   46
Implementation Guide ­ Use of External Automated Audit Tools for
Data Extraction, Sampling, Analytics, etc.
(i) Adoption of Advanced Excel/ Add-ins for Analysis
Meaning of Advanced Excel
Advanced Excel here refers to usage of Excel/ Spreadsheet software to perform calculations on large
data sets, using Macros, etc.
Illustration
Usage of Macros, Scenario Managers, Auto-calculation templates, etc.
Meaning of Excel "Add-ins"
Excel "Add-ins" empower the user to perform additional functions which boost productivity, present
enhanced visuals, pivots, charts and other analysis, which the standalone Excel may have challenges in
performing.
Illustration
Examples of "Add-ins" include, eCAAT, Power User, Kutools, etc.
(ii)Using various tools for Data Analytics such as, eCAAT, Power BI, Tableau,etc.
Meaning of Data Analytics Tools
Data Analytics Tools/ Computer Assisted Audit Tools (CAAT tools) are used to automate the audit
processes and evaluate digital data, and extract the required data for analysis, sampling, etc.
Illustration
Usage of tools like, eCAAT, Power BI, Tableau, Knime, R, etc.
Implementation clues
· CAATs/ Advanced Excel/ Excel "Add-Ins" assist the firm in automating repetitive works and
  enable the audit firm to more efficiently utilize the time.
· Few of the types of tests/ analytical procedures the auditor can perform include:
     Extracting samples according to specified criteria, such as random; over a certain amount,
     below a certain amount; at certain dates, etc.;
     Calculating ratios and select indicators that fail to meet certain pre-defined criteria (i.e.
     benchmarking);
     Check arithmetical accuracy (for example additions);
     Preparing reports (budget vs actual);
     Stratification of data (such as, invoices by customer or age);
     Produce letters to send out to customers and suppliers; and


                                                 47
     Tracing transactions through the computerized system.
· It is recommended that the firm starts by using such tools on SME clients initially and slowly
  scales up.
· It is recommended to compare the audit requirements with the available data and identify the type
  of tests to be applied.
(iii) Adoption of Cloud/ SaaS based tools for various office operations
Meaning of SaaS tools
SaaS tools are software tools where licensing is on a subscription basis and is centrally hosted in a
webserver, commonly referred to as the cloud.
Illustration
Quick Books, Zoho Books, Cloud based CRM Tools, Online Invoicing Tools like, Wave Apps, etc.
(iv)Any customised Apps used for the regular office tasks
Meaning of Customised Apps
Customised Apps are software deployed by the firm's staff to track, monitor the progress of work/
perform a pre-defined activity/ sharing of information, etc.
Illustration
Developing a customised app for generating engagement letter, audit confirmations (www.
confirmation.com), invoice generation and receivable management (https://app.numberz.in/app),
stock verification, etc.
(v)Process to upload government and statutory returns digitally
The firm should establish a workflow to upload documents with regulatory authorities where approvals
are taken from the clients/ partners periodically.
Illustration
Using a workflow management tool to obtain approval and digitally signed documents.
Implementation Clues
· Customized apps could be client specific or process specific.
· These assist the firm in automating/ structuring a specific process. For instance, an invoicing
  tool and receivable management tool could help in creation of invoice, accounting and managing
  receivables and collections, etc.
· A workflow tool may be put in place to ensure the approval of client/ partners are obtained while
  uploading digitally.




                                                 48
3.1.4 Use of in-built audit tools/capabilities in client-side applications
like, ERPs
How to score your firm?
   Competency Dimension                                                Point Awarding    Max Points
                                                                            Basis
   3.1.4 Use of in-built audit tools/capabilities in For Yes- 1 Point                      Maximum
   client-side applications like, ERPs                                 For No- 0 Point     Points- 3
   (i) Has the firm used in-built audit capabilities in client
       applications say, Audit Management Module in SAP,
       Oracle Financials, audit features in Tally, etc.?
    (a) Are the audit staff aware of the various audit tools
           available in various ERPs used by the client?
    (b) Does the audit staff uses the audit tools available in
           the ERPs during audits?
    (c) Are tools reviewed before its usage, say verification
           of in-built data logic/ validation capabilities in client's
           data, etc.

Implementation Guide ­ Use of in-built audit tools/ capabilities in
client-side applications like ERPs
In-built audit tools within the ERP/ client-side applications assist the firm to quickly identify red flags
and exceptions.
Illustration
Usage of "Audit & Compliance" Module in Tally.
Implementation clues
· In built audit tools/ capabilities in client-side applications/ ERPs help auditors to quickly identify
  the issues and address them.
· Few of the features in-built in these applications include:
       Verification of chart of accounts
       Analytical procedures
       Repeated payments/ periodical payments
       Changes to Masters
       Accounts squared off during the year
       Accounts having only opening balance and no transactions
       Accounts having transactions and no opening balances.


                                                     49
SECTION C2 : LEVEL OF AUTOMATION RELATING TO TAX
AND COMPLIANCE PROCESSES AND NATURE OF TAX AND
COMPLIANCE SERVICES BEING RENDERED
3.2.1 Carrying out Risk Assessment for the purpose of Tax Computation
How to score your firm?
   Competency Dimension                                         Point Awarding      Max Points
                                                                     Basis
   3.2.1 Carrying out Risk Assessment for the purpose of For Yes- 1 Point            Maximum
   tax computation                                              For No- 0 Point      Points- 2
   (i) Does the firm have a process of reviewing IT controls
       and risk of failures of the same vis-à-vis impact on tax
       computation?
    (a) Are controls including IT reviewed before the start
          of the taxation assignment?
    (b) Is there any planning done for mitigation of risks?
Implementation Guide ­ Carrying out Risk Assessment for the purpose
of tax computation
Implementation clues
Risk Assessment is performed to identify where the risk of material misstatement exists. It refers
to the focus of the audit process on those areas that are most at risk of material misstatement. A
risk register and risk control matrix may be prepared to assist in this process. While making a risk
assessment, it is recommended that the risks pertaining to IT controls are reviewed and documented.
Following are few areas where IT General Controls can be reviewed:
· System Development / Program Development and related controls
     o Assessment of the following can be reviewed - initiation, analysis and design, testing, data
       conversion, implementation, training and testing
· Computer Operations and Access Controls
     o Assessment of the following can be reviewed ­ batch processing, interface processing, backup,
       restoration, etc.
· Access to program and data
     o Assessment of the following can be performed - segregation of duties, access control
       restrictions, admin accounts review, database admin controls and review.
2. Following are few areas where IT Application Controls can be reviewed:
· Input Controls
     o Comprises the components that capture, prepare, and enter commands and data into the
       system.

                                                 50
· Processing Controls
      o Comprises the components that perform decision making, computation, classification,
        ordering, and summarization of data in the system.
· Output Controls
      o Comprises the components that retrieve and present data to users of the systems.
· Database Controls
      o Comprises the components that define, add, access, modify, and delete data in the system.
· Communication Controls
      o Comprises the components that transmit data among sub-systems and systems.
· Boundary Controls
      o Comprises the components that establish the interface between the user and the system.

3.2.2 Use of Automated Taxation Planning Software
How to score your firm?
   Competency Dimension                                       Point Awarding       Max Points
                                                                   Basis
   3.2.2 Use of Automated Audit Planning Software         (i) 1 to 3 Software - Maximum Points- 8
                                                               2 Points
   (i) Does the firm use any application software/ tool
                                                          (ii) 4 to 6 Software -
       for Tax and Compliance- including scheduling,
                                                               4 Points
       resource deployment, tracking hours/days spent
                                                          (iii)>6 Software -
       vs. budgeted time, etc.
                                                               8 Points

Implementation Guide ­ Use of Automated Taxation Planning
Software
Automated Taxation Planning Software helps the firm to manage the tax compliance on a periodical
basis. The features also include options to create/ maintain customized checklists, assign specific
questions, templates, data storage and retrieval, etc.
Below are few applications, which are specific tax and compliance management tools/ software:
· Reylon for taxes
· Winman for taxes
· Saral for taxes
· Cleartax for taxes
· Gen CompLaw for Secretarial
· Cimply Five for Secretarial

                                                   51
Alternatively, the firm may decide to customize/ alter general workflow management tools which are
adaptable to the services provided by the firm. Below are a few applications, which help in workflow
management:
· Simplify Practise
· Papilio
· Cordl
· ProCAAT
Implementation clues
· The firm can procure these tools which are mostly SaaS based and payable per month per employee,
  per client, etc.
· These tools help the firm to be organized and carry taxation and compliance assignments in a
  structured manner.
· Regular updates on taxation and other applicable laws are mostly given by the developer.
· It is recommended that the firm appoints one representative to monitor and regularly update until
  it reaches a stable stage.
· This would ensure that the firm will be process dependent and not people dependent.
· Configuring attendance as well as estimated time required will help the firm to manage multiple
  engagements within the timelines.
· It will also help in improvising the efficiency of the firm by tracking the budgeted vs actual time
  spent for each of the tasks.
· This will also help the firm to bill the clients and explain to the clients with respect to the time
  spent on various tasks.

3.2.3 Use of External Automated Tax and Compliance Tools for Data
Extraction, Sampling, Analytics, etc.
How to score your firm?
Competency Dimension                                 Point Awarding                  Max Points
                                                          Basis
3.2.3 Use of External Automated Tax and Compliance For Yes- 5 Points                   Maximum
Tools for Data Extraction, Sampling, Analytics, etc. For No- 0 Point                   Points- 5
(i) Are there any customized apps/ API for tracking
     statutory remittances and tax management?
(ii) Adoption of Advanced Excel for Analysis
 (a) Is there training conducted on excel?           For Yes- 1 Point                  Maximum
                                                                                       Points- 15








                                                 52
Competency Dimension                                           Point Awarding      Max Points
                                                                    Basis
 (b) Do the employees use advanced excel tools for For No- 0 Point
         analysis during computation?
 (c) Are add-ins in excel provided to all the employees?
 (d) Are the add-ins purchased and legally used?
(iii)Using various tools for Data Analytics such as eCAAT,
     Power BI, Tableau, etc.
 (a) Are various tools for Data Analytics such as eCAAT,
         Power BI, Tableau,etc used for analysis?
 (b) Are the tools available for all the employees?
 (c) Are the tools available for all the employees including
         the articles?
 (d) Are the tools used have been legally purchased?
(iv)Adoption of Cloud / SaaS based tools for various office
     operations.
 (a) Does the firm have any cloud-based application?
 (b) Is the firm willing to move to cloud-based
         applications?
(v) Any customized apps used for the regular office tasks, say
     generating engagement letter, tax computation, invoice
     generation, etc.
 (a) Are they any apps which have been developed for
         automation of regular office tasks?
 (b) Is there training given on how to use the app?
 (c) Is the app available to all the employees?
(vi)Process to digitally upload government and statutory
     returns,
 (a) Are all the government and statutory returns
         uploaded digitally?
 (b) Are all the credentials of government portals secured?
Implementation Guide ­ Use of External Automated Tax and
Compliance Tools for Data Extraction, Sampling, Analytics, etc.
Meaning of API
API refers to Application Programming Interface, which is a software intermediary, which allows two
applications to talk to each other. An example could be where the tax compliance software and the
accounting tool could be integrated to pass entries automatically.
Meaning of Data Analytics Tools
Data analytics tools/ Computer assisted audit tools (CAAT tools) are used to automate the audit
processes and evaluate digital data, and extract the required data for analysis, sampling, etc. Tax
Compliance Tools assist in tax planning, tracking remittances, etc.

                                                53
Following are few tools which can assist in data extraction, sampling and other analysis:
· eCAAT
· Power BI
· Tableau
· Knime
· R, etc.
(i) Adoption of Advanced Excel / Add-ins for Analysis
Meaning of Advanced Excel
Advanced Excel here refers to usage of Excel / Spreadsheet software to perform calculations on large
data sets, using Macros, etc.
Illustration
Usage of Macros, Scenario Managers, Auto-calculation templates, etc.
Meaning of Excel "Add-ins"
Excel "Add-ins" empower the user to perform additional functions which boost productivity, present
enhanced visuals, pivots, charts and other analysis, which the standalone Excel may have challenges in
performing.
Illustration
Examples of "Add-ins" include, eCAAT, Power User, Kutools, etc.
(ii)Using various tools for Data Analytics such as, eCAAT, Power BI, Tableau, etc.
Meaning of Data Analytics Tools
Data Analytics Tools / Computer assisted audit tools (CAAT tools) are used to automate the audit
processes and evaluate digital data.
Illustration
Usage of tools like, eCAAT, Power BI, Tableau, Knime, R, etc.
Implementation clues
· The firm could consider developing a customized app which can track payments of various taxes,
  statutory charges/ levies on an ongoing basis and provide the same as inputs to the accounting
  tool/ tax management tool for regular accounting/ filing.
· CAATs/ Advanced Excel/ Excel "Add-Ins" assist the firm in automating repetitive works and
  enable the audit firm to more efficiently utilize the time.
· Few of the types of tests/ analytical procedures the auditor can perform include:
     Extracting samples according to specified criteria, such as, payments without TDS deductions,
     Invoices without GST, Summarize by B2B and B2C sales, Mismatches between GSTR-2A and
     GST-3, etc.


                                                  54
     Calculating ratios and select indicators that fail to meet certain pre-defined criteria (i.e.
     benchmarking).
     Check arithmetical accuracy (for example additions).
· It is recommended the firm starts by using such tools on SME clients initially and slowly scale up.
· It is recommended to compare the requirements of the concerned statute with the available data
  and identify the type of tests to be applied.
(iii)Adoption of Cloud / SaaS based tools for various office operations
Meaning of SaaS tools:
SaaS tools are software tools where licensing is on a subscription basis and is centrally hosted in a
webserver, commonly referred to as the Cloud.
Illustration
QuickBooks, Zoho Books, Cloud based CRM Tools, Online Invoicing Tools like Wave Apps, etc.
(iv)Any customized Apps used for the regular office tasks
Meaning of Customized Apps
Customized Apps are software deployed by the firm to track, monitor the progress of work, perform
a pre-defined activity, sharing of information, etc.
Illustration
Developing a customized app for generating engagement letter, audit confirmations
(www.confirmation.com), invoice generation and receivable management (https://app.numberz.in/
app), etc.
(v)Process to upload government and statutory returns digitally
There should be a standardized workflow to upload documents with regulatory authorities where
approvals are taken from the clients/ partners periodically.
Illustration
Using a workflow management tool to obtain approval and digitally signed documents.
Implementation Clues
· Customized apps could be client specific or process specific.
· These assist the firm in automating/ structuring a specific process. For instance, an invoicing
  tool and receivable management tool could help in creation of invoice, accounting and managing
  receivables and collections.
· A workflow tool may be put in place to ensure the approval of client/ partners are obtained while
  uploading digitally.




                                                 55
3.2.4 Use of in-built tax tools/ capabilities in client-side applications
like ERPs
How to score your firm?
 Competency Dimension                                                Point Awarding    Max Points
                                                                          Basis
 3.2.4 Use of in-built tax tools/ capabilities in client-side For Yes- 1 Point          Maximum
 applications like ERPs                                              For No- 0 Point    Points- 3
 (i) Has the firm used in-built tax and compliance capabilities
     in client applications say, taxation modules in SAP, Oracle
     financials, tax features in Tally, etc.?
  (a) Are the taxation staff aware of various tools available
          in various ERPs used by the client?
  (b) Does the taxation staff use the tools available in the
          ERPs?
  (c) Are tools reviewed before its usage, say verification
          of in-built data logic/ validation capabilities in client?
Implementation Guide ­ Use of in-built tax tools/ capabilities in
client-side applications like ERPs
Implementation clues
In-built audit tools within the ERP/ client-side applications assist the professional accounting firm to
quickly identify red flags and exceptions.
Illustration
Usage of "Statutory Reports" Module in Tally
Implementation clues
· In built audit tools/ capabilities in client-side applications/ ERPs help in quick compliance and to
  identify the any non-conformities and address them
· Few of the features in-built in these applications include:
  Verification of statutory/ tax masters
  Analytical procedures
  Verify GST / TDS Reports
  Remind periodical filings/ board meetings, etc.




                                                   56
SECTION C3 : LEVEL OF AUTOMATION RELATING TO
ACCOUNTING AND SUPPORT FUNCTION PROCESSES AND
NATURE OF ACCOUNTING AND SUPPORT FUNCTION
SERVICES BEING RENDERED
3.3.1 Use of Automated Accounting Software
How to score your firm?
 Competency Dimension                                     Point Awarding     Max Points
                                                               Basis
 3.3.1 Use of Automated Accounting Software i. 1 to 3 Software - 2 Maximum Points- 10
                                                           Points
                                                     ii. 4 to 6 Software - 4
 (i) Does the firm use any application software/           Points
      tool for automation of accounting?             iii. >6 Software- 8
                                                           Points
 (ii) Has the firm deployed any external interfaces/ For each No 0 points
      customization into their accounting tool?      For each Yes- 2 points

Implementation Guide ­ Use of Automated Accounting Software
Automated accounting software helps the professional accounting firm to pass entries automatically
by way of upload of files/ vouchers. The features may also include options to create/ maintain
customized checklists, assign questions, templates, data storage and retrieval, etc.
Illustration
Below are few applications, which are specific to automation of accounting:
· QuickBooks
· Fyle
· Tally TDLs
· E2Tally-soft
· Tally Customization applications
Implementation Clues
· The firm can procure these tools which are mostly SaaS based and payable per month per employee.
· A few tools / customizations are also one-time costs.
· The firm can identify activities which can be automated within the accounting function and target
  each of them.
· Few instances of automation include:


                                                57
  Automatic entry from bank statements
  Automatic entry of sales invoices from invoicing software
  Auto reconciliation of Bank (Auto-BRS)
  Automatic posting of month end entries, JVs, Depreciation, etc.

3.3.2 Use of External Automated Accounting Tools for Data Entry,
Sampling, Analytics, etc.
How to score your firm?
Competency Dimension                                            Point Awarding     Max Points
                                                                     Basis
3.3.2 Use of External Automated Accounting Tools for For Yes- 1 Point              Maximum
Data Entry, Sampling, Analytics, etc.                           For  No- 0 Point   Points- 8
(i) Adoption of Cloud / SaaS based tools for various office
     operations
 (a) Does the firm use any cloud-based application?
(ii) Extent of basic automation of accounting tasks ­ such as
     automated accounting tools from scanning vouchers to
     automatic passing of entries, etc.
 (a) Are financial transactions being imported from files
         and/ or from direct links with financial institutions?
 (b) Are purchase invoices and/ or sales invoices being
         processed digitally (for example, scanning, OCR, etc.)
 (c) Are the employees given training on latest automation
         techniques available in the industry?
 (d) Are there procedures carried out, on a regular basis,
         to understand which all processes can be automated?
(iii)Any customized Apps are being used for the regular
     office tasks, say generating engagement letter, service
     confirmations, invoice generation, etc.
 (a) Are they any apps developed for automation of
         regular office tasks?
 (b) Is training given to all the employees, including the
         articles, on how to use the app?
 (c) Is the app available to all the employees?




                                                58
Implementation Guide ­ Use of External Automated Accounting
Tools for Data Entry, Sampling, Analytics, etc.
(i) Adoption of Cloud/ SaaS based tools for various office operations
Meaning of SaaS tools
SaaS tools are software tools where licensing is on a subscription basis and is centrally hosted on a
webserver, commonly referred to as the cloud.
Illustration
QuickBooks, Zoho Books, Cloud based CRM Tools, Online Invoicing Tools like, Wave Apps, etc.
(ii) Extent of basic automation of accounting tasks ­ such as automated accounting tools from scanning vouchers to
     automatic passing entries, etc.
Automation of accounting process saves not just time, but also delivers greater value and reduces risk.
It reduces the likelihood of user error and opens up the possibility of real-time reporting. Automation
can also reduce mistakes and inconsistencies by placing many basic transactions in the hands of
computers. The firm will have to understand the enormous potential of automating the accounting
processes at all levels and figure out which accounting automation tool to adopt. Choosing the right
tool means understanding what each of these applications do, how they work, and whether they are a
good fit for a particular situation.
Illustration
· Linking of bank accounts to the application, in order to perform auto-reconciliation, posting
  entries, etc.
· Linking of sales/ purchases transactions to automatically post entries in books of accounts on real
  time basis or as a batch processing.
· Invoices could also be processed digitally using scanning/ OCR, etc. which could save a lot of
  time in accounting.

3.3.3 Use of in-built accounting tools/ capabilities in client-side
applications like, ERPs
How to score your firm?




                                                       59
Competency Dimension                                             Point Awarding        Max Points
                                                                      Basis
3.3.3 Use of in-built accounting tools/capabilities in For Yes- 1 Point                 Maximum
client-side applications like, ERPs                              For No- 0 Point        Points- 3
(i) Has the firm used in-built accounting capabilities in client
    applications say, BRS, etc.
 (a) Are the accounting and support staff aware of the
        various tools available in various ERPs used by the
        client?
 (b) Does the accounting and support staff uses the tools
        available in the ERPs?
 (c) Are tools reviewed before its usage, say verification
        of in-built data logic/ validation capabilities?

Implementation Guide ­ Use of in-built accounting tools/ capabilities
in client-side applications like ERPs
Implementation clues
In-built audit tools within the ERP/ client-side applications assist the professional accounting firm to
quickly identify red flags and exceptions.
Illustration
Usage of "Auto BRS" in Tally or using customized TDLs in Tally or other accounting packages.
Implementation clues
· In built audit tools/ capabilities in client-side applications/ ERPs help in quick accounting and
  reconciliation and also to identify any non-conformities and address them.
· Few of the features in-built in these applications include:
  Auto-reconciliation
  Auto posting of entries from other tools, packages, tax software, etc.




                                                  60
SECTION C4 : LEVEL OF AUTOMATION RELATING TO
MANAGEMENT CONSULTANCY SERVICES PROCESSES AND
NATURE OF MANAGEMENT CONSULTANCY SERVICES
BEING RENDERED
3.4.1 Carrying out Risk Assessment for the purpose of Management
Consultancy Services planning
How to score your firm?
Competency Dimension                                        Point Awarding  Max Points
                                                                 Basis
3.4.1 Carrying out Risk Assessment for the purpose of For Yes- 1 Point Maximum Points-
Management Consultancy Services planning                    For No- 0 Point     3
(i) Does the firm have a process of reviewing IT controls
    and risk of failures of the same vis-à-vis impact on
    planning, including but not limited to approach, focus
    areas of review, etc.
 (a) Is the planning and risk assessment of IT Controls
        done before the commencement of the consultancy
        services?
 (b) Are controls including IT reviewed before the start of
        the management consultancy services?
 (c) Is there any planning done for mitigation of risks?

Implementation Guide ­ Carrying out Risk Assessment for the purpose
of Management Consultancy Services planning
Implementation clues
Risk Assessment is performed to identify where the risk of material misstatement exists. It refers to
the focus of the audit process on those areas that are most at risk of material misstatement. A risk
register and risk control matrix may be prepared to assist in this process.
While making a risk assessment, it is recommended that the risks pertaining to IT controls are reviewed
and documented. The following are few areas where IT General Controls can be reviewed:
· System Development/ Program Development and related controls
  Assessment of the following can be reviewed - initiation, analysis and design, testing, data
  conversion, implementation, training and testing
· Computer Operations and Access Controls
  Assessment of the following can be reviewed ­ batch processing, interface processing, backup,
  restoration, etc.



                                                  61
· Access to program and data
  Assessment of the following can be performed - segregation of duties, access control
  restrictions, admin accounts review, database admin controls and review.
Following are few areas where IT Application Controls can be reviewed:
· Input Controls
  Comprises the components that capture, prepare, and enter commands and data into the
  system.
· Processing Controls
  Comprises the components that perform decision making, computation, classification,
  ordering, and summarization of data in the system.
· Output Controls
  Comprises the components that retrieve and present data to users of the systems.
· Database Controls
  Comprises the components that define, add, access, modify, and delete data in the system.
· Communication Controls
  Comprises the components that transmit data among subsystems and systems.
· Boundary Controls
  Comprises the components that establish the interface between the user and the system.

3.4.2Use of Automated Software for rendering Management
Consultancy Services
How to score your firm?
Competency Dimension                                         Point Awarding      Max Points
                                                                  Basis
3.4.2 Use of Automated Software for rendering
management Consultancy Services
i. Does the firm uses any application software/ tool for 1 to 3 Software -       Maximum
    Management Consultancy Services planning- including           2 Points       Points- 8
    scheduling, resource deployment, tools for valuation, 4 to 6 Software -
    projections, forecasts, M&A Advisory, consultancy             4 Points
    services, IT Audits, training activities, tracking hours /
    days spent vs. budgeted time, etc.                         >6 Software - 8
                                                                   Points




                                               62
Implementation Guide ­ Use of Automated Software for rendering
Management Consultancy Services
Usage of automated software for rendering management consultancy services helps the professional
accounting firm to automate repeated tasks, create repositories for future reference, perform risk
analysis, engagement planning, resource and time management including tracking, field management,
maintaining client documentation and issue of reports and other deliverables. The features also
include options to create/ maintain customized checklists, assign questions, templates, data storage
and retrieval, etc.
Illustration
Below are few applications, which assist in rendering management consultancy services:
· Budgeting and forecasting and tools of SAP, Oracle, etc.
· Tools for share projection and modelling like, Power BI, eCAAT, Macros and Statistical Function
  in Excel.
Illustration
Alternatively, the firm may decide to customize/ alter general workflow management tools which
are adaptable for professional accounting firm. Below are a few applications, which help in workflow
management:
· Simplify Practise
· Papilio
· Cordl
· ProCAAT
Implementation Clues
· The firm can procure these tools which are mostly SaaS based and payable per month per employee.
  These tools help the firm to be organized and carry the consultancy work in a structured manner.
· It is recommended that the firm prepares a standard checklist for various types of engagements
  considering the various requirements. Regular updates to the checklist need to be done based on
  the changing requirements.
· It is recommended that the firm appoints one representative to monitor and regularly update
  until it reaches a stable stage. This ensures that the firm will be process dependent and not people
  dependent.
· Configuring attendance as well as estimated time required will help the firm to manage multiple
  engagements within the timelines.
· It will also help in improvising the efficiency of the firm by tracking the budgeted vs actual time
  spent for each of the tasks assigned.


                                                 63
· This will also help the firm to bill the clients and explain to the clients regarding time spent on
  various tasks pertaining to their assignment.
Few advantages of using automation software are:
· Automated processes are more consistent and easier to manage, reduce paperwork and time to
  plan, customize and document the engagement.
· Quality control procedures are built into every stage of the process to reduce errors.
· Helps to identify and record risk at every stage in the process. Risk analysis tools allow evaluation
  of risks.
· Reduce costs and make information easier and quicker to find.
· Adapt and customize documents and engagement programs to suit the needs.
· Design and roll out of engagement program, notification to client, work paper creation and
  documentation, observations and issue creation, follow up on open items/ observations, automated
  reporting facility, etc.

3.4.3 Use of External Automated Management Consultancy Services
Tools for rendering various services
How to score your firm?
Competency Dimension                                 Point Awarding Basis            Max Points
3.4.3 Use        of     External      Automated      For Yes                      Maximum Points-27
Management Consultancy Services Tools                (a) 1 Point for each sub
for rendering various services                           point [except point
(i) Does the firm have/ uses automated
                                                         (vi) (a)].
    Management Consultancy Services tools for
    data extraction, sampling, applying analytics,   (b) 2 points for each sub
    valuation services, case law registry, etc.,         point of point (vi)(a)
                                                         For No- 0 Point
     (a) Does the firm has procured any
         automated tools?
 (b) Are the automated tools being used
         during the course of Management
         Consultancy Services?
 (c) Are the staff communicated about the
         availability of the tools?
 (d) Are the tools available to all its employees
         including the articles?
(ii) Are the staff adequately trained on usage
     of the tools and interpretation of results
     thereof ?


                                                     64
Competency Dimension                              Point Awarding Basis   Max Points
 (a) Are the staff, including the articles,
         adequately trained on the usage of
         various tools?
 (b) Are the staff trained on how to interpret
         the results?
 (c) Are there any evaluations done at the
         end of the session?
(iii)Are the staff trained on identifying,
     obtaining, analyzing and retaining relevant
     digital evidence pertaining to their work?
 (a) Are the staff trained on identifying what
         is digital evidence?
 (b) Are the staff adequately trained on how
         to obtain and analyze digital evidence?
 (c) Are the staff adequately trained on how
         to retain relevant digital evidence?
(iv) Are there scenarios where client's core
     processes are fully automated while the
     firm continues to use manual processes
     for rendering Management Consultancy
     Services rather than system driven reviews?
 (a) Are the staff competent to understand
         the fully automated processes of the
         client?
 (b) Are the staff using the modules in the
         system to verify the process rather than
         using the normal manual management
         consultancy services techniques?
(v) Adoption of Advanced Excel/ Add-ins for
     Analysis
 (a) Are there trainings conducted on excel?
 (b) Do the employees use advanced excel
         tools for analysis during Management
         Consultancy Services?
 (c) Are add-ins in excel used?
 (d) Are add-ins in excel provided to all the
         employees, including the articles?
 (e) Are the add-ins purchased and legally
         used?



                                              65
Competency Dimension                                 Point Awarding Basis           Max Points
(vi)Using various tools for Data Analytics
 (a) Are various tools for Data Analytics
          such as, eCAAT, Power BI, Tableau, etc.,
          used for analysis?
 (b) Are the tools available for all the
          employees?
 (c) Are the tools used legally purchased?
(vii)Adoption of Cloud/ SaaS based tools for
     various office operations and automation
 (a) Do you have any cloud-based
          application?
(viii) Any customized apps used for the regular
     office tasks, say generating engagement
     letter, confirmations, invoice generation, etc.
 (a) Is there any app developed for
          automation of regular office tasks?
 (b) Is there training given on how to use the
          app?
 (c) Is the app available to all the employees?
(ix) Process to upload government and statutory
     returns digitally
 (a) Are all the government and statutory
          returns uploaded digitally?
 (b) Are all the credentials of government
          portals secured?
Reference may be made to Management Consultancy Services Guidelines included in ICAI Code of
Ethics available at www.icai.org.

Implementation Guide ­ Use of External Automated Management
Consultancy Services Tools for rendering various services
Meaning of Data Analytics Tools
Data Analytics Tools/ Computer assisted audit tools (CAAT tools) are used to automate the audit
processes and evaluate digital data and extract the required data for analysis, sampling, etc.
Below is list of few tools which can assist in data extraction, sampling and other analysis:
· eCAAT
· Power BI
· Tableau
· Knime
·   R, etc.

                                                  66
(i) Adoption of Advanced Excel/ Add-ins for Analysis
Meaning of Advanced Excel
Advanced Excel here refers to usage of Excel/ Spreadsheet software to perform calculations on large
data sets, using Macros, etc.
Illustration
Usage of Macros, Scenario Managers, Auto-calculation templates, etc.
Meaning of Excel "Add-ins"
Excel "Add-ins" empower the user to perform additional functions which boost productivity, present
enhanced visuals, pivots, charts and other analysis, which the standalone Excel may have challenges in
performing.
Illustration
Examples of "Add-ins" include, eCAAT, Power User, Kutools, etc.
(ii)Using various tools for Data Analytics such as, eCAAT, Power BI, Tableau, etc.
Meaning of Data Analytics Tools
Data Analytics Tools/ Computer Assisted Audit Tools (CAAT tools) are used to automate the
engagement processes and evaluate digital data, and extract the required data for analysis, sampling,
etc.
Illustration
Usage of tools like, eCAAT, Power BI, Tableau, Knime, R, etc.
Implementation clues
· CAATs/ Advanced Excel/ Excel "Add-Ins" assist the firm in automating repetitive works and
  enable the engagement firm to more efficiently utilize the time. Few of the types of tests/ analytical
  procedures the auditor can perform include:
     Extracting samples according to specified criteria, such as, random, over a certain amount,
     below a certain amount, at certain dates, etc. ;
     Calculating ratios and select indicators that fail to meet certain pre-defined criteria (i.e.,
     benchmarking);
     Check arithmetical accuracy (for example additions);
     Preparing reports (budget vs actual);
     Stratification of data (such as, invoices by customer or age);
     Produce letters to send out to customers and suppliers; and
     Tracing transactions through the computerized system.



                                                  67
· It is recommended that the firm starts by using such tools on SME clients initially and slowly
  scales up.
· It is recommended to compare the engagement requirements with the available data and identify
  the type of tests to be applied.
(iii) Adoption of Cloud / SaaS based tools for various office operations
Meaning of SaaS tools
SaaS tools are software tools where licensing is on a subscription basis and is centrally hosted in a
webserver, commonly referred to as the cloud.
Illustration
QuickBooks, Zoho Books, Cloud based CRM Tools, Online Invoicing Tools like Wave Apps, etc.
(iv) Any customized Apps used for regular office tasks
Meaning of Customized Apps
Customized Apps are software deployed by the firm to track, monitor the progress of work/ perform
a pre-defined activity/ sharing of information, etc.
Illustration
Developing a customized app for generating engagement letter, engagement confirmations (www.
confirmation.com), invoice generation and receivable management (https://app.numberz.in/app),
etc.
(v)Process to upload government and statutory returns digitally
The firm should have a standardized workflow to upload documents with regulatory authorities where
approvals are taken from the clients/ partners periodically.
Illustration
Using a workflow management tool to obtain approval for digitally signed documents.
Implementation Clues
· Customized apps could be client specific or process specific.
· These assist the firm in automating/ structuring a specific process. For instance, an invoicing
  tool and receivable management tool could help in creation of invoice, accounting and managing
  receivables and collections, etc.
· A workflow tool may be put in place to ensure that the approval of client/ partners are obtained
  while uploading digitally.




                                                 68
3.4.4 Use of in-built tools/ capabilities in client-side applications like
ERPs
How to score your firm?
 Competency Dimension                                            Point Awarding          Max Points
                                                                      Basis
 3.4.4 Use of in-built tools/capabilities in client-side For Yes- 1 Point                  Maximum
 applications like ERPs                                          For No- 0 Point           Points- 3
 Has the firm used in-built audit capabilities in client
 applications say, forecasting models, budgeting tools of
 clients, etc.
 (a) Are the staff aware of the various audit tools available in
 various ERPs used by the client?
 (b) Does the staff use the tools available in the ERPs for
 rendering Management Consultancy Services?
 (c) Are tools reviewed before its usage say, verification of
 in-built data logic/ validation capabilities in client-side
 applications?

Implementation Guide ­ Use of in-built tools/ capabilities in client-
side applications like, ERPs
In-built audit tools within the ERP/ client-side applications assist the firm to quickly identify red flags
and exceptions.
Illustration
Usage of budget and forecasting modules in ERPs, etc.
Implementation clues
· In built audit tools/ capabilities in client-side applications/ ERPs help auditors to quickly identify
  the issues and address them.
· Few of the features in-built in these applications include:
  Verification of chart of accounts
  Analytical procedures
  Repeated payments/ periodical payments
  Changes to masters
  Accounts squared off during the year
  Accounts having only opening balance and no transactions
  Accounts having transactions and no opening balances.


                                                    69
SECTION D : ADAPTATION OF ADVANCED AND EMERGING
TECHNOLOGIES
4.1 Use of Advanced and Emerging Technologies
How to score your firm?
Competency Dimension                                   Point Awarding Basis      Max Points
4.1 Use of Advanced and Emerging                      For Yes- 4 Points        Maximum Points- 7
Technologies                                          For No- 0 Point
(i) Does the firm render Analytics/ Big Data
      driven services?
 (a) Is this handled extensively by Managers?
 (b) Are trainings being conducted on providing       For Yes- 1 Point
          Analytics driven services?                  For No- 0 Point
(ii) Is the firm using various tools for exclusive
      analytics driven/ Big Data services?
 (a) Is the tool available only to partners/
          managers?
 (b) Is the tool available to employees and
          articles?
(iii) What is the extent of automation of office      (I) 0 to 30% ­ 3 Points    Maximum Points- 5
      tasks ­ such as automated accounting tools      (ii) 30% to 60% - 4 Points
      from scanning vouchers to automatic passing     (iii) Above 60% - 5 Points
      entries, etc.
(iv)Has the firm adopted Robotic Process              For Yes- 5 Points        Maximum Points- 5
      Automation in performing various office         For No- 0 Point
      tasks?
(v) Artificial Intelligence                           For Yes- 4 Points        Maximum Points- 8
 (a) Has the firm deployed any tools pertaining       For No- 0 Point
          to Artificial Intelligence in accounting/
          office operations?
 (b) Does the firm render audit/ advisory
          services (Functional / technical) in the
          field of Artificial Intelligence?
(vi)Cyber Security                                    For Yes- 2 Points        Maximum Points- 6
 (a) Has the firm informed and educated               For No- 0 Point
          client/ staff regarding impact of cyber
          risks?
 (b) Does the firm provides advisory/ audit           For Yes- 4 Points
          services with respect to cyber security?    For No- 0 Point




                                                 70
Competency Dimension                                     Point Awarding Basis       Max Points
(vii) Digital Transformation                           (i) 0 to 30% ­ 3 Points    Maximum Points- 5
 (a) Has the firm attempted to digitally (ii) 30% to 60% - 4 Points
         transform/      perform       process     re- (iii) Above 60% - 5 Points
         engineering for any of its client's business?

Implementation Guide - Use of Emerging Technologies
(i) Analytics / Big Data driven services
In addition to using Data Analytics for assurance and tax engagements, a firm could consider providing
analytics driven solutions to its clients. This could range from providing MIS driven outputs driven by
creative visualization to advanced analytics solutions analyzing cost and volume analysis.
Illustration
Using Data Analytics tools special engagements such as, preparation of dashboards, analytics driven
dashboards, etc., daily, weekly and monthly sale analysis, etc., could be taken up.
Implementation Clues
· Identify the various opportunities where structured and unstructured data exist for decision
  making purposes.
· Identify the business problems and areas where analytics could be used to solve the problem (e.g.,
  decline in sales, increase in cost, etc.).
· Apply analytical functions on the data to solve these problems.
(ii)Extent of automation of office tasks
(such as, automated accounting tools from scanning vouchers to automatic passing entries, etc.)
The firm should adopt steps for automation of the routine tasks. This requires the firm to list the
routine tasks to be performed and evaluate tools to automate it.
Illustration
Automation of accounting entries from source data such as, bank statements, vouchers, bills, etc., so
that they are scanned/ uploaded to directly pass the journal entries.
Implementation Clues
· The firm can identify various avenues for automation. Few of them include:
     Automatic entry of bank statements.
     Automatic entry of sales invoices from invoicing softwares.
  Auto reconciliation of bank (Auto-BRS).
     Automatic posting of month end entries, JVs, depreciation, etc.
     Automatic scanning of vouchers to pass accounting entries.

                                                  71
This requires the firm to evaluate various solutions available in the market and choose the appropriate
one.
Below are few applications which are specific to automation of accounting:
· Quick Books
· Tally TDLs
· E2 Tally-soft
· Tally Customization applications.
(iii) Adoption of Robotic Process Automation
Meaning of Robotic Process Automation
Robotic Process Automation (RPA) is the use of software with artificial intelligence (AI) and machine
learning capabilities (popularly referred to as "Robots" or "Bots") to handle high-volume, repeatable
tasks that previously required humans to perform. These tasks can include queries, calculations and
maintenance of records and transactions. For more details refer "Concept Paper on Embracing
Robotic Process Automation ­ Opportunities and Challenges for Accountancy Profession" issued by
ICAI (available at www.icai.org).
Illustration
Below are few applications, which are specific to RPA, which automate the day to day tasks which are
labour intensive and manual in nature.
· UI Path
· Blueprism
· Automation Anywhere
· Tally Customization applications
Implementation Clues
· Unlike traditional computer software, RPA interacts with other IT systems via a user interface,
  mimicking the work of a user, and not via an API (Application Programming Interface) or the
  software integration bridge called middleware.
· RPA may be installed on a PC of an employee to serve as a digital assistant, to carry out labour
  intensive, monotonous tasks which involve various computer applications.
· RPA may be implemented centrally in the IT environment of a company to completely replace
  human employees with robots in certain areas of operations.
· RPA can ensure the human error rate is minimized and the firm can focus more on the qualitative
  aspects.
· Yet another advantage of RPA is that it does not require you procure any new tools, or software.
  It merely automates what the firm is doing with the help of the existing software.

                                                  72
· However, it is to be noted that, RPA cannot be an instant fix and can be implanted sequentially
  and stage by stage.
(iv)Artificial Intelligence
Meaning of AI tools
AI tools refer to software with artificial intelligence (AI) and machine learning capabilities which are
deployed to take decisions based on data being analyzed or facts of the case.
Illustration
· Botkeeper, vic.ai, ai-accountant, etc., which can auto analyze the transactions and pass the entries
  once the source document such as, voucher/ bank statement is scanned/ uploaded.
· Legalmation, premonition As, etc., which can perform legal analytics, mine for favorable judgement,
  etc.
· Mindbridge.ai, etc., which uses AI to analyze data and perform various data analytic functions.
Advisory/ Audit services in the field of Artificial Intelligence
With the Artificial Intelligence constantly evolving, there is an increasing need for functional and
technical expertise. Chartered Accountants having expert knowledge in the domains of finance, tax,
audit, compliance could utilize their skills in advising clients who are developing such tools and systems.
(v)Educating client/ staff regarding impact of cyber risks
Meaning of Cyber Risks
Cyber risk is any kind of risk to finances, reputation or information technology systems of an
organization because of the various cyber threats nesting in the world of digital technologies, devices
and inter-connectivity. Cyber risk is not only a problem concerning the IT team of an organization,
but also a prime responsibility of every individual in the organization. Professional accounting firm
will have to make their team and their clients aware of the various cyber risks and establish mechanism
to protect the same.
Illustrations of cyber attacks
Cyber attackers use many different methods to try to compromise IT systems. Most common practices
are:
· Remote attacks on IT systems or website;
· Unauthorized access to information held on a corporate network or systems;
· Unauthorized access to data held in third-party systems (e.g., hosted services);
· System infiltration or damage through malware;
· Disruption or denial of service that limits access to your network or systems;




                                                           73
Attacks could be
· targeted - where you are singled out because of a specific interest in your business or the attacker
  has been paid to target you; or
· un-targeted - where attackers indiscriminately target as many devices, services or users as possible.
Few instances of cyber attacks are -
· Phishing
· Hacking
· Misuse of employee privileges
· Distributed denial-of-service (DDoS) attack
· Malware
· Ransomware
Implementation Clues
Building a strategy for awareness and training the employees and clients are very critical part for the
firm to be cyber secure. The following are few steps that could be followed:
· Develop a security strategy;
· Keep devices and security updated;
· Regularly train employees and clients regarding security;
· Enforce and implement policies;
· Conduct quizzes and workshops to build awareness.
Advisory / audit services with respect to cyber security
Starting from drafting Cyber Security Policies in compliance with local and international requirements
to auditing the cyber security practices and controls, a firm can render a host of services to their
clients.

4.2 Use of Advanced Technology and Communication Media
How to score your firm?
Competency Dimension                              Point Awarding                      Max Points
                                                       Basis
4.2 Use of advanced technology and communication For Yes- 5 Points                     Maximum
media                                             For No- 0 Point                      Points- 5
(i) Have chatbots been used in your organization?
(ii) Mobile apps/APIs for the firm, clients,      For Yes- 1 Point                     Maximum
 article staff, etc.,                             For No- 0 Point                      Points- 4
 (a) Is there a mobile app of the firm?

                                                  74
 Competency Dimension                                               Point Awarding      Max Points
                                                                         Basis
      (b) Is all the information pertaining to the firm available
          on the app?
  (c) Is the app available to all the members of the firm?
  (d) Is the app available even to its clients?
 (iii)Awareness of concepts of blockchain and how it could          For Yes- 3 Points   Maximum
      impact our profession                                         For No- 0 Point     Points- 3
 (iv)Has the firm attempted to understand the impact of             For Yes- 2 Points   Maximum
      Internet of Things (IoT) on audit process?                    For No- 0 Point     Points- 2
(i) Have chatbots been used in your organization
Meaning of Chatbots
Chatbots are computer program designed to simulate conversation with human users, through voice
command or through text chats or both. Chatbots can be hosted on the professional accounting firm's
website, which could converse with a visitor client regarding a requirement and autoreply/ take action,
etc.
Illustration
Following are a few platforms which help to build chatbots:
· Flow XO
· Beep Boop
· Bottr
· Motion.ai
Implementation Clues
· Chatbots can answer basic questions, schedule appointments and can assist professional accounting
  firm to interact with the clients.
· It could also answer repetitive queries which the firm, generally, answers to its clients. An example
  could be what are the various tax saving options under Income Tax, what is the GST rate for a
  product, etc.?
· The firm could also consider building a chatbot over the social media page to manage social
  conversations.
· Many of the platforms available can be customized and deployed without much of technology
  knowledge. Youngsters in the firm may be given this opportunity to build such tools and modernize
  the firm.
· Care should be taken not to breach the ICAI guidelines and not involve in soliciting the clients.



                                                    75
(ii) Mobile Apps/ APIs for the firm, clients, article staff, etc.
Meaning of Mobile apps
Mobile apps are software deployed over phones of clients/ firm's staff to track, monitor the progress
of work/ perform a pre-defined activity/ sharing of information, etc.
API refers to Application Programming Interface, which is a software intermediary that allows two
applications to talk to each other.
Illustration
Developing an API/ Mobile app for communication between client and various office tasks to track,
monitor the progress of work/ perform a pre-defined activity/ sharing of information, etc.
Implementation Clues
· The world is running into mobile apps and the firms can soon get digitized.
· Mobile apps can give regular updates, reminders, status of work performed, list of tasks pending
  with client, automating client requests and many more features.
(iii)Awareness of Concepts of Blockchain and its Impact
Meaning of Blockchain
Blockchain refers to a digital ledger that keeps record of all transactions taking place on a peer-to-peer
distributed ledger, which cannot be reversed and remains encrypted. Records are entered into and
stored in a distributed, or shared, ledger, which is generally made accessible to all concerned parties,
say the accountant, regulators, auditors, and clients who would possess an identical copy of the ledger
at all times. For more details refer "Concept Paper on Blockchain Technology ­ Adoption Trends and
Implications for Accountancy Profession" issued by ICAI (available at www.icai.org).
Implementation Clues
· Professional accounting firms should be aware of blockchain technology and how this could
  impact the audit profession. While the technology and the applications are still at a nascent stage,
  over time, the way audits would be conducted would change.
· Following are few areas that could be impacted:
  Obtaining balance confirmations of a company's financial status would be less necessary if
  some or all of the transactions that underlie that status are visible on blockchain.
  A blockchain enables near real-time settlement of transactions, thus reducing the risk of non-
  payment by any party to the transaction.
· Reduction in account reconciliation, change in approach of audit, audit of smart contracts, etc.,
  are a few ways in which audit process would be impacted.




                                                           76
(iv) Impact of Internet of Things (IoT) on Audit
Meaning of IoT
Internet of Things (IoT) is a system of interrelated computing devices, mechanical and digital machines,
objects, animals or people that are provided with unique identifiers and the ability to transfer data over
a network without requiring human-to-human or human-to-computer interaction. When something
is connected to the internet, that means that it can send information or receive information, or both.
This ability to send and/ or receive information makes things smart.
The IoT Technology broadly helps in achieving the following:
· Collecting and sending Information.
· Receiving and acting on Information.
Few illustrative areas where IoT could impact audit are-
· Tracking assets.
· Tracking inventory.
· "Smart Accounting" - automated book-keeping based on occurrence of an event.
Implementation Clues
· Professional accounting firms should be aware of this technology and how this could impact the
  audit profession.
· While the technology and the applications are still at a nascent stage, over time, the way audits
  would be conducted would change.




                                                   77
   Digital Accounting and Assurance Board
The Institute of Chartered Accountants of India

                 www.icai.org

Home | About Us | Terms and Conditions | Contact Us
Copyright 2024 CAinINDIA All Right Reserved.
Designed and Developed by Ritz Consulting