INDEX
S No. Topics Page No.
1. Automated Business Process 1 – 20
2. Financial and Accounting System 21 – 43
3. Information System & Its Components 44 – 69
CA Kishan Kumar Automated Business Processes
CHAPTER 1
1. BUSINESS PROCESS
Types of Business Processes / Vision & Mission of Top Management is achieved by implementing
2. BUSINESS PROCESS AUTOMATION – REMOVING HUMAN INTERVENTION
▪ It is technology-enabled automation of activities or services to achieve a specific function/task/objective.
▪ This can be done for different functions like sales, purchase, supply chain management, HR, IT etc.
▪ Involves the use of integrated apps & software in automating business processes throughout the organisation.
▪ BPA enables business processes to operate effectively and efficiently.
3. WHICH BUSINESS PROCESSES SHOULD BE AUTOMATED?
▪ Not every business process is a good fit for automation. Companies tend to automate those business processes that are time and resource-intensive or those that are subject to human error.
▪ Following are a few examples of processes that are best suited to automation:
1. Processes involving high-volume or repetitive tasks: Automating these processes results in reduction of cost and work effort. E.g. making purchase orders; generating invoices etc.
2. Processes requiring multiple people to execute tasks: Automating these processes results in reduction of waiting time and in costs. E.g., help desk services; tracking of goods etc.
3. Time-sensitive processes: BPA results in streamlined processes and faster turnaround times. It eliminates wasteful activities and focuses on enhancing tasks that add value. E.g., online banking systems, railway/aircraft operating and control systems etc.
4. Processes involving need for compliance and audit trail: Since every detail of a particular process is recorded, these details can be used to demonstrate compliance during audits. E.g., invoices issued to vendors, employee management system (salary calculations & employee attendance).
5. Processes having significant impact on other processes and systems: Some processes are cross-functional and have significant impact on other processes and systems. E.g., the marketing department may work with the sales department. Automating these processes results in easy sharing of information resources and improves the efficiency and effectiveness of business processes.
4. CHALLENGES INVOLVED IN BUSINESS PROCESS AUTOMATION
1. Automating redundant processes: Sometimes organizations start off BPA by automating the processes they find suitable for automation without considering whether such processes are necessary and create value. In other cases, some business processes and tasks require a high amount of tacit knowledge (that cannot be documented and transferred from one person to another) and therefore require employees to use their personal judgment.
2. Defining complex processes: This requires a detailed understanding of the underlying business processes to develop an automated process.
3. Staff resistance: Human factor issues are the main obstacle to the acceptance of automated processes. Staff may see BPA as a way of reducing their decision-making power. Moreover, the staff may perceive automated processes as a threat to their jobs.
4. Implementation cost: The implementation of BPA involves significant costs like the acquisition cost of automated systems & the special skills required to operate and maintain these systems.
5. BPA IMPLEMENTATION
Steps and explanation:
i) Define why we plan to implement BPA: The answer to this question provides the justification for implementing BPA. A list of generic reasons for justifying BPA may include:
   a) Errors in manual process leading to enhanced cost.
   b) Payment process not streamlined leading to duplicate payment.
   c) Payment for goods/services supplied not received on time.
   d) Poor debtor management system leading to more bad debts.
   e) Poor customer services.
   f) Delay in furnishing documents during audit.
ii) Understand rules/regulations under which the business performs: Any BPA must comply with applicable laws & regulations. Hence it is essential to understand the rules/regulations under which the business performs. E.g. books of account must be maintained for the specified time as per the Income Tax Act.
iii) Document the process we want to automate: All current processes & documents which are planned to be automated must be correctly & completely documented. Things to be kept in mind:
   a) What documents need to be captured?
   b) Where do documents come from: vendor or accounting software?
   c) What format are they in: paper, fax, e-mail or PDF?
   d) What is the impact of regulations on processing of these documents?
   e) Can there be a better way to do the same job?
   Benefits:
   1. Provides clarity on the process.
   2. Helps identify sources of inefficiencies, bottlenecks & problems.
   3. Allows designing the process to focus on desired results.
iv) Define the objectives/goals to be achieved by implementing BPA: Enables the developer & user to understand the reason for doing BPA. While determining the objectives of BPA, goals should be SMART:
   S → Specific, i.e., clearly determined.
   M → Measurable: easily quantifiable in monetary terms.
   A → Attainable: achievable through best result.
   R → Relevant: the entity must be in need of BPA.
   T → Timely: achieved within a given time frame.
v) Select BPA consultant/company: The entity needs to appoint an expert who can implement BPA. Selection depends on:
   a) Objectivity of the consultant in understanding the entity's situation.
   b) Does he have experience with the entity's BPA?
   c) Is he experienced in resolving critical issues?
   d) Can he recommend a combination of hardware & software for BPA & implement it?
vi) Calculate ROI: It helps in convincing top management to say 'Yes' to the BPA exercise. Some of the methods for justification of BPA are:
   a) Cost saving, clearly computed and demonstrated.
   b) Time saving: how BPA could lead to a reduction in required manpower.
   c) Reduced cost of space regained from paper, file cabinets, etc.
   d) Eliminating fines paid for delayed payment & eliminating double payment.
   e) Taking advantage of early payment.
   f) Reducing the cost of audits and lawsuits.
vii) Developing BPA: Once requirements have been documented, ROI is computed & approval of top management obtained, the consultant develops the required BPA.
viii) Testing of BPA: Before making the BPA live, it should be tested fully to
   a) see how it works,
   b) remove all problems, and
   c) enable improvement before the official launch.
   Testing helps increase user adoption and decreases resistance to change. The final version of the process is documented for
   a) training of new employees &
   b) future reference.
6.1. RISK
Refers to
➢ Any uncertain event that may result in loss for an organization
➢ Any uncertain event that may result in significant deviation from planned objective resulting in negative
consequences
Types of Risk
A. BUSINESS RISK
Business risk is a broad category which applies to any event or circumstance related to business goals. Businesses face all kinds of risks ranging from serious loss of profits to even bankruptcy.
a) Strategic Risk: Risk that prevents an organization from achieving its strategic objectives. E.g. risk related to strategy, regulatory changes, global market conditions like recession.
b) Financial Risk: Risk that results in negative financial impact to the organization. E.g. volatility of foreign exchange rates, interest rates, liquidity risk etc.
c) Regulatory Risk: Risk that can expose the organization to fines & penalties due to non-compliance with laws. E.g. violation of law w.r.t. taxation, environment, employee health.
d) Operational Risk: Risk that can prevent the organization from operating in its most effective and efficient capacity. E.g. risk of loss resulting from inadequate or failed internal processes, fraud or any criminal activity by an employee etc.
e) Hazard Risk: Risks that are insurable. E.g. natural disaster, asset impairment, terrorism etc.
f) Residual Risk: Risk remaining even after countermeasures are applied. All risk can't be eliminated; it should be minimized & kept at an acceptable low level.
B. TECHNOLOGICAL RISK
BPA is technology driven and this dependence on technology has led to various challenges. All risks related
to the technology equally apply to BPA.
a) Downtime due to technology failure: Information system facilities may become unavailable due to technical problems or equipment failure.
b) Frequent change or obsolescence of technology: Since technology keeps on evolving & is changing rapidly, there is a risk of obsolescence of technology resulting in loss.
c) Dependence on vendor due to outsourcing of IT services: BPA requires staff with specialized domain skills to manage the IT deployed. These services could be outsourced to vendors, and there is then heavy dependency on vendors.
d) External threat leading to cyber fraud/crime: If the I.S. can be accessed anytime & anywhere using the internet, there is a risk of fraud.
e) Proper alignment of technology with business objectives & legal requirements: Business must ensure it.
f) Higher impact due to intentional or unintentional acts of employees: Employees are the weakest link in a technology environment. Employees are expected to be trusted individuals that are granted extended privileges, which can easily be abused.
g) Need to ensure continuity of business in case of major emergency: Organizations must have a well documented business continuity plan.
6.2. RISK MANAGEMENT & RELATED TERMINOLOGY
b) Vulnerability: Refers to a weakness in the system safeguards that exposes the system to threats. It may be a weakness in information system/s, cryptographic systems (security systems), or other components (e.g., system security procedures, hardware design, internal controls) that could be exploited by a threat.
c) Threat: Refers to any entity, circumstance, or event with the potential to harm the software system or component through its unauthorized access, destruction, modification, and/or denial of service. A threat has the capability to attack a system with intent to harm. Assets and threats are closely correlated: a threat cannot exist without a target asset. Threats are typically prevented by applying some sort of protection to assets.
d) Exposure: Refers to the extent of loss the enterprise has to face when a risk materializes. It is not just the immediate impact, but the real harm that occurs in the long run. For example, loss of business, failure to perform the system's mission, loss of reputation, violation of privacy and loss of resources etc.
e) Likelihood: Refers to the estimation of the probability that the threat will succeed in achieving an undesirable event.
f) Attack: Refers to an attempt to gain unauthorized access to the system's services or to compromise the system's dependability. In software terms, an attack is a malicious intentional fault, usually an external fault, that has the intent of exploiting a vulnerability in the targeted software or system. Basically, it is a set of actions designed to compromise CIA (Confidentiality, Integrity or Availability).
g) Countermeasure: An action, device, procedure, technique or other measure that reduces the vulnerability of a component or system is referred to as a countermeasure. For example, the well-known threat 'spoofing the user identity' has two countermeasures:
   a) Strong authentication protocols to validate users; and
   b) Passwords should be stored securely (salted and hashed, never as recoverable plaintext).
Similarly, for other vulnerabilities, different countermeasures may be used.
After the above analysis, strategies for managing risk are decided. Not all risks require controls to counter them [cost-benefit analysis].
6.3. RISK MANAGEMENT STRATEGIES / RESPONSE [5 Ts]
Tolerate/Accept: In case of minor risk, i.e., where the impact or probability of occurrence is low, management may accept the risk as a cost of doing business.
Terminate/Eliminate: If the risk is associated with the use of a technology, supplier or vendor, it can be eliminated by
➢ replacing the technology with more robust products; and
➢ seeking more capable suppliers and vendors.
Transfer/Share: Risk may be shared with trading partners & suppliers, e.g. outsourcing of IT infrastructure management. Risk can also be insured.
Treat/Mitigate: When other options are not feasible, suitable controls must be developed & implemented
a) to prevent the risk from occurring, or
b) to minimize its impact.
Turn Back: Where the probability or impact of the risk is very low, management may decide to ignore the risk.
7.1. ENTERPRISE RISK MANAGEMENT
ERM Framework
ERM provides a framework of eight interrelated components for risk management which involves:
➢ identifying potential threats or risks.
➢ determining how big a threat or risk is, what could be its consequence, its impact, etc.
➢ implementing controls to mitigate the risks.
i) Internal Environment: The foundation for risk management. It involves analysis of the organization/entity, the people of the organization & the environment in which it works.
ii) Objective Setting: ERM involves setting objectives in line with the Vision & Mission of management & consistent with the risk appetite of the entity.
iii) Event Identification: Includes identifying uncertain events, internal as well as external, which may represent opportunity, risk or both.
iv) Risk Assessment: Involves analysis in terms of likelihood of risk & impact on the entity.
v) Risk Response: Management selects a risk response in line with the entity's risk tolerance & risk appetite. Higher risk appetite = higher risk tolerance = lower risk response.
vi) Control Activities: Refers to policies & procedures established to mitigate risk & maintain it at an acceptable level.
vii) Information & Communication: Risk responses & controls to be applied are communicated to relevant employees across the entity for carrying out the necessary activities for risk management.
viii) Monitoring the entire ERM process: The entire ERM process should be monitored regularly &, if necessary, modified.
7.2. BENEFITS OF ERM
a) Align risk appetite with strategy: ERM helps in aligning risk appetite with the strategy for achieving goals.
b) Link growth, risk & return: Entities accept risk as part of value creation & expect a return commensurate with the risk taken.
c) Minimize operational surprises & losses: ERM provides an advanced ability to identify potential events, assess risk & respond to it.
d) Seize opportunities: ERM enables the organization to identify opportunities & take advantage of them.
e) Enhanced risk response decisions: ERM helps to identify & select alternative risk responses, i.e. the 5 Ts.
f) Identify & manage cross-enterprise risk: The entity faces various risks. Management needs to manage not only individual risks but also related risks.
g) Provide integrated response to multiple risks: ERM helps to provide an integrated solution for multiple risks.
Control refers to policies, procedures & practices that are designed to provide reasonable assurance that
a) Business objectives are achieved
b) Undesired events are prevented, detected or corrected
c) Risks are mitigated
d) Assets are safeguarded and
e) Efficiency and effectiveness of Business Processes are achieved.
8.1. TYPES OF CONTROLS
8.2. IT CONTROLS OBJECTIVES
Meaning: A statement of the desired result or purpose to be achieved by implementing controls within an IT activity. Implementing the right type of controls is the responsibility of management. IT controls perform a dual role:
a) Enable the enterprise to achieve its objectives.
b) Mitigate risk.
Need:
a) Control cost & remain competitive.
b) To promote reliability & efficiency.
c) Makes the organization resilient & helps it sustain any disruption in a business process.
d) Provides policy & guidance for directing & monitoring the performance of an IT activity to achieve its objectives.
8.3. TYPES OF IT CONTROLS
8.4. KEY INDICATORS OF EFFECTIVE IT CONTROLS
IT controls implemented in an organization are considered to be effective on the basis of the following criteria:
a) Ability to plan & execute new work, like infrastructure upgrades to support a new product/service.
b) Development projects are delivered on time and within budget, with better product and service offerings compared to competitors.
c) Ability to allocate resources predictably.
d) Protection against new threats & vulnerabilities & recovery from any disruption.
e) Ensuring CIA & ACA of data.
f) Heightened security awareness among users & security-conscious controls.
8.5. FRAMEWORK OF INTERNAL CONTROL AS PER SA 315
SA 315 - Identifying & assessing the Risk of Material Misstatement by understanding entity & its
Environment
SA 315 defines Internal Control as
➢ Policy, practice & procedure implemented by TCWG & MGT
➢ To provide reasonable Assurance about achieving Entity’s objective regarding
a) Reliability of F.S
b) Efficiency & effectiveness of operations
c) Safeguarding of assets
d) Compliance with applicable laws & regulations.
Need for I.C → It helps organisation in ensuring RECS.
Note: I.C. mitigates Risk & does not eliminate it.
8.6. COMPONENTS OF INTERNAL CONTROL AS PER SA 315
Control Environment: A set of standards, processes & structures that provides the basis for implementing I.C. It comprises
▪ integrity & ethical values of the organization
▪ organizational structure
▪ assignment of authority & responsibility
▪ accountability etc.
The BOD & senior management establish the tone at the top regarding the importance of I.C., including expected standards of conduct.
Risk Assessment: Involves identification of risks & their assessment in terms of likelihood & impact. Risk assessment & its tolerance depend on the objectives of the organization. Risk assessment forms the basis for determining how risks will be managed.
Control Activities: Refers to policies, procedures & practices to a) mitigate risk & b) achieve objectives. They are performed at all levels of the entity and may be preventive or detective in nature. They include elements like authorizations, approvals, verifications, reconciliations and business performance reviews that ensure
a) transactions are authorized,
b) duties are segregated,
c) proper records are maintained, and
d) assets are safeguarded.
Information & Communication: It is necessary for the entity to collect important information about I.C. & communicate with
a) employees for implementation of I.C., and
b) external parties in response to requirements & expectations.
Monitoring of Controls: An ongoing & cyclic process of monitoring each of the 5 components of I.C. to ensure it is functioning smoothly. It comprises
▪ ongoing evaluations built into business processes which provide timely information (internal), and
▪ separate evaluations conducted periodically to assess risks & the effectiveness of ongoing evaluations (external).
Findings are evaluated against management's criteria and deficiencies are communicated to management & the BOD as appropriate.
8.7. LIMITATION OF IC
▪ I.C. provides reasonable assurance & not absolute assurance about achieving entity’s objective of RECS.
9. RISKS AND CONTROLS FOR SPECIFIC BUSINESS PROCESSES
9.1. SIX BUSINESS PROCESSES:
3) Inventory cycle
▪ Process of accurately tracking the on-hand inventory level (measured in number of days).
3 Phases Involved
a) Ordering Phase → Time required to order & receive RM.
b) Production Phase → Time taken to convert RM into finished goods ready for use by the customer.
c) Finished Goods & Delivery → Finished goods that remain in stock & delivery time to the customer.
4) Human Resource
▪ HR lifecycle refers to HRM & covers all stages of an employee’s time within the organization & the role
played by HR at each stage.
4 stages involved
a) Recruitment & Onboarding
   ▪ Recruitment: process of hiring, which involves placing job ads, selecting candidates, conducting interviews & choosing/finalizing etc.
   ▪ Onboarding: process of getting the successful applicant set up in the organization [ID card, laptop, access & privileges].
b) Orientation & Career Planning
   ▪ Orientation: process by which the employee becomes part of the company workforce, i.e., learning the job, establishing relationships etc.
   ▪ Career planning: employee & supervisor work out the long-term career goals of the employee.
c) Career Development
   ▪ It is essential to provide career development opportunities for retaining employees for the long term.
d) Termination or Transition
   ▪ Ensure all exit policies are followed, exit interviews are conducted & the employee is removed from the system.
5) Fixed Assets
▪ Process of ensuring that all F.A. of enterprise are tracked for purpose of –
➢ Financial Accounting [Dep];
➢ Preventive maintenance; &
➢ Theft deterrence.
▪ It involves maintaining proper details of quantity, type, location, condition & depreciation of asset.
6 Steps Involved
1. Procuring an Asset: On purchase of an asset, an entry is made in the accounting system when the invoice is received.
2. Registering or Adding an Asset: For depreciation purposes, details like date of acquisition, type & depreciation basis are registered.
3. Adjusting an Asset: Adjustment is required due to repair, improvement, change in basis for depreciation etc.
4. Transferring an Asset: To other branches, subsidiaries or departments within the organization group. This needs to be reflected accurately in the fixed assets management system.
5. Depreciating an Asset: Refers to the decline in economic & physical value of an asset. Depreciation should be properly calculated.
6. Disposing an Asset: When an asset is no longer in use, becomes obsolete or is beyond repair, it is disposed of. Any difference between the book value and the realized value is reported as a gain or loss, and depreciation is no longer charged. Mode of disposal: sale, abandonment or trade-in.
6) General Ledger
▪ Process of recording transactions in the system to finally generate reports from the system.
▪ Input for GL → financial transactions.
▪ Output for GL → reports like BS, P&L, CFS, ratio analysis etc.
5 steps involved
a) Entering of financial transaction in the accounting system
b) Review of transaction [control]
c) Approval of transaction [control]
d) Posting of transaction
e) Generation of financial reports
▪ Examples of GL master data files: a) Ledger b) Group c) Voucher Type
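The GL steps above (enter, review/approve, post) are where the SA 315 control activities from section 8.6 are actually enforced, and the record they leave is the audit trail that section 3 gives as a reason to automate a process. The following is an added example, not code from the original notes: a minimal ledger workflow that rejects unbalanced vouchers, allows approval only by a user holding the approver role who is not the preparer (segregation of duties), posts only approved vouchers, and writes every state change to a hash-chained audit trail so that later tampering with an entry is detectable. The users, roles, accounts and sample voucher are constructed test data; the class and function names are illustrative.

```python
"""Added example: GL posting workflow enforcing authorization, segregation of duties,
balanced entries and a tamper-evident audit trail. All names/data are constructed."""
import hashlib
import json
from dataclasses import dataclass

# Constructed role table (assumption): who may prepare and who may approve vouchers.
ROLES = {"alice": {"preparer"}, "bob": {"approver"}, "carol": {"preparer", "approver"}}


@dataclass
class Voucher:
    voucher_id: str
    lines: list                 # [(account, debit, credit), ...]
    prepared_by: str
    status: str = "entered"     # entered -> approved -> posted
    approved_by: str = None


class AuditTrail:
    """Append-only log; each entry commits to the hash of the previous entry."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev: str, event: dict) -> str:
        return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()

    def record(self, event: dict) -> None:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        self.entries.append({"event": event, "prev": prev, "hash": self._digest(prev, event)})

    def verify(self) -> bool:
        """Recompute the chain; any edited, reordered or removed entry breaks it."""
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(prev, e["event"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class Ledger:
    def __init__(self):
        self.balances = {}      # account -> running debit minus credit
        self.vouchers = {}
        self.audit = AuditTrail()

    def enter(self, v: Voucher) -> None:
        if "preparer" not in ROLES.get(v.prepared_by, set()):
            raise PermissionError(f"{v.prepared_by} may not prepare vouchers")
        if sum(d for _, d, _ in v.lines) != sum(c for _, _, c in v.lines):
            raise ValueError(f"{v.voucher_id} does not balance")      # double-entry check
        self.vouchers[v.voucher_id] = v
        self.audit.record({"step": "enter", "voucher": v.voucher_id, "user": v.prepared_by})

    def approve(self, voucher_id: str, user: str) -> None:
        v = self.vouchers[voucher_id]
        if "approver" not in ROLES.get(user, set()):
            raise PermissionError(f"{user} is not an authorized approver")   # authorization
        if user == v.prepared_by:
            raise PermissionError("segregation of duties: preparer cannot approve own voucher")
        if v.status != "entered":
            raise ValueError(f"{voucher_id} is {v.status}, not awaiting approval")
        v.status, v.approved_by = "approved", user
        self.audit.record({"step": "approve", "voucher": voucher_id, "user": user})

    def post(self, voucher_id: str) -> None:
        v = self.vouchers[voucher_id]
        if v.status != "approved":
            raise ValueError(f"{voucher_id} must be approved before posting")
        for account, debit, credit in v.lines:
            self.balances[account] = self.balances.get(account, 0) + debit - credit
        v.status = "posted"
        self.audit.record({"step": "post", "voucher": voucher_id, "user": "system"})

    def trial_balance(self) -> int:
        """Sum of all account balances; zero whenever every posted voucher balanced."""
        return sum(self.balances.values())


def run_demo() -> Ledger:
    """Constructed sample: credit purchase of office equipment, prepared by alice,
    approved by bob, then posted."""
    ledger = Ledger()
    ledger.enter(Voucher("JV-001", [("Office Equipment", 50000, 0), ("Vendor Payable", 0, 50000)], "alice"))
    ledger.approve("JV-001", "bob")
    ledger.post("JV-001")
    return ledger


if __name__ == "__main__":
    demo = run_demo()
    print(demo.balances, demo.trial_balance(), demo.audit.verify())
```

The chain only proves that the in-memory log has not been altered since it was written; in a real deployment the head hash would be periodically written somewhere the ledger application cannot modify (an external log service or a signed checkpoint) so that an administrator rewriting the whole log is also detected.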
10. REGULATORY & COMPLIANCE REQUIREMENTS
10.1. COMPANIES ACT, 2013
10.2. ICAI GUIDANCE NOTES ON AUDIT OF INTERNAL CONTROL OVER FINANCIAL STATEMENTS
▪ CG ensures that the company works in the best interest of its stakeholders, i.e. shareholders, Govt., society, banks etc.
▪ It refers to the framework of rules & practices by which the whole BOD ensures
➢ accountability,
➢ fairness and
➢ transparency in
the company's relationship with its stakeholders.
▪ The CG framework consists of
a) A contract between the company & its stakeholders for the distribution of rights, responsibilities & rewards.
b) Procedures for reconciling the conflicting interests of stakeholders with their roles.
c) Procedures for supervision, control & information flow to serve as checks & balances.
11.1. INTRODUCTION OF IT ACT
▪ The IT Act covers all internet activities in India, i.e., all online transactions in India.
▪ It provides validity & legal sanctity to all online/ Electronic Transactions, Docs, signature etc.
▪ It also provides penalties & remedies in case of non- compliance & offence.
11.2. KEY PROVISIONS OF IT ACT
Section 43 - Penalty and compensation for damage to computer, computer system, etc.: If any person, without permission of the owner or any other person who is in charge of a computer, computer system or computer network (hereinafter 'computer resource')
a) accesses or secures access to such computer resource;
b) downloads, copies or extracts any data from such computer resource;
c) damages or causes to be damaged any computer resource;
d) disrupts or causes disruption of any computer resource;
e) denies or causes the denial of access to a computer resource by authorized persons;
f) destroys, deletes or alters any information residing in a computer resource;
g) introduces or causes to be introduced any virus etc. into any computer resource;
h) steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code,
he shall be liable to pay damages by way of compensation to the person so affected.
Section 43A - Compensation for failure to protect data: Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates,
➢ is negligent in implementing and maintaining reasonable security practices and procedures, and
➢ thereby causes wrongful loss or wrongful gain to any person,
➢ such body corporate shall be liable to pay damages by way of compensation to the person so affected.
Punishments for various computer related offences
Section 65 - Tampering with computer source documents: If a person knowingly or intentionally conceals, destroys or alters, or causes another person to conceal, destroy or alter, source code used for a computer resource when the source code is required to be kept by law. Punishment: imprisonment up to 3 years; or fine up to 2 lakhs; or both.
Section 66E - Punishment for violation of privacy: If a person intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent. Punishment: same as above.
Section 66C - Punishment for identity theft: If a person fraudulently makes use of the electronic signature, password or other identification feature of another person. Punishment: imprisonment up to 3 years; and fine up to 1 lakh.
Section 66D - Punishment for cheating by personation by using computer resource: If a person cheats by personation using any computer resource. Punishment: same as above.
Section 66 - Computer related offences u/s 43: If a person fraudulently does any act referred to in section 43. Punishment: imprisonment up to 3 years; or fine up to 5 lakhs; or both.
Section 66B - Punishment for dishonestly receiving stolen computer resource or communication device: If a person dishonestly and knowingly receives or retains a stolen computer resource or communication device. Punishment: imprisonment up to 3 years; or fine up to 1 lakh; or both.
11.3. OBJECTIVES OF CYBER LAW / ADVANTAGES / WHY IT ACT WAS ENACTED
i) To grant legal recognition to transactions carried out by means of electronic data interchange or electronic commerce in place of paper-based methods of communication. [Section 4]
ii) To give legal recognition to digital signatures for authentication of any information or matter which requires authentication under any law. [Section 3]
iii) To facilitate electronic filing of documents with Government departments. [Section 6]
iv) The Act allows Government to issue notifications on the web, thus heralding e-governance.
v) To facilitate electronic storage of data.
vi) To provide legal sanction to the transfer of funds electronically to and between banks and financial institutions.
vii) To provide legal recognition for keeping books of account in electronic format by bankers. [Section 4]
viii) To provide a legal infrastructure to promote e-commerce and secure information systems.
ix) To manage cyber crimes at national and international levels by enforcing laws.
11.4. COMPUTER RELATED OFFENCES
'Cyber crime' finds no mention either in the IT Act 2000 or in any other legislation of the country. Cyber crime is not different from traditional crime; the only difference is that in cyber crime computer technology is involved, and thus it is a computer related crime.
1. Credit card fraud: Credit card cloning is a common fraud committed against persons using credit cards.
2. Cyber terrorism: Terrorists use virtual & physical storage media to hide information & records of illegal business.
3. Cyber pornography: It is legal in a few countries, but child pornography is illegal across the world.
4. Cyber crime: Any crime using computer technology is known as cyber crime.
5. Phishing & email scams: Involves fraudulently acquiring PINs, passwords and other sensitive information by pretending/masquerading as a trusted entity.
6. Source code theft: Source code is the most critical part of software & is regarded as the crown jewel/asset of a company.
7. Harassment using a fake profile: Harassment of a person on social media through a fake profile.
8. Online sale of illegal articles: Involves the sale of drugs, narcotics etc.
9. Webpage defacement: The homepage of a website is replaced with defamatory posts or pornographic material.
11.5. PRIVACY
11.6. SENSITIVE PERSONAL DATA INFORMATION
11.7. SCOPE OF SPDI
Rule 5 (Consent to collect): A body corporate shall obtain consent in writing from the provider of SPDI, before collecting SPDI, about the usage of such data.
Rule 6 (Consent to disclose): Disclosure of SPDI by a body corporate to any third party requires permission from the provider of SPDI. No permission is required if
a) such disclosure is necessary for compliance with a legal obligation, or
b) such disclosure has been agreed to in the contract between the body corporate & the provider of SPDI.
CHAPTER 2
Financial Accounting System
1. INTRODUCTION
❖ Financial Accounting System (FAS) is an integral part of any business & acts as its backbone.
❖ FAS includes other forms of business management like HR, inventory, customer relationship management etc.
❖ Requirements from FAS differ from person to person & it should fulfil the needs of all users simultaneously.
2. CONCEPTS IN COMPUTERIZED ACCOUNTING SYSTEMS
2.1. TYPES OF DATA
2.2. MASTER DATA (All business process modules must use common master data.)
Types of master data: Accounting Master Data; Inventory Master Data; Payroll Master Data; Statutory Master Data.
2.3. VOUCHER
2.4. VOUCHER TYPES
S No. / Voucher Type / Use
Module - Accounting
4. Journal: For recording all non-cash/bank transactions. E.g., depreciation, provision, discount given/received, purchase/sale of fixed assets on credit, write-off etc.
5. Sales: For recording all types of trading sales by any mode (cash/bank/credit).
6. Purchase: For recording all types of trading purchases by any mode (cash/bank/credit).
7. Credit Note: For making changes/corrections in already recorded sales/purchase transactions.
8. Memorandum: For recording transactions which will be in the system but will not affect the trial balance. In other words, memorandum vouchers are used to record suspense payments, receipts, sales, purchases etc.
Module - Inventory
9. Purchase Order: For recording a purchase order raised on a vendor.
10. Sales Order: For recording a sales order received from a customer.
11. Stock Journal: For recording physical movement of stock from one location to another.
12. Physical Stock: For making corrections in stock after physical counting.
13. Delivery Note: For recording physical delivery of goods sold to a customer.
14. Receipt Note: For recording physical receipt of goods purchased from a vendor.
Module - Payroll
15. Attendance: For recording attendance of employees.
16. Payroll: For recording all employee-related transactions like salary calculations.
2.5. ACCOUNTING FLOW: 7 STEPS (5 S/W, 2 HUMAN)
▪ Basic objective of any accounting s/w is to generate two primary accounting reports, i.e., P&L and Balance Sheet.
▪ For FAS, ledgers may be classified in two types only: ledger having debit balance and ledger having credit balance.
▪ Every ledger is classified in 1 of 4 categories only, i.e., income, expense, asset or liability.
▪ There may be any number of sub-groups under these four basic groups (Asset → Fixed Asset → P&M, Office Equipment, Motor Vehicle).
▪ Since the balance in the P/L account, i.e., net profit or net loss, is reflected in the balance sheet, everything in accounting s/w boils down to the balance sheet.
3. TECHNICAL CONCEPTS – COMPUTERIZED FAS
PARTICULARS / FRONT END / BACK END
Domain expertise: Front end is meant for handling requests from users; back end is meant for storing and handling the data.
Presentation: Front end is meant for presenting information in proper format, different colours, etc.; back end is not meant for presentation and is not expected to do it either.
User experience: Front-end user interface should be simple and intuitive, i.e., minimum help should be sought by the user; back end processes raw data and has no need of user experience.
Language: Front end can speak in the user's language as well as technical language; back end speaks only in technical language not understood by the layman (user).
Speed: Separate back-end software is used for handling (storage/processing) data. This reduces load and increases speed.
Application software generally comprises three layers which together form the application, namely an Application Layer, an Operating System Layer and a Database Layer. This is called Three Tier architecture.
a) Application Layer receives the inputs from the users and performs certain validations, e.g., whether the user is authorized to request the transaction.
b) Operating System Layer then carries these instructions and processes them using the data stored in the database and returns the results to the application layer.
c) Database Layer stores the data in a certain form.
Non-integrated System → System of maintaining data in a decentralized way. Each dept. has its own database separately. Two major problems:
a) communication gap &
b) mismatched data (leads to confusion between various departments)
4. INTEGRATED ENTERPRISE RESOURCE PLANNING [ERP]
5. ERP IS BASED ON
6. BENEFITS OF ERP
1. Use of new technology like client server tech., cloud computing, mobile computing etc.
2. Information integration as it automatically updates data b/w related functions.
3. On-time shipment as the process involved in delivery of goods is automated and errors are reduced.
4. Better customer satisfaction: Customer can place order, track order etc. sitting at home.
5. Reduction in lead time: Time elapsed b/w placing of order & receiving it.
6. Reduction in cycle time: Time elapsed b/w placement of order & delivery of order.
7. Reduction in quality cost: ERP eliminates duplication/redundancy of process & provides tools for Total Quality Management.
8. Improved flexibility by making info available across depts, automating processes, which helps it to react to a changing environment in a better way.
9. Improved analysis, planning & decision making, as it enables use of many decision support systems & "what if" scenarios.
10. Improved supplier performance: it provides vendor management tools & procurement support tools.
11. Improved resource utilization: Efficiency is increased as inventory is maintained at minimum level & machine downtime is minimum.
7. RISK & CONTROL IN ERP ENVIRONMENT
Two major risks arising due to use of a centralized common database (all data at one place):
▪ All persons in an organization access the same set of data on a day-to-day basis. This poses a risk of leakage of info or access of the information system by an unauthorized person. E.g., a sales person checking the salary of his friend in the production dept.
▪ All users use the same data for recording transactions. This results in a risk of incorrect data being put in the system by an unauthorized user. E.g., an HR person recording purchase data.
Control: RBAC
8. ROLE BASED ACCESS CONTROL (RBAC)
Examples of access that can be allowed & disallowed for various types of personnel:
Directors: Complete access to all reports, masters & transactions but only for viewing. Can't create or alter.
CFO: Same as director, but in some cases creation or alteration access to masters & transactions may be given.
Head of a Department: Full access to all department-related masters & transactions. No access to non-related masters, transactions and reports.
Accountant: Can make voucher entries & view accounting master data. Can't create masters or access reports.
Data Entry Operator: Very limited access should be given. Can't create accounting masters or access reports.
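An added example (not code from the study notes) that models the personnel table above and the two risks from section 7 as an RBAC check in Python; the role names, resource kinds, the department-scope rule, the per-user CFO grant and the sample users are all assumptions:

```python
# Added example, not from the study notes: an RBAC check modelled on the
# personnel table in section 8 and the two centralised-database risks in
# section 7. Role names, resource kinds, the permission matrix, the sample
# users and the "department scope" rule are all constructed assumptions.
from dataclasses import dataclass, field
from typing import Optional

VIEW_ONLY = frozenset({"view"})
FULL = frozenset({"view", "create", "alter"})

# Role -> resource kind -> permitted actions. A kind that is absent means
# the role has no access to it at all (e.g. no "report" for accountants).
ROLE_PERMISSIONS = {
    "director": {"report": VIEW_ONLY, "master": VIEW_ONLY,
                 "transaction": VIEW_ONLY},
    # CFO starts exactly like a director; create/alter on masters and
    # transactions is an explicit per-user grant, never on reports.
    "cfo": {"report": VIEW_ONLY, "master": VIEW_ONLY,
            "transaction": VIEW_ONLY},
    "head_of_department": {"master": FULL, "transaction": FULL},
    "accountant": {"master": VIEW_ONLY,
                   "transaction": frozenset({"view", "create"})},
    # Assumption: the operator may only key in vouchers.
    "data_entry_operator": {"transaction": frozenset({"create"})},
}
# Roles whose view is organisation-wide; every other role is limited to
# its own department's data ("need to know" basis).
ORG_WIDE_ROLES = frozenset({"director", "cfo"})
GRANTABLE_KINDS = frozenset({"master", "transaction"})


@dataclass(frozen=True)
class User:
    name: str
    role: str
    department: Optional[str] = None
    extra_grants: frozenset = frozenset()   # {(kind, action), ...}


@dataclass(frozen=True)
class Resource:
    kind: str          # "report" | "master" | "transaction"
    department: str    # department that owns the data


@dataclass
class AuditTrail:
    """Every decision is recorded, allowed or not (audit question viii)."""
    entries: list = field(default_factory=list)

    def denied(self):
        return [e for e in self.entries if not e["allowed"]]


AUDIT = AuditTrail()


def is_allowed(user: User, action: str, resource: Resource) -> bool:
    """True only if the role permits the action on this kind of resource
    AND the user is in scope for the department that owns it."""
    role_perms = ROLE_PERMISSIONS.get(user.role, {})
    permitted = set(role_perms.get(resource.kind, frozenset()))
    permitted |= {a for k, a in user.extra_grants
                  if k == resource.kind and k in GRANTABLE_KINDS}
    in_scope = (user.role in ORG_WIDE_ROLES
                or user.department == resource.department)
    allowed = action in permitted and in_scope
    AUDIT.entries.append({"user": user.name, "action": action,
                          "kind": resource.kind,
                          "department": resource.department,
                          "allowed": allowed})
    return allowed


def demo_decisions() -> dict:
    """Replay the page's examples with constructed users and resources."""
    AUDIT.entries.clear()
    director = User("director_1", "director")
    cfo = User("cfo_1", "cfo", extra_grants=frozenset({("master", "alter")}))
    sales_operator = User("sales_op_1", "data_entry_operator", "sales")
    hr_head = User("hr_head_1", "head_of_department", "hr")
    salary_voucher = Resource("transaction", "production")  # a colleague's pay
    purchase_voucher = Resource("transaction", "purchase")
    hr_voucher = Resource("transaction", "hr")
    gl_master = Resource("master", "accounts")
    return {
        "director_views_salary": is_allowed(director, "view", salary_voucher),
        "director_alters_master": is_allowed(director, "alter", gl_master),
        "cfo_alters_master": is_allowed(cfo, "alter", gl_master),
        "cfo_creates_master": is_allowed(cfo, "create", gl_master),
        # risk 1: sales person checking a friend's salary in production
        "sales_op_views_salary": is_allowed(sales_operator, "view", salary_voucher),
        # risk 2: HR person recording purchase data
        "hr_head_records_purchase": is_allowed(hr_head, "create", purchase_voucher),
        "hr_head_records_hr": is_allowed(hr_head, "create", hr_voucher),
    }


if __name__ == "__main__":
    for case, ok in demo_decisions().items():
        print(f"{case:28s} {'ALLOW' if ok else 'DENY'}")
    print(f"{len(AUDIT.denied())} denied attempts recorded")
```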
9. ERP IMPLEMENTATION, RISK & CONTROL
▪ ERP implementation is a huge task and requires substantial money, time & patience.
▪ Success, in terms of payback or RoI of ERP, depends upon successful implementation & once implemented, proper usage of ERP.
Implementation issues: People Issues, Process Issues, Technological Issues, Other Implementation Issues, Post Implementation Issues.
▪ Vendor & Consultant efficient.
Business Process Reengineering: BPR is not just change but dramatic change & dramatic improvement in the way business is conducted. Control: Requires overhauling of organizational structure, job descriptions, skill development & training in use of IT.
Lengthy implementation time: It may take between 1 to 4 years depending upon the size of the organization. Control: Care should be taken to keep momentum high & enthusiasm alive.
Insufficient funding: Budget is allocated without consulting experts & then work stops due to lack of funds. Control: Necessary to allocate required funds & also allocate some funds for contingencies.
Data safety: Since there is only one set of data, if it is lost the whole business stops. Control: Backup and disaster recovery plan should be maintained. Strict physical & logical access control should be maintained.
System failure: Since there is a central database, in case of system failure entire business operations will get adversely affected. Control: Allocate alternate hardware and network (Internet) arrangements.
Data access: Leakage & unauthorized access of data. Control: Access rights need to be defined carefully & provided on 'need to do' & 'need to know' basis.
11. AUDIT OF ERP SYSTEM
11.1. CONTROLS
Management Control: Deals with organisation policy, procedure & planning w.r.t. ERP system control.
Environmental Control: Operational control administered through computer centre/computer operations group and the built-in operating system controls.
Audit checklist:
… information assets?
iv) Does it have controls to process only authentic, valid, accurate transactions?
v) Are all system resources protected from unauthorized access and use?
vi) Are user privileges based on what is called 'role-based access'?
vii) Is there an ERP system administrator with clearly defined responsibilities?
viii) Are there adequate audit trails and monitoring of user activities?
ix) Are users trained?
x) Do they have complete and current documentation?
xi) Is there a problem-escalation process?
Auditing Aspect
▪ Ensure physical control over data.
▪ Ensure access is given on "need to know" and "need to do" basis.
▪ Includes testing of different modules/functions & features in ERP and testing of the overall process or part of the process in the system & comparing it with actual.
▪ Involves checking of rules for input of data into the system. E.g., a cash sale should be recorded on the date of sale, not before, not later.
12. BUSINESS PROCESS MODULES AND THEIR INTEGRATION WITH FINANCIAL AND ACCOUNTING SYSTEMS
Accounting Flow (starting from the Source Document):
1. Source Document: A document that captures data from transactions and events.
2. Journal: Transactions are recorded into journals from the source document.
3. Ledger: Entries are posted to the ledger from the journal.
4. Trial Balance: Unadjusted trial balance containing totals from all account heads is prepared.
5. Adjustments: Appropriate adjustment entries are passed.
6. Adjusted Trial Balance: The trial balance is finalized post adjustments.
7. Closing Entries: Appropriate entries are passed to transfer accounts to financial statements.
8. Financial Statements: The accounts are organized into the financial statements.
14. FUNCTIONAL MODULES OF ERP
Account Groups, creation of General Ledger Account.
d) Account Receivables → creation of customer master data & customer-related finance attributes like payment terms.
e) Account Payables → creation of vendor master data & vendor-related finance attributes like payment terms.
f) Asset Accounting → creation of Asset Master Data.
g) Tax Configuration & creation and maintenance of House of Banks.
14.2. CONTROLLING MODULE [CO]
▪ It controls cost elements & revenue elements.
c) Activity based costing: Facilitates analysis of cross-function cost allocation to various cost centres.
d) Product cost accounting: Analysis of cost incurred to manufacture a product or provide a service.
e) Profit centre accounting: Evaluates P&L on individual independent areas of business.
f) Profitability accounting: Reviews info w.r.t. the company's profit by individual market segment.
It is used by an organisation to support sales & distribution activities of goods & services, starting from enquiry to order and ending with delivery.
Process:
1. Pre-sale activities: Prospecting of customers, identifying them, fixing appointment, showing demo & submitting quotation.
2. Sales order processing: On receipt of PO, SO (Qty, Rate, Description) is recorded in books.
3. Inventory sourcing: Ensuring goods are ready & available for delivery.
4. Delivery of material: Should be as per SO. Inventory will reduce on recording of this transaction.
5. Billing: Raising of sales invoice against delivery of material to customer.
6. Payment: Receipt of payment & recording it against the sales invoice.
Features
▪ Setting up org. structure: Creation of new Co., Co. code, sales organisation, distribution channels, divisions, maintaining sales office, etc.
▪ Assigning org units: Assigning individual components created above to each other, like company code to company, sales organization to company code, distribution channel to sales organization, etc.
▪ Defining pricing component: Like sale document, billing, tax related component etc.
▪ Customer master data: Setting up customer master data records and configuration.
14.4. MATERIAL MANAGEMENT MODULE [MM]
Process: Production Dept sends Purchase Requisition → Purchase Dept evaluates request w.r.t. current stock and pending orders → If requisition accepted, ask for quotations from approved vendors → Evaluation of quotations → Select best option & place order (send PO).
14.5. PRODUCTION PLANNING MODULE [PP]
14.6. PLANT-MAINTENANCE MODULE [PM]
Overview:
▪ It is a functional module.
▪ It handles maintenance of equipment & enables efficient planning of production.
▪ This application component provides a comprehensive software solution for all maintenance activities that are performed within a company.
Objectives:
a) Achieve minimum breakdown and keep machines in good working condition at minimum cost.
b) Keep machines in a condition that they are used at optimum capacity.
c) Ensure availability of machines & services required by other sections of the factory for performing their functions at optimum capacity.
14.7. PROJECT SYSTEM MODULE [PSM]
▪ Integrated project management tool used for planning & managing projects & portfolio management.
▪ It ensures that:
a) Projects are executed within budget & time.
b) Resources are allocated to projects as per requirement.
Examples: DLF executing a project of building a mall; ERP implementation.
14.8. QUALITY MANAGEMENT MODULE [QM]
14.9. SUPPLY CHAIN MODULE [SCM]
▪ It is network of
14.10. CUSTOMER RELATIONSHIP MANAGEMENT MODULE [CRM]
14.11. HUMAN RESOURCE PLANNING [HRM]
c) Handles input transactions like attendance, leave, holidays, advance etc.
d) Generates payroll reports.
15. INTEGRATION OF VARIOUS MODULES OF ERP
▪ ERP has many modules & all modules are inter-related & inter-dependent.
▪ All modules must work in harmony with each other to get the desired result.
Integration (Illustrative):
i) MM with FICO ii) HRM with FICO iii) MM with PP iv) MM with PP v) MM with S&D vi) MM with QM vii) PP with S&D viii) SD with FICO
16. REPORTING SYSTEM & MANAGEMENT INFORMATION SYSTEM (MIS)
Report: Presentation of info in a proper & meaningful way. E.g., BS, P/L account, CFS.
Reporting System: System of regularly reporting on pre-decided aspects.
Objective of Reporting System: Give right info to right people at right time for right decision making.
Two Basic Reports: Balance sheet & P&L; used for basic analysis of financial position & financial performance.
For decision making by Mgt, more reports are required. Hence, we need a proper reporting system to serve the purpose.
16.1. MANAGEMENT INFORMATION SYSTEM (MIS)
▪ It is a tool for providing accurate, relevant, timely & structured info/data to managers for decision making.
▪ It is a tool used by managers to evaluate business processes & operations.
▪ Large businesses have a separate MIS department whose only job is to gather info & create MIS reports.
▪ Tech used: simple s/w and spreadsheets (small businesses) to sophisticated ones (large businesses).
Types of MIS depend on the number of divisions/departments in an organization:
➢ Sales & Marketing
➢ Manufacturing & Production
➢ HR etc.
➢ Accounting & Finance
▪ It automatically collects data from various areas within a business & generates reports sent to key members throughout the Org as prescribed.
▪ Allows managers & other users to generate customised MIS reports whenever needed.
16.2. FEATURES OF MIS REPORTS
17. DATA ANALYTICS & BUSINESS INTELLIGENCE
Tech. tools used for Data Analysis:
▪ Business Intelligence
▪ Data mining
▪ Machine Learning
▪ OLAP [Online Analytical Processing]
▪ Text Mining
Application areas of Data Analytics:
a) Banks & credit card companies analyse withdrawal & spending patterns to prevent fraud.
b) Healthcare orgs mine data to evaluate effectiveness of treatment of diseases like AIDS, Covid-19, Cancer.
c) E-commerce & marketing Sr companies use D.A. to identify website visitors who are more likely to buy a product or service.
d) Mobile network operators examine data to forecast how to retain customers.
Types of Data Analytics: Quantitative D.A., Qualitative D.A., Exploratory D.A., Confirmatory D.A., Data Mining, Machine Learning, Predictive Analysis.
Big Data Analytics applies data mining, predictive analytics and machine learning tools to sets of big data that often contain unstructured and semi-structured data.
Text mining provides a means of analysing documents, emails and other text-based content.
Data Analytics Process:
a) Data collected for analysis.
b) Data from different sources is combined in standard form.
c) Integrated data loaded in analytical system.
d) Fix data quality problems.
e) Analytical model is run on the data set.
Participants in Data Analytics Process:
a) Data Analyst
b) Data Engineer
c) Data Scientist – builds data analytical models using predictive modelling tools and other software & languages like SQL, Python etc.
17.4. BUSINESS INTELLIGENCE (TOOL FOR DATA ANALYTICS)
18. BUSINESS REPORTING / ENTERPRISE REPORTING
Refers to:
a) public reporting of financial data by business enterprises, or
b) regular provision of info to decision makers within an organization to support them in their work.
It involves ETL with a data warehouse & one or more reporting tools.
What does an organisation report?
a) Vision, mission, objective & strategy
b) Governance, arrangement & risk management
c) Financial, society & environmental performance
d) Trade off b/w long-term & short-term strategies
Types of Business Reporting:
a) Financial & Regulatory Reporting. E.g., Annual Report
b) Environmental, Social & Governance Reporting
c) Integrated Reporting
a) Allows organizations to present a cohesive explanation of their business and helps them engage with
internal and external stakeholders.
b) Crucial for stakeholders to assess organizational performance and make informed decisions
c) Various stakeholder groups are demanding increased ESG information, as well as greater insight into how
these factors affect financial performance and valuations.
d) High-quality reports also promote better internal decision-making.
e) High-quality business reporting is at the heart of strong & sustainable org, financial markets & economies.
19. XBRL: EXTENSIBLE BUSINESS REPORTING LANGUAGE
19.1. XBRL TAGGING
▪ It is a process by which
➢ financial data is tagged/linked with
➢ the most appropriate element/definition in a taxonomy (dictionary of accounting terms)
➢ that best represents the data.
▪ All XBRL reports use the same taxonomy.
▪ Numbers tagged with the same element are comparable irrespective of how they are described by those preparing the reports.
▪ This tagging facilitates
a) identification/classification of data,
b) interchange of data b/w different I.S. & different users,
c) comparison between the reports.
19.2. WHAT DOES XBRL DO?
XBRL makes reporting more accurate and more efficient. It allows unique tags to be associated with reported facts, allowing:
a) People publishing reports: to do so with confidence that the information contained in them can be consumed and analysed accurately.
b) People consuming reports: to test them against a set of business and logical rules, to capture and avoid mistakes at their source.
c) People using the information: to do so in the way that best suits their needs.
d) People consuming the information: to do so confident that the data provided to them conforms to a set of sophisticated pre-defined definitions.
19.3. USERS OF XBRL
19.4. FEATURES OF XBRL:
a) Clear definition: It allows creation of reusable & authoritative elements/definitions, i.e., taxonomy, that best represent financial data. These elements/taxonomies are developed by regulators, AS setters, government agencies etc.
b) Testable business rules: It allows creation of business rules that can be logical or mathematical. These rules stop poor quality information from being prepared, shared or used. It flags/highlights questionable info, resulting in corrective action or explanation. Provides value added info like ratios.
c) Multi-lingual support: Allows definitions, i.e., taxonomy, to be prepared in as many languages as possible. It can also be translated into other languages.
d) Strong software support: Supported by a wide variety of s/w, from large vendors to small vendors.
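An added illustration, not from the study notes, of how tagging (19.1) and testable business rules (19.4) work together: two preparers' reports with different captions are tagged to one constructed mini-taxonomy, validated against mathematical and logical rules, and a ratio is derived. The element names, rules, caption maps and figures are constructed and are not an official XBRL taxonomy.

```python
# Added example, not from the study notes: XBRL-style tagging (section 19.1)
# and testable business rules (section 19.4) in miniature. The element
# names, the rules, the caption-to-element maps and the two reports are all
# constructed for illustration; they are not an official XBRL taxonomy.

# Constructed mini-taxonomy: element name -> authoritative definition.
TAXONOMY = {
    "Assets": "Total assets at the reporting date",
    "Liabilities": "Total liabilities at the reporting date",
    "Equity": "Total shareholders' equity",
    "CurrentAssets": "Assets expected to be realised within one year",
    "CurrentLiabilities": "Liabilities due within one year",
    "Revenue": "Revenue for the period",
    "NetIncome": "Net profit or loss for the period",
}

# Business rules: "math" rules must hold exactly; "logic" rules flag
# questionable figures that need an explanation before the report is used.
RULES = [
    ("math", "Assets = Liabilities + Equity",
     lambda f: f["Assets"] == f["Liabilities"] + f["Equity"]),
    ("math", "CurrentAssets <= Assets",
     lambda f: f["CurrentAssets"] <= f["Assets"]),
    ("math", "CurrentLiabilities <= Liabilities",
     lambda f: f["CurrentLiabilities"] <= f["Liabilities"]),
    ("logic", "NetIncome should not exceed Revenue",
     lambda f: f["NetIncome"] <= f["Revenue"]),
    ("logic", "Negative Equity needs an explanation",
     lambda f: f["Equity"] >= 0),
]


def tag_report(raw_report, caption_map):
    """Link each preparer's caption to the taxonomy element that best
    represents it. Returns (facts keyed by element, untagged captions)."""
    facts, untagged = {}, []
    for caption, value in raw_report.items():
        element = caption_map.get(caption)
        if element not in TAXONOMY:
            untagged.append(caption)
        else:
            facts[element] = value
    return facts, untagged


def validate(facts):
    """Run every rule; return (kind, description) for each failure.
    A rule whose inputs are not tagged fails instead of raising."""
    findings = []
    for kind, description, check in RULES:
        try:
            passed = check(facts)
        except KeyError as missing:
            passed = False
            description = f"{description} (element {missing} not tagged)"
        if not passed:
            findings.append((kind, description))
    return findings


def current_ratio(facts):
    """Value-added information derived from the tagged facts."""
    return round(facts["CurrentAssets"] / facts["CurrentLiabilities"], 2)


def comparable(facts_list, element):
    """Both reports are tagged to the same element, so the numbers are
    comparable regardless of the captions the preparers used."""
    return [f[element] for f in facts_list]


# Constructed reports from two preparers using different captions.
REPORT_A = {"Total Assets": 500, "Total Liabilities": 300, "Equity": 200,
            "Current Assets": 150, "Current Liabilities": 100,
            "Revenue": 900, "Net Profit": 60, "Footnote": "n/a"}
MAP_A = {"Total Assets": "Assets", "Total Liabilities": "Liabilities",
         "Equity": "Equity", "Current Assets": "CurrentAssets",
         "Current Liabilities": "CurrentLiabilities", "Revenue": "Revenue",
         "Net Profit": "NetIncome"}
REPORT_B = {"Sum of assets": 480, "Sum of liabilities": 300,
            "Owners' funds": 200, "Short-term assets": 140,
            "Short-term liabilities": 70, "Turnover": 850}
MAP_B = {"Sum of assets": "Assets", "Sum of liabilities": "Liabilities",
         "Owners' funds": "Equity", "Short-term assets": "CurrentAssets",
         "Short-term liabilities": "CurrentLiabilities", "Turnover": "Revenue"}


def run_demo():
    facts_a, untagged_a = tag_report(REPORT_A, MAP_A)
    facts_b, _ = tag_report(REPORT_B, MAP_B)
    return {
        "untagged_a": untagged_a,                # ["Footnote"]
        "findings_a": validate(facts_a),         # []
        "findings_b": validate(facts_b),         # balance fails, NetIncome missing
        "ratio_a": current_ratio(facts_a),       # 1.5
        "assets": comparable([facts_a, facts_b], "Assets"),  # [500, 480]
    }
```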
20. APPLICABLE REGULATORY & COMPLIANCE REQUIREMENTS
▪ RC refers to an organization's adherence with laws, regulations & guidelines relevant for its business.
▪ Organizations aspire to ensure that they are aware of relevant laws, rules & regulations & take steps to comply with them.
▪ Organizations are using consolidated & harmonized sets of compliance controls so that all necessary compliances are met w/o unnecessary duplication of efforts & activities.
▪ Violation of regulatory compliance leads to punishment like interest, penalty, fee & prosecution.
Types: General RC and Specific RC.
▪ RC and accounting are closely connected, as RC requires data & accounting data comes from the accounting system. Two approaches:
Basis: Same software for A/c & tax compliance vs. different software for A/c & tax compliance
▪ Ease of operation: Same software – LESS, as it is an integrated system, making changes at one place may affect other aspects also. Different software – MORE, as this is used only for one single purpose, so more specialised.
▪ Features & functionality: Same software – LESS, as this is not an exclusive system for tax compliance. Different software – MORE, as it is exclusive for tax compliance.
▪ Time & effort: Same software – LESS, as this is an integrated system, no time required to transfer data to compliance s/w. Different software – MORE, as data needs to be moved from A/c s/w to tax s/w.
▪ Accuracy: Same software – MORE, as there is no movement of data between different systems, so no error. Different software – LESS, as there are two separate systems, the possibility of mismatch of data is always there.
▪ Cost: Same software – MORE, as customizing the A/c system for tax compliance is more costly than purchasing separate tax compliance s/w. Different software – LESS, as it is specific s/w, it is less complicated and hence less cost.
CHAPTER 3
Information System & Its Components
1. INTRODUCTION
2. INFORMATION SYSTEM / COMPUTER BASED I.S. (CBIS)
It is the combination of hardware, software, people, data resources & network which
a) processes data into information
b) for a specific purpose/objective.
Example:
Tally: Accounting software in India
QuickBooks: Accounting software across the world.
Objectives:
▪ To convert the data into information which is useful and meaningful.
▪ It helps enterprises in: a) making decisions, b) controlling the operations, c) analysing problems and creating new products or services as an output.
Characteristics:
a) CBIS is developed on the basis of predetermined objectives.
b) Inter-related and inter-dependent sub-systems.
c) If one sub-system fails, the whole system won't work.
d) Components interact among themselves.
e) Work done by individual sub-systems is integrated to achieve a common goal.
3. INFORMATION SYSTEM MODEL
I.S. Model provides a framework that emphasizes four major concepts that can be applied to all types of information systems:
a) Input: Data is collected from an organization or from external environments and converted into a suitable format required for processing.
b) Process: A process is a series of steps undertaken to achieve a desired outcome or goal. It facilitates conversion of data into information.
c) Output: The system processes the data by applying the appropriate procedure on it and the information thus produced (output) is stored for future use or communicated to the user.
d) Feedback: I.S. needs feedback that is returned to appropriate members of the enterprise to help them evaluate at the input stage.
4. COMPONENTS OF INFORMATION SYSTEM
People: Anyone who manages, runs, programs or uses I.S. – Programmers, System Admin., Data Entry Operator, Help Desk, CIO.
Computer System: Comprises Hardware (Input Device, Processing Device, Storage Device, Output Device) and Software (OS S/W, App S/W, DBMS Module).
Data Resource: Data, Database, Database Management System.
Network & Communication System: Computer Network, Telecommunication.
4.1. HARDWARE
4.1.1. PROCESSING DEVICE
▪ Most common processing device is the CPU, which is the actual hardware that interprets and executes the software instructions.
▪ Built on a small flake of silicon containing the equivalent of several million transistors.
▪ Transistors are like switches which could be "ON" or "OFF", i.e., taking a value of 1 or 0.
▪ CPU is known as the brain of the computer & consists of the following three functional units:
Control Unit: It controls the flow of data & instructions to and from memory, interprets the instructions, and controls which tasks to execute and when.
ALU: It performs arithmetic operations such as addition, subtraction, multiplication, and logical comparison of numbers: equal to, greater than, less than, etc.
Processor Registers: Registers are part of the computer processor which are used to hold a computer instruction, perform mathematical operations & execute commands. These are high speed, very small memory units within the CPU for storing small amounts of data (mostly 32 or 64 bits). Registers could be:
a) accumulators (for keeping running totals of arithmetic values),
b) address registers (for storing memory addresses of instructions),
c) storage registers (for storing the data temporarily) and
d) miscellaneous (used for several functions for general purpose).
4.1.2. DATA STORAGE DEVICES
4.1.3. OUTPUT DEVICES
4.2. SOFTWARE
▪ Set of instructions & programs that tells computers what to do. Created through a process of coding/programming through languages like C++, JAVA.
▪ Two types:
Operating System: Set of instructions/programs/software that
➢ manages h/w resources and
➢ acts as an intermediary b/w hardware & app software.
Example: Windows, Linux, Android, Tizen, Harmony OS, iOS
Application Software: Includes all software that causes the computer to perform useful tasks other than running the computer itself. It addresses real-life problems of its end users, which may be business or scientific or any other problem.
Virtual Memory is not a separate device but an imaginary memory supported by the OS. If the RAM required to run a program falls short, the OS moves data from RAM to a space in the HDD called the paging file. This frees RAM to execute the work. Thus, it is allocation of HD space to help RAM.
Organizations generate & collect huge quantities of different types of data like production related data, HR related data, market related data etc. These are stored in DATABASES.
A) HIERARCHICAL DATABASE MODEL
▪ Records/nodes are arranged logically in a hierarchy of relationships in an inverted tree structure.
▪ Top parent record in the hierarchy that "owns" other records is called the Parent Record/Root Record, which may have one or more child records, but no child record may have more than one parent record.
▪ Types of relationships: 1 to 1 relationship, 1 to many relationship.
▪ Data is accessed in a top-down manner.
▪ Search is difficult & time consuming.
B) NETWORK DATABASE MODEL
C) RELATIONAL DATABASE MODEL
b) Attribute – Columns of the relation are called Attributes [Identify key Attribute]
c) Domain – Set of values that attributes can take.
▪ A relational database contains multiple tables.
▪ For each table, one of the fields is identified as a Primary Key, which is the unique identifier for each record in the table.
▪ If the primary key of one table is used in another table to access the former, it is called a Foreign Key.
▪ Example: MS Access, MySQL, Oracle
D) OBJECT ORIENTED DATABASE MODEL
4.3.1. ADVANTAGES OF DBMS
1. Program & file consistency: As file formats & programs are standardized.
2. Minimize data redundancy: Duplication of info is either eliminated or controlled or reduced.
3. Allows data sharing: Same info is available to different users.
4. Integrity can be maintained: Database contains accurate, consistent & up-to-date data. Changes in the database are allowed to be made only by authorised persons.
5. User friendly: Enables users to access data & use it easily without the need of a computer expert.
6. Improved security: Since multiple users use the same data, it is necessary to define user access rules.
7. Data independence: Data resides in the DB & not in the app, so both are independent.
8. Faster application development: Since data is already present in the DB, the app developer has to think only about the logic to retrieve data in the way a user needs.
4.3.2. DISADVANTAGES OF DBMS
4.3.3. SOME CONCEPTS RELATED WITH DATABASE
A. BIG DATA
▪ Refers to such massive large data sets that conventional database tools do not have the processing power to analyze them. E.g., Google handles billions of searches every day.
▪ Some industries that use big data analytics include e-commerce (Amazon), retail business (Walmart), healthcare industry, hospitality industry etc.
Benefits of Big Data Processing
a) Improved customer services, as it helps in reading & evaluating customer feedback.
b) Better operational efficiency: Integration of big data technologies and data warehouse helps an org to offload infrequently accessed data, thus improving efficiency.
c) Better decision making by using outside intelligence. E.g., access to social data from Facebook, Twitter etc. helps orgs to fine-tune their business strategy. Also helps in early identification of risk to the products/services, if any.
B. DATA WAREHOUSE
▪ Data warehouse is a large collection of business data used for storage & analysis to help an organization make decisions.
▪ However, directly analyzing the data that is needed for day-to-day operations is not a good idea as it creates interference in the normal functioning of the organisation.
▪ The process of extracting data from operational databases and bringing it into the data warehouse is commonly called ETL, which stands for Extraction, Transformation, and Loading.
a) First stage: the data is Extracted from one or more of the organization's databases.
b) Second stage: the data so extracted is placed in a temporary area called the Staging Area, where it is Transformed, i.e., cleansing, sorting, filtering etc. of the data as per the information requirements.
c) Final stage: Loading of the data so transformed into a data warehouse, which itself is another database for storage and analysis.
Features, i.e., a data warehouse should meet the following criteria:
a) Uses non-operational data, i.e., a copy of data from the active databases.
b) Data is time variant, i.e., when data is loaded in the data warehouse it receives a time stamp, which allows the org to compare over a period of time.
c) Data is standardized in terms of rules & format like date, units of measurement etc.
Two schools of thought/approaches:
Bottom-Up Approach: Step I: Create small data warehouses known as data marts to solve specific problems. Step II: Combine them to form a large data warehouse.
Top-Down Approach: Step I: Create an enterprise-wide data warehouse. Step II: As specific needs are identified, create smaller data marts from the data warehouse.
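An added example, not from the study notes, that carries the three ETL stages and the three warehouse criteria above through Python code; the operational tables, column names, date/unit formats and the transformation rules are constructed assumptions.

```python
# Added example, not from the study notes: a small ETL run through the three
# stages described above (Extract, Transform in a staging area, Load) that
# also applies the "non-operational copy", "time variant" and "standardised
# format" criteria. The operational tables, their column names and the
# transformation rules are constructed for illustration.
from datetime import datetime, timezone

# Constructed operational data: two departmental databases record similar
# facts with different column names, date formats and units.
SALES_DB = [
    {"inv": "S-101", "date": "03/01/2024", "amount_inr": "1,250.00",
     "cust": " acme traders "},
    {"inv": "S-102", "date": "15/01/2024", "amount_inr": "",   # missing
     "cust": "Beta Ltd"},
]
PURCHASE_DB = [
    {"po": "P-77", "doc_date": "2024-01-05", "amount_thousand_inr": "2.5",
     "vendor": "Gamma Supplies"},
]


def extract():
    """Stage 1: take a copy of the operational rows (non-operational data)
    so that analysis never runs against the live tables."""
    rows = [dict(r, _source="sales") for r in SALES_DB]
    rows += [dict(r, _source="purchase") for r in PURCHASE_DB]
    return rows


def transform(rows):
    """Stage 2 (staging area): cleanse, standardise dates to ISO-8601 and
    amounts to rupees, then sort. Returns (clean_rows, rejected)."""
    clean, rejected = [], []
    for r in rows:
        try:
            if r["_source"] == "sales":
                doc_id = r["inv"]
                doc_date = datetime.strptime(r["date"], "%d/%m/%Y")
                amount = float(r["amount_inr"].replace(",", ""))
                party = r["cust"]
            else:
                doc_id = r["po"]
                doc_date = datetime.strptime(r["doc_date"], "%Y-%m-%d")
                amount = float(r["amount_thousand_inr"]) * 1000  # unit fix
                party = r["vendor"]
        except ValueError as err:           # data quality problem: reject
            rejected.append((r.get("inv") or r.get("po"), str(err)))
            continue
        clean.append({
            "doc_id": doc_id,
            "doc_date": doc_date.date().isoformat(),
            "amount_inr": round(amount, 2),
            "party": " ".join(party.split()).title(),
            "source": r["_source"],
        })
    return sorted(clean, key=lambda row: row["doc_date"]), rejected


def load(warehouse, rows, load_time=None):
    """Stage 3: append rows with a load timestamp so that successive loads
    of the same facts can be compared over time (time variant)."""
    stamp = (load_time or datetime.now(timezone.utc)).isoformat()
    for row in rows:
        warehouse.append(dict(row, loaded_at=stamp))
    return len(rows)


def run_etl(load_time=None):
    """One full ETL cycle; returns (warehouse rows, rejected rows, count)."""
    warehouse = []
    clean, rejected = transform(extract())
    loaded = load(warehouse, clean, load_time)
    return warehouse, rejected, loaded


if __name__ == "__main__":
    wh, bad, n = run_etl()
    print(f"loaded {n} rows, rejected {len(bad)}: {bad}")
    for row in wh:
        print(row)
```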
C. DATA MINING
▪ Process of analyzing large data to find previously unknown trends & patterns to make decisions.
▪ This is accomplished through automated means against extremely large data sets such as a data warehouse.
▪ Examples of data mining tools: MS Excel, Oracle Data Mining, Rapid Miner
The steps involved in the Data Mining process:
1. Data Integration: Data is collected and integrated from all the different sources, which could be flat files, relational database, data warehouse or web etc.
2. Data Selection: All the collected data may not be required for data mining. So, we select only those data which we think are useful for data mining.
3. Data Cleaning: The data that is collected may contain errors, missing values or inconsistent data. It needs to be cleaned to remove all such inconsistencies.
4. Data Transformation: The cleaned data needs to be transformed into an appropriate form for mining using different techniques like smoothing, aggregation, normalization etc.
5. Data Mining: Various data mining tools are applied on the data to discover the interesting hidden patterns.
6. Pattern Evaluation and Knowledge Presentation: Involves visualization, transformation, removing redundant patterns etc. from the patterns generated from data mining.
7. Decisions / Use of Discovered Knowledge: This step helps the user to make use of the knowledge acquired to take better informed decisions.
D. DIFFERENCES B/W DATABASE, DATA WAREHOUSE & DATA MINING
4.4. NETWORKING AND COMMUNICATION SYSTEMS
5. INFORMATION SYSTEM CONTROLS
6. TYPES OF I.S. CONTROLS
6.1. I.S. CONTROLS BASED ON OBJECTIVES
6.2. CONTROLS BASED ON NATURE OF I.S. RESOURCES
6.2.1. Environmental Controls - Related to the IT environment in which the I.S. functions. Environmental exposures & relevant controls are as follows:
Fire: Damage to equipment & facility due to fire.
Controls
a) Fire resistant material
b) Install manual & automatic alarms at strategic locations
c) Install smoke detectors
d) Install fire extinguishers
e) Emergency exit / fire exit plan
Water: Damage to equipment & facility due to water related incidents like pipe burst, cyclone, floods etc.
Controls
a) Install water alarms at strategic locations
b) Use of water proof walls, ceilings & floors
c) Put the computer room above the ground floor but not on the top floor
d) Proper drainage system
Electricity exposure: Due to electrical faults like sudden upsurge in power supply, voltage fluctuations etc.
Controls
a) Voltage regulator & circuit breakers
b) UPS / Generator
c) Emergency power off switch
d) Power leads from two sub-stations
Pollution Damage: Major pollutant is dust, which can cause permanent damage to H/W.
Controls
a) Regular cleaning
b) Prohibition on eating, drinking & smoking in the I.S. facility
6.2.2. Physical Access Control – Relates to physical security of I.S. resources. It is applied against physical exposures, which include abuse of information processing devices, theft, damage, blackmail etc.
Locks on doors
a) Bolting door lock - No duplicate key.
b) Cipher locks (combination locks) - To enter, a person presses a four-digit number, and the door will unlock for a predetermined period.
c) Electronic door lock - A magnetic or chip-based plastic card key is used to gain access in these systems.
Physical information medium
a) Personal Identification Number (PIN) – A means to identify & verify the authenticity of a user. The user needs to log in by inserting a card in some device and then enter their PIN via a PIN keypad for authentication.
b) Plastic card - Used for identification purposes.
c) Identification badge
Logging on facility - Official record of access / activity
a) Manual logging – Visitors sign a visitor's log indicating their name, date & time of visit, company represented, purpose of visit, & person to see.
b) Electronic logging - Combination of biometric security & electronic security system. Maintains details / logs of access attempts, whether failed or successful.
Others
a) CCTV monitored by security.
b) Simple security guard.
c) Controlled visitor access – A responsible employee escorts the visitor.
d) Single entry point
e) Dead Man's Door - A pair of doors where the first entry door must close & lock before the second door opens, with only one person permitted in the holding area.
f) Alarm system & perimeter fencing
6.2.3. LOGICAL ACCESS CONTROL
▪ Applied to protect the I.S. from logical access violators like hackers, current & past employees, I.S. personnel, end users etc.
▪ Ensures that access to systems, data, programs and the OS is restricted to authorized users only.
▪ Key factors considered in designing logical access controls include
➢ confidentiality and privacy requirements,
➢ authorization, authentication and incident handling,
➢ virus prevention and detection,
➢ firewalls, centralized security administration, user training and tools for monitoring compliance
Logical Access Exposure / Risk, if no logical access control is applied
Technical Exposure - Includes unauthorized modification of data & s/w. Types:
a) Data diddling - Changing data before or after entering it into the system. Limited technical knowledge required.
b) Bomb - Malicious code which "explodes" when the logic inside the code is satisfied, causing immediate damage. Can't infect other programs & hence damage is not widespread. Logic bomb – e.g. if turnover reaches 1 crore, delete all data. Time bomb - Explodes at a given time.
c) Trojan horse - Malicious s/w or code that looks like a legitimate / harmless program. Once installed, it can damage, steal or disrupt the system. E.g. Christmas card.
d) Worm - Malicious program which self-replicates in idle memory, thus slowing the computer. These notes treat the slowdown as its only damage, though a worm can also carry a payload.
e) Rounding down - Rounding off a small fraction of an amount and transferring this fraction to an unauthorized A/c.
f) Salami technique - Slicing a small fixed amount of money from computerized transactions & transferring it to an unauthorized A/c.
g) Trap door / back door - Created by a developer to gain access for maintenance. Can be misused by unauthorized users to access the software as well.
h) Spoofing - Involves forging one's source address. One machine is used to impersonate another & the user is made to think that s/he is interacting with the operating system.
Asynchronous Attack - Data that is waiting to be transmitted is liable to unauthorized access; this is called an asynchronous attack. These attacks make use of the timing difference between the time when the data is input to the system and the time when it gets processed by the system. Types:
a) Data leakage - Leaking of information out of the computer by copying data onto external devices or print-outs.
b) Wire tapping - Spying on information being transmitted over a computer network.
c) Subversive attack - Enables intruders to access data being transmitted & also modify / violate the integrity of the data.
d) Piggybacking - Following an authorized person through a secured door, or electronically attaching to an authorized telecommunication link in order to intercept and alter transmissions.
6.3. CLASSIFICATION OF CONTROLS BASED ON AUDIT FUNCTIONS
Auditors have found two classifications useful when conducting information systems audits, as given below:
Managerial Controls
Objective: Managerial controls ensure that the I.S. is developed, implemented, operated & maintained in a planned and controlled manner.
Types
a) Top Management & I.S. Management Controls
b) System Development Management Controls
c) Programming Management Controls
d) Data Resource Management Controls
e) Quality Assurance Management Controls
f) Security Management Controls
g) Operations Management Controls
Application Controls
Objective: Application controls ensure data remains complete, accurate & valid through input, update & storage, and that processing is complete.
Types
a) Boundary Controls
b) Input Controls
c) Processing Controls
d) Output Controls
e) Database Controls
f) Communication Controls
6.3.1. MANAGERIAL CONTROLS
▪ Controls of top management should ensure that the I.S. functions properly & meets strategic business objectives.
▪ Scope of controls includes framing high-level IT policies, procedures & standards.
▪ Controls flow from the top of an organization downwards, but responsibility still lies with senior management.
▪ 4 major functions of senior management:
Planning: Top Mgt. prepares plans for achieving I.S. goals. Two types of plans (strategic & operational plan). The steering committee shall assume overall responsibility for the I.S. function.
Organising: To create an IT organizational structure with documented roles and responsibilities and agreed job descriptions. Includes arranging and allocating the resources needed to achieve the goals determined in the planning phase.
Leading: Includes motivating & communicating with personnel. Ensures that personal objectives are aligned with Org. objectives so that there is harmony of objectives w/o conflict.
Control: Comparing actual performance with planned performance. In case of any deviation, corrective action is taken.
6.3.1.2. SYSTEM DEVELOPMENT MANAGEMENT CONTROLS
2. User Specification Activities: The user needs to provide detailed requirements in written form (known as the Functional Requirements Document). It discusses the user's view w.r.t. the problems.
3. Technical Design Activities: The user's specification is converted into a technical design by the system developer.
4. Programme Testing: All modules must be tested before implementation. Results of tests are compared with a standard to determine if there is any error in logic or program.
5. User Test & Acceptance: Before implementation, all modules are tested as a whole by the user, who ensures that the system functions as per the user's requirements.
6. Internal Auditor's Participation: Should be involved at the inception of the system development process to examine & give suggestions on system requirements & controls throughout all phases.
6.3.1.3. PROGRAMMING MANAGEMENT CONTROLS
1. Planning: Use of different techniques for s/w development like WBS [Work Breakdown Structure] & PERT [Program Evaluation Review Technique].
2. Design: Structured / systematic approach to designing the programme. Modular design.
3. Coding: Structured / systematic approach is adopted for coding the program.
5. Operation & Management: Involves monitoring and making changes in the system when required on a timely basis. Three types:
a) Repair / corrective → Remove errors from s/w or fix the bugs.
b) Perfective → Program is fine-tuned to reduce resource consumption. E.g. better UI.
c) Adaptive → Change in s/w due to change in user requirements.
6.3.1.4. DATA RESOURCE MANAGEMENT CONTROLS
▪ Ensures that data is available only to authorized users. It involves: i) user access control through PIN, password, card etc.; ii) encryption of data etc.
▪ Ensures that the database is updated by authorized persons only.
▪ Backup refers to making a copy of data & storing it somewhere else so that it can be used when the first copy of the data is not available. It helps to ensure availability of data when required.
6.3.1.5. QUALITY ASSURANCE MANAGEMENT CONTROL
6.3.1.6. SECURITY MANAGEMENT CONTROL
6.3.1.7. BUSINESS CONTINUITY PLANNING CONTROLS
6.3.1.8. OPERATIONS MANAGEMENT CONTROL
2. Network Operations: Ensures proper functioning of network devices, communication channels etc.
3. Data Preparation & Entry: The keyboard environment & facilities should be designed to promote speed & efficiency.
4. File Library: Management of Org. data stored in machine-readable storage media like CD / DVD, pen-drive & hard disk.
5. Help Desk: Assists end-users in deploying & using H/W & S/W & resolving issues.
6.3.2. APPLICATION CONTROLS
Objective → to ensure that data remains complete, accurate and valid during its input, update and storage.
6.3.2.1. BOUNDARY CONTROLS
Refers to access control mechanisms that link authentic users to authorized resources. Involves identification & authentication of users by s/w, & authorization, i.e. privilege management.
Cryptography / Encryption: Conversion of clear text into cipher text for storage and for transmission over networks by the sender. The receiver decrypts this cipher text using the decryption key. Strength of cryptography depends on the time & cost a cryptanalyst needs to decipher the cipher text. Three techniques of cryptography are:
a) Transposition - Permute the order of characters within a set of data.
b) Substitution - Replace text with key-text.
c) Product cipher - Combination of transposition and substitution.
Password: A secret paired with the user id allotted to a user; it confirms (authenticates) that the person presenting the user id is its owner.
PIN: Similar to a password but is independent of any user id. Assigned to the user by the Org. Helps in user identification.
ID Card: Used to store information for authentication purposes.
Biometric Device: Includes use of thumb, retina etc. as biometric control technology.
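The three classical techniques listed above, worked in code so that the difference between them is visible. This is an added example written for these notes, not code from the notes; the 26-letter alphabet, the keys, the padding character and the sample plaintext are assumptions. The frequency count at the end is the practitioner's caveat: substitution alone preserves the letter statistics of the plaintext, which is exactly what a cryptanalyst uses, and a product cipher of the two only raises the time and cost of that attack. None of these is adequate for real storage or transmission today; they illustrate the building blocks the notes name.

```python
"""Added example (not from the original notes): transposition, substitution and
their product on the 26-letter alphabet. Keys and plaintext are assumptions."""

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def _clean(text):
    """Keep only letters; classical ciphers operate on the 26-letter alphabet."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def substitute(text, key_alphabet):
    """Substitution: replace each letter by the letter at the same index in key_alphabet."""
    return _clean(text).translate(str.maketrans(ALPHABET, key_alphabet))


def unsubstitute(text, key_alphabet):
    return text.translate(str.maketrans(key_alphabet, ALPHABET))


def transpose(text, key):
    """Columnar transposition: write in rows of len(key), read columns in key order.
    Pads with 'X' so the ciphertext length is a multiple of the key length."""
    text = _clean(text)
    width = len(key)
    if len(text) % width:
        text += "X" * (width - len(text) % width)
    order = sorted(range(width), key=lambda i: key[i])   # column read-out order
    rows = [text[i:i + width] for i in range(0, len(text), width)]
    return "".join(row[col] for col in order for row in rows)


def untranspose(text, key):
    width = len(key)
    height = len(text) // width
    order = sorted(range(width), key=lambda i: key[i])
    cols = {col: text[n * height:(n + 1) * height] for n, col in enumerate(order)}
    return "".join(cols[c][r] for r in range(height) for c in range(width))


def product_encrypt(text, key_alphabet, key):
    """Product cipher: substitution followed by transposition."""
    return transpose(substitute(text, key_alphabet), key)


def product_decrypt(text, key_alphabet, key):
    return unsubstitute(untranspose(text, key), key_alphabet)


def letter_frequencies(text):
    """Substitution alone maps each plaintext letter to one ciphertext letter, so
    the most frequent ciphertext letter is the most frequent plaintext letter."""
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return counts


if __name__ == "__main__":
    KEY_ALPHABET = "QWERTYUIOPASDFGHJKLZXCVBNM"   # a fixed permutation of ALPHABET
    ct = product_encrypt("attack at dawn", KEY_ALPHABET, "ZEBRA")
    print(ct, "->", product_decrypt(ct, KEY_ALPHABET, "ZEBRA"))
    print(letter_frequencies(substitute("attack at dawn", KEY_ALPHABET)))
```

Decryption returns the plaintext followed by whatever the padding letters map back to, so the caller must know the original length or strip a marker; that is a limitation of the scheme, not a bug in the example.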
6.3.2.2. INPUT CONTROLS
6.3.2.3. PROCESSING CONTROL
6.3.2.4. OUTPUT CONTROL
Applied to ensure that output is presented, formatted & distributed to users in a secure & consistent manner.
Controls over printing: Output should be printed on the correct printer. Users should be trained to select the correct printer.
Spooling / Queueing (Simultaneous Peripheral Operations Online): If more than one user gives a print command, the printer should print in sequential order & save the other print commands for printing after the current job is printed. Ensures that the user can continue working while the print operation is being completed.
Report distribution & collection: The time gap b/w generation & distribution of a report should be reduced. A log should be maintained of the reports that were generated and to whom they were distributed.
Retention control: Considers the duration for which output is to be retained before being destroyed. A date should be determined for each output.
Storage & logging of sensitive, critical forms: Pre-printed stationery like Co. letter heads, blank cheques etc. should be stored securely to prevent unauthorized destruction, removal or usage.
6.3.2.5. DATABASE CONTROLS
Applied to ensure that the integrity of the database is maintained while updating the database. Two types:
Update Controls
a) Sequence check b/w transaction & master file - Synchronous & correct sequencing b/w master files & transaction file is critical to maintain the integrity of updating, addition or deletion of master file records.
b) Ensure all records on the transaction file are processed - Transaction file records are mapped to the respective master file records.
c) Maintain a suspense A/c - Where a master record & transaction record are mismatched due to a failure in the corresponding record entry in the master file, such mismatches are maintained in a suspense file.
d) Process multiple transactions for a single master file record in the correct order.
Report Controls
a) Print suspense A/c entries - so that corrective action can be taken on time.
b) Print run-to-run control totals - Helps in identifying errors or irregularities like a record dropped erroneously from a transaction file, wrong sequence of updating or application software processing errors.
c) Existence / recovery control - Backup & recovery strategies together are required to restore the DB after any failure.
d) Standing data - Application programs use much internal data to perform functions like bill calculation based on a rate list or interest rate calculation etc. Maintaining the integrity of price rates or interest rates is critical.
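The update controls and the run-to-run report control above, applied in one sequential master-file update over constructed data. This is an added example written for these notes, not code from the notes or from any accounting package; the record layouts, account numbers and amounts are assumptions. It shows the three behaviours a reviewer looks for: an out-of-sequence transaction file rejects the whole batch instead of mis-posting, an unmatched transaction is parked in a suspense file rather than dropped, and the before/after control totals reconcile to the amounts actually applied.

```python
"""Added example (not from the original notes): a batch master-file update with a
sequence check, a suspense file and run-to-run control totals. Layouts assumed."""

# Constructed master file (account balances), keyed and sorted by account number.
MASTER = [
    {"acct": 1001, "balance": 500.0},
    {"acct": 1002, "balance": 250.0},
    {"acct": 1004, "balance": 75.0},
]

# Constructed transaction file. A sequential update requires it to be sorted by
# account number; account 1003 has no master record.
TRANSACTIONS = [
    {"acct": 1001, "amount": -100.0},
    {"acct": 1001, "amount": 40.0},     # second transaction for the same master record
    {"acct": 1003, "amount": 20.0},     # no matching master record -> suspense
    {"acct": 1004, "amount": -75.0},
]


def sequence_check(transactions):
    """Sequence check: a sequential update silently mis-posts when sort order is broken."""
    keys = [t["acct"] for t in transactions]
    return keys == sorted(keys)


def control_totals(master):
    """Run-to-run totals: record count and a hash total of balances."""
    return {"records": len(master),
            "balance_total": round(sum(m["balance"] for m in master), 2)}


def update_master(master, transactions):
    """Apply transactions to a copy of the master file.
    Returns (new_master, suspense, report); the report carries the run-to-run check."""
    if not sequence_check(transactions):
        raise ValueError("transaction file out of sequence; batch rejected")
    before = control_totals(master)
    balances = {m["acct"]: m["balance"] for m in master}
    suspense, applied_total = [], 0.0
    for t in transactions:                      # transactions for one master are applied in file order
        if t["acct"] in balances:
            balances[t["acct"]] += t["amount"]
            applied_total += t["amount"]
        else:
            # Unmatched record is parked, not dropped: it stays visible until corrected.
            suspense.append({**t, "reason": "no master record"})
    new_master = [{"acct": a, "balance": round(b, 2)} for a, b in sorted(balances.items())]
    after = control_totals(new_master)
    expected = round(before["balance_total"] + applied_total, 2)
    report = {
        "before": before,
        "after": after,
        "expected_balance_total": expected,
        "run_to_run_ok": (after["balance_total"] == expected
                          and after["records"] == before["records"]),
        "suspense_total": round(sum(s["amount"] for s in suspense), 2),
    }
    return new_master, suspense, report


if __name__ == "__main__":
    new_master, suspense, report = update_master(MASTER, TRANSACTIONS)
    print(new_master)
    print("suspense:", suspense)
    print("report:", report)
```

The printed report is the "print run-to-run control totals" item from the table: the batch is accepted only when the closing balance total equals the opening total plus what was applied, and the suspense total tells the operator how much is still waiting for a master record.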
6.3.2.6. COMMUNICATION CONTROLS
Applied to ensure that the data transmitted over the network is accurate, complete & authentic.
Physical Component Controls: Mitigate the possible effects of exposures to the physical components of the system.
Line Error Controls: While data is transmitted through a transmission line, there can be data loss due to noise distortion, called a line error. These errors must be detected & corrected.
Flow Control: Applied when there is a difference in the speed at which two nodes in a network can send, receive or process data, which would otherwise result in loss of data.
Channel Access Control: Two different nodes in a network can compete to use a communication channel.
a) Where the possibility of contention for the channel exists, some type of channel access control should be used.
7. INFORMATION SYSTEM'S AUDITING - BY IS AUDITOR
7.1. REASONS / NEED FOR I.S. AUDIT
Factors which influence an Organisation / Management w.r.t. implementation of controls & audit of computers are:
1. Value of computer H/W, S/W & personnel ▪ These I.S. resources are valuable & important & must be safeguarded.
2. Maintenance of privacy ▪ An organization collects a lot of data which is private regarding individuals. Any leakage of private personal data is against the interest of the company & must be protected against.
3. Controlled evolution of computer use ▪ Use of technology & reliability of computer systems can't be guaranteed. Hence it must be audited.
4. Cost of data loss ▪ Data is a very critical resource of an organization. Data loss can cause severe damage to the organization & hence it must be protected.
5. Cost of incorrect decision ▪ Management takes decisions based on information produced by the I.S. In case of incorrect info, management can take incorrect decisions which affect the organization adversely.
6. Cost of computer abuse ▪ Unauthorized access to a computer system may cause huge damage. It may also result in introduction of viruses, malware, hacking, theft of data etc.
7. Cost of computer error ▪ Errors may occur while performing a task, which may incur a huge cost for the Org.
7.2. I.S. CONTINUOUS AUDIT
Real-time production of information → Real-time recording → Real-time auditing → Continuous assurance about the quality of data.
Thus, continuous audit reduces the time gap between the occurrence of the client's event & the auditor's assurance service thereon.
Two bases for collecting audit evidence are:
a) Embedded module (Audit S/w) in system to collect, process & print Audit Evidence.
b) Special Audit records used to store Audit evidence collected.
Types of Continuous Audit Tools
1. Snapshots
Helps in tracing a transaction as it flows through the App system. Built into the system at points where material processing takes place. Takes images of the flow of transactions as they move through the App. These images are utilized to assess the authenticity, completeness & accuracy of the process being carried out by the system.
Important points to consider:
a) Locate the snapshot points based on materiality.
b) Determine when the snapshot will be captured.
c) A reporting system is designed & implemented to present the data in a meaningful manner.
2. Integrated Test Facility (ITF)
ITF involves creation of a dummy entity / test data in the App system. This test data is incorporated in the App system along with the normal data used as input, as a means to verify processing for:
• Authenticity
• Completeness
• Accuracy
Auditor must decide
a) Method to be used to enter test data in the system.
b) Method for removing the effect of ITF transactions.
3. System Control Audit Review File (SCARF)
SCARF involves embedding an audit s/w module within the App system to provide continuous monitoring of the system's transactions. Info collected is written on the SCARF master file. Similar to the snapshot technique, with data collection capabilities.
4. Continuous & Intermittent Simulation (CIS)
Variation of SCARF. Used as a trap for exceptions whenever the App system uses a DBMS.
▪ DBMS passes all transactions to CIS, which determines whether it wants to examine them further.
▪ CIS simulates the App system process.
▪ Results of the selected transactions processed by CIS are compared with the results produced by the App s/w to determine whether both are the same or not.
▪ In case of any difference, exceptions are identified by CIS & written to an exception file.
Advantage: No modification in the App system, but provides online audit capability.
5. Audit Hook
Audit exception routines that flag / highlight suspicious transactions as soon as they occur, on a real-time basis. Thus, auditors can be informed of questionable transactions as soon as they occur. This approach of real-time notification displays a message on the auditor's terminal.
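An embedded audit module in the spirit of SCARF with audit hooks, worked on constructed interest postings. It is an added example written for these notes, not code from the notes or from any audit product; the transaction layout, the rate, the materiality threshold and the account numbers are assumptions, and the "SCARF master file" is a plain list. It serves two passages: the SCARF / audit-hook tools above, and the rounding-down and salami exposures from the logical access section, because one of the hooks looks for exactly that pattern, sub-paise fractions shaved from interest calculations and accumulated in one account. Each fraction is immaterial on its own; the control is to accumulate them per destination account and to recompute every posting exactly with decimal arithmetic rather than floating point.

```python
"""Added example (not from the original notes): an embedded audit module with
audit hooks, including a rounding-down / salami check. All data is constructed."""
from decimal import Decimal, ROUND_HALF_UP
from collections import defaultdict

# Constructed interest postings. Each credits interest on a balance at a rate;
# the posted amount should equal the exact figure rounded to paise.
# Transactions 3 and 5 are the shaved fractions landing in account 9999, and
# transaction 4 was rounded down by one paisa instead of rounded correctly.
TXNS = [
    {"id": 1, "acct": 1001, "balance": "10000.00", "rate": "0.0475", "posted": "475.00", "to": 1001},
    {"id": 2, "acct": 1002, "balance": "3333.33", "rate": "0.0475", "posted": "158.33", "to": 1002},
    {"id": 3, "acct": 9999, "balance": "0", "rate": "0", "posted": "0.0035", "to": 9999},
    {"id": 4, "acct": 1003, "balance": "7777.77", "rate": "0.0475", "posted": "369.43", "to": 1003},
    {"id": 5, "acct": 9999, "balance": "0", "rate": "0", "posted": "0.0041", "to": 9999},
    {"id": 6, "acct": 1004, "balance": "50000.00", "rate": "0.0475", "posted": "2375.00", "to": 1004},
    {"id": 7, "acct": 1005, "balance": "900000.00", "rate": "0.0475", "posted": "42750.00", "to": 1005},
]

LARGE_AMOUNT = Decimal("10000.00")   # assumed materiality threshold


def exact_interest(balance, rate):
    """Recompute the posting exactly; Decimal avoids float rounding artefacts."""
    return (Decimal(balance) * Decimal(rate)).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def hook_rounding(txn):
    """Audit hook 1: the posted interest must equal the correctly rounded figure."""
    if txn["rate"] == "0":
        return None
    expected = exact_interest(txn["balance"], txn["rate"])
    if Decimal(txn["posted"]) != expected:
        return f"posted {txn['posted']} != expected {expected}"
    return None


def hook_large(txn):
    """Audit hook 2: materiality threshold."""
    if Decimal(txn["posted"]) >= LARGE_AMOUNT:
        return f"large posting {txn['posted']}"
    return None


class ScarfModule:
    """Embedded audit module: every transaction passes through; hits are recorded."""

    def __init__(self, hooks):
        self.hooks = hooks
        self.scarf_file = []                        # stands in for the SCARF master file
        self.fraction_sink = defaultdict(Decimal)   # sub-paise credits per destination account

    def process(self, txn):
        posted = Decimal(txn["posted"])
        # Salami / rounding-down hook: a sub-paise amount is never a legitimate posting,
        # and the destination account is what matters, not the size of each slice.
        if posted != posted.quantize(Decimal("0.01")):
            self.fraction_sink[txn["to"]] += posted
            self._record(txn, f"sub-paise amount {posted} credited to {txn['to']}")
        for hook in self.hooks:
            reason = hook(txn)
            if reason:
                self._record(txn, reason)
        return txn

    def _record(self, txn, reason):
        """Real-time notification would go here; the record is the audit evidence."""
        self.scarf_file.append({"txn_id": txn["id"], "reason": reason})

    def salami_suspects(self):
        """Accounts accumulating shaved fractions, however small each slice is."""
        return {acct: total for acct, total in self.fraction_sink.items() if total > 0}


def run_audit(txns, hooks=(hook_rounding, hook_large)):
    module = ScarfModule(list(hooks))
    for t in txns:
        module.process(t)
    return module


if __name__ == "__main__":
    m = run_audit(TXNS)
    for hit in m.scarf_file:
        print(hit)
    print("salami suspects:", m.salami_suspects())
```

Two design points a reviewer would raise: the module must see every transaction (a hook that only samples cannot accumulate fractions), and the rounding hook must use the same rounding rule the business has specified, or it will flag every legitimate posting.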
4. Training for new users: Using Integrated Test Facilities (ITFs), new users can submit data to the application system and obtain feedback on any mistakes they make via the system's error reports.
8. AUDIT TRAIL
▪ Refers to logs that record activities at system, App & user level.
▪ Provides a detective control to help achieve security objectives.
▪ Ensures that a chronological record of all events that have occurred in the system is maintained.
▪ Example: App logs contain details w.r.t. who initiated a transaction, who authorized it, date, time etc.
Need for Audit Trail
Accounting AT: Shows the source & nature of data & processes that update the database.
Operations AT: Record of attempted or actual resource consumption in a system.
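An application-level audit trail of the kind described above (who initiated, who authorized, when), written so that the chronological record itself is protected. This is an added example written for these notes, not code from the notes; it goes one step beyond them by hash-chaining the entries, so that altering or deleting an entry breaks the chain and the detective control can also detect tampering with its own evidence. Field names, the sequence counter and the sample purchase-order events are assumptions.

```python
"""Added example (not from the original notes): a hash-chained application audit
trail. The chaining is an addition beyond the notes; field names are assumptions."""
import hashlib
import json


def _digest(prev_hash, entry):
    """Hash of this entry bound to the previous entry's hash (the chain link)."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class AuditTrail:
    GENESIS = "0" * 64     # previous-hash value for the first entry

    def __init__(self):
        self.entries = []

    def record(self, seq, ts, user, action, target, authorized_by=None):
        """Append one chronological event; seq is a monotonic counter so that a
        removed entry leaves a visible gap as well as a broken hash."""
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"seq": seq, "ts": ts, "user": user, "action": action,
                 "target": target, "authorized_by": authorized_by}
        entry_hash = _digest(prev, entry)
        entry["hash"] = entry_hash
        self.entries.append(entry)
        return entry_hash

    def verify(self):
        """Detective check: recompute the chain. Returns (ok, index_of_first_bad_entry)."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["hash"] != _digest(prev, body):
                return False, i
            if i and e["seq"] != self.entries[i - 1]["seq"] + 1:
                return False, i
            prev = e["hash"]
        return True, None


def build_sample_trail():
    """Constructed events for one purchase order, in the order they happened."""
    trail = AuditTrail()
    trail.record(1, "2024-03-01T09:00:00Z", "clerk1", "create", "PO-100")
    trail.record(2, "2024-03-01T09:05:00Z", "mgr1", "approve", "PO-100", authorized_by="mgr1")
    trail.record(3, "2024-03-01T09:10:00Z", "clerk1", "pay", "PO-100", authorized_by="mgr1")
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", trail.verify())
    trail.entries[1]["user"] = "clerk1"     # someone rewrites who approved
    print("after edit:", trail.verify())
```

Caveat: a chain like this detects edits and deletions in the middle, but not truncation of the tail, since a shortened chain is still internally consistent. The usual fix is to export the latest hash regularly to a place the application administrators cannot write, such as the auditor's own records or a write-once log store, and compare against it.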
8.1. OBJECTIVES OF AUDIT TRAIL
8.2. IMPLEMENTATION OF AUDIT TRAIL / GENERATING AUDIT TRAILS
8.3. AUDIT OF VARIOUS CONTROLS
9. SEGREGATION OF DUTIES
▪ It advocates that privilege / access rights should be given on a "need to do" & "need to know" basis.
▪ Ensures that a single individual does not possess excess privilege that could result in unauthorized activity like fraud or manipulation of data.
▪ For example, the person approving purchase orders should not be allowed to make payment and pass entries in the books at the same time.
▪ Both preventive & detective controls should be in place to manage SoD.
Examples of SoD Controls
Transaction Authorization: The I.S. requires 2 or more persons to approve certain transactions.
Split custody of high-value assets: The password to an encryption key that protects sensitive data can be split in two halves, one half assigned to two persons and the other half assigned to two other persons, so that no single individual knows the entire password. Two keys for a sensitive locker.
Periodic review of user rights: Internal audit personnel can periodically review user access rights to identify whether any segregation of duties issues exist.
Work Flow: Applications that are workflow-enabled can use a second (or third) level of approval before certain high-value or high-sensitivity activities can take place. E.g. a workflow application that is used to set up user accounts can include extra management approval steps in requests for administrative privileges.
When SoD issues (conflicts b/w the access rights of individuals) are encountered, management needs to mitigate the matter. How?
a) Reduce the access privileges of the individual user so that the conflict no longer exists.
b) Introduce a new mitigating control: if management determines that the person needs to retain privileges which are viewed as conflicting, new preventive & detective controls need to be implemented, like increased logging of records, reconciliation of data sets etc.
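Two of the SoD controls above in code: split custody of an encryption password, and a periodic review of user rights that finds conflicting combinations and applies the first mitigation option (drop a right). This is an added example written for these notes, not code from the notes or from any IAM product; the conflict pairs, the user names and their rights are assumptions. One caveat a practitioner would add to the "two halves" description: giving each custodian half of the password leaks half of it to each. The example instead uses an XOR split, where each share on its own is random and reveals nothing, and only the two together reproduce the password.

```python
"""Added example (not from the original notes): XOR split custody of a secret and
a user-rights review for SoD conflicts. Rights matrix and names are assumptions."""
import secrets

# --- split custody -----------------------------------------------------------

def split_secret(secret: bytes):
    """2-of-2 XOR split: share_a is uniformly random, share_b = secret XOR share_a.
    Each share alone is independent of the secret; both are needed to rebuild it."""
    share_a = secrets.token_bytes(len(secret))
    share_b = bytes(s ^ a for s, a in zip(secret, share_a))
    return share_a, share_b


def join_secret(share_a: bytes, share_b: bytes) -> bytes:
    """Both custodians present their share; the password exists only at this point."""
    if len(share_a) != len(share_b):
        raise ValueError("shares do not belong together")
    return bytes(a ^ b for a, b in zip(share_a, share_b))

# --- periodic review of user rights --------------------------------------------

# Pairs of rights that must not sit with one person (assumed policy).
CONFLICTS = {
    ("approve_po", "make_payment"),
    ("approve_po", "post_journal"),
    ("make_payment", "post_journal"),
    ("create_user", "grant_admin"),
}

# Constructed rights as a user-access review would export them.
USER_RIGHTS = {
    "asha": {"create_po", "approve_po"},
    "ravi": {"make_payment", "post_journal"},                 # conflict
    "meena": {"approve_po", "make_payment", "view_reports"},  # conflict
    "admin1": {"create_user", "grant_admin"},                 # conflict
    "audit1": {"view_reports"},
}


def find_sod_conflicts(rights, conflicts=CONFLICTS):
    """Return {user: [(right_a, right_b), ...]} for every violated pair."""
    found = {}
    for user, held in rights.items():
        hits = sorted((a, b) for a, b in conflicts if a in held and b in held)
        if hits:
            found[user] = hits
    return found


def mitigate(rights, user, drop_right):
    """Mitigation option (a): remove one right so the conflict no longer exists.
    Works on a copy so the review's input is preserved as evidence."""
    new = {u: set(r) for u, r in rights.items()}
    new[user].discard(drop_right)
    return new


if __name__ == "__main__":
    a, b = split_secret(b"correct horse battery")
    print("share a:", a.hex())
    print("share b:", b.hex())
    print("joined :", join_secret(a, b))
    print("conflicts:", find_sod_conflicts(USER_RIGHTS))
    print("after mitigation:", find_sod_conflicts(mitigate(USER_RIGHTS, "ravi", "post_journal")))
```

When a conflict cannot be removed (mitigation option b), the review output is what the compensating controls attach to: the user and the specific pair of rights are what the extra logging and reconciliations must cover.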
E-Commerce, M-Commerce & Emerging Tech
CHAPTER 4
1. E-COMMERCE
▪ Refers to doing Business (Buying, Selling & Other related functions like inventory mgt.) electronically.
▪ Means use of Technology (Internet, computer, Mobile, Apps, website etc.) to enhance processing of
commercial transactions between company, customer & business partners like seller.
▪ Involves automation of variety of transactions such as B2B, B2C, C2C, C2B etc. through Reliable &
Secure Technology.
2. DIFFERENCE BETWEEN TRADITIONAL COMMERCE & E-COMMERCE
3. BENEFITS OF E-COMMERCE
e) Easy to find reviews - Users can give feedback & ratings, which help buyers make better decisions.
f) Coupons and deals
➢ Time required to complete transactions;
➢ Errors in billing, invoicing & data entry;
➢ Inventory holding cost due to JIT.
4. DISADVANTAGES OF E-COMMERCE
a) Internet connection: Internet connectivity is a pre-requisite to perform online transactions. It may not be available in rural or remote areas.
b) High start-up costs: The various components of the costs involved with e-commerce are due to the following:
▪ Connection: Connection costs to the Internet.
▪ Hardware / software: Includes cost of sophisticated computers, routers etc.
▪ Set up: Includes employee work hours involved in setting up systems.
▪ Maintenance: Includes costs involved in training of employees & maintenance of web pages.
c) Legal issues: The legal environment in which e-commerce is conducted is full of unclear & conflicting laws.
d) Security concerns: There is risk to the security and reliability of the network and internet, as well as fear for the safety and security of personal information due to increased spyware and malware.
e) Cultural impediments: Some customers are still somewhat fearful of sending their credit card numbers over the Internet. Also, many customers are simply resistant to change.
f) Some businesses may never lend themselves to e-commerce: Items such as perishable foods and high-cost items such as jewellery and antiques may be impossible to adequately inspect from a remote location.
5. BUSINESS MODELS
▪ A business model (B.M.) means the organization of product, service & information flows for the benefit of suppliers & customers.
▪ A business model enables a firm to
➢ analyze its environment more effectively and
➢ exploit the potential of its markets;
➢ better understand its customers; and
➢ raise entry barriers for rivals.
▪ An e-business model is the adaptation of an organization's business model to the internet economy.
▪ E-business models utilize the benefits of electronic communications to achieve value additions.
▪ Some of the e-market models are explained below:
1. E-shop: An online version of a retail store that sells products & services online. It is a convenient way of effecting direct sales to customers. No intermediaries are involved, hence cost & time delay are reduced. Eg- www.vanheusenindia.com
2. E-malls: The e-retailing model of a shopping mall. It is a conglomeration of different e-shops situated in one e-commerce location. Eg – www.emallofAmerica.com
3. E-auction: Provides a channel of communication (auction websites) through which the bidding process for products & services can take place between competing buyers. Eg – www.bidderboy.com
4. Portals: A website that serves as a gateway on the internet to a specific field of interest or an industry. It is a channel through which websites are offered as content. Firms control the content of the portal and earn revenue by charging customers for subscription or advertising. Website + login + motive is to earn money. Eg – www.mca.gov.in, Netflix, Tax sutra, Taxmann.com
5. Buyer Aggregator: Brings together a large no. of buyers so that they can enjoy savings which are generally enjoyed only by large-volume buyers. Firms collect info about goods / services, make service providers their partners & sell under their own brand. Eg- www.zomato.com, Ola, Uber
6. Virtual Community: A community of customers who share a common interest & use the internet to communicate with each other. It helps participants as they get greater benefits like solving queries, sharing ideas etc., without additional cost. E.g.- Microsoft community
7. E-marketing: The process of marketing a product or service using the Internet. E.g.- Mail marketing, digital marketing. It changes the relationship b/w buyer & seller as market information is available to all parties in the transaction.
8. E-procurement: Refers to management of all procurement activities through electronic means. E-procurement infomediaries provide up-to-date & real-time information w.r.t. supply of material to business partners. Leads to efficiency in accessing info & saving of time & cost. E.g. www.e-procure.gov.in
9. E-distribution: An e-distributor is a Co. that supplies products & services directly to individual businesses. E-distribution helps in achieving efficiency by managing a large volume of customers, automating orders, communicating with partners and providing value-added services like order tracking. An example of a firm specializing in e-distribution is www.wipro.com, which uses the internet to provide fully integrated e-business enabled solutions that help to unify the information flows across all the major distribution processes.
The e-business models relating to e-business markets can be summarized as given below:
6. COMPONENTS OF E-COMMERCE
User | E-Commerce Vendors | Technology Infrastructure | Internet / Network | Web Portal | Payment Gateway
E-Commerce Vendors (continued)
Supplementary & complementary to w/h operation. Fast returns are the USP of vendors.
e) Showroom and offline purchase - Many vendors have opened outlets for customers to experience their products.
f) Marketing & loyalty program - To establish a long-term relationship with the customer.
g) Privacy policy - Explains usage of the customer's data as per the IT Act 2000.
h) Security policy - So that data is safe, through technology like SSL/TLS.
Technology Infrastructure (continued)
b) Mobile App - A smaller version of computer s/w programmed to run on a mobile / tablet. Expensive & runs on one type of OS.
c) Digital Library - A special library focussed on a collection of digital objects (text, audio, video) stored in e-media format. A type of information retrieval system.
d) Data Interchange - Electronic communication of data b/w different parties. There are defined standards to ensure seamless communication.
Web Portal: The experience of buying a product online.
Payment Gateway:
▪ Debit card
▪ Credit card
▪ UPI
▪ COD
7. ARCHITECTURE OF NETWORKED SYSTEM
Architecture refers to the style of designing / method of construction. In e-business, it denotes the way network architectures are built. E-commerce runs through network-connected systems.
7.1. ADVANTAGES & LIMITATIONS OF TWO-TIER ARCHITECTURE
7.2. ADVANTAGES & LIMITATIONS OF THREE-TIER ARCHITECTURE
8. M-COMMERCE
▪ Refers to buying & selling of goods & services and related activities through wireless hand-held devices like mobile phones and Personal Digital Assistants (PDAs), tablets etc.
▪ M-commerce enables users to access the Internet without needing to find a place to plug in.
▪ Growth in m-commerce has been through apps. An app can be downloaded by the user or pre-installed.
Application Tier: App server & back-end server (includes seller, logistics partner, payment gateway). It allows the customer to check the products available on the merchant's website. (m-commerce: same)
Database Tier: DB server, i.e. the information store-house where all data is stored. (m-commerce: same)
9. WORKFLOW OF E-COMMERCE
10. RISKS & CONTROLS IN E-COMMERCE
10.1. Risks, i.e. the possibility of loss, in the case of e-commerce are high compared to general internet activities.
▪ Delay in delivery of goods & hidden costs (delivery / processing cost)
▪ Needs internet & no personal touch
▪ Problem of anonymity → Need to identify & authenticate the user as well as the supplier
▪ Denial of service → Unavailability of the system due to viruses, bombs etc.
▪ Repudiation of contract → The seller may repudiate an order after accepting it; the customer can also refuse to accept delivery
▪ Attack from hackers → The e-commerce website may be attacked by hackers
10.2. CONTROLS → NECESSARY FOR EACH PARTICIPANT OF E-COMMERCE
1. User ▪ To ensure that genuine users are on the e-commerce website. This limits attacks on the website from hackers.
2. Seller / Merchant ▪ Should be financially & operationally stable. Control is needed for
➢ Product catalogues
➢ Price catalogues
➢ Discount and promotional schemes
➢ Shipping & returns
➢ Accounting for cash received through the Cash on Delivery mode of sales.
3. Government ▪ Two major concerns - tax accounting of goods / services sold, & that only legal goods / services are sold.
4. Network Service Provider ▪ To ensure availability & security of the network. Any downtime can be disastrous.
5. Technology Service Provider ▪ Includes all services other than network service, e.g. cloud computing, App backends etc. ▪ To ensure availability & security of the technology.
6. Logistics Service Provider ▪ Responsible for timely delivery of the product as ordered. ▪ Success or failure of any e-commerce / m-commerce venture finally lies here.
7. Payment Gateway ▪ To ensure effective & efficient processing of payments.
10.3. Controls for Mitigating Risk
1. Educate participants about the nature of risk. Policy may include a) frequency and nature of educational programmes, b) participants for such programmes. Example: "Dos and Don'ts" for online payments advertised by banks.
2. Communication of organizational policy to customers: a) Privacy policy, i.e. how data will be used; b) Information security policy; c) Shipping & billing policy; d) Return & refund policy.
3. Ensure compliance with industry body standards. RBI releases these standards from time to time, and they must be complied with.
4. Protect your e-commerce website from intrusion:
a) Hackers - use a security software package to protect the website.
b) Virus - scan the website daily for viruses.
c) Password - ensure employees use strong passwords & change them periodically. Also, access of ex-employees must be terminated.
d) Regular s/w update - the website should have the newest version of security s/w.
e) Sensitive data - encryption of financial & other confidential data.
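The password control above (strong passwords, periodic change, and terminating ex-employee access) is easy to state and easy to get wrong in code. The following is an added example, not part of the original notes: it enforces a password policy, stores only a salted PBKDF2 hash, compares in constant time, refuses passwords older than a rotation window and refuses disabled accounts. The rule thresholds, the 90-day window, the iteration count and the small common-password set are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import List

# Constructed stand-in for a real breached-password list (assumption).
COMMON_PASSWORDS = {"password", "password1", "welcome123", "admin123", "qwerty123"}

ITERATIONS = 600_000          # PBKDF2-HMAC-SHA256 work factor (assumed; tune per hardware)
MAX_AGE_SECONDS = 90 * 86400  # periodic-change window (assumed policy: 90 days)


def password_policy_errors(password: str) -> List[str]:
    """Return the policy rules a candidate password breaks (empty list = acceptable)."""
    errors = []
    if len(password) < 12:
        errors.append("shorter than 12 characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        errors.append("fewer than 3 character classes")
    if password.lower() in COMMON_PASSWORDS:
        errors.append("appears in common-password list")
    return errors


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    set_at: float            # when the password was set, for the rotation check
    active: bool = True      # set to False when the employee leaves


def make_account(username: str, password: str, now: float) -> Account:
    """Create an account, rejecting weak passwords and never storing the plaintext."""
    errs = password_policy_errors(password)
    if errs:
        raise ValueError("weak password: " + ", ".join(errs))
    salt = os.urandom(16)    # per-user random salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return Account(username, salt, digest, now)


def verify_login(acct: Account, password: str, now: float) -> str:
    """Return 'ok', 'disabled', 'expired' or 'bad_password'."""
    if not acct.active:
        return "disabled"
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), acct.salt, ITERATIONS)
    if not hmac.compare_digest(candidate, acct.digest):   # constant-time comparison
        return "bad_password"
    if now - acct.set_at > MAX_AGE_SECONDS:
        return "expired"                                   # force a periodic change
    return "ok"


def terminate(acct: Account) -> None:
    """Revoke access when an employee leaves, regardless of what they still know."""
    acct.active = False
```

The disabled-account check runs before the hash comparison, so a terminated employee's correct password is never accepted; an expired password still has to be correct before the user is asked to change it, so the "expired" branch leaks nothing to a guesser.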
11. Guidelines & Laws Governing E-Commerce
11.1. Guidelines Governing E-Commerce (Decided by E-Commerce Vendors)
All e-commerce vendors need to create clear policy guidelines for the following & communicate them to their users.
Billing: Format of bill; details in bill; applicable GST.
Shipping: Shipping date & time; expected date of dispatch; & mode.
Delivery: Mode of delivery? - Courier - Hand delivery. When will goods be delivered? - Time & date. Where is delivery to be made? - Home - Office.
Payment: Mode - COD - Online payment. A specific payment mode for a specific product must be highlighted.
Return: Which goods can be returned? Within how many days? Process of verifying authenticity. Duration after which money will be refunded.
Product Guarantee/Warranty: Proper display of guarantee/warranty on website. Also send the guarantee/warranty document along with the product.
11.2. Commercial Laws Governing E-Commerce
All e-commerce transactions are essentially commercial transactions. Hence the following laws are applicable:
1. Income Tax Act, 1961 ▪ Act to levy & collect income tax on income. ▪ Concerned with deciding the place of origin of a transaction for tax purposes.
2. GST Act, 2017 ▪ Covers all aspects of e-commerce. ▪ Each supplier is required to upload details of outward supply on the common portal.
3. Companies Act, 2013 ▪ Regulates companies. All major e-commerce organizations are companies.
4. Factories Act, 1948 ▪ Regulates working conditions of workers. Extends to places of storage as well as transportation.
5. Customs Act, 1962 ▪ Deals with import/export of goods. India is a signatory to GATT of the WTO & can't levy customs duties that are not WTO compliant.
11.3. Special Laws Governing E-Commerce
11.4. Trends in E-Commerce
E-marketers need to develop not only their product quality but also the user experience to retain customers.
Content: Due to great competition in e-commerce, a visually attractive website or display of products is no longer sufficient. The latest trend is to use video for Q&A & content marketing to attract customers. Shoppable videos instead of images enable the customer to shop directly from videos.
Social commerce: Social media is an integral part of a customer's online habit. The latest trend is to use social media for doing e-commerce, like FB, Google etc.
Predictive Analysis: P.A. helps in analysing customer behaviour, such as: if a customer does not return within 30 days, he is lost. It helps to a) predict customers' buying habits as per their taste & preference, b) segment customers into different categories & improve conversions by offering ▪ the right customers ▪ the right product ▪ in the right way ▪ at the right time.
Biometrics: Since e-commerce involves serious security threats such as hacking, spamming, online fraud, theft of confidential data etc., biometric verification is a means to solve security issues using physical characteristics of users such as fingerprint, face or voice.
Mobile commerce: Users are moving from desktop to mobile computing. 55% of online traffic is generated on mobile & it is increasing. Creation of mobile apps is the latest trend.
Artificial Intelligence: Use of AI like a fully automated chat bot is another latest trend. The chatbot is the first point of contact & answers all questions of consumers. Also known as mobile messenger bots. Live chat users tend to spend more & the buyer conversion rate is higher.
12. Digital Payment
12.1. Types of Digital Payment
12.1.1. Traditional Methods
Cards
Debit Card: Small plastic card containing a unique number linked with the bank A/c number. Issued by a bank & allows the holder to make payment directly from his bank A/c. Buyer's cash is instantly affected, i.e. as soon as payment is approved, the buyer's account is debited.
Credit Card: Small plastic card issued by a bank/issuer, allowing the holder to purchase goods or services on credit. Buyer's cash flow is not instantly impacted as the user makes payment to the card issuer at the end of the billing cycle.
Smart Card: Prepaid card similar to credit and debit cards in appearance, but has a small microprocessor chip in it to store the customer's personal info such as financial facts, encryption keys, account information & so on. a) These are not linked to any bank account & the user is not mandated to have a bank account. b) It is used to store money, which is reduced as per usage. c) E.g. Mondex and Visa Cash cards.
Internet Banking: Customers log in to his/her bank account and make payments. All public sector banks & large private sector banks allow this facility to their customers.
12.1.2. New Methods
UPI: Unified Payment Interface. It is a payment mode to make instant fund transfers from the sender's bank account to the receiver's bank account through a mobile app. Steps: ▪ User downloads a UPI app such as PhonePe, Google Pay, BHIM ▪ Create VPA/UPI ID ▪ Register for mobile banking ▪ Link bank A/c with UPI ID & transfer funds. It can be used to transfer funds between two accounts as well.
IMPS: Immediate Payment System. Facilitates instant inter-bank electronic fund transfer through mobile, ATM & net banking.
Mobile Apps: BHIM (Bharat Interface for Money), developed by NPCI (National Payment Corp. of India). Based on UPI & built on IMPS infra. Allows the user to send or receive money to/from other UPI addresses by a) scanning a QR code; or b) using A/c number with Indian Financial System Code (IFSC); or c) MMID (Mobile Money Identifier) code for users who don't have a UPI-based bank A/c.
Mobile Wallet: A mobile wallet or e-wallet is the digital version of a physical or real-life wallet. Users can keep his/her money in the e-wallet & use it when needed. It stores bank account or Dr/Cr card info on the mobile device. Used to make payment to merchants listed with the mobile wallet service provider. E.g. PAYTM, Mobikwik or Freecharge.
AEPS: Aadhaar Enabled Payment System is an Aadhaar-based digital payment mode. AEPS allows bank-to-bank transactions, i.e. money will be deducted from the sender's A/c and credited to the payee's A/c directly. Customers need to link Aadhaar with the bank A/c. Can be used for financial as well as non-financial operations.
USSD: Unstructured Supplementary Service Data banking, or *99#, is mobile banking based on digital payment that works on a basic phone through SMS. No need of a smartphone or Internet. Can be used for financial as well as non-financial operations like checking bank balance, generating MPIN etc. Planning to launch
Crypto Currency ▪ It is a digital currency (no physical form) produced by a public network rather than any Government or bank. It is completely decentralized, i.e. there is no controlling authority.
▪ It is a medium of exchange. Strong cryptography is used to ensure that payments are sent & received safely.
▪ Records of individual coin ownership are stored in a computerized database (a ledger) protected by strong cryptography.
▪ Strong cryptography makes it nearly impossible to counterfeit a coin or double-spend it.
▪ E.g. Bitcoin, Litecoin, Ethereum
▪ Advantages: lower transaction-processing cost, fast transfer between sender & receiver, and the ledger itself cannot be counterfeited. Note that the wallets and exchanges holding the keys can still be hacked, so the user's coins are not risk-free.
Mobile Banking ▪ Service provided by a bank or other FI that allows its customers to conduct different types of financial & non-financial transactions remotely using a mobile device such as a mobile phone or tablet & the mobile app provided by the bank or FI.
▪ Each bank provides its own mobile banking app for the Android, Windows and iOS mobile platform(s).
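The cryptocurrency bullets above say that ownership records are kept in a cryptographically protected database and that double-spending a coin is nearly impossible, without showing how. The following is an added illustration written for these notes (it is not Bitcoin's code and not from the original page): a toy ledger in which each block stores the hash of the previous one, each coin is an unspent output that can be consumed exactly once, and a spend must be authorised by the output's current owner. The owner keys, the HMAC "signature" standing in for a real public-key signature, and the whole-output-only spending rule are simplifications made for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the owners' signing keys (assumption). A real
# cryptocurrency uses public-key signatures such as ECDSA so the verifier needs no
# secret; HMAC keeps this example inside the standard library.
KEYS = {"alice": b"alice-signing-key", "bob": b"bob-signing-key", "carol": b"carol-signing-key"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(owner: str, spend: str, to: str, amount: int) -> str:
    """Owner authorises moving the whole unspent output `spend` to `to`."""
    msg = json.dumps([spend, to, amount]).encode()
    return hmac.new(KEYS[owner], msg, hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class Tx:
    spend: Optional[str]   # id of the unspent output consumed (None = newly minted coin)
    to: str                # new owner
    amount: int
    sig: str = ""          # authorisation by the current owner of `spend`

    def tx_id(self) -> str:
        return sha256_hex(json.dumps([self.spend, self.to, self.amount, self.sig]).encode())


@dataclass
class Block:
    prev_hash: str         # hash of the previous block: the chain link
    txs: List[Tx]

    def hash(self) -> str:
        return sha256_hex(json.dumps([self.prev_hash, [t.tx_id() for t in self.txs]]).encode())


class Ledger:
    def __init__(self) -> None:
        self.chain: List[Block] = []
        self.utxo: Dict[str, Tuple[str, int]] = {}   # unspent output id -> (owner, amount)

    def mint(self, to: str, amount: int) -> str:
        """Create a coin out of nothing (the 'coinbase' of a real chain)."""
        tx = Tx(None, to, amount)
        self._append([tx])
        return tx.tx_id()

    def transfer(self, spend: str, to: str, amount: int, sig: str) -> str:
        """Spend an output once; a second spend of the same id is rejected."""
        if spend not in self.utxo:
            raise ValueError("output unknown or already spent (double spend)")
        owner, available = self.utxo[spend]
        if not hmac.compare_digest(sig, sign(owner, spend, to, amount)):
            raise ValueError("signature does not match current owner")
        if amount != available:
            raise ValueError("whole output must be spent (no change outputs in this toy)")
        tx = Tx(spend, to, amount, sig)
        self._append([tx])
        return tx.tx_id()

    def _append(self, txs: List[Tx]) -> None:
        prev = self.chain[-1].hash() if self.chain else "0" * 64
        self.chain.append(Block(prev, txs))
        for tx in txs:
            if tx.spend is not None:
                del self.utxo[tx.spend]            # consumed: cannot be spent again
            self.utxo[tx.tx_id()] = (tx.to, tx.amount)

    def verify_chain(self) -> bool:
        """Recompute every link; any edited historical record breaks the chain."""
        prev = "0" * 64
        for block in self.chain:
            if block.prev_hash != prev:
                return False
            prev = block.hash()
        return True
```

Minting a coin to alice, transferring it to bob, and then replaying alice's first spend towards carol raises the double-spend error because the output id is no longer in `utxo`; rewriting the minted block afterwards (for example replacing its transaction with one that pays "mallory") makes `verify_chain()` return False, since the next block still records the old hash.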
PART II - EMERGING TECHNOLOGIES
13. Virtualisation
▪ Refers to the creation of a virtual version of a device or resource such as a server, network or storage device etc.
▪ It provides a layer of abstraction between the hardware and the software running on it.
▪ Core concept: partitioning, which divides one physical machine into multiple logical servers / virtual machines, each of which can run an OS independently.
▪ Example: partitioning a hard drive is considered virtualization because one drive is partitioned in a way that creates two separate logical hard drives.
▪ Helps in cutting IT expenses, enhancing security, and increasing operational efficiency.
13.1. Application Areas of Virtualisation
13.2. Types of Virtualisation
server scalability, flexibility etc.
▪ Two pieces of software: the hypervisor and the virtual machine manager.
14. Grid Computing
▪ It is a computer network in which each computer's resources (processor, storage, network etc.) are shared with other computers in the system/network.
▪ It is a distributed architecture of a large number of computers connected to solve complex problems. E.g. data mining.
▪ In the grid computing model, servers or personal computers run independent tasks and are loosely linked by the Internet.
▪ It turns a computer network into a powerful super-computer.
14.1. Benefits of Grid Computing
14.2. Types of Resources in a Grid
Computation Power (CPU): It is the most common resource shared in G.C. Processors offered by members of the grid may differ in architecture, memory etc. but can still be shared. Three ways to exploit this resource in G.C.: a) to run an app on a computer in the grid rather than locally; b) to run an app that needs to be executed multiple times on different computers in the grid; c) to split the work into separate parts so that it can be executed in parallel on different computers.
Storage: ▪ Each machine on the grid provides some storage, even if temporary. ▪ Storage may be memory attached to processors, RAM, ROM or secondary devices like hard drives.
Communications: ▪ Refers to the bandwidth used for sending work from one computer/machine to another. ▪ Bandwidth is a critical resource and it should be redundant and efficient, else it may affect the effectiveness of G.C.
Software and License: ▪ Refers to s/w installed in the grid which is too expensive for installation on each member computer. ▪ Some s/w vendors permit installing such s/w on all computers in the grid, but at any given time only a limited number of computers will be able to use the s/w.
Special Equipment, capacities, architecture and policies: ▪ Different computers in a grid will have different architectures, operating systems, devices, capacities and equipment. ▪ The grid can use such criteria for assigning a job to any member of the grid. ▪ For example, some machines may be designated to be used only for medical research.
14.3. Applications of Grid Computing
a) Civil engineers collaborate to do experimental research to design, execute, analyze and validate different models in earthquake engineering.
b) Insurance companies mine data from partner hospitals for fraud detection.
c) In scientific research, using an entire network of computers to analyze data.
d) In the film industry, to render special effects in a movie.
e) In the financial industry, to forecast the future of a particular stock.
14.4. Grid Computing Security Constraints / Issues to Consider
G.C. is a highly collaborative & distributed computing model. To develop a secure grid, the following need to be considered:
a) Secured Single Sign-on: The user should need to authenticate once & then be able to access resources, use them, & communicate internally without further authentication.
b) Management & protection of credentials: The user's credentials like user ID, passwords, PIN should be protected.
c) Support for secure group connections: Among grid member computers.
d) Support for multiple implementations: There should be security for the multiple participants of a grid, based on public and private key cryptography.
e) Inter-operability between grid security & local security: Access to local computer resources should have local security & there should be inter-operability between grid security & local security.
f) Standardization: Since G.C. is a highly integrated system, standardizing protocols and interfaces between grid participants is a big issue.
g) Exportability: The code should be exportable, i.e. it must respect cryptography export restrictions, so it cannot rely on a large amount of encryption at a time.
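Items a) and b) above (authenticate once, then use many grid resources without re-authenticating, while keeping the password away from each resource) are the shape of a bearer token. The following is an added example for these notes, not code from any grid middleware: the authentication service issues a token that names the user, the resources it is valid for and an expiry, and protects it with an HMAC; every resource server checks the token locally and never sees a password. The shared key, the claim names and the token layout are assumptions made for the example; production grids typically use X.509 proxy certificates for this, which additionally avoid sharing a secret with every server.

```python
import base64
import hashlib
import hmac
import json
import os
from typing import Iterable, Optional

# Constructed key shared by the grid's authentication service and its resource
# servers (assumption for this example).
SSO_KEY = os.urandom(32)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, resources: Iterable[str], ttl: int, now: int,
                key: bytes = SSO_KEY) -> str:
    """Called once, after the user has authenticated to the grid's auth service.
    The token carries who, which resources and until when; the MAC prevents edits."""
    claims = {"sub": user, "res": sorted(resources), "exp": now + ttl,
              "nonce": b64url_encode(os.urandom(8))}
    body = json.dumps(claims, separators=(",", ":")).encode()
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return b64url_encode(body) + "." + b64url_encode(mac)


def check_token(token: str, resource: str, now: int,
                key: bytes = SSO_KEY) -> Optional[str]:
    """Run by each resource server. Returns the user name if the token is genuine,
    unexpired and scoped to this resource; otherwise None. No password is seen here."""
    try:
        body_b64, mac_b64 = token.split(".")
        body = b64url_decode(body_b64)
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(mac_b64)):
            return None                      # forged or modified
        claims = json.loads(body)
    except ValueError:                       # bad structure, bad base64, bad JSON
        return None
    if claims.get("exp", 0) <= now:
        return None                          # expired: user must authenticate again
    if resource not in claims.get("res", []):
        return None                          # not scoped to this resource
    return claims.get("sub")
```

The MAC is checked before the claims are parsed, so an attacker who edits the resource list or the expiry, or who re-attaches an old MAC to a new body, is rejected without the server ever trusting the contents; a server configured with a different key (the local-security boundary of item e) rejects every token, which is the expected behaviour, not an error.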
15. Cloud Computing
▪ "The Cloud" refers to applications, services, and data storage on the Internet.
▪ C.C. refers to accessing these computing resources through the internet. E.g. Google Drive, e-mail, Netflix etc.
▪ It is a combination of h/w & s/w based resources delivered as a service which can be accessed online.
15.1. Characteristics of Cloud Computing
All the characteristics may or may not be present in a specific cloud solution.
a) Elasticity & Scalability: Gives the user the ability to expand or reduce resources according to requirement.
b) Pay per use: The user pays for cloud services only when they use them.
c) On Demand: The cloud service is not a permanent part of the IT infrastructure. It is availed when required.
d) Resiliency: Failure of a server or storage resource does not affect the org, as work is migrated to a different server in the same data center or to a different data center, with or without human intervention.
e) Multi-Tenancy: A public cloud offers its services to multiple users, making it multi-tenant.
f) Workload Management: It is related to resiliency & cost considerations. A cloud service provider may move workload from one data center to another due to: a. cost saving (where operating the data center is cheaper); b. regulatory considerations; c. better network bandwidth.
15.2. Advantages of Cloud
a) Streamline business process by getting more work done in less time with fewer resources.
b) Reduced capital cost: No need to spend huge amounts on s/w & h/w etc.
c) Reduced spending on infrastructure: as data can be accessed on demand on a pay-per-use basis.
d) Improved flexibility: Fast changes can be made in the work environment.
e) Pervasive accessibility: Data can be accessed from anywhere on any device through the internet.
f) Minimized maintenance: as the infrastructure is maintained by the cloud service provider.
g) Globalised workforce: as people can access the cloud with the internet across the world.
15.3. Drawbacks of Cloud
15.4. Types of Cloud Computing Environment (Based on Usage & Deployment)
15.4.1. Characteristics of Cloud Computing Environment
15.5. Types of Cloud Computing Service Model
The National Institute of Standards and Technology (NIST) defines three basic service models through which cloud services are offered to users. These are as follows:
Infrastructure as a Service (IaaS): It is a hardware-level service which provides computing resources like ➢ processing power ➢ memory ➢ network &
Platform as a Service (PaaS): It provides the user the ability to ➢ develop & deploy ➢ an app on the platform provided by the service provider. PaaS changes Application
Software as a Service (SaaS): It provides the user the ability to access an app over the internet. S/w is installed, managed, updated & upgraded by the cloud service provider.
15.5.1. Five Instances of IaaS
15.6. Issues with Cloud Computing
16. Mobile Computing
▪ Technology that allows transmission of data via a computer/mobile device without having to be connected to a fixed physical link (wireless).
▪ Users can transmit data from remote locations to other remote or fixed locations, thus solving the issue of 'mobility'.
▪ Widely established, rapidly evolving & rapidly growing across the world.
16.1. Key Components of Mobile Computing
a) The user enters or accesses data on the hand-held computing device using an app.
b) This new data is transmitted from the hand-held computing device to the physical I.S., where the DB is updated & the new data becomes accessible to other system users as well.
c) Now both systems, i.e. the hand-held device & the physical I.S., have the same information & they are in sync.
d) This process works in the same way starting from the other direction.
a) Flexibility in working: It has enabled users to work from anywhere as long as they are connected to a network, thus enabling work from home or work while travelling.
b) Increase in employee's productivity: as workers can work efficiently and effectively from whichever location they find comfortable and suitable.
c) Improved customer service: For example, by using a wireless payment terminal the customers in a restaurant can pay for their meal without leaving their table.
d) Remote access to work order details: Provides the mobile workforce with remote access to work order details, such as work order location, contact information, required completion date.
e) Improved management effectiveness: Enables improved management effectiveness by enhancing information flow & the ability to control the mobile workforce.
f) Facilitates excellent communication: Mobile computing facilitates excellent communication.
a) Insufficient bandwidth: It uses technologies such as GPRS, EDGE and 3G/4G networks which are slower than a direct cable connection. Higher-speed wireless LANs are inexpensive but have very limited range.
b) Security standards: Since public networks are used, a VPN should be carefully used.
c) Power consumption: When mains power is not available, batteries are used, which are expensive.
d) Human interface with device: Small screens and small keys are hard to use.
e) Transmission interference: Weather, terrain and the range from the nearest signal point can all interfere with signal reception. Signal in tunnels, lifts or rural areas may not be good.
f) Potential health hazard: No mobile should be used while driving as it distracts drivers. Cell phones may interfere with sensitive medical devices, thus causing health issues.
17. Green Computing
▪ Objective
17.1. Green Computing Best Practices
Develop a sustainable Green Computing plan: Involve all stakeholders. Includes a) checklist; b) recycling policies; c) recommendations for purchasing G.C.; d) reduction of paper consumption; e) use of cloud computing so that multiple orgs share common infra; f) creating awareness about commitment to G.C.
Recycle: ▪ Dispose of e-waste as per Govt. guidelines & regulations. ▪ Manufacturer must offer safe end-of-life management & recycling options when the product is unusable. ▪ It should recycle computers using its recycling service.
Make environmentally sound purchase decisions: ▪ Purchase IT resources based on green attributes. ▪ Recognize manufacturers' efforts to reduce the environmental impact of products by reducing or eliminating the use of environmentally sensitive material. ▪ Use shared resources & virtualization, which can help to improve resource utilization, reduce energy costs & simplify maintenance.
Reduce consumption of paper: ▪ By using e-mail & electronic archiving. ▪ Online marketing rather than paper-based marketing. ▪ While printing, print both sides using a smaller font size. ▪ Use 'Track changes' in e-documents rather than red-line correction on paper.
Conserve energy: ▪ Use LCD & LED monitors instead of CRT. ▪ Use a notebook/laptop rather than a desktop. ▪ Use the power management feature to turn off hard drives and displays after several minutes of inactivity. ▪ Use alternative sources of energy like solar energy. ▪ Adopt more web conferencing instead of travelling.
17.2. Green IT Security Services & Challenges
▪ Green Security is a new research field which involves defining & investigating security solutions from an energy-aware perspective.
▪ The objectives of Green Security are to:
a) Evaluate the actual security mechanisms in order to assess their energy consumption.
b) Build new security mechanisms by considering the energy costs from the design phase.
▪ The need to evaluate a client's infrastructure to accommodate green technology is a vital issue.
▪ Green security can be a cost-efficient and lucrative green IT service for solution providers.
18. Bring Your Own Device (BYOD)
▪ It is a business policy that allows employees to use their preferred IT device, like a laptop, for business purposes.
▪ Employees can connect personal devices to the corporate network to access information & applications.
▪ It makes workspaces flexible as it enables employees to work beyond required hours.
18.1. Advantages of BYOD
a) Happy employees: as employees love to use their own device at work & need not carry multiple devices.
b) Increased employee efficiency: as the employee is not required to learn to work on a new system.
c) Lower IT budget: Leads to financial saving as the org is not required to provide devices to staff.
d) Reduced support requirement: as employees maintain the device on their own, resulting in cost saving.
e) Early adoption of technology: as employees are more proactive in adopting new technologies, which leads to enhanced productivity.
18.2. Emerging Threats / Disadvantages of BYOD
Introduction
➢ Web 1.0 → Initial days of the web (prior to Google). Static pages that could be read. No write, no sharing.
➢ Web 2.0 → Dynamic pages + read & write (users can upload photos, comment on others' photos). Resulted in social media networks between people & people.
➢ Web 3.0 → Web 2.0 + devices & websites that are able to generate, store & share data with other compatible devices without human intervention.
Web 3.0
It is known as the semantic web (semantics: the study of how language is used to produce meaning).
Refers to websites wherein raw data is generated by computers/devices (TV, AC, etc.) & shared with other devices without direct human intervention.
It is the next step in the evolution of the Internet & web technology. It uses
a) Semantic web technology
b) AI
c) User behaviour
d) Widgets/apps
e) User engagement depending on the interests of users.
Example: Content management systems along with artificial intelligence can answer questions posed by users, because the application can reason on its own and find the most probable answer as per context.
In this way, Web 3.0 can also be described as a "machine to user" standard on the internet.
19.2. Future of Web Technologies
20. Internet of Things (IoT)
▪ IoT is a system of –
➢ interrelated Computing devices, mechanical & Digital machines, animals or people with capability to
20.1. Applications of IoT
a) All home appliances are connected, which creates a virtual home. Home owners can keep track of all activities in the house through their hand-held devices, including home security through CCTV.
b) Office machines are connected through the net. HR managers can see how many people had a cup of coffee from the vending machine & how many are present. How many printouts are being generated through the office printer?
c) Governments can keep track of resource utilization / extra support needed. Under the SWACHH mission, the government can tag all dustbins with IoT sensors. They (the dustbins) generate a message once they are full.
d) Smart wearables
e) Connected cars
f) Smart supply chain
20.2. Risks of IoT
Risk to Product Manufacturer: a) Data storage & analysis must be secured & protected. b) A manufacturer not providing IoT will not be able to survive in future.
Technology (Security) Risk: The greatest threat. Since devices are connected to the network, they will be hit by all network-related risks like ▪ hackers ▪ logic bombs ▪ Trojans etc.
Risk to User Privacy, Autonomy & Control: Risk of loss of control over personal life as personal data may be leaked. The other major concern is who has ownership of this personal data.
Intentional Obsolescence: On launching a new device, features of the old device may be disabled or slowed down. Where a different manufacturer buys another, it may not support the old devices sold.
Lack of Technology Standards: Due to the lack of technology standards & the variety of h/w & s/w used on different devices, it is difficult to develop apps.
Environmental Risk: May have an impact on house air quality due to the use of heavy metals in devices.
21. Artificial Intelligence (AI)
▪ Intelligence means the ability to use memory, knowledge & experience to solve a problem.
▪ Intelligence exhibited/displayed by a machine is called AI.
Applications
➢ Autonomous vehicles (self-driving cars)
➢ Creating art, poetry
➢ Playing online games like chess
➢ Online assistants (SIRI, ALEXA)
➢ Medical diagnosis, in cancer research
➢ Robotics
Risks
a) AI relies on the data it gets. Thus, incorrect input will give incorrect conclusions.
b) AI (robots) carries a security threat. Countries are discussing having a kill switch in AI-capable devices.
c) In the long term, AI may kill people's skill of thinking the unthinkable. AI can't think out of the box.
22. Machine Learning (ML)
▪ Application of AI that enables computers to learn automatically without being explicitly programmed.
▪ Science and art of programming computers so that they can learn from data & can change when exposed to new data.
▪ Machine learning can be used for solving problems that either are too complex for traditional approaches or have no known algorithm, such as speech recognition.
▪ Applications & risks are similar to AI.
Core Banking Systems
CHAPTER 5
1. Overview of Banking Services
1.1. Introduction
Key factors/reasons that enabled banks to compete at world level & provide basic banking services to citizens of India staying in the remotest areas of India are as follows:
a) Rapid development & adoption of IT by banks, which facilitates anytime & anywhere access.
b) Global business opportunities leading to Indian opportunities & customers' demand for integrated services.
c) Growth of Internet penetration across India.
d) Successive Governments' focus on financial inclusion for all Indians. E.g. Jan Dhan Yojana.
1.2. Characteristics / Key Features of Banking Business
a) Custody of large volumes of monetary items like cash & negotiable instruments.
b) Dealer in a large volume (in number, value and variety) of transactions.
c) Operating through a wide network of branches & departments, which are geographically dispersed.
d) Increased possibility of fraud, making it mandatory for banks to provide multi-point authentication checks & a high level of information security.
1.3. Functions of Bank / Major Products & Services Provided by Banks / Types of Banking Services
Core functions: Acceptance of deposits [pay interest]; Lending of money [earn interest].
S No. Functions Explanation
ECS credit: In this, a number of beneficiary accounts are credited by periodically debiting a single account of the bank. Examples: payment of amounts towards dividend distribution, interest, salary, pension, etc.
ECS debit: In this, a large number of accounts with the bank are debited for credit to a single account. Examples: tax collections, loan instalment repayment, investments in mutual funds etc.
6 Letter of Credit & Guarantee
Letter of Credit: It is an undertaking by the bank to the payee (supplier of goods & services) ➢ to pay him on behalf of the buyer ➢ any amount up to the limit specified in the L.C. ➢ provided the T&C are satisfied.
Guarantee: It is provided by the bank, on request of a customer of the bank (supplier), to ➢ the buyer of goods/services ➢ to guarantee performance of a contractual obligation, or ➢ for submission to Govt. authorities like customs in lieu of the stipulated security deposit.
7 Credit Card ▪ Processing of applications for credit cards is entrusted to a separate division at the central office of the bank. ▪ It is linked to one of the international card networks like Visa, Mastercard, Amex or India's own RuPay.
8 Debit Card ▪ Issued by the central office of the bank where customers have their account. ▪ It facilitates withdrawal of money from ATMs as well as payment at authorized outlets. When a debit card is used for a transaction, the amount is immediately deducted from the customer's account.
9 Other Banking Operations
Back operations: Covers all operations done by the back office. Related to general ledger, MIS, technology, reporting, compliance etc.
Retail Banking: Known as front office operations that provide direct services to customers for personal use. E.g. debit cards, personal loans, mortgages etc.
High Net Worth Individuals (HNIs): Specialized services to HNIs based on value/volume of deposits/transactions.
Risk management: It is done at the strategic, tactical, operational & technology areas of the bank.
Specialized Services: Underwriting: the process of assessing the credit worthiness or risk of a potential borrower & his ability to repay the loan. Critical process while determining the grant of a loan to a customer. Life insurance.
2. Core Banking System / Solution
2.1. Introduction to CBS
CORE = Centralised Online Real-time Exchange/Environment
2.2. Characteristics of CBS
2.3. Examples of CBS
2.4. Key Modules of CBS
Back End Applications: • Back Office • Data Warehouse • Credit Card System • ATM Switch
Core of CBS: • Central Server comprising the App Server & Database Server
Front End Applications: • Mobile Banking • Internet Banking • Phone Banking • Branch Banking
S No. Modules Explanation
1 Back Office ▪ Part of the bank comprising administration and support personnel who are not client-facing. ▪ Back-office functions include settlement, record maintenance, regulatory compliance, accounts & IT.
2 Data Warehouse ▪ Banking professionals use data warehouses to simplify and standardize the way they gather data and finally get to one clear version of the truth.
3 Credit Card System ▪ It provides the services of ➢ customer management ➢ credit card management ➢ customer information management ➢ online transaction authorization ➢ support for payment applications.
4 ATM ▪ It is an electronic banking outlet that allows customers to do basic banking transactions without the help of any branch official. ▪ A debit card or credit card is needed to access the ATM. ▪ Enables the customer to perform ➢ quick self-service online transactions like deposit, withdrawal etc. ➢ to more complex transactions like bill payments.
5 Mobile Banking and Internet Banking ▪ Internet Banking ▪ Mobile Banking ▪ Phone Banking
6 Branch Banking ▪ Due to CBS, front-end & back-end processes within a bank have been automated, resulting in seamless workflow. The branch confines itself to the following key functions:
a) Creating manual documents capturing the data required for input into the s/w.
b) Initiating Beginning of Day (BOD) operations.
c) End of Day (EOD) operations.
d) Reviewing reports for control and error correction.
e) Internal authorization.
2.5. CORE FEATURES OF CBS (OTHER THAN BANKING SERVICES)
In addition to basic banking services that a Bank provides through use of CBS, the technology enables
Banks to add following features to its service delivery:
i) Online real time processing
ii) Transactions are posted immediately
iii) All database updated simultaneously
iv) Centralized operations [All data stored in one common database]
v) Anytime, anywhere access to customers and vendors
vi) Banking access through multiple channels like mobile, web etc.
vii) Remote interaction with customers
viii) Automatic processing of standing instructions like auto deduction of credit balance on specific date.
ix) Centralized Internet application for all accounts
x) Business and Services are productized.
3. COMPONENTS & ARCHITECTURE OF CBS
3.1. TECHNOLOGY COMPONENTS OF CBS
3.2. KEY ASPECTS BUILT WITHIN ARCHITECTURE OF CBS
1. Information flows: This facilitates information flow within the Bank and increases the speed and
accuracy of decision-making.
2. Customer Centric: This enables the Bank to target customers with the right offers at the right time to
increase profitability.
3. Regulatory Compliance: This has a built-in and regularly updated regulatory platform which helps
Banks comply with complex regulations. E.g. maintaining the required % of CRR, SLR.
4. Resource optimization: This optimizes resource utilisation through improved asset sharing, reusability,
faster processing and increased accuracy.
3.3. CBS IT ENVIRONMENT
➢ Clients (called Service Outlets, e.g. branches) which are connected through channel servers.
The server is a sophisticated computer that accepts service requests from different machines called
Clients. The requests are processed by the server and the results are sent back to the clients.
d) Internet Banking Channel Server ▪ It stores the username & password of all internet banking customers and the branch
to which the customer belongs (passwords should be held only as salted hashes, never in clear text).
Such information is not stored in ATM servers.
e) Internet Banking Application Server ▪ It stores the Internet Banking software which authenticates the customer with the login
details stored in the IBCS.
f) Web Server ▪ It hosts the website and all internet related s/w. All online requests on the website are
serviced through the web server.
▪ It is a program that uses HTTP (Hypertext Transfer Protocol) to serve the files
that form web pages to users, in response to their requests.
g) Proxy Server ▪ It is a computer that offers an indirect n/w connection to other network servers.
▪ The client connects to the proxy server and then requests a connection, file or resource
available on a different bank server.
h) Anti-virus Software Server ▪ It is used to host anti-virus software. It is installed to ensure that all s/w being
deployed on CBS is first scanned to ensure it is free from virus/malware.
3.4. FUNCTIONAL ARCHITECTURE OF CBS
CBS is the ERP software of a Bank. It covers all aspects of banking operations from
➢ micro to macro operations and covers all banking services ranging from
➢ back office to front office operations
➢ transactions at the counter to online transactions &
➢ G.L. to reporting.
However, it is modular in nature & is implemented for all functions or core functions as decided by
management.
Implementation depends on the need and criticality of the specific banking service provided by the Bank.
E.g. if FOREX transactions of the Bank are minimal, related functions may not be implemented.
3.5. IMPLEMENTATION OF CBS
Deployment and Implementation of CBS should be controlled at various stages to ensure that Bank’s
automation objectives are achieved.
1. Planning Planning for implementation of CBS should be done as per Bank’s strategic and
business objectives.
2. Approval Since high investment and recurring costs are involved, decision must be approved by
B.O.D.
3. Selection There are multiple vendors of CBS, each solution has key differentiators. Bank should
select the right one as per their objective & requirements.
4. Design & Develop Earlier CBS was developed in-house by Banks. Currently, its mostly procured. There
or Procured should be control over design and development or procurement of CBS.
5. Testing Extensive testing must be done before CBS goes live. Testing is done at various phases:
- at procurement stage (to test suitability)
- at data migration (to ensure all existing data is migrated)
- at testing of processing of different types of transactions of all modules (to ensure
correct results are produced)
6. Implementation Must be implemented as per the pre-defined & agreed plan in a time bound manner.
7. Maintenance CBS needs to be properly maintained. E.g. fixing program bugs.
8. Support To ensure it is working effectively.
9. Updation CBS must be updated based on changing requirements of business, technology &
regulatory compliance.
10. Audit Should be done internally & externally to ensure controls are working as expected.
4. CBS RISKS, SECURITY POLICY & CONTROLS
4.1. RISKS ASSOCIATED WITH CBS
1. Operational Risk Refers to risk arising from direct or indirect loss to the Bank due to inadequate or failed
➢ internal processes, people & systems.
Operational risk necessarily excludes business risk and strategic risk.
The components of operational risk include:
a) Transaction Processing Risk: Arises because of faulty reporting of important market developments
to Bank management. May also occur due to errors in entry of data for processing.
b) Information Security Risk: Refers to risk arising due to use of information systems & the
environment in which these systems operate.
c) Legal Risk: Refers to risk arising because of
➢ treatment of clients,
➢ sale of products, or
➢ business practices of a Bank.
d) Compliance Risk: Refers to exposure to legal penalties & loss an organization can face when it
fails to act as per industry laws and regulations.
e) People Risk: Refers to risk arising from
➢ lack of trained key personnel,
➢ tampering of records and
➢ nexus between front and back-end offices.
2. Credit Risk Refers to risk of an Asset/Loan becoming irrecoverable due to outright default or Risk
of unexpected delay in servicing of loan.
A form of counter party risk since Bank and borrower usually sign a loan contract.
3. Market Risk Refers to risk of losses in Bank’s trading book due to changes in
➢ equity price; commodity price; Interest rate; foreign currency rate etc.
To manage this risk, Bank deploys highly sophisticated mathematical & statistical
techniques.
4. Strategic Risk/ Refers to risk that earnings will decline due to change in business environment. E.g.
Business Risk New competitor, change in demand of customer etc.
5. IT Related Risk Some of the common IT risks related to CBS are as follows:
a) Ownership of Data / Process: Data is stored in the data center. The Bank must establish clear ownership of data so that
accountability can be fixed and unwanted changes to the data can be prevented.
b) Authorization process: It ensures only an authorized person can enter data in CBS. If the authorization process is
not robust, an unauthorized person can access customer information & other sensitive
data.
c) Authentication process: Username, password, PIN, OTP are commonly used for authentication.
d) Several s/w interfaces across diverse n/w: A data center may have as many as 100 different interfaces & application software.
It requires adequate infrastructure like uninterrupted power supply, backup generator etc.
e) Maintaining response time: Maintaining optimum response time & uptime can be challenging.
f) Access Control: Since a Bank is subjected to all types of attack, designing access control is a
challenging task.
g) Change management: It reduces the risk that the new system is rejected by users. However, it requires changes at
the application level & data level of the DB - master files, transaction files and reporting software.
Large organizations like financial institutions and Banks need to have a laid down framework for security with
a proper organization structure and defined roles and responsibilities within the organization.
Since Banks deal in third party money and need to create a framework of security for their systems, this
framework needs to be of global standards to create trust in customers in and outside India.
Information security → Refers to ensuring CIA (Confidentiality, Integrity, Availability) of information. It is critical to mitigate the risk of
information technologies.
RBI has suggested use of ISO 27001:2013 to implement information security. It has also advised obtaining ISO 27001
certification for data centers.
Information security comprises following sub-processes:
a) Info Security Policies, Refers to processes related to approval & implementation of Info security.
Procedures & I.S. policy is the basis for developing detailed procedures & practices for I.S.
Practices security & implementing it.
b) User Security Refers to the security of various users of I.S. It defines how users are created and
Administration Access is granted or disabled as per Organization structure & Access matrix.
c) Application Security Refers to how security is implemented at various aspects of Application. E.g. Event
Logging
d) Database security Refers to how security is implemented at various aspects of database. E.g. RBAC
e) Operating system Refers to how security is implemented at various aspects of OS.
security
f) Network security Refers to how security is implemented at various aspects of network & connectivity
to the servers. E.g. Use of VPN for employees, implementation of firewalls etc.
g) Physical Security Refers to how security is implemented for physical access. For example - Disabling
the USB ports.
Risk & Control w.r.t. Information Security
a) Risk: Lack of management direction & commitment to protect information assets.
Control: Security policies are established and management has to monitor compliance with policies.
b) Risk: User accountability is not established.
Control: All users are required to have a unique user ID.
c) Risk: Potential loss of CIA of data / information.
Control: Appropriate physical access controls should be implemented.
Vendor default passwords for OS, DB, n/w etc. should be changed by the user on receiving the software.
d) Risk: It is easier for unauthorized users to guess the password of an authentic user.
Control: Passwords should be complex & changed frequently.
e) Risk: A security breach may go undetected.
Control: Access to sensitive data is logged and the log should be reviewed regularly by management.
f) Risk: Inadequate preventive measures for servers and IT systems in case of environmental threats like flood, fire etc.
Control: Adequate environmental controls should be implemented like fire alarm, disaster recovery plan, backup etc.
4.3. INTERNAL CONTROL SYSTEM IN BANK
I.C. helps mitigate the risk and must be integrated in IT solution implemented at Bank’s Branches.
Objectives of I.C. a) Ensuring Accuracy and completeness of A/c record
in Bank b) Timely preparation of reliable F.S.
c) Orderly & efficient conduct of business
d) Compliance with regulatory requirements
e) Safeguard of Assets through prevention & detection of fraud.
f) Adherence to management policy.
Examples of I.C. i) Maker Checker process - Work of one staff is checked by another worker irrespective
of nature of work.
ii) System of job rotation among staff exists.
iii) Financial and Administrative powers of each Employee is fixed & communicated.
iv) All books are to be regularly balanced and confirmed by authorized official.
v) Fraud prone items like currency, valuables etc should be in custody of 2 or more
officials of Bank.
vi) Details of lost security forms are immediately sent to controlling authority.
4.4. IT CONTROLS IN BANK
IT risks are mitigated by implementing right type & level of IT controls in automated environment.
It is done by integrating controls into Info Tech/CBS.
Examples:
a) System maintains records of all log-ins and log-outs.
b) Transaction is allowed to be posted in Dormant A/c only with supervisory password.
c) System checks whether the amount to be withdrawn is within the drawing power.
d) Access to system is available only b/w stipulated hours & specified days only.
e) User Timeout is prescribed [auto log out in case system is inactive]
f) User should be given access on “Need to know basis”
g) Once end of day operations are over, ledger can’t be opened w/o supervisory password.
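Controls (a) to (g) above, together with the maker-checker control from 4.3, can be expressed as an authorization policy that the CBS evaluates before a debit is posted. The Python below is an added example and is not code from the original page or from any CBS product: the accounts, user sessions, cut-off hours, session timeout, dormancy period and drawing-power values are constructed assumptions, and supervisory authority is modelled as an approval by a separate supervisor session rather than a supervisory password.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Policy parameters: constructed assumptions for this example, not values from the page.
BUSINESS_DAYS = {0, 1, 2, 3, 4}                   # Monday .. Friday
BUSINESS_HOURS = (9, 18)                          # posting allowed from 09:00 up to 17:59
SESSION_TIMEOUT = timedelta(minutes=10)           # control (e): idle sessions are logged out
DORMANT_AFTER = timedelta(days=730)               # account treated as dormant after 2 years
ROLES_ALLOWED_TO_POST = {"teller", "supervisor"}  # control (f): need-to-know access


@dataclass
class Account:
    number: str
    balance: float
    drawing_power: float          # maximum debit balance sanctioned on the account
    last_customer_txn: datetime


@dataclass
class Session:
    user_id: str                  # unique user ID, so every action is attributable
    role: str
    last_activity: datetime


@dataclass
class Ledger:
    accounts: dict
    eod_done: bool = False        # set once End-of-Day operations have run
    audit_log: list = field(default_factory=list)

    def log(self, when: datetime, user_id: str, event: str, **details) -> None:
        # control (a): every decision is recorded with who, when and why
        self.audit_log.append({"at": when.isoformat(), "user": user_id, "event": event, **details})


def authorize_withdrawal(ledger: Ledger, maker: Session, account_no: str, amount: float,
                         now: datetime, checker: Optional[Session] = None,
                         supervisor: Optional[Session] = None) -> tuple:
    """Apply the CBS controls to a debit request; returns (posted, reason)."""
    def deny(reason: str) -> tuple:
        ledger.log(now, maker.user_id, "DENIED", account=account_no, amount=amount, reason=reason)
        return False, reason

    if now - maker.last_activity > SESSION_TIMEOUT:                        # (e) user timeout
        return deny("session expired")
    if now.weekday() not in BUSINESS_DAYS or not BUSINESS_HOURS[0] <= now.hour < BUSINESS_HOURS[1]:
        return deny("outside permitted hours")                               # (d) stipulated hours/days
    if maker.role not in ROLES_ALLOWED_TO_POST:                              # (f) need-to-know
        return deny("role not permitted to post")
    if checker is None or checker.user_id == maker.user_id:                 # maker-checker (4.3 i)
        return deny("maker-checker not satisfied")
    account = ledger.accounts.get(account_no)
    if account is None:
        return deny("unknown account")
    has_supervisor = (supervisor is not None and supervisor.role == "supervisor"
                      and supervisor.user_id != maker.user_id)
    if ledger.eod_done and not has_supervisor:                              # (g) ledger closed after EOD
        return deny("ledger closed after EOD")
    if now - account.last_customer_txn > DORMANT_AFTER and not has_supervisor:  # (b) dormant account
        return deny("dormant account needs supervisor")
    if account.balance - amount < -account.drawing_power:                   # (c) within drawing power
        return deny("exceeds drawing power")

    account.balance -= amount
    account.last_customer_txn = now
    ledger.log(now, maker.user_id, "POSTED", account=account_no, amount=amount,
               checker=checker.user_id, supervisor=supervisor.user_id if has_supervisor else None)
    return True, "posted"


def demo() -> list:
    """Constructed scenario; returns the (posted, reason) result of each request in order."""
    now = datetime(2024, 3, 5, 11, 0)                        # a Tuesday, 11:00
    ledger = Ledger(accounts={
        "CC-1001": Account("CC-1001", 20_000.0, 50_000.0, now - timedelta(days=3)),
        "SB-2002": Account("SB-2002", 5_000.0, 0.0, now - timedelta(days=900)),   # dormant
    })
    maker = Session("u_teller1", "teller", now - timedelta(minutes=2))
    checker = Session("u_teller2", "teller", now - timedelta(minutes=1))
    boss = Session("u_super1", "supervisor", now)
    idle = Session("u_teller3", "teller", now - timedelta(minutes=30))
    late = now.replace(hour=20)
    results = [
        authorize_withdrawal(ledger, maker, "CC-1001", 60_000.0, now, checker),        # posted (within drawing power)
        authorize_withdrawal(ledger, maker, "CC-1001", 20_000.0, now, checker),        # exceeds drawing power
        authorize_withdrawal(ledger, maker, "CC-1001", 1_000.0, now, maker),           # maker == checker
        authorize_withdrawal(ledger, maker, "SB-2002", 500.0, now, checker),           # dormant, no supervisor
        authorize_withdrawal(ledger, maker, "SB-2002", 500.0, now, checker, boss),     # dormant, approved
        authorize_withdrawal(ledger, idle, "CC-1001", 100.0, now, checker),            # session expired
        authorize_withdrawal(ledger, Session("u_teller1", "teller", late), "CC-1001", 100.0, late, checker),  # after hours
    ]
    ledger.eod_done = True
    results.append(authorize_withdrawal(ledger, maker, "CC-1001", 100.0, now, checker))  # ledger closed
    return results


if __name__ == "__main__":
    for posted, reason in demo():
        print(posted, reason)
```

Every denied request leaves an audit entry with the user and the reason, which is what makes the log review under 4.2(e) useful: a reviewer can see not only what was posted but also who tried to post outside hours or against a dormant account.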
4.5. APPLICATION S/W - CONFIGURATION, MASTERS, TRANSACTIONS AND REPORTS
There are 4 gateways through which an enterprise can control, access & use the various menus and
functions of the software. Examples of each are given below:
5. CORE BUSINESS PROCESSES – RELEVANT RISKS & CONTROLS
Each of the following processes is covered in terms of its Process and its Risks & Controls:
CASA; Credit Card; Mortgage Loan; Loan & Trade Finance; Treasury Process; E-commerce Transaction; Internet Banking.
5.1. CURRENT ACCOUNT SAVING ACCOUNT [CASA]
6. Risk: Inaccurate A/c entries generated in CBS.
Control: CBS should be configured to generate entries as per defined rules (AS).
5.2. CREDIT CARD
Credit Card Process Flow of Sale - Authorization Process of Credit Card Facilities
Process Flow - Using Credit Card / Authorisation Process of Credit Card Facilities
Risks & Controls w.r.t. Credit Card – Same as CASA (first 4 points)
5.3. MORTGAGE LOAN
Mortgages are used by individuals and businesses to make large real estate purchases without paying the
entire value of the purchase up front.
a) Home Loan: Traditional mortgage for purchase of property. The customer has the option of
selecting a fixed or variable rate of interest.
b) Top-up Loan: An additional loan applied for by a customer who already has a loan, either for
refurbishment or renovation of the house.
c) Loan for under-construction property: The loan is granted in parts/tranches as per the construction plan.
5.4. LOAN AND TRADE FINANCE PROCESS
The lending business is the main business of a Bank. It is carried on by the bank by offering various credit facilities.
It carries inherent risks and the Bank can't lend beyond its calculated risk.
The Bank should ensure:
a) proper recovery of funds lent by it; and
b) awareness of legal remedies & laws w.r.t. credit facilities provided by it.
Process Flow - Loan Disbursal / Credit Facility Utilisation & Income Accounting
Customer → Bank: the Bank provides the credit facility after verifying the credit limit in the loan disbursal system.
5.5. TREASURY PROCESS
Core Areas of Treasury Operations – can be divided into the following broad compartments
a) Front office: F.O. operations consist of dealing room operations where dealers enter into deals/trades
with corporate & inter-bank counterparties.
Deals are entered by dealers on various trading platforms like telephone, broker & other private channels.
The dealer is responsible for checking
- counterparty credit line,
- eligibility & other regulatory requirements of the Bank before entering into a deal with customers.
All risks are borne by the dealer.
b) Middle office: M.O. operations include
- Risk management
- Pricing & valuations
- Responsibility for treasury accounting
- Documentation of various deals
- Producing financial result analysis & budget forecasts
- Preparing financial statements for regulatory reporting.
c) Back office: It supports the front office. B.O. operations include
- Confirmation of deals entered by the front office team
- Settlement of funds / securities
- Front office and back office reconciliation to ensure accuracy & completeness of all deals in a day
- Checking and confirming the existence of a valid & enforceable ISDA (International Swaps and
Derivatives Association, formerly International Swap Dealers Association) Agreement.
Risks & Controls w.r.t. Treasury Process
a) Risk: Unauthorized security set-up in systems such as F.O. / B.O.
Control: Appropriate SOD (segregation of duties) and review controls to ensure accurate security set-up.
b) Risk: An inaccurate trade is processed.
Control: Appropriate SOD and review controls for ensuring accuracy of trade processing.
c) Risk: Unauthorized confirmations are processed.
Control: Complete and accurate confirmations to be obtained from the counterparty.
d) Risk: Inaccurate information flow between the 3 systems (F.O., M.O., B.O.).
Control: Inter-system reconciliation & inter-system interfaces.
e) Risk: Insufficient securities available for settlement.
Control: Effective controls on securities & margins.
f) Risk: Insufficient funds available for settlement.
Control: Effective controls on securities and margins.
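The back-office reconciliation and the controls against unauthorized confirmations (c), inaccurate trades (b) and missing ISDA agreements can be automated as a comparison of the front-office deal blotter against the back-office confirmation file. The Python below is an added example, not code from the page or from any treasury system; the deal records, confirmation records, the set of counterparties holding a signed ISDA agreement and the list of products treated as ISDA-governed derivatives are all constructed for the illustration.

```python
from collections import Counter

# Constructed sample data for the example (not from the page).
FO_DEALS = [   # front-office blotter: what the dealers say they traded today
    {"deal_id": "D-1", "cpty": "ABC Corp", "product": "FX-SPOT", "notional": 1_000_000, "ccy": "USD"},
    {"deal_id": "D-2", "cpty": "XYZ Bank", "product": "IRS", "notional": 5_000_000, "ccy": "INR"},
    {"deal_id": "D-3", "cpty": "PQR Ltd", "product": "IRS", "notional": 2_000_000, "ccy": "USD"},
    {"deal_id": "D-4", "cpty": "ABC Corp", "product": "FX-FWD", "notional": 750_000, "ccy": "EUR"},
]
BO_CONFIRMATIONS = [   # back-office file: confirmations received from counterparties
    {"deal_id": "D-1", "cpty": "ABC Corp", "product": "FX-SPOT", "notional": 1_000_000, "ccy": "USD"},
    {"deal_id": "D-2", "cpty": "XYZ Bank", "product": "IRS", "notional": 5_500_000, "ccy": "INR"},  # notional differs
    {"deal_id": "D-3", "cpty": "PQR Ltd", "product": "IRS", "notional": 2_000_000, "ccy": "USD"},
    {"deal_id": "D-3", "cpty": "PQR Ltd", "product": "IRS", "notional": 2_000_000, "ccy": "USD"},  # sent twice
    {"deal_id": "D-9", "cpty": "LMN Inc", "product": "FX-SPOT", "notional": 300_000, "ccy": "USD"},  # no FO deal
]
ISDA_SIGNED = {"ABC Corp", "XYZ Bank"}      # PQR Ltd trades a swap without an ISDA agreement
DERIVATIVE_PRODUCTS = {"IRS", "FX-FWD"}     # products assumed here to require an ISDA agreement
COMPARED_FIELDS = ("cpty", "product", "notional", "ccy")


def reconcile(fo_deals: list, bo_confs: list, isda_signed: set) -> dict:
    """Compare the FO blotter with BO confirmations and return the exceptions for review."""
    fo_by_id = {d["deal_id"]: d for d in fo_deals}
    report = {"matched": [], "mismatched": [], "unconfirmed": [],
              "unauthorized_confirmations": [], "duplicate_confirmations": [], "no_isda": []}

    # A confirmation that repeats a deal id is a duplicate: the deal must settle once, not twice.
    counts = Counter(c["deal_id"] for c in bo_confs)
    report["duplicate_confirmations"] = sorted(i for i, n in counts.items() if n > 1)

    confirmed = set()
    for conf in bo_confs:
        deal_id = conf["deal_id"]
        if deal_id not in fo_by_id:
            # Control (c): a confirmation with no dealer-entered deal behind it is unauthorized.
            report["unauthorized_confirmations"].append(deal_id)
            continue
        if deal_id in confirmed:
            continue                                    # duplicate already reported above
        confirmed.add(deal_id)
        # Control (b): field-by-field comparison catches an inaccurately processed trade.
        diffs = [{"deal_id": deal_id, "field": f, "fo": fo_by_id[deal_id][f], "bo": conf[f]}
                 for f in COMPARED_FIELDS if fo_by_id[deal_id][f] != conf[f]]
        if diffs:
            report["mismatched"].extend(diffs)
        else:
            report["matched"].append(deal_id)

    # Completeness: every deal in the blotter must have a confirmation by end of day.
    report["unconfirmed"] = sorted(set(fo_by_id) - confirmed)
    # Back-office check: derivative deals need a valid ISDA agreement with the counterparty.
    report["no_isda"] = sorted(d["deal_id"] for d in fo_deals
                               if d["product"] in DERIVATIVE_PRODUCTS and d["cpty"] not in isda_signed)
    return report


if __name__ == "__main__":
    for key, items in reconcile(FO_DEALS, BO_CONFIRMATIONS, ISDA_SIGNED).items():
        print(f"{key}: {items}")
```

The report is the input to the segregation-of-duties control in (a) and (b): the person who clears an exception must be neither the dealer who entered the deal nor the clerk who captured the confirmation.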
5.6. INTERNET BANKING PROCESS
5.7. E-COMMERCE TRANSACTION PROCESSING
Most of the e-Commerce transactions involve advance payment either through a credit or debit card
issued by a bank.
The figure below highlights flow of transaction when a customer buys online from vendor’s e-commerce
website.
6. APPLICABLE REGULATORY AND COMPLIANCE REQUIREMENTS
6.1. BANKING REGULATION ACT, 1949
It regulates all banking companies in India, including co-operative Banks. It provides the framework for regulation
and supervision of commercial Banks.
It gives RBI power to:
a) License Banks
b) Regulate shareholding and voting rights
c) Supervise appointment of the BOD and management
d) Regulate mergers and acquisitions, and liquidation
e) Impose penalties
f) Control moratorium [period of time during which the borrower need not pay EMIs on a loan]
g) Issue directives to Banks in the interest of the public & the Bank.
h) Give instructions for audit.
RBI also provides
i) the tech platform for NEFT and RTGS & other central processing (clearing house).
ii) guidelines on how to deploy IT.
6.2. NEGOTIABLE INSTRUMENTS ACT, 1881
The NI Act gives validity & enforceability to two types of cheque:
➢ Truncated cheque, i.e. electronic image of a paper cheque
➢ Electronic cheque, i.e. cheque in electronic form
6.3. RBI REGULATIONS
RBI was established on 1st April, 1935 as per the RBI Act, 1934.
Key functions of RBI:
1. Monetary authority: RBI formulates, implements & monitors monetary policy with the objective of:
a) maintaining price stability; and
b) ensuring adequate flow of credit to productive sectors
Tools: CRR, SLR, open market operations
2. Issuer of Currency: Issues, exchanges or destroys currency and coins with the objective of providing
an adequate quantity of currency notes and coins in good quality.
3. Regulator and Supervisor of the Financial System: RBI regulates the financial system with the objective of
➢ maintaining public confidence;
➢ protecting depositors' interest; and
➢ providing cost effective banking services to the public.
6.4. PREVENTION OF MONEY LAUNDERING ACT, 2002
6.4.1. ANTI-MONEY LAUNDERING (AML) USING TECHNOLOGY
Banks can be used in M.L. as the primary means for placement and layering of proceeds of crime, as they act as a
means to transfer money across geographies, accounts & currencies.
The challenge is even greater for Banks using CBS as all transactions are integrated. With regulators
adopting stricter regulations on Banks and enhancing their enforcement efforts, Banks are using special
fraud and risk management s/w to:
a) Prevent and detect M.L.
b) Process and report suspicious transactions daily.
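The kind of rule such fraud and risk management software applies can be illustrated with a small detector for the placement and layering patterns described above: a single cash transaction at or above the reporting threshold, several cash deposits kept just under it within a few days (structuring), and cash that is fanned out to several other accounts almost as soon as it arrives. The Python below is an added example, not code from the page or from any AML product; the transaction log is constructed, and the reporting threshold, the "just under threshold" band, the time windows and the minimum counts are assumed parameters that a real bank would set from its regulatory obligations and its own risk assessment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Parameters are assumptions for this example, not values from the page.
CTR_THRESHOLD = 1_000_000             # cash transaction reporting threshold (assumed, in INR)
STRUCTURING_BAND = 0.8                # deposits from 80% of the threshold up to just below it
STRUCTURING_WINDOW = timedelta(days=7)
STRUCTURING_MIN_COUNT = 3
LAYERING_WINDOW = timedelta(hours=48)
LAYERING_MIN_DESTINATIONS = 3
LAYERING_PASS_THROUGH = 0.8           # share of a cash deposit that leaves again within the window

# Constructed transaction log (not real data): id, account, time, type, amount, counterparty
SAMPLE_LOG = """\
txn_id,account,at,type,amount,counterparty
T1,A-1,2024-03-01T10:00,CASH_DEP,950000,
T2,A-1,2024-03-02T11:30,CASH_DEP,980000,
T3,A-1,2024-03-04T09:15,CASH_DEP,920000,
T4,A-1,2024-03-04T15:00,TRANSFER_OUT,900000,B-7
T5,A-1,2024-03-05T10:00,TRANSFER_OUT,900000,B-8
T6,A-1,2024-03-05T16:00,TRANSFER_OUT,900000,B-9
T7,A-2,2024-03-03T12:00,CASH_DEP,1200000,
T8,A-3,2024-03-03T12:00,CASH_DEP,200000,
T9,A-3,2024-03-06T12:00,TRANSFER_OUT,50000,B-7
"""


def parse_log(text: str) -> list:
    """Parse the CSV log into dicts with a datetime and an integer amount."""
    rows = []
    for line in text.strip().splitlines()[1:]:              # skip the header row
        txn_id, account, at, kind, amount, cpty = line.split(",")
        rows.append({"id": txn_id, "account": account, "type": kind, "amount": int(amount),
                     "at": datetime.strptime(at, "%Y-%m-%dT%H:%M"), "cpty": cpty})
    return rows


def detect(txns: list) -> list:
    """Return one alert per (account, rule): CTR, STRUCTURING (placement) or LAYERING."""
    alerts = []
    by_account = defaultdict(list)
    for t in txns:
        by_account[t["account"]].append(t)
    for account, ts in by_account.items():
        ts.sort(key=lambda t: t["at"])
        cash = [t for t in ts if t["type"] == "CASH_DEP"]
        # Rule 1: any single cash deposit at or above the threshold must be reported (CTR).
        big = [t["id"] for t in cash if t["amount"] >= CTR_THRESHOLD]
        if big:
            alerts.append({"account": account, "rule": "CTR", "txns": big})
        # Rule 2 (placement): several deposits kept just under the threshold within a short window.
        near = [t for t in cash if STRUCTURING_BAND * CTR_THRESHOLD <= t["amount"] < CTR_THRESHOLD]
        for i, first in enumerate(near):
            window = [t for t in near[i:] if t["at"] - first["at"] <= STRUCTURING_WINDOW]
            if len(window) >= STRUCTURING_MIN_COUNT and sum(t["amount"] for t in window) >= CTR_THRESHOLD:
                alerts.append({"account": account, "rule": "STRUCTURING", "txns": [t["id"] for t in window]})
                break
        # Rule 3 (layering): cash comes in and is fanned out to several destinations almost at once.
        for dep in cash:
            outs = [t for t in ts if t["type"] == "TRANSFER_OUT"
                    and dep["at"] <= t["at"] <= dep["at"] + LAYERING_WINDOW]
            if (len({t["cpty"] for t in outs}) >= LAYERING_MIN_DESTINATIONS
                    and sum(t["amount"] for t in outs) >= LAYERING_PASS_THROUGH * dep["amount"]):
                alerts.append({"account": account, "rule": "LAYERING",
                               "txns": [dep["id"]] + [t["id"] for t in outs]})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed log, account A-2 triggers only the mandatory report, A-3 triggers nothing, and A-1 triggers both the structuring and the layering rule: three deposits of 9.2 to 9.8 lakh over four days that together exceed the threshold, followed by 27 lakh leaving for three different accounts within two days. In a CBS the same rules run over the integrated transaction stream each day, and the alerts feed the daily suspicious transaction reporting mentioned in (b).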
6.4.2. FINANCING OF TERRORISM
Money to fund terrorist activities moves through the global financial system via wire transfers and in and
out of personal and business accounts.
It is a form of M.L. but it does not work the way conventional M.L. works. Money starts as clean, i.e. as a
"charitable donation", before moving to a terrorist account.
It is highly time sensitive, requiring a quick response.
6.5. INFORMATION TECHNOLOGY ACT, 2000
The Amendment Act 2008 provides stronger privacy and data protection measures as well as requiring
reasonable information security practices, by implementing ISO 27001 or equivalent certifiable standards to protect
against cyber-crimes.
For the banks, the Act exposes them to both civil and criminal liability.
The civil liability could consist of exposure to pay damages by way of compensation up to Rs. 5 crores.
The criminal liability exposure may be to the top management of the Banks and it could consist of
➢ imprisonment for a term which could extend from three years to life imprisonment, as well as a fine.
6.5.1. CYBER CRIME
7. BASEL III NORMS & AI IN BANKING INDUSTRY