
CA INTER EIS

Amendments
For May 20 & Onwards Exams

CA. Saket Ghiria


Amendments of Chapter No. 1 of EIS for May 20 & Onwards Exams
Topic 1 - Categories of Business Processes
Business processes may be classified into the following categories:

Operational Processes (Primary Processes)

Also called primary processes, these processes represent the core businesses and value chain of the
organisation. Operational processes help the entity in producing the products or rendering the services. These
processes represent essential business activities to accomplish business objectives like Order to Cash (O2C) Cycle,
Procure to Pay (P2P) Cycle etc.

Supporting Processes (Secondary Processes)


These processes support the core process and functions of the organizations (i.e. the operational processes) and
do not provide value to customers directly. These processes are essential to carry out the core processes. For
example, human resource process, accounting process etc.

Management Processes
These processes measure, monitor and control activities related to business procedures and systems. Like
supporting processes, these processes do not provide value directly to customers but have a direct impact on the
efficiency of the organization. For example, internal control process, strategic planning and decision-making
process, budgeting process, governance, capacity management process etc.

Concept Testing – Multiple Choice Questions

(Q-1). Consider the following aspects about the operational process:

(i) Order to Cash or O2C Process is the part of Operational Process
(ii) HR Process is not the part of Operational Process
(iii) These processes do not provide value to customers directly
(iv) These processes represent essential business activities that accomplish business objectives

Which of the above statements are correct?

(a) Point (i), (ii) & (iv) only
(b) Point (i) & (iii) only
(c) Point (ii), (iii) & (iv) only
(d) Point (i) & (iv) only

Topic 2 - Business Process Management (BPM)


Business Process Management is the systematic approach of improving the various business processes of the
organization. BPM helps organizations in achieving three E’s for business process namely:

• Effectiveness,
• Efficiency and
• Economy

It works on improving all the parameters all the time.

Example representing all categories of Business Processes


| S.N. | Nature of Business | Description of Decision |
|------|--------------------|-------------------------|
| I. | Vision & Mission | A. Ltd. (one of India’s largest dairy product companies) decided to double its turnover from the existing ₹ 10,000 crore in next 10 years. |
| II. | Management Process | To implement the vision & mission, top management may decide the following: − Expand in new geographical markets; − Launch new products; − Grow through acquisition in markets where company has no presence etc. |
| III. | Support Process | To successfully execute the decision taken by the top management, organization needs well trained & competent human resource. |
| IV. | Operational Process | Now it is the duty of the operational level managers to put the top management decision into action. They will plan their work accordingly. |

Topic 3 - Risks & Its Management (Most Imp)

Meaning of Risk
As per International Organization for Standardization (ISO), risk is uncertainty in achieving the objectives. In
other words, risk is the potential harm caused if a threat exploits a particular vulnerability to cause damage to the
assets of the entity. Risk is an event that may result in significant deviation from the planned objective, leading
to negative consequences.

Sources of Risk

It is very important for the entity to understand the sources from where the risk may arise. The understanding of
sources of risk will help the entity in understanding the types of risk and accordingly entity can adopt the risk
management strategies. Some of the sources of risk could be legal issues, political issues, technological issues,
natural disasters etc.

Characteristics of Risk

(i) Potential loss that exists due to threat & vulnerability
(ii) Uncertainty of loss expressed in terms of probability of such loss &
(iii) Probability that a threat will lead to an attack against a particular system.

Types of Risk
The Major types of Risks are:

(A) Business Risk

All businesses operate in an environment full of risk. Some of the major business risks are:

(a) Strategic Risk – Risks that would prevent an organization from achieving its goals & objectives are called
strategic risks. For example political risk, economic risk, poor strategy, poor market reputation, poor
management, changing taste & preferences of the buyers etc.
(b) Financial Risk – Risks that would result in negative financial impact on the organization are called financial
risks. For example loss of assets, interest rate risk, forex risk, credit risk etc.
(c) Regulatory (Compliance) Risk – Risks that expose an organization to fines & penalties from the
regulators due to non-compliance with laws & regulations are called regulatory risks. Like violation of
employees related laws, tax related laws, customer related laws etc.
(d) Operational Risk – Risks that disturb the normal operation of the organization and prevent it from
operating in the most effective & efficient manner are called operational risks. For example lack of
customer satisfaction, poor operational policies, failure of product or services etc.
(e) Hazard Risk – Risks due to natural disaster, impairment of physical assets, terror attacks etc. These risks
are mostly insurable.
(f) Residual Risk – Any risk remaining after taking all counter measures are called residual risk. Organization
should consider the following:
− Acceptance of residual risk and
− Selection of safeguards

Even after all the safeguards applied, there would be some residual risk. These risks can be minimized but cannot
be eliminated in totality.

(B) Technology Risk (Earlier it was covered in Chapter 5 of EIS)

Today, an organization uses different technologies for its different business processes & also automates its business
processes with the help of technology. Organization should consider the following technology risks & challenges:

(i) Multiplicity & Complexity of the System – Different services provided by the entity may be based on
different platforms and may be using different IT architecture. This multiplicity of the system makes it
quite complex to handle. Entity needs skilled workforce to manage it or may also decide to outsource it.
(ii) Different Controls for Different Technologies – As the organization uses different technologies, it needs
different kinds of controls to mitigate the associated threats. Ensuring that all of these controls
are effective is a big challenge for the entity.
(iii) Frequent Changes or Obsolescence of Technology – Technology evolves continuously and because of
this, existing technologies become obsolete very quickly. The rapid obsolescence of technology is
another big challenge for the entity.
(iv) Proper alignment with Business & Regulatory Requirements – Entity needs to ensure that the system
implemented by them meets the business requirement as well as all the regulatory requirements.
E.g. Banks use CBS and banks need to ensure that the CBS used by them meets their business
requirement as well as the regulatory requirements of RBI & others.
(v) Dependence on Vendors due to outsourcing of IT services – Entity may have outsourced various IT
services to outside vendors and due to this, it becomes dependent on the vendors, which will
lead to vendor related risk.
(vi) Vendor related concentration Risk – Entity may be using different vendors for different services or there
may be a single vendor for all the services. In both cases, entity needs proper controls to manage the risk.
(vii) Segregation of Duties (SOD) – Entity needs clearly defined organizational structure with clearly
established rules, authorities & responsibilities. This segregation of duties should be clearly mapped in
the system used by the entity. Any error in the segregation of duties will make the entity vulnerable to
potential harm.
(viii) External Threats Leading to Cyber Fraud – The system used by the entity can be accessed by anyone
from anywhere in the world using the internet. The system which was earlier accessed only internally is
now open and can be accessed by anybody. This increases the possibility of attack by hackers.

(C) Data Related Risk

Same as covered in Chapter No. 3 of EIS.

Risk Assessment
Risk Assessment involves the following:

(i) Identification of threats & vulnerabilities in the system
(ii) Potential harm organization would bear if a threat exploits vulnerabilities and the Confidentiality, Integrity &
Availability (CIA) of the information system gets compromised.

Risk Management is the process of:

− Assessing risk
− Taking steps to reduce risk to an acceptable level &
− Maintaining risk at that level

Risk Management involves identifying, measuring and minimizing events affecting the organization.

Terminologies related to Risk Management


Various terminologies related to risk management are:

(i) Asset
Asset is something having value for the organization like data, software, hardware, information in physical or
electronic form etc. Assets usually have the following characteristics:

(a) They are recognised to be of value to the organization.
(b) They are not easily replaceable and their replacement needs time & cost.
(c) They form part of corporate identity of the organization (Like Software coded by Microsoft is the part of
Microsoft’s identity). Without these, organization’s survival may be threatened.
(d) Data & information assets can be classified as Proprietary, Highly Confidential, Top Secret etc.

(ii) Vulnerability
It refers to the weakness in the system or its safeguards that exposes a system to threats. Weakness in the
system’s cryptographic system (security system) or other components like design, hardware, software etc. makes
the system vulnerable and could be exploited by a threat. Some of the examples are:

(a) Poor physical access controls
(b) Poor logical access controls
(c) Weak passwords
(d) Bug or Malicious codes in the software etc.

Vulnerability in Computing System / Software Vulnerabilities

A computing system is said to be vulnerable if it has any of the following conditions:

(a) Allows attacker to execute command as other user,
(b) Allows attacker to access data without authorization,
(c) Allows attacker to act as another entity,
(d) Allows attacker to cause denial of service.

Related Question - A Ltd. has developed ERP software for B Ltd. When will the software be considered
as vulnerable?

(iii) Threat
Any entity, circumstances or events having potential to harm the software system or component through

− Unauthorized access
− destruction
− modification or
− denial of service

is called threat.

(iv) Exposure
Extent of loss entity has to face when a risk materializes. It may have both short-term as well as long-term impact.

(v) Likelihood
Likelihood determines the probability of threat accessing and succeeding in achieving the undesirable events.

(vi) Attack
Attack is an attempt to gain unauthorized access to the system and compromise the CIA (Confidentiality, Integrity
& Availability) of the information system by defeating its safeguards.

(vii) Counter Measures


Action, device, procedure or technique that reduces the vulnerability of a component or system.

Risk Management Strategies / Risk Response Strategies


After risk assessment is done, entity should develop a proper risk management strategy. Some of the risk
management strategies are:
(i) Tolerate /Accept the Risk – If risk is considered minor due to its impact or probability of occurrence,
entity may decide to accept risk as it is and have its periodic review without taking any risk reduction
measure.
(ii) Terminate / Eliminate the Risk – Giving up the cause creating the risk, thereby eliminating the risk. Like
if risk is associated with certain technology, supplier or vendor, replacing such technology, supplier or
vendor with more reliable technology, supplier or vendor will eliminate the risk.
(iii) Transfer / Share the Risk – Mitigation of risk by sharing it with other parties. Like outsourcing of IT
services, taking insurance etc.
(iv) Treat / Mitigate Risk – If other options are not feasible, entity itself has to develop the proper controls
to mitigate the risk.
(v) Turn back / Ignore Risk – If the probability of risk and its impact is very low, entity may ignore the risk.

Topic 4 - Controls & Internal Control

Meaning / Definition of control


Control is defined as-

− Policies
− Procedures,
− Practices &
− Organizational structure

designed to provide reasonable assurance that business objectives are achieved and undesired events are
prevented or detected and corrected. The ultimate objective of any control system is the timely preparation of
reliable financial statements by mitigating all types of risk. Based on the mode of implementation, controls may
be Manual, Automated or Semi-Automated.

Internal Controls & Standard on Auditing 315


SA 315 (Identifying and Assessing the Risk of Material Misstatement) defines the system of internal control as the
process designed, implemented and maintained by those charged with Governance, Management & other
personnel to provide reasonable assurance about the achievement of organization’s objectives regarding:

− Effectiveness & efficiency of operations
− Safeguarding of the assets of the organization
− Compliance with the applicable laws & regulations
− Reliability of internal and external financial reporting.

Components of Internal Controls / Internal control Process


There are five components of internal control that relate to the financial statement audit, as follows:

(i) Control Environment

The control environment is a set of standards, processes and structures that provides a basis of carrying out
internal controls across the organization. It is the responsibility of senior management to establish an
environment for the proper & effective implementation of internal controls in the organization. The Control
environment comprises:

(a) Integrity & ethical values of the organization.
(b) Parameters enabling the Board of Directors to carry out its Governance responsibilities.
(c) Organizational structure & assignment of authority and responsibility.
(d) Process of attracting, developing & retaining competent individuals.
(e) Performance measures, incentive & rewards to drive accountability for performance.

(ii) Risk Assessment

Entity faces variety of risk both from internal & external sources. Risk assessment is the process of identifying and
assessing the risk to the achievement of organization’s objectives. Through risk assessment, entity determines
how to manage the risk. Risk makes it difficult for the entity to achieve its objectives, hence a pre-condition to
risk assessment is the establishment of objectives for all the levels of the organization.

(iii) Control Activities

Control activities are the actions taken by the management to ensure that risks are mitigated and objectives will
be achieved. Some of the control activities are:

− All transactions should be authorized.
− Duties are Segregated (SOD).
− Adequate documents & records maintained.
− Assets are properly safeguarded etc.

Control activities need to be performed at all the levels of the organization. Internal auditors play a very
important role in ensuring the effectiveness & efficiency of controls in the organization.

(iv) Information & Communication

Having proper information is necessary for the organization to carry out internal control activities. Management
needs relevant and quality information both from internal and external sources to carry out internal controls
properly. Communication is the process of obtaining and sharing the necessary information. Communication can
be both internal and external. Through internal communication, employees are provided direction to carry out
internal control tasks. External communication serves two purposes:

− Enables entity to obtain relevant external information &
− Provides information to external parties as per their requirement.

(v) Monitoring of Controls


There should be continuous evaluation to ascertain whether the internal control and each of its five elements
are present & functioning. Findings should be compared with criteria fixed and deficiencies should be
communicated to the management.

Some of the IT controls are / Sample IT control list in Banks & other organizations
(i) System to maintain record of all log-ins & log-outs.
(ii) System access to be available only during stipulated time and days.
(iii) There should be a user time-out system wherein, in case no activity is performed from a logged-in account
for a certain period of time (e.g. 5 minutes), the user will be logged out automatically.
(iv) Once end of the day processes are over, ledgers can be opened only with a supervisory level password.
(v) If a transaction is to be posted in an inoperative or dormant account, it can be done only with a
supervisory level password.
(vi) All exception situations like limit excess, re-activating dormant account etc. can be done only with a
supervisory level password.
(vii) Users can access only specified data and files and access rights should be given on “Need to Know Basis”
as per their role in the organization (RBAC).

Objectives of IT Controls
The main objective of IT controls is to achieve the objectives of the entity by implementing controls within a
particular IT activity. IT controls perform two roles:

− Enable the entity to achieve the objectives &
− Help to mitigate the IT related risk

The better the entity can protect itself from the Cyber-Frauds & IT related risk, the more resilient it will become.

Classification of IT controls
IT controls can be classified as follows:

(A) General controls / Information Technology General Controls (ITGC)

Also known as infrastructure controls, these controls are pervasive in nature and apply to all systems, components,
processes and data of an enterprise. These are Macro (overall) controls. Some of the General controls are:

(a) Information Security Policy – There should be a proper information security policy duly approved by the senior
management and covering all areas of operation of the entity.
(b) Separation of Key IT functions – For the smooth operation of the IT functions, it is important to have
proper segregation of IT functions and there should not be any SOD conflicts.
(c) Confidentiality, Integrity & Availability of Software & Data Files – The confidentiality, integrity and
availability of the software and data files are to be assured & there should not be any compromise in it.
(d) Management of System Acquisition & Implementation – There should be effective controls over the
acquisition & implementation of information system.
(e) Change Management – IT solutions used by the entity may need to be updated as per the changing
technology, business needs or regulatory and compliance requirements. These changes may affect the
regular business functioning. Hence organization needs an effective change management system to ensure
the smooth transition from the existing system to the new or updated system.
(f) Back-up, Recovery & Business Continuity – Entity should have proper back-up and recovery system as
well as Business continuity plans to recover quickly and continue the business operations after disaster.

(B) Application Controls

Application controls are the controls that are implemented in the application software to prevent or detect &
correct fraud & errors. These controls are built into the application software itself to ensure that
transactions are authorized, complete & accurate. For example, the ERP system of the entity should prevent the sale of goods on
credit to a customer if his existing amount due exceeds the credit limit allotted to him. Some Examples of
Application Controls are:

(i) Data edits to be allowed only for permissible fields.
(ii) Separation of Business Functions (e.g. separate passwords for initiation & authorization of transaction)
(iii) Balancing of Totals (Debit & Credit side should be balanced)
(iv) Transaction logging (all transactions should be logged)
(v) Error Reporting (all errors should be reported)
(vi) Exception Reporting (all exceptions should be reported)

Having proper application controls plays very important role in mitigating the risk of fraud & errors.
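
The application controls listed above (the credit-limit check, separate users for initiation and authorization, transaction logging and exception reporting) can be seen working together in the added Python sketch below. It is an illustration written for these notes, not code from any ERP product; the class and function names and the sample customer are constructed, and the credit check is assumed to count the new sale against the limit along with the existing amount due.

```python
from dataclasses import dataclass
from decimal import Decimal


class ControlViolation(Exception):
    """A built-in application control blocked the transaction."""


@dataclass
class Customer:
    name: str
    credit_limit: Decimal
    amount_due: Decimal = Decimal("0")


@dataclass
class CreditSale:
    sale_id: int
    customer: Customer
    amount: Decimal
    initiated_by: str
    status: str = "PENDING"


class SalesModule:
    """Hypothetical ERP sales module; every name here is illustrative."""

    def __init__(self):
        self.transaction_log = []    # transaction logging: every event
        self.exception_report = []   # exception reporting: blocked events only
        self._next_id = 1

    def _log(self, event, user, detail):
        self.transaction_log.append((event, user, detail))

    def _block(self, event, user, detail):
        # A blocked attempt is logged like any other event and is also
        # placed on the exception report before the transaction is refused.
        self._log(event, user, detail)
        self.exception_report.append((event, user, detail))
        raise ControlViolation(f"{event}: {detail}")

    def _check_credit(self, customer, amount, user):
        # Assumption: the new sale counts against the limit together with
        # the amount already due.
        if customer.amount_due + amount > customer.credit_limit:
            self._block("CREDIT_LIMIT_EXCEEDED", user,
                        f"{customer.name} due {customer.amount_due} + sale "
                        f"{amount} > limit {customer.credit_limit}")

    def initiate(self, customer, amount, user):
        amount = Decimal(str(amount))
        if amount <= 0:
            self._block("INVALID_AMOUNT", user, f"{customer.name} {amount}")
        self._check_credit(customer, amount, user)
        sale = CreditSale(self._next_id, customer, amount, initiated_by=user)
        self._next_id += 1
        self._log("INITIATED", user, f"sale {sale.sale_id} for {amount}")
        return sale

    def authorize(self, sale, user):
        if sale.status != "PENDING":
            self._block("NOT_PENDING", user, f"sale {sale.sale_id}")
        # Separation of business functions: the maker cannot be the checker.
        if user == sale.initiated_by:
            self._block("SOD_CONFLICT", user, f"sale {sale.sale_id}")
        # Re-check the limit: the balance may have changed since initiation.
        self._check_credit(sale.customer, sale.amount, user)
        sale.customer.amount_due += sale.amount
        sale.status = "AUTHORIZED"
        self._log("AUTHORIZED", user, f"sale {sale.sale_id}")
        return sale


def run_demo():
    """Constructed sample data: one customer, one clerk, one supervisor."""
    erp = SalesModule()
    cust = Customer("B Ltd.", Decimal("1000"), Decimal("400"))
    blocked = []
    sale = erp.initiate(cust, "500", user="clerk_a")
    try:
        erp.authorize(sale, user="clerk_a")         # same user: blocked
    except ControlViolation as exc:
        blocked.append(str(exc).split(":")[0])
    erp.authorize(sale, user="supervisor_b")        # different user: posted
    try:
        erp.initiate(cust, "200", user="clerk_a")   # 900 + 200 > 1000: blocked
    except ControlViolation as exc:
        blocked.append(str(exc).split(":")[0])
    return erp, cust, blocked


if __name__ == "__main__":
    erp, cust, blocked = run_demo()
    print("blocked:", blocked)
    print("amount due:", cust.amount_due)
    for row in erp.exception_report:
        print("EXCEPTION", row)
```
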

Key Indicators of Effective IT Controls


IT Controls are considered to be effective if IT Controls lead to:

(i) Consistent availability & reliability of IT Services across the organization, customers and business partners.
(ii) Efficient use of customer support desk.
(iii) Ability to protect from threats & vulnerabilities.
(iv) Ability to recover from the disturbance of IT services as quickly as possible.
(v) Delivery of projects on time & within budget.
(vi) Ability to allocate resources predictably.
(vii) Spreading security awareness among the users and building a security conscious culture.

Limitations / Inherent Limitations of Internal Controls

Internal Controls, no matter how effective they are, can provide only a reasonable assurance about the
achievement of organization’s objectives. Internal control system suffers from the following limitations:

(i) Cost of internal control may exceed the benefits expected.
(ii) Possibility of defeating internal controls through collusion with employees or outside parties.
(iii) Possibility that a person responsible for internal control may abuse his responsibility.
(iv) Internal control may not be able to point out transactions of unusual nature.
(v) Manipulations by Management with respect to transactions or estimates and judgements.

Compensation for Failure to Protect Data (Section 43A)
read with Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information)
Rules, 2011 (“Privacy Rules”)

Nowadays a lot of personal information about individuals is obtained & held by body corporates & hence
to ensure the security & confidentiality of such data, “Section 43A & Privacy Rules” have been introduced by the
Government. If any body corporate processing, dealing or handling any sensitive personal data or information in
a computer system or resource which it owns, operates or controls is negligent in implementing reasonable
security practices & procedures, thereby causing wrongful loss or gain to any person, it shall pay compensation
to the person affected.

Body Corporate

Body corporate means any company and includes a firm, sole proprietorship or other association of individuals
engaged in commercial or professional activities.

Note: Government & Individual without sole proprietorship are not covered within the meaning of body corporate.

Personal Information (Rule 2)

Personal information is information that relates to a natural person through which the body corporate is
capable of identifying such person.

Sensitive personal Information (Rule 3)

Sensitive personal data or Information includes:

(i) Passwords
(ii) Financial Information
(iii) Physical / Physiological / Mental health condition
(iv) Sexual orientation (i.e. interested in male, female)
(v) Medical records & history
(vi) Biometric information (Finger Print, Facial Pattern, Voice etc.)

Reasonable Security Practices & Procedures

Security practices and procedures designed to protect such information from unauthorized access, use, damage,
modification, disclosure as may be specified:

− By agreement between the parties or
− By law for the time being in force or
− In absence of agreement or any law, then by Central Government

Consent to collect (Rule 5)

Body corporate should, prior to collection, obtain consent in writing through letter, fax or email from the provider
of such information, regarding the use of that data.

Analysis – If services are delivered with little or no human interaction & data is collected through sensors on real
time basis & data is used for different purposes, it is not possible & practical to obtain written consent for every
such use.

Consent to Disclosure (Rule 6)

Disclosure of sensitive personal data by body corporate to any third party shall require prior permission from the
provider of such information. However this rule has following exceptions:

(i) If such disclosures have been agreed to in the contract between the body corporate & provider of such
information or,
(ii) Such disclosure is necessary for the compliance of any legal obligation.
Amendments of Chapter No. 2 of EIS for May 20 & Onwards Exams
Topic 1 - Mechanism of using the Financial & Accounting Software
Usually the following are the mechanisms of using the financial and accounting system:

Installed Applications and Web Applications


Primarily there are two ways of using financial and accounting software. These are:

(i) Installed Application - In this case, software program is installed on the hard disk of each user's computer
in the organisation.
(ii) Web Application - In this case software program is not installed on the hard disk of the user’s computer
but installed on a web server and user can access it through the web browser and corporate intranet or
Internet as the case may be. However nowadays, web-based applications are replaced by cloud-based
applications.

Cloud-Based Applications
Many times, organizations find it difficult to host and maintain the financial and accounting software on their own
IT infrastructure, as operating and maintaining a complex IT system is not an easy task and it needs a dedicated
IT support team, which causes huge cost to be incurred. Hence nowadays organisations rely on the cloud
computing vendors to host their application software. The most common forms are:

(i) SaaS – Here both the financial and accounting software and their hosting are provided by the cloud
computing vendor.
(ii) IaaS – Here only hosting capacity is provided by the cloud computing vendor.

Advantages & Disadvantages of (Difference Between) Installed and Cloud Based Applications

| Particulars | Installed Application | Cloud Based Application |
|-------------|-----------------------|-------------------------|
| Installation, Maintenance and Updation | As software is installed on the hard disk of every user’s computer, installation, maintenance and updation is a very slow & time-consuming process. | Installation on user’s computer is not required and the maintenance and updation of the software are the responsibility of the cloud computing vendor. |
| Accessibility | As software is installed on user’s computer, to access the software, user needs to have the computer in which software is installed. | User can access the software from anywhere at any place through any computer with the help of a network. The accessibility is 24×7. |
| Data Storage | Data is physically stored in the user’s computer & hence user will have full control over the data. | Data is not stored in the user’s computer but on the server of the vendor. Ownership of data is defined in the Service Level Agreement (SLA) which defines the rights of both user & service provider. |
| Data Security | As data is under user’s control, he can ensure data can’t be accessed without authorization. | Data security is a challenge in the cloud-based application as data is not under user control. Data security by vendor is mentioned in SLA. |
| Performance | The performance of installed application is higher as entire application is stored in user’s computer & internet is not needed. | Performance depends on the speed of internet. Slow internet will reduce the performance. |
| Flexibility | Flexibility will be greater as application is installed on the user computer and it can make the full use of computer hardware like scanner, camera etc. However installed application needs higher CAPEX & OPEX compared to cloud based applications. | The cloud based applications are successful as they give the user flexibility against both capital expenditure (CAPEX) & operating expenses (OPEX) and user can scale up the operations as per needs. |
| Mobile Application | Using the application through mobile application is difficult. | Through cloud computing, mobile application is very easy as data is available 24×7. It makes cloud-based application future oriented. |

Topic 2 - Integrated Enterprise Resource Planning (ERP) System


Meaning of ERP
ERP system integrates the internal and external management information into a single integrated software
application. Core idea behind the ERP system is to enable the flow of information of different functions,
departments etc. in an integrated manner. ERP system is modular in design and uses a common (central) database.
All of the modules of the ERP system like Financial Accounting Module, Human Resource Module, Controlling
Module etc. are linked to the central database and can store and retrieve information in real time.

The ERP system is modular (i.e. made of different modules) and entity can select the modules it needs and also
mix and match the modules purchased from different vendors as per its needs.

For a software to be considered as ERP, it must provide the functionality of at least two or more systems to the
entity like Quick Book Accounting software provides the functionality of payroll & accounting. However most of
the ERP software provides several functions.

Some popular ERP software are SAP R/3, Oracle 9i, Microsoft Dynamics AX etc.

Advantages/Benefits of ERP
Major benefits or advantages of the ERP system are:

(i) Information integration: ERP systems are integrated as they have the ability to automatically update data
between related business functions and components.
(ii) Reduction of lead-time: The elapsed time between placing an order for raw material and receiving it is
known as the Lead-time. The ERP System is integrated and the use of the latest technologies like EFT
(Electronic Fund Transfer), EDI (Electronic Data Interchange) reduce the lead times for the entity.
(iii) On-time Shipment: Since the different functions involved in the timely delivery of the finished goods to
the customers like purchasing, material management, production planning, plant maintenance, sales and
distribution etc. are integrated, ERP system ensures on-time delivery of goods to customers.
(iv) Reduction in Cycle Time: Cycle time is the time between placement of the order and delivery of the
product to the customer. In an ERP System, all the data is updated and available in the centralized
database, thus ERP systems help in reducing the cycle time.
(v) Improved Resource utilization: The different modules in the ERP system ensure that:
• inventory is kept to a minimum level,
• machine down time is minimum,
• goods are produced as per the demand and
• finished goods are delivered to the customer in the most efficient way.
Thus ERP systems help the organization in drastically improving the capacity and resource utilization.
(vi) Better Customer Satisfaction: With the help of web-enabled ERP systems, customers can place order,
track order status and make payment from home. This improves customer satisfaction.
(vii) Improved information accuracy & decision-making capability: The three fundamental characteristics of
information are accuracy, relevancy and timeliness. The information needs to be accurate, relevant for
the decision-maker and available to the decision-maker when he requires it. ERP systems help in
improving the information accuracy, provide accurate information and make information available at
the right time, thus helping in better decision-making.

ERP Implementation, its Risks and related Controls


ERP system implementation is a huge task and requires a lot of time, money and effort. The success or failure of
any ERP is dependent on its successful implementation and, once implemented, its proper usage.

Major implementation and post implementation issues and related controls are discussed below:

(i) People Issues: Employees, Management, implementation team, consultants and vendors are the most crucial
factors that decide the success or failure of ERP System. The associated risks & related controls are as follows:

| Aspect | Associated Risk | Control Required |
|---|---|---|
| Change Management | As entity migrates to the ERP system, change will occur in employees job profile and some jobs will get irrelevant while some new jobs will be created. | Entity should have manuals and provide training of ERP system to employees so to ensure smooth transition from old system to ERP system. |
| Change Management | As entity migrates to ERP system, its functioning will change and due to information integration, planning and decision-making capabilities of entity will improve which may affect the planned and ongoing projects. | Entity should have proper project charter with clearly specified project requirements and signed by users and senior management. |
| Training | Entity may curtail on the user training to manage the cost. | Proper and sufficient training should be given to the users by skilled consultants and hardware and software vendor companies. |
| Top Management Support | ERP implementation will fail if top management do not provide support and permission to use the required resources. | ERP implementation shall start only after top management is ready to provide full support. |
| Staff Turnover | As entire ERP system is integrated and connected, it becomes complex & difficult to manage and staff turnover can affect entity adversely. | Entity should allocate task to employees as per their skill set and pay good compensation according to the job profile so to reduce staff turnover. |
| Consultants | ERP implementation consultants might not be familiar with organisational culture and internal working system. | The consultant should be assigned a Liaison Officer (senior manager) who can make him aware about the organisational culture and its internal working system. |

(ii) Process Risks: One of the main reasons for the ERP implementation is to improve the business process and
make it more efficient, productive and effective. The associated risks and related controls are as follows:

| Aspect | Associated Risk | Control Required |
|---|---|---|
| Program Management | There could be information gap between day-to-day program management activities and ERP enabled functions like material procurement and manufacturing etc. thus making the process inefficient. | Entity should try to reduce information gap by making real time information flow thus enabling high quality decision making and improving the efficiency of the business processes. |
| Business Process Reengineering (BPR) | To improve the processes, entity may go for business process reengineering (BPR) mechanism. | To make BPR successful, entity may have to do the things like staff training and skill development, overhauling organisational structure, making use of IT etc. |

(iii) Technological Risks: The organizations implementing ERP system should be updated about the latest
technological developments. The associated risks and related controls are as follows:

| Aspect | Associated Risk | Control Required |
|---|---|---|
| Software Functionality | ERP system may have many functions and features all of which may not be needed by the entity. | Entity should choose only those features and functions that it actually requires and also ensure support of additional features that might be needed in future. |
| Technological Obsolescence | As technology evolves, the ERP system in use of the entity may become obsolete. | Entity needs to select the latest technologies and architectures for the ERP system and also ensure the timely upgradation of it. |
| Enhancement and Upgrades | ERP systems are not kept up to date and upgraded as necessary or patches or updates are not installed properly. | Entity should carefully choose vendors and properly sign the updation and support contracts with them. |
| Application Portfolio Management | As the business expands, entity might need new applications and business modules to fulfill business needs and deliver new projects. | The Entity should carefully manage the need of applications and business modules to reduce the duplication and complexity. |

(iv) Other Implementation Issues: Many times, the ERP implementation suffers because of many hidden and
unexpected factors. The associated risks and related controls are discussed below:

| Aspect | Associated Risk | Control Required |
|---|---|---|
| Insufficient Funding | The budget of ERP system is usually allocated without consulting with the experts and it may prove insufficient. | Entity should allocate sufficient funds for the ERP system and also allocate some additional funds for contingencies. |
| Lengthy implementation time | ERP implementation is a time taking process and can take between 1 to 4 years depending upon the size of the organisation. Due to the lengthy process, the entire implementation task may lose the momentum. | Entity should take the steps to keep the momentum going and maintain the motivation level of employees high. |
| Data Safety | If entity uses only one set of data and if it is lost, the entire business may come to stand still. | Entity should have proper data backup mechanism and use strict access controls. |
| Speed of Operation | As entire data is managed centrally, gradually the data size increases which reduces the speed of operation. | Entity should remove redundant data, use data warehousing techniques and upgrade the hardware regularly. |
| System Failure | As everybody is connected to a single system, the failure of the system would make the entity suffer badly. | Entity should have alternate hardware and software arrangements so that in case of failure of the primary system, work could be migrated to the secondary system. |
| Data Access | As entire data is stored centrally and all the departments access that data, possibility of the access of non-relevant data arises. | Data access rights should be planned carefully and given on need to know and need to do basis only. |

(v) Post Implementation Issues: The smooth running of the ERP system would need a lifelong commitment by
the management and the users. The associated risks and related controls are as follows:

| Aspect | Associated Risk | Control Required |
|---|---|---|
| Lifelong commitment | Even after ERP is implemented in the organisation, entity may need to install new modules new technologies and keep upgrading the ERP system. | This requires a strong and consistent commitment from the management and the users. |

Topic 3 - ERP Modules


Controlling Module (CO)
Controlling module plays a very important role as it facilitates the coordination, monitoring, and optimization
of different processes in an organization. This module helps in analysing the actual figures with the planned
data and assists in strategy formulation. Two kinds of elements are managed in Controlling Module namely Cost
Elements and Revenue Elements. These elements are stored in the Financial Accounting module.

Key features of this module are as under:

• Cost Element Accounting: This provides an overview of the costs that occur in an organization. The cost
elements are the basis for cost accounting and helps management by identifying the cost of different cost
elements like cost centres, internal orders or projects.
• Cost Centre Accounting: This provides information on the costs incurred by different cost centers. Cost
Centres can be created for functional areas like Marketing, Purchasing, Human Resources, Facilities,
Research and Development, Administrative Support, Legal, Shipping etc. Some of the benefits of Cost Centre
Accounting:
o managers can set budget for the cost center thus better planning and cost monitoring;
o better distribution of costs to other cost objects.
• Activity-Based-Accounting: Many times, more than one functional or departmental activities are involved in
the creation of cost center. Through activity-based accounting, costs associated with cross-departmental
business processes are calculated.
• Internal Orders: Internal Orders helps to track costs of a specific job, service, or task. This helps management
in making better pricing and other decisions for the specific order or task.
• Product Cost Controlling: This calculates the costs that occur during the manufacture of a product or
provision of a service and helps management to better price the product or service by providing accurate
cost details of the product or service.
• Profit Centre Accounting: This evaluates the profit or loss of individual, independent areas within the
organization.

• Profitability Analysis: This provides details about company’s profit or contribution margin by individual product,
market or business.

Note: Nothing new has been added in Chapter No. 3 of EIS.
Amendments of Chapter No. 4 of EIS for May 20 & Onwards Exams
Topic 1 - E-Commerce & Related Concepts
In the last few years, advancement of technology & its widespread availability has made it possible to do
business electronically. Due to this, it became possible to sell or purchase goods or services electronically via
computers & internet.

Not only in the developed countries, but also in the developing countries, e-commerce is growing at a rapid pace.
In India, e-commerce has seen explosive growth & in the last couple of years India has become one of the fastest growing
e-commerce markets of the world. Many e-commerce companies are working in India like Amazon, Flipkart,
Snapdeal, AliExpress etc.

From the Market – Some of the E-Commerce Companies in India

Traditional Commerce vs. E-Commerce


Some of the major differences between Traditional Commerce and E-Commerce are as follows:

| Basis | Traditional Commerce | E-Commerce |
|---|---|---|
| Meaning | Here, goods or services are traded on manual or non-electronic basis. | In e-commerce, goods and services are traded electronically using computer & internet. |
| Transaction Processing | Manual | Electronic |
| Availability | During limited time (Business hours only) | Always available |
| Customer interaction | Face to face basis | Screen to Face Basis |
| Scope of Business | Limited Geographical | World wide |
| Inspection of goods | Goods can be physically inspected before purchase | Goods cannot be physically inspected before purchase |
| Delivery time | Delivery is instant i.e. at the same time | Delivery takes time but now a days many e-commerce vendors have introduced same day or even 4 hour delivery facility. |
| Payment options | Cash, Debit or Credit Card, UPI etc. | Cash on Delivery, Debit or Credit Card, E-wallet etc. |
| Fraud | Lesser fraud as there is physical interaction between Buyers & Sellers | Absence of physical presence & loopholes in law increases the possibility of fraud |
| Process | As manual processes are used, chances of errors are high. | As automated processes are used, chances of errors are low. |
| Profit Impact | The cost incurred on middle man, overheads, inventory etc. reduces the profit of the entity. | As cost on middle man is saved, overheads are reduced, the profits of the entity increase. |

E-Commerce Business Models/E-Market (Most Imp)


A Business Model can be defined as the organization of product, service and information flows, and the sources
of revenues and benefits for suppliers and customers. An e-business model is the adaptation of an organization’s
business model to the internet economy. Some of the e-markets are:

| S.N. | e-Market Type | Description |
|---|---|---|
| 1 | e-Shops | An e-shop is a virtual store that sells products and services online. Orders are placed and payments made. They are a convenient way of direct sales to customers and allow manufacturers to bypass intermediaries and reduce costs and delivery times. Example – www.dell.com. |
| 2 | e-Malls | The e-mall is an e-retailing model of a shopping mall where different shops are situated in the e-commerce website like www.alibaba.com. |
| 3 | e-auctions | e-auctions provide a mechanism through which the bidding process for products and services can take place between the competing buyers. Example – www.ebay.com |
| 4 | Portals | Portals are channels which list different websites for easy access by the customers and charge the companies who have listed their websites or charge consumers a subscription fee for access. Like justdial.com |
| 5 | Buyer Aggregators | It brings together large numbers of individual buyers and provides products at reduced prices. In this, the firm contacts goods or service providers, makes them its partners, and sells their products or services under its own brand. Example – www.zomato.com |
| 6 | Virtual Communities | Virtual Community is a community of users who share a common interest and communicate with each other. Virtual communities are highly scalable so that more people can join and contribute to the community. The services may be provided free of cost or for a subscription fee. Like quora.com |
| 7 | e-marketing | e-marketing is the marketing through internet. The internet changes the relationship between buyers and sellers hence e-marketing is getting more and more important now a days. |
| 8 | e-procurement | e-procurement is management of all procurement activities electronically. Through e-procurement, entity can access information about suppliers, product availability, price, quality and delivery times and can better collaborate with the suppliers. |
| 9 | e-distribution | The e-distribution helps distributors to efficiently manage large no. of customers, automating orders, communicating with partners and having services such as order tracking through each point in the supply chain. |

Some Business Models for E-Commerce


| Models | Definition | e-business markets | Examples |
|---|---|---|---|
| Business-to Consumer (B2C) | It refers to the exchange of products and services from a business to the final consumer. | e-shops, e-malls, e-auctions, buyer aggregators, portals. | www.cisco.com, www.amazon.com |
| Business-to Business (B2B) | It refers to exchange of products and services from one business to another. Here end consumers are not involved & trading volume is huge. | e-auctions, e-procurement, e-distribution, portals, e-marketing etc. | www.emall.com |
| Consumer to Consumer (C2C) | Through C2C e-Commerce, consumers can sell a product or service to another customer and there is no business house involved. One final consumer is dealing with another final consumer. | e-auctions, virtual communities etc. | www.eBay.com |

Topic 2 – Web 3.0


Distinction between Web 1.0, Web 2.0 & Web 3.0
| Basis | Web 1.0 | Web 2.0 | Web 3.0 |
|---|---|---|---|
| Web generation | First generation of web | Second generation of web | Third generation of web |
| Also called | The web | The social web | The semantic web |
| Supports | Read only web | Read and write web | Read, write and execute web |
| Interaction Level | No interaction | Moderate interaction | Very high interaction |
| Main Languages used | HTML (Hypertext Markup Language) | XML (Extensible Markup Language) | RDF (Resource Description Framework); OWL (Web Ontology Language); SWRL (Semantic Web Rule Language) |
| Example | Main website of ICAI etc. | Wikipedia etc. | Facebook, Twitter, YouTube, Self Service Portal of ICAI etc. |

From Web 3.0 to Web 4.0


As technology evolves, it will further be changing the way individuals, businesses or government interact with
each other. A new concept called Web 4.0 is evolving having the following features:

• Content generating agents based on matured semantic, reasoning technologies and Artificial Intelligence
• Autonomous
• Proactive
• Self-learning capabilities
• Collaborative

Examples include services interacting with sensors and implants, natural-language services or virtual reality
services etc.

Topic 3 – Internet of Things (IoT)


Application areas of IOT

Some of the major application areas of IOT are:


• Home Appliances - Home appliances and devices like CCTV can be connected together and owner can get
real time data.
• Office Devices - Office devices like printers, coffee machines, scanner etc. can be connected together.
• Government Uses - Government can use IOT technology on its various projects like when dustbins get
filled, they will automatically inform the local municipality.
• Human Implants - Humans have also got themselves implanted with electronic chips in their bodies
which act as an authentication token.
• Connected Car: Connected car technology is vast having multiple sensors, software, and technologies.
• Wearables - Wearables like smart bands are another application area of IoT like Apple smartwatch.
• Smart Cities: Smart cities are an evolving concept using variety of modern technologies for water and
traffic management, environmental monitoring etc. IoT plays an important role in the smart cities.
• Smart Grids - Smart grids are another area where IoT technology plays a big role. A smart grid monitors
users' electricity consumption pattern and distributes electricity with better efficiency, economics, and
reliability.
• Industrial Internet of Things - Another evolving area of IoT is industrial IoT with connected machines and
devices such as power generation, factory equipment etc. With an IoT enabled system, different
devices and factory equipment containing embedded sensors communicate data about different
parameters, such as pressure, temperature, machine utilization ratio etc. that helps in optimizing and
improving performance.
• Connected Health - IoT has various applications in healthcare like connected equipment. It has the
potential to improve the health care services.
• Smart Retail - Retailers have started adopting IoT solutions and using IoT embedded systems across
several applications that improve store operations, reducing theft, better inventory management etc.
• Smart Supply Chain: With the IoT, entity can better manage its supply chain.
Amendments of Chapter No. 5 of EIS for May 20 & Onwards Exams
Topic 1 – Major Banking Services
(i) Granting of Advances - Banks provide various kinds of loans and advances like cash credit,
overdraft facility, bills discounting, housing loan, educational loan, car loan etc. to various
customers. Apart from these, banks also provide the facility of issuance of commercial paper, external
commercial borrowings (ECB) etc. An ECB is an instrument used in India to facilitate the access to foreign
money by Indian corporations and public sector undertakings. In rural areas, banks became a major
channel for disbursement of loans under various government schemes like KCC (Kisan Credit Cards),
Mudra Yojana & other social welfare schemes run by state & central government.
(ii) Remittances - Remittances involve transfer of funds from one place to another. Two of the most
common modes of remittance are demand draft and telegraphic/mail transfers (TT/MT). Demand drafts
are issued by one branch of the Bank and are payable by another branch of the Bank (or, in case there is
no such branch, by a branch of another Bank). The drafts are handed over to the applicant.

Topic 2 - Key Modules of CORE Banking Solution (CBS) (Most Imp)


The key modules of CBS are:

The different modules of CBS like Branch Banking, Mobile Banking, Phone Banking, Internet Banking, Back office,
Data warehouse, credit card system, ATM switch etc. are connected to the central servers.

(a) Back End Applications


The back-end applications of the CBS consist of the following modules:

(i) Back Office


The Back Office portion of the Bank consists of the administration and support personnel and performs tasks like:

− Clearance & Settlement
− Record Maintenance
− Regulatory Compliances
− Accounting etc.
Back Office also monitors employees to ensure that they do not trade in the forbidden securities. It is important
to note that Back Office personnel are not client-facing i.e. they do not have a direct interaction with the client.

(ii) Data Warehouse


Data warehouse is an important module of CBS that helps banks to simplify and standardize the data
management task. Through data warehouse, banks can consider a large quantity of data, standardize it and remove
inaccuracies so as to make the data ready for analysis.
(iii) Credit Card System
The rapid growth of the Credit Card became possible due to the Credit Card system module. It performs the
following functions:
(a) Credit Card Management Functions like:
− Credit Card Management
− Customer information Management
− Customer account management
− General Ledger Function
(b) Provides online transaction authorization services
(c) Supports the payment processing
Credit Card system uses flexible parameters that support complex organizational mechanisms. It also has a
Product Factory mechanism that speeds up product time to market (i.e. assists banks to bring new Credit Card
related products in the market).

(iv) ATM Switch


ATM or Automated Teller Machine is an electronic banking outlet that allows customers to perform basic banking
tasks like balance checking and also complex banking tasks like fund transfer etc. with the help of a debit card.
ATM switch is one of the most important components of the ATM services.

(b) Central Servers/Centralized Data Centers


Central Servers are the backbone of the entire CBS mechanism and made Centralized Online Real-time Environment
(CORE) Banking possible. All the branches are connected to the central server to access data. Any banking activity
performed in any branch like deposit, withdrawal etc. is reflected immediately across all the branches.

(c) Front End Applications


The front-end applications of the CBS consist of the following modules:

(i) Branch Banking


Due to the CBS, all the member branches are connected to the centralized data centers, thus there is a seamless
flow of data and information across all the branches. After CBS, bank branches confine (restrict) themselves to
the following tasks only:

− Internal authorization
− Initiating Beginning of the day (BOD) operations.
− Managing End of the day (EOD) operations.
− Creating manual documents to capture data required for input into software.
− Reviewing reports for control & error correction

(ii) Mobile Banking


Mobile Banking is one of the most recent innovations in the delivery of Banking Services. Through Mobile Banking,
customers can access Banking Services through mobile devices like a smart phone or tablet. Mobile Banking
services are provided by the Banks to the customer through the “Mobile Banking APPS” which the user needs
to download & install on their devices.

(iii) Internet Banking


Also known as on-line banking, it is the delivery of banking services through electronic mode where the customer
can perform different kinds of Banking services through the website of the bank itself. As per an estimate, over
250 kinds of services and facilities can be accessed through internet banking like making or receiving
payments, managing accounts, requesting new cheque books, making RTGS, NEFT etc.
Mobile Banking & Internet Banking are basically the two sides of the same coin and the only difference is that mobile
banking services are accessed through some mobile device while internet banking services are accessed through
a laptop or desktop computer.

(iv) Phone Banking


Through phone banking, customers can access various banking services through a telephonic conversation with
the bank's contact centre, thus the customer is not required to visit the branch or the ATM. However, the customer has to register
his mobile number to avail the phone banking services.
Some of the services that are provided through the Mobile Banking are checking account balance, cheque book
issue request, stop payment of cheque request etc. However, with the introduction of internet banking & Mobile
Banking, the use of Phone Banking has fallen drastically.

Topic 3 - Prevention of Money Laundering Act (PMLA), 2002


| Chapter | Description of Chapter | Section | Description of Section |
|---|---|---|---|
| II | Offence of Money-Laundering | 3 | Offence of Money-Laundering |
| IV | Obligations of Banking Companies, Financial Institutions & Intermediaries | 12 | Reporting entity to maintain records |
| IV | Obligations of Banking Companies, Financial Institutions & Intermediaries | 13 | Powers of Director to impose fine |
| X | Miscellaneous | 63 | Punishment for false information or failure to give information, etc. |
| X | Miscellaneous | 70 | Offences by companies |

Chapter II Offence of Money-Laundering


Offence of money-laundering (Section 3)
Whosoever directly or indirectly

• attempts to indulge or
• knowingly assists or
• knowingly is a party or
• is actually involved

in any process or activity connected with the proceeds of crime including its concealment, possession, acquisition
or use and projecting or claiming it as untainted property (clean property) shall be guilty of the offence of money-
laundering.
Chapter IV Obligations of Banking Companies, Financial Institutions and Intermediaries
Reporting entity to maintain records (Section 12)
(1) Every reporting entity shall—

(a) maintain a record of all transactions, including information relating to transactions of clause (b), in such
manner as to enable it to reconstruct individual transactions;
(b) furnish to the Director (Enforcement Director) within such time as may be prescribed, information
relating to such transactions the nature and value of which may be prescribed;
(c) Omitted
(d) Omitted
(e) maintain record of documents evidencing identity of its clients and beneficial owners as well as account
files and business correspondence relating to its clients.
(2) Every information maintained, furnished or verified shall be kept confidential.

(3) The records referred to in clause (a) of sub-section (1) shall be maintained for a period of five years from the
date of transaction between a client and the reporting entity.

(4) The records referred to in clause (e) of sub-section (1) shall be maintained for a period of five years after the
business relationship between client and reporting entity has ended or account has been closed, whichever is
later.

(5) The Central Government may, by notification, exempt any reporting entity or class of reporting entities from
any obligation under this Chapter.

Powers of Director to impose fine (Section 13)


(1) The Director may, either of his own motion or on an application made, make such inquiry or cause such inquiry
to be made, as he thinks fit, with regard to the obligations of the reporting entity.

(1A) If at any stage of inquiry or any other proceedings, the Director having regard to the nature & complexity of
the case, is of the opinion, he may direct the concerned reporting entity to get its records audited by an
accountant from amongst a panel of accountants, maintained by the Central Government for this purpose.

(1B) The expenses of any audit under sub-section (1A) shall be borne by the Central Government.

(2) If the Director, in the course of any inquiry, finds that a reporting entity or its director or employees has failed
to comply with the obligations under this Chapter, then, he may—
(a) issue a warning in writing; or
(b) direct such reporting entity or its director or employees, to comply with specific instructions; or
(c) direct such reporting entity or its director or employees, to send reports at such interval as may be
prescribed on the measures it is taking; or
(d) by an order, impose a monetary penalty on such reporting entity or its director or employees, which shall
not be less than ₹10,000 but may extend to ₹1,00,000 for each failure.

(3) The Director shall forward a copy of the order passed under subsection (2) to every banking company, financial
institution or intermediary or person who is a party to the proceedings.

Explanation - For the purpose of this section, "accountant" shall mean a Chartered Accountant.

CHAPTER X MISCELLANEOUS

Punishment for false information or failure to give information, etc. (Section 63)
(1) Any person willfully and maliciously giving false information and so causing an arrest or a search to be made
under this Act shall on conviction be liable for imprisonment for a term which may extend to two years or with
fine which may extend to ₹50,000 or both.

(2) If any person -

(a) being legally bound to state the truth of any matter relating to an offence under section 3, refuses to
answer any question put to him; or
(b) refuses to sign any statement made by him which an authority may legally require to sign; or
(c) to whom a summon is issued under section 50 either to attend to give evidence or produce books of
account or other documents at a certain place and time, omits to attend or produce books of account or
documents at the place or time,

he shall pay, by way of penalty, a sum which shall not be less than ₹500 but which may extend to ₹10,000 for
each such default or failure.

(3) No order under this section shall be passed unless the person on whom the penalty is proposed to be imposed
is given an opportunity of being heard.

(4) Notwithstanding anything contained in clause (c) of sub-section (2), a person who intentionally disobeys any
direction issued under section 50 shall also be liable to be proceeded against under section 174 of the Indian
Penal Code.

Section 174 of the Indian Penal Code, 1860 provides following two penalties (Only for reading)

• imprisonment for a term which may extend to one month, or fine which may extend to ₹500, or both.
• imprisonment for a term which may extend to six months, or fine which may extend to ₹1000, or both.

Offences by companies (Section 70)


(1) Where a person committing a contravention of any of the provisions of this Act, rule, direction or order made
there under is a company, every person who, at the time the contravention was committed, was in charge of,
and was responsible to the company, shall be deemed to be guilty of the contravention and shall be liable to be
proceeded against and punished accordingly:

Provided that nothing contained in this sub-section shall render any such person liable to punishment if he proves
that the contravention took place

• without his knowledge or
• he exercised all due diligence to prevent such contravention.

(2) Notwithstanding anything contained in sub-section (1), where a contravention has been committed by a
company and it is proved that the

• contravention has taken place with the consent of, or
• is attributable to any neglect on the part of any director, manager, secretary or other officer of any
company,

such director, manager, secretary or other officer shall also be deemed to be guilty of the contravention and shall
be liable to be proceeded against and punished accordingly.

Explanation 1 - For the purposes of this section -

(i) "company" means any body corporate and includes a firm or other association of individuals; and
(ii) "director", in relation to a firm, means a partner in the firm.