ABC Ltd. is engaged in the business of producing consumer durable products. It is facing the
problem of poor customer service due to its broken, inefficient, and manual processes. The
customers of the company are becoming more demanding with respect to higher quality of
products and delivery time.
To remain competitive in the market and to overcome the issues faced by its customers, the
company decided to optimize and streamline its essential business processes using the latest
technology to automate the functions involved in carrying out these essential processes. The
management of the company is very optimistic that with automation of business processes, it
will be able to extract maximum benefit by using the available resources to their best
advantage. Moreover, with automation the company will be able to integrate various processes
and serve its customers better and faster. The management is aware that the automation of
business processes will lead to new types of risks in the company’s business. The failure or
malfunction of any critical business process will cause significant operational disruptions and
materially impact its ability to provide timely services to its customers. The management of
ABC Ltd. adopted different Enterprise Risk Management (ERM) strategies to operate more
effectively in an environment filled with risks. To reduce the impact of these risks, the company
also decided to implement the necessary internal controls.
Read the above illustration carefully and answer the following questions:
1. The processes automated by ABC Ltd. are susceptible to many direct and indirect
challenges. Which of the following factors cannot be considered valid in case the company fails
to achieve the desired results?
(a) The business processes are not well thought or executed to align with business
objectives.
(b) The staff may perceive automated processes as threat to their jobs.
(c) The documentation of all the automated business processes is not done properly.
2. The processes automated by ABC Ltd. are technology driven. The dependence on
technology in key business processes exposed the company to various internal as well as
external threats. According to you, external threats leading to cyber-crime in BPA arise because:
(a) Organizations may have a highly-defined organization structure with clearly defined
roles, authority and responsibility.
(b) There may not be one but multiple vendors providing different services.
(c) The system environment provides access to customers anytime, anywhere using
internet.
(b) As a part of risk assessment component, identified risks are analyzed to form a basis for
determining how they should be managed.
(c) As a part of monitoring, the entire ERM process should be monitored with no further
modifications in the system.
(d) As a part of control activities, policies and procedures are established and executed to
help ensure that the risk responses that management selected are effectively carried out.
SOLUTION
1. (c) The documentation of all the automated business processes is not done properly.
2. (c) The system environment provides access to customers anytime, anywhere using
internet.
3. (c) As a part of monitoring, the entire ERM process should be monitored with no
further modifications in the system.
4. (b) Processing Controls
ILLUSTRATION 1.2
DXN Ltd. is engaged in manufacturing consumer products for women. The company released a
new product recently which met with unexpected success. The company was established as a
market leader in that product. The growing volume of sales transactions started to put a strain
on the company's internal processes. The company employed 300 more employees to ensure that
the customers are served better and faster. But with the increase in the number of monthly
transactions to 1.5 million, the manual processes which were being followed by the company at
present were holding it back. The company was not able to meet consumer demands even
after employing an additional 300 employees. The management consultant Mr. X of DXN Ltd.
advised to automate the key business processes of the company to handle large volume of
transactions to meet the expectations of its customers and maintain its competitive edge in the
market.
Mr. X gathered extensive information about the different activities involved in the current
processes followed by DXN Ltd. like - what the processes do, the flow of various processes, the
persons who are in charge of different processes etc. The information so collected helped him
understand the existing processes, including flaws, bottlenecks, and other less obvious
features within them. Based on the information gathered about the current
processes, Mr. X prepared various flowcharts depicting how various processes should be
performed after automation and submitted his report to the management covering the
following points:
• Challenges that DXN Ltd. may face while implementing automated processes;
• Risks involved in Business Process Automation and how the management should
manage these risks
Read the above illustration carefully and answer the following Questions:
1. As DXN Ltd. was implementing the automated processes for the first time, the
consultant suggested not automating all the processes at a time but only the critical
processes which would help the company handle a large volume of transactions. Which of the
following business processes are not best suited to automation:
2. While understanding the criticality of various business processes of DXN Ltd., the
consultant Mr. X documented the current processes and identified the processes that needed
automation. However, documentation of existing processes does not help in _.
(d) designing the process to focus on the desired result with workflow automation
3. When DXN Ltd. decided to adopt automation to support its critical business processes,
it exposed itself to a number of risks. One risk that the automated process could lead to a
breakdown in internal processes, people and systems is a type of _.
4. Mr. X of DXN Ltd. prepared various flowcharts depicting how various processes should
be performed after automation and submitted his report to the management. The flowcharting
symbol that he used to depict processing step is
(a) Rectangular Box
(b) Diamond
(c) Oval
(d) Line
SOLUTION
Theoretical Questions
2. BPA is the tactic a business uses to automate processes to operate efficiently and
effectively. Explain the parameters that should be met to conclude that the success of any business
process automation has been achieved.
4. Every business process is not a good fit for automation. Explain four examples of
business processes that are not best suited for automation.
7. As an entrepreneur, your business may face all kinds of risks ranging from serious loss
of profits to even bankruptcy. What could be the possible Business Risks?
(Refer Section 1.4.3 (A))
8. Automated processes are technology driven. The dependence on technology in BPA for
most of the key business processes has led to various challenges. Explain the technology
related risks involved in BPA. [Refer Section 1.4.3 (B)]
10. ERM provides a framework for risk management, which typically involves identifying
events or circumstances relevant to the organization’s objectives. Discuss the main
components of Enterprise Risk Management Framework.
11. SA315 provides the definition of Internal Control, which is required to facilitate the
effectiveness and efficiency of business operations in an organization. Explain all components
of Internal Control as per SA315. (Refer Section 1.6.4)
12. Internal control, no matter how effective, can provide an entity with only reasonable
assurance and not absolute assurance about achieving the entity’s operational, financial
reporting and compliance objectives. Explain the inherent limitations of internal control
systems. (Refer Section 1.6.5)
13. As a part of his project work submission, Mr. X, a student of ABC university needs to
prepare and present a PowerPoint presentation on the topic “Advantages and limitations of
Flowcharts” during his practical examination. What shall be the relevant content? (Refer
Section 1.8.2 III,IV)
14. Give two examples each of the Risks and Control Objectives for the following business
processes:
15. Explain the salient features of Section 134 & Section 143 of the Companies Act 2013.
(Refer Section 1.9.1)
16. Give five examples of computer related offences that can be prosecuted under the IT
Act 2000 (amended via 2008).
Leebay is a new e-commerce web site that is setting up business in India. Leebay and its
partner bank Paxis have come up with a joint promotion plan for which the following offers are
proposed. Customers can either log in through a mobile app or directly from the website:
(i) If the payment mode chosen is ‘Paxis Credit’, then a 20% discount is given to the user.
(ii) If the payment mode chosen is ‘Paxis Debit’, then a 10% discount is given to the user.
Also, to promote the downloads of its new smart phone app, the company has decided to give
the following offer:
(i) If the purchase mode is ‘Mobile App’, then no surcharge is levied on the user.
(ii) If any other purchase mode is used, then additional 5% surcharge is levied on the user.
This surcharge is applied on the bill after all necessary discounts have been applied.
With bill amount, payment mode and purchase mode as inputs, draw a flowchart for the billing
procedure for Leebay.
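The billing procedure above, written out as code rather than as a flowchart. This is an added example, not part of the question; the bill amounts used in the sample cases are constructed.

```python
# Billing procedure for the Leebay/Paxis promotion: the discount depends on the
# payment mode, and the surcharge depends on the purchase mode and is applied to
# the already-discounted bill. Amounts are handled as Decimal so results are exact.
from decimal import Decimal, ROUND_HALF_UP

PAYMENT_DISCOUNTS = {
    "Paxis Credit": Decimal("0.20"),  # 20% discount
    "Paxis Debit": Decimal("0.10"),   # 10% discount
}
OTHER_MODE_SURCHARGE = Decimal("0.05")  # 5%, unless purchased via the mobile app


def compute_bill(bill_amount, payment_mode, purchase_mode):
    """Return the final payable amount for the Leebay promotion.

    Rules from the scenario:
      1. Payment mode 'Paxis Credit' -> 20% discount; 'Paxis Debit' -> 10%
         discount; any other payment mode -> no discount.
      2. Purchase mode 'Mobile App' -> no surcharge; any other purchase mode ->
         5% surcharge, applied AFTER the discount.
    """
    amount = Decimal(str(bill_amount))
    if amount < 0:
        raise ValueError("bill amount cannot be negative")

    # Step 1: discount by payment mode. Modes other than the two Paxis ones are
    # valid inputs that simply get no discount.
    discount_rate = PAYMENT_DISCOUNTS.get(payment_mode, Decimal("0"))
    discounted = amount * (Decimal("1") - discount_rate)

    # Step 2: surcharge by purchase mode, computed on the discounted figure.
    if purchase_mode == "Mobile App":
        final = discounted
    else:
        final = discounted * (Decimal("1") + OTHER_MODE_SURCHARGE)

    # Round to paise, half-up, as a bill would be printed.
    return final.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)
```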
18. Corporate Governance is defined as the framework of rules and practices by which
Board of Directors ensures accountability, fairness and transparency in a company’s
relationship with all its stakeholders. List the rules and procedures that constitute corporate
governance framework.
20. "Enterprise Risk Management (ERM) does not create a risk-free environment; rather it
enables management to operate more effectively in environment filled with risks". In view of
this statement, explain the various benefits, which Board of Directors and Management of an
entity seek to achieve by implementing the ERM process within the entity. (Refer Section
1.5.1)
22. Give some examples of the Risks and Control objectives for Human Resource Process at
configuration level. (Refer Table 1.7.7)
23. As a cyber-expert, you have been invited in a seminar to share your thoughts on data
protection and privacy in today’s electronic era. In your PowerPoint presentation on the same,
you wish to incorporate the main principles on data protection and privacy enumerated under
the IT Act, 2000. Identify them.
24. Explain the positive aspects contained in the IT Act 2000 and its provisions from the
perspective of e-commerce in India.
25. General Controls are pervasive controls and apply to all the components of system,
processes and data for a given enterprise or systems environment. As an IT consultant, discuss
some of the controls covered under general controls which you would like to ensure for a given
enterprise.
6. Organizations should identify controls as per their policy, procedures and structure and
configure them within the IT software used in the organization. Discuss in detail the Information
Technology controls that can be implemented as per the risk management strategy.
General Controls: These are macro in nature and are applicable to all applications and data
resources. The Information Technology General Controls are as follows:
• Change Management
Application Controls: Application Controls are controls which are specific to the application
software, such as payroll, accounts payable, and billing, etc., to prevent or detect and correct
errors. These controls are built into the application software to ensure accurate and reliable
processing. They are designed to ensure completeness, accuracy, authorization and validity of
data capture and transaction processing. Some examples of Application controls are as follows:
• Balancing of processing totals (debit and credit of all transactions are tallied);
• Transaction logging (all transactions are identified with unique id and logged);
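An added illustration of the two application controls listed above (not code from the source): a batch of journal entries is accepted only when total debits tally with total credits, and every accepted transaction is logged under a unique id. The account names, amounts and batch ids are constructed.

```python
# Balancing of processing totals and transaction logging, applied to a batch of
# journal entries. The balancing check runs BEFORE anything is logged, so an
# out-of-balance batch is rejected whole and never reaches the log half-posted.
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class Entry:
    account: str
    debit: Decimal = Decimal("0")
    credit: Decimal = Decimal("0")


@dataclass
class LogRecord:
    txn_id: str      # unique per logged transaction
    batch_id: str
    account: str
    debit: Decimal
    credit: Decimal


class BalancingError(Exception):
    """Raised when a batch's debit and credit totals do not tally."""


def process_batch(batch_id, entries, log):
    """Apply both controls to one batch; return (total_debit, total_credit).

    Each accepted entry is logged with an id built from the batch id and a
    sequence number, which is unique as long as batch ids are unique.
    """
    total_dr = sum((e.debit for e in entries), Decimal("0"))
    total_cr = sum((e.credit for e in entries), Decimal("0"))
    if total_dr != total_cr:
        raise BalancingError(
            f"batch {batch_id} out of balance: Dr {total_dr} != Cr {total_cr}")
    for seq, e in enumerate(entries, start=1):
        log.append(LogRecord(f"{batch_id}-{seq:04d}", batch_id,
                             e.account, e.debit, e.credit))
    return total_dr, total_cr


def log_ids_unique(log):
    """Control check over the log itself: every transaction id appears once."""
    ids = [rec.txn_id for rec in log]
    return len(ids) == len(set(ids))


def demo():
    """Constructed batches: one balanced (accepted), one not (rejected)."""
    log = []
    balanced = [
        Entry("Cash", debit=Decimal("1500.00")),
        Entry("Sales", credit=Decimal("1500.00")),
        Entry("Purchases", debit=Decimal("400.00")),
        Entry("Accounts Payable", credit=Decimal("400.00")),
    ]
    unbalanced = [
        Entry("Cash", debit=Decimal("1000.00")),
        Entry("Sales", credit=Decimal("100.00")),  # keying error: 100 vs 1000
    ]
    totals = process_batch("B001", balanced, log)
    rejected = False
    try:
        process_batch("B002", unbalanced, log)
    except BalancingError:
        rejected = True
    return totals, rejected, log
```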
7. In computer systems, the levels at which the controls shall be checked are as follows:
(i) Configuration: Configuration refers to the way a software system is set up. It is the
methodical process of defining options that are provided during system setup. When any
software is installed, values for various parameters should be set up (configured) as per policies
and business process work-flow and business process rules of the enterprise. The various
modules of the enterprise such as Purchase, Sales, Inventory, Finance, User Access etc. must be
configured. Configuration will define how software will function and what menu options are
displayed.
• Password Management
(ii) Masters: It refers to the way various parameters are set up for all modules of software
like Purchase, Sales, Inventory, and Finance etc. These drive how the software will process
relevant transactions. The masters are set up the first time during installation and are
changed whenever the business process rules or parameters are changed. The way masters
are set up will drive the way the software processes transactions of that type.
(iii) Transactions: It refers to the actual transactions entered through menus and functions
in the application software, through which all transactions for specific modules are initiated,
authorized, or approved. For example: Sales transactions, Purchase transactions, Stock transfer
transactions, Journal entries and Payment transactions.
CH 2 EIS
ILLUSTRATION 2.1
XYZ, a leading publication house of Delhi, was facing many issues like delay in completing the
orders of its customers, manual processing of data, increased lead time, inefficient business
processes etc. Hence, the top management of XYZ decided to get SAP, an ERP system,
implemented in the publication house.
Using the proper method of vendor selection, Digisolution Pvt. Ltd. was selected to implement
SAP software in the XYZ publication house. To implement the software, the IT team of Digisolution
Pvt. Ltd. visited XYZ's office a number of times and met its various officials to gather and
understand their requirements. With due diligence, the SAP software was customized and well
implemented in the publishing house.
After the SAP implementation, the overall system became integrated and well connected with
other departments. This raised a concern in the minds of a few employees of XYZ, who worried
about their job security, leading some to quit their jobs. The top management of XYZ showed its
concern on this issue and wanted to retain a few of its employees.
1. Imagine you are a core team member of Digisolution Pvt. Ltd. While customizing the
Sales and Distribution Module of SAP software, you need to know the correct sequence of all
the activities involved in the module. Identify the option that reflects the correct
sequence of the activities.
(ii) Billing
(v) Payments
Choose the correct sequence from the following:
(a) (i) - (iii) – (ii) – (iv) – (v) - (vi)
(b) Allocation of employees to task matching their skill set, fixing of compensation
package.
(a) Technological
(b) Implementation
(c) People
(d) Process
SOLUTION
–(ii) – (v)
2. (b) Allocation of employees to task matching their skill set, fixing of compensation package
3. (a) Technological
ILLUSTRATION 2.2
The firm’s management took care to select the vendor to upgrade their ERP software, which will
act as an online assistant to its clients, providing them complete details about registration
and filing of various forms and resolving their frequently asked questions. The firm also
wanted a safe and secure working environment for its employees to file various forms
under the RERA Act on behalf of clients using digital signatures. The management also instructed its
employees to mandatorily use the Digital Signature of clients for fair practices; any dishonesty
found in this regard may lead to penal provisions under various acts including the IT Act, 2000.
1. In the purview of the case scenario, Unique Services needs to make changes in its software
for its users for RERA-related matters. Identify the part of the overall software which actually
interacts with the users using the software.
(d) Reports
2. The firm decided to have an online assistant for its clients to provide complete details
regarding taxation, registration and filing of various forms and to solve their queries. This is an
example of _ application.
3. While filing tax for its client ABC, the firm Unique Services enters the details of its
TDS and GST in the requisite forms. Identify from the following which type of master data it
belongs to.
SOLUTION
Theoretical Questions
1. As an Auditor, prepare a checklist of the questions that you would ask while
performing an ERP Audit. (Refer Section 2.4)
2. Determine the reasons for the importance of Business Reporting. Identify the global
standard for exchanging business information and discuss it in detail.
3. An enterprise ABC Ltd. intends to acquire software for Accounting as well as Tax
compliance. Prepare a list of pros and cons of having single software for Accounting and Tax
compliance. (Refer Table 2.10.1 under Section 2.10.2)
4. An article (articled trainee) joined an Audit firm, where he was briefed on the various steps
involved in the Accounting Process Flow. Explain these steps.
6. Explain the term “Business Intelligence” with example. (Refer Section 2.8.3)
7. As a manager of a telecom service provider, you are concerned with the MIS Report about
your department’s customer service calls. Determine the various criteria that the
information in the report should meet so that the report becomes useful for you. (Refer
Section 2.7.2)
8. Explain the term “Data Analytics” and recognize its application areas in today’s world.
(Refer Section 2.8)
9. Explain the different ways in which the Regulators can use eXtensible Business
Reporting Language (XBRL) for various purposes. (Refer Section 2.9.2)
10. Discuss the key features of Controlling Module in an Enterprise Resource Planning
(ERP). (Refer Section 2.6.3[B(b)])
11. Nowadays, many organizations are switching over to ‘Cloud Applications' as the
organizations do not want to indulge themselves in maintenance of their own IT infrastructure
to run their businesses. You, being an IT consultant, list out some of the advantages and
disadvantages of using these Cloud applications. (Refer Table 2.2.5)
12. Central database is the main feature of an Enterprise Resource Planning (ERP) System.
As the complete data is stored at one place, ensuring safety of data and minimizing risk of loss
of data is a big challenge. As an IT expert, discuss various risks involved during ERP
implementation. (Refer Table 2.3.1[D])
8. ERP systems are expected to produce accurate, complete, and authorized information,
and therefore require major security aspects that involve physical safety, input validations and
access control mechanism. In light of this statement, explain the importance of Role Based
Access Control in an ERP system.
8. Role Based Access Control (RBAC) is an approach to restricting system access to
authorized users. RBAC, sometimes referred to as Role-Based Security, is a policy-neutral access
control mechanism defined around roles and privileges that gives employees access rights
only to the information they need to do their jobs and prevents them from accessing
information that doesn't pertain to them. It is used by most enterprises and can implement
Mandatory Access Control (MAC) or Discretionary Access Control (DAC).
• MAC criteria are defined by the system administrator, strictly enforced by the Operating
System, and cannot be altered by end users. Only users or devices with the required
information security clearance can access protected resources. Organizations with varying
levels of data classification, like government and military institutions, typically use MAC to
classify all end users.
• DAC involves physical or digital measures and is less restrictive than other access
control systems as it offers individuals complete control over the resources they own. The
owner of a protected system or resource sets policies defining who can access it.
The components of RBAC such as role-permission, user-role and role-role relationships make it
simple to perform user assignments. RBAC can be used to facilitate administration of security in
large organizations with hundreds of users and thousands of permissions. Roles for staff are
defined in the organization, and permission to access a specific system or perform certain operations
is defined as per the role assigned. For example, a junior accountant in the accounting department
is assigned a role of recording basic accounting transactions, an executive in the human resource
department is assigned a role of gathering data for salary calculations on a monthly basis, etc.
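An added illustration of the three RBAC relationships described above (role-permission, user-role and role-role inheritance). It is not from the source; the role, user and permission names are constructed, following the junior accountant and HR executive example in the text.

```python
# Minimal RBAC engine: roles carry permissions, users carry roles, and a role may
# inherit from other roles (role-role). Access decisions are default-deny.


class RBAC:
    def __init__(self):
        self.role_perms = {}    # role -> set of permissions   (role-permission)
        self.user_roles = {}    # user -> set of roles         (user-role)
        self.role_parents = {}  # role -> roles it inherits    (role-role)

    def add_role(self, role, permissions=(), inherits=()):
        for parent in inherits:
            if parent not in self.role_perms:
                raise KeyError(f"unknown parent role: {parent}")
        self.role_perms[role] = set(permissions)
        self.role_parents[role] = set(inherits)

    def assign(self, user, role):
        if role not in self.role_perms:
            raise KeyError(f"unknown role: {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def effective_permissions(self, role):
        """Permissions of a role plus everything inherited via role-role links.
        The seen-set makes the walk terminate even if a cycle were configured."""
        seen, stack, perms = set(), [role], set()
        while stack:
            r = stack.pop()
            if r in seen:
                continue
            seen.add(r)
            perms |= self.role_perms.get(r, set())
            stack.extend(self.role_parents.get(r, ()))
        return perms

    def is_permitted(self, user, permission):
        """Default deny: an unknown user, or a user whose roles do not grant
        the permission, is refused."""
        return any(permission in self.effective_permissions(r)
                   for r in self.user_roles.get(user, ()))

    def user_permissions(self, user):
        perms = set()
        for r in self.user_roles.get(user, ()):
            perms |= self.effective_permissions(r)
        return perms


def build_demo():
    """Constructed organisation mirroring the text's example roles."""
    rbac = RBAC()
    rbac.add_role("junior_accountant", {"journal:record"})
    # The senior role inherits the junior role's rights and adds approval.
    rbac.add_role("senior_accountant", {"journal:approve"},
                  inherits={"junior_accountant"})
    rbac.add_role("hr_executive", {"payroll:collect_monthly_data"})
    rbac.assign("priya", "junior_accountant")
    rbac.assign("arun", "senior_accountant")
    rbac.assign("meena", "hr_executive")
    return rbac
```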
9. DEF consultant is a consultancy company that provides its services to various clients on
GST, Company Law, and Income Tax. At present, the company is using separate software each
for accounting and tax compliance. Mr. Rajesh, IT head in the DEF consultant, suggested to the
management that they should rather adopt single software for both accounting and tax compliance.
He prepared a supportive document highlighting the pros and cons of Accounting and Tax
compliance software over only the tax compliance software. Elaborate the content of Mr.
Rajesh’s document.
9. The pros and cons of using single software for accounting and tax over software with tax
compliance only, on various aspects, are as follows (columns: S. No., Particulars, Accounting & Tax
Compliance Software, Only Tax Compliance Software):
1. Ease of software operation
Accounting & Tax Compliance Software: Less – as this is an integrated system of accounting and
tax compliance, everything is connected with the other and making changes at one place may
affect other aspects also.
Only Tax Compliance Software: More – as this is used only for one single purpose, i.e. tax
compliance, it is less complicated and bound to be easy.
2. Features and facilities
Accounting & Tax Compliance Software: Less – as this system is not an exclusive system for tax
compliance, it may have limited
Only Tax Compliance Software: More – as this is an exclusive and specifically designed system for tax
EIS
CH 3 EIS
ILLUSTRATION 3.1
In 2017, XYZ Systems had shifted to the SQL Server Relational Database Management System from
the previously used IBM Information Management System which used a hierarchical database model
to create a well-organized database to store organizational data.
On acquiring a good number of global clients and keeping in view the increased number, complexity
of the overseas transactions and the management’s need for periodic performance analysis; XYZ
Systems planned to leverage the benefit of data warehouse whereas the research team suggested
the implementation of Big data. However, XYZ Systems did not implement suitable security controls
and hence recently faced a data security breach which led to the unauthorized manipulation of certain
confidential data. This resulted in XYZ Systems paying a substantial amount as compensation and the
loss of a major client.
Consequently, XYZ Systems has now implemented varied controls starting from strict password
management to high level access controls and monitoring mechanism ensuring that there are no
further data security issues. In this context, let’s analyze and answer the following questions:
(A) XYZ Systems initially used the IBM Information Management System, which used a
hierarchical database model. Which type of relationship is not supported by such a database model?
(i) One-to-One
(ii) Many-to-One
(iii) One-to-Many
(B) XYZ Systems recently shifted to the SQL Server DBMS from the IBM Information
Management System that it previously used. In which aspect does the SQL Server differ from the IBM
Information Management System?
(C) Which among the following is not an advantage of the SQL Server DBMS?
(D) To ensure that the communication between their private network and the public network is
secured, one of the steps taken by XYZ Systems was to install a firewall. The installation of a firewall is
a _ type of control.
(i) Preventive
(ii) Corrective
(iii) Detective
(E) XYZ Systems made its access privileges more stringent so as to prevent unauthorized users
from gaining entry into the secured area and also to grant users the minimum access needed based on their job
requirements. Which of the following Logical Access controls covers this aspect?
(F) Based on the risk assessment by the audit team, the management of XYZ Systems decided to
specify the exact path of the internet access by routing the internet access by the employees
through a firewall and proxy. This is referred to as _.
(i) Encryption
SOLUTION
Database structure
ILLUSTRATION 3.2
Bianc Computing Ltd. has implemented a set of controls including those with respect to security,
quality assurance and boundary controls to ensure that the development, implementation,
operation and maintenance of information systems takes place in a planned and controlled manner.
It has also ensured that logs are designed to record activity at the system, application, and user level.
Along with the implementation of controls and maintenance of logs, it has approached a leading
firm of IS auditors to conduct a comprehensive audit of its controls. Within the organization also, it
has opened new job roles and has hired people with the required skill sets for the same. In this
context, answer the following.
(A) The team of network engineers of Bianc Computing Ltd. recommended certain controls to
be implemented in the organization to bridge the gap between the rate of data reception and the rate of
transmission between two nodes. Which types of controls are being referred to here?
(B) A process is used to ensure that the user can continue working, while the print operation is
getting completed. This is known as _.
(i) Logging
(ii) Spooling
(iii) Spoofing
(C) Bianc Computing Ltd. has also opened up new job roles and has hired persons with the
required skill sets for the same as given below.
Job Role | Person Responsible
1. Developing logical and physical designs of data models | (a) Operations Manager
4. Examining logs from firewalls, and providing security advisories | (d) Help Desk Analyst
6. Build and maintain network devices such as routers, switches etc. | (f) System Administrator
7. Developing technical requirements, program design, and software test plans | (g) Network engineer
Identify the right match to the job roles assigned and the responsible persons for the job role.
SOLUTION
10. ABC Ltd., an automobile manufacturer, intends to establish its new manufacturing plant
at Bhuj, Gujarat. Out of the many controls that need to be in place, the management has a little more
focus on the successful implementation of Environmental controls as the Bhuj area is earthquake prone.
Mr. Nanda, the auditor of ABC Ltd., conducted various physical inspections of the building at Bhuj to
determine the implementation of environmental controls in the said manufacturing unit. Briefly
explain his role and the activities he shall conduct to audit the Environmental Controls.
10. Role of Auditor in Auditing Environmental Controls: Audit of environmental controls should
form a critical part of every IS audit plan. The IS auditor should satisfy himself not only about the effectiveness of
various technical controls but also about the overall controls safeguarding the business against
environmental risks. Audit of environmental controls requires the IS auditor to conduct physical
inspections and observe practices. Auditing environmental controls requires knowledge of building
mechanical and electrical systems as well as fire codes. The IS auditor needs to be able to determine
if such controls are effective and if they are cost-effective.
• Power conditioning: The IS auditor should determine how frequently power conditioning
equipment, such as UPS, line conditioners, surge protectors, or motor generators, is used,
inspected and maintained, and if this is performed by qualified personnel.
• Backup power: The IS auditor should determine if backup power is available via electric
generators or UPS and how frequently they are tested. S/he should examine maintenance records to
see how frequently these components are maintained and if this is done by qualified personnel.
• Heating, Ventilation, and Air Conditioning (HVAC): The IS auditor should determine if HVAC
systems are providing adequate temperature and humidity levels, and if they are monitored. Also,
the auditor should determine if HVAC systems are properly maintained and if qualified persons do
this.
• Water detection: The IS auditor should determine if any water detectors are used in rooms
where computers are used. He or she should determine how frequently these are tested and if they
are monitored.
• Fire detection and suppression: The IS auditor should determine if fire detection equipment
is adequate, if staff members understand its function, and if it is tested. S/he should
determine how frequently fire suppression systems are inspected and tested, and if the organization
has emergency evacuation plans and conducts fire drills.
• Cleanliness: The IS auditor should examine data centers to see how clean they are. IT
equipment air filters and the inside of some IT components should be examined to see if there is an
accumulation of dust and dirt.
11. The processing subsystem of any application software is responsible for computing, sorting,
classifying, and summarizing the data. The processor controls of the application software are
responsible for reducing the expected losses from errors and irregularities associated with central
processors. Discuss these controls.
• Multiple Execution States: It is important to determine the number and nature of the
execution states enforced by the processor. This helps auditors to determine which user processes
will be able to carry out unauthorized activities, such as gaining access to sensitive data maintained
in memory regions assigned to the operating system or other user processes.
• Timing Controls: An operating system might get stuck in an infinite loop. In the absence of
any control, the program will retain use of processor and prevent other programs from undertaking
their work.
• Component Replication: In some cases, processor failure can result in significant losses.
Redundant processors allow errors to be detected and corrected. If processor failure is permanent in
multicomputer or multiprocessor architectures, the system might reconfigure itself to isolate the
failed processor.
CH 4 EIS
Theory Questions
5. A business model is the mechanism by which a business intends to generate revenue and
profits. Explain the different e-commerce business models.
6. Explain the different steps followed by the user in buying goods online.
7. Discuss various risks associated with E-Commerce transactions that are higher compared to
general Internet activities. (Refer Section 4.5.1)
8. What are the ways of protecting your e-Commerce business from intrusion?
10. Subsequent to demonetization, one of your elderly neighbors, who was using traditional
digital methods of making payments like cards, net banking etc., asked for your help to know about
the various new methods of Digital Payments. Identify and explain the various new methods of Digital
Payments for him. (Refer Section 4.7)
11. What do you mean by “Cloud Computing”? Discuss its characteristics.
14. Explain the benefits of Mobile Computing. (Refer point 4.8.4 (III))
15. Mobile Computing is an important and rapidly evolving technology that allows users to
transmit data from a remote location to other locations while on the move. Being a communication
expert, identify the limitations in the current scenario that impede users from using this technology
frequently.
16. Discuss some best practices of Green Computing. (Refer Section 4.8.5)
18. Discuss the concept of Virtualization and its various application areas.
19. Every business decision is accompanied by a set of threats, and so is a BYOD program.
Explain the areas into which the risks associated with a BYOD program can be classified. (Refer
Section 4.8.6 [Point No. II])
12. Considering the Covid situation nowadays, there has been a paradigm shift in the usage of
electronic devices like servers, laptops, tablets, storage devices and various networking and
communication devices like routers, etc. Thus arises the dire need for relevant reforms to
reduce the use of hazardous materials and for the recyclability or biodegradability of these
defunct products and factory waste. The said objective is achieved using Green Computing Best
Practices. Elaborate on some of these practices in detail.
• Encourage the IT community to use best practices and to consider
green computing practices and guidelines.
• Include power usage, reduction of paper consumption, as well as recommendations for new
equipment and recycling old machines in organizational policies and plans; and
• Use cloud computing so that multiple organizations share the same computing resources,
thus increasing utilization by making more efficient use of hardware resources.
(ii) Recycle
• Manufacturers must offer safe end-of-life management and recycling options when products
become unusable; and
• Provide a clear, consistent set of performance criteria for the design of products;
• Use server and storage virtualization, which can help to improve resource utilization, reduce
energy costs, and simplify maintenance.
• Use the “track changes” feature in electronic documents, rather than red-line
corrections on paper;
• Use online marketing rather than paper-based marketing; e-mail marketing solutions that
are greener, more affordable, flexible and interactive than direct mail; free and low-cost online
invoicing solutions that help cut down on paper waste; and
• While printing documents, make sure to use both sides of the paper, recycle regularly, use
smaller fonts and margins, and selectively print only the required pages.
• Use Liquid Crystal Display (LCD) monitors rather than Cathode Ray Tube (CRT) monitors;
• Develop a thin-client strategy: thin clients are smaller, cheaper and simpler for
manufacturers to build than traditional PCs or notebooks and, most importantly, use about half the
power of a traditional desktop PC.
• Use the power-management features to turn off hard drives and displays after several
minutes of inactivity;
• Power-down the CPU and all peripherals during extended periods of inactivity;
• Wherever possible, devices that can perform more than one function should be used.
For example, a multi-purpose printer saves energy by combining a printer, scanner, fax, and
photocopier into one device.
• Employ alternative energy sources for computing workstations, servers, networks and data
centers; and
• Adopt Web conferencing instead of travelling to meetings to go green and
save energy.
13. Ms. Anita, a final-year student of an undergraduate course, had to submit her project report in
PDF form. She initially prepared her report in MS Word and used online software from Google to edit
the photos used in her assignment. Later, for final submission, she used an online PDF converter to
convert her Word file into PDF. Identify the Cloud Computing Service Model being used by her
and further discuss the Model’s different instances.
13. The Cloud Computing service model used by Ms. Anita is Software as a Service (SaaS). The
different instances of the model are as follows:
• Testing as a Service (TaaS): This provides users with software testing capabilities such as
generation of test data, generation of test cases, execution of test cases and test result evaluation
on a pay-per-use basis.
• API as a Service (APIaaS): This allows users to explore the functionality of Web services such as
Google Maps, payroll processing, and credit card processing services, etc.
• Email as a Service (EaaS): This provides users with an integrated system of emailing, office
automation, records management, migration, and integration services with archiving, spam blocking,
malware protection, and compliance features.
CH 5
ILLUSTRATION 5.1
Mr. Shoren has recently been associated with the procurement and sale of drugs and narcotic
substances without a license, which is illegal as per the Narcotic Drugs and Psychotropic Substances Act,
1985. A major part of the sale proceeds, amounting to ₹ 65 lakhs, was collected and routed through
various bank accounts held in SNFC Bank, which was subsequently advanced to various bogus
companies, and a series of transactions was initiated to make the money appear to have been
obtained from a legitimate source. These activities were carried out with the assistance of one
of the employees of SNFC Bank, who intentionally altered a few computer source codes so that no
records of the major transactions that took place could be found in the database. A series of
transactions ranging from ₹ 10,000 to ₹ 1 lakh was initiated in a month for depositing the amount of
₹ 65 lakhs in SNFC Bank.
However, SNFC Bank had failed to keep proper records of information relating to a few of the
transactions as they were not of substantial amount. Furthermore, it was later found that one of the
staff members of SNFC Bank, whose relative was an insurance agent, used to obtain medical
information of the customers having accounts with the bank for obtaining personal benefits.
1. Which amongst the following activities carried out by Mr. Shoren could be considered as an
offence of Money Laundering?
(c) Routing the illegal proceeds through bank and other transactions to appear as obtained
from legitimate source.
(d) Being a part of the cartel/association carrying out illegal sale of drugs.
2. The employee of SNFC Bank assisted Mr. Shoren in routing the illegal money
through the bank by altering the computer source code so that the amounts of major transactions were not
traceable in the bank’s database. Under which section of the IT Act 2000 will this act be punishable?
(c) Section 65
4. SNFC Bank failed to maintain records of information relating to banking transactions carried
out by Mr. Shoren as many of the transaction amounts were not substantial. Also, the privacy
regarding the details of the medical history of its customers was breached. Which kind of risk would
SNFC Bank be exposed to if it has to face legal penalties for having failed to act in accordance with
the laws and requirements of the Prevention of Money Laundering Act (PMLA)?
SOLUTION
1 (c) Routing the illegal proceeds through bank and other transactions to appear as obtained
from legitimate source.
2 (c) Section 65
ILLUSTRATION 5.2
GNI Bank is one of the age-old conventional banks which offer an array of banking services like
EFTs, collections, clearing, letters of credit/guarantees, etc. to its customers. To provide the latest
functionalities and to improve the overall efficiency of its banking services, it has recently
implemented a core banking solution. It has also put in place the necessary controls to safeguard its
business from being exposed to probable IT risks.
Mr. Doshi, a senior software developer having a savings bank account with GNI Bank, has requested
internet banking facilities. He has also applied and produced all the necessary documents for
availing a housing loan from the said bank. Though the procedures followed for sanctioning housing
loans are quite stringent, GNI Bank offers a floating interest rate on its loans and also offers comparatively
higher interest rates on its fixed deposits than the other banks in the state.
1. Given below are the features of the Core Banking Solution recently implemented by GNI Bank
that prove advantageous to both the bank and its customers. Which among the following
advantages would relate the most to Mr. Doshi, who has recently availed a housing loan, in terms of
easy and effortless Internet banking?
2. GNI Bank, during this stage of the loan processing of Mr. Doshi, checks the borrower’s ability
to repay the loan based on an analysis of his credit history and his earning capacity. This process,
which forms a major aspect of loan approvals, is referred to as _.
(a) Clearing
(b) Underwriting
(c) Collections
3. GNI Bank has also implemented necessary controls to ensure safeguards against
exposure to IT risks. As a practice, whenever a connection is made to a website in another network, it
will be routed through a particular server. Which among the servers would be utilized for making
connections with other network services?
4. GNI Bank has also implemented necessary controls to ensure safeguards against
exposure to IT risks. Which among the following controls could be implemented when risk arises due
to a lack of, or inadequate, management direction and commitment to protect information assets?
(c) Access to sensitive data is logged and the logs are regularly reviewed by management.
SOLUTION
2 (b) Underwriting
3 (c) Proxy Server
4 (b) Security policies are established and management monitors compliance with policies.
Theoretical Questions
2. Briefly explain core features of Core Banking Software. (Refer Section 5.1.4)
5. Briefly discuss the key provisions of Information Technology Act, 2000 regarding IT related
offences impacting banks. (Refer Section 5.5.4)
6. In line with the suggestions of the RBI, M/s. ABC Bank is planning to obtain ISO 27001:2013
certification for its Information Security Management System. As an IS Auditor, you are required to
prepare a sample list of risks w.r.t. Information Security for the bank. (Refer Table 5.3.1)
7. Banks face the challenge of addressing the threat of money laundering on multiple fronts as
banks can be used as primary means for transfer of money across geographies. Considering the
above statement, discuss the Money Laundering process and its different stages. (Refer
Section 5.5.2)
8. Information Technology (IT) risks can be reduced by implementing the right type and level of
control in an automated environment, which is done by integrating controls into information technology.
Being an IT consultant, suggest the various steps of IT control to a branch manager of a bank.
10. Discuss various risks and controls associated with the Current and Savings Account (CASA)
process. (Refer Table 5.3.3)
14. In Core Banking Systems, the central server supports the entire banking process through
front-end and back-end applications and enables the users to access numerous online banking
facilities 24x7. Explain the various front-end applications of Core Banking Systems.
o Internet Banking, also known as Online Banking, is an electronic payment system that
enables customers of a bank or other financial institution to conduct a range of financial transactions
through the financial institution's website accessed through any browser. The online banking system
offers over 250 services and facilities that give customers real-time access to their bank accounts. Customers can
make and receive payments to their bank accounts, open Fixed and Recurring Deposits, view account
details, request a cheque book and a lot more, while online.
o Mobile Banking is a service provided by a bank or other financial institution that allows its
customers to conduct financial transactions remotely using a mobile device such as a smartphone or
tablet. Unlike the related internet banking, it uses software, usually called an app, provided by the
financial institution for the purpose. The app needs to be downloaded to utilize this facility. Mobile
banking is usually available on a 24-hour basis.
o Phone Banking: It is a functionality through which customers can execute many
banking transactional services through the Contact Centre of a bank over the phone, without the need to
visit a bank branch or ATM. Registration of the mobile number in the account is one of the basic prerequisites
to avail Phone Banking. The use of telephone banking services, however, has been declining in favor
of internet banking. Account-related information, cheque book issue requests, stop payment of
cheques, opening of fixed deposits, etc. are some of the services that can be availed under Phone
Banking.
o Branch Banking: Core Banking Systems are the bank’s centralized systems that are
responsible for ensuring seamless workflow by automating the frontend and backend processes
within a bank. CBS enables a single view of customer data across all branches in a bank and thus
facilitates information flow across the delivery channels. The branch confines itself to the following key
functions:
• Creating manual documents capturing data required for input into software;
• Internal authorization;
15. BMN Bank Limited has recently started its core banking operations. The Bank approached
Mr. X for his advice regarding the maintenance of records as a reporting entity, considering the
provisions of the PMLA, 2002. What do you think would be the probable reply of Mr. X, mentioning the
relevant provisions of the PMLA, 2002?
15. Section 12 of the Prevention of Money Laundering Act, 2002 provides for the obligation of
Banking Companies, Financial Institutions and Intermediaries, i.e. the reporting entity, to maintain
records of transactions. Mr. X should advise BMN Bank Ltd. to maintain records in
compliance with the said section.
(i) maintain a record of all transactions, including information relating to transactions covered
under point (ii) below, in such manner as to enable it to reconstruct individual transactions. Here
records shall be maintained for a period of five years from the date of transaction between a client
and the reporting entity.
(ii) furnish to the Director within such time as may be prescribed, information relating to such
transactions, whether attempted or executed, the nature and value of which may be prescribed;
(iii) Omitted
(iv) Omitted
(v) maintain record of documents evidencing identity of its clients and beneficial owners as well
as account files and business correspondence relating to its clients.
2. Every information maintained, furnished or verified, save as otherwise provided under any
law for the time being in force, shall be kept confidential.
3. The records referred to in clause (i) of sub-section (1) shall be maintained for a period of five
years from the date of transaction between a client and the reporting entity.
4. The records referred to in clause (e) of sub-section (1) shall be maintained for a period of
five years after the business relationship between a client and the reporting entity has ended or the
account has been closed, whichever is later.
5. The Central Government may, by notification, exempt any reporting entity or class of
reporting entities from any obligation under this Chapter.