IT-ITeS sector – Evolving through fraud risks and governance challenges

The Indian information technology and technology enabled services (IT-ITeS) industry continues to benefit significantly from an uptick in private equity investments. According to a report by Venture Intelligence, private equity investments in the sector rose in 2017, accounting for 46% of the investment value and growing by 140% to $11.4 billion. Today, the IT-ITeS sector forms a formidable chunk of India’s burgeoning start-up ecosystem, which ranks as the third largest globally as per NASSCOM, and is poised for growth, led by the incubation of innovative ideas and technologies.

Rising threats in a dynamic world

The global IT-ITeS industry has tackled a multitude of challenges over time, weathering the storm but trudging on. In 2017, uncertainties around changes in the US administration, including immigration regulations, impacted companies in India and other emerging markets. Certain companies came in the line of fire from a regulatory perspective, including parent organizations being held responsible for the lack of appropriate technical and organizational measures to keep personal data secure at their outsourced agencies. According to news reports, a UK-based global firm was fined almost INR 10 million by the Information Commissioner’s Office after confidential data of a few thousand customers was misused by employees of an outsourced call centre engaged by the organization.

Many IT organizations also witnessed a decline in employee headcount in the first half of the year, primarily due to lay-offs and employees moving to work with newer technology and domains. Issues around corporate governance impacted investor confidence as well as share prices. Other key threats that affected the sector included embezzlement, payroll and recruitment frauds, bribery and corruption.

Technology – a facilitator or a barrier?

Access to sizeable amounts of confidential customer data has made the IT-ITeS sector increasingly vulnerable to cybercrime and data breaches. Last year, many firms succumbed to the notorious WannaCry and NotPetya ransomware attacks, with systems getting locked down and a ransom demanded to retrieve data. More recently, news reports highlighted a data breach at an IT company, exposing several million customer credit card records, user accounts and user login details, in addition to the source code of the company’s own software products.

Collectively, these challenges highlight a pressing need to strengthen cybersecurity measures and to adopt robust internal controls, with regular monitoring and updating, and incident response frameworks. The ransomware attacks in 2017 demonstrate a critical need for companies to institutionalize robust information governance programs.




Interestingly, while the sector is still grappling with contemporary risks such as stakeholder information theft, network intrusion, malware and intellectual property infringement, it has taken rapid strides to adopt emerging technologies such as Artificial Intelligence (AI), smart contracts and transactions, robotic process automation, cloud services and blockchain.

Emerging technologies form an important facet in defining the future course of the Indian IT-ITeS sector, as it turns resilient with time. Organizations are moving beyond traditional analytics to adopt AI systems. A prominent example of upgrading internal controls in sync with today’s environment is the use of in-house developed AI systems, designed with open-source tools as a combination of machine deep learning, data mining and human intelligence. For instance, while conventional analytics may spot a pattern of the same account being accessed by five internet protocol addresses within five days and flag it as an anomaly, an organization’s customized AI systems can now analyze the situation diligently and assess whether it is a genuine transaction, for example an employee purchasing gifts for relatives when travelling abroad.

AI is not an off-the-shelf solution – an effective AI system continuously learns, updates and transforms. To give an example, AI could be designed to periodically check for certain parameters such as an employee’s rank-based expense eligibility, duplicate claims and expenses on a public holiday. However, instances of fictitious expense claims may still be found during forensic analysis, with employees ‘bypassing’ the AI system by claiming an expense twice in different months, with different expense amounts. Such manipulations can be addressed by constantly updating existing controls and proactive assessments.
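The checks described above, as an added example that is not code from the article or from any EY tooling: exact-match rules catch the duplicate, the public-holiday claim and the rank breach, while a second pass pairs claims by employee and vendor across months to surface a re-submission with an altered amount. The rank limits, holiday calendar, 20% tolerance, field layout and sample claims are all constructed assumptions.

```python
from datetime import date
from itertools import combinations

# Assumed policy values (hypothetical, not from the article).
RANK_LIMIT = {"analyst": 5000, "manager": 15000}
PUBLIC_HOLIDAYS = {date(2018, 1, 26)}
AMOUNT_TOLERANCE = 0.20   # relative difference still treated as the same expense

# Constructed sample claims: (id, employee, rank, date, vendor, amount)
CLAIMS = [
    (1, "e101", "analyst", date(2018, 1, 10), "City Cabs", 1200),
    (2, "e101", "analyst", date(2018, 1, 10), "City Cabs", 1200),    # exact duplicate
    (3, "e102", "analyst", date(2018, 1, 26), "Hotel Rex", 4000),    # public holiday
    (4, "e103", "analyst", date(2018, 2, 5), "Hotel Rex", 9000),     # over rank limit
    (5, "e104", "manager", date(2018, 2, 14), "Air Travels ", 8200),
    (6, "e104", "manager", date(2018, 3, 20), "air travels", 8650),  # re-claim, new month and amount
    (7, "e104", "manager", date(2018, 3, 22), "Book Depot", 700),
]

def rule_checks(claims):
    """Per-claim rules the article lists: rank limit, holiday, exact duplicate."""
    flags, seen = {}, set()
    for cid, emp, rank, day, vendor, amount in claims:
        hits = []
        if amount > RANK_LIMIT[rank]:
            hits.append("over_rank_limit")
        if day in PUBLIC_HOLIDAYS:
            hits.append("public_holiday")
        key = (emp, day, vendor.strip().lower(), amount)
        if key in seen:
            hits.append("exact_duplicate")
        seen.add(key)
        if hits:
            flags[cid] = hits
    return flags

def near_duplicates(claims):
    """Same employee and vendor, different month, amount within tolerance."""
    pairs = []
    for a, b in combinations(claims, 2):
        same_party = a[1] == b[1] and a[4].strip().lower() == b[4].strip().lower()
        other_month = (a[3].year, a[3].month) != (b[3].year, b[3].month)
        close_amount = abs(a[5] - b[5]) <= AMOUNT_TOLERANCE * max(a[5], b[5])
        if same_party and other_month and close_amount:
            pairs.append((a[0], b[0]))
    return pairs

if __name__ == "__main__":
    print(rule_checks(CLAIMS), near_duplicates(CLAIMS))
```

Pairs returned by the second pass are candidates for reviewer follow-up rather than confirmed fraud, since a genuine recurring expense with the same vendor will also match.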

Social media platforms, mobile, cryptocurrency and digital payments are also emerging as areas of concern. While historically, most organizations have predominantly focused on protecting their information systems and assets against external intruders, they are increasingly cognizant of safeguarding sensitive data against insider threats as well.

Gearing up for 2018

India is one of the most favoured offshoring destinations for IT organizations across the globe. The sector has the potential to grow multi-fold with its penchant for adapting to newer solutions and technologies. In 2018, one of the key developments impacting the Indian IT-ITeS sector will be the EU’s upcoming General Data Protection Regulation (GDPR). It is expected to come into effect from May 2018 and aims to protect the personal and private information of EU citizens. Considering the quantum of penalties which may be imposed in case of non-compliance, it is prudent that organizations put in time, effort and financial support to build strong compliance frameworks. An effective incident response plan, one that is quick to act and prepared with the right tools and mitigation steps, can assist in minimizing the cost and impact of an incident.

It is essential for IT organizations to train their employees and stakeholders to keep up with emerging technologies and regulations as they deal with sensitive company and client data. With governance challenges increasing, and enforcement expected to intensify as the government and regulators actively track and penalize organizations for negligence toward stakeholders’ interests, the IT sector also needs to bring greater transparency through measures such as enhanced engagement of independent directors and robust whistle-blowing mechanisms. Given the cost and effort that come with post-incident action in cases of fraud or cybercrime, organizations need to consider periodic proactive risk assessments to tackle conventional and new-fangled fraud risks, keep their systems and controls up to date and detect early warning signs.

Follow @EY_India and track #EYForensic for regular updates
