Forensic Accounting Methods

Compliance now sits at the heart of corporate strategy for India Inc, reports The Economic Times. Indian firms with international exposure are embedding compliance into core decision-making. Reasons? Rising tariffs, carbon taxes, localisation norms, labour laws, and data regulations are reshaping costs, pricing, and market access. Legal experts describe this shift as the start of a new era of “regulated strategy”. “Managing regulatory complexity has become a strategic imperative across geographies," says Koushik Chatterjee, CFO, Tata Steel. The company’s Netherlands operations posted an operating profit of €210 million from April-Dec FY26 period after absorbing €150 million in carbon emission-related costs and €50 million from US tariffs. “Without these regulatory-linked costs, operating profit would have topped €400 million, showing how policy has weighed on the bottom line,” he adds further. Smaller exporters are facing similar pressures, point out Pankaj Chadha, Partner, Jyoti Steel Industries. Legal accountability is also tightening at the same time. Non-compliance can expose directors to civil and even criminal liability, in some cases on a strict liability basis. “Gone are the days when Indian companies treated regulatory issues lightly. With increased regulatory scrutiny, mandatory self-reporting obligations, and the risk of stringent penalties, compliance is now one of the most critical functions,” notes Madhavan Srivatsan, Senior Partner at Emerald Law. How do you think this will influence law and governance-related opportunities? Share your thoughts in the comments below. ✍: Nakul Ghai 📷: Getty Images Source: The Economic Times: https://lnkd.in/dpHwfe7p #Law #Governance #Business

Control testing evaluates how well a control is working. But what if the control itself is flawed by design? That’s where Control Design Assessment comes in, it ensures the control is logically sound, appropriately mapped to risks, and capable of preventing or detecting the risk it's meant to address. Without a proper design, even the most rigorously tested control might still fail in practice. Test the blueprint before the building. A well-designed control sets the foundation for effective and meaningful testing. Anup Singh, CISA® #RiskManagement #Controls #InternalControls #Governance #OperationalRisk #ControlTesting #ControlDesign #Compliance #LinkedIn LinkedIn LinkedIn Guide to Creating

The IIA has released the Third-Party Topical Requirement. It sets a clear baseline for how internal auditors must assess risks linked to vendors, suppliers, contractors, and even downstream partners. Why does this matter? Because working with third parties always comes with risks: strategic, operational, reputational, financial, legal, cyber, and even sustainability. When they fail, your organization suffers. The key reminder: Outsourcing the work does not mean outsourcing accountability. The primary organization always owns the risk. The requirement covers three big areas: ↳ Governance: Is there a formal approach, clear roles, policies, and timely reporting on third-party performance and risks? ↳ Risk management: Are risks identified, prioritized, and reviewed regularly with proper responses and escalation processes? ↳ Controls: Is there due diligence, strong contracts, onboarding, ongoing monitoring, incident management, and structured offboarding? Actionable Insights: ↳ Treat third-party risks as part of your risk universe. ↳ Don’t just rely on contracts. Test how effective monitoring and escalation processes really are. ↳ Keep an updated inventory of all third-party relationships. It sounds basic, but many organizations miss this. ↳ Make sure third-party offboarding includes revoking access and securing sensitive data. Reference: Third -Party Topical Requirement. 2025. The Institute of Internal Auditors, Inc (link to download in the comments) #internalaudit #ITaudit #digitaltransformation

🌍 ESG Compliance Independent directors serve as the moral and strategic compass of the board. Their fiduciary role extends beyond profitability It includes: → Protecting stakeholder interests → Ensuring ethical conduct and transparency → Embedding sustainability and inclusivity into business strategy 🌱 Environmental Oversight (E) Independent directors must ensure that environmental stewardship is embedded in corporate policy and practice. Key responsibilities: → Monitor resource conservation and emission reduction targets → Approve capital allocation for renewable energy and energy efficiency → Oversee compliance with environmental laws (Environment Protection Act, 1986) → Review sustainability disclosures under SEBI (LODR) Regulation 34(2)(f) on Business Responsibility and Sustainability Reporting (BRSR) 🤝 Social Responsibility (S) Boards must ensure that the organization’s people and communities are treated equitably and ethically. Focus areas: → Enforce fair labor and inclusion policies (aligned with POSH Act, 2013 and Equal Remuneration Act, 1976) → Oversee CSR spending and impact assessment under Section 135 of the Companies Act, 2013 → Foster diversity in board composition and workforce → Support community development and employee well-being programs ⚖️ Governance Accountability (G) Governance defines the credibility of leadership and the trust of stakeholders. Key expectations: → Promote transparent decision-making and ethical conduct → Integrate ESG into strategic risk and performance management → Ensure data privacy compliance (Digital Personal Data Protection Act, 2023) → Mandate board-level ESG committees for monitoring and disclosures → Uphold accountability through internal audits and ESG-linked KPIs 🧭 Legal Compass for Directors Independent directors are guided by: → Companies Act, 2013 – Sections 149 & 166 (duties of independent directors and fiduciary responsibilities) → SEBI LODR Regulations (board oversight of ESG and sustainability reporting) → CSR Rules, 2021 (CSR compliance and reporting) 💡 Key Takeaway ESG is not an optional metric It’s a governance philosophy. For independent directors, compliance begins with conscious boardroom conversations and measurable actions. Daily choices from approving a green project to ensuring fair pay ,define whether your board is truly ESG-compliant. #Corporategovernance #Independentdirectors #ESG #Compliance

I once saw a company where everything looked fine on paper. Filings were done. Registers existed. Minutes were signed. But there was no order in records. No accuracy in dates and disclosures. And no accountability for who was responsible. During review, small gaps started appearing. One missed approval. One wrongly dated resolution. One assumption that “this won’t matter.” That’s when it became clear— compliance isn’t about documents. It’s about discipline. This is where a Company Secretary adds real value. Not by filing forms, but by creating systems, ownership, and control. Order. Accuracy. Accountability. That’s compliance. Because when these three are missing, risk doesn’t arrive loudly. It creeps in quietly. #CompanySecretary #Compliance #SecretarialAudit #CorporateGovernance #CompanyLaw #CSLife

DPDP Act Decoded #33: Independent Data Auditor — Designing Audits That Actually Test Compliance Most DPDP audits will pass. That does not mean the organisation is compliant. The independent data auditor under the DPDP Act is not a ceremonial appointment. For a Significant Data Fiduciary, the Act requires appointment of an independent data auditor to carry out a data audit and evaluate compliance. Separately, Section 10(2)(c) requires periodic DPIAs and audits. Rule 13 fixes the cadence: once in every period of 12 months from the date on which the entity is notified as an SDF or included in that class, a DPIA and audit must be undertaken, and significant observations furnished to the Board. That should change how audits are designed. The privacy audits shouldn't read like documentation reviews. Effective DPDP audits require something else. An audit that actually tests compliance must be evidence-led, control-led, and rights-led. Not: “Do you have a policy?” But: “Can you prove what your systems are doing?” At a minimum, an effective DPDP audit should test: 1. Lawful processing in practice Notice at collection demonstrable? Valid consent evidenced where relied on? Each material processing mapped to a legal basis? Cessation on withdrawal within a reasonable time, unless another legal basis applies? 2. Operational controls under Section 8 Test, not assume: • accuracy controls where decisions/disclosures occur • appropriate technical and organisational measures • reasonable security safeguards • breach detection and response workflows • erasure triggers when purpose is no longer served • contact publication and grievance mechanisms If systems, logs, workflows, vendor arrangements, deletion jobs, and incident records are not sampled, the audit is incomplete. 3. Algorithmic and technical risk (Rule 13(3)) The SDF must exercise due diligence to verify that technical measures, including algorithmic software, are not likely to pose a risk to the rights of Data Principals. The auditor should examine whether the organisation has exercised due diligence over: • product logic and automated workflows • model-linked decision inputs and outputs • risk testing and validation • change management and deployment controls If the system makes decisions, the audit must test the system. One practical implication: SDF audits are likely to shape the enforcement baseline. Even where the Act does not mandate an independent data auditor, this is a prudent compliance benchmark for organisations. If your audit ends with a slide deck, no failed samples, no system walkthroughs, and no remediation tracker, it is not testing compliance. It is documenting aspiration. Relevant Statutory Provisions DPDP Act, 2023 Section 10(2)(b), 10(2)(c)(i), (ii), (iii), 8(3) to 8(10) DPDP Rules, 2025 Rule 13(1), (2), (3) #DPDPAct #DataProtectionIndia #PrivacyLaw #DataGovernance #DataAudit #Compliance #RiskManagement #CyberSecurity #DPO #DPDPA #DPDP #PrivacyEngineering

Traditionally, KYC (know your client) due diligence is done on the corporate using ACRA registry data. Then, further litigation and sanction/PEP checks are done on the directors and/or the shareholders. However, looking at the facts of the Singapore’s S$2.8 billion money laundering case (see link in comment), I think these are the areas we should be scrutinising. 🔎When analysing the business profile, look out for instances where the nationality of the directors/shareholders are different from their residential addresses. Are there similarities in the residential addresses? 🔎We should also analyse the business interests of each directors and shareholders too, to see what other companies are they directors or shareholders of currently or have been in the past. From this case, we see that they are related via corporate ties. Also, we should be on higher alert for those which has a high number of existing directorships and shareholdings. 🔎We should also analyse companies who share common registered addresses with other companies and pay extra attention if that address does not belong to a corporate secretarial company (who might be providing legitimate registered office services). 🔎Lastly, instead of merely doing transactional checks on the businesses, portfolio reviews need to be done as well to unearth any patterns. What do you think? Any more due diligence steps we should be taking? Find these contents useful? Follow all my posts by hitting 🔔 on my profile. #aml #moneylaundering #kyc #acra #data #singapore #jenetalksaboutdata Photo : Experian Goldman Tan Kabir Khanna Dawn Lai Shubham Gupta Jason Leong Nazlinda Hishammudin Nitin Mathur Nicole Gan Diane S. Caroli Yeo Velle Chen

GRC is not just compliance - it’s an integrated system. Most organizations struggle with Governance, Risk & Compliance because they treat it as isolated activities instead of connected layers. This visual breaks GRC down into clear, structured layers - from strategy and governance at the top, to data, technology, and automation at the foundation. 🔍 What this framework highlights: Governance sets direction and accountability Risk management identifies and treats uncertainty Compliance ensures regulatory and policy alignment Controls and assurance validate effectiveness KPIs, KRIs, monitoring, and remediation close the loop Technology and data enable scale and visibility When these layers work together, GRC becomes a decision-support system, not a checkbox exercise. 💡 Strong GRC = better decisions, stronger controls, and resilient organizations. If you work in GRC, Risk Management, Internal Audit, Compliance, or IT Governance, this framework is for you. 👉 Follow the page for more practical GRC visuals, frameworks, dashboards, and insights. Get a High-Quality Risk Management Templates & Documents: https://lnkd.in/dUh8suRQ #GRC #Governance #RiskManagement #Compliance #InternalAudit #ITGovernance #EnterpriseRisk #Controls #Audit #RiskAndCompliance

Are your board directors ready to sign on the dotted line? From January 2026, UK boards will face a new reality under Provision 29 of the Corporate Governance Code: they must explicitly declare that their internal controls are effective. Not that they exist. Not that they are documented. That they work.   This is not another compliance checkbox. It is a governance reckoning.   Here is what most people miss. Compliance rules come from external sources such as legislation, regulators and industry standards. Governance is different. It is the framework your board creates to manage risk and set the ethical tone for your entire organisation.   Provision 29 captures this distinction clearly. It is not asking, “Are you compliant?” It is asking, “Board, can you confidently stand behind the effectiveness of your controls?”   This shift brings controls management out of the finance silo and places it firmly on the boardroom agenda. Boards will not only be asked whether controls exist. They will need to explain how those controls were monitored, whether they worked, and what evidence supports that conclusion.   The uncomfortable truth is that many boards are treating this as a compliance exercise to be delegated. They are missing the point.   The real questions are: → Does your board truly understand what “material controls” means for your business? → Are directors asking about effectiveness throughout the year, or scrambling in December? → Can you demonstrate continuous monitoring rather than annual theatre?   If your board is expected to sign off at the end of 2026, it will need a full year of solid evidence, not a few hastily written lines at the end of the year. That makes 2025 your dress rehearsal.   Good governance is not about ticking boxes. It is about boards taking genuine ownership of the control environment, asking uncomfortable questions, and being accountable when things do not work.   Provision 29 is coming. The question is not whether you will comply. It is whether your governance is actually up to the job.   https://lnkd.in/eMDddbfp   #CorporateGovernance #BoardAccountability #UKGovernance #Provision29

GRC Governance vs. Risk vs. Control: The Most Interconnected Trio in Modern Organizations Many professionals use Governance, Risk, and Control interchangeably, yet each plays a distinct role in how organizations create value and protect it. Understanding the line between them turns complexity into clarity. 👉 Governance sets the direction. It defines who makes decisions, how they’re made, and how accountability is ensured. It’s the framework that aligns purpose, ethics, and performance. Example: A Board establishes a policy requiring all strategic projects to undergo an ethical and financial review before approval. 👉 Risk Management maps the uncertainty. It’s about identifying what could prevent the organization from achieving its objectives, and deciding how to respond. Example: The Risk team identifies that depending on one supplier for core services exposes the organization to operational disruption. 👉 Control ensures execution happens as intended. It’s the mechanism that keeps actions aligned with governance and risk decisions — through checks, authorizations, and monitoring. Example: The system prevents any vendor payment without dual approval — a control that enforces policy and mitigates fraud risk. When these three elements work together: Governance provides the vision, Risk Management ensures resilience, Control delivers discipline. That’s the essence of GRC (Governance, Risk & Compliance) not bureaucracy, but a strategic advantage that builds trust and sustainability. #Governance #RiskManagement #InternalControl #GRC #InternalAudit #CorporateGovernance #Compliance #RiskCulture #Leadership #AuditProfession