CA INTER EIS Amendments May 20 & Onward Exams
Amendments
For May 20 & Onwards Exams
Management Processes
These processes measure, monitor and control activities related to business procedures and systems. Unlike
other processes, they do not provide value directly to customers but have a direct impact on the
efficiency of the organization. Examples are the internal control process, the strategic planning and decision-making
process, the budgeting process, governance, the capacity management process etc.
• Effectiveness,
• Efficiency and
• Economy
Meaning of Risk
As per the International Organization for Standardization (ISO), risk is uncertainty in achieving the objectives. In
other words, risk is the potential harm caused if a threat exploits a particular vulnerability to damage the
assets of the entity. Risk is an event that may result in a significant deviation from the planned objective, leading
to negative consequences.
Characteristics of Risk
(i) Potential loss that exists due to a threat & vulnerability,
(ii) Uncertainty of loss, expressed in terms of the probability of such loss, &
(iii) Probability that a threat will lead to an attack against a particular system.
Types of Risk
The major types of risks are:
All businesses operate in an environment full of risk. Some of the major business risks are:
(a) Strategic Risk – Risks that would prevent an organization from achieving its goals & objectives are called
strategic risks. For example political risk, economic risk, poor strategy, poor market reputation, poor
management, changing tastes & preferences of the buyers etc.
(b) Financial Risk – Risks that would result in a negative financial impact on the organization are called financial
risks. For example loss of assets, interest rate risk, forex risk, credit risk etc.
(c) Regulatory (Compliance) Risk – Risks that expose an organization to fines & penalties from the
regulators due to non-compliance with laws & regulations are called regulatory risks. For example violation of
employee related laws, tax related laws, customer related laws etc.
(d) Operational Risk – Risks that disturb the normal operation of the organization and prevent it from
operating in the most effective & efficient manner are called operational risks. For example lack of
customer satisfaction, poor operational policies, failure of products or services etc.
(e) Hazard Risk – Risks due to natural disasters, impairment of physical assets, terror attacks etc. These risks
are mostly insurable.
(f) Residual Risk – Any risk remaining after taking all countermeasures is called residual risk. The organization
should consider the following:
− Acceptance of residual risk and
− Selection of safeguards
Even after all the safeguards are applied, there will be some residual risk. These risks can be minimized but cannot
be eliminated in totality.
Today, an organization uses different technologies for its different business processes & also automates its business
processes with the help of technology. The organization should consider the following technology risks & challenges:
(i) Multiplicity & Complexity of the System – Different services provided by the entity may be based on
different platforms and may be using different IT architecture. This multiplicity of the system makes it
quite complex to handle. Entity needs skilled workforce to manage it or may also decide to outsource it.
(ii) Different Controls for Different Technologies – As organization uses different technologies and to
mitigate the threats associated, it needs different kinds of controls. Now ensuring all of these controls
are effective is a big challenge for the entity.
(iii) Frequent Changes or Obsolescence of Technology – Technology evolves continuously, and because of
this, existing technologies become obsolete very quickly. The rapid obsolescence of technology is
another big challenge for the entity.
(iv) Proper Alignment with Business & Regulatory Requirements – The entity needs to ensure that the system
implemented by it meets the business requirements as well as all the regulatory requirements.
E.g. banks use a CBS and need to ensure that the CBS used by them meets their business
requirements as well as the regulatory requirements of the RBI & others.
(v) Dependence on Vendors due to outsourcing of IT services – Entity may have outsourced various IT
services to the outside vendors and due to this, they need to be dependent on the vendors which will
lead to vendor related risk.
(vi) Vendor related Concentration Risk – The entity may be using different vendors for different services, or there
may be a single vendor for all the services. In both cases, the entity needs proper controls to manage the risk.
(vii) Segregation of Duties (SOD) – The entity needs a clearly defined organizational structure with clearly
established rules, authorities & responsibilities. This segregation of duties should be clearly mapped in
the system used by the entity. Any error in the segregation of duties will leave the entity vulnerable to
potential harm.
(viii) External Threats Leading to Cyber Fraud – The system used by the entity can be accessed by anyone
from anywhere in the world using the internet. The system which was earlier accessed only internally is
now open and can be accessed by anybody. This increases the possibility of attack by hackers.
Risk Assessment
Risk Assessment involves the following:
− Assessing risk
− Taking steps to reduce risk to an acceptable level &
− Maintaining risk at that level
Risk Management involves identifying, measuring and minimizing events affecting the organization.
(i) Asset
An asset is something having value for the organization, like data, software, hardware, information in physical or
electronic form etc. Assets usually have the following characteristics:
(ii) Vulnerability
It refers to a weakness in the system or its safeguards that exposes the system to threats. A weakness in the
system’s cryptographic system (security system) or other components like design, hardware, software etc. makes
the system vulnerable and could be exploited by a threat. Some of the examples are:
Related Question – A Ltd. has developed ERP software for B Ltd. When will the software be considered
vulnerable?
(iii) Threat
Any entity, circumstance or event having the potential to harm the software system or a component through
− Unauthorized access
− destruction
− modification or
− denial of service
is called threat.
(iv) Exposure
The extent of loss the entity has to face when a risk materializes. It may be both a short-term and a long-term impact.
(v) Likelihood
Likelihood is the probability of a threat gaining access and succeeding in causing the undesirable event.
(vi) Attack
Attack is an attempt to gain unauthorized access to the system and compromise the CIA (Confidentiality, Integrity
& Availability) of the information system by defeating its safeguards.
− Policies
− Procedures,
− Practices &
− Organizational structure
designed to provide reasonable assurance that business objectives are achieved and undesired events are
prevented or detected and corrected. The ultimate objective of any control system is the timely preparation of
reliable financial statements by mitigating all types of risk. Based on the mode of implementation, controls may
be Manual, Automated or Semi-Automated.
The control environment is the set of standards, processes and structures that provides the basis for carrying out
internal controls across the organization. It is the responsibility of senior management to establish an
environment for the proper & effective implementation of internal controls in the organization. The control
environment comprises:
An entity faces a variety of risks from both internal & external sources. Risk assessment is the process of identifying and
assessing the risks to the achievement of the organization’s objectives. Through risk assessment, the entity determines
how to manage the risk. Risk makes it difficult for the entity to achieve its objectives; hence a pre-condition to
risk assessment is the establishment of objectives at all levels of the organization.
Control activities are the actions taken by the management to ensure that risks are mitigated and objectives will
be achieved. Some of the control activities are:
Control activities need to be performed at all levels of the organization. Internal auditors play a very
important role in ensuring the effectiveness & efficiency of controls in the organization.
Having proper information is necessary for the organization to carry out internal control activities. Management
needs relevant and quality information from both internal and external sources to carry out internal controls
properly. Communication is the process of obtaining and sharing the necessary information. Communication can
be both internal and external. Through internal communication, employees are given direction to carry out
internal control tasks. External communication serves two purposes:
Some of the IT controls are (sample IT control list in banks & other organizations):
(i) A system to maintain a record of all log-ins & log-outs.
(ii) System access is available only during stipulated times and days.
(iii) There should be a user time-out system, where if no activity is performed from a logged-in account
for a certain period of time (e.g. 5 minutes), the user is logged out automatically.
(iv) Once the end-of-day processes are over, ledgers can be opened only with a supervisory level password.
(v) If a transaction is to be posted to an inoperative or dormant account, it can be done only with a
supervisory level password.
(vi) All exception situations, like limit excess, re-activating a dormant account etc., can be handled only with a
supervisory level password.
(vii) Users can access only specified data and files, and access rights should be given on a “Need to Know” basis
as per their role in the organization (RBAC).
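Added example (not from the study notes or any real core banking system): a small Python model of sample controls (i) to (vii) above, so the control list can be seen as enforceable checks rather than a list of rules. The access window, the role table, the account states and the supervisory credential are assumed values constructed for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=5)        # control (iii): auto logout after 5 idle minutes
ACCESS_DAYS = {0, 1, 2, 3, 4, 5}           # control (ii): Monday-Saturday (assumed window)
ACCESS_HOURS = range(9, 18)                # control (ii): 09:00-17:59 (assumed window)
ROLE_PERMS = {                             # control (vii): RBAC, need-to-know (assumed roles)
    "teller": {"post_txn", "view_account"},
    "supervisor": {"post_txn", "view_account", "open_ledger"},
}
# Constructed supervisory credential; a real CBS would use a proper credential store.
_SUPERVISOR_PW_HASH = hashlib.sha256(b"demo-supervisor-secret").hexdigest()


def supervisor_password_ok(password):
    """Constant-time comparison of the supplied supervisory level password."""
    if password is None:
        return False
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(digest, _SUPERVISOR_PW_HASH)


@dataclass
class Account:
    number: str
    status: str = "active"   # "active", "dormant" or "inoperative" (control (v))
    limit: int = 0           # sanctioned limit; exceeding it is an exception (control (vi))
    balance: int = 0         # amount drawn against the limit


@dataclass
class CoreBanking:
    eod_done: bool = False                            # control (iv): end-of-day flag
    audit_log: list = field(default_factory=list)     # control (i): every login/logout/post
    sessions: dict = field(default_factory=dict)      # user -> {"role", "last"}

    def login(self, user, role, now):
        if now.weekday() not in ACCESS_DAYS or now.hour not in ACCESS_HOURS:
            self.audit_log.append((now, user, "LOGIN_DENIED_OUTSIDE_WINDOW"))
            return False
        self.sessions[user] = {"role": role, "last": now}
        self.audit_log.append((now, user, "LOGIN"))
        return True

    def logout(self, user, now, reason="LOGOUT"):
        self.sessions.pop(user, None)
        self.audit_log.append((now, user, reason))

    def _session(self, user, now):
        """Return the live session, or None after enforcing the idle timeout."""
        sess = self.sessions.get(user)
        if sess is None:
            return None
        if now - sess["last"] > IDLE_TIMEOUT:
            self.logout(user, now, "AUTO_LOGOUT_IDLE")
            return None
        sess["last"] = now
        return sess

    def post_transaction(self, user, now, acct, amount, supervisor_pw=None):
        sess = self._session(user, now)
        if sess is None or "post_txn" not in ROLE_PERMS.get(sess["role"], set()):
            self.audit_log.append((now, user, "POST_DENIED"))
            return "DENIED"
        # Exception situations (controls iv, v, vi) need the supervisory level password.
        exception = (self.eod_done
                     or acct.status in ("dormant", "inoperative")
                     or acct.balance + amount > acct.limit)
        if exception and not supervisor_password_ok(supervisor_pw):
            self.audit_log.append((now, user, f"SUPERVISOR_REQUIRED:{acct.number}"))
            return "SUPERVISOR_REQUIRED"
        acct.balance += amount
        self.audit_log.append((now, user, f"POSTED:{acct.number}:{amount}"))
        return "POSTED_WITH_OVERRIDE" if exception else "POSTED"


def run_demo():
    """Walk the controls through a constructed scenario; returns the outcomes."""
    bank, t0, res = CoreBanking(), datetime(2024, 1, 8, 10, 0), {}   # Monday 10:00
    res["sunday_login"] = bank.login("teller1", "teller", datetime(2024, 1, 7, 10, 0))
    res["login"] = bank.login("teller1", "teller", t0)
    acct = Account("SB001", limit=1000)
    dormant = Account("SB002", status="dormant", limit=1000)
    m = lambda k: t0 + timedelta(minutes=k)
    res["normal"] = bank.post_transaction("teller1", m(1), acct, 400)
    res["dormant_no_pw"] = bank.post_transaction("teller1", m(2), dormant, 100)
    res["dormant_with_pw"] = bank.post_transaction("teller1", m(3), dormant, 100, "demo-supervisor-secret")
    res["limit_excess"] = bank.post_transaction("teller1", m(4), acct, 700)   # 400 + 700 > 1000
    res["idle"] = bank.post_transaction("teller1", m(10), acct, 10)          # 6 idle minutes
    bank.eod_done = True
    bank.login("teller1", "teller", m(11))
    res["after_eod"] = bank.post_transaction("teller1", m(12), acct, 10)
    res["events"] = [e[2] for e in bank.audit_log]
    return res
```

The audit log returned by run_demo() shows each denied or overridden action alongside the login and automatic idle logout, which is the record an auditor would review for control (i).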
Objectives of IT Controls
The main objective of IT controls is to achieve the objectives of the entity by implementing controls within a
particular IT activity. IT controls perform two roles:
The better the entity can protect itself from the Cyber-Frauds & IT related risk, the more resilient it will become.
Classification of IT controls
IT controls can be classified as follows:
Also known as infrastructure controls, these controls are pervasive in nature and apply to all systems, components,
processes and data of an enterprise. These are macro (overall) controls. Some of the general controls are:
(a) Information Security Policy – There should be a proper information security policy, duly approved by senior
management and covering all areas of operation of the entity.
(b) Separation of Key IT Functions – For the smooth operation of the IT functions, it is important to have
proper segregation of IT functions, and there should not be any SOD conflicts.
(c) Confidentiality, Integrity & Availability of Software & Data Files – The confidentiality, integrity and
availability of the software and data files must be assured & there should not be any compromise in it.
(d) Management of System Acquisition & Implementation – There should be effective controls over the
acquisition & implementation of information systems.
(e) Change Management – IT solutions used by the entity may need to be updated as per changing
technology, business needs or regulatory and compliance requirements. These changes may affect the
regular business functioning. Hence the organization needs an effective change management system to ensure
a smooth transition from the existing system to the new or updated system.
(f) Back-up, Recovery & Business Continuity – The entity should have a proper back-up and recovery system as
well as business continuity plans to recover quickly and continue business operations after a disaster.
Application controls are the controls implemented in the application software to prevent, or detect &
correct, fraud & errors. These controls are built into the application software itself to ensure that
transactions are authorized, complete & accurate. For example, the ERP system of the entity should prevent the sale of goods on
credit to a customer if his existing amount due exceeds the credit limit allotted to him. Some examples of
application controls are:
Having proper application controls plays a very important role in mitigating the risk of fraud & errors.
(i) Consistent availability & reliability of IT Services across the organization, customers and business partners.
(ii) Efficient use of customer support desk.
(iii) Ability to protect from threats & vulnerabilities.
(iv) Ability to recover from the disturbance of IT services as quickly as possible.
(v) Delivery of projects on time & within budget.
(vi) Ability to allocate resources predictably.
(vii) Spreading security awareness among the users and building a security conscious culture.
Body corporate means any company and includes a firm, sole proprietorship or other association of individuals
engaged in commercial or professional activities.
Note: Government & Individual without sole proprietorship is not covered within the meaning of body corporate.
Personal information is an information that relates to a natural person through which the body corporate is
capable of identifying such person.
(i) Passwords
(ii) Financial Information
(iii) Physical / Physiological / Mental health condition
(iv) Sexual orientation (i.e. interested in male, female)
(v) Medical records & history
(vi) Biometric information (Finger Print, Facial Pattern, Voice etc.)
Reasonable Security Practices & Procedures
Security practices and procedures designed to protect such information from unauthorized access, use, damage,
modification, disclosure as may be specified.
The body corporate should, prior to collection, obtain consent in writing through letter, fax or email from the provider
of such information regarding the use of that data.
Analysis – If services are delivered with little or no human interaction, data is collected through sensors in real
time & the data is used for different purposes, it is neither possible nor practical to obtain written consent for every
such use.
Disclosure of sensitive personal data by the body corporate to any third party requires prior permission from the
provider of such information. However, this rule has the following exceptions:
(i) If such disclosures have been agreed to in the contract between the body corporate & provider of such
information or,
(ii) Such disclosure is necessary for the compliance of any legal obligation.
Don’t Go Underprepared in Exams. Buy Our Full
Course Fully Amended CA Inter EIS-SM Classes newly
recorded for May 20 & Onward Exams.
Amendments of Chapter No. 2 of EIS for May 20 & Onwards Exams
Topic 1 - Mechanism of using the Financial & Accounting Software
Usually there are the following mechanisms of using the financial and accounting system:
(i) Installed Application – In this case, the software program is installed on the hard disk of each user's computer
in the organisation.
(ii) Web Application – In this case the software program is not installed on the hard disk of the user’s computer
but on a web server, and the user can access it through a web browser and the corporate intranet or the
Internet, as the case may be. However, nowadays web-based applications are being replaced by cloud-based
applications.
Cloud-Based Applications
Many times, organizations find it difficult to host and maintain the financial and accounting software on their own
IT infrastructure, as operating and maintaining a complex IT system is not an easy task and needs a dedicated
IT support team, which causes a huge cost to be incurred. Hence nowadays organisations rely on cloud
computing vendors to host their application software. The most common forms are:
(i) SaaS – Here both the financial and accounting software and its hosting are provided by the cloud
computing vendor.
(ii) IaaS – Here only the hosting capacity is provided by the cloud computing vendor.
Advantages & Disadvantages of (Difference Between) Installed and Cloud Based Applications
Installation, Maintenance and Updation
− Installed Application: As the software is installed on the hard disk of every user’s computer, installation, maintenance and updation is a very slow & time-consuming process.
− Cloud Based Application: Installation on the user’s computer is not required, and the maintenance and updation of the software are the responsibility of the cloud computing vendor.
Accessibility
− Installed Application: As the software is installed on the user’s computer, the user needs to have the computer in which the software is installed in order to access it.
− Cloud Based Application: The user can access the software from anywhere, at any place, through any computer with the help of a network. The accessibility is 24×7.
Data Storage
− Installed Application: Data is physically stored in the user’s computer & hence the user has full control over the data.
− Cloud Based Application: Data is not stored in the user’s computer but on the server of the vendor. Ownership of data is defined in the Service Level Agreement (SLA), which defines the rights of both user & service provider.
Data Security
− Installed Application: As data is under the user’s control, he can ensure that data can’t be accessed without authorization.
− Cloud Based Application: Data security is a challenge in the cloud-based application as data is not under the user’s control. Data security by the vendor is mentioned in the SLA.
Performance
− Installed Application: The performance of an installed application is higher, as the entire application is stored in the user’s computer & the internet is not needed.
− Cloud Based Application: Performance depends on the speed of the internet. Slow internet will reduce the performance.
Flexibility
− Installed Application: Flexibility is greater as the application is installed on the user’s computer and it can make full use of computer hardware like scanner, camera etc. However, an installed application needs higher CAPEX & OPEX compared to cloud-based applications.
− Cloud Based Application: Cloud-based applications are successful as they give the user flexibility against both capital expenditure (CAPEX) & operating expenses (OPEX), and the user can scale up operations as per needs.
Mobile Application
− Installed Application: Using the application through a mobile application is difficult.
− Cloud Based Application: Through cloud computing, a mobile application is very easy as data is available 24×7. This makes cloud-based applications future oriented.
The ERP system is modular (i.e. made of different modules), and the entity can select the modules it needs and also
mix and match modules purchased from different vendors as per its needs.
For a software to be considered an ERP, it must provide the functionality of at least two or more systems to the
entity; e.g. QuickBooks accounting software provides the functionality of payroll & accounting. However, most
ERP software provides several functions.
Some popular ERP software are SAP R/3, Oracle 9i, Microsoft Dynamics AX etc.
Advantages/Benefits of ERP
Major benefits or advantages of the ERP system are:
(i) Information integration: ERP systems are integrated as they have the ability to automatically update data
between related business functions and components.
(ii) Reduction of lead-time: The elapsed time between placing an order for raw material and receiving it is
known as the Lead-time. The ERP System is integrated and the use of the latest technologies like EFT
(Electronic Fund Transfer), EDI (Electronic Data Interchange) reduce the lead times for the entity.
(iii) On-time Shipment: Since the different functions involved in the timely delivery of the finished goods to
the customers like purchasing, material management, production planning, plant maintenance, sales and
distribution etc. are integrated, ERP system ensures on-time delivery of goods to customers.
(iv) Reduction in Cycle Time: Cycle time is the time between placement of the order and delivery of the
product to the customer. In an ERP System, all the data is updated and available in the centralized
database; thus ERP systems help in reducing the cycle time.
(v) Improved Resource utilization: The different modules in the ERP system ensure that:
• inventory is kept to a minimum level,
• machine down time is minimum,
• goods are produced as per the demand and
• finished goods are delivered to the customer in the most efficient way.
Thus ERP systems help the organization in drastically improving the capacity and resource utilization.
(vi) Better Customer Satisfaction: With the help of web-enabled ERP systems, customers can place order,
track order status and make payment from home. This improves customer satisfaction.
(vii) Improved information accuracy & decision-making capability: The three fundamental characteristics of
information are accuracy, relevancy and timeliness. The information needs to be accurate, relevant for
the decision-maker and available to the decision-maker when he requires it. ERP systems help in
improving information accuracy, provide accurate information and make information available at
the right time, thus helping in better decision-making.
Major implementation and post implementation issues and related controls are discussed below:
(i) People Issues: Employees, management, the implementation team, consultants and vendors are the most crucial
factors that decide the success or failure of an ERP system. The associated risks & related controls are as follows:
(ii) Process Risks: One of the main reasons for the ERP implementation is to improve the business process and
make it more efficient, productive and effective. The associated risks and related controls are as follows:
(iii) Technological Risks: The organizations implementing ERP system should be updated about the latest
technological developments. The associated risks and related controls are as follows:
(iv) Other Implementation Issues: Many times, the ERP implementation suffers because of many hidden and
unexpected factors. The associated risks and related controls are discussed below:
(v) Post Implementation Issues: The smooth running of the ERP system needs a lifelong commitment by
the management and the users. The associated risks and related controls are as follows:
• Cost Element Accounting: This provides an overview of the costs that occur in an organization. The cost
elements are the basis for cost accounting and help management by identifying the cost of different cost
objects like cost centres, internal orders or projects.
• Cost Centre Accounting: This provides information on the costs incurred by different cost centers. Cost
Centres can be created for functional areas like Marketing, Purchasing, Human Resources, Facilities,
Research and Development, Administrative Support, Legal, Shipping etc. Some of the benefits of Cost Centre
Accounting:
o managers can set budget for the cost center thus better planning and cost monitoring;
o better distribution of costs to other cost objects.
• Activity-Based-Accounting: Many times, more than one functional or departmental activities are involved in
the creation of cost center. Through activity-based accounting, costs associated with cross-departmental
business processes are calculated.
• Internal Orders: Internal orders help to track the costs of a specific job, service, or task. This helps management
in making better pricing and other decisions for the specific order or task.
• Product Cost Controlling: This calculates the costs that occur during the manufacture of a product or
provision of a service and helps management to better price the product or service by providing accurate
cost details of the product or service.
• Profit Centre Accounting: This evaluates the profit or loss of individual, independent areas within the
organization.
• Profitability Analysis: This provides details about the company’s profit or contribution margin by individual product,
market or business.
Note: Nothing New has been added in Chapter No. 3rd of EIS.
Amendments of Chapter No. 4 of EIS for May 20 & Onwards Exams
Topic 1 - E-Commerce & Related Concepts
In the last few years, the advancement of technology & its widespread availability has made it possible to do
business electronically. This made it possible to sell or purchase goods or services electronically via
computers & the internet.
Website
Not only in the developed countries but also in the developing countries, e-commerce is growing at a rapid pace.
In India, e-commerce has seen explosive growth, & in the last couple of years India has become one of the fastest growing
e-commerce markets in the world. Many e-commerce companies are working in India, like Amazon, Flipkart,
Snapdeal, AliExpress etc.
• Content generating agents based on matured semantic, reasoning technologies and Artificial Intelligence
• Autonomous
• Proactive
• Self-learning capabilities
• Collaborative
Examples include services interacting with sensors and implants, natural-language services, virtual reality
services etc.
The different modules of CBS like Branch Banking, Mobile Banking, Phone Banking, Internet Banking, Back office,
Data warehouse, credit card system, ATM switch etc. are connected to the central servers.
− Internal authorization
− Initiating Beginning of the day (BOD) operations.
− Managing End of the day (EOD) operations.
− Creating manual documents to capture data required for input into the software.
− Reviewing reports for control & error correction
• attempts to indulge or
• knowingly assists or
• knowingly is a party or
• is actually involved
in any process or activity connected with the proceeds of crime including its concealment, possession, acquisition
or use and projecting or claiming it as untainted property (clean property) shall be guilty of the offence of money-
laundering.
Chapter IV Obligations of Banking Companies, Financial Institutions and Intermediaries
Reporting entity to maintain records (Section 12)
(1) Every reporting entity shall—
(a) maintain a record of all transactions, including information relating to transactions of clause (b), in such
manner as to enable it to reconstruct individual transactions;
(b) furnish to the Director (Enforcement Director) within such time as may be prescribed, information
relating to such transactions the nature and value of which may be prescribed;
(c) Omitted
(d) Omitted
(e) maintain record of documents evidencing identity of its clients and beneficial owners as well as account
files and business correspondence relating to its clients.
(2) Every information maintained, furnished or verified shall be kept confidential.
(3) The records referred to in clause (a) of sub-section (1) shall be maintained for a period of five years from the
date of transaction between a client and the reporting entity.
(4) The records referred to in clause (e) of sub-section (1) shall be maintained for a period of five years after the
business relationship between client and reporting entity has ended or account has been closed, whichever is
later.
(5) The Central Government may, by notification, exempt any reporting entity or class of reporting entities from
any obligation under this Chapter.
(1A) If at any stage of inquiry or any other proceedings, the Director having regard to the nature & complexity of
the case, is of the opinion, he may direct the concerned reporting entity to get its records audited by an
accountant from amongst a panel of accountants, maintained by the Central Government for this purpose.
(1B) The expenses of any audit under sub-section (1A) shall be borne by the Central Government.
(2) If the Director, in the course of any inquiry, finds that a reporting entity or its director or employees have failed
to comply with the obligations under this Chapter, then he may—
(a) issue a warning in writing; or
(b) direct such reporting entity or its director or employees, to comply with specific instructions; or
(c) direct such reporting entity or its director or employees, to send reports at such interval as may be
prescribed on the measures it is taking; or
(d) by an order, impose a monetary penalty on such reporting entity or its director or employees, which shall
not be less than ₹10,000 but may extend to ₹1,00,000 for each failure.
(3) The Director shall forward a copy of the order passed under subsection (2) to every banking company, financial
institution or intermediary or person who is a party to the proceedings.
Explanation - For the purpose of this section, "accountant" shall mean a Chartered Accountant.
CHAPTER X MISCELLANEOUS
Punishment for false information or failure to give information, etc. (Section 63)
(1) Any person willfully and maliciously giving false information and so causing an arrest or a search to be made
under this Act shall on conviction be liable for imprisonment for a term which may extend to two years or with
fine which may extend to ₹50,000 or both.
(a) being legally bound to state the truth of any matter relating to an offence under section 3, refuses to
answer any question put to him; or
(b) refuses to sign any statement made by him which an authority may legally require to sign; or
(c) to whom a summons is issued under section 50, either to attend to give evidence or to produce books of
account or other documents at a certain place and time, omits to attend or to produce the books of account or
documents at the place or time,
he shall pay, by way of penalty, a sum which shall not be less than ₹500 but which may extend to ₹10,000 for
each such default or failure.
(3) No order under this section shall be passed unless the person on whom the penalty is proposed to be imposed
is given an opportunity of being heard.
(4) Notwithstanding anything contained in clause (c) of sub-section (2), a person who intentionally disobeys any
direction issued under section 50 shall also be liable to be proceeded against under section 174 of the Indian
Penal Code.
Section 174 of the Indian Penal Code, 1860 provides following two penalties (Only for reading)
• imprisonment for a term which may extend to one month, or fine which may extend to ₹500, or both.
• imprisonment for a term which may extend to six months, or fine which may extend to ₹1000, or both.
Provided that nothing contained in this sub-section shall render any such person liable to punishment if he proves
that the contravention took place
(2) Notwithstanding anything contained in sub-section (1), where a contravention has been committed by a
company and it is proved that the
such director, manager, secretary or other officer shall also be deemed to be guilty of the contravention and shall
be liable to be proceeded against and punished accordingly.
(i) "company" means any body corporate and includes a firm or other association of individuals; and
(ii) "director", in relation to a firm, means a partner in the firm.