Summary:

Organizations of all types are becoming more vulnerable to cyber threats due to their increasing reliance on computers, networks, programs and applications, social media, and data. Security breaches can negatively impact organizations and their customers, both financially and in terms of reputation. Global connectivity and accessibility to information by users outside the organization increase risk beyond what has been historically addressed by IT general and application controls. Organizations’ reliance on information systems and the development of new technologies render traditional evaluations of IT general and application controls insufficient to provide assurance over cybersecurity.

• The cost of cybercrime is mounting. The cost of a single ransomware incident can cost a company more than $713,000 on average.

• Cloud computing may provide the security against cyberthreats that companies need.

What is Cybersecurity:

Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attacks, damage or unauthorized access. Cybersecurity involves protecting information and systems from major cyberthreats, such as cyber terrorism, cyber warfare, and cyber espionage.

Data breaches are occurring more frequently. There are increasing pressures for businesses to step up efforts to protect personal information and prevent breaches.

Cybercriminals attack to gain political, military or economic advantage. They usually steal money or information that can eventually be monetized

Cyberattacks may come from malicious outsiders, accidental loss, malicious insiders, hacktivists and state-sponsored actors.

Internal Audit role in Cybersecurity includes:

vTheroleof the chief audit executive (CAE) related to assurance, governance, risk, and cyber

threats.

vAssessinginherent risks and threats

vThefirst,second, and third lines of defense roles and responsibilities related to risk management, controls, and governance.

vWheregaps in assurance may occur.

vThereporting responsibilities of the internal audit activity.

6 | P a g e

SBS Wiki                                                                                                                                                      www.sbsandco.com/wiki

Cyber Risk - Roles and Responsibilities

Effective risk management is the product of multiple layers of risk defense. Internal Audit should support the board’s need to understand the effectiveness of cybersecurity controls. An essential step in evaluating the internal audit activity’s role in cybersecurity is to ensure the three lines of defense are properly segregated and operating effectively.

1^st line of defense - business and IT functions, management owns and manages the data, processes, risks, and controls. For cybersecurity, this function often resides with system administrators and others charged with safeguarding the assets of the organization.

2^ndline of defense - information and technology risk management function, comprises risk, control, and compliance oversight functions responsible for ensuring that first line processes and controls exist and are effectively operating. These functions may include groups responsible for ensuring effective risk management and monitoring risks and threats in the cybersecurity space.

3^rd line of defense – internal audit, the internal audit activity provides senior management and the board with independent and objective assurance on governance, risk management, and controls. This includes assessing the overall effectiveness of the activities performed by the first and second lines of defense in managing and mitigating cybersecurity risks and threats.

Cyber risk – Assessment approach

Sensitive or confidential data can be classified and stored internally, externally, or both. Internally, most organizations rely upon technology such as secure configurations, firewalls, and access controls as their first line of defense. However, in a dedicated attack where the firewall is overloaded, the attackers may gain access and unauthorized transactions may be processed.

To reduce the risk of such attacks reaching the firewall, the first line of defense takes preventive action at the perimeter of the network. This is a challenging process that involves restricting access and blocking unauthorized traffic. Detective controls, such as monitoring, should also be established to watch for known vulnerabilities based on intelligence gained about software products, organizations, and malicious websites.

Many organizations establish a whitelist of good traffic and a blacklist of blocked traffic. However, active monitoring and frequent updating is critical due to the dynamic nature of network traffic. If the attacker manages to gain access to the system, the next line of attack is likely to obtain administrative privileges and cover their tracks.

When data is stored external to the organization, it is vital for the organization to ensure vendors are properly managing relevant risks. A critical first step for the first line of defense is to establish strong contracts that require: service organization control (SOC) reports, right to audit clauses, service level agreements (SLAs), and/or cybersecurity examination engagements.

8 | P a g e

SBS Wiki                                                                                                                                                       www.sbsandco.com/wiki

After due diligence has been performed and the contract has been negotiated and executed, management should consider overseeing and governing the vendor by monitoring and reporting on key metrics to ensure conformance with SLAs. If the vendor does not meet contractual requirements, management could invoke the right to audit clause, ask for timely resolution of concerns, enforce penalties, and consider plans to transition to an alternative vendor if necessary.

Management must also be alert to attack schemes involving social engineering, including phishing emails and malicious phone calls. By impersonating a legitimate organization or person with a need for information or action, attackers convince authorized individuals to sharesensitive data, provide their system credentials, click links that route to fraudulent websites, or perform actions that install malware on the victim’s computer. Malware is becoming more sophisticated and increasingly targeted to a specific purpose or network. Once malware is installed, it can replicate across the organization’s network, disrupt system performance and availability, steal data, and advance fraudulent efforts by the attackers.

Malware is advanced by exploiting the lack of awareness. Therefore, reminding individuals frequently to be on the lookout for any suspicious or unusual emails, unprecedented requests, phone calls, or system activity is important. Training will also help individuals recognize fictitious communications and to report such incidents quickly for research, escalation, and resolution. Lessons learned and intelligence gained from peers in the industry can also be leveraged for training, awareness, and adoption of additional preventive measures.

Role of Audit Committee

The extent of the audit committee’s involvement in cyber security issues varies significantly by company and industry. Cyber security risk in some organization is tasked directly to the audit committee, while in others, there is a separate risk committee. Regardless of the formal structure adopted, the rapid pace of technology and data growth, and the attendant risks highlighted by recent security breaches demonstrate an increasing importance of understanding cyber security as a substantive, enterprise-wide business risk.

Audit committees should be aware of cyber security trends, regulatory developments and major threats to the company, as the risks associated with intrusions can be severe and can pose systemic economic and business consequences that can significantly affect shareholders. Engaging in regular dialogue with technology-focused organizational leaders will help the committee better understand where attention should be concentrated.

Malicious software illustrations:

Ransomware is a type of malicious software (otherwise known as ‘malware’) that restricts people from accessing their computer or smartphone, or individual files stored on them. Attackers extort money from their targets by holding their device or data to ransom, often threatening to release or erase it to force payment.

9 | P a g e

SBS Wiki                                                                                                                                                       www.sbsandco.com/wiki

Impact of Ransomware on Business

The services industry is the sector most affected by ransomware, businesses in this sector, such recruitment agencies, handle high volumes of data and typically integrate with various internet services and applications that expose them to infections. Recruitment agencies are particularly vulnerable to attacks. Downloading files like applications, CVs, portfolios and contracts is an essential and everyday function for a recruiter, but antivirus software may not always pick up on files that contain ransomware.

Famous ransomware: CryptoLocker and WannaCry

Perhaps the first example of a widely spread attack that used public-key encryption was Cryptolocker, a Trojan horse that was active on the internet from September 2013 through May of the following year. The malware demanded payment in either bitcoin or a prepaid voucher, and experts generally believed that the RSA cryptography used -- when properly implemented -- was essentially impenetrable. In May 2014, however, a security firm gained access to a command-and-control server used by the attack and recovered the encryption keys used in the attacks. An online tool that allowed free key recovery was used to effectively defang the attack.

In May 2017, an attack called WannaCry was able to infect and encrypt more than quarter million systems globally. The malware uses asymmetric encryption so that the victim cannot reasonably be expected to recover the (private and undistributed) key needed to decrypt the ransomed files.

Payments were demanded in bitcoin, meaning that the recipient of ransom payments couldn't be identified, but also meaning that the transactions were visible and thus the overall ransom payments could be tallied.

According to the Symantec 2017 Internet Security Threat Report, the amount of ransom demanded roughly tripled from the previous two years in 2016, with the average demand totaling $1,077. Overall, it's difficult to say how often these demands are met. A study by IBM found that 70% of executives they surveyed said they'd paid a ransomware demand, but a study by Osterman Research found that a mere 3% of U.S.-based companies had paid (though percentages in other countries were considerably higher). For the most part, payment seems to work, though it's by no means without risk: A Kaspersky Security Bulletin from 2016 claimed that 20% of businesses that chose to pay the ransom demanded of them didn't receive their files back.

Brief: - Charitable Institutions plays an important role in social welfare. These institutions are engaged in providing various services ranging from education to relief of poor across regions of the country. They operate on non-for-profit motive. The various resources mobilised by these institutions will be used for their objectives for which they are formed.

To incentivise these institutions which are addressing various social issues the Income Tax Act, 1961 (‘ITA,1961’) has provided for exemption of income earned by Charitable Institutions vide section 11.

ITA, 1961 Provisions: -

Section 11 provides that income derived from property held under trust wholly for charitable or religious purposes to the extent applied to such purposes in India is exempt from tax.

Section 2(15) of ITA, 1961 defines Charitable Purpose. It includes: -

• Relief of the Poor; o Education;

o  Yoga;

o  Medical Relief;

o  Preservation of Environment including watershed, forest and wildlife;

o Preservation of Monuments or places or objects of artistic or historic interest; o Advancement of any other object of general public utility.

The phrase ‘advancement of any other object of general public utility’, is very wide. It should be noted that the following are not treated as advancement of any other object of general public utility ¹: -

• Carrying on any activity in the nature of trade, commerce or business or o Carrying on any activity of rendering any service in relation to the trade.

'Property' is a term of the widest import, and subject to any limitation or qualification which the context might require, it signifies every possible interest which a person can acquire, hold and enjoy. Business would undoubtedly be property unless there is something to the contrary in the enactment - J.K. Trust v. CIT 32 ITR 535.It includes immovable and movable property. - CIT v State Urban Development Agency 37 taxmann.com 193

The profits of the business carried on by a non-religious trust will be exempt provided: -

o    The business is incidental to the attainment of the objective of the trust; and

o    Separate books of account are maintained by such trust in respect of such business.

¹Where aggregate receipts from such activities exceeds 20% of total receipts of the trust or institution undertaking having object of advancement of any other object of general public utility (WEF AY 2016-17)

3 | P a g e

SBS Wiki                                                                                                                                                       www.sbsandco.com/wiki

This section requires Charitable Institutions to apply 85% of income for its purposes in India and the balance can be accumulated for application in future. The 15% of the income should be invested in the investments specified in section 11(5) of ITA, 1961.

²Any amount credited or paid out of income to another charitable institution registered under Section 12AA of ITA, 1961 as a corpus (capital) contribution shall not be treated as application of income for charitable or religious purposes.

Where 85% income cannot be applied during the previous year, it should be accumulated and applied for charitable purposes in future subject to a maximum period of 5 years. For this purpose, assessee has to file Form 10 before the due date for filing return of income specified under Section 139 of ITA, 1961.

The word ‘applied’ need not necessarily spent. Even if the amount is irretrievably earmarked and allocated for charitable or religious purposes it may said to have been ‘applied’ to the said purposes- CIT Vs Radhaswami Satsang Sabha 25 ITR 472.

Any amount by way of depreciation or otherwise in respect of any asset, acquisition of which has been claimed as application of income, is not considered as application of income for the purpose of section 11 of ITA, 1961.

Capital Donations, which are received for a specific purpose, are not subject to tax.

Any voluntary contributions received by trust or institution created wholly for charitable or religious purpose, other than capital contributions, shall be deemed to income derived from property held under trust wholly for charitable or religious purposes.(Section 12)

The objectives of Charitable Institutions are such that public in general are beneficiaries. They should not benefit a group of individuals. Section 13 of ITA,1961 specifically provides that the benefit of exemption provided in section 11 and 12 are not available if the beneficiaries of the activities of charitable institutions are only those specified there in.

Section 12(2) of ITA, 1961 states that the value of services, being medical or educational services, made available by any charitable or religious trust running a hospital or medical institution or educational institution to any person referred to clause ³ (a)/(b)/(c)/ (cc)/(d) of section 13(3) shall be deemed to be income of the trust or institution derived from property held under trust wholly for charitable or religious purpose and shall be chargeable to tax.

However, charitable institutions running educational institution or medical institution or hospital shall not lose the benefit of exemption of any income other than the income referred to in section 12(2).

²Finance Act 2017

³Author of the trust or founder of the institution or trustee or manager or relative of such person or person

who made substantial contribution.

4 | P a g e

SBS Wiki                                                                                                                                                       www.sbsandco.com/wiki

Registration requirements: -

The Charitable Institution will get the benefit of exemption U/s 11 and 12 only if it is registered U/s 12AA of the ITA, 1961.

The application should be made in form 10 to the Principal Commissioner or Commissioner of Income Tax. Order granting or refusing registration shall be passed before expiry of six months from the end of the month in which the application was received.

Where registration has been granted to the trust or institution U/s 12AA then the provisions of section 11 and 12 shall apply in respect of income related to the assessment year for which assessment proceedings are pending before assessing officer as on the date of such registration.

After grant of registration Principal Commissioner or Commissioner has satisfied that the activities of the trust or institution are not genuine or are not being carried out in accordance with the objects of the trust or institution he shall pass an order in writing cancelling the registration of such trust or institution.

If the objects of the charitable institution are modified after grant of registration, such change should be informed to the Principal Commissioner or Commissioner within 30 days of such modification.

The Organization for Economic Co-operation and Development (“OECD”) has recently released its final report on Action 13 - Transfer Pricing Documentation and Country by Country (“CbC”) reporting, under its Action Plan on Base Erosion and Profit Shifting (“BEPS”).

Action 13 recommended a three-tiered approach to TP documentation as under:

• A “Master File” that provides tax administrations with high-level information on the global business operations and TP policies of a Multi-National Enterprise (“MNE”);

• A specific “Local File” that provides the local tax administration with information regarding material related-party transactions, amounts involved, and the company’s analysis of the TP determination’s in relation to those transactions;

• A “CbC reporting template” that includes information on the economic activity of the MNE group

CbC reporting was agreed as one of the minimum standards for implementing anti-BEPS measures. The Indian Government vide Finance Act, 2016 amended the Indian tax law (ITL) to introduce provisions for additional TP documentation and CbC reporting to implement the recommendations contained in the OECD’s BEPS report on Action 13. These provisions were expected to be followed up by detailed rules for implementation.

Accordingly, recently, the Indian tax administration has issued draft rules (Draft Rules) for CbC reporting and furnishing of master file for public comments/ suggestions.

1 | P a g e

SBS Wiki                                                                                                                                                      www.sbsandco.com/wiki

The Indian tax administration has considered the above guidance and the Draft Rules are largely in line with the contents as prescribed under Action 13 report.

The Draft Rules, however, requires the following additional information:

• Maintenance of a list of all the operating entities of the international group along with their addresses;

• A description of the functions performed, assets employed and risks assumed by the constituent entities of the international group that contribute

• at least 10% of the revenues, assets and profits of the group;

• A list of all the entities of the international group engaged in development and management of intangibles along with their addresses;

• A detailed description of the financing arrangements of the international group, including the names and addresses of the top ten unrelated lenders;

• Filing procedures and the filing due dates

The Draft Rules prescribe a separate statutory form i.e. Form 3CEBA wherein the constituent entity should furnish the prescribed information. This form shall be furnished to the Director General of Income-tax (Risk Assessment) on or before the due date for furnishing the Income-tax return.

Further, in respect of the financial year (FY) 2016-17, the Draft Rules provide that the due date for furnishing master file information in Form 3CEBA is by 31 March 2018.

In case where there are more than one constituent entities of an international group resident in India, the Draft Rules provide for a single filing by a designated constituententity.

CbC reporting and its Contents

Under Action 13, the CbC reporting template requires MNEs to report the following revenue,profits, income tax paid and accrued, employees , stated capital, retained earnings and tangible assets annually for each tax jurisdiction they do business. In addition, MNEs are required to identify each entity within the group doing business in a tax jurisdiction and to provide an indication of the business activity each entity conducts.

The CbC reporting template is divided into three tables:

• Table I - Overview of allocation of income, taxes and business activities by tax jurisdiction

• Table II- List of all Constituent Entities of the MNE group included in each aggregation by tax jurisdiction, including designation of Main Business Activity

• Table III - Additional Information

The Draft Rules are in line with the above guidance and prescribe filing of economic information of the international group as per above. Further, the definition under Draft Rules are in line with Action 13 report of the OECD BEPS.

Brief of Update:

This update pertains to release of various notifications under GST as a consequence of 21st GST Council Meeting at Hyderabad. The summary of the notifications is as under:

Key Take Away:

Handicraft:

1. The casual taxable persons making inter-state taxable supplies of handicraft goods are ex- empted vide Section 23 from the obligation to get registration under GST subject to a condi- tion that the aggregate value of such supplies do not exceed Rs 20 lakhs computed on all India basis. However, they have to obtain PAN and also generate a way bill when they move goods from one state to another irrespective of the value of consignment. Notification 8/2017-IT dated 14th Sept, 17 specifies the HSN codes which would fit as handicraft – Notifica- tion 32/17 – CT and Notification 8/17- IT

   Read more: SBS I 5th Edition

   Tags: sbs i, news