
ILLUSTRATION 1.1

ABC Ltd. is engaged in the business of producing consumer durable products. It is facing the
problem of poor customer service due to its broken, inefficient, and manual processes. The
customers of the company are becoming more demanding with respect to higher quality of
products and delivery time.

To remain competitive in the market and to overcome the issues faced by its customers, the
company decided to optimize and streamline its essential business processes using the latest
technology to automate the functions involved in carrying out these essential processes. The
management of the company is very optimistic that with automation of business processes, it
will be able to extract maximum benefit by using the available resources to their best
advantage. Moreover, with automation the company will be able to integrate various processes
and serve its customers better and faster. The management is aware that the automation of
business processes will lead to new types of risks in the company’s business. The failure or
malfunction of any critical business process will cause significant operational disruptions and
materially impact its ability to provide timely services to its customers. The management of
ABC Ltd. adopted different Enterprise Risk Management (ERM) strategies to operate more effectively in an environment filled with risks. To reduce the impact of these risks, the company also decided to implement the necessary internal controls.

Read the above illustration carefully and answer the following questions:

1. The processes automated by ABC Ltd. are susceptible to many direct and indirect challenges. Which of the following factors cannot be considered valid in case the company fails to achieve the desired results?

(a) The business processes are not well thought or executed to align with business
objectives.

(b) The staff may perceive automated processes as threat to their jobs.

(c) The documentation of all the automated business processes is not done properly.

(d) The implementation of automated processes in the company may be an expensive proposition.

2. The processes automated by ABC Ltd. are technology driven. The dependence on technology in key business processes exposed the company to various internal as well as external threats. According to you, external threats leading to cyber-crime in BPA arise because:

(a) Organizations may have a highly-defined organization structure with clearly defined
roles, authority and responsibility.

(b) There may not be one but multiple vendors providing different services.

(c) The system environment provides access to customers anytime, anywhere using
internet.

(d) The dependence on technology is insignificant.

3. The management of ABC Ltd. adopted a holistic and comprehensive approach of Enterprise Risk Management (ERM) framework by implementing controls across the company. Identify the false statement w.r.t. components of ERM framework.

(a) As a part of event identification, potential events that might have an impact on the
entity should be identified.

(b) As a part of risk assessment component, identified risks are analyzed to form a basis for
determining how they should be managed.

(c) As a part of monitoring, the entire ERM process should be monitored with no further
modifications in the system.

(d) As a part of control activities, policies and procedures are established and executed to
help ensure that the risk responses that management selected are effectively carried out.

4. The management of ABC Ltd. implemented different Information Technology General Controls (ITGCs) across different layers of the IT environment with an objective to minimize the impact of risks associated with automated processes. Which of the following is not an example of ITGC?

(a) Information Security Policy

(b) Processing Controls

(c) Backup, Recovery and Business Continuity

(d) Separation of key IT functions

SOLUTION

1. (c) The documentation of all the automated business processes is not done properly.

2. (c) The system environment provides access to customers anytime, anywhere using internet.

3. (c) As a part of monitoring, the entire ERM process should be monitored with no further modifications in the system.

4. (b) Processing Controls

ILLUSTRATION 1.2

DXN Ltd. is engaged in manufacturing consumer products for women. The company released a new product recently which met with unexpected success. The company was established as a market leader in that product. The growing volume of sales transactions started to put a strain on the company’s internal processes. The company employed 300 more employees to ensure that the customers are served better and faster. But with the increase in the number of monthly transactions to 1.5 million, the manual processes being followed by the company at present were holding it back. The company was not able to meet consumer demands even after employing an additional 300 employees. The management consultant Mr. X of DXN Ltd. advised automating the key business processes of the company to handle the large volume of transactions, meet the expectations of its customers and maintain its competitive edge in the market.

Mr. X gathered extensive information about the different activities involved in the current
processes followed by DXN Ltd. like - what the processes do, the flow of various processes, the
persons who are in charge of different processes etc. The information so collected helped him
in understanding the existing processes such as flaws, bottlenecks, and other less obvious
features within the existing processes. Based on the information gathered about the current
processes, Mr. X prepared various flowcharts depicting how various processes should be
performed after automation and submitted his report to the management covering the
following points:

• The major benefits of Business Process Automation;

• The processes that are best suited to automation;

• Challenges that DXN Ltd. may face while implementing automated processes;

• Risks involved in Business Process Automation and how the management should
manage these risks

Read the above illustration carefully and answer the following Questions:

1. As DXN Ltd. was implementing automated processes for the first time, the consultant suggested not automating all the processes at once, but only the critical processes which would help the company to handle the large volume of transactions. Which of the following business processes are not best suited to automation:

(a) Processes involving repetitive tasks

(b) Processes requiring employees to use personal judgment

(c) Time sensitive processes

(d) Processes having significant impact on other processes and systems

2. While understanding the criticality of various business processes of DXN Ltd., the consultant Mr. X documented the current processes and identified the processes that needed automation. However, documentation of existing processes does not help in __________.

(a) providing clarity on the process

(b) determining the sources of inefficiency, bottlenecks, and problems

(c) controlling resistance of employees to the acceptance of automated processes

(d) designing the process to focus on the desired result with workflow automation

3. When DXN Ltd. decided to adopt automation to support its critical business processes, it exposed itself to a number of risks. The risk that the automated process could lead to a breakdown in internal processes, people and systems is a type of __________.

(a) Operational Risk

(b) Financial Risk

(c) Strategic Risk

(d) Compliance Risk

4. Mr. X of DXN Ltd. prepared various flowcharts depicting how various processes should
be performed after automation and submitted his report to the management. The flowcharting
symbol that he used to depict a processing step is

(a) Rectangular Box

(b) Diamond

(c) Oval

(d) Line

SOLUTION

1. (b) Processes requiring employees to use personal judgment

2. (c) controlling resistance of employees to the acceptance of automated processes

3. (a) Operational Risk

4. (a) Rectangular Box

TEST YOUR KNOWLEDGE

Theoretical Questions

1. In an enterprise, explain various categories of business processes - Operational Processes, Supporting Processes and Management Processes with example. (Refer Section 1.2.1)

2. BPA is the tactic a business uses to automate processes to operate efficiently and
effectively. Explain the parameters that should be met to conclude that success of any business
process automation has been achieved.

(Refer Section 1.3.1)

3. Through automation, a business organization intends to increase the accuracy of its information transferred and certifies the repeatability of the value-added task performed by the automation of business. Being a management consultant, identify major benefits that would help the organization to achieve its objectives.

(Refer Table 1.3.1)

4. Every business process is not a good fit for automation. Explain four examples of
business processes that are not best suited for automation.

(Refer Section 1.3.3)

5. Automated processes are susceptible to challenges. Explain the major challenges involved in business process automation. (Refer Section 1.3.4)

6. The increased availability of choice to customers about products / services makes it very important for businesses to keep themselves updated to new technology and delivery mechanisms. Being a consultant, briefly explain the steps involved in BPA implementation. (Refer Section 1.3.5)

7. As an entrepreneur, your business may face all kinds of risks related from serious loss
of profits to even bankruptcy. What could be the possible Business Risks?
(Refer Section 1.4.3 (A))

8. Automated processes are technology driven. The dependence on technology in BPA for
most of the key business processes has led to various challenges. Explain the technology
related risks involved in BPA. [Refer Section 1.4.3 (B)]

9. Effective risk management begins with a clear understanding of an enterprise’s risk appetite and identifying high-level risk exposures. Explain the different risk management strategies which the Board or senior management may take up.

(Refer Section 1.4.5)

10. ERM provides a framework for risk management, which typically involves identifying
events or circumstances relevant to the organization’s objectives. Discuss the main
components of Enterprise Risk Management Framework.

(Refer Section 1.5.2)

11. SA315 provides the definition of Internal Control that are required to facilitate the
effectiveness and efficiency of business operations in an organization. Explain all components
of Internal Control as per SA315. (Refer Section 1.6.4)

12. Internal control, no matter how effective, can provide an entity with only reasonable
assurance and not absolute assurance about achieving the entity’s operational, financial
reporting and compliance objectives. Explain the inherent limitations of internal control
systems. (Refer Section 1.6.5)

13. As a part of his project work submission, Mr. X, a student of ABC university needs to
prepare and present a PowerPoint presentation on the topic “Advantages and limitations of
Flowcharts” during his practical examination. What shall be the relevant content? (Refer
Section 1.8.2 III,IV)

14. Give two examples each of the Risks and Control Objectives for the following business
processes:

a. Procure to Pay at Master Level (Refer Section 1.7.2)

b. Order to Cash at Transaction Level (Refer Section 1.7.3)

c. Inventory Cycle at Master Level (Refer Section 1.7.4)

15. Explain the salient features of Section 134 & Section 143 of the Companies Act 2013.
(Refer Section 1.9.1)

16. Give five examples of computer related offences that can be prosecuted under the IT
Act 2000 (amended via 2008).

(Refer Section 1.9.2[Point No. I])

17. Draw a Flowchart for the following process:

Leebay is a new e-commerce web site that is setting up business in India. Leebay and their
partner bank Paxis have come up with a joint promotion plan for which the following offers are
proposed. Customers can either login through a mobile app or directly from the website:

(i) If the payment mode chosen is ‘Paxis Credit’, then a 20% discount is given to the user.

(ii) If the payment mode chosen is ‘Paxis Debit’, then a 10% discount is given to the user.

(iii) If other payment modes are used, then no discount is given.

Also, to promote the downloads of its new smart phone app, the company has decided to give
the following offer:

(i) If the purchase mode is ‘Mobile App’, then no surcharge is levied on the user.

(ii) If any other purchase mode is used, then additional 5% surcharge is levied on the user.
This surcharge is applied on the bill after all necessary discounts have been applied.

With bill amount, payment mode and purchase mode as inputs, draw a flowchart for the billing
procedure for Leebay.
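The billing procedure described in the question, written out as a function so the order of the two offers (discount first, then surcharge on the discounted amount) is explicit. This is an added example, not part of the study material; the function and constant names and the use of Decimal arithmetic are assumptions made here.

```python
# Added example: the Leebay billing procedure as code. The names below are
# constructed for illustration and are not from the original material.

from decimal import Decimal, ROUND_HALF_UP

# Offer 1: discount by payment mode. Any mode not listed gets no discount.
DISCOUNT_BY_PAYMENT_MODE = {
    "Paxis Credit": Decimal("0.20"),
    "Paxis Debit": Decimal("0.10"),
}

# Offer 2: surcharge for every purchase mode other than the mobile app.
SURCHARGE_RATE = Decimal("0.05")
SURCHARGE_EXEMPT_PURCHASE_MODE = "Mobile App"


def compute_bill(bill_amount, payment_mode, purchase_mode):
    """Return the final amount payable for a Leebay order.

    Step 1: apply the payment-mode discount to the bill amount.
    Step 2: apply the 5% surcharge to the discounted amount unless the
            purchase mode is 'Mobile App'.
    Rounding to paise happens once, at the end, not after each step.
    """
    amount = Decimal(str(bill_amount))
    if amount < 0:
        raise ValueError("bill amount cannot be negative")

    discount_rate = DISCOUNT_BY_PAYMENT_MODE.get(payment_mode, Decimal("0"))
    discounted = amount * (Decimal("1") - discount_rate)

    if purchase_mode == SURCHARGE_EXEMPT_PURCHASE_MODE:
        final = discounted
    else:
        final = discounted * (Decimal("1") + SURCHARGE_RATE)

    return final.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)
```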

18. Corporate Governance is defined as the framework of rules and practices by which
Board of Directors ensures accountability, fairness and transparency in a company’s
relationship with all its stakeholders. List the rules and procedures that constitute corporate
governance framework.

(Refer Section 1.9.1[III Corporate Governance])

19. Explain the following terms in brief:

(a) Data Flow Diagram (Refer Section 1.8.2)

(b) Flowchart (Refer Section 1.8.1)

(c) Risk Assessment (Refer Section 1.5.2(iv))

20. "Enterprise Risk Management (ERM) does not create a risk-free environment; rather it enables management to operate more effectively in an environment filled with risks". In view of this statement, explain the various benefits which the Board of Directors and Management of an entity seek to achieve by implementing the ERM process within the entity. (Refer Section 1.5.1)

21. State the required characteristics of goals to be achieved by implementing Business Process Automation (BPA). (Refer Section 1.3.5 [Step 4])

22. Give some examples of the Risks and Control objectives for Human Resource Process at
configuration level. (Refer Table 1.7.7)

23. As a cyber-expert, you have been invited in a seminar to share your thoughts on data
protection and privacy in today’s electronic era. In your PowerPoint presentation on the same,
you wish to incorporate the main principles on data protection and privacy enumerated under
the IT Act, 2000. Identify them.

(Refer Section 1.9.2[Point III Privacy])

24. Explain the positive aspects contained in the IT Act 2000 and its provisions from the
perspective of e-commerce in India.

(Refer Section 1.9.2[Point II Advantages of Cyber Laws])

25. General Controls are pervasive controls and apply to all the components of system,
processes and data for a given enterprise or systems environment. As an IT consultant, discuss
some of the controls covered under general controls which you would like to ensure for a given
enterprise.

RTP NOV 2021

6. Organizations should identify controls as per policy, procedures and its structure and
configure them within IT software as used in the organization. Discuss widely the Information
Technology controls that can be implemented as per risk management strategy.

6. Information Technology controls can be classified as General Controls and Application Controls.

General Controls: These are macro in nature and are applicable to all applications and data
resources. The Information Technology General Controls are as follows:

• Information Security Policy

• Administration, Access, and Authentication

• Separation of key IT functions

• Management of Systems Acquisition and Implementation

• Change Management

• Backup, Recovery and Business Continuity

• Proper Development and Implementation of Application Software

• Confidentiality, Integrity and Availability of Software and data files

• Incident response and management

• Monitoring of Applications and supporting servers

• Value Added areas of Service Level Agreements (SLA)

• User training and qualification of Operations personnel

Application Controls: Application Controls are controls which are specific to the application
software to prevent or detect and correct errors such as payroll, accounts payable, and billing,
etc. These controls are in-built in the application software to ensure accurate and reliable
processing. These are designed to ensure completeness, accuracy, authorization and validity of
data capture and transaction processing. Some examples of Application controls are as follows-

• Data edits (editing of data is allowed only for permissible fields);

• Separation of business functions (e.g., transaction initiation versus authorization);

• Balancing of processing totals (debit and credit of all transactions are tallied);

• Transaction logging (all transactions are identified with unique id and logged);

• Error reporting (errors in processing are reported); and

• Exception Reporting (all exceptions are reported).
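The application controls listed above, shown working together in a minimal journal-posting routine: data edits limited to permissible fields, separation of initiation from authorization, balancing of debit and credit totals, transaction logging under a unique id, and error and exception reporting. This is an added example, not code from the study material; the field names, the exception threshold and the sample entries are constructed assumptions.

```python
# Added example (not from the study material): application controls enforced
# on journal postings. Field names, threshold and sample data are constructed.

import uuid
from decimal import Decimal

# Data edit control: only these fields may be changed after initiation.
EDITABLE_FIELDS = {"narration", "reference"}

# Exception reporting control: postings at or above this amount are reported
# for review even when they pass every other check (constructed threshold).
EXCEPTION_THRESHOLD = Decimal("100000")


class ControlViolation(Exception):
    """Raised when a processing control rejects an action."""


def initiate(entry, initiator):
    """Record a journal entry with a unique id and the initiator's identity."""
    return {
        "id": str(uuid.uuid4()),          # transaction logging: unique id
        "initiated_by": initiator,
        "authorized_by": None,
        "lines": list(entry["lines"]),     # [(account, debit, credit), ...]
        "narration": entry.get("narration", ""),
        "reference": entry.get("reference", ""),
    }


def edit(txn, field, value):
    """Data edit control: permit changes only on permissible fields."""
    if field not in EDITABLE_FIELDS:
        raise ControlViolation(f"field '{field}' is not editable after initiation")
    txn[field] = value
    return txn


def authorize(txn, approver):
    """Separation of business functions: the initiator may not authorize."""
    if approver == txn["initiated_by"]:
        raise ControlViolation("initiator and authorizer must be different users")
    txn["authorized_by"] = approver
    return txn


def post(txn, log, errors, exceptions):
    """Balancing control plus error and exception reporting.

    Returns True when the transaction is posted and False when it is rejected.
    Rejections go to `errors`; posted-but-unusual transactions go to `exceptions`.
    """
    if txn["authorized_by"] is None:
        errors.append((txn["id"], "not authorized"))
        return False
    total_debit = sum(Decimal(str(d)) for _, d, _ in txn["lines"])
    total_credit = sum(Decimal(str(c)) for _, _, c in txn["lines"])
    if total_debit != total_credit:
        errors.append((txn["id"], f"unbalanced: Dr {total_debit} vs Cr {total_credit}"))
        return False
    log.append(txn)                        # transaction logging
    if total_debit >= EXCEPTION_THRESHOLD:
        exceptions.append((txn["id"], f"large posting: {total_debit}"))
    return True


def run_demo():
    """Constructed sample entries exercising each control; returns the reports."""
    log, errors, exceptions = [], [], []

    # Balanced and properly authorized: posts cleanly.
    t1 = initiate({"lines": [("Cash", 5000, 0), ("Sales", 0, 5000)]}, "clerk_a")
    authorize(t1, "manager_b")
    post(t1, log, errors, exceptions)

    # Unbalanced: rejected and reported as an error.
    t2 = initiate({"lines": [("Cash", 5000, 0), ("Sales", 0, 4500)]}, "clerk_a")
    authorize(t2, "manager_b")
    post(t2, log, errors, exceptions)

    # Large but balanced: posts, and is reported as an exception.
    t3 = initiate({"lines": [("Bank", 250000, 0), ("Loan", 0, 250000)]}, "clerk_a")
    authorize(t3, "manager_b")
    post(t3, log, errors, exceptions)

    return len(log), errors, exceptions
```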


7. An auditor Mr. Sohan has been given a prime responsibility to assess the suitable
implementation and execution of various controls in his organization XYZ Ltd. To do so, he
needs to check the controls at various levels of the computer systems. Discuss the levels at
which Mr. Sohan should check the implementation of controls.

7. In computer systems, the levels at which the controls shall be checked are as follows:

(i) Configuration: Configuration refers to the way a software system is set up. It is the
methodical process of defining options that are provided during system setup. When any
software is installed, values for various parameters should be set up (configured) as per policies
and business process work-flow and business process rules of the enterprise. The various
modules of the enterprise such as Purchase, Sales, Inventory, Finance, User Access etc. must be
configured. Configuration will define how software will function and what menu options are
displayed.

Some examples of configuration are given below:

• Mapping of accounts to front end transactions like purchase and sales

• Control on parameters: Creation of Customer Type, Vendor Type, year-end process

• User activation and deactivation

• User Access & privileges - Configuration & its management

• Password Management

(ii) Masters: It refers to the way various parameters are set up for all modules of software like Purchase, Sales, Inventory, and Finance etc. These drive how the software will process relevant transactions. The masters are set up the first time during installation and are changed whenever the business process rules or parameters change. The way masters are set up will drive the way the software processes transactions of that type.

Some examples of masters are given here:

• Vendor Master: Credit period, vendor bank account details, etc.

• Customer Master: Credit limit, Bill to address, Ship to address, etc.

• Material Master: Material type, Material description, Unit of measure, etc.

• Employee Master: Employee name, designation, salary details, etc.

(iii) Transactions: It refers to the actual transactions entered through menus and functions
in the application software, through which all transactions for specific modules are initiated,
authorized, or approved. For example: Sales transactions, Purchase transactions, Stock transfer
transactions, Journal entries and Payment transactions.

CH 2 EIS

ILLUSTRATION 2.1
XYZ, a leading publication house of Delhi, was facing many issues like delay in completing the orders of its customers, manual processing of data, increased lead time, inefficient business processes etc. Hence, the top management of XYZ decided to get SAP - an ERP system - implemented in the publication house.

Using the proper method of vendor selection, Digisolution Pvt. Ltd. was selected to implement SAP software in XYZ publication house. To implement the software, the IT team of Digisolution Pvt. Ltd. visited XYZ’s office a number of times and met its various officials to gather and understand their requirements. With due diligence, the SAP software was customized and well implemented in the publishing house.

After the SAP implementation, the overall system became integrated and well connected with other departments. This raised a concern in the minds of a few employees of XYZ, who worried about their job security and quit their jobs. The top management of XYZ showed its concern on this issue and wanted to retain a few of its employees.

Answer the following questions:

1. Imagine you are core team member of Digisolution Pvt. Ltd. While customizing the
Sales and Distribution Module of SAP software, you need to know the correct sequence of all
the activities involved in the module. Identify the correct option that reflects the correct
sequence of the activities.

(i) Material Delivery

(ii) Billing

(iii) Pre-Sales Activities

(iv) Sales Order

(v) Payments

(vi) Inventory Sourcing

Choose the correct sequence from the following:

(a) (i) – (iii) – (ii) – (iv) – (v) – (vi)

(b) (ii) – (iv) – (vi) – (iii) – (i) – (v)

(c) (iii) – (iv) – (vi) – (i) – (ii) – (v)

(d) (iv) – (i) – (iii) – (v) – (ii) – (vi)

2. In purview of the above situation, which of the following controls can be helpful to the management of XYZ publishing house to retain its employees and stop them from leaving the company?

(a) Training can be imparted to employees by skilled consultant.

(b) Allocation of employees to task matching their skill set, fixing of compensation
package.

(c) Management should stop the implementation of ERP.

(d) Backup arrangement is required.


3. The SAP software was successfully implemented by XYZ publication house after
overcoming many challenges. The risk associated with “Patches and upgrades not installed and
the tools being under-utilized” belongs to __________ risk.

(a) Technological

(b) Implementation

(c) People

(d) Process

SOLUTION

1. (c) (iii) – (iv) – (vi) – (i) – (ii) – (v)

2. (b) Allocation of employees to task matching their skill set, fixing of compensation package

3. (a) Technological

ILLUSTRATION 2.2

Unique Services, a well-established firm of Chartered Accountants with nine branches at different locations in Delhi, deals in accounting, auditing and taxation assignments like – return filing, corporate taxation and planning, company formation and registration of foreign companies etc. The firm has its own ERP software. The firm decided to come up with Real Estate Regulatory Authority (RERA) registration which requires upgradation in its software. Hence, the principal partner of the firm asked its associate partner to prepare a list of various clients dealing in construction and development of flats, commercial properties etc.

The firm’s management took care to select the vendor to upgrade their ERP software which will act as an online assistant to its clients, providing them the complete details about registration and filling of various forms and resolving their frequently asked questions. The firm also wanted a safe and secure working environment for its employees to file various forms under the RERA Act on behalf of clients using digital signatures. The management also instructed its employees to mandatorily use the Digital Signature of clients for fair practices, and any dishonesty found in this regard may lead to penal provisions under various acts including the IT Act, 2000.

Answer the following questions:

1. In purview of the case scenario, Unique Services needs to make changes in its software for its users for RERA related matters. Identify the part of the overall software that actually interacts with the users of the software.

(a) Back end

(b) Front end

(c) Middle layer

(d) Reports

2. The firm decided to have an online assistant for its clients to provide complete details regarding taxation, registration and filling of various forms and solve their queries. This is an example of __________ application.

(a) Installed application

(b) Web Application

(c) Cloud Based Application

(d) Direct Application

3. While filing taxes for its client ABC, the firm Unique Services enters the details of its TDS and GST in the requisite forms. Identify from the following which type of master data it belongs to.

(a) Accounting Master data

(b) Inventory Master Data

(c) Statutory Master data

(d) Payroll master Data

SOLUTION

1. (b) Front end

2. (c) Cloud Based Application

3. (c) Statutory Master data

TEST YOUR KNOWLEDGE

Theoretical Questions

1. As an Auditor, prepare a checklist of the questions that you would ask while
performing an ERP Audit. (Refer Section 2.4)

2. Determine the reasons for the importance of Business Reporting. Identify the global
standard for exchanging business information and discuss it in detail.

(Refer Section 2.9.1 and 2.9.2)

3. An enterprise ABC Ltd. intends to acquire software for Accounting as well as Tax
compliance. Prepare a list of pros and cons of having single software for Accounting and Tax
compliance. (Refer Table 2.10.1 under Section 2.10.2)

4. An article joined an Audit firm where he was briefed on various steps involved during
Accounting Process Flow. Explain these steps involved in the process.

(Refer Section 2.6.2)


5. The Material Management (MM) Module in an ERP system manages materials required, processed and produced in enterprises. Discuss the steps involved in the overall purchase process. (Refer Section 2.6.3[B(f)])

6. Explain the term “Business Intelligence” with example. (Refer Section 2.8.3)

7. As a manager of a telecom service provider, you are concerned with the MIS Report about your department’s customer service calls. Determine the various criteria that the information in the report should meet so that the report becomes useful for you. (Refer Section 2.7.2)

8. Explain the term “Data Analytics” and recognize its application areas in today’s world.
(Refer Section 2.8)

9. Explain the different ways in which the Regulators can use eXtensible Business
Reporting Language (XBRL) for various purposes. (Refer Section 2.9.2)

10. Discuss the key features of Controlling Module in an Enterprise Resource Planning
(ERP). (Refer Section 2.6.3[B(b)])

11. Nowadays, many organizations are switching over to ‘Cloud Applications’ as the organizations do not want to indulge themselves in maintenance of their own IT infrastructure to run their businesses. You, being an IT consultant, list out some of the advantages and disadvantages of using these Cloud applications. (Refer Table 2.2.5)

12. Central database is the main feature of an Enterprise Resource Planning (ERP) System.
As the complete data is stored at one place, ensuring safety of data and minimizing risk of loss
of data is a big challenge. As an IT expert, discuss various risks involved during ERP
implementation. (Refer Table 2.3.1[D])

13. Discuss in brief the following terms:

(a) Regulatory Compliance (Refer Section 2.10.1)

(b) Three tier Architecture of Application Software (Refer Section 2.2.4(iii))

(c) Role-based Access Control (RBAC) in ERP (Refer Section 2.3.3)

14. Customer Relationship Management (CRM) is a system which aims at improving relationship with customers. Briefly explain key benefits of CRM Module of ERP. (Refer Section 2.6.3[B(k)])

15. A business organization is shifting from traditional accounting system to computerized accounting system. The organization needs to store the data that is relatively permanent and not expected to change frequently in accounting system. As a financial expert, suggest the types of data used in computerized accounting system. (Refer Section 2.2.3)

RTP NOV 2021

8. ERP systems are expected to produce accurate, complete, and authorized information, and therefore require major security aspects that involve physical safety, input validations and access control mechanism. In light of this statement, explain the importance of Role Based Access Control in an ERP system.

8. Role Based Access Control (RBAC) is an approach to restricting system access to authorized users. RBAC, sometimes referred to as Role-Based Security, is a policy-neutral access control mechanism defined around roles and privileges that gives employees access rights only to the information they need to do their jobs and prevents them from accessing information that doesn't pertain to them. It is used by most enterprises and can implement Mandatory Access Control (MAC) or Discretionary Access Control (DAC).

• MAC criteria are defined by the system administrator, strictly enforced by the Operating System, and cannot be altered by end users. Only users or devices with the required information security clearance can access protected resources. Organizations with varying levels of data classification, like government and military institutions, typically use MAC to classify all end users.

• DAC involves physical or digital measures and is less restrictive than other access
control systems as it offers individuals complete control over the resources they own. The
owner of a protected system or resource sets policies defining who can access it.

The components of RBAC such as role-permissions, user-role and role-role relationships make it
simple to perform user assignments. RBAC can be used to facilitate administration of security in
large organizations with hundreds of users and thousands of permissions. Roles for staff are
defined in organization and permission to access a specific system or perform certain operation
is defined as per the role assigned. For example - a junior accountant in accounting department
is assigned a role of recording basic accounting transactions, an executive in human resource
department is assigned a role of gathering data for salary calculations on monthly basis, etc.
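The three RBAC relationships named above (role-permission, user-role and role-role) as a small working model, using the junior accountant and HR executive roles from the text. This is an added example, not code from the study material or any ERP product; the users, the "senior_accountant" role that inherits from "junior_accountant", and the permission strings are constructed assumptions.

```python
# Added example (not from the study material): a minimal RBAC model with role
# inheritance. Users, the senior_accountant role and permission names are
# constructed for illustration.

from collections import deque

# Role-permission relationship: permissions granted directly to each role.
ROLE_PERMISSIONS = {
    "junior_accountant": {"ledger:record_basic_transaction"},
    "senior_accountant": {"ledger:approve_transaction"},
    "hr_executive": {"payroll:gather_salary_data"},
}

# Role-role relationship: a role inherits everything its parent roles hold.
ROLE_PARENTS = {
    "senior_accountant": {"junior_accountant"},
}

# User-role relationship: users hold roles, never permissions directly.
USER_ROLES = {
    "asha": {"junior_accountant"},
    "ravi": {"senior_accountant"},
    "meena": {"hr_executive"},
}


def effective_roles(role):
    """All roles reachable from `role` through inheritance (cycle-safe)."""
    seen, queue = set(), deque([role])
    while queue:
        current = queue.popleft()
        if current in seen:
            continue
        seen.add(current)
        queue.extend(ROLE_PARENTS.get(current, ()))
    return seen


def permissions_for(user):
    """Union of permissions over every role the user holds or inherits."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        for r in effective_roles(role):
            perms |= ROLE_PERMISSIONS.get(r, set())
    return perms


def is_allowed(user, permission):
    """Deny by default: unknown users and unlisted permissions are refused."""
    return permission in permissions_for(user)


def assign_role(user, role):
    """User-role administration: only roles that are defined may be assigned."""
    if role not in ROLE_PERMISSIONS and role not in ROLE_PARENTS:
        raise ValueError(f"undefined role: {role}")
    USER_ROLES.setdefault(user, set()).add(role)
    return USER_ROLES[user]


def revoke_role(user, role):
    """Removing a role removes every permission the user had only through it."""
    USER_ROLES.get(user, set()).discard(role)
    return USER_ROLES.get(user, set())
```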

9. DEF consultant is a consultancy company that provides its services to various clients on
GST, Company Law, and Income Tax. At present, the company is using separate software each
for accounting and tax compliance. Mr. Rajesh, IT head in the DEF consultant, suggested the
management that they should rather adopt single software for accounting and tax compliance
both. He prepared a supportive document highlighting the pros and cons of Accounting and Tax
compliance software over only the tax compliance software. Elaborate the content of Mr.
Rajesh’s document.

9. The pros and cons of using single software for accounting and tax over the software with tax compliance only, on various aspects, are as follows:

1. Ease of software operation

• Accounting & Tax Compliance Software: Less – as this is an integrated system of accounting and tax compliance, everything is connected with each other, and making changes at one place may affect other aspects also.

• Only Tax Compliance Software: More – as this is used only for one single purpose, i.e. tax compliance, it is less complicated and bound to be easy.

2. Features and facilities

• Accounting & Tax Compliance Software: Less – as this system is not an exclusive system for tax compliance, it may have limited features for tax compliance.

• Only Tax Compliance Software: More – as this is an exclusive and specifically designed system for tax compliance, naturally more features and facilities shall exist in this system.

3. Time and efforts required

• Accounting & Tax Compliance Software: Less – as this is an integrated system, the time required to transfer data to compliance software is zero.

• Only Tax Compliance Software: More – as this is a separate software, data from the accounting software needs to be put into this for preparation of returns. This may take extra time and efforts.

4. Accuracy

• Accounting & Tax Compliance Software: More – as this is an integrated system, accounting data and tax compliance data shall always be the same. No need to transfer data to compliance software and reconcile the data.

• Only Tax Compliance Software: Less – as there are two separate systems, reconciliation with accounting data is needed, and the possibility of mismatch of data is always there.

5. Cost

• Accounting & Tax Compliance Software: More – if the tax compliance feature is not available in the accounting system, getting it customized may require some amount of cost which may be higher than buying separate software.

• Only Tax Compliance Software: Less – as this is specific purpose software, there shall be fewer complications and the cost also shall be less.

CH 3 EIS

ILLUSTRATION 3.1

In 2017, XYZ Systems had shifted to the SQL Server Relational Database Management System from
the previously used IBM Information Management System which used a hierarchical database model
to create a well-organized database to store organizational data.

On acquiring a good number of global clients and keeping in view the increased number, complexity
of the overseas transactions and the management’s need for periodic performance analysis; XYZ
Systems planned to leverage the benefit of data warehouse whereas the research team suggested
the implementation of Big data. However, XYZ Systems did not implement suitable security controls
and hence recently faced data security breach which led to the unauthorized manipulation of certain
confidential data. This resulted in XYZ Systems paying a substantial amount as compensation and
loss of a major client.

Consequently, XYZ Systems has now implemented varied controls starting from strict password
management to high level access controls and monitoring mechanism ensuring that there are no
further data security issues. In this context, let’s analyze and answer the following questions:

(A) The XYZ Systems initially used IBM Information Management system which used a
hierarchical database model. Which type of relationship is not supported by such database model?

(i) One-to-One

(ii) Many-to-One
(iii) One-to-Many

(iv) None of the above

(B) The XYZ Systems recently shifted to the SQL Server DBMS from the IBM Information
Management system that it previously used. Under which aspect, the SQL Server differs from IBM
Information Management System?

(i) One-to-one relationship

(ii) One-to-many relationship

(iii) Relational Database structure

(iv) None of the above

(C) Which among the following is not an advantage of the SQL Server DBMS?

(i) Data Sharing

(ii) Data Redundancy

(iii) Program and File consistency

(iv) None of the above

(D) To ensure that the communication between their private network and public network is
secured, one of the steps taken by XYZ Systems is to install a firewall. The installation of a firewall is
a _ type of control.

(i) Preventive

(ii) Corrective

(iii) Detective

(iv) None of the above

(E) XYZ Systems made its access privileges more stringent so as to prevent unauthorized users from
gaining entry into the secured area, and also granted users the minimum access needed for their job
requirements. Which of the following Logical Access controls covers this aspect?

(i) Operating System Access Control

(ii) Network Access Controls

(iii) User Access Management

(iv) Application and Monitoring System control

(F) Based on the risk assessment by the audit team, the management of XYZ Systems decided to
specify the exact path of the internet access by routing the internet access by the employees
through a firewall and proxy. This is referred to as _.

(i) Encryption

(ii) Enforced Path

(iii) Call Back Devices


(iv) None of these

SOLUTION

(A) (ii) Many-to-One

(B) (iii) Relational Database structure

(C) (ii) Data Redundancy

(D) (i) Preventive

(E) (iii) User Access Management

(F) (ii) Enforced Path

ILLUSTRATION 3.2

Bianc Computing Ltd. has implemented a set of controls including those with respect to security,
quality assurance and boundary controls to ensure that the development, implementation,
operation and maintenance of information systems takes place in a planned and controlled manner.
It has also ensured that logs are designed to record activity at the system, application, and user level.

Along with the implementation of controls and maintenance of logs, it has approached a leading
firm of IS auditors to conduct a comprehensive audit of its controls. Within the organization also, it
has opened new job roles and has hired people with the required skill sets for the same. In this
context, answer the following.

(A) The team of network engineers of Bianc Computing Ltd. recommended certain controls to
be implemented in the organization to bridge the rate of data reception and transmission between
two nodes. Which types of controls are being referred to here?

(i) Link Controls

(ii) Flow Controls

(iii) Channel Access Controls

(iv) Line Error Controls

(B) A process is used to ensure that the user can continue working, while the print operation is
getting completed. This is known as _.

(i) Logging

(ii) Spooling

(iii) Spoofing

(iv) Print-Run-to Run Control Totals

(C) Bianc Computing Ltd. has also opened up new job roles and has hired persons with the
required skill sets for the same as given below.
Job Role / Person Responsible

1. Developing logical and physical designs of data models (a) Operations Manager

2. Providing front line user support services (b) Security Analyst

3. Staffing of resources for upcoming projects (c) Database Architect

4. Examining logs from firewalls, and providing security advisories (d) Help Desk Analyst

5. Performing maintenance and configuration operations on systems (e) Systems Analyst

6. Build and maintain network devices such as routers, switches etc. (f) System Administrator

7. Developing technical requirements, program design, and software test plans (g) Network engineer

Identify the right match to the job roles assigned and the responsible persons for the job role.

(i) 1(c), 2(d), 3(a), 4(b), 5(f), 6(g), 7(e)

(ii) 1(d), 2(b), 3(c), 4(g), 5(f), 6(a), 7(e)

(iii) 1(e), 2(b), 3(c), 4(g), 5(a), 6(f), 7(d)

(iv) 1(g), 2(f), 3(e), 4(d), 5(c), 6(b), 7(a)

SOLUTION

(A) (ii) Flow Controls

(B) (ii) Spooling

(C) (i) 1(c), 2(d), 3(a), 4(b), 5(f), 6(g), 7(e)

RTP NOV 2021

10. ABC Ltd., an automobile manufacturer, intends to establish its new manufacturing unit plant
at Bhuj, Gujarat. Out of the many controls that need to be in place, the management has a little more
focus on the successful implementation of Environmental controls, as the Bhuj area is earthquake prone.
Mr. Nanda, the auditor of ABC Ltd., conducted various physical inspections of the building at Bhuj to
determine the implementation of environmental controls in the said manufacturing unit. Briefly
explain his role and the activities he shall conduct to audit the Environmental Controls.

10. Role of Auditor in Auditing Environmental Controls: Audit of environmental controls should
form a critical part of every IS audit plan. The IS auditor should satisfy himself or herself not only
about the effectiveness of various technical controls but also about the overall controls safeguarding
the business against environmental risks. Audit of environmental controls requires the IS auditor to
conduct physical inspections and observe practices. Auditing environmental controls requires knowledge
of building mechanical and electrical systems as well as fire codes. The IS auditor needs to be able to
determine if such controls are effective and if they are cost-effective.

Auditors shall conduct the following activities in auditing Environmental controls:

• Power conditioning: The IS auditor should determine how frequently power conditioning
equipment, such as UPS, line conditioners, surge protectors, or motor generators, are used,
inspected and maintained and if this is performed by qualified personnel.

• Backup power: The IS auditor should determine if backup power is available via electric
generators or UPS and how frequently they are tested. S/he should examine maintenance records to
see how frequently these components are maintained and if this is done by qualified personnel.

• Heating, Ventilation, and Air Conditioning (HVAC): The IS auditor should determine if HVAC
systems are providing adequate temperature and humidity levels, and if they are monitored. Also,
the auditor should determine if HVAC systems are properly maintained and if qualified persons do
this.

• Water detection: The IS auditor should determine if any water detectors are used in rooms
where computers are used. He or she should determine how frequently these are tested and if they
are monitored.

• Fire detection and suppression: The IS auditor should determine if fire detection equipment
is adequate, if staff members understand its function, and if it is tested. S/he should
determine how frequently fire suppression systems are inspected and tested, and if the organization
has emergency evacuation plans and conducts fire drills.

• Cleanliness: The IS auditor should examine data centers to see how clean they are. IT
equipment air filters and the inside of some IT components should be examined to see if there is an
accumulation of dust and dirt.

11. The processing subsystem of any application software is responsible for computing, sorting,
classifying, and summarizing the data. The processor controls of the application software are
responsible for reducing the expected losses from errors and irregularities associated with Central
processors. Discuss these controls.

11. The processor controls of any application software are as follows:

• Error Detection and Correction: Occasionally, processors might malfunction because of
design errors, manufacturing defects, damage, fatigue, electromagnetic interference, and ionizing
radiation. The failure might be transient (that disappears after a short period), intermittent (that
reoccurs periodically), or permanent (that does not correct with time). For the transient and
intermittent errors, re-tries and re-execution might be successful, whereas for permanent errors,
the processor must halt and report the error.

• Multiple Execution States: It is important to determine the number of and nature of the
execution states enforced by the processor. This helps auditors to determine which user processes
will be able to carry out unauthorized activities, such as gaining access to sensitive data maintained
in memory regions assigned to the operating system or other user processes.

• Timing Controls: An operating system might get stuck in an infinite loop. In the absence of
any control, the program will retain use of processor and prevent other programs from undertaking
their work.
• Component Replication: In some cases, processor failure can result in significant losses.
Redundant processors allow errors to be detected and corrected. If processor failure is permanent in
multicomputer or multiprocessor architectures, the system might reconfigure itself to isolate the
failed processor.
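As an added illustration of two of the processor controls listed above (this code is not part of the study material), the following Python routines model the re-try policy for transient versus permanent faults and a time-quantum control that interrupts a job stuck in an infinite loop so that it cannot retain the processor. The fault-raising jobs, the exception classes and the function names are all constructed for the example; real processor faults are surfaced by hardware, not by Python exceptions.

```python
"""Added example: processor-control patterns modelled in Python.

  * Error detection and correction: transient or intermittent faults are
    re-tried; a permanent fault halts the job and is reported.
  * Timing control: a job that never terminates is interrupted once its
    time quantum expires.

All fault behaviour below is constructed for the demonstration (assumption).
"""
import signal


class TransientFault(Exception):
    """Disappears after a short period: worth re-trying."""


class PermanentFault(Exception):
    """Does not correct with time: halt and report."""


def run_with_retries(job, max_retries=3):
    """Execute job(), re-trying on TransientFault.

    Returns (status, attempts, result); status is 'ok' or 'halted'.
    Exhausting the re-tries is treated like a permanent fault.
    """
    for attempt in range(1, max_retries + 1):
        try:
            return "ok", attempt, job()
        except TransientFault:
            continue                          # re-execution may succeed
        except PermanentFault:
            return "halted", attempt, None    # report, do not keep re-trying
    return "halted", max_retries, None


def make_flaky_job(failures_before_success):
    """Constructed job that raises TransientFault a fixed number of times."""
    state = {"calls": 0}

    def job():
        state["calls"] += 1
        if state["calls"] <= failures_before_success:
            raise TransientFault()
        return "computed"
    return job


def make_broken_job():
    """Constructed job whose fault never clears."""
    def job():
        raise PermanentFault()
    return job


class QuantumExpired(Exception):
    """Raised by the timer handler when the job's time slice is used up."""


def run_with_quantum(job, seconds):
    """Timing control: interrupt job() if it runs longer than `seconds`.

    Uses a POSIX interval timer (SIGALRM), so it must run on the main thread
    of a Unix-like system. Returns 'ok' or 'preempted'.
    """
    def handler(signum, frame):
        raise QuantumExpired()

    previous = signal.signal(signal.SIGALRM, handler)
    signal.setitimer(signal.ITIMER_REAL, seconds)
    try:
        job()
        return "ok"
    except QuantumExpired:
        return "preempted"
    finally:
        signal.setitimer(signal.ITIMER_REAL, 0)   # cancel the timer
        signal.signal(signal.SIGALRM, previous)   # restore prior handler


def runaway_job():
    """Constructed 'infinite loop' that would otherwise hold the processor."""
    while True:
        pass


if __name__ == "__main__":
    print(run_with_retries(make_flaky_job(2)))     # ('ok', 3, 'computed')
    print(run_with_retries(make_broken_job()))     # ('halted', 1, None)
    print(run_with_retries(make_flaky_job(10)))    # ('halted', 3, None)
    print(run_with_quantum(runaway_job, 0.2))      # 'preempted'
    print(run_with_quantum(lambda: None, 0.2))     # 'ok'
```

The re-try loop bounds how long a transient fault is tolerated before it is reported as permanent, and the quantum routine shows why the timing control matters: without the timer, `runaway_job` would never return control.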

CH 4 EIS

TEST YOUR KNOWLEDGE

Theory Questions

1. Define the following:

(a) E- Commerce (Refer Section 4.1)

(b) M-Commerce (Refer Section 4.3.5)

(c) Machine Learning (Refer Section 4.8.10)

(d) Bring Your Own Device (BYOD) (Refer Section 4.8.6)

(e) Grid Computing Security (Refer Section 4.8.2(point IV))

2. Explain various components that are involved in an E-Commerce.

(Refer Section 4.2)

3. Discuss the architecture of Networked Systems. (Refer Section 4.3)

4. Differentiate Traditional Commerce and E- Commerce. (Refer Section 4.1.2)

5. A business model is the mechanism by which a business intends to generate revenue and
profits. Explain the different e-commerce business models.

(Refer Section 4.1.6)

6. Explain the different steps followed by the user in buying goods online.

(Refer Section 4.4)

7. Discuss various risks associated with E-Commerce transactions that are higher as compared to
general Internet activities. (Refer Section 4.5.1)

8. What are the ways of protecting your e-Commerce business from intrusion?

(Refer Section 4.5.2)

9. Explain the important provisions of IT Act 2000 related to e-commerce.

(Refer Section 4.6.3)

10. Subsequent to demonetization, one of your elderly neighbors, who was using traditional
digital methods of making payments like cards, net banking etc., asked for your help to know about
the various new methods of Digital Payments. Identify and explain various new methods of Digital
Payments for him. (Refer Section 4.7)
11. What do you mean by “Cloud Computing”? Discuss its characteristics.

(Refer Section 4.8.3[Point I])

12. Explain the different types of clouds in Cloud Computing.

(Refer Section 4.8.3(Point IV))

13. Discuss various components of Mobile Computing.

(Refer Section 4.8.4 (Point I))

14. Explain the benefits of Mobile Computing. (Refer point 4.8.4 (III))

15. Mobile Computing is an important and rapidly evolving technology that allows users to
transmit data from remote location to other locations in mobility condition. Being a communication
expert, identify the limitations in current scenario that impede users to use this technology
frequently.

(Refer Section 4.8.4[Point No. IV])

16. Discuss some best practices of Green Computing. (Refer Section 4.8.5)

17. Write short note on the following terms:

(a) Digital Library (Refer Section 4.2)

(b) Web Portal (Refer Section 4.2)

18. Discuss the concept of Virtualization and its various application areas.

(Refer Section 4.8.1)

19. Every business decision is accompanied with a set of threats and so is BYOD program.
Explain the areas in which the risks associated with BYOD program can be classified. (Refer
Section 4.8.6 [Point No. II])

20. Explain the pertinent issues involved in Cloud Computing implementation.

(Refer Section 4.8.3 [VI])

RTP NOV 2021

12. Considering the Covid situation nowadays, there has been a paradigm shift in the usage of
electronic devices like servers, laptops, tablets, storage devices and various networking and
communication devices like routers etc. Thus arises the dire need for relevant reforms to
reduce the use of hazardous materials and to stress the recyclability or biodegradability of these
defunct products and factory waste. The said objective is achieved using Green Computing Best
Practices. Elaborate some of these practices in detail.

12. The details of Green Computing Practices are as follows:

(i) Develop a sustainable Green Computing plan

• Involve stakeholders to include checklists, recycling policies, recommendations for disposal
of used equipment, government guidelines and recommendations for purchasing green computer
equipment in organizational policies and plans;

• Encourage the IT community for using the best practices and encourage them to consider
green computing practices and guidelines.

• On-going communication about and campus commitment to green IT best practices to
produce notable results.

• Include power usage, reduction of paper consumption, as well as recommendations for new
equipment and recycling old machines in organizational policies and plans; and

• Use cloud computing so that multiple organizations share the same computing resources
thus increasing the utilization by making more efficient use of hardware resources.

(ii) Recycle

• Dispose e-waste according to central, state and local regulations;

• Discard used or unwanted electronic equipment in a convenient and environmentally
responsible manner as computers emit harmful emissions;

• Manufacturers must offer safe end-of-life management and recycling options when products
become unusable; and

• Recycle computers through manufacturer’s recycling services.

(iii) Make environmentally sound purchase decisions

• Purchase of desktop computers, notebooks and monitors based on environmental
attributes;

• Provide a clear, consistent set of performance criteria for the design of products;

• Recognize manufacturer efforts to reduce the environmental impact of products by reducing
or eliminating environmentally sensitive materials, designing for longevity, and reducing packaging
materials; and

• Use Server and storage virtualization that can help to improve resource utilization, reduce
energy costs, and simplify maintenance.

(iv) Reduce Paper Consumption

• Reduce paper consumption by use of e-mail and electronic archiving;

• Use of “track changes” feature in electronic documents, rather than red line
corrections on paper;

• Use online marketing rather than paper-based marketing; e-mail marketing solutions that
are greener, more affordable, flexible and interactive than direct mail; free and low-cost online
invoicing solutions that help cut down on paper waste; and

• While printing documents; make sure to use both sides of the paper, recycle regularly, use
smaller fonts and margins, and selectively print required pages.

(v) Conserve Energy

• Use Liquid Crystal Display (LCD) monitors rather than Cathode Ray Tube (CRT) monitors;

• Develop a thin-client strategy wherein thin clients are smaller, cheaper, simpler for
manufacturers to build than traditional PCs or notebooks and most importantly use about half the
power of a traditional desktop PC.

• Use notebook computers rather than desktop computers whenever possible;

• Use the power-management features to turn off hard drives and displays after several
minutes of inactivity;

• Power-down the CPU and all peripherals during extended periods of inactivity;

• Try to do computer-related tasks during contiguous, intensive blocks of time, leaving
hardware off at other times;

• Wherever possible, the devices that can perform more than one function should be used.
For example, multi-purpose printer saves energy by combining a printer, scanner, fax, and
photocopier into one device.

• Power-up and power-down energy-intensive peripherals such as laser printers according to
need;

• Employ alternative energy sources for computing workstations, servers, networks and data
centers; and

• Adapt more of Web conferencing offers instead of travelling to meetings to go green and
save energy.

13. Ms. Anita, a final year student of an undergraduate course, had to submit her project report in
PDF form. She initially prepared her report in MS Word and used online software from Google to edit
the photos used in her assignment. Later, for final submission, she used an online PDF converter to
convert her Word file into PDF. Identify the Cloud Computing Service Model that is being used by her
and further discuss the Model’s different instances.

13. The Cloud Computing service model used by Ms. Anita is Software as a Service (SaaS). The
different instances of the model are as follows:

• Testing as a Service (TaaS): This provides users with software testing capabilities such as
generation of test data, generation of test cases, execution of test cases and test result evaluation
on a pay-per-use basis.
• API as a Service (APIaaS): This allows users to explore functionality of Web services such as
Google Maps, Payroll processing, and credit card processing services etc.

• Email as a Service (EaaS): This provides users with an integrated system of emailing, office
automation, records management, migration, and integration services with archiving, spam blocking,
malware protection, and compliance features.

CH 5

ILLUSTRATION 5.1

Mr. Shoren has recently been associated with the procurement and sale of drugs and narcotic
substances without a license, which is illegal as per the Narcotic Drugs and Psychotropic Substances Act,
1985. A major part of the sale proceeds, amounting to ₹ 65 lakhs, was collected and routed through
various bank accounts held in SNFC Bank, which was subsequently advanced to various bogus
companies, and a series of transactions was initiated to make the money appear to have been
obtained from a legal, legitimate source. These activities were carried out with the assistance of one
of the employees of SNFC Bank, who intentionally altered a few computer source codes so that no
records of the major transactions that took place could be found in the database. A series of
transactions ranging from ₹ 10,000 to ₹ 1 lakh was initiated in a month for depositing the amount of ₹
65 lakhs in SNFC Bank.

However, SNFC Bank had failed to keep proper records of information relating to a few of the
transactions as they were not of substantial amount. Furthermore, it was later found that one of the
staff members of SNFC Bank, whose relative was an insurance agent, used to obtain medical
information of the customers having accounts with the bank for obtaining personal benefits.

In this context, answer the following:

1. Which amongst the following activities carried out by Mr. Shoren could be considered as an
offence of Money Laundering?

(a) Expenses incurred for procurement of narcotic drugs

(b) Sale of narcotic drugs without a license.

(c) Routing the illegal proceeds through bank and other transactions to appear as obtained
from legitimate source.

(d) Being a part of the cartel/association carrying out illegal sale of drugs.

2. The employee of SNFC Bank who had assisted Mr. Shoren in routing the illegal money
through bank by altering the computer source code so that major transactions’ amounts were not
traceable in the bank’s database. Under which section of IT Act 2000 will this act be punishable?

(a) Section 66E

(b) Section 66B

(c) Section 65

(d) Section 66D


3. Mr. Shoren was involved in the collection and sale of illegal drugs and got the routing done
through various banking transactions and advances to bogus companies. Which stages of Money
Laundering process address these afore said activities?

(a) Placement and Integration

(b) Layering and Integration

(c) Placement and Layering

(d) Placement, Layering and Integration

4. SNFC Bank failed to maintain records of information relating to banking transactions carried
out by Mr. Shoren, as many of the transaction amounts were not substantial. Also, the privacy
regarding the details of the medical history of its customers was breached. Which kind of risk would
SNFC Bank be exposed to if it has to face legal penalties, as it had failed to act in accordance with the
laws and requirements as per the Prevention of Money Laundering Act (PMLA)?

(a) Legal and Compliance Risk

(b) Compliance and Information Security Risk

(c) Information Security and People Risk

(d) Transaction processing and Legal risk

SOLUTION

1. (c) Routing the illegal proceeds through bank and other transactions to appear as obtained
from legitimate source.

2. (c) Section 65

3. (c) Placement and Layering

4. (b) Compliance and Information Security Risk

ILLUSTRATION 5.2

GNI Bank is one of the age-old conventional banks which offers an array of banking services like
EFT’S, Collections, clearing, Letter of credits/guarantees etc. to its customers. To provide latest
functionalities and to improve the overall efficiency with respect to banking services, it has recently
implemented a core banking solution. It has also put in place the necessary controls to safeguard its
business from being exposed to probable IT risks.

Mr. Doshi, a senior software developer having a savings bank account with GNI Bank has requested
for internet banking facilities. He has also applied and produced all the necessary documents for
availing a housing loan from the said bank. Though the procedures followed for sanctioning housing
loans are quite stringent, GNI bank offers floating interest rate on its loans and offers comparatively
higher interest rates on its fixed deposits compared to the other banks in the state also.

In this context, answer the following:

1. Given below are the features of Core Banking Solution recently implemented by GNI Bank
that prove advantageous to both the bank and its customers. Which among the following
advantages would relate the most to Mr. Doshi who has recently availed a housing loan in terms of
easy and effortless Internet banking?

(a) Reliance on transaction balancing

(b) Highly dependent system-based controls

(c) Daily, half yearly and annual closing

(d) Automatic processing of standing instructions

2. GNI Bank during this stage of the loan processing of Mr. Doshi, checks the borrower’s ability
to repay the loan based on an analysis of his credit history, and his earning capacity. This process
which forms a major aspect in loan approvals is referred to as _.

(a) Clearing

(b) Underwriting

(c) Collections

(d) Letter of Credit

3. GNI bank has also implemented necessary controls to ensure safeguards against the
exposure to IT risks. As a practice, whenever a connection is made to website in another network, it
will be routed through a particular server. Which among the servers would be utilized for making
connections with other network services?

(a) Web Server

(b) Application Server

(c) Proxy Server

(d) Database Server

4. GNI Bank has also implemented necessary controls to ensure safeguards against the
exposure to IT risks. Which among the following controls could be implemented when risk arises due
to lack of or inadequate management direction and commitment to protect information assets?

(a) The identity of users is authenticated to the systems through passwords.

(b) Security policies are established and management monitors compliance with
policies.

(c) Access to sensitive data is logged and the logs are regularly reviewed by management.

(d) Physical access restrictions are implemented and administered.

SOLUTION

1. (d) Automatic processing of standing instructions

2. (b) Underwriting

3. (c) Proxy Server

4. (b) Security policies are established and management monitors compliance with policies.

Theoretical Questions

1. Distinguish between Application Server and Database Server.

(Refer Section 5.2.2)

2. Briefly explain core features of Core Banking Software. (Refer Section 5.1.4)

3. Briefly explain major components of a CBS solution. (Refer Section 5.2.1)

4. Discuss various risks that are associated with CBS software.

(Refer Section 5.3.1)

5. Briefly discuss the key provisions of Information Technology Act, 2000 regarding IT related
offences impacting banks. (Refer Section 5.5.4)

6. In line with the suggestions of RBI, M/s. ABC Bank is planning to obtain ISO 27001:2013
certification for its Information Security Management System. As an IS Auditor, you are required to
prepare a sample list of Risks w.r.t Information Security for the bank. (Refer Table 5.3.1)

7. Banks face the challenge of addressing the threat of money laundering on multiple fronts as
banks can be used as primary means for transfer of money across geographies. Considering the
above statement, discuss the Money Laundering process and its different stages. (Refer
Section 5.5.2)

8. Information Technology (IT) risks can be reduced by implementing the right type and level of
control in automated environment that is done by integrated controls into information technology.
Being an IT consultant, suggest various steps of IT control to a branch manager of a bank.

(Refer Section 5.3.3 [Point No. (b)])

9. Briefly explain the following terms:

(a) Proxy Server (Refer Section 5.2.2[G])

(b) Key functions of RBI (Refer Section 5.5.4[Point No. II])

10. Discuss various risks and controls associated with the Current and Savings Account (CASA)
process. (Refer Table 5.3.3)

RTP NOV 2021

14. In the Core Banking Systems, the central server supports the entire banking process through
front-end and back-end applications and enables the users to access numerous online banking
facilities 24x7. Explain various Front-end applications of Core Banking Systems.

14. Various Front-end applications of core banking systems are as follows:

o Internet Banking, also known as Online Banking, is an electronic payment system that
enables customers of a bank or other financial institution to conduct a range of financial transactions
through the financial institution's website accessed through any browser. The online banking system
offers 250+ services and facilities that give us real-time access to our bank account. We can
make and receive payments to our bank accounts, open Fixed and Recurring Deposits, view account
details, request a cheque book and a lot more, while online.

o Mobile Banking is a service provided by a bank or other financial institution that allows its
customers to conduct financial transactions remotely using a mobile device such as a smartphone or
tablet. Unlike the related internet banking, it uses software, usually called an app, provided by the
financial institution for the purpose. The app needs to be downloaded to utilize this facility. Mobile
banking is usually available on a 24-hour basis.

o Phone Banking: It is a functionality through which customers can execute many of the
banking transactional services through the Contact Centre of a bank over the phone, without the need to
visit a bank branch or ATM. Registration of a mobile number in the account is one of the basic prerequisites
to avail Phone Banking. The use of telephone banking services, however, has been declining in favor
of internet banking. Account related information, Cheque Book issue request, stop payment of
cheque, Opening of Fixed deposit etc. are some of the services that can be availed under Phone
Banking.

o Branch Banking: Core Banking Systems are the bank’s centralized systems that are
responsible for ensuring seamless workflow by automating the frontend and backend processes
within a bank. CBS enables single view of customer data across all branches in a bank and thus
facilitate information across the delivery channels. The branch confines itself to the following key
functions:

• Creating manual documents capturing data required for input into software;

• Internal authorization;

• Initiating Beginning-Of-Day (BOD) operations;

• End-Of-Day (EOD) operations; and

• Reviewing reports for control and error correction.

15. BMN Bank limited has recently started its core banking operations. The Bank approached
Mr. X for his advice regarding the maintenance of records as a reporting entity considering the
provisions of the PMLA, 2002. What do you think shall be the probable reply of Mr. X mentioning the
relevant provisions of the PMLA, 2002?

15. Section 12 of the Prevention of Money Laundering Act, 2002 provides for the obligation of
Banking Companies, Financial Institutions and Intermediaries i.e. the reporting entity to maintain
records of transactions. Mr. X should have advised BMN Bank Ltd. to maintain records in the
compliance to said section.

1. Accordingly, every reporting entity shall –

(i) maintain a record of all transactions, including information relating to transactions covered
under point (ii) below, in such manner as to enable it to reconstruct individual transactions. Here
records shall be maintained for a period of five years from the date of transaction between a client
and the reporting entity.

(ii) furnish to the Director within such time as may be prescribed, information relating to such
transactions, whether attempted or executed, the nature and value of which may be prescribed;
(iii) Omitted

(iv) Omitted

(v) maintain record of documents evidencing identity of its clients and beneficial owners as well
as account files and business correspondence relating to its clients.

2. Every information maintained, furnished or verified, save as otherwise provided under any
law for the time being in force, shall be kept confidential.

3. The records referred to in clause (i) of sub-section (1) shall be maintained for a period of five
years from the date of transaction between a client and the reporting entity.

4. The records referred to in clause (e) of sub-section (1) shall be maintained for a period of
five years after the business relationship between a client and the reporting entity has ended or the
account has been closed, whichever is later.

5. The Central Government may, by notification, exempt any reporting entity or class of
reporting entities from any obligation under this Chapter.
