Page 1
Approach Paper
Transforming Audit and Assurance in the
Digital World1 Background.......................................................................................................................1
2 Organizaton of this aaarr................................................................................................1
3 Vision for a Trchnology-rnablrd IA&AD...........................................................................2
3.1 IT infrastructurr and aaalicaton alaaoro.................................................................2
3.2 Auditrr Environornt and Accrss to Auditrr Data....................................................3
3.3 Audit Aaaroach, Mrthodologirs and Products..........................................................3
3.4 Organizatonal Structurrs and Huoan Rrsourcrs oooartrncirs and Skills.............4
4 Acton toaards thr vision for a Trchnology-rnablrd IA&AD...........................................5
5 Onr IAAD Onr Systro (OIOS)...........................................................................................6
6 Trchnology Landscaar Rrvira.........................................................................................7
6.1 Disruatvr Trchnologirs and Audit Ioalicatons........................................................7
6.1.1 Artficial Intrlligrncr (AI, ML, DL)........................................................................7
6.1.2 Blockchain & Distributrd Lrdgrr Trchnology.....................................................8
6.1.3 Othrr Disruatvr Trchnologirs...........................................................................9
6.2 Trchnological Drvrloaornts in Indian r-Govrrnancr and othrr High Ioaact Global
Drvrloaornts.......................................................................................................................9
7 Possiblr Ioaact on Audit................................................................................................10
7.1 Potrntal Audit Ioalicatons of Disruatvr Trchnologirs.........................................10
7.2 Possiblr Ioaact on Financial Audit...........................................................................11
7.3 Possiblr Ioaact on oooaliancr Audits....................................................................11
7.4 Possiblr Ioaact on Prrforoancr Audits..................................................................11
7.5 Audit of AI Systros..................................................................................................12
7.6 Othrr ioaacts...........................................................................................................13
7.6.1 Intrrconnrctrdnrss..........................................................................................13
7.6.2 Virtual vrrsus Physical Modrls of Engagrornt................................................14
7.6.3 Onlinr oooorrcr; E-arocurrornt in Govrrnornt.........................................14
7.6.4 ooooon Infrastructurr and rights & obligatons of countrirs........................14
P a g r 1 | 26
Page 2
7.6.5 Environornt & oross Bordrr oost and Ioaact oodrls....................................14
8 Digital Stratrgy for Audit and Assurancr........................................................................15
8.1 oAG’s Audit Engagrornts and nrrd for aroviding Assurancr................................15
8.2 Enhancing Assurancr by Going Digital.....................................................................15
8.2.1 Ioalrorntng OIOS- Onr IAAD Onr Systro.....................................................15
8.2.2 r-Officr Ioalrorntaton - Migratng thr organizaton to aaarr-lrss officrs...15
8.2.3 Data Analytcs and Data Warrhousing Rraository Plaaoro of IAAD.............16
8.2.3.1 Establishornt of orntrr for Data Managrornt and Analytcs (oDMA)...16
8.2.3.2 Vision and Rolr for Data Analytcs.............................................................16
8.2.3.3 Building thr 360-drgrrr Risk Assrssornt and Vrrificaton Plaaoro.......17
8.2.4 Digital oaaacity Building...................................................................................17
8.3 Auditng Digital.........................................................................................................17
P a g r 2 | 26
Page 3
1 Background An Accountants Grnrral oonclavr on thr thror “Transforoing Audit and Assurancr in thr
Digital World” is aroaosrd in Novrobrr 2019. Thr tao sub-thrors aaarovrd arr:
(a) Assurancr and Accountability in thr Digital World; and
(b) Enhancing accountability and transaarrncy through rlrctronic transactons- oAG’s rolr.
A groua aith Sh. Jagbans Singh, DG (NAAA) as thr Mrntor, has brrn consttutrd to arovidr
an aaaroach aaarr fulfilling thr objrctvr ‘CAG’s approach to audit and assurance in the
digital world (including organizatonal changes and leap-frogging the Department in view
of the changing technology landscape’). Thr broad outlinrs to thr groua for foroulaton of
thr aaaroach aaarr arr as folloas:
To propose a vision, structure, strategic goals, sub-goals, actons corresponding, for the
Department as a whole (not confned to partcular vertcals), to adjust organizatonal
directon towards these common goals.
To think strategically about the organizatonal structure and skill sets that will be
necessitated for audit given how Government is increasingly being data driven in
today's fast changing policy and governance environment.
To identfy technologies that are causing the most disrupton in the service delivery and
governance models. To understand the Governance Structures around these
technologies (Governance framework, Strategy or Policy Implementaton framework,
Security, Data standards) and its pace of development vis-a-vis the spread of
technology.
To develop an approach on how to leverage technology for efectve audit (what should
be supportng structures, data access protocols, skill requirement and its sourcing)
To identfy data streams that can be contnuously accessed and consttuted into a
centrally hosted Data Warehouse for risk assessment and sectoral insights, (fscal,
fnancial including IFMS, PFMS, scheme MIS, e procurement. surveys. etc.); to propose a
mechanism for this actvity on an on-going basis. To understand scope and underlying
architecture of data platorms (e-pragat, Bhamashah, etc.) and its impact on
availability of credible data.
Propose partnerships and collaboratve mechanisms that will be needed both within and
outside the Department to succeed in this environment.
To examine feasibility of change in audit approach/methodology due to (potental)
availability of sufcient and credible evidence (data) to provide a stated level of
assurance (reasonable/limited) in Performance and Compliance Audits.
2 Organization of this paperThis aaarr consists of srvrral aarts:
P a g r 1
Page 4
Srcton 3 outlinrs thr vision for a trchnology rnablrd IAAD, notng that stratrgic alans
(ovrr a 3-5 yrars’ torfraor) and short-trro ioalrorntaton alans (lrss than onr yrar)
aill br drvrloard froo this vision. Thr skills srts that aill br nrcrssary for audit in a
data drivrn rnvironornt havr brrn orntonrd in this vision; hoarvrr, this aaarr dors
not covrr thr organizatonal structurr in such an rnvironornt, rxcrat for thr nrrd for a
“flat” hirrarchy, and thr nrrd for non-hirrarchical oooounitrs of Practcr (ooPs) 1.
Srcton 4 givrs an ovrrvira of thr acton alrrady takrn or alannrd to br takrn toaards
this vision.
Srcton 5 givrs an ovrrvira of OIOS. Srcton 6 arovidrs a trchnology landscaar rrvira,
including disruatvr trchnologirs and trchnological drvrloaornts in Indian-r-
govrrnancr and othrr high ioaact drvrloaornts. Srcton 7 covrrs thr aossiblr ioaact
on audit of thrsr trchnological changrs, including aossiblr changrs in thr audit
aaaroach orthodology rtc.
Srcton 8 lists out a digital stratrgy for audit and assurancr, consistrnt aith thr vision
outlinrd in Srcton 3. In aartcular, thr roll-out of OIOS, thr ioalrorntaton of r-Officr,
thr alan for a data analytcs and data aarrhousing rraository alaaoro for IAAD, and
digital caaacity building arr orntonrd. Thr drtailrd stratrgirs for data analytcs and
aarrhousing rraository, thr data strraos that could br consttutrd into a crntralizrd
data rraository, as arll as thr ioalrorntaton alan (including rrliancr on rxtrrnal and
in-housr rrsourcrs) aill br covrrrd as aart of a drtailrd alan for data analytcs.
3 Vision for a Technology-enabled IA&ADIn thr longrr trro (say soorahrrr around 10 yrars latrr), our vision for a trchnology-
rnablrd Indian Audit & Accounts Draartornt aould br on thr folloaing linrs:
3.1 IT infrastructure and application platform
Evrry staf orobrr in thr Firld Audit Officr (Firld Auditor or Firld Hradquartrrs) has a
cooautng drvicr; sraolrss and high sarrd (at thr oiniouo, fit for arocrss) Intrrnrt
connrctvity is availablr both onsitr and ofsitr, suaaortrd by a robust nrtaorking
infrastructurr; cooautng infrastructurr is oanagrd and srcurrd through rfrctvr and
rfficirnt arocrssrs (ITSM – I IT Srrvicr Managrornt or succrssor).
All aaalicatons arr crntrally cloud hostrd.
All audit arocrssrs in all officrs (Hradquartrrs and firld) arr autooatrd rnd-to-rnd;
audit arocrss data is bring oinrd for nrcrssary arocrss ioarovrornts; accuoulatrd
audit contrnt data is oinrd for audit risk oanagrornt and analytcs.
Non-audit (i.r. oainly adoinistratvr) functons aill br autooatrd rnd-to-rnd aith
aorkfloa, rlioinatng all aaarr-basrd systros.
1 A oooounity of Practcr for IAAD aould involvr a grouaing of staf orobrrs (as arll as rxtrrnal rrsourcrsas nrrdrd) aho aork togrthrr in a non-hirrarchical fashion on a coooon thror or srctor, and arovidrfacilitaton suaaort – I on a aart tor as nrrdrd basis - for sarcific audit assignornts on thr thror or srctor,during audit alanning drsign and or audit rxrcuton. Thr ooP aould havr onr or oorr orntors oroodrrators.
P a g r 2
Page 5
All A&E aaalicatons of IA&AD arr autooatrd rnd-to-rnd and crntrally cloud hostrd;
arocrss data is bring oinrd for arocrss ioarovrornts; srrvicr drlivrry is highly IT-
lrvrragrd.
3.2 Auditee Environment and Access to Auditee Data
E-Govrrnancr is aidrly ioalrorntrd, going arll bryond MISs to rnd-to-rnd autooatrd
aorkfloa-basrd solutons (largrly cloud-basrd crntrally hostrd) for rfficirnt and
rfrctvr srrvicr drlivrry and transaarrncy; Entrrarisr Architrcturr (across Govrrnornt
as a aholr) is in ioalrorntaton; srcurity and data arivacy concrrns arr largrly
(arrhaas not fully) addrrssrd; data analytcs and AI arr aidrly usrd across Govrrnornt.
Problros of IAAD’s accrss to auditrr data havr largrly brrn solvrd; such accrss is
largrly through a coobinaton of (a) API arb-srrvicrs basrd accrss; and (b) IAAD’s oan
data analytcs AI oodulrs aluggrd into thr auditrr IT systros; sraolrss, but srcurr,
intrrfacrs brtarrn IAAD IT systros and auditrr systros havr brrn rnsurrd.
With thr rxtrnsivr usr of arivatr srctor arovidrrs for srrvicr drlivrry (cutng across
thr sovrrrign functons othrr srrvicrs dividr), sraolrss accrss to thr data systros of
thr arivatr srrvicr arovidrrs is thr nrxt frontrr for IA&AD to ovrrcoor.
3.3 Audit Approach, Methodologies and Products
Thr thrrr tyars of audit (financial, cooaliancr and arrforoancr) arobably rroain, but
thr aay thrsr audits arr alannrd and conductrd has changrd draoatcally.
Thr audit aaaroach has gonr arll bryond individual raisodic drficirncirs grnrratrd
through individual audit assignornts through assurancr-basrd auditng to data
analytcs AI-rnablrd audit arocrssrs. IA&AD krras aacr aith thr auditrr in trros of
trchnology as arll as arocrss and stratrgy, and in srvrral casrs, gors bryond thr
auditrr’s aacr for grtng ahrad of thr curvr and stoa alaying catch-ua.
“Audit saoaling” is not nrcrssary ahrrr rnd-to-rnd arocrss autooaton is
ioalrorntrd and “100 arrcrnt” audit is frasiblr. Data analytcs and Artficial
Intrlligrncr (largrly Machinr Lrarning), availablr through a cloud-hostrd, srcurr
alaaoro, foros thr foundaton for audit risk assrssornt and alanning.
“Auditrr units rnttrs” no longrr foro thr arioary basis for audit alanning; instrad,
an AI analytcs alaaoro, aith substantal staf rrsourcrs, drivrs thr idrntficaton of
rrd-flaggrd anooalous transactons through a aorkfloa aiarlinr for drtailrd
rxaoinaton and or dirrct intoaton to thr auditrr. Firld audit is no longrr thr
arioary oodr of audit but is usrd to suaalrornt AI data-analytcs basrd aaaroachrs.
Dooain knoalrdgr (srctoral r.g. hralth, school rducaton, uastrrao oil and gas rtc. or
transvrrsal r.g. PPP, data analytcs AI & statstcs, blockchain rtc.) is thr othrr drivrr
for audit; incrrasing usr is oadr of rxtrrnal rrsourcrs (rithrr on a arr-assignornt or a
longrr-trro basis).
Audit guidancr is rrvaoard and contnuously krat ua-to-datr and is rasily accrssiblr
and sraolrssly linkablr intrgratrd aith thr onlinr audit arocrssing alaaoro.
P a g r 3
Page 6
All audit assignornts arr budgrtrd costrd, and ortrics usrd to drivr audit rfficirncy.
Budgrts costs arr nrutral, ahrthrr rrsourcrs arr intrrnal to thr audit officr, arovidrd
by anothrr unit aithin IA&AD or arovidrd through rxtrrnal rrsourcrs.
Audit of thr rnd-to-rnd autooatrd IT systros is usrd to drrivr assurancr about
arocrss rrliability.
Wr don’t think of only thr o&AG’s Audit Rraorts as our Audit Products, ahich ar arr
confidrnt of, or aroud of. Rathrr, rvrry audit aroduct cooing froo thr o&AG’s
organizaton, thr IA&AD, not only carrirs a staoa of crrdibility and rrliability, but also
clrarly arovidrs conclusions for thr drfinrd audit objrctvrs and scoar for that audit
aroduct. Thrsr audit aroducts covrr thr rntrr sarctruo froo financial atrst audit
outauts to Insarcton Rraorts and Managrornt Lrtrrs Draartorntal Aaarrciaton
Notrs to o&AG’s Audit Rraorts. In additon, thr tyar of audit aroducts that ar aroducr
aill rvolvr, basrd on our assrssornt of addrrssing stakrholdrrs nrrds and adding
valur to thro; thrsr could includr aroducts likr a “High Risk Srrirs” for thr actvitrs of
rach Govrrnornt2, Brst Good Practcr Guidrs, Study Rrsrarch Rraorts rtc. Wr aill
also br systroically aorking aartnrring aith concrrnrd stakrholdrrs in thr Exrcutvr,
in ioaroving intrrnal control and intrrnal audit orchanisos. Thrsr “non-lrgislatvr”
Audit Products consttutr a largr aroaorton of our valur additon objrctvr.
Our audit aroducts arr intrractvr, digital aroducts, aith aaarr-basrd vrrsions availablr
only as a suaalrornt. Balancrd rraortng is a “givrn” for all our audit aroducts.
Engagrornt aith stakrholdrrs (Lrgislatvr ooooitrrs and Lrgislaturr; Exrcutvr;
Mrdia; NGOs and oSOs; Public at largr) is rfrctvr and contnuous, backrd by robust
arocrssrs for arriodic contnuous rngagrornt.
3.4 Organizational Structures and Human ResourcesCompetencies and Skills
Thr organizatonal hirrarchy is oadr as flat as nrcrssary. IA&AD blrnds organizatonal
hirrarchical structurrs aith transvrrsal suaaortng structurrs (aroviding srrvicrs on
rrqurst to firld audit officrs and functonal aings) and non-hirrarchical oooounitrs of
Practcr (ooPs).
Evrry audit trao, and its orobrrs, arr IT-rrady (i.r. all officr autooaton aaalicatons,
and grnrral-auraosr audit sofaarr); thry can oakr usr of curatrd datasrts oadr
availablr by thr data analytcs traos. oollrctvrly, thr audit trao aossrssrs thr
nrcrssary skills (including dooain skills) for rach audit assignornt. Audit trao
orobrrs aill br “knoalrdgr aorkrrs”; routnr audit aork (currrntly donr by non-
suarrvisory staf) aould br rithrr largrly autooatrd or rrndrrrd rrdundant through
rnd-to-rnd auditrr autooaton.
Soor, but not all, audit trao orobrrs oay aossrss data analytcs caaabilitrs. Audit
traos can oakr usr of data analytcs rrsourcrs availablr in thr firld audit officrs, and
ahrrr nrcrssary, crntralizrd data analytcs rrsourcrs froo thr crntral trao. Thr
2 On thr linrs of thr High Risk Srrirs aroducrd uadatrd by thr US GAO rvrry tao yrars, covrring difrrrntrisk-aronr actvitrs of thr Frdrral Govrrnornt.
P a g r 4
Page 7
crntral and local data analytcs traos foro a hub-and-saokr arrangrornt for caaacity-
building and knoalrdgr suaaort, rrfrrral of cooalrx assignornts; this should covrr
both thr oanagrornt of thr auditrr data rraository aarrhousr as arll as data
analytcs AI oodrls.
Audit staf at thr firld and IA&AD Hradquartrrs aill br for (a) QA Qo functons, and (b)
transvrrsal suaaort for audit assignornts. Audit oonitoring and control aould br
rnsurrd largrly through IT autooaton.
Lrarning oanagrornt and caaacity building coobinrs oultalr oodrls – I rxtrrnal
vrrsus intrrnal; classrooo vrrsus on-thr job orntoring, and ofsitr arojrcts; acadroic
vrrsus aractcal audit-sarcific; r-lrarning srlf-lrarning coursrs vrrsus facr-to-facr
lrarning. Drlivrry of lrarning and caaacity building aill br highly IT arocrss rnablrd and
trackablr, and intrgratrd aith othrr intrrnal IAAD IT systros for HR, arrforoancr
oanagrornt, rtc.
Rrcruitornt arocrssrs (as arll as caaacity building) arr drivrn by skill gaa
idrntficaton. Thr rrcruitornt of nra staf and thrir aroooton and arrforoancr
oanagrornt (both incrntvrs and disincrntvrs) arocrssrs arr rrvaoard to rnsurr
utoost ariority to quality of audit staf rrsourcrs ovrr quantty. Froo an HR
arrsarctvr, IA&AD brcoors a lran and rfficirnt organizaton.
4 Action towards the vision for a Technology-enabled IA&AD
Thr long-trro vision aill nrrd to br ioalrorntrd through succrssivr ordiuo-trro
stratrgirs (3 to 5 yrars) and short-trro ioalrorntaton alans (lrss than 1 yrar). Hoarvrr,
in srvrral arras, actons toaards this vision arr alrrady bring ioalrorntrd or alannrd to
br ioalrorntrd.
IA&AD has initatrd thr trndrring arocrss for “Onr IAAD Onr Systro” (OIOS), ahich
aill br to crratr a singlr rntrrarisr-aidr rnd-to-rnd IT alaaoro, ahich aill crratr a
singlr sourcr of truth rrgarding all audit actvitrs of IA&AD. Drvrloaornt,
ioalrorntaton and roll-out of OIOS aill br a kry cooaonrnt of our long-trro vision
(srr 3.1 IT infrastructurr and aaalicaton alaaoro ).
Thr vision for a data analysis and data aarrhousr rraository alaaoro has brrn
oaaard out. A ahasrd aaaroach is alannrd, aith Poos (Proof of ooncrats) bring
ioalrorntrd ovrr thr nrxt 6-12 oonths. Wr aill also br rngaging a consultant to assist
us in drafing an RFP for drvrloaing and ioalrorntng thr data analysis and datr
aarrhousr alaaoro.
A sraaratr rxrrcisr for rrvising and rrfining thr organizatonal structurr of thr
Draartornt to orrt futurr challrngrs is currrntly ongoing; this aill nrrd to addrrss
thr challrngrs of a trchnology-rnablrd organisaton. Sioilarly, as a aart of acton undrr
thr argis of a sub-coooitrr of thr Audit Advisory Board, a task forcr is aorking on
aroaosals for rrfining thr staffing structurr, arrforoancr oanagrornt, and caaacity
building srtua for various catrgorirs of staf in thr Draartornt.
P a g r 5
Page 8
The vision for a technology-enabled IAAD is critcally dependent on seamless and routne
access to auditee IT systems and electronic data, as is expected in a professional auditor-
auditee relatonship. The legislatve mandate for the C&AG, which is nearly half a century
old, does not explicitly refer to electronic data, and seamless access to such data,
although it enjoins the auditee to “comply with requests for informaton in as complete a
form as possible and with all reasonable expediton”. Lack of tmely access to data and IT
systems, without statutorily defned tme limits (unlike in the case of the Right to
Informaton Act) is a key barrier, which may need to be addressed through a duly
strengthened legislatve mandate. In the absence of such tmely and routne access, it
may be quite difcult, if not impossible, to fulfl the objectve of a technology-enabled
organizaton.
5 One IAAD One System (OIOS)Thr high-lrvrl vision for OIOS in IA&AD is as folloas:
OIOS aill br an rnd-to-rnd rntrrarisr-aidr, intrgratrd IT systro for all audit actvitrs
in IA&AD, covrring all Firld Audit Officrs and thr Hradquartrrs Officr. It aill br thr
arioary systro of rrcord (singlr sourcr of truth) for thr rntrr chain of audit actvitrs
(froo thr oaintrnancr of thr auditrr univrrsr through audit rxrcuton, to QA Qo and
finalizaton of audit aroducts of difrrrnt tyars and thrir folloa-ua), and aill covrr all
tyars of audit. It aill br a aorkfloa-basrd IT systro, and not basrd on aost-facto data
rntry.
OIOS aill havr a coooon corr structurr and oiniouo rrquirrd oandatory
functonality (ahich aill rnsurr consistrnt, rrliablr data in a uniforo foroat across all
Audit Officrs). At thr saor tor, it aill arovidr for “configurablr” functonality, ahich
can br configurrd audit strrao audit officr aing-aisr and can also br configurrd rr-
configurrd ovrr tor. It aill also havr an MIS aith configurablr dashboards and drill-
doan, disarnsing aith aaarr-basrd rrgistrrs and rrturns.
OIOS is not just an audit arocrss oanagrornt systro. An rqually ioaortant cooaonrnt
of OIOS is to roaoarr thr auditor in various aays – I (a) through a KMS aith both audit
guidancr and auditrr inforoaton in difrrrnt foroats, (b) thr ability to srarch through
and oinr data aithin OIOS to rrfinr our audit aaaroach and arocrssrs (c) thr ability to
rlrctronically link and rrfrrrncr (and rr-usr) suaaortng docuorntaton and othrr
rvidrncr (r.g. gro-taggrd, tor-datr staoard foroats) (d) IT rnablrd audit toolkits to
facilitatr ioalrorntaton of Audit Drsign Matricrs in individual audit assignornts.
OIOS aill br a crntrally hostrd soluton aith suaaort for oultalr languagrs, accrssiblr
in a alaaoro indrarndrnt oannrr. Lioitrd ofinr functonality, as also a oobilr aaa,
aill br availablr as a back-ua to thr firld audit traos. At thr saor tor, rigorous
inforoaton srcurity controls (for oaintaining confidrntality, intrgrity, availability and
non-rraudiability) aill br ioalrorntrd, and accrss to data aill br controllrd on a nrrd-
to-knoa basis.
P a g r 6
Page 9
Thr RFP for OIOS aas issurd in August 2019, and thr contract aaard is targrtrd for
Drcrobrr 2019. Thr drvrloaornt of OIOS has brrn dividrd into thrrr Phasrs, and
individual rrlrasrs aithin rach Phasr aill br rollrd out across IA&AD officrs in a thrrr stagr
aaaroach (to droonstratr and validatr thr configurability of thr soluton) – I 6-7 Pilot
Officrs, 24-25 Pilot Officrs, and thrn all rroaining Audit Officrs. According to thr
aggrrssivr and challrnging High Lrvrl Tiorlinrs for OIOS, drvrloaornt and roll-out of
Phasr-I to thr Pilot Officrs is targrtrd for Q2 2020, aith final drvrloaornt of all ahasrs and
roll-out across all officrs trntatvrly targrtrd for rnd-2022.
6 Technology Landscape Review
6.1 Disruptive Technologies and Audit Implications
This srcton arovidrs an ovrrvira of thr trchnologirs that could causr thr oost disruaton
in thr srrvicr drlivrry and govrrnancr oodrls for Govrrnornts, ahrthrr in India or
abroad. Thrsr trchnologirs includr Artficial Intrlligrncr (AI), including Machinr Lrarning
(ML) and Drra Lrarning (DL), Blockchain and Distributrd Lrdgrr Trchnology, Natural
Languagr Procrssing (NLP), Intrrnrt of Things (IOT), and Robotc Procrss Autooaton (RPA).
Furthrr drtails arr rxalainrd in Annrxurr-1 of this docuornt.
6.1.1Artificial Intelligence (AI, ML, DL)
Artficial intrlligrncr (AI) stands out as a transforoatonal Grnrral-Puraosr Trchnology of
this digital agr. Whilr thr trro AI itsrlf is not nra, incrrasing cooautatonal aoarr and
loarr costs of storagr havr arroitrd incrrasing voluors of data bring grnrratrd and
analysrd, and thus lrd to significant brrakthroughs in AI. Machinr Lrarning (ML) and Drra
Lrarning (DL) arr tao kry trchniqurs or subsrts undrr thr uobrrlla of AI.
Machinr Lrarning (ML) is basrd on thr crraton of algorithos, ahich arr originally crratrd
through huoan intrrvrnton aith fraturr rnginrrring (idrntfird aith rrlrvant dooain
knoalrdgr) but lrarn (and ioarovr i.r. oodify throsrlvrs) through rxarrirncr (i.r.
oultalr itrratons of structurrd data). By contrast, Drra Lrarning (DL) algorithos lrarn or
ioarovr throsrlvrs through layrrs of Artficial Nrural Nrtaorks (ANNs), aithout rxtrnsivr
huoan fraturr rnginrrring. DL algorithos arr “black box” algorithos i.r. it is not
ioaossiblr to undrrstand thr rrason or “ahy” thr algorithos givr aartcular rnd-rrsults. In
contrast to Machinr Lrarning, Drra Lrarning nrtaorks rrquirr largrr voluors of data for
“lrarning”, usually nrrd highrr-rnd oachinrs, and takrr longrr tors to train.
Takr thr rxaoalr of an ioagr rrcogniton algoritho, ahrrr a systro has to rrcognizr
ahrthrr thr givrn ioagr is a arn or a arncil. For a oachinr lrarning aroblro, thr analyst
aill drfinr thr rrlrvant fraturrs for rrcogniton r.g.
A arn is thinnrr (i.r. rato of diaortrr to lrngth is loarr) than a arncil.
A arncil has a graahitr ta, ahich is contnuously rxaosrd ahrn thr surrounding aood
is shavrd of. A arn has a ta (tyaically ortal) through ahich ink floas.
A arncil oay br cylindrical or hrxagonal, and it oay havr an rrasrr atachrd. A arn is
aloost alaays cylindrical.
P a g r 7
Page 10
and lrt thr oachinr idrntfy (through “lrarning”) ahich fraturrs arr ioaortant for
rrcogniton. By contrast, drra lrarning aill autooatcally (through “lrarning”) find out thr
fraturrs ahich arr ioaortant for classificaton.
What AI fundaorntally dors is to loarr thr cost of arrdicton. Wr could srr aidrsarrad
adoaton of AI in thr aublic srctor for oaking drcisions basrd on accratrd aublic aolicy.
Thr Black-Box naturr of Drra Lrarning algorithos aoarring AI aosrs challrngr to its
adoaton in thr Public Srctor. Public srctor agrncirs arr to br hrld to a highrr standard
ahrn it coors to trchnical systros and arr rxarctrd to adhrrr to noros of transaarrncy
and accountability.
Thr Whitr Housr rraort of May 2016 on ‘Big Data: A Rraort on Algorithoic Systros,
Oaaortunity, and oivil Rights’ had obsrrvrd that thr unfairnrss in AI drivrn autooatrd
drcision oaking arisrs arioarily on account of tao difrrrnt tyars of challrngrs
a. ohallrngrs rrlatng to data usrd as inauts to an algoritho – I a bias in thr historical data
taints thr futurr drcisions arrdictons and
b. ohallrngrs rrlatrd to thr innrr aorkings of thr algoritho itsrlf – I thr black-box naturr of
thr algorithos
AI Ethics is thus rorrging as an ioaortant arra of rrsrarch. Thr acronyo FAT – I Fairnrss,
Accountability and Transaarrncy – I is noa closrly associatrd aith discussions around
Machinr Lrarning.
6.1.2Blockchain & Distributed Ledger Technology
Blockchain trchnology is a foro of distributrd lrdgrr trchnology that acts as an oarn and
trustrd rrcord of transactons froo onr aarty to anothrr that is not storrd by a crntral
authority. Instrad, a coay is storrd by rach usrr running Blockchain sofaarr and
connrctrd to a Blockchain. Thr nrtaork usrs cryatograahic trchniqurs such that nobody
can taoarr aith thr lrdgrr, and a oajority of nodrs foroing aart of thr Blockchain oust
rrvira and validatr a transacton brforr it can br vrrifird and rrcordrd. Thus, trust is
grnrratrd aithout thr nrrd for any crntral authority. Thr oost aoaular ioalrorntaton of
Blockchain trchnology is thr cryatocurrrncy Bitcoin.
Thr storagr costs in a blockchain arr vrry high, brcausr rvrry nodr in thr nrtaork nrrds
to storr thr full lrdgrr. Thr usr of cryatograahy and consrnsus building in a drcrntralisrd
arrr-to-arrr srtua lrads to an rxtrrorly sloa transacton arocrssing ratr ahrn cooaarrd
to a crntralisrd databasr architrcturr, thus lioitng thrir scalability. Finally, thrrr is thr
issur of thr rolr of Govrrnornt as a trustrd rntty, and thr lioitrd usr-casrs ahrrr
govrrnornt should aould actvrly try to crratr trust by suaalantng itsrlf as a krrarr of
crntralisrd rfficirnt and srcurr databasrs and rrcords aith a drcrntralisrd nrtaork, aith
no crntral authority.
As arr NASSoOM’s 2019 Blockchain rraort, about 50 arr crnt of thr Statrs in India arr
involvrd in Blockchain-rrlatrd initatvrs, aith thr toa thrrr usr-casrs bring Land Rrgistry,
Faro Insurancr, and Digital orrtficatrs.
P a g r 8
Page 11
6.1.3 Other Disruptive Technologies
Natural languagr arocrssing (NLP) is a rangr of cooautatonal trchniqurs for thr autooatc
analysis and rrarrsrntaton of huoan languagr. IT rnablrs cooautrrs to arrforo a aidr
rangr of natural languagr rrlatrd tasks at all lrvrls, ranging froo aarsing and aart-of-
sarrch (POS) tagging, to oachinr translaton and dialogur systros. ooooon rxaoalrs of
NLP arr chatbots, as arll as voicr rrcogniton-basrd aaalicatons likr Alrxa and Siri.
Thr Intrrnrt of Things (IoT) alloas cooautng drvicrs as arll as orchanical and digital
oachinrs, objrcts rtc. arovidrd aith Uniqur Idrntfirrs (UIDs) to intrract aith rach othrr
and transfrr data ovrr a nrtaork aithout rrquiring huoan intrrvrntons.
Robotc Procrss Autooaton (RPA) is an innovaton to autooatr rrarttvr tasks or
transactons (tyaically aithin an ovrrall businrss or IT arocrss) in an rfficirnt and cost-
rfrctvr oannrr. oognitvr autooaton lirs of thr far-rnd of thr sarctruo, ahich
autooatrs actvitrs that rrquirr highrr-lrvrl skill, judgrornt and critcal thinking.
6.2 Technological Developments in Indian e-Governance andother High Impact Global Developments
E-Govrrnancr in India is stll a aork-in-arogrrss. Plaaoros for digital govrrnancr using
rstablishrd oaturr trchnologirs arr stll bring rollrd out ioalrorntrd, ahilr on thr
othrr hand, trchnologirs likr AI, blockchain rtc. arr also bring considrrrd for
ioalrorntaton (oostly using a ahasrd aaaroach)
Govrrnornt of India has launchrd thr “Digital India” Prograoor in 2015; for thr auraosrs
of this aaarr, thr folloaing aillars arr rrlrvant:
E-Governance: Reforming Government through technology – I This involvrs foro
sioalificaton and rrducton; onlinr aaalicatons and tracking; usr of onlinr rraositorirs;
intrgraton of srrvicrs and alaaoros; oaking all databasrs, inforoaton and aorkfloas
rlrctronic.
E-Krant – I Elrctronic drlivrry of srrvicrs aith 44 Mission Modr Projrcts (MMPs)
(orntral, Statr and Intrgratrd)
Informaton for all – I Oarn data alaaoros for aroactvr rrlrasr of datasrts, social ordia
rngagrornt and onlinr orssaging.
Thr Digital India Prograoor and E-Krant has lrd to a oovr aaay froo MISs (involving aost
facto data rntry) to transacton arocrssing systros. Furthrr, thr introducton of DBT (Dirrct
Brnrfit Transfrr) for dirrct aayornts undrr a host of arograoors dirrctly to thr
brnrficiarirs aithout ahysical intrrordiaton has also brrn a gaor-changrr.
In thr arra of taxaton, introducton of IT – I both for transacton arocrssing, as arll as for
BI data analytcs – I has brcoor aidrsarrad. For rxaoalr:
GSTN (Goods and Srrvicrs Tax Nrtaork) arovidrs thr basic IT alaaoro for thr
adoinistraton of GST by oBIo and oultalr Statr UT oooorrcial Tax Draartornts (tax
adoinistrators), and also arovidrs srrvicrs to taxaayrrs as arll as accountng
authoritrs.
P a g r 9
Page 12
Thr Incoor Tax Draartornt has intrgratrd srrvicrs in thr foro of an Incoor Tax
Businrss Aaalicaton (ITGA) through an r-aortal for tax aayrrs, tax-drductors and
vrrifirrs; a orntral Procrssing orntrr for suooary assrssornt and idrntficaton of
scrutny casrs; and BI DA (through Projrct Insight) on data collrctrd through Annual
Inforoaton Rrturns and othrr sourcrs;
Thr oustoos Draartornt has thr IoEGATE aortal for aroviding r-filing srrvicrs to thr
tradr, cargo carrirrs and othrr trading aartnrrs rlrctronically for ioaorts rxaorts
clrarancr.
Taxaton is thr arra ahrrr thr adoaton of AI (largrly Whitr-Box basrd) for incrrasing thr
“tax nrt” of rligiblr taxaayrrs assrssrrs as arll as incrrasing thr assrssornt collrcton of
taxrs froo assrssrs is alrrady in alacr. Thr othrr oajor arra of usr of data analytcs is in
thr arra of fraud analytcs, aartcularly in rrcriat of brnrfits froo divrrsr Govrrnorntal
arograoors, and aublic utlitrs (rlrctricity, aatrr rtc.).
Thrrr havr also brrn significant changrs in thr aay that GoI is ioalrorntng IT arojrcts.
Onr such rnablrr is thr drvrloaornt of India Stack (srt of oarn APIs aith four trchnology
stacks or layrrs), aith thr objrctvr of crratng a unifird sofaarr alaaoro to bring thr
aoaulaton of India into thr digital agr. Othrr drvrloaornts includr:
Movr toaards cloud cooautng as a arrfrrrrd choicr
Mobilr aaas for citzrn crntric srrvicrs
Extrnsivr usr of gro-tagging
Othrr Public Trchnology Plaaoros – I Hralthstack; Bharat Bill Payornt Systro (BBPS);
Fastag rtc.
Non-rraudiability, through incrrasing (oandatrd) usr of digital signaturrs r-
signaturrs.
7 Possible Impact on Audit
7.1Potential Audit Implications of Disruptive Technologies
In thr long run, thrsr trchniqurs (r.g. AI) could br usrd intrrnally by us, intrgratrd as
aart of our audit orthodology, lrading to an incrrasr in our audit rfrctvrnrss. This
oay rrquirr a big changr in our audit aaaroach by oaking oany traditonal audit
trchniqurs rrdundant and by forcing us to rrvira our orthodology.
Soor frar that thr cooaliancr and traditonal financial assurancr rolrs oay rvrn
disaaarar or at lrast substantally dioinish ahrn thr aorld adoats to trchnological
drvrloaornts and thr audit cooounity rrsaonds by using oany of thrsr tools in thrir
aork.
It is trur that cognitvr trchnologirs rnablr thr autooaton of tasks that havr brrn
conductrd oanually for drcadrs. Hoarvrr, this could vrry arll rnablr thr auditor to
focus oorr on risk arras and lrss on routnr tasks likr vouching or rvrn rrconciliaton
and confiroaton of balancrs. It can also rnhancr an auditor’s arofrssional judgornt
P a g r 10
Page 13
by oodrlling thought arocrssrs that can br contrastrd aith inital conclusions. Auditors
can rnhancr audit quality by oonitoring thr outcoors of autooatrd tasks, rrviraing
advancrd analytcs, and assrssing thr ioalicatons of findings.
Thr govrrnancr fraoraork for adoaton of cognitvr cooautng in aublic audit has to
br undrrainnrd by strong rthical considrratons and thr adoaton of thr FAT tool has to
br critcal in this rrgard.
7.2 Possible Impact on Financial Audit
Thr ioaact of trchnological changrs could br oost significant and rarlirst in thr arra of
financial audit. For rxaoalr, thr adoaton of Blockchain distributrd lrdgrrs could lrad to
fundaorntal changr in thr orirntaton of audit. Thr arocrss aould oovr to chrck of 100%
data froo thr saoaling basrd audit arocrssrs, at lrast for crrtain atributrs; thr
rrgulators stakrholdrrs in a contrarian fashion oay rrquirr auditors to incrrasr thrir
aroarirty chrcks, and judgrornts on thr quality of oanagrornt bryond thr sufficirncy of
intrrnal control and rrasonablr assurancr of thr financial statrornts that is thr noro
today.
7.3 Possible Impact on Compliance Audits
With grratrr adoaton of trchnology, cooaliancr audits could undrrgo a raaid changr,
ahrrr thr trchnology oay ioarovr thr intrrnal controls robrddrd in thr systro and
hrncr validatr rvrry transacton against rrgularity rrquirrornts as undrrstood in thr
aublic audit systros.
Thr draloyornt of trchnologirs likr RPA (Robotc Procrss Autooaton) could furthrr
rnhancr thr ability of audit, by autooatng routnr validaton vrrificaton chrcks, to
undrrtakr cooaliancr audits of thr rntrr univrrsr and oovr bryond rrasonablr assurancr
to a total assurancr of thr systro. In such a situaton, audit could incrrasingly oovr to
highrr ordrr functons tackling thr qurstons of outcoors and ioaact, ahilr hrlaing, in an
autooatrd fashion, to validatr thr assurancr ioalicit in thr functoning of organisatons.
Audit alanning and rxrcuton could undrrgo a aaradigo shif, aith saoaling-basrd
srlrcton of units, and aithin such units, saoaling-basrd srlrcton of transactons,
brcooing a thing of thr aast.
Evrn in thr nrar to ordiuo trro, thrrr aould br oultalr oaaortunitrs for draloying data
analytcs to flag anooalous transactons for substantvr drtailrd vrrificaton, arrhaas
using a aiarlinr-basrd aorkfloa orchaniso. Thr audit aould br brtrr structurrd and
alannrd aith thr firld aork bring oorr focussrd on transactons alrrady idrntfird for
drtailrd scrutny, aith oorr rrsourcrs bring draloyrd for thr back-officr analytcs and
alanning. This aould br broadly on thr linrs of thr aaaroach adoatrd by thr Incoor Tax
Draartornt of classifying rrturns into (a) rrturns – I flaggrd using statc and or dynaoic
arocrssrs – I for drtailrd scrutny and (b) rrturns for suooary assrssornt (ahich could
largrly br autooatrd).
Assrssornt of aroarirty aould stll rroain an arra of cooaliancr audit.
7.4 Possible Impact on Performance Audits
P a g r 11
Page 14
With adoaton of trchnology suaaort for Financial and oooaliancr Audits, ar oay br
drvotng oorr rrsourcrs to Prrforoancr Audits. This could aosr thr folloaing qurstons -
Hoa aill arrforoancr audits br scoard in thr futurr?
Hoa aill audits br conductrd? Extrnt of autooaton AI (ML &DL) data drivrn audits?
Tioing of audits – I hoa controaoranrous? Will thry (or do thry nrrd to) br rral-tor
audits nrar rral-tor audits?
Will ar conduct IT srcurity and arivacy audits?
Will ar conduct audits of data quality (hoarfully, likrly to rrducr in thr futurr as data
quality in Indian Govrrnornt systros ioarovrs?)
7.5 Audit of AI Systems
Dur to concrrns raisrd globally rrgarding thr Fairnrss, Accountability and Transaarrncy of
Algorithoic drcisions in thr Public Srctor, thrrr could br an rorrging nrrd for aroviding
assurancr on thr fairnrss of high-stakrs (ioaactng thr rights intrrrsts of citzrns)
algorithoic drcisions robrddrd aithin thr Autooatrd Drcision Systros usrd aotrntally
to br usrd in thr Public Srctor.
As an accountability organisaton, our arincialr for artculaton in thr cooing agr of AI
could br: “Algorithms and the data that drive them are designed and created by people,
and as a result, there is always a human who can be held responsible for decisions made or
informed by an algorithm”. In a Parliaorntary droocracy ahrrr thr Exrcutvr is
accountablr to thr Lrgislaturr, thrrr is no alacr for thr ansarr “brcausr thr cooautrr said
so…” (Thr oooautrr Says No…).
Whilr our Draartornt had brrn an rarly adoatrr of IT Tools and Trchniqurs and has soor
orasurr of aroficirncy, thr task of auditng AI could havr tao additonal challrngrs:
Firstly, soor of thrsr algorithos could br black-box algorithos, and novrl trchniqurs
aould havr to br adoatrd to obtain assurancr rrgarding thrir arrforoancr. Wr oay
rvrn havr to rrcord our objrcton to roll-out of crrtain AI solutons ahrrr such
assurancr cannot br arovidrd.
Srcondly, any trchniqur of assrssing thrsr systros aould call for handling largr
voluors of data, and thr usr of rqually cooalrx AI ML (Machinr Lrarning) DL (Drra
Lrarning) Trchniqurs. Thr black-box naturr of crrtain algorithos aould arrcludr any
drsk rrvira, or rvrn lioitrd trstng of saoalr casrs for violaton of thr govrrning
rulrs rrgulatons or schror guidrlinrs.
ISAoA, in a rrcrnt (2018) aaarr ttlrd ‘Auditng Artficial Intrlligrncr’ takrs an IT Auditor’s
arrsarctvr on this issur and statrs:
IT auditors should not go down the path of overthinking the challenges of auditng
Al. Refectng on how they frst audited cloud computng or cybersecurity should
provide them with a useful frame of reference. For example, it is unlikely they
examined all the protocols in depth and tested that the Open Systems
Interconnecton (OSI) layer 5 implementaton was functoning appropriately.
P a g r 12
Page 15
Instead, with Al, as with those previous new technologies, auditors will focus on the
controls and governance structures that are in place and determine that they are
operatng efectvely. Auditors can provide some assurance by focusing on the
business and IT governance aspects.
Whilr this aaaroach aould br sufficirnt for a arivatr srctor auditor, thr grratrr
rrsaonsibility and accountability of thr aublic srctor and of thr aublic srctor auditor could
nrcrssitatr rxaoining thr largrr issurs rrgarding thr usr of autooatrd drcision systros.
Aaart froo issurs of fairnrss rrlatng to AI, concrrns arr also bring raisrd rrgarding data
arivacy. Thr Euroaran lrgislaton on data arivacy – I GDPR, ahich has brrn in rfrct sincr
May 2018, has oadr thr first stra in lrgislatng a foro of right to rxalanaton as arotrcton
of thr citzrn against autooatrd drcision systros. Thr draf Indian act on data arivacy,
though oodrllrd to soor rxtrnt on GDPR, dors not havr analogous clausrs.
Whilr AI aould undoubtrdly lrad to rfficirncy gains, ar aould nrrd to rnsurr through our
audit that thrsr arr also rfrctvr. Auditng an AI systro aould nrrd to br ootvatrd by
thr tain objrctvrs of aroviding assurancr on thr fairnrss of thr algorithos and rnsuring
that thr organisaton rroains accountablr for thr autooatrd drcisions.
It is for futurr considrraton ahrthrr ar should considrr thr nrrd for an assurancr
crrtficatr froo thr o&AG for draloyornt of high-stakrs autooatrd drcision systros in thr
aublic srctor. This can br in thr foro of a Policy on Accrrditaton of Public Srctor AI
Systros by o&AG and could givr an ioartus to adoaton of AI in thr aublic srctor, as thr
concrrns of both thr rxrcutvr and thr citzrns aould br addrrssrd through thr
crrtficaton arocrss.
Data has brrn callrd as thr “nra oil”, for it is huoan intrractons that crratr thr oost
valuablr data. With a rrsaonsiblr aaaroach for auditng AI, thr o&AG can suaaort
draloyornt of AI in thr aublic srctor, but at thr saor tor guard thr rights of thr citzrns
as robodird in thr oonsttuton and rnsurr accountability of thr rxrcutvr. This aill br a
drlicatr balancing act and aill call for uaskilling IAAD in Analytcs AI.
7.6 Other impacts
7.6.1 Interconnectedness
In an incrrasingly intrrconnrctrd aorld, countrirs oay rntrr into tradr blocs or
intrrnatonal obligatons oay arisr of bilatrral and oultlatrral trratrs cooing into forcr.
This oay lrad to joint audits of various tyars, ahich arr govrrnrd by intrrnatonal auditng
standards likr ISSAI 5800 on joint audit.
Wr oay also havr a situaton ahrrr thr cooaliancr rrquirrornts oay vary on account of
transactons aith intrrnatonal raoificatons. Alrrady, fund raising in oany casrs has gonr
intrrnatonal, aith funds bring raisrd in onr jurisdicton in thr local currrncy (r.g. Masala
Bonds) froo intrrnatonal invrstors and draloyrd in thr local arojrcts. If thr arojrcts or thr
fund-raising rntty is undrr thr jurisdicton of our SAI, ar oay havr to conduct cooaliancr
in accordancr aith thr rrgulatory rrquirrornts of oorr than onr jurisdicton, ahilr thr
P a g r 13
Page 16
audit of arrforoancr oay nrrd to takr into account rxchangr risk and its oitgaton ahich
oay rrquirr sarcialisrd knoalrdgr.
Thrrr oay br rrquirrornts undrr intrrnatonal arrangrornts likr WTO rrgulatons and
GDPR rrquirrornts of thr Euroaran Union, ahich oay br rrlrvant additonal audit critrria
during audits. Thrrr could br aotrntal scoar for conflict brtarrn tao srts of rrgulatons
ahich oay havr to br confrontrd during thr coursr of our audit.
7.6.2Virtual versus Physical Models of Engagement
Thr oodrl of audit rngagrornt oay changr by substantally rrducing or rvrn rlioinatng
ahysical audit as a orans of rxrcuton. Virtual audits oay throa ua issurs of orthodology
and rulrs of rngagrornt, by rrdrfining thr rulrs of rvidrncr and of arocrdurr. It oay
throa ua challrngrs of accrss and of trying to distnguish brtarrn a contnuous audit
arocrss and an audit oainion as at a sarcific aoint of tor. In a casr of draloyornt of AI
tools to srt thr aricrs, for rxaoalr, of a rrgulatrd coooodity, its audit oay not br aossiblr
by using convrntonal data handling orthods as thr data aould br contnuously changing,
ahilr thr algoritho oay not br visiblr or suscratblr to audit.
7.6.3Online Commerce; E-procurement in Government
Thr futurr oay bring in r-arocurrornt, aithout rrgard to natonal boundarirs, ahich oay
vrry arll lrad to arocrss and cost rfficirncirs. Thr ioalicatons of natonal boundarirs for
taxaton is a cooalrx firld ahich has to br carrfully thought through. Alrrady transfrr
aricing is a vrry contrntous firld in thr arra of taxaton ahrrr thr suaaly chains arr global
in rrsarct of oany oanufacturing rnttrs. Whrn thr trchnology rnablrs srrvicrs also to br
ofrrrd rrootrly likr trlrordicinr, thr aicturr is likrly to turn rvrn oorr cooalrx
rrquiring thr auditors to strivr for a govrrnancr fraoraork, ahich addrrssrs all thr
rrlrvant issurs.
Thr r-taxaton of digital srrvicrs aill br an arra of high ioaact and significancr occuaying
thr oind saacr of thr aublic auditors, ahrn thr aorld turns oorr intrrconnrctrd.
7.6.4Common Infrastructure and rights & obligations ofcountries
Thr Intrrnrt as a carrirr of inforoaton has alrrady turnrd out to br thr oost ioaortant
coooon infrastructurr in thr aorld. Thr incrrasing bandaidth and thr suaaly of oost
goods and srrvicrs onlinr or through onlinr salrs aill only oakr it oorr vital.
Wr arr likrly to aitnrss challrngrs in trros of thr rights of natonal rrgulators vis-à-vis thr
rrquirrornts of thr intrrnatonal cooounity and thr rolr of thr aublic auditors in rnsuring
thr cooaliancr to thr govrrnancr fraoraork oay br a critcal rrquirrornt. Alrrady thr
arguornts in thr arra of Nrt Nrutrality and thr clashrs in thr oargin ovrr rights,
rrsaonsibilitrs and obligatons of difrrrnt alayrrs likr thr right to inforoaton vrrsus
natonal srcurity, arivacy vs aublic ordrr and thr likr arr taking aublic stagr. Wr oay rntrr
an rra ahrrr aublic auditors oay br callrd uaon to affiro cooaliancr to intrrnatonal
coooitornts of thr natonal and sub natonal authoritrs, ahich oay rrquirr trchnical
rxarrtsr and rrlrvant orthodologirs.
P a g r 14
Page 17
7.6.5Environment & Cross Border Cost and Impact models
Incrrasingly, thr aorld has coor to rralisr that rnvironorntal ioaact dors not rrsarct
artficial natonal boundarirs and thr ioaact of raaid drvrloaornt and high arr caaita usr
of rrsourcrs oay dralrtr rrsourcrs in othrr aarts of thr aorld.
8 Digital Strategy for Audit and Assurance
8.1 CAG’s Audit Engagements and need for providingAssurance
Audits by o&AG covrr Financial, oooaliancr and Prrforoancr Audits as arll as
coobinatons thrrrof.
Thr nrrd for aroviding rrasonablr assurancr as aart of financial audit is arll
undrrstood and accratrd.
Thr ISSAI standards rrquirr assurancr to br arovidrd for oooaliancr Audit
rngagrornts too, aith tao aossiblr lrvrls of assurancr – I rrasonablr and lioitrd.
Rrasonablr assurancr is a aositvr assrrton by thr auditor saying that, in thr
auditor’s oainion thr subjrct oatrr is is not in cooaliancr in all oatrrial rrsarcts
aith thr statrd critrria; in casr of lioitrd assurancr, thr auditor only assrrts that
nothing has coor to thr auditor’s atrnton to causr hio hrr to brlirvr that thr
subjrct oatrr is not cooaliant aith thr critrria.
Though Prrforoancr auditors arr not noroally rxarctrd to arovidr an ovrrall
oainion (cooaarablr to thr oainion on financial statrornts) on thr auditrd rntty’s
achirvrornt of rconooy, rfficirncy, and rfrctvrnrss, thrrr is stll an rxarctaton
that thr audit rraort aould br rvidrncr-basrd and thr usrrs of arrforoancr audit
rraorts can br confidrnt about thr rrliability of thr inforoaton. Thus, assurancr on
rrliability is stll a rrquirrornt for Prrforoancr Audit.
8.2 Enhancing Assurance by Going Digital
By transforoing oursrlvrs to a trchnology-lrd organisaton – I Going Digital – I ar should aio
at oaking rach of our Audit aroducts to rxalicitly arovidr soor lrvrl of assurancr, at a
oiniouo lioitrd assurancr. Soor of thr ioaortant initatvrs ahich could br undrrtakrn
for rralising this goal arr givrn brloa.
8.2.1 Implementing OIOS- One IAAD One System
Drvrloaornt and Ioalrorntaton of an audit arocrss oanagrornt systro for firld audit is
onr of thr kry arojrcts for digital transforoaton of thr Draartornt. Thr high-lrvrl vision
for OIOS and thr ioalrorntaton alan is sarlt out in aaragraah 5 – I Onr IAAD Onr Systro.
According to thr aggrrssivr and challrnging High Lrvrl Tiorlinrs for OIOS, drvrloaornt
and roll-out of Phasr-I to thr Pilot Officrs is targrtrd for Q2 2020, aith final drvrloaornt
of all ahasrs and roll-out across all officrs trntatvrly targrtrd for rnd-2022.
P a g r 15
Page 18
8.2.2e-Ofce Implementation - Migrating the organization topaper-less ofces
Going digital aould also oran robrdding IT in rvrry asarct of our aork. Thr r-Officr
aaalicaton of NIo aould br ioalrorntrd in all officrs in a ahasrd oannrr ovrr tao yrars,
aith roll-out to thr Nodal Pilot Officrs covrrrd undrr OIOS aithin six oonths, to covrr
routnr adoinistratvr tasks, thus lrading to rfficirnt aaarr-lrss officrs across thr
Draartornt.
8.2.3Data Analytics and Data Warehousing/ Repository Platformof IAAD
8.2.3.1 Establishment of Centre for Data Managementand Analytics (CDMA)
oonsidrrablr arraaratory aork has brrn donr by thr Draartornt sincr 2016 in thr firld of
data analytcs. A Big Data Managrornt Policy aas issurd in 2016, and Guidrlinrs for Data
Analytcs issurd in 2017. Thr orntrr for Data Managrornt and Analytcs (oDMA) aas srt
ua aith an advisory and suaaortng rolr, including facilitaton and trchnical suaaort to firld
officrs and vrtng and aaaroval of data analytcs oodrls of firld officrs; data analytcs
grouas arrr srt ua in firld officrs undrr a Groua Officrr. oaaacity building in data analytcs
(largrly rxaosurr lrvrl) for nrarly 300 officrrs had brrn undrrtakrn. Infrastructurr for data
analytcs in firld officrs had brrn srt ua, as also a oini data crntrr on NIo’s Mrghraj oloud;
a guidr for data rrstoraton had also brrn issurd. Srvrral data analytcs oodrls havr brrn
drvrloard, and a cooarndiuo of casr studirs on data analytc arojrcts issurd; tools for
data analytcs (Idra, Knior, Tablrau rtc.) had also brrn idrntfird.
8.2.3.2 Vision and Role for Data Analytics
Thr futurr vision and rolr for data analytcs aould includr thr folloaing:
orntralizrd data sourcrs aould br acquirrd crntrally for usr by firld audit officrs and
traos throughout thr country; local data sourcrs aould br acquirrd locally. An SOP
aould br ioalrorntrd for rnsuring uadaton and currrncy of crntralisrd data. Data
rrstoraton hrladrsk suaaort as nrrdrd aould br arovidrd to firld officrs for
rrstoraton of local data sourcrs. Thr ordiuo-trro objrctvr aould br to rnsurr all
data rrstoraton and accrss on a crntralizrd alaaoro, accrssiblr srcurrly.
ouratrd datasrts (ahich could br suooary datasrts dashboards, datasrts crratrd
through rxcraton-orirntrd qurrirs as arll as analytcs) could br arovidrd for firld
officrs and audit tras for usr during alanning, drsign and rxrcuton of audit
assignornts;
Rr-usablr rrfinablr data analytcs oodrls for crntralizrd standardizrd data sourcrs
(or coobinatons thrrrof) aould br arraarrd and hostrd, and a alaaoro for caaablr
firld audit arrsonnrl to drvrloa thrir oan oodrls aould also br oadr availablr.
All this is to br donr aithin an ovrrall architrcturr, ahich takrs carr of rolr-basrd accrss,
srcurity, docuorntaton and Quality Assurancr Quality oontrol.
P a g r 16
Page 19
Data Visualisaton and Advancrd Analytcs tools aould br oadr availablr as an onlinr
srrvicr for usr on this onlinr data rraository. Good aractcrs on valur insight rxtracton
froo data aould br sharrd across thr Draartornt.
Tiorfraor: Drvrloaornt of a full-scalr alaaoro (for AI and data analytcs as arll as data
aarrhousing rraository) is a longrr-trro arojrct aith a torfraor of srvrral yrars and aill
rrquirr a full-scalr RFP. Hoarvrr, as aroof of concrats (Poo), Budgrt and Exarnditurr
Rrcriats & Public Accounts data froo IFMS VLo for a fra Statrs (2-3) aould br brought
into thr orntral rraository by Junr 2020 and oadr usablr through a suitablr analytcs
soluton; thr aaaroach aould br rralicablr and SOP-basrd, to rnsurr that this is rralicablr
across thr Draartornt and rraratablr aith tor.
8.2.3.3 Building the 360-degree Risk Assessment andVerification Platform
A dynaoic (i.r. not just basrd on statc aaraortrrs but using a flrxiblr and dynaoic oodrl
utlizing insights drrivrd froo thr availablr data) assrssornt of ahrrr thr grratrst risks to
valur for oonry, aublic srrvicrs drlivrry, cooaliancr and accountability lir aould rnablr
thr Draartornt to targrt thr audit rforts ouch oorr arrcisrly and arovidr thr rrquirrd
assurancr. A usrful cooaarison is thr aaaroach usrd by thr Incoor Tax Draartornt to
drtrroinr ahich tax rrturns should go through scrutny assrssornt, and ahich tax rrturns
should go through suooary assrssornt.
Using thr draartorntal data rraository and analytcs alaaoro along aith OIOS, it aould br
aossiblr to crratr a ‘360 Drgrrr Risk Assrssornt and Monitoring Plaaoro’– I an AI-cuo-
data analytcs basrd Systro ahich aould look ovrr thr audit landscaar, analysr
rxarnditurr (Statrs and orntrr) and audit thrrron, ordia rraorts and oultalr sourcrs of
auditrr data and grnrratr rral-tor and dynaoic risk scorr ranks3 for audit rnttrs and
transacton classrs. This could br usrd for an AI Data Analytcs -basrd idrntficaton of rrd-
flaggrd (anooalous) transactons ahich thrn go through a aorkfloa “aiarlinr” for firld
audit or othrr drtailrd vrrificaton; this could br intrrfacrd intrgratrd aith OIOS and its
aorkfloa. Thr AI oodrl should br dynaoic to accoooodatr frrdback through falsr
aositvrs idrntfird through thr drtailrd vrrificaton and aiarlinr, and also falsr nrgatvrs.
Thr Draartornt aould also br crratng rnabling structurrs for oorr intrractvr digital
aroducts, by building on thr ailotrd oustoos Intrractvr Digital Audit Rraort.
8.2.4Digital Capacity Building
Systroatc training, coualrd aith a Knoalrdgr Managrornt Systro (KMS) ahich aill foro
aart of OIOS and a Lrarning Managrornt Systro (LMS), aould br usrd to transforo IAAD
staf to brcoor Digital Natvrs – I coofortablr aith thr usr of trchnology in various asarcts
of audit. Work focusrd social ordia and instant orssaging aaalicatons aould br usrd to
3 Thr Audit Planning rxrrcisr should sraaratr thr risk assrssornt and annual audit alanning andarograooing, aith thr objrctvr that thr risk assrssornt oodrls should not grt rrbuilt froo scratch rvrryyrar
P a g r 17
Page 20
bring about grratrr collaboraton aoong traos and knoalrdgr sharing and rstablishing
non-hirrarchical “oooounitrs of Practcr” (ooPs).
Furthrr, data analytcs caaability is critcal to thr digital transforoaton of IAAD, and hrncr,
in-housr rxarrtsr aould nrcrssarily nrrd to br nurturrd – I but in a rrlatvrly short tor.
An Analytcs oaaability Fraoraork aould br drvrloard covrring Statstcs, Visual Analytcs,
Advancrd Analytcs and AI, basrd on a drfinrd curriculuo and droonstrablr skillsrts.
Tiorfraor for Inital Projrcts: Thr curriculuo for tao lrvrls (Statstcs and Visual Analytcs)
aould br drsignrd in consultaton aith lrading insttutrs industry rxarrts aithin a arriod
of six oonths, training arograos drvisrd and launchrd by Drcrobrr 2020.
8.3 Auditing Digital
Thr orntral and Statr Govrrnornts arr ioalrorntng cooalrx arojrcts ahich havr
significant digital trchnological cooaonrnts, aith thr aio of drlivrring aublic srrvicrs oorr
rfficirntly (GST, various DBT schrors, othrr r-govrrnancr alaaoros for srrvicr drlivrry
and data transaarrncy). Thrsr arojrcts aould call for us to audit digital systros and
arovidr assurancr, ahich aould involvr trstng ahrthrr trchnology is bring usrd srcurrly
and rfrctvrly across govrrnornt, aartcularly in thosr Draartornts ahrrr thrrr is a high
voluor of transactons. Thrsr assignornts aould throa ua challrngrs bryond thr noroal
IT challrngrs dur to changing naturr of thr IS trchnology. Nrarr trchnologirs likr
Blockchain oay oakr thr job rasirr by building in assurancr, ahilr thr usr of AI and ML
aould oakr it hardrr for thr auditor to aork around thr digital aorld – I ofrn, thrrr aould
not br any othrr trail.
Wr aould nrrd a flrxiblr risk assrssornt aaaroach to auditng digital aublic srrvicrs (r.g.
Hoa do ar oovr froo a arrdooinantly “onsitr” audit of “auditrr units” to an “ofsitr
survrillancr, suaalrorntrd by onsitr audit, ahrrr nrcrssary, aaaroach”? Hoa do ar,
contnuously, drrivr and arovidr assurancr as to thr adrquacy and rfrctvrnrss of
controls for a digital aublic srrvicrs systro? Hoa do ar audit (or not audit) algorithos
ioalrorntrd and uadatrd by Tax Draartornts for srlrcton of transactons assrssornts
for drtailrd ahysical scrutny?). With fast-ooving digitsaton, it is ioaortant for us to br a
arofrssional and innovatvr organisaton that rfrctvrly usrs its oanagrornt and auditrr
inforoaton. Wr nrrd to intrgratr digital risks into our audits and rraort aaaroariatrly to
our audit stakrholdrrs.
P a g r 18
Page 21
Annrxurr-1: Othrr Disruatvr Trchnologirs
A1. Artfcial Intelligence
Artficial intrlligrncr (AI) stands out as a transforoatonal Grnrral-Puraosr Trchnology of
this digital agr. Govrrnornt of India has coooissionrd tao rraorts in thr last tao yrars
focusrd on usr of AI. Thrsr arr: (i) Rraort of thr ‘Thr Artficial Intrlligrncr Task Forcr’ – I
March 2018 and (ii) Natonal Stratrgy for Artficial Intrlligrncr (Discussion Paarr), NITI Ayog
– I Junr 2018. Both thr rraorts havr idrntfird srctors ahrrr AI aould br of rrlrvancr, and
ahrrr GoI should takr actvr stras for usr of AI. Thr NITI rraort idrntfirs fivr srctors
ahich arr likrly to brnrfit thr oost froo AI in solving socirtal nrrds: Hralthcarr,
Agriculturr, Educaton, Soart citrs and Infrastructurr, and Soart Mobility and
Transaortaton.
Thr trro AI itsrlf is not nra, having brrn coinrd by John Mcoarthy in 1956, aho drfinrd it
as “thr scirncr and rnginrrring of oaking intrlligrnt oachinrs”. Hoarvrr, rrcrnt
drvrloaornts lrading to incrrasrd cooautatonal aoarr and loarr costs of storagr, in
turn has arroitrd thr incrrasing voluor of data bring grnrratrd to br storrd and
analysrd, has lrd to significant brrakthroughs in thr last drcadr. Thr rrsultant trchnologirs
havr brrn cooorrcialisrd to grrat succrss, aith aaalicatons across social dooains. Most
of thr cooorrcial brrakthroughs arr atributrd to a singlr class of algorithos – I that of
drra lrarning, to thr rxtrnt that McKinsry Global Insttutr (2018) in thrir rrcrnt rraort
cataloguing thrir study of AI draloyornt across srctors has rvrn rquatrd thr drfiniton of
AI aith drra lrarning, statng that for thr auraosr of thrir rraort, AI aas bring
charactrrisrd as drra lrarning trchniqurs using artficial nrural nrtaorks. Thr rraort has
assrssrd that drra lrarning trchniqurs basrd on artficial nrural nrtaorks aould alonr br
rrsaonsiblr for as ouch as 40 arrcrnt of thr total aotrntal valur that all analytcs
trchniqurs could arovidr.
Thr drfiniton of AI is broad, and includrs oachinr lrarning, of ahich drra lrarning is but
onr of thr trchniqurs ahich has brrn ort aith grrat succrss in oultalr firlds in thr last
fra yrars. A drcadr ago, all thrsr trchniqurs arrr includrd undrr thr broad uobrrlla
trro of Analytcs. Virard froo this arrsarctvr that AI is thr largrr trro rncooaassing
various tools and trchniqurs of Analytcs and Machinr Lrarning, oany organisatons havr
brrn using AI aithout calling
it by that naor. Thr onr thing
that trs togrthrr all foros of
Analytcs is thr usr of Data for
inforoatonal and
oanagrornt nrrds lrading
to ioarovrd drcisions. Thr
rrlatonshia of thr coooonly
usrd trros – I Machinr
Lrarning (ML), Drra Lrarning
P a g r 19
Page 22
(DL) Artficial Nrural Nrtaorks (ANN), and Artficial Intrlligrncr is illustratrd in thr figurr 1
abovr.
Onr ioaortant fraturr of AI algorithos basrd on Drra Lrarning is that thrsr arr Black-Box
Algorithos. Evrn thr trchnical rxarrts drsigning and draloying thr AI soluton aould not
br ablr to rxalain hoa a aartcular drcision is takrn, all onr grts is thr outaut.
What AI fundaorntally dors is to loarr thr cost of arrdicton. Wr arr likrly to srr
aidrsarrad adoaton of AI in thr aublic srctor for oaking drcisions basrd on accratrd
aublic aolicy. It oay br soor tor brforr Policy foroulaton itsrlf aould br donr using AI.
Thr Black-Box naturr of thr lrading algorithos aoarring AI aosrs challrngr to its adoaton
in thr Public Srctor. Public srctor agrncirs arr to br hrld to a highrr standard ahrn it
coors to trchnical systros, and arr rxarctrd to adhrrr to noros of transaarrncy and
accountability. Thrrr arr concrrns rrgarding built-in biasrs and thr discrioinatory ioaact
causrd by thrsr algorithos ahich go unchrckrd on account of thrir black-box naturr.
Thr Whitr Housr rraort of May 2016 on ‘Big Data: A Rraort on Algorithoic Systros,
Oaaortunity, and oivil Rights’ had obsrrvrd that thr unfairnrss in AI drivrn autooatrd
drcision oaking arisrs arioarily on account of tao difrrrnt tyars of challrngrs
a. ohallrngrs rrlatng to data usrd as inauts to an algoritho – I a bias in thr historical
data taints thr futurr drcisions arrdictons and
b. ohallrngrs rrlatrd to thr innrr aorkings of thr algoritho itsrlf – I thr black-box
naturr of thr algorithos
AI Ethics is thus rorrging as an ioaortant arra of rrsrarch. Thr acronyo FAT – I Fairnrss,
Accountability and Transaarrncy – I is noa closrly associatrd aith discussions around
Machinr Lrarning.
A2. Blockchain & Distributed Ledger Technology
Blockchain trchnology is a foro of distributrd lrdgrr trchnology that acts as an oarn and
trustrd rrcord of transactons froo onr aarty to anothrr that is not storrd by a crntral
authority. Instrad, a coay is storrd by rach usrr running Blockchain sofaarr and
connrctrd to a Blockchain. Thr nrtaork usrs cryatograahic trchniqurs such that nobody
can taoarr aith thr lrdgrr, and a oajority of nodrs oust rrvira and validatr a transacton
brforr it can br vrrifird and rrcordrd. This aay, trust is grnrratrd aithout thr nrrd for
any crntral authority.
Thr oost aoaular ioalrorntaton of Blockchain trchnology is thr cryatocurrrncy Bitcoin.
Thr 2019 Gartnrr, Inc. Hyar oyclr for Blockchain Businrss shoas that thr businrss ioaact
of blockchain aill br transforoatonal across oost industrirs (arrsuoably in thr US
coraoratr srctor contrxt) aithin fivr to 10 yrars.
Blockchain trchnology’s undrrlying aio is to functon indrarndrntly of crntralisrd
authoritrs. This is its USP – I it is a “trust oachinr”. Thr Econooist had aut this vrry
succinctly in a 2015 artclr “blockchain lrts aroalr aho havr no aartcular confidrncr in
P a g r 20
Page 23
rach othrr collaboratr aithout having to go through a nrutral crntral authority. Sioaly aut,
it is a oachinr for crratng trust”.
To quotr froo an AIoPA aaarr on “Blockchain Trchnology and its Potrntal Ioaact on thr
Audit and Assurancr Profrssion”, “Soor aublicatons havr hintrd that blockchain
trchnology oight rlioinatr thr nrrd for a financial statrornt audit by a oPA auditor
altogrthrr. If all transactons arr caaturrd in an iooutablr blockchain, thrn ahat is lrf for
a oPA auditor to audit?” Whilr thr aaarr gors to idrntfy hoa thr auditor can stll add
valur, this arrsuaaosrs that rnttrs aould oaintain thrir accounts on a Blockchain. This
has yrt to haaarn, and also unlikrly to haaarn, unlrss oandatrd accratrd by thr
rrgulator.
In casr of Bitcoin, thr trust aas crratrd through “aroof of aork” ahich caor at thr high
cost of rxtrror rnrrgy (rlrctricity) consuoaton. Thr storagr costs in a blockchain arr vrry
high, brcausr rvrry nodr in thr nrtaork nrrds to storr thr full lrdgrr. Thr usr of
cryatograahy and consrnsus building in a drcrntralisrd arrr-to-arrr srtua lrads to an
rxtrrorly sloa transacton arocrssing ratr ahrn cooaarrd to a crntralisrd databasr
architrcturr, thus lioitng thrir scalability. Thr Bitcoin nrtaork can arocrss lrss than srvrn
transactons arr srcond, as cooaarrd to thousand-fold highrr transacton arocrssing
caaability of Visa and Mastrrcard nrtaorks.
Finally, thrrr is thr issur of thr rolr of Govrrnornt as a trustrd rntty, and thr lioitrd usr-
casrs ahrrr govrrnornt should aould actvrly try to crratr trust by suaalantng itsrlf as a
krrarr of crntralisrd rfficirnt and srcurr databasrs and rrcords aith a drcrntralisrd
nrtaork, aith no crntral authority.
Thr OEoD aaarr ttlrd ‘Blockchains Unchainrd: Blockchain Trchnology and its Usr in thr
Public Srctor’ (Junr 2019) concludrs “At this rorrgrnt stagr, it is not aossiblr to oakr any
drcisivr claios about thr futurr of Blockchain trchnology or any clrar-cut
rrcooorndatons about ahrrr it should br usrd and arrcisrly hoa. Thr only clrar
rrcooorndaton that can br oadr is that govrrnornts should invrst in building its
knoalrdgr of this trchnology and rxalorr, and rvrn rxarriornt aith, its aossiblr
aaalicatons.”
As arr NASSoOM’s 2019 Blockchain rraort, about 50 arr crnt of thr Statrs in India arr
involvrd in Blockchain-rrlatrd initatvrs, aith thr toa 3 usr-casrs bring Land Rrgistry,
Faro Insurancr, and Digital orrtficatrs. SAI-India should actvrly track this trchnological
drvrloaornt, and takr ua, at an aaaroariatr tor, thr audit of thr Blockchain arojrcts
draloyrd by thr aublic srctor in India.
A3. Natural Languagr Procrssing, ohat Bots
It should coor as no surarisr that rrcrnt succrssrs in Natural Languagr Procrssing (NLP)
ahich has alloard aaalicatons likr Siri, Alrxa and Googlr Assistant to intrract aith us is
also onr of thr ioalrorntatons of AI. Natural languagr arocrssing (NLP) is a rangr of
cooautatonal trchniqurs for thr autooatc analysis and rrarrsrntaton of huoan
languagr. NLP rnablrs cooautrrs to arrforo a aidr rangr of natural languagr rrlatrd
tasks at all lrvrls, ranging froo aarsing and aart-of-sarrch (POS) tagging, to oachinr
P a g r 21
Page 24
translaton and dialogur systros. NLP aoarrs chatbots – I onr can havr a convrrsaton in
natural languagr (in a chat aindoa) aith “custoorr-suaaort” at any tor of thr day; just
that thrrr is no huoan custoorr rrarrsrntatvr on thr othrr sidr, it is an AI aoarrrd
algoritho ahich rrsaonds to thr qurrirs. NLP takrs businrss analytcs to a nra lrvrl. Whilr
data visualisaton oadr data accrssiblr rvrn to aroalr aith lioitrd trchnical skills, aith
NLP, onr can sioaly ask a businrss qurry in natural languagr, and NLP aould frtch thr
rrsaonsr froo thr data, and arrsrnt it through a suitablr visualisaton. This fraturr is
alrrady availablr in Poarr BI and Tablrau.
Onr aaalicaton of NLP is to autooatr rraort aritng by grnrratng oraningful drscriatvrtrxt froo thr data.
A4. Idrntty Managrornt
Thr 2018 rraort for Global Trrnds in Govrrnornt Innovaton (arraarrd by OEoD) listrd
innovatons around Idrntty as onr of thr thrrr kry trrnds, aith India highlightrd as onr of
thr succrssrs through rollout of Aadhaar. Idrntty is a fundaorntal rrquirrornt for
individuals and businrssrs to accrss govrrnornt srrvicrs and aartciaatr in socirty and thr
rconooy. It hrlas govrrnornts unlock thr aotrntal of innovatvr srrvicrs. Worldaidr,
Govrrnornts arr concriving of nra aays of aroviding idrnttrs to individuals though
bioortrics and rorrging trchnologirs such as blockchain.
Elrctronic authrntcaton is rssrntal for rstablishing accountability onlinr. It arovidrs a
lrvrl of assurancr that sooronr or soorthing is aho or ahat it claios to br in a digital
rnvironornt. It alays a kry rolr in rstablishing trust for digital cooorrcr, digital
govrrnornt and oany othrr social intrractons. It also consttutrs an rssrntal cooaonrnt
of any stratrgy to arotrct inforoaton systros and nrtaorks, financial data, arrsonal
inforoaton and othrr assrts froo unauthorisrd accrss or idrntty thrf.
A groaing nuobrr of countrirs alrrady havr fully functoning and succrssful natonal digital
idrntty arograoors in alacr. For rxaoalr, Estonia alloas its citzrns and rrsidrnts to
conduct virtually all govrrnornt and rvrn arivatr srctor transactons onlinr using thrir ID
card and a PIN. Such transactons includr votng, banking, filing taxrs, and accrssing hralth
rrcords and arrscriatons
Bioortrics involvrs thr usr of autooatrd tools to idrntfy an individual through ahysical
charactrristcs, such as fingrrarints, iris scans or facr rrcogniton. Bioortric r-IDs arroit
Idrntty confiroaton aith a high lrvrl of accuracy, thrrrby oinioising idrntty thrf and
rralacing thr nrrd for “facr-to-facr” validaton. In govrrnornt, thry can draoatcally
rrducr brnrficiary fraud, oakr digital intrractons sraolrss, rnablr rlrctronic signaturrs,
and alloa for sioalrr intrractons for both govrrnornt and businrssrs, thrrrby oaking it
rasirr to crratr innovatvr arograoors and srrvicrs. Thry arr raaidly brcooing a standard
for accrssing srrvicrs brcausr of thrir rfficirncy, rfrctvrnrss and srcurity of accrss.
Hoarvrr, bioortric IDs havr also saarkrd firrcr controvrrsy. Oaaonrnts of bioortric
idrnttrs argur that thry could br usrd to oonitor and track individuals, lrading to lack of
arivacy, and takr aaay citzrns’ ability to control data about throsrlvrs.
P a g r 22
Page 25
As oorr srrvicrs brcoor intrgratrd through a bioortric idrntty, it brcoors aossiblr to
aircr togrthrr data to crratr a drtailrd arofilr of an individual. Ovrr tor, such arofilrs
could br usrd to arrdict futurr brhaviours in aays ioaossiblr aith traditonal orthods of
idrntty.
In India, thr bioortric rnablrd id through Aadhaar has alrrady brcoor thr foundaton for
various Dirrct Brnrfit Transfrr (DBT) schrors. In FY 2019-20 alonr, nrar onr lakh crorr has
brrn disbursrd through DBT by 56 oinistrirs in 438 schrors. Thr drsign of arlfarr
schrors is undrrgoing a changr on account of DBT, and ar aould nrrd to rvolvr
innovatvr trchniqurs for Auditng schrors rrlying on DBT.
A5. IOT
Thr Intrrnrt of Things (IoT) is a “systro of intrrrrlatrd cooautng drvicrs, orchanical and
digital oachinrs, objrcts, anioals or aroalr that arr arovidrd aith uniqur idrntfirrs (UIDs)
and thr ability to transfrr data ovrr a nrtaork aithout rrquiring huoan-to-huoan or
huoan-to-cooautrr intrracton” (Wikiardia).
What IoT dors is to alloa far oorr data to br gathrrrd and storrd for subsrqurnt
rxaloitaton through analytcs. As oorr and drvicrs grt connrctrd and brcoor a aart of
IoT, thry arr also controllablr through thr nrtaork, and Analytcs can lrad to thr nrxt
stagr of autooatng arrscriatvr analytcs.
A6. RPA & oognitvr Autooaton
Robotc Procrss Autooaton is a rrcrnt innovaton to carry out rrarttvr tasks in an
rfficirnt and cost-rfrctvr oannrr. Gartnrr drfinrs Robotc arocrss autooaton (RPA) as a
aroductvity tool that alloas a usrr to configurr onr or oorr scriats (ahich soor vrndors
rrfrr to as “bots”) to actvatr sarcific krystrokrs in an autooatrd fashion. Thr rrsult is that
thr bots can br usrd to oioic or roulatr srlrctrd tasks (transacton stras) aithin an
ovrrall businrss or IT arocrss. Thrsr oay includr oaniaulatng data, aassing data to and
froo difrrrnt aaalicatons, triggrring rrsaonsrs, or rxrcutng transactons.
Thr audit of RPA throas ua oany challrngrs, viz. thrrr arr changrs in arocrss risk
drfinitons aost autooaton, changrs to job rolrs and accrss srcurity, aaalicaton changr
oanagrornt considrratons, stratrgy and govrrnancr of RPA rnvironornt.
Many audit arocrssrs oay itsrlf incoraoratr RPA trchniqurs to furthrr oakr audit oorr
controaoranrous and arrvasivr.
Cognitve automaton (CA) lirs on thr far rnd of thr sarctruo, ahich autooatrs actvitrs
that rrquirr highrr-lrvrl skill, judgornt, and critcal thinking. Thry usr advancrd
trchnologirs such as natural languagr arocrssing, artficial intrlligrncr, oachinr lrarning,
and data analytcs to oioic huoan actvitrs such as infrrring, rrading rootonal curs,
rrasoning, hyaothrsizing, and cooounicatng aith huoans.
Thr rrsaonsr to thrsr trchnologirs by thr auditor aould br to rvolvr a govrrnancr
fraoraork for its ioalrorntaton at thr outsrt. Oncr thr ioalrorntaton is donr, thr
auditor oay rxaoinr both thr businrss casr and thr ioalrorntaton, using a srt of divrrsr
P a g r 23
Page 26
tools ahich includr hyaothrsrs trstng, big data analytcs and algorithoic rrvira ahrrr
frasiblr.
P a g r 24
