
Becker Professional Education

Business Course Updates—June 2022

The purpose of this document is to provide you with a list of items that have been updated in the June
2022 Business textbook version (V4.1). All other text is unchanged from V4.0.

Becker students who have a version 4.0 Business textbook may purchase the new version 4.1 textbook
for a nominal cost. Please see the Becker website for more details.

Table of Contents

CPA Exam Review Replacement Textbook Pages (page 2)
  V4.1 B6 Modules 1–6, textbook pages 1–108 (pages 3–110)
  V4.1 BEC updated flash cards (pages 111–156)
Final Review Replacement Textbook Pages (page 157)
  V4.1 Final Review BEC IV (pages 158–189)
  V4.1 Final Review BEC V Topic C (pages 190–195)



CPA Exam Review Replacement Textbook Pages

Details on the replacement textbook pages are provided below.

V4.1 Location       V4.0 Location   Description of Update
B6, all modules     Same            The text of unit B-6 was updated and expanded to include
                                    more details and more graphics on the covered topics.
BEC flash cards,    Same            23 BEC flash cards were updated for V4.1 in units B-1 (6),
various                             B-2 (7), and B-6 (10).
BEC 6  Process Management and Information Technology

Module 1  Process Management (B6–3)
Module 2  IT Governance (B6–17)
Module 3  The Role of IT in Business (B6–31)
Module 4  Data Management and Analytics (B6–51)
Module 5  System Development and Change Management (B6–73)
Module 6  IT Risks and Responses (B6–89)



B6–2 © Becker Professional Education Corporation. All rights reserved.


MODULE 1  Process Management (BEC 6)

1 Introduction to Business Process Management

1.1 Approaches
Business process management (BPM) is a management approach that seeks to coordinate the
functions of an organization toward an ultimate goal of continuous improvement in customer
satisfaction. Customers may be internal or external to an organization. Process management
seeks effectiveness and efficiency through promotion of innovation, flexibility, and integration
with technology.
Business process management attempts to improve processes continuously. By focusing
on processes, an organization becomes more nimble and responsive than hierarchical
organizations that are managed by function.

1.2 Activities
Business process management activities can be grouped into five categories: design, modeling,
execution, monitoring, and optimization.
• Design: The design phase involves the identification of existing processes and
  the conceptual design of how processes should function once they have been improved.
  The original process is defined as a baseline for current processing.
• Modeling: Modeling introduces variables to the conceptual design for what-if analysis.
  Various simulations or models are used to determine the targeted or optimal improvement.
• Execution: Design changes are implemented and key indicators of success are developed.
  Indicators that will show a change to the process (e.g., reduced time, increased customer
  contacts, etc.) are determined.
• Monitoring: Information is gathered and tracked and compared with expected
  performance. Dashboards and other measurement reports are used to monitor the
  improvement in real time and apply the data to the model for improvement.
• Optimization: Using the monitoring data and the original design, the process manager
  continues to refine the process. Improvements are selected and implemented.


1.3 Plan, Do, Check, Act (PDCA)

Another common business process management methodology is the Deming Cycle, which has
four stages: plan, do, check, act (PDCA). These four steps map to the business process
management activities above: plan corresponds to design and modeling, do to execution,
check to monitoring, and act to optimization.

Illustration 1 PDCA

Brakes-Only Co. (BOC) manufactures car brakes for each of the big three U.S. automakers.
Over the past several years there has been an increase in the return of new brake systems
by these automakers due primarily to the failure to meet all required design specifications.
In order to reverse this negative trend, the head of production at BOC has implemented
the PDCA approach at the company. In the first quarter of the operating year, he designed
a plan to ensure that all brake specifications are carefully reviewed prior to the production
and shipment processes as well as to improve the communication among internal
departments through enhanced internal reporting.
During the second quarter, the production manager implemented the process (do) at
the company.
At the end of each of the next two operating quarters, the production manager monitored
(check) the effectiveness of the process by comparing year-to-date brake returns with the
prior year.
This process continued the following operating year with BOC achieving a 10 percent
reduction in brake system returns over an 18-month period. To further reduce the number
of brake system returns, the production manager hired a full-time quality control manager.
As part of his ongoing responsibilities, the quality control manager will continue to monitor
(act) the effectiveness of the process and recommend any technological improvements to
the production manager.


1.4 Performance Measures

Performance measures, often referred to as key performance indicators (KPIs), for assessing
processes can be financial or nonfinancial, quantitative or qualitative, and should correlate
directly to the managed process. These measures are compared with expectations to monitor
progress. Four common categories of KPIs, with examples, include the following:
• Financial Metrics: gross revenue margin, profit margin, costs as a percentage of revenue,
  earnings per share, price-to-earnings ratio, and EBITDA (earnings before interest, taxes,
  depreciation, and amortization).
• Customer Metrics: number of new customers, customer satisfaction ratings, number
  of repeat purchases, number of up-sell/cross-sell purchases, and customer order
  fulfillment rates.
• Internal Process Metrics: percentage of manufacturing waste, number of units
  manufactured, number of service hours delivered, raw materials reorder times,
  percentage change in units of carbon emissions, and percentage of costs attributed to
  renewable energy.
• Organizational Growth Metrics: number of training sessions completed, ratings on
  employee satisfaction surveys, employee turnover rate, and employee growth rate.

1.5 Benefits
A studied and systematic approach to process management lets the company monitor the
degree to which process improvements have been achieved. The benefits most often cited
for process management are:
• Efficiency: Fewer resources are used to accomplish organizational objectives.
• Effectiveness: Objectives are accomplished with greater predictability.
• Agility: Responses to change are faster and more reliable.


1.6 Business Process Modeling Notation

Business Process Modeling Notation (BPMN; the current OMG standard is titled Business Process
Model and Notation) is a standardized system of diagrams, symbols, and visuals used to depict
business processes. It gives people a common set of concepts and principles for communicating
business processes so that they can be documented, improved, and managed.
There are numerous notations within different categories. The most common elements are flow
objects (events, drawn as circles; activities, drawn as rounded rectangles; and gateways, drawn as
diamonds, which split or merge paths), connecting objects (sequence flows, message flows, and
associations), swimlanes (pools and lanes that show who performs each step), and artifacts (data
objects and text annotations).


Illustration 2 BPMN

Online discount shoe retailer Nile Shoes is trying to improve its customer experience from
when a customer first orders a pair of shoes to when those shoes are finally delivered to
the customer.
The process starts with a customer placing an order on the website and entering payment
information. That information is sent in real time to the billing department for processing. If
the payment processes successfully, shipping is notified to ship the product and a
confirmation of the sale is sent to the customer, followed by the product. This process is
mapped as follows using BPMN diagramming.
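The Nile Shoes process above, as an added example that is not part of the Becker text: a small Python module that encodes the process in BPMN 2.0 terms (start event, tasks, an exclusive gateway on the payment outcome, end events), writes it out as standard BPMN XML, and checks the model for structural faults that a drawn diagram can hide (nodes unreachable from the start event, dead ends, a gateway with only one exit). The element ids and the declined-payment branch are assumptions; the illustration describes only the successful path.

```python
"""Added example, not from the Becker text: the Nile Shoes order process of
Illustration 2 encoded as a BPMN 2.0 process, serialized to the standard XML
form, and checked for basic structural soundness.  Node ids are invented, and
the "payment declined" branch is an assumption: the illustration describes
only the successful path."""
import xml.etree.ElementTree as ET

BPMN_NS = "http://www.omg.org/spec/BPMN/20100524/MODEL"

# (id, BPMN element, label); ids are hypothetical
NODES = [
    ("start_order", "startEvent", "Customer places order on website"),
    ("enter_payment", "userTask", "Customer enters payment information"),
    ("process_payment", "serviceTask", "Billing processes payment"),
    ("gw_paid", "exclusiveGateway", "Payment successful?"),
    ("notify_shipping", "sendTask", "Notify shipping"),
    ("confirm_sale", "sendTask", "Send sale confirmation to customer"),
    ("ship_product", "task", "Ship product"),
    ("end_delivered", "endEvent", "Product delivered"),
    # Assumed branch: the text does not say what happens when payment fails.
    ("notify_declined", "sendTask", "Notify customer of declined payment"),
    ("end_declined", "endEvent", "Order not fulfilled"),
]

# (source id, target id, condition label or None)
FLOWS = [
    ("start_order", "enter_payment", None),
    ("enter_payment", "process_payment", None),
    ("process_payment", "gw_paid", None),
    ("gw_paid", "notify_shipping", "yes"),
    ("notify_shipping", "confirm_sale", None),
    ("confirm_sale", "ship_product", None),
    ("ship_product", "end_delivered", None),
    ("gw_paid", "notify_declined", "no"),       # assumed
    ("notify_declined", "end_declined", None),  # assumed
]


def build_bpmn(nodes=NODES, flows=FLOWS):
    """Serialize the process as BPMN 2.0 XML (OMG MODEL namespace, no diagram layer)."""
    ET.register_namespace("bpmn", BPMN_NS)
    defs = ET.Element(f"{{{BPMN_NS}}}definitions", id="defs_nile_shoes")
    proc = ET.SubElement(defs, f"{{{BPMN_NS}}}process",
                         id="order_to_delivery", isExecutable="false")
    for node_id, tag, name in nodes:
        ET.SubElement(proc, f"{{{BPMN_NS}}}{tag}", id=node_id, name=name)
    for i, (src, dst, cond) in enumerate(flows):
        attrs = {"id": f"flow_{i}", "sourceRef": src, "targetRef": dst}
        if cond:
            attrs["name"] = cond
        ET.SubElement(proc, f"{{{BPMN_NS}}}sequenceFlow", attrs)
    return ET.tostring(defs, encoding="unicode")


def count_flows(xml_text):
    """Parse BPMN XML back and count its sequence flows (round-trip check)."""
    root = ET.fromstring(xml_text)
    return len(root.findall(f".//{{{BPMN_NS}}}sequenceFlow"))


def check_process(nodes=NODES, flows=FLOWS):
    """Return a list of structural problems; an empty list means the model is sound."""
    kinds = {node_id: tag for node_id, tag, _ in nodes}
    out = {n: [] for n in kinds}
    inc = {n: [] for n in kinds}
    problems = []
    for src, dst, _ in flows:
        if src not in kinds or dst not in kinds:
            problems.append(f"flow {src}->{dst} references an unknown node")
            continue
        out[src].append(dst)
        inc[dst].append(src)

    starts = [n for n, k in kinds.items() if k == "startEvent"]
    ends = [n for n, k in kinds.items() if k == "endEvent"]
    if len(starts) != 1:
        problems.append(f"expected exactly one start event, found {len(starts)}")

    def reachable(roots, edges):
        seen, stack = set(), list(roots)
        while stack:
            n = stack.pop()
            if n not in seen:
                seen.add(n)
                stack.extend(edges[n])
        return seen

    forward = reachable(starts, out)   # reachable from the start event
    backward = reachable(ends, inc)    # can reach some end event
    for n, k in kinds.items():
        if n not in forward:
            problems.append(f"{n} is not reachable from the start event")
        if n not in backward:
            problems.append(f"{n} is a dead end: it cannot reach an end event")
        if k == "exclusiveGateway" and len(out[n]) < 2:
            problems.append(f"gateway {n} needs at least two outgoing flows")
        if k == "endEvent" and out[n]:
            problems.append(f"end event {n} must have no outgoing flows")
    return problems
```

`check_process()` returns an empty list for the model as given; drop the `no` branch from `FLOWS` and it reports the gateway with a single exit and the declined-payment nodes as unreachable, which is the kind of omission a hand-drawn diagram does not flag.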


2 Shared Services, Outsourcing, and Offshore Operations

2.1 Shared Services

Shared services refers to seeking out redundant services, combining them, and then sharing
those services within a group or organization. The distinguishing feature of shared services is
that they are shared within an organization or group of affiliates.

Illustration 3 Shared Services

Financial Group Inc. is a financial services company with three distinct lines of businesses
including accounting, tax, and consulting. Currently, each division operates as a separate
company with its own human resources, payroll, and legal departments. In order to more
effectively manage the organization and reduce costs, the new CEO implements a shared
services plan whereby all human resources, payroll, and legal department services will
be consolidated into one centralized function. The CEO thinks that this shared services
approach will eliminate redundant back-office functions and will reduce annual operating
costs by $750,000.

Consolidation of redundant services creates efficiency but might also result in the following issues:
• Service Flow Disruption: The consolidation of work to a single location can create waste
  in the transition, rework, and duplication as well as increases in the time it takes to deliver
  a service.
• Failure Demand: The demand for a shared service caused by a failure to do something
  or to do something right for a customer is called failure demand. Failure demand results
  when a task must be performed for a second time because it was incorrectly performed the
  first time.

2.2 Outsourcing
Outsourcing is defined as the contracting of services to an external provider. Examples might
include a payroll service or even a call center to provide support or back-office services for a fee.
A contractual relationship exists between the business and its service provider.
Outsourcing can provide efficiencies, but there are also risks. Those risks include:
• Quality Risk: An outsourced product or service might be defective. Suppliers might provide
  substandard products or services.
• Quality of Service: Poorly designed service agreements may impede the quality of service.
• Productivity: Real productivity may be reduced even though service provider employees
  are paid less.
• Staff Turnover: Experienced and valued staff whose functions have been outsourced may
  leave the organization.
• Language Skills: Outsourced services may go offshore. Language barriers may reduce the
  quality of service.
• Security: Information handed to a third party leaves the organization's direct control; its
  confidentiality and integrity then depend on the provider's access controls, data-handling
  practices, and any subcontractors, so the contract should state those requirements and the
  organization's right to verify them.
• Qualifications of Outsourcers: Credentials of service providers may be flawed. Offshore
  degrees may not include the same level of training as domestic degrees.
• Labor Insecurity: Labor insecurity increases when jobs move to an external service
  provider or, as a result of globalization, out of the country.

2.3 Offshore Operations

Offshore operations relate to outsourcing of services or business functions to an external party in
a different country. A computer manufacturer in the United States, for example, might have its
call center in India. The most common types of offshore outsourcing are:
• Information technology
• Business process (call centers, accounting operations, tax compliance)
• Software research and development (software development)
• Knowledge process (processes requiring advanced knowledge and specialized skill sets,
  such as reading x-rays)
Business risks of offshore outsourcing are generally the same as those of outsourcing, but with
greater emphasis on the oversight that is lost when the provider is not physically nearby, as well
as potential language issues.

3 Selecting and Implementing Improvement Initiatives

3.1 Selecting Improvement Initiatives

An organization may use either rational or irrational methods when launching an initiative to
improve company processes.

3.1.1 Irrational
Irrational methods are intuitive and emotional. They lack structure and systematic evaluation.
Irrational methods are based on fashion, fad, or trend. They may result from an immediate need
for cost reduction, and stem from a very short-term viewpoint.

3.1.2 Rational
Rational improvement initiatives are structured and systematic, and involve the following:
• Strategic Gap Analysis: External (environmental) assessments and internal (organizational)
  assessments performed to help determine the gap between an organization's objectives
  and its status quo.
• Review of Competitive Priorities: Review of price, quality, and other differentiators
  required to have a competitive advantage.
• Review of Production Objectives: Review of performance requirements needed to reach
  production or service delivery objectives.
• Selection of an Improvement Program: Decide how to proceed for improvement based
  on the organization's objectives.


3.2 Implementing Improvement Initiatives

There are several crucial features of successful implementation activities.
• Internal Leadership: Senior management must provide direction and commit resources to
  the implementation.
• Inspections: Ongoing implementation must be monitored and measured.
• Executive Support: Executive management must be visibly supportive of the initiative.
• Internal Process Ownership: The individuals most deeply involved with process
  management must be committed to the need for process improvement and have the
  resources to carry it out.

4 Business Process Reengineering

Business process reengineering (BPR) refers to techniques that organizations can implement that
radically reform business processes to achieve strategic objectives, such as improving customer
satisfaction and service, cutting operational costs, and enhancing competitiveness. The development
of sophisticated information technology systems and networks has driven many reengineering efforts.
Business process reengineering is not synonymous with business process management.
Business process management seeks incremental change, whereas business process reengineering
seeks atypical changes that result in revolutionary shifts in the way a company performs
a process.

4.1 Fresh Start

The basic premise of business process reengineering is the idea that management will "wipe the
slate clean" and reassess how business is done from the ground up without reference to existing
processes. Reengineering uses benchmarking and best practices to evaluate success.

4.2 Current Status

Reengineering is not as popular as it was at its peak in the mid-1990s. The technique has
been criticized for what some believe was overaggressive downsizing. In addition, the programs
have often not produced the benefits that were originally anticipated.

Illustration 4 Business Process Reengineering

Decorations Inc. manufactures holiday ornaments and decorative lawn figurines.
Over the past several years, rising manufacturing costs have significantly eroded the
company's operating profit margins. Currently, the automated manufacturing process
and manual labor process represent 30 percent and 70 percent of the total production
costs, respectively.
In order to combat this negative operating trend, company management hired an outside
consulting firm that will consider both business process management and business
process reengineering.


Business process management option
After performing due diligence, the consultants recommended a business process
management plan that involved cutting 10 percent of the production workforce over the
next three years and replacing 15 percent of the manual production process with newly
designed machines. After severance and machine upgrade costs, it is estimated that this
business process management program will reduce annual operating costs by $1,000,000
in three years.
Business process reengineering solution
The consulting firm also completed a business process reengineering study (plan) that
would eliminate 80 percent of the current production workforce over the next three
years and fully automate the production process, with the exception of the quality control
function and packaging supervision. Although the up-front costs to implement the business
process reengineering program are more significant than those of the BPM plan, the BPR plan is
expected to reduce annual operating costs by $2,500,000 in three years.
The consulting firm submits both plans to company management, which must decide
whether incremental change or radical change is more appropriate given the up-front costs
to execute the plans and the expected annual cost savings associated with each plan.

5 Management Philosophies and Techniques for Performance Improvement

Performance improvement philosophies and techniques seek to provide the highest-quality
goods and services in the most efficient and effective manner possible.

5.1 Just-in-Time (JIT)

Just-in-time management anticipates achievement of efficiency by scheduling the deployment of
resources just in time to meet customer or production requirements.

5.1.1 Inventory Does Not Add Value
The underlying concept of JIT is that inventory does not add value. The maintenance of inventory
on hand produces wasteful costs.

5.1.2 Benefits
The benefits of JIT implementation include:
• Synchronization of production scheduling with demand.
• Arrival of supplies at regular intervals throughout the production day.
• Improved coordination and team approach with suppliers.
• More efficient flow of goods between warehouses and production.
• Reduced setup time.
• Greater efficiency in the use of employees with multiple skills.


The limitations of JIT become apparent in times of supply chain shocks. A shortage of even one
key component within a manufacturing process, for example, could put the entire production
schedule at risk and cause product outages. Because of this, some companies are moving away
from JIT-based systems.
Also, many companies now recognize that inventory does in fact have value. Holding extra
inventory reduces the risk of stockouts, which occur when a consumer is unable to purchase a
product in store or online. Stockouts may lead customers to competitors or reduce the likelihood
that a customer returns.

5.2 Total Quality Management

Total quality management (TQM) represents an organizational commitment to customer-focused
performance that emphasizes both quality and continuous improvement. Total quality
management identifies seven critical factors, outlined below.

5.2.1 Customer Focus
The TQM organization is characterized by the recognition that each function of the corporation
exists to satisfy the customer. Customers are identified as both external customers and
internal customers.
• External Customers: The external customer is the ultimate recipient or consumer of an
  organization's product or service.
• Internal Customers: Each link in the value chain (and within the value chain) represents an
  internal customer.

Illustration 5 TQM

Supplies inventory managers provide services to internal customers, such as production
managers. A TQM organization will demand that the supplies inventory manager value the
satisfaction of production managers in the timely delivery of supplies adequate to meet
production requirements.

5.2.2 Continuous Improvement
Quality is not viewed as an achievement in a TQM organization. The organization constantly
strives to improve its product and processes. Quality is not just the goal; it is embedded in
the process.

5.2.3 Workforce Involvement
TQM organizations are characterized by team approaches and worker input to process
development and improvement. Small groups of workers that use team approaches to process
improvement are called quality circles.

5.2.4 Top Management Support
Top management must actively describe and demonstrate support for the quality mission of the
organization. Management can communicate support by meaningful delegation of authority to
quality circles and involvement of suppliers.

5.2.5 Objective Measures
Measures of quality must be unambiguous, clearly communicated, and consistently reported.


5.2.6 Timely Recognition
Acknowledgement of TQM achievements (in terms of compensation and general recognition)
must occur to encourage the ongoing involvement of the workforce.

5.2.7 Ongoing Training
TQM training should occur on a recurring basis to ensure workforce understanding and
involvement.

5.3 Quality Audits and Gap Analysis

5.3.1 Quality Audits
Quality audits are a technique used as part of the strategic positioning function in which
management assesses the quality practices of the organization. Quality audits produce
the following:
• Analysis that identifies strengths and weaknesses.
• A strategic quality improvement plan that identifies the improvement steps that will produce
  the greatest return to the organization in the short term and long term.

5.4 Lean Manufacturing

Lean manufacturing or lean production requires the use of only those resources required to meet
the requirements of customers. It seeks to invest resources only in value-added activities.

5.4.1 Waste Reduction
The focus of lean is on waste reduction and efficiency. The concept of preserving value while
expending only the effort necessary is not uncommon and has a long history in business
and economics. Kaizen and activity-based management initiatives are waste-reduction
methodologies that use empirical data to measure and promote efficiencies.

5.4.2 Continuous Improvement (Kaizen)
"Kaizen" refers to continuous improvement efforts that improve the efficiency and effectiveness of
organizations through greater operational control.
Kaizen occurs at the manufacturing stage, where the ongoing search for cost reductions takes
the form of analysis of production processes to ensure that resource usage stays within target
costs.

5.4.3 Process Improvements/Activity-Based Management
Activity-based costing (ABC) and activity-based management (ABM) are highly compatible with
process improvements and total quality management (TQM).
• Cost Identification: Activity-based costing and management systems highlight the costs of
  activities. The availability of cost data by activity makes the identification of costs of quality
  and value-added activities more obvious.
• Implementation: Organizations with ABC and ABM programs are more likely to have the
  information they need to implement a TQM program. Process improvement results from a
  detailed process management program (sometimes referred to as an activity-based
  management system, or ABM).


5.5 Demand Flow Systems

Demand flow systems, sometimes referred to as demand flow technology (DFT), manage resources
using customer demand as the basis for resource allocation instead of using sales forecasts
or master scheduling. This means manufacturing production is driven by customers, not an
organization's forecast.

5.5.1 Relationship to Just-in-Time
Demand flow is akin to just-in-time processes that focus on the efficient coordination of demand
for goods in production with the supply of goods in production. Kanban systems, which visually
coordinate demand requirements on the manufacturing floor with suppliers, are used to
coordinate demand flow.

5.5.2 Relationship to Lean
Demand flow is designed to maximize efficiencies and reduce waste, similar to lean
manufacturing practices like one-piece flow systems. One-piece flow manufacturing is different
from traditional batch manufacturing, which has stages of production or processes where
inventory in process can stagnate. In a one-piece flow manufacturing environment, inventory
moves in a continuous flow of work without stopping at different phases. The idea is that this
eliminates waste and resource downtime.

5.6 Theory of Constraints (TOC)

Theory of constraints states that organizations are impeded from achieving objectives by the
existence of one or more constraints or bottlenecks. The organization or project must be
consistently operated in a manner that either works around or leverages the constraint.

5.6.1 Constraints
A constraint is anything that impedes the accomplishment of an objective. Constraints for
purposes of TOC are limited in total and, sometimes, organizations may face only one constraint.
• Internal Constraints: Internal constraints are evident when the market demands more than
  the system can produce.
  - Equipment may be inefficient or used inefficiently.
  - People may lack the skills or mind-set necessary to produce required efficiencies.
  - Policies may prevent the efficient use of resources.
• External Constraints: External constraints exist when the system produces more than the
  market requires.

5.6.2 Five Steps


TOC generally involves five steps:
1. Identification of the Constraint: Use of process charts or interviews results in
identification of the constraint that produces suboptimal performance.
2. Exploitation of the Constraint: Planning around the constraint uses capacity that is potentially
wasted by making or selling the wrong products, improper procedures in scheduling, etc.
3. Subordinate Everything Else to the Above Decisions: Management directs its efforts to
improving the performance of the constraint.
4. Elevate the Constraint: Add capacity to overcome the constraint.
5. Return to the First Step: Reexamine the process to optimize the results. Remain cognizant
that inertia can be a constraint.


5.6.3 Buffer
The concept of buffers is used throughout TOC. Managers add buffers before and after each
constraint to ensure that enough resources exist to accommodate the constraint. Buffers,
therefore, protect the work flow from disruption at the constraint: the constraint is neither
starved of work nor blocked from passing its output on.

Illustration 6 Internal Constraints

Advanced Printing Co. purchased several state-of-the art printing presses in the fourth
quarter of last year. Despite this significant capital investment, the company's year-to‑date
production output and costs have not changed. Company management attributes this
production trend to several internal constraints, including a lack of sufficient training
for employees operating the new presses and the fact that the machines were used
inefficiently during the production process.
In order to improve the new machines' productivity and generate a positive return on
capital investment, management will begin scheduling periodic training sessions for
operating them and will hire an outside consultant to determine the most effective way
to maximize productivity. Once the study is completed, each machine line supervisor
will meet with the outside consulting firm to go over the study's results, share ways to
further improve productivity, and provide an effective way to monitor employees' ongoing
production performance. Each Saturday after a weekly production run is completed, every
machine line supervisor will be required to submit a weekly production report to the
production manager, explaining any negative cost and production variances greater than
2 percent from the plan. Management believes that these buffers will eliminate the internal
constraints identified from the current year's operating results.

5.7 Six Sigma

Six Sigma is a continuous quality-improvement program that strives to reduce product or service
defects to near-zero levels, conventionally 3.4 occurrences per million units of product (or other
unit of measure). The name refers to specification limits set six standard deviations (6σ) from
the process mean; the 3.4-per-million figure is the long-term rate under the Six Sigma convention
that the mean may drift 1.5σ from target over time (with no drift, limits at 6σ would imply about
two defects per billion). The program expands on the Plan-Do-Check-Act model of process
management described earlier, and outlines methodologies to improve current processes and
develop new processes.
Six Sigma uses two five-step processes. One is for existing products or processes (DMAIC:
define, measure, analyze, improve, control) and the other is for new products or processes
(DMADV: define, measure, analyze, design, verify).
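The arithmetic behind those figures, as an added example that is not part of the Becker text: a small Python module that converts between a sigma level and defects per million opportunities (DPMO) using the standard normal tail probability and the conventional 1.5σ long-term shift, in both directions, so that an observed defect count can be translated into a sigma level. The function names and the sample defect counts are hypothetical.

```python
"""Added example, not from the Becker text: the arithmetic behind "3.4 defects
per million" and the conversion between a defect rate and a sigma level.  It
uses the standard normal distribution and the conventional Six Sigma allowance
for a 1.5-sigma long-term shift of the process mean.  Function names and the
sample defect counts are hypothetical."""
import math


def normal_tail(z):
    """P(Z > z) for a standard normal Z, via the complementary error function."""
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def dpmo(sigma_level, shift=1.5):
    """Defects per million opportunities for two-sided specification limits placed
    sigma_level standard deviations either side of the nominal mean, when the
    actual mean has drifted `shift` standard deviations toward one limit."""
    near_limit = normal_tail(sigma_level - shift)   # most defects fall here
    far_limit = normal_tail(sigma_level + shift)    # negligible for large sigma
    return 1e6 * (near_limit + far_limit)


def sigma_level_for(observed_dpmo, shift=1.5):
    """Invert dpmo() by bisection: dpmo() is strictly decreasing in the sigma level."""
    lo, hi = 0.0, 10.0
    for _ in range(100):
        mid = (lo + hi) / 2.0
        if dpmo(mid, shift) > observed_dpmo:
            lo = mid      # too many defects: the process is below this sigma level
        else:
            hi = mid
    return (lo + hi) / 2.0


def sigma_from_counts(defects, units, opportunities_per_unit=1, shift=1.5):
    """Sigma level from a tally, e.g. 7 rejected brake systems out of 20,000 shipped
    (constructed numbers, one defect opportunity per unit)."""
    observed = 1e6 * defects / (units * opportunities_per_unit)
    return sigma_level_for(observed, shift)


if __name__ == "__main__":
    for level in (3, 4, 5, 6):
        print(f"{level} sigma -> {dpmo(level):10.1f} DPMO")
    print(f"6 sigma with no shift -> {dpmo(6, shift=0.0):.5f} DPMO")
    print(f"7 defects in 20,000 units -> {sigma_from_counts(7, 20000):.2f} sigma")
```

With the 1.5σ shift, `dpmo(6)` comes out at about 3.4 and `dpmo(3)` at about 66,800, matching the usual Six Sigma conversion tables; with `shift=0.0` the 6σ figure drops to roughly 0.002 per million, which is the "two per billion" of the pure normal model.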

5.7.1 Existing Product and Business Process Improvements (DMAIC)
• Define the Problem: Based on customer comments, failed project goals, or other issues,
  determine the existence of a problem.
• Measure Key Aspects of the Current Process: Collect relevant data.
• Analyze Data: Examine the relationships between data elements.
• Improve or Optimize Current Processes: Use models and data to determine how the
  process can be optimized.
• Control: Develop a statistical control process to monitor results.


5.7.2 New Product or Business Process Development (DMADV)
• Define Design Goals: Design goals that are consistent with customer demands.
• Measure CTQ (Critical to Quality) Issues: Analyze the value chain to determine
  the features that provide value to the customer and the production capabilities that
  are available.
• Analyze Design Alternatives: Develop different methodologies to produce the
  new product.
• Design Optimization: Use modeling techniques to determine optimization of the
  proposed process.
• Verify the Design: Implement and test the plan.

Question 1 MCQ-03895

The benefits of a just-in-time system for raw materials usually include:
a. Elimination of non-value-adding operations.
b. Increase in the number of suppliers, thereby ensuring competitive bidding.
c. Maximization of the standard delivery quantity, thereby lessening the paperwork
   for each delivery.
d. Decrease in the number of deliveries required to maintain production.

MODULE 2  IT Governance (BEC 6)

1 The Importance of IT Governance

The role of information technology (IT) in organizations has evolved from a basic support
function and storage tool to a vital asset used in virtually all business processes. This evolution
has required organizations to develop new or modify existing IT governance policies to align IT
infrastructure with organizational strategies and goals.
A robust IT governance framework can help achieve this goal by providing a clear understanding of
all stakeholders and key functions involved, including people, processes, technology, performance
metrics, risk management, IT department operations, and the benefits that result from IT initiatives.

2 Understanding and Defining IT Governance

An IT governance framework outlines how leadership accomplishes the delivery of mission-critical
business capabilities using IT strategies, goals, and objectives. IT governance is the duty of the board
of directors and executive management, who create applicable policies and procedures as well as
determine the proper organizational structures to deploy to sustain those critical capabilities.
Although no standard IT governance model applies to all organizations, multiple governance
frameworks exist to help organizations create tailored models using standards as a guide. This is
accomplished through the synchronization of resources, such as people, controls, policies, and
processes that are necessary to achieve an organization's data governance goals. In general, a
strong IT governance model will have practices and policies with the following components:

• Availability: Systems and data must be available to users, have proper integrity, be in a usable format, and be secure. While security may be a high priority, information must not be secured in a way that creates unnecessary hurdles for those who need it.
• Architecture: Job roles, IT applications, and the hardware supporting them should be designed to enable the fulfillment of governance objectives.
• Metadata: Data describing other data, known as metadata or data dictionaries, must be robust in both breadth and specificity. Vague or incomplete metadata may result in the misuse of data or lead to improper business decisions.
• Policy: IT governance policies should be in place to help companies translate management and governance objectives into practice.
• Quality: Data integrity and quality are crucial to ensure basic standards are met so there are no anomalies, such as missing values, duplicate values, transposed values (phone numbers in the address field), or mismatched records (e.g., Jane Doe's address is listed as John Smith's address).
• Regulatory Compliance and Privacy: Information collected, used, and stored by an organization that is considered personally identifiable information (PII), personal health information (PHI), or is otherwise subject to regulatory constraints, should be secured by policies designed to ensure that the use of the data does not violate company policies or privacy laws, such as the California Consumer Privacy Act (CCPA); General Data Protection Regulation (GDPR); or the Health Information Portability and Accountability Act (HIPAA).
• Security: IT governance strategy should include the secure preservation, storage, and transmission of data by authorized system users in a way that safeguards an organization's IT infrastructure.

2.1 Governance Frameworks


An IT governance framework that is comprehensive and dynamic allows organizations to
accommodate the rapidly changing technology landscape while also consistently meeting
stakeholder needs. The following lists the frameworks of three organizations that issue guidance
and best practices for establishing an effective IT governance system: COSO's Internal Control—
Integrated Framework, ISACA's Control Objectives for Information and Related Technology
(COBIT) framework, and Axelos' Information Technology Infrastructure Library (ITIL) framework.
These frameworks can be used collectively as a guide to align industry-leading IT governance
standards with organizational practices.


2.1.1 COSO Internal Control—Integrated Framework


The Committee of Sponsoring Organizations (COSO), created by the Treadway Commission, has developed guidance and a framework covering the areas of internal control, risk management, and fraud deterrence. Within its five-point Internal Control—Integrated Framework (the framework), there are two categories with principles that pertain specifically to internal control over information technology.
• Control Activities: Principle 11 of the framework states that there should be general controls over technology to achieve organizational objectives. To establish these controls, the company must understand the dependency between general controls over technology and the use of technology in business processes. It must also establish controls over relevant technology infrastructure, security management, technology acquisition, and maintenance processes.
• Information and Communication: Principle 13 of the framework states that organizations should acquire, create, and use quality information to support internal controls. This includes identifying the company's information needs, capturing both external and internal sources of data, processing relevant data into useful information, and maintaining quality when processing that data. The cost of performing these tasks should be compared with their benefits.
  Principle 14 states that effective communication of information is necessary to support internal controls. This means communicating certain internal information to stakeholders, including the board of directors; providing communication lines that are separate from those directly accessible by management; and selecting appropriate methods for that communication.

Illustration 1 COSO Principles

Spinal Surgery Clinic (SSC) P.A., a large group of physicians focusing on spinal surgery,
recently had an outside firm perform an IT audit as recommended by SSC's board of
directors. The findings resulted in recommendations that followed the COSO Internal
Control—Integrated Framework principles 11, 13, and 14. As such, SSC invested in new
technology that required user identities to be verified by multiple points of validation
other than just a password in order to access patient accounts (in line with principle 11).
Additionally, SSC adopted a state-of-the-art data cleansing system in an effort to acquire
and use error‑free data to enhance patient outcomes, which aligned with principle 13.
Lastly, to address principle 14, SSC began performing regular reviews of key IT functions
and started issuing monthly reports of internal control to the board of directors.

2.1.2 ISACA's Control Objectives for Information and Related Technology (COBIT) Framework
The Information Systems Audit and Control Association (ISACA) is a not-for-profit organization
that was formed to help companies and technology professionals manage, optimize, and protect
information technology (IT) assets. To accomplish this, ISACA created the Control Objectives
for Information and Related Technology (COBIT) framework, which provides a road map that
organizations can use to implement best practices for IT governance and management.

• Governance Stakeholders
  - COBIT distinguishes between governance and management, recognizing them as two unique disciplines that exist for different reasons and require different sets of organizational resources. Organizational governance is typically the responsibility of a company's board of directors, consisting of a chairperson and focused organizational structures (e.g., audit committee, executive committee, marketing committee).
  - Management is responsible for the daily planning and administration of company operations, generally consisting of a chief executive officer (CEO), chief financial officer (CFO), chief operations officer (COO), and other executive leaders. Management is selected and guided by the board of directors.
  - Governance and management each have their own objectives, which are grouped into five domains. Governance objectives are all in a single domain that is centered on evaluating, directing, and monitoring. Management objectives are grouped into four domains that focus on supporting activities, integrating IT solutions into business processes, delivering IT services in a secure fashion, and monitoring performance of IT tasks with internal targets.
2.1.3 Information Technology Infrastructure Library (ITIL) Framework
The Information Technology Infrastructure Library (ITIL) is a framework originally created by the British government that evolved into a joint venture between the government and the private firm Axelos. It is now a globally recognized IT governance framework that is more focused on the delivery of IT services across the following four domains:
• Organizations and People: This domain focuses on developing excellence in labor practices, morale, communication methods, and systems of authority.
• Information and Technology: This domain covers the IT resources required to deliver products and services, which include the data, hardware and software, and the relationship between those components.
• Partners and Suppliers: This domain focuses on the role of third parties in IT service delivery and their relationship with the organization. The scope includes continuous improvement through supplier integration and partner strategy in designing, developing, and deploying IT services.
• Value Streams and Processes: This domain encompasses the way in which separate parts of a business work together to deliver products and services, and create value for consumers.

3 Aligning IT Governance With Organizational Objectives

IT governance practices that are aligned with an organization's strategic goals and objectives will
empower IT resources so that the company effectively achieves those targeted results. The goals
and objectives of an organization are manifested in its overall vision and strategy.

3.1 Vision
A company's vision represents its aspirations and goals, and its strategy is what helps
the company reach those goals. These goals are typically described in a vision statement.
Accordingly, a company's IT governance policies should be designed in a way that facilitates the
achievement of that vision.


Illustration 2 Vision Statement

Privacy Analytics Inc., a digital marketing firm, established the following vision statement:
Our organization strives to provide accurate and up-to-date customer insights using data
in a way that honors consumer privacy but delivers top-notch results to our clients.
The organization would then structure its IT governance practices so that this vision is
achieved. As an example, the company could structure its consumer collection algorithms
in a way that identifies personal or sensitive consumer information and filters it so that
it is never collected and stored from the original source data. Another option would be
to separate employees with access to sensitive consumer data from those designing
the marketing campaigns, so there is no bias or discrimination built into targeted
marketing efforts.

3.2 Corporate Strategy


A corporate strategy is the way in which an organization achieves the goals and objectives
established by its vision. The strategy shapes an organization's operations and business model,
which could take various forms such as a low-cost leadership strategy; a product-differentiation
strategy; or an environmental, social, and governance (ESG) strategy. The chosen corporate
strategy must then be supported by an appropriate IT strategy and IT governance.

3.3 IT Strategy
IT architecture design can have a significant effect on how a company executes its corporate
strategy. As such, aligning IT strategy with corporate strategy objectives will optimize an
organization's efforts in achieving those objectives. Documentation of this strategy and
architecture will give management a strong understanding of the company's capabilities which,
in turn, will play a key role in defining the activities in which the organization should engage. The
following IT factors may impact a company's corporate strategy:

• Available IT Personnel: Staffing for IT needs can be insourced, outsourced, or a combination. Companies with corporate strategies that heavily rely on IT may be more likely to employ their own IT staff. Similarly, the faster the response time needed in a catastrophic event, the more likely a company is to rely on insourcing or having its own IT staff. To the degree that these are less important, then a combination of outsourced staff or fully outsourcing IT staff to a managed services provider may be more appropriate.
• Virtual/Physical Network Design: Networks can be physical or virtual, centralized or decentralized, or a combination of any of these factors. The computing power of a company will be a key element in determining this component of the IT strategy. For companies that have consistent power needs, it would make sense to invest in a physical network with equipment on-site (referred to as "on-premise" or "on-prem") as this is usually more cost-effective over the long term and demand needs could be reasonably estimated. Conversely, for companies that have demands that intermittently experience sharp spikes, it would be more appropriate to have access to virtual computing power to save costs and to have as much computing power as a company needs during any given spike.
• Cybersecurity: Regulatory burdens and compliance needs for each organization will vary, which means that some companies may place more importance on the security of personal and proprietary data in transit or at rest. For instance, health care organizations subject to HIPAA regulations or IT firms concerned with PII usage will have privacy as a key part of their corporate strategy. This means that cybersecurity practices will impact their ability to achieve those goals within an organization and with external parties; therefore, the IT strategy must be aligned with security controls.
• Centralized/Decentralized Network Design: Organizations with multiple offices across a wide range of locations may have different needs from those with one or a few closely located offices. Those with a range of locations may prefer a decentralized network design that permits other sites to continue to function in the event one site fails. If control is more of a concern as opposed to temporary loss of connectivity, then a centralized design may be more advantageous for a company's corporate strategy.
• Disaster Recovery and Business Continuity: The speed at which a company can "spin back up," or recover, its systems and applications after a loss of service will be more important to certain organizations than others. Technology-based companies or those providing IT services will have a shorter target recovery time frame than that of a company not as heavily rooted in IT, such as an outpatient psychiatric clinic. Although the need to access IT systems is important to any firm, it can vary greatly with companies based on the industry in which they operate.
Support functions also play a key role in determining an organization's IT strategy because they
enable administrative functions in a business. These functions include human resources, marketing,
legal, internal audit, and finance, among others. The size of the company in terms of employees,
customers, and assets will determine the level of IT sophistication needed to service these support
functions. Companies with millions of customers will have very different IT needs from those with
hundreds. Likewise, organizations with hundreds of thousands of employees will have processes, IT
needs, and support functions that are very different from those with fewer than 100.

4 Structuring and Executing IT Governance

To execute and maintain effective IT governance practices over time, an organization requires
recurring input and participation from top leadership, middle managers, IT staff, end users, and
external stakeholders. Another part of a well-functioning IT governance structure is having the
right policies and procedures in place so that governance continues to remain relevant, provide
oversight, and align with organizational goals.


4.1 People
The people within an organization are the decision makers and drivers of the way IT governance
is structured. The involvement of leaders and members at all levels of an organization is
necessary for IT governance to be executed effectively.

4.1.1 Board of Directors


The board of directors oversees and appoints executive positions, typically the CEO. Although
the ultimate responsibility of setting governance policies may be attributed to the board, the
daily planning and administration of these policies are the responsibility of management. The
board must evaluate IT governance policies to ensure they meet the strategic and operational
needs of an organization.

4.1.2 Executive Management


Executives make key strategic decisions and are responsible for ensuring an IT governance
structure is in place and executed effectively. Executives must also set a clear "tone at the top"
so that others will follow their lead.
Tone at the top is defined as the ethical climate or attitude toward policies demonstrated
by leadership. It acts as a guide for all members of the organization. This ideology applies to
technology as well, because one of the barriers to successfully executing an IT governance
structure is reluctance to change or adapt to evolving technology.
Executives who stress the importance of technology and its proper governance will deliver a
message to the organization that users should have the resources needed to perform daily
operations and that those resources must be used appropriately.


Illustration 3 Tone at the Top

The CEO of Lynn Financial Services, a large brokerage firm, sent a memo to management
and all employees concerning a new software application that will be implemented
for added security. The CEO noted that one of the key objectives of the firm is keeping
customers' information confidential and secure. As a result, the organization is now
requiring that all customer information that is transmitted or stored be done so using a
new encryption-based software application and that all employees will be enrolled in a
training program to ensure the software rollout is effective.

4.1.3 Middle Management


Management below executive management, often referred to as middle management, is
responsible for carrying out governance policies and making sure subordinates are doing the
same. This can be done by ensuring IT projects and processes have appropriate resources
and support. Because IT projects are often done by team members who have other core job
responsibilities, managers are responsible for ensuring team members are allocated sufficient
time, resources, and support. Management is also responsible for ensuring users are engaged
and adhering to established policies and procedures.

4.1.4 IT Support Staff


Whether the IT function is insourced or outsourced, the following roles are usually present in modern organizations and are vital to IT governance:
• Strategic or Executive-Level IT Staff: These employees may fall in the executive or middle management category and will be responsible for daily planning of governance policies and/or carrying out those policies. Example job titles are chief technology officer, chief information security officer, and IT director.
• Network Engineers: These IT staff members are responsible for designing and maintaining a company's network, which involves the configuration of servers, routers, switches, internet connectivity, and other network equipment and services.
• Help Desk and Lower-Level IT Support: These employees are often the first responders when end users need troubleshooting or have IT problems. They interface with the most employees and provide useful feedback to management, which incorporates user needs into new governance policies.
• Cybersecurity Staff: IT security personnel ensure the safe and secure use of company data and IT assets. These employees are often the first to sound the alarm when a breakdown in IT governance occurs.
• Function-Specific Staff: Larger organizations often have discipline-specific job roles within IT, such as a person who focuses purely on telephony, application programming, or database management. These employees serve as experts within a single domain so their governance responsibilities will have a narrow focus.


4.1.5 Accountants
Accountants play an important role in IT governance because much of the data they handle is confidential in nature, including banking and financial records, sensitive employee records, and patient or customer files. This means that accounting activities are some of the most important to which governance principles should be applied. Accountants may also play a role in designing new IT systems and governance processes including the following:
• Stewards of Accounting Information Systems (AIS): As the primary users of AIS software, accountants understand their information needs the best and thus provide input to system developers so that IT governance best practices are implemented while also providing maximum application versatility.
• Members of Project Development Teams: Participating in a project development team or an information systems steering committee strategically places accountants in a role that allows them to be involved in ongoing system development as it is being programmed in real time, as opposed to providing one-time input.
• Testers: As heavy users of IT systems, accountants may be appointed to periodically test certain systems to verify that controls are implemented and functioning properly. This feedback is then communicated to the project development team to incorporate into revisions of software in production or unreleased prototypes.

4.1.6 End Users


All system end users are important members of the governance development process because
they are best equipped to understand the day-to-day technology needs for organizational
activities. Users are also responsible for following processes and procedures that have been
established within the IT governance structure.

4.1.7 External Stakeholders


Stakeholders outside an organization also play a role in how IT governance is aligned with
organizational strategies. External stakeholders such as customers or vendors may drive how
organizations utilize online commerce platforms while external stakeholders such as auditors or
regulators may drive change in the IT governance structure to comply with existing or changing
regulatory standards.

Illustration 4 External Stakeholders and IT Governance Strategy

RKO, a large manufacturer, operates a continuous production facility in which it utilizes a just-in-time supply chain ordering methodology. This system allows RKO to minimize
inventory on hand by only ordering exactly what it needs for production with very little
shipping lag time. One of its strategic objectives is to avoid shutting down production due
to stockouts of raw materials.
To meet this objective, it buys most of its raw materials from a vendor who has a digital
platform that synchronizes with RKO's inventory IT system, providing RKO with a live
view of its vendor's raw materials and quantities. The vendor receives order signals
that automatically trigger a shipment and invoice when RKO reaches a target level. RKO
is adding another manufacturing facility, which will require the installation of a new IT
system to be configured and synced with its vendor. Since RKO's vendor is a vital external
stakeholder, RKO involves the vendor in the system development process.


4.2 Processes for Governance Execution


Fostering robust governance processes and adequately equipping teams to govern IT-related
tasks can ensure the efficient use of organizational resources and continued alignment with
strategic objectives. Governance teams that meet these criteria will be well-positioned to assess
and evaluate organizational needs, direct management to address those needs, and effectively
monitor the outcomes on a continuous basis. Organizations often employ project development
teams for new projects and steering committees for ongoing oversight of the IT function.

4.2.1 Project Development Teams


Project development teams formed for new IT projects typically include members of management, IT systems personnel, accountants, and system users. This team is responsible for project planning and tracking, IT infrastructure design, change management, and monitoring project performance. Team tasks include the following:
• Monitoring the project to ensure timely and cost-effective completion
• Managing the human element (e.g., resistance to change and innovation)
• Frequently communicating with users and holding regular meetings to consider ideas and to discuss progress so there are no surprises at project completion
• Managing risk and escalating issues that cannot be resolved within the team

4.2.2 Steering Committees


An executive-level information systems steering committee, also known as the project steering committee, is responsible for the oversight of the information systems function. This committee consists of high-level management and experts, which may include executives such as the CIO, the controller, IT department heads, and others in a position of authority to make change.
In its oversight role, the steering committee's responsibilities include the following:
• Developing and communicating strategic goals
• Reviewing the IT budget and allocating IT costs
• Providing ongoing guidance and addressing big-picture issues that arise
• Ensuring management engagement and participation
• Monitoring the project development team's progress
Due to the authority level of its members, the steering committee has a more holistic view of the
enterprise than the project development team. This enables the committee to address concerns
that may go across business units and departments while also facilitating the coordination
and integration of information systems activities to increase goal congruence and reduce
goal conflict.

5 Assessing IT Governance Risks


Risk assessment is an extremely important component of the IT governance process. This
process involves assessing IT infrastructure periodically, prescribing any modifications to that
infrastructure, and considering new IT initiatives to identify risks.
Identifying and assessing risks can be done by performing a business impact analysis (BIA).
This analysis identifies the business units, departments, and processes that are essential to the
survival of an entity as well as the organizational impact in the event of failure or disruption.


The BIA will identify how quickly essential business units and/or processes can return to full operation following a disaster. The BIA will also identify the resources required to resume business operations. For example, a specific department may utilize custom hardware/software, operate in locations with challenging geographic or weather conditions, or depend on third-party vendors.
The objectives of a BIA are as follows:
• Estimate the quantitative or financial impact to the organization, assuming a worst-case scenario.
• Estimate the qualitative impact to the organization and the effect it could have on operations, assuming a worst-case scenario.
• Identify the organization's business unit processes and the estimated recovery time frame.

5.1 Identify IT Resources


The first step in assessing risk is to identify what IT resources and assets exist so that the organization can determine the base resources it needs to sustain minimum operations. This can be accomplished by inventorying all IT assets, including all computers, software applications, network equipment, printers, copiers, scanners, and mobile devices with the following items documented:
• Date resource placed in service
• Hardware specifications in use, including:
  - Purpose or use case—network equipment, firewall servers, user machines, etc.
  - Make and model
• Software specifications in use, including:
  - Purpose or use case—operating system, user applications, security applications, etc.
  - Make, model, and licensing
• Data repositories, locations, and metadata
• Raw data and whether it is sensitive
• Critical firmware
• Assigned users, department, and access levels
• Cost
• Insurance or any associated warranties

5.2 Evaluate Impact and Likelihood of Risks


These identified resources should then be categorized by the impact of loss, then by likelihood
of that loss occurring.


5.2.1 Impact
Impact analysis helps determine the criteria for categorizing the list of information resources as high, moderate, or low related to the effect on day-to-day operations. Criteria include characteristics such as how critical the asset is to business operations, costs of a failure, publicity, and any potential legal or ethical issues. Resources can be categorized as follows:
• High Impact (H)
  Under a high-impact category, the department:
  - cannot operate without this resource;
  - may experience a high recovery cost; or
  - may fail to meet the organization's objectives or maintain its reputation.
• Moderate Impact (M)
  Under a moderate-impact category, the department:
  - could partially function temporarily for a period of days or a week;
  - may experience some cost of recovery; or
  - may fail to meet the organization's objectives or maintain its reputation.
• Low Impact (L)
  Under a low-impact category, the department:
  - could operate for an extended period of time; or
  - may notice an effect on achieving the organization's objectives or maintaining its reputation.

5.2.2 Likelihood
Within the business impact analysis, risks can also be categorized in terms of their likelihood of occurrence. These probabilities can be categorized as follows:
• High Likelihood (H)
  The risk is highly probable, has occurred recently, can occur frequently, or controls to prevent it are ineffective.
• Medium Likelihood (M)
  The risk could occur, but controls are in place that may impede successful exercise of the vulnerability.
• Low Likelihood (L)
  The risk is improbable, or controls are in place to prevent or significantly impede successful exercise of the vulnerability.

5.3 Evaluate Outcomes


A list detailing resources by their impact and likelihood allows management to determine the appropriate response, including accepting the risk with no mitigation efforts, avoiding the risk completely by removing the resource, or by implementing some form of mitigation, such as an internal control or through sharing the risk via insurance.
Responses can be classified using the following risk actions:
• Immediate Action (I): Take corrective action as soon as possible.
• Delayed Action (D): Implement corrective actions within a reasonable time frame.
• No Action (N): Take no corrective action. Accept the level of risk.


A typical risk assessment response summary (rows are impact, columns are likelihood):

                          Likelihood
Impact      Low               Medium             High
High        Delayed action    Immediate action   Immediate action
Medium      No action         Delayed action     Immediate action
Low         No action         No action          Delayed action

5.4 Implement the Response


Once management has a list of categorized resources, risks, and actions, it can work to address
the areas that are most likely to harm the organization. Typically, management would review
all high-impact resources that have high- or medium-risk actions and evaluate the mitigation
strategy using the following steps:
1. Identify Mitigation Recommendations: Potential mitigation efforts inclusive of IT solutions,
personnel impacts, policies, and procedures must be compiled, reviewed, and documented.
2. Evaluate Mitigation Recommendations: Once mitigation recommendations have been
documented, they are reviewed to ensure the recommendation would appropriately
safeguard the asset by mitigating the associated risks.
3. Cost-Benefit Analysis: The next step is to perform a cost-benefit analysis by estimating the
expected loss based on the impact and likelihood categories, then comparing that loss with
the cost of implementing the proposed recommendations.
4. Choose, Plan, and Implement: After analyzing the proposed mitigation recommendations,
management has the following three options:
a) Accept the Risk: In some cases, the cost to address the risk outweighs the expense of
dealing with the risk itself. Therefore, the risk would simply be dealt with if it occurred.
b) Transfer the Risk: This involves assigning a risk to a third party, such as an insurance
company. Risk would either be fully or partially reduced.
c) Mitigate the Risk: Minimizing the risk can be done through preventative measures,
using safeguards, or otherwise taking action that would reduce the likelihood of an
event occurring or minimizing its effects if it does occur.
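The procedure in 5.3 and 5.4 carried through in code, as an added example that is not part of the Becker text: the risk action matrix classifies each threat, the cost-benefit step compares the reduction in expected loss against the cost of each control, and the final step selects accept, transfer, or mitigate. The probabilities attached to the H/M/L categories, the dollar figures, and the register entries (modelled loosely on Illustration 5) are constructed assumptions.

```python
"""Worked business impact analysis: classify a threat with the risk action matrix,
then carry out the cost-benefit and choose/plan steps of section 5.4.
Added example; the dollar figures and the probabilities attached to the H/M/L
likelihood categories are constructed assumptions, not Becker's method."""
from dataclasses import dataclass
from typing import List, Optional

# Risk action matrix from the text: ACTION_MATRIX[impact][likelihood]
# I = Immediate action, D = Delayed action, N = No action
ACTION_MATRIX = {
    "H": {"L": "D", "M": "I", "H": "I"},
    "M": {"L": "N", "M": "D", "H": "I"},
    "L": {"L": "N", "M": "N", "H": "D"},
}

# Assumed annual probability of occurrence for each likelihood category.
LIKELIHOOD_PROB = {"H": 0.50, "M": 0.10, "L": 0.01}


@dataclass
class Threat:
    name: str
    impact: str             # H / M / L
    likelihood: str         # H / M / L
    loss_if_occurs: float   # constructed single-loss figure in dollars


@dataclass
class Mitigation:
    name: str
    annual_cost: float
    residual_likelihood: str   # likelihood category once the control is in place
    loss_factor: float = 1.0   # fraction of the loss remaining if the event still occurs


def risk_action(impact: str, likelihood: str) -> str:
    """Section 5.3: look up the response code for an impact/likelihood pair."""
    return ACTION_MATRIX[impact][likelihood]


def expected_loss(threat: Threat, likelihood: Optional[str] = None,
                  loss_factor: float = 1.0) -> float:
    """Annual expected loss = probability of occurrence x loss if it occurs."""
    prob = LIKELIHOOD_PROB[likelihood or threat.likelihood]
    return prob * threat.loss_if_occurs * loss_factor


def evaluate_mitigation(threat: Threat, m: Mitigation) -> dict:
    """Step 3 of 5.4: compare the reduction in expected loss with the control's cost."""
    before = expected_loss(threat)
    after = expected_loss(threat, m.residual_likelihood, m.loss_factor)
    return {"name": m.name, "risk_reduction": before - after,
            "annual_cost": m.annual_cost,
            "net_benefit": (before - after) - m.annual_cost}


def choose_response(threat: Threat, options: List[Mitigation],
                    insurance_premium: Optional[float] = None) -> str:
    """Step 4 of 5.4: accept, transfer, or mitigate.

    Accept when the matrix says no action; otherwise mitigate with the control whose
    net benefit is highest and positive; otherwise transfer if insurance costs less
    than the expected loss; otherwise accept (addressing the risk costs more than
    the risk itself)."""
    if risk_action(threat.impact, threat.likelihood) == "N":
        return "accept"
    evaluations = [evaluate_mitigation(threat, m) for m in options]
    best = max(evaluations, key=lambda r: r["net_benefit"], default=None)
    if best is not None and best["net_benefit"] > 0:
        return "mitigate:" + best["name"]
    if insurance_premium is not None and insurance_premium < expected_loss(threat):
        return "transfer"
    return "accept"


# Constructed register loosely modelled on Illustration 5 (all figures are assumptions).
OVERHEATING = Threat("server overheating", "H", "H", 2_000_000)
EARTHQUAKE = Threat("earthquake at primary site", "H", "L", 5_000_000)
PRINTER_JAM = Threat("office printer outage", "L", "M", 2_000)

NEW_AC = Mitigation("new air-conditioning unit", 50_000, "L")
RELOCATE_BACKUP = Mitigation("relocate backup servers", 25_000, "L", loss_factor=0.2)


def bia_summary() -> dict:
    """Run the whole procedure over the constructed register."""
    return {
        OVERHEATING.name: (risk_action("H", "H"), choose_response(OVERHEATING, [NEW_AC])),
        EARTHQUAKE.name: (risk_action("H", "L"),
                          choose_response(EARTHQUAKE, [RELOCATE_BACKUP], insurance_premium=30_000)),
        PRINTER_JAM.name: (risk_action("L", "M"), choose_response(PRINTER_JAM, [])),
    }


if __name__ == "__main__":
    for name, (code, response) in bia_summary().items():
        print(f"{name}: action {code}, response {response}")
```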


Illustration 5 Business Impact Analysis

Modern Computing Inc., a large managed services firm, has decided to run a business
impact analysis as part of its IT governance process. Because it is an IT firm selling virtually
hosted solutions, two resources it has identified as being high impact are its core data
servers and backup data servers. Two threats that exist to these large assets are the
threat of overheating, which has been categorized as a high-likelihood event, and damage
from an earthquake because it is located on a fault line, which has been categorized as a
low‑likelihood event.
Because the impact for these resources is high and at least one threat has a high likelihood,
the risk action has been denoted as high action. One recommendation is to relocate its
backup servers to a small, unused office at its other location, which is not in a seismic
hazard zone. While the office is not big enough for both the core servers and backup
servers, this will mitigate risk through preventative measures. A new air-conditioning unit
for both locations is also appropriate to prevent overheating.
Neither transferring nor accepting the risk would be reasonable in this case because a
prolonged outage would leave all of its customers without networking capabilities. This
would likely result in high customer attrition rates, putting the business' ability to continue
to operate and generate revenue at risk.

Question 1 MCQ-06442

Which of the following is the responsibility of an information technology steering committee?


a. A steering committee plan shows how a project will be completed, including the
modules or tasks to be performed and who will perform them, the dates they
should be completed, and project costs.
b. A steering committee must develop clear specifications. Before third parties bid on
a project, clear specifications must be developed, including exact descriptions and
definitions of the system, explicit deadlines, and precise acceptance criteria.
c. A steering committee should be formed to guide and oversee systems
development and acquisition.
d. A steering committee must assess the operations of IT using system performance
measurements. Common measurements include: throughput (output per unit of
time), utilization (percentage of time the system is being productively used), and
response time (how long it takes the system to respond).

MODULE 3

The Role of IT in Business

1 The Role of IT in Business

The application of information technology (IT) in an organization is the systematic
implementation of hardware and software so that data can be transmitted, modified, accessed,
and stored both securely and efficiently. As the field of information science advances, the speed
at which IT devices can perform these tasks has rapidly increased, and organizations must
reevaluate their technology on a regular basis.

2 IT Infrastructure

The supporting IT architecture within most modern companies has multiple, interconnected
technological components, with the core infrastructure involving a combination of on-premise
and outsourced hardware, software, and specialized personnel. These IT assets strategically
interlace, enabling a network to operate with optimum efficiency.

2.1 Hardware
Organizations designing their IT infrastructure must decide what hardware will be utilized to
conduct business. The physical components of computers and computer-related accessories are
referred to as computer hardware (or just hardware). Hardware includes a wide array of internal
computer components as well as external peripheral devices.

2.1.1 Computer Hardware


Key hardware components within a computer include microprocessors, graphics and sound
cards, hard drives (permanent storage), random access memory or RAM (temporary storage),
the power supply, and the motherboard, which connects most of these critical pieces.

2.1.2 External Hardware Devices


Some hardware devices may be external peripheral devices and do not need to be integrated
into the machine itself. Computer mice, keyboards, speakers, microphones, disk drives, memory
devices, network cards, and monitors may be built in or may be external devices that connect
either wirelessly or directly to a computer through a wired connection. Other external devices
include printers, scanners, and networking equipment.

2.1.3 Infrastructure Housing


Although not hardware, the facilities and the safeguards on those facilities that contain
hardware, such as data centers or offices, are part of the broader IT infrastructure. This includes
advanced security systems to monitor and control access. It also includes ventilation and climate
control to keep temperatures down to prevent equipment from overheating.


2.2 Networking Devices


Networking hardware enables connectivity and communication between devices on a
computer network. Those devices transmit information, or "packets," between devices in order
to communicate with each other. Packets are pieces of data that contain multiple layers of
information including headers (data preceding the main content, or body), the length or size
of the packet, its origin and destination, protocol (rules for communicating), and various other
pieces of information. Traditional networking equipment communicating these packets is
defined as follows:

2.2.1 Modem
Modems connect an organization's network to the internet. Early modems were referred to as
modulators-demodulators because they utilized landline phones and converted analog signals
to digital signals. Modern modems have replaced traditional ones with digital broadband
technology like cable modems, digital subscriber lines (DSL), and integrated services digital
network (ISDN).

2.2.2 Routers
Routers manage network traffic by connecting devices to form a network. They read the source
and destination fields in information packets to determine the most efficient path through the
network for the packet to travel. They also act as a link between a modem and the organization's
switches. If there are no switches, then the router will connect directly to a user's device.

2.2.3 Switches
Switches are similar to routers in that they connect and divide devices within a computer
network. However, switches do not perform as many advanced functions as a router, such as
assigning IP addresses. The same way a traditional power strip converts one electrical outlet
into multiple outlets, a network switch can turn one network jack into several network jacks so
multiple devices can share one network connection.

2.2.4 Gateway
A gateway is a computer or device that acts as an intermediary between different networks. It
transforms data from one protocol into another so that information can flow between networks.
A protocol is a rule or set of rules that governs the way in which information is transmitted, with
one of the most common protocols being that which is used for the internet, known as TCP/IP
(transmission control protocol/internet protocol). A gateway interprets these differing protocols
and converts them into the appropriate format to facilitate network movement, usually between
a company's network and the internet.

2.2.5 Servers
Servers are physical or virtual machines that coordinate the computers, programs, and data that
are part of the network. Most business networks use a client/server model in which the client
sends a request to the server and it provides a response or executes some action. There are
various types of servers, including Web servers, file servers, print servers, and database servers.

2.2.6 Firewall
Firewalls are software applications or hardware devices that protect a person's or a company's
network traffic by filtering it through security protocols with predefined rules. For companies,
these rules may be aligned with company policies and access guidelines. Firewalls are intended
to prevent unauthorized access into the organization, block malicious programs or code, and to
prevent employees from downloading malicious programs or accessing restricted sites.


Basic packet-filtering firewalls analyze network traffic, which is transmitted in packets,
and determine whether the firewall is configured to accept the data. If not, the firewall
blocks the packet. Firewalls can be set to only allow trusted sources (IP addresses) to transmit
across the network. Types of firewalls include:
• Circuit-Level Gateways: Controls traffic solely based on the source of origin, the
intended destination, the port (such as the HTTP or FTP port), and potentially some other very
basic information about a given session. A session is when a user from behind a firewall
attempts to access something outside the firewall. This type of gateway does not filter based
on the actual content, so a disadvantage is that any type of data that is requested will be
allowed through the firewall unless it is combined with some other filter.
• Application-Level Gateways: Also referred to as proxy firewalls, these firewalls typically
perform the same function as circuit-level gateways, but they also inspect and filter the
contents of the packet based on predefined rules. Application-level gateways can be
expensive and burdensome to an organization's network due to the amount of processing
required for these firewalls to function.
• Stateful Multilayer Inspection Firewalls: Combines the features of circuit-level and
application-level gateways, but also ensures that packets are validated at multiple layers of
the communication process through which those packets pass.
• Next-Generation Firewalls: Provides more advanced protection than stateful multilayer
inspection. In addition to observing packets at multiple layers of the communication
process, next-gen firewalls further protect a network by applying more scrutiny to those
packets using more sophisticated techniques such as intrusion detection, user identification,
virtual private networks, and "deep packet inspection." Next-gen firewalls can also assign
different rules to specific applications as well as users. In this way, a low-threat application
has more permissive rules assigned to it while a high-security application may have highly
restrictive rules assigned.
• Network Address Translation (NAT) Firewalls: Converts a group of private IP addresses
into a single public IP address prior to communicating with other devices outside of a
company's network. Every device that connects to a private or public network, like the
internet, is assigned an IP address so it can communicate with other devices and networks
using those addresses. By masking the addresses inside a private network, it is more
difficult for threats to reach any machine directly, providing an extra layer of security.
The following diagram depicts the functionality and way in which different network devices
support an organization's IT infrastructure.
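The firewall types above, as an added teaching example that is not part of the Becker text: a circuit-level check that reads only headers (and therefore passes a request for a restricted site), an application-level check that also reads the payload, a stateful filter that admits inbound packets only as replies to sessions opened from inside, and a NAT table that hides private addresses behind one public address. All addresses, ports, and content patterns are constructed.

```python
"""Toy models of the firewall types described above: a circuit-level gateway
(headers only), an application-level gateway (headers plus content), stateful
inspection (session tracking) and NAT (one public address for many private ones).
Added teaching example with constructed packets and addresses; not a real firewall
and not part of the Becker text."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class Packet:
    src: str                # source IP address
    dst: str                # destination IP address
    sport: int              # source port
    dport: int              # destination port, e.g. 80 (HTTP), 443 (HTTPS), 21 (FTP)
    payload: str = ""       # packet body (constructed text)
    inbound: bool = False   # True when the packet arrives from outside the network


TRUSTED_SOURCES = {"10.0.0.5", "10.0.0.7"}      # constructed internal hosts
ALLOWED_PORTS = {80, 443}                        # web traffic only; FTP (21) is not allowed
BLOCKED_CONTENT = ("EVIL-SIGNATURE", "restricted-site.example")  # constructed patterns


def circuit_level(pkt: Packet) -> bool:
    """Decides on source and destination port alone; the payload is never read."""
    return pkt.src in TRUSTED_SOURCES and pkt.dport in ALLOWED_PORTS


def application_level(pkt: Packet) -> bool:
    """Proxy-style: the same header checks, plus inspection of the content."""
    if not circuit_level(pkt):
        return False
    return not any(bad in pkt.payload for bad in BLOCKED_CONTENT)


class StatefulFirewall:
    """Inbound packets pass only if they reply to a session opened from inside."""
    def __init__(self) -> None:
        # (inside ip, inside port, outside ip, outside port) of open sessions
        self.sessions: Set[Tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if pkt.inbound:
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions
        if not application_level(pkt):
            return False
        self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True


class NAT:
    """Rewrites private source addresses to one public address and maps replies back."""
    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.table: Dict[int, Tuple[str, int]] = {}   # public port -> (private ip, port)
        self.next_port = 40000

    def outbound(self, pkt: Packet) -> Packet:
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, pkt.dst, port, pkt.dport, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Unsolicited traffic has no table entry, so no internal host is reachable."""
        if pkt.dport not in self.table:
            return None
        ip, sport = self.table[pkt.dport]
        return Packet(pkt.src, ip, pkt.sport, sport, pkt.payload, inbound=True)


# Constructed traffic
HTTP_OK = Packet("10.0.0.5", "203.0.113.9", 51000, 80, "GET /index.html")
FTP_TRY = Packet("10.0.0.5", "203.0.113.9", 51001, 21, "USER anonymous")
BAD_HTTP = Packet("10.0.0.5", "203.0.113.9", 51002, 80, "GET / Host: restricted-site.example")


def demo() -> Dict[str, bool]:
    fw, nat = StatefulFirewall(), NAT("198.51.100.1")
    results = {
        "circuit_passes_bad_content": circuit_level(BAD_HTTP),        # content is unseen
        "application_blocks_bad_content": not application_level(BAD_HTTP),
        "circuit_blocks_ftp": not circuit_level(FTP_TRY),
        "session_opened": fw.allow(HTTP_OK),
    }
    translated = nat.outbound(HTTP_OK)
    reply = Packet("203.0.113.9", "198.51.100.1", 80, translated.sport, "HTTP/1.1 200 OK")
    unsolicited = Packet("203.0.113.9", "198.51.100.1", 80, 40999, "probe")
    back = nat.inbound(reply)
    results["reply_allowed"] = back is not None and fw.allow(back)
    results["unsolicited_dropped_by_nat"] = nat.inbound(unsolicited) is None
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```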


2.3 Software
Software consists of the applications, procedures, or programs that provide instructions for a
computer to execute. Software is controlled by a user interacting with the program, which in
turn gives instructions to the physical computer's operating system.
Software that is embedded in hardware and instructs the hardware how to operate is known
as firmware. It operates like software but exists locally on the machine, directing the function of
physical components such as the motherboard and microprocessor. Firmware is updated
infrequently, or not at all, unlike a typical software program, which is updated often.

2.4 Networks
A network is a group of computers and other machines that are interconnected electronically
using a series of networking devices (i.e., routers, switches) so that one group of users may
securely share resources.
Networks can be wired or wireless and use a variety of hardware to enable connectivity.
Common types of networks include:
• Local Area Networks (LANs) provide network access to a limited geographic area such as
a home or office. This is controlled by software-defined networking (SDN) applications and
uses a private IT infrastructure so that data is transported over private lines.
• Wide-Area Networks (WANs) provide network access to a larger geographic area such as
cities, regions, or countries. WANs connect other networks such as LANs together to provide
broad coverage by also using an SDN. The network hardware may be a combination of
public and private lines, with configuration being distributed across the various locations.
• Software-Defined Wide-Area Networks (SD-WAN) are similar to a traditional WAN,
but they are managed and deployed on the cloud (the internet) using a centralized
software application. Maintaining networking equipment, the lines that connect it, and
other expensive infrastructure components is minimized with this technology. SD-WAN is
essentially a network running on another network.
• Edge-enabled devices, such as edge routers and firewalls, support an organization at "the
edge" or perimeter of a system's network. Instead of a centralized data center performing
the heavy lifting, much of the computer processing power is happening on local devices
spread across geographical locations. Less reliance on a central source means a faster,
more consistent network. SD-WAN runs on edge-enabled devices.
• Virtual private networks (VPNs) are encrypted private networks that run on a public
network, namely the internet. User activity and device IP addresses are hidden, assuming
the identity of the VPN servers. Third parties can no longer see individual user traffic, which
provides a layer of security for organizations.


Illustration 1 SD-WAN and Next-Gen Firewall

Fast Corp. currently has a decades-old legacy network that is protected with only a basic
packet-filtering firewall, and Fast is looking to upgrade both the efficiency and security
of the network. Fast has 30 locations across the west and midwestern part of the United
States, and its employees use a combination of hosted applications and cloud-based
applications on the Web. Therefore, employees regularly interact with apps outside the
company's network.
The company needs a solution with a larger footprint than just a LAN due to the way
the company is spread geographically. A WAN could be an option, but rather than use a
combination of expensive network equipment and publicly available infrastructure, the
company opts for an SD-WAN architecture. Fast purchases 30 edge-enabled devices for
each of its locations that it will connect to the internet and be controlled by centralized SD-
WAN orchestration software. As such, the majority of computer processing will occur locally
on the edge devices instead of at a central hub, improving network efficiency and resiliency
if something happens to a single site.
Regarding potential security updates, the connection between these network edge devices
will all be securely encrypted. However, Fast wants to move well beyond encryption
and basic packet-filtering. It decides to implement a next-generation firewall with NAT
capabilities. This way, the company filters traffic using basic session-level information and
the content of the packets being transmitted across multiple layers of communication.
Also, all private IP addresses will be converted into a single public IP address prior to
communicating with applications outside the network.

2.5 Mobile Technology


Mobile technology is wireless telecommunication that utilizes radio waves to transmit signals
between devices. This technology moves with users without wires for connectivity, supporting
remote work in real time and sustaining businesses that might otherwise collapse during a crisis
or a temporary inability to meet in person. Mobile technology combines hardware, such as
laptops, tablets, hot spots, and mobile phones, with mobile software applications and operating
systems that allow connectivity to networks. This connectivity is typically done with wireless
technology such as GPS, Wi-Fi, Bluetooth®, and 4G or 5G cellular technology. Note that 4G and
5G do not refer to two types of technology but rather multiple types for each classification. If a
type of technology meets the standards of 4G or 5G, then it is classified as such.
An extension of mobile technology is IoT (Internet of Things) devices, which refers to a class
of devices that is powered by a number of mobile technologies such as Wi-Fi, Bluetooth, and
cellular technology to access a larger network. IoT technology is used to transmit data about a
device or, in some cases, it is used to form its own network. The mobile range for connectivity
is usually more limited than first-generation (traditional) mobile technology and can be
found in artificially intelligent personal assistants, smartwatches, Bluetooth earphones and
speakers, lighting, electrical equipment, thermostats, and even appliances like refrigerators
and dishwashers.


3 The Role of Management Information Systems

Management information systems (MIS) enable companies to use data as part of their strategic
planning process as well as the tactical execution of that strategy. Management information
systems often have subsystems, such as accounting information systems (AIS), decision support
systems (DSS), and executive information systems (EIS).
A management information system provides users predefined reports that support effective
business decisions. MIS reports may provide feedback on daily operations and financial and
nonfinancial information to support both internal and external business decisions.

3.1 Accounting Information System (AIS)


The management information system that accountants and financial managers interact with the
most is the accounting information system (AIS). An AIS collects, records, and stores accounting
information, then compiles that information using accounting rules to report both financial and
nonfinancial information to decision makers in an enterprise.
A well-designed AIS creates an audit trail for accounting transactions. The audit trail allows a
user to trace a transaction from source documents to the ledger and to trace from the ledger
back to source documents. Tracing and vouching are important for auditing purposes.

3.1.1 AIS Subsystems


An AIS typically is made up of three main subsystems (or modules):
1. Transaction Processing System (TPS): A TPS converts economic events into financial
transactions (i.e., journal entries) and distributes the information to support daily operations
functions. A TPS typically covers three main transaction cycles: sales cycle, conversion cycle,
and expenditure cycle.
2. Financial Reporting System (FRS) or General Ledger System (GLS): The FRS/GLS
aggregates daily financial information from the TPS and other sources for infrequent events
such as mergers, lawsuit settlements, or natural disasters to enable timely regulatory and
financial reporting.
3. Management Reporting System (MRS): An MRS provides internal financial information to
solve day-to-day business problems, such as budgeting, variance analysis, or cost-volume-
profit analysis.

3.1.2 Functions of an AIS


An AIS typically has three main functions:
1. Collect, record, and store data and transactions
- Specialized journals allow for automated recording of repetitive business transactions.
- General journals are utilized for nonroutine and/or infrequent transactions.
- Recorded transactions are automatically assigned to the appropriate accounting period
and classified by transaction type.
2. Transform data into information through compilation and reporting
- As transactions are recorded, general ledger accounts are updated in real time, allowing
for quick summarization of data.
- AIS systems have built-in reporting functions that allow financial statements to be
automatically compiled and generated utilizing the data collected and processed.


3. Safeguard and maintain data integrity
- Input controls protect against errors occurring as transactions are recorded.
- Referential integrity maintains data accuracy in recorded transactions, which are stored
in a database even if portions of the transactions are stored in separate data tables
within the database.

3.1.3 Sequence of Events in an AIS


1. The transaction data from source documents is entered into the AIS by an end user, via the
internet by a customer, or automatically through readable technology such as bar codes or
radio frequency identification (RFID) tags.
2. Original source documents, if they exist, are filed.
3. Transactions are recorded in the appropriate journal.
4. Transactions are posted to the general and subsidiary ledgers.
5. Trial balances are prepared.
6. Adjustments, accruals, and corrections are entered as needed.
7. Financial statements and reports are generated.
[Flow diagram: Input (source document such as an invoice or time card) → Journal → Ledger →
Trial balance → Output (financial statements, reports); the original source document is stored
in a file.]
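The sequence of events above, together with the input control, referential integrity and audit trail functions from 3.1.2, as an added example built on SQLite that is not part of the Becker text and not any vendor's AIS. The table layout, account names, and transactions are constructed; `trace` follows a source document forward to its ledger postings and `vouch` follows an account back to the filed documents that support it.

```python
"""Miniature accounting information system in SQLite: source document -> journal
-> ledger -> trial balance, with an input control (entries must balance),
referential integrity (a journal entry must point at a filed source document)
and a two-way audit trail (trace and vouch).  Added example with constructed
transactions; not Becker's or any vendor's AIS."""
import sqlite3
from typing import Dict, List, Tuple

SCHEMA = """
CREATE TABLE source_document (
    doc_id TEXT PRIMARY KEY,            -- invoice or time card number
    kind   TEXT NOT NULL,
    amount REAL NOT NULL,
    filed  INTEGER NOT NULL DEFAULT 1); -- step 2: original document is filed
CREATE TABLE journal (
    entry_id INTEGER PRIMARY KEY,
    doc_id   TEXT NOT NULL REFERENCES source_document(doc_id),
    period   TEXT NOT NULL,
    memo     TEXT);
CREATE TABLE journal_line (
    entry_id INTEGER NOT NULL REFERENCES journal(entry_id),
    account  TEXT NOT NULL,
    debit    REAL NOT NULL DEFAULT 0,
    credit   REAL NOT NULL DEFAULT 0);
"""

Line = Tuple[str, float, float]   # (account, debit, credit)


def open_ais() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # turns the REFERENCES clauses into controls
    conn.executescript(SCHEMA)
    return conn


def record_transaction(conn: sqlite3.Connection, doc_id: str, kind: str,
                       amount: float, period: str, lines: List[Line]) -> int:
    """Steps 1-4: file the source document, journalize, and post the lines."""
    debits = sum(d for _, d, _ in lines)
    credits = sum(c for _, _, c in lines)
    if abs(debits - credits) > 1e-9:                 # input control
        raise ValueError(f"unbalanced entry for {doc_id}: {debits} != {credits}")
    with conn:                                        # atomic: all rows or none
        conn.execute("INSERT INTO source_document (doc_id, kind, amount) VALUES (?, ?, ?)",
                     (doc_id, kind, amount))
        cur = conn.execute("INSERT INTO journal (doc_id, period, memo) VALUES (?, ?, ?)",
                           (doc_id, period, kind))
        entry_id = cur.lastrowid
        conn.executemany("INSERT INTO journal_line VALUES (?, ?, ?, ?)",
                         [(entry_id, acct, d, c) for acct, d, c in lines])
    return entry_id


def ledger_balances(conn: sqlite3.Connection, period: str) -> Dict[str, float]:
    """Ledger view: net debit balance per account for the period."""
    rows = conn.execute(
        "SELECT l.account, SUM(l.debit) - SUM(l.credit) FROM journal_line l "
        "JOIN journal j ON j.entry_id = l.entry_id WHERE j.period = ? "
        "GROUP BY l.account ORDER BY l.account", (period,))
    return {acct: bal for acct, bal in rows}


def trial_balance(conn: sqlite3.Connection, period: str) -> Tuple[float, float]:
    """Step 5: total debits and total credits must agree."""
    row = conn.execute(
        "SELECT COALESCE(SUM(l.debit), 0), COALESCE(SUM(l.credit), 0) FROM journal_line l "
        "JOIN journal j ON j.entry_id = l.entry_id WHERE j.period = ?", (period,)).fetchone()
    return (row[0], row[1])


def trace(conn: sqlite3.Connection, doc_id: str) -> List[Line]:
    """Audit trail forward: from a source document to its ledger postings."""
    rows = conn.execute(
        "SELECT l.account, l.debit, l.credit FROM journal_line l "
        "JOIN journal j ON j.entry_id = l.entry_id WHERE j.doc_id = ? ORDER BY l.rowid",
        (doc_id,))
    return [tuple(r) for r in rows]


def vouch(conn: sqlite3.Connection, account: str) -> List[str]:
    """Audit trail backward: from a ledger account to the filed source documents."""
    rows = conn.execute(
        "SELECT DISTINCT j.doc_id FROM journal j JOIN journal_line l ON l.entry_id = j.entry_id "
        "JOIN source_document s ON s.doc_id = j.doc_id "
        "WHERE l.account = ? AND s.filed = 1 ORDER BY j.doc_id", (account,))
    return [r[0] for r in rows]


def orphan_entry_rejected(conn: sqlite3.Connection) -> bool:
    """Referential integrity: a journal entry without a source document is refused."""
    try:
        with conn:
            conn.execute("INSERT INTO journal (doc_id, period, memo) VALUES (?, ?, ?)",
                         ("NO-SUCH-DOC", "2022-06", "orphan"))
    except sqlite3.IntegrityError:
        return True
    return False
```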

3.2 Decision Support System (DSS)


A decision support system is an extension of an MIS that provides interactive tools to support
day-to-day decision making. A DSS may provide information, facilitate the preparation of
forecasts, or allow modeling of various aspects of a decision.
• "What-if" Scenarios: Decision support systems are important to achieving organizational
goals and strategies because they can model "what-if" scenarios and help drive
management decisions.
• Artificial Intelligence: A DSS designed to rely heavily on artificial intelligence (AI) is
referred to as an expert system. Whereas a traditional DSS is designed to facilitate the
decision-making process, an expert system is designed to mimic the knowledge and
decision-making abilities of the users who employ them so that decisions can be automated.


Illustration 2 Basic DSS Business Examples

Examples of a DSS include systems that assist with production planning, revenue
forecasting, inventory control, bid preparation, revenue optimization, traffic planning, and
capital investment planning.

Illustration 3 DSS Example With "What If" Scenarios and AI

A college or university may utilize a DSS to help optimize the enrollment and tuition mix
by allowing the user to model different levels of enrollment and profitability
based on the number of scholarships offered, the amount awarded of those scholarships,
and expected student profiles (standardized test scores, GPAs, number and type of
extracurricular activities, etc.). The DSS uses historical data and past profitability levels to
help model different "what if" scenarios so the university can make the best choice. The
DSS software also has an AI bot that proposes suggestions to the user to consider different
variables during the decision-making process.

Pass Key

An AIS differs from a DSS and an EIS due to the high degree of precision and detail required
for accounting purposes (i.e., transaction processing). Data in an AIS is often processed
and aggregated to become inputs to a DSS and an EIS to enable management to make
data‑driven decisions.

3.3 Executive Information System (EIS)


Executive information systems provide senior executives with immediate and easy access to
internal and external information to assist in strategic decision making. An EIS usually comes
in the form of a dashboard that consolidates information so that senior executives can quickly
evaluate key statistics for an organization but provides the ability to drill down when necessary.
An EIS may be stand-alone or a subsystem of a larger management information system. These
systems often present data in high-level reports and visualizations that allow for big-picture
decision making to ensure alignment with overall strategic objectives.

3.4 Customer Relationship Management System (CRM)

Customer relationship management systems (CRMs) have become strategic drivers for
organizations. A CRM system is software that enables organizations to monitor and manage
interactions between the organization and its past, current, and potential customers.


3.4.1 CRM Objectives and Strategies


Organizations work to understand their clients and customers better to achieve the following
objectives:
• Enhance existing customer satisfaction, which will:
- Improve customer retention
- Increase customer spending
• Attract new customers.
• Enhance targeted marketing and promotions to new and existing customers.
• Enable cross-selling and upselling of products and services.
• Forecast sales, and manage sales staff and sales leads.
Customer relationship management systems can achieve these objectives by collecting and
capturing information about customers to create customer profiles that can be used to tailor
marketing efforts and promotions. Companies can then use business intelligence functionality in
CRM software to automate recommendations and identify cross-selling opportunities, which can
be executed using direct offers or loyalty reward programs.

Illustration 4 CRM

Online shopping has been greatly enhanced by CRMs. When a customer creates an account
with an organization, the organization tracks information about that customer and shopping
preferences. CRMs allow organizations to help in the shopping experience by making real-
time product recommendations based on the customer's past shopping experiences and
shopping experiences of similar customers. A CRM also offers live support in the form of
real-time online chat features with customer support representatives who have access to the
customer's account to better serve his or her needs and anticipate problems.

3.5 Inventory Management System


Inventory management systems may be part of the broader management information system
or a stand-alone program that typically comprises software designed to assist with tracking,
procurement, and distribution of inventory items. These systems track item quantities and
trigger reordering when quantities fall below a predetermined level. These systems are usually
connected to a point-of-sale (POS) system so that each time an item is sold, one unit of that item
is removed from the inventory count.

3.6 Knowledge Management System (KMS)


A knowledge management system (KMS) refers to any IT system that acts as a resource
repository or disseminates knowledge about the organization in a way that supports the
organization through supplemental information about products or service delivery. This can
include sharing knowledge with external parties such as allowing customers to view frequently
asked questions (FAQs) or sharing knowledge with employees, for example, to provide training
guides or engagement with other employees in discussion forums.


3.7 Supply Chain Management (SCM)


3.7.1 SCM Characteristics
An integrated supply chain management (SCM) solution unifies business processes beginning
with the original supplier and ending with the customer, including activities such as purchasing,
materials handling, production planning and control, logistics and warehousing, inventory
control, and product distribution and delivery. SCM systems may perform some or all of
these functions.
An SCM system is concerned with the four important characteristics of every sale: what, when,
where, and how much. For example, customers, whether business or consumer, generally
expect all of the following:
• The goods received should match the goods ordered.
• The goods should be delivered on or before the date promised.
• The goods should be delivered to the location requested.
• The cost of the goods should be as low as possible or competitively priced.
3.7.2 Objectives and Functions
Common objectives of SCM include achieving flexibility and responsiveness in meeting
the demands of customers and business partners. SCM systems generally incorporate the
following functions:
• Planning (e.g., demand forecasting, product pricing, and inventory management)
• Sourcing (e.g., procurement, credit, and collections)
• Manufacturing (e.g., product design, production scheduling, and facility management)
• Delivering (e.g., order management and delivery scheduling)

3.7.3 SCM Benefits


The core benefits of an integrated SCM system include enhanced quality control due to
greater transparency and access to data. SCM systems reduce cash tied up in inventory, which
in turn increases cash flow and its predictability. SCM systems also improve forecasting for
procurement, delivery, and production due to better visibility of data from the start of the supply
chain to the end.

3.8 Enterprise Resource Planning (ERP)


Enterprise resource planning (ERP) systems are cross-functional systems that support different
business functions and integrate information across departments, such as accounting, customer
management, finance, human resources, inventory management, manufacturing, marketing,
and vendor management.
An ERP solution facilitates real-time communication between systems and typically operates
under a centralized database and user interface. This interface may offer a number of modules
that function independently or as an integrated system that allows data to be shared across
different departments or divisions of an organization.

3.8.1 ERP Benefits


Enterprise resource planning systems provide great benefits to an organization with a focus on
integration of all enterprise data into a single channel for simplification. An ERP system:
  Stores information in a central repository so that data is only entered once and then
accessed by various departments.
  Acts as the framework for integrating and improving an organization's ability to monitor and
track sales, expenses, customer service, distribution, and many other business functions.
  Provides vital cross-functional information quickly to managers across the organization in
order to assist them in the decision-making process.
  Improves customer service as information is easily accessed and shared.
  Allows greater access controls so that user privileges for multiple systems can be
centrally managed.

3.8.2 ERP Disadvantages


Although enterprise resource planning systems provide many benefits, there are certain
disadvantages and barriers to implementation, including the following:
  The time to successfully implement an ERP system can be significant.
  ERP systems can be extremely cost prohibitive because the required hardware, software,
and training can include significant development and implementation costs as well as
ongoing maintenance costs.
  Integration of all the business units can be complex because integration of disparate
systems may be difficult from a technology and process standpoint.
  ERP implementation causes significant changes to business processes, which can lead to
errors, user resistance, and low adoption rates.

Illustration 5 ERP

A surgical hospital has consistently been unprofitable over the last few years but is
unable to determine the root cause. Labor accounts for most of the company's expense
but the cost of delivering treatment per patient is difficult to determine because its
accounting system, human resources system, and electronic health care records system
are all separate. The organization decided to subscribe to a cloud-based ERP system that
will link the data from all three systems into a single database and provide reporting.
This would allow the company to directly link all employees' job roles and costs to each
service that is delivered, helping to analyze profitability issues and make more informed
business decisions.


3.9 Enterprise Performance Management


Enterprise performance management (EPM) systems, also known as business performance
management (BPM) or corporate performance management (CPM) systems, are software
solutions designed to help executives make strategic decisions. From a finance perspective, an
EPM enables leaders to plan, budget, and forecast business performances and to consolidate
financial results. EPMs are useful for the analysis of high-level business strategies and translating
them into actionable plans or strategic objectives.
EPM systems are different from ERP systems in that EPM is more management-process focused,
whereas ERP is more focused on operational processes and information technology integration.

3.10 E-Commerce
Electronic commerce (commonly referred to as "e-commerce") platforms facilitate the sale of
goods and services using the internet.
The benefits of e-commerce are that it removes overhead costs, creates markets that might
not exist otherwise, promotes competitive pricing, allows for faster product comparison, and
provides parity in information among market participants. These benefits come with drawbacks:
lag times in shipping physical products, system vulnerability, potential theft of personal or
financial information, and often less human customer support.

3.10.1 Types of E-Commerce


There are five types of e-commerce:
1. Business-to-Business (B2B): B2B e-commerce involves the buying and selling of goods
and services between business entities. E-commerce allows businesses to seamlessly (and
sometimes automatically) interact with one another to streamline processes and establish
efficient and effective relationships.
2. Business-to-Consumer (B2C): B2C e-commerce allows businesses to interface and sell
goods to their customers. This is typically done online via retail websites that are often
integrated with a broader ERP system.
3. Consumer-to-Business (C2B): C2B e-commerce is a reversal of the traditional consumer
buying and retailer selling model. In this type of e-commerce, consumers sell their goods or
services to a business.
4. Consumer-to-Consumer (C2C): C2C e-commerce functions as an online marketplace in
which individual consumers buy and sell goods with one another. Often an intermediary
company hosts a platform for the execution of the transactions, and the host usually charges
a fee for the service.
5. Government E-Commerce: Government e-commerce is the electronic exchange of goods
and services between a government and its citizens, be it an individual or an organization.
This type of commerce is broad, and it facilitates not only the payment/receipt of taxes,
but it also facilitates transactions in health care, education, and other industries financially
supported by the government.


3.10.2 E-Commerce Payment Methods


Within the e-commerce payment space, there are various forms of electronic means for
transferring funds, referred to as electronic funds transfer (EFT) systems. EFT systems use a variety
of technologies to transact, process, and verify money transfers by using a network of different
participants including commercial banks, government banks, businesses, and consumers.
The Federal Reserve's financial services systems play a key role in moving money from one bank
to another in many EFT processes, which reduces the time and expense required to process
checks and credit transactions. If a bank customer wants to transfer funds from one commercial
bank to another, the bank does this through a settlement process with one of the Federal
Reserve banks, as shown below.

The customer requests the transferring bank to move money to the receiving bank. The
transferring bank submits this request to a Federal Reserve bank that has a master database of
both banks' account balances. The Fed bank adjusts the balances in its database and notifies the
receiving bank, which then updates its records to successfully complete the funds transfer.


EFT services are also provided by third-party vendors, typically credit or debit card payment
processors, which act as an intermediary between a company and the banking system. When a
person makes a purchase at a store, the store initiates the transaction using a gateway that
routes the payment request to the store's bank, also referred to as the acquiring bank. The
acquiring bank submits the transaction to the third-party network, which acts as a clearinghouse
validating the transaction. The third-party network then sends net settlement amounts to the
issuing bank, which then settles directly with the acquiring bank or the Federal Reserve system
for the transfer of actual cash. The net settlement amount is the total amount that should be
transferred from the issuing bank to the acquiring bank.
The following shows how this process works:
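The netting that the clearinghouse performs, as an added example that is not part of the textbook: the text describes one net settlement amount from an issuing bank to an acquiring bank, and this Python model generalizes it to every pair of banks (bilateral netting, with refunds and reversed roles offset) and to each bank's single net position against the clearinghouse (multilateral netting), plus the reconciliation check that the two views agree. Bank names and amounts are constructed for this example.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample of cleared card transactions (not from the textbook):
# (issuing_bank, acquiring_bank, amount). A positive amount is a purchase, so
# the issuing bank owes the acquiring bank; a negative amount is a refund
# flowing the other way. Bank names are placeholders.
SAMPLE_TRANSACTIONS = [
    ("FirstBank", "SecondBank", Decimal("120.00")),
    ("FirstBank", "SecondBank", Decimal("80.50")),
    ("SecondBank", "FirstBank", Decimal("45.00")),   # roles reversed on this one
    ("FirstBank", "ThirdBank", Decimal("10.00")),
    ("FirstBank", "SecondBank", Decimal("-20.50")),  # refund back to the cardholder
    ("SecondBank", "ThirdBank", Decimal("300.00")),
    ("FirstBank", "FirstBank", Decimal("50.00")),    # "on-us": same bank on both sides
]


def settleable(transactions):
    """Yield only transactions that actually need interbank settlement.

    An "on-us" transaction (issuer and acquirer are the same bank) is settled
    inside that bank's own books and never reaches the clearinghouse.
    """
    for issuer, acquirer, amount in transactions:
        if issuer != acquirer:
            yield issuer, acquirer, amount


def bilateral_net(transactions):
    """Net every flow between each pair of banks into one transfer.

    Returns a sorted list of (payer, payee, amount) with amount > 0: the single
    net settlement amount the textbook describes, computed for every bank pair
    at once, with refunds and reversed roles offset against purchases.
    """
    owed = defaultdict(Decimal)  # (bank_a, bank_b) -> amount bank_a owes bank_b
    for issuer, acquirer, amount in settleable(transactions):
        bank_a, bank_b = sorted((issuer, acquirer))
        owed[(bank_a, bank_b)] += amount if issuer == bank_a else -amount
    transfers = []
    for (bank_a, bank_b), balance in sorted(owed.items()):
        if balance > 0:
            transfers.append((bank_a, bank_b, balance))
        elif balance < 0:
            transfers.append((bank_b, bank_a, -balance))
    return transfers


def multilateral_positions(transactions):
    """Net position of each bank against the clearinghouse as a whole.

    Negative means the bank pays the clearinghouse, positive means it is paid.
    With multilateral netting each bank makes or receives one transfer only.
    """
    position = defaultdict(Decimal)
    for issuer, acquirer, amount in settleable(transactions):
        position[issuer] -= amount
        position[acquirer] += amount
    return dict(position)


def reconciles(transactions):
    """Control check: the clearinghouse must net to zero overall, and the
    bilateral transfers must move exactly the value the positions imply."""
    positions = multilateral_positions(transactions)
    if sum(positions.values(), Decimal("0")) != 0:
        return False
    check = defaultdict(Decimal)
    for payer, payee, amount in bilateral_net(transactions):
        check[payer] -= amount
        check[payee] += amount
    return all(check[bank] == positions[bank] for bank in positions)


if __name__ == "__main__":
    for payer, payee, amount in bilateral_net(SAMPLE_TRANSACTIONS):
        print(f"{payer} pays {payee}: {amount}")
    print(multilateral_positions(SAMPLE_TRANSACTIONS))
    print("reconciled:", reconciles(SAMPLE_TRANSACTIONS))
```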

The use of digital payments has continued to evolve, allowing users to transfer funds directly to
each other without the use of a clearinghouse or bank. Several of these emerging technologies
gaining acceptance are based on blockchain technology. Blockchain networks use a distributed
ledger to account for transactions in digital currencies, rather than a traditional accounting
ledger held within a single company.


3.11 Summary of Management Information Systems


The following is a summary of the different information systems discussed in this section.

System: Accounting Information System (AIS)
  Core Function: Collects, stores, and records transactions; provides financial reporting
  Primary Users: Accountants, managers

System: Decision Support System (DSS)
  Core Function: Interactive tools supporting decision making; may leverage AI or scenario modeling
  Primary Users: Potentially all employees

System: Executive Information System (EIS)
  Core Function: Provides summarized data to executives for strategic decision making
  Primary Users: Executives, managers

System: Customer Relationship Management System (CRM)
  Core Function: Manages interactions between companies and past, current, and potential customers
  Primary Users: Marketing managers, customers

System: Inventory Management Systems
  Core Function: Assists with the tracking, purchasing, and distribution of inventory from point-of-sale to delivery
  Primary Users: Managers, employees handling goods for sale

System: Knowledge Management Systems (KMS)
  Core Function: System that serves as a resource repository or disseminates knowledge for product/service delivery
  Primary Users: Potentially all employees and/or customers

System: Supply Chain Management (SCM) System
  Core Function: Unifies supply chain processes beginning with suppliers and ending with the customer
  Primary Users: Vendors, shipping/purchasing personnel, customers

System: Enterprise Resource Planning (ERP) System
  Core Function: Comprehensive cross-functional system that supports and integrates different departments
  Primary Users: Potentially all employees

System: Enterprise Performance Management (EPM)
  Core Function: Management-process focused systems to help executives make strategic decisions
  Primary Users: Executives, managers

System: E-Commerce
  Core Function: Platforms that facilitate the sale of goods and services via the internet (B2B, B2C, C2B, C2C)
  Primary Users: Businesses, consumers, government employees


4 IT Outsourcing and Cloud Computing

Some organizations need IT resources beyond what their internal IT infrastructure can offer,
so they utilize third-party external service providers. This strategy is known as IT outsourcing
and may utilize a variety of IT solutions, including cloud computing, virtualization, and
application service providers. The range of services outsourced can include application
software, virtual hardware, data entry, data storage, data management, disaster recovery, and
network management. There are many advantages to IT outsourcing; however, there are also
disadvantages and risks.

4.1 Cloud Computing


Cloud computing is renting storage space, processing power, proprietary software, or a
combination of the three, on remote servers from another company rather than buying or
building those components. When a company acquires its own infrastructure as opposed
to renting it, the company must purchase enough resources to cover its peak usage so the
business can accommodate high-volume periods. During low-volume periods, this costly
infrastructure is idle. For the customers of cloud computing, the service offers infrastructure
elasticity, renting only as much as needed on a minute-to-minute basis. Processing and storage
are rented in increments of computing capacity used per unit of time (e.g., 4 CPU cores with 8GB
of memory cost less per minute of use than 8 CPU cores with 16GB of memory), so customers
pay less during low-volume periods and more during high-volume periods. Customers also
benefit because the cloud service provider performs all maintenance and tech support on
this hardware.
Cloud computing services are offered by some companies with large computing infrastructures
to either lease excess capacity during off-peak times or use purpose-built infrastructure to
support their customers. Cloud computing takes advantage of these companies' superior skills
and experience managing such infrastructure.
Additional efficiencies exist when a company's data is in one virtual location even if company
operations are in many locations. Data processing can be performed more efficiently from that
single location, and IT hardware support may be reduced throughout the company. Because the
companies providing cloud services provide distributed redundancy among many data centers,
having cloud data storage reduces the likelihood that data is lost in an attack or a disaster.
  Infrastructure-as-a-Service (IaaS): IaaS, also known as Hardware-as-a-Service (HaaS), is
utilized when an organization outsources any of its servers, storage, hardware, networking
services, and networking components to third-party providers, and is generally billed
on a per-use basis. Managed service providers (MSPs) are companies that provide fully
outsourced IT departments to their customers, including personnel.
  Platform-as-a-Service (PaaS): PaaS allows customers to rent tools or solutions remotely
that are used to fulfill a specific business purpose, such as paying for an online platform to sell
merchandise, advertise products, or build websites.
  Software-as-a-Service (SaaS): SaaS is a business model in which a company delivers
and hosts subscription-based software services to customers through licensing or service
delivery. Companies offer access to software platforms via the internet and are responsible
for recurring upgrades, security enhancements, and other support functions. This term is
commonly used interchangeably with an application service provider (ASP).


Illustration 6 Cloud Computing

Morpheus Enterprises is looking to outsource several of its IT functions and meets
with a prospective Managed Services Provider (MSP), NetSpeed Inc. Morpheus recently
experienced a severe storm that caused damage to its data center, destroying its only
two servers that were used to host its domain controllers, email application, firewall, file
servers, and its custom-built online shopping software where customers could purchase
Morpheus products. The company's current two IT staff members are inexperienced and
do not have the expertise needed to source, design, and implement new infrastructure.
NetSpeed offers full IaaS and PaaS services. In its IaaS package, it provides help desk
services, access to field and tech engineers, cybersecurity experts, cloud computing
services, and a fractional Chief Information Systems Officer. Its PaaS is a turnkey web-based
application that allows users to upload pictures of products, create descriptions, set prices,
track orders, and engage with customers on order fulfillment as well as customer support.
Clients must provide their own shipping, supply chain logistics, and internet connection.
Morpheus decides to subscribe to both products. Instead of investing in expensive IT
hardware and software, the company gets access to state-of-the-art hardware virtually
through NetSpeed's IaaS, so Morpheus can run all of its applications except for its custom
online shopping software. For that, Morpheus will use NetSpeed's PaaS for its retailing
platform to integrate with its purchasing and distribution operation. Morpheus terminates
one of its IT staff, keeping one to be an on-site liaison with the outsourced help desk for
any work that cannot be resolved remotely.

4.2 IT Outsourcing Advantages


Advantages of outsourcing IT functions include:
  Lower Costs: Organizations can pay for what they need without large investments in
hardware, software, or IT staff.
  Expertise: Instead of purchasing training for internal employees, which can be costly and
time-consuming, outsourcing IT functions gives organizations access to IT experts on a
fractional cost basis. This is useful for smaller companies that periodically need advanced IT
expertise but cannot justify paying for full-time staff with those capabilities.
  Resources: Organizations have access to specialized and high-quality resources.
  Enhanced Focus on the Core Business: If an organization outsources its IT functions, it
can spend less time on the complexities of IT and more time on the organization's growth
and strategy.

4.3 IT Outsourcing Disadvantages


Disadvantages of outsourcing IT functions include:
  Less Control: The outsourcing company loses some control over how the IT functions are
performed and grants the outsourced firm access to sensitive information.
  Quality Control: Service providers may not perform up to the expectations and quality
desired by the outsourcing organization.
  Immediate Access to IT Support: If the service provider is not always on site, there may
be a perceived lack of access to IT personnel, even if most problems can be resolved remotely.


4.4 IT Outsourcing Risks


When IT is outsourced, risks exist that must be mitigated, including:
  Security and Privacy Practices: The security implemented and maintained by the service
provider may not meet the standards maintained by the organization, potentially leading to
the following risks:
y Inadequate controls or ineffective implementation of controls
y Misuse or abuse of an organization's data by the service provider's employees
  Data Accessibility: In addition to the risk of confidential and private data being leaked,
there is the concern that data will become inaccessible, overwritten, or lost either due to
malicious actions, unintentional behavior, or through some other type of event, such as a
natural disaster.
  Data Disposal: IT outsourcing is typically in effect for a contractual period of time. Once the
contract is over, there is a possibility that a customer's confidential data is not effectively
deleted and can be inappropriately accessed in the future.
  Vulnerability for Attacks: If multiple firms are sharing computing resources using an
outsourced firm, an attack on any one organization could impact the others who utilize the
same environment.

4.5 System and Organization Controls (SOC) Reports


The System and Organization Controls (SOC) reports are a collection of reports developed by the
American Institute of Certified Public Accountants (AICPA) to be issued by CPAs in connection
with the evaluation of "system-level controls" or "entity-level controls" for service-based firms.
There are three reports that these types of engagements can produce: SOC 1® report, SOC 2®
report, and SOC 3® report.

4.5.1 SOC 1®
Governed by the Statement on Standards for Attestation Engagements (SSAE) 18, the objective
of SOC 1® reports is to provide assurance that the service organization's controls are designed
and operating effectively so that the financial statements are not negatively impacted. The use of
SOC 1® reports assists in mitigating the inherent risks in outsourcing IT functions.
Two types of SOC 1® reports are provided by service organizations (as defined by the AICPA):
  The Type 1 report focuses on the fairness of the presentation of management's description
of the service organization's system and the suitability of the design of the controls to
achieve the related control objectives included in the description as of a specified date.
  The Type 2 report focuses on the fairness of the presentation of management's description
of the service organization's system and the suitability of the design and operating
effectiveness of the controls to achieve the related control objectives included in the
description throughout a specified period. The key difference from a Type 1 report is the time
period over which the attestation is made.


Illustration 7 SOC 1® Use Example

Wyatt Co., a financial advising company, utilizes a third-party service provider named
Database Inc. to process its sales contracts and store information about its clients. Wyatt
Co.'s auditors want to ensure that the controls in place at Database Inc. are designed and
operating effectively because control deficiencies at Database Inc. would negatively affect
Wyatt Co. and its clients. Wyatt Co.'s auditors gain comfort by obtaining and reviewing
the attestation to fairness of the controls and their operations within the System and
Organization Controls (SOC 1®) Type 2 report because it gives them assurance that this has
been in place over the last six months.

4.5.2 SOC 2®
A SOC 2® report is also governed by SSAE 18 but is for users who need attestation concerning
controls as they relate to security, processing integrity, availability, and privacy. These reports
are important for vendor management, oversight of a company, risk management, corporate
governance, and regulatory oversight.
SOC 2® reports also have two types:
  Type 1 is a report of management's explanation or description of a given service company's
system as well as the suitability of control design as of a single point in time.
  Type 2 is also a report of management's explanation or description of a company's control
design and its operating effectiveness of internal controls over a period of time, with the key
difference being the time period of attestation, similar to SOC 1® Types 1 and 2.

4.5.3 SOC 3®
SOC 3® reports are also for users who need attestation concerning controls as they relate to
security, processing integrity, availability, and privacy. However, this report is for companies that
do not have the knowledge required to make effective use of a SOC 2® report.

Question 1 MCQ-03682

Which of the following is usually a benefit of using electronic funds transfer for
international cash transactions?
a. Improvement of the audit trail for cash receipts and disbursements
b. Creation of self-monitoring access controls
c. Reduction of the frequency of data entry errors
d. Off-site storage of source documents for cash transactions


Question 2 MCQ-07012

An enterprise resource planning system is designed to:
a. Allow nonexperts to make decisions about a particular problem.
b. Help with the decision-making process.
c. Integrate data from all aspects of an organization's activities.
d. Present executives with the information needed to make strategic plans.

MODULE 4

Data Management and Analytics BEC 6

1 The Evolving Role of Big Data in the Decision-Making Process

Due to advances and rapid changes in technology, the type and volume of data being created
have increased at rates never before seen. These increases provide both challenges and
opportunities for individuals, governments, and companies alike. To leverage the power of
this data, companies must first identify a data point, then capture it, store it, protect it, and
eventually dispose of it, if appropriate.

1.1 Defining Data and Information


Data can be defined as a fact, occurrence, instance, or an otherwise measurable observation.
Data comes in many different forms such as numerical digits, alphanumeric text, images, video,
and audio recordings. At first, data may lack meaning but after organization, transformation, and
further processing, it acquires additional value that can then be used for decision making.

1.2 Defining Big Data


The term Big Data has been used in many forms and contexts but generally refers to the
corporate accumulation of massive amounts of data that can be used for analysis, commonly
referred to as data analytics. Utilizing Big Data has become the norm for most institutions due to
advances in applications' abilities to collect data as well as the increased availability of analytical
tools designed to handle large quantities of data. These advances have allowed organizations
to more easily collect intelligence on all aspects of operations, including customers, employees,
internal processes, and industry statistics.
Data is collected in a variety of ways: actively or passively, by a person, or by using
technology. Active collection typically refers to the capture of data from a device or
person who has given consent, such as a field survey or job application. Passive collection
is from sources that may be indirect, ancillary, or otherwise generated from some passive
activity a device or person engages in, such as the number of webpages viewed on a website.
Some common sources of data collection include purchasing behavior of participants in
loyalty/reward programs, customer focus groups, radio frequency identification (RFID) tags,
barcodes, and activity detected by sensors and cameras linked to the internet (known as the
Internet of Things, or IoT).


1.3 Dimensions of Big Data


There are five dimensions of Big Data (often referred to as the Five Vs of Big Data):
1. Volume: Volume represents the quantity or amount of data points. Volume may also factor
in the size of the data in terms of its storage requirements. Some data points consume more
storage capacity than others. For example, data that is simply plain text can be transmitted more
quickly and requires less storage space than a video or audio file. Accordingly, these differences
impact which software should be used to transmit, store, and analyze an organization's data.
2. Velocity: Velocity refers to the speed of data accumulation or data processing. Some data
points are created on a continuous basis (more frequently) and, therefore, have a higher
velocity than other data points. An example of a high-velocity data point would be the price
of every transaction for a given stock, or the weather conditions of a particular location
constantly being measured in real time.
3. Variety: Variety references the range of data types being processed or analyzed. Three
general categories exist that help define the different types of data: structured, semi-structured,
and unstructured.
y Structured data represents data with a defined organizational format that has specific
parameters, such as numerical or alphabetical figures only, a fixed field length and size, or some
other predefined parameter. An example would be a relational database.
y Semi-structured data is a hybrid of the structured and unstructured formats. A good example
is a file that has comma-separated values (referred to as a CSV file). There is no restriction on
the size or length of the data points; however, each data point is denoted or separated by a
comma, which is the structured piece of this format.
y Unstructured data is the exact opposite of structured data, with a format that does not have
predefined parameters and generally lacks organization. This could be a review post for a
product online or the text in an instruction guide, both of which may be flagged by a ranking or
a chapter but have little to no restriction in terms of parameters.
4. Veracity: Veracity represents the reliability, quality, or integrity of the data. High-quality
information that is both accurate and timely is optimal. This means processes should be
implemented so that data is cleansed of irregularities, including duplicate fields, missing fields,
incorrect formats or characters (such as an asterisk in a name field), transposed fields, or
incorrect labeling.
5. Value: Value refers to the insights Big Data can yield. This dimension is vital because not all data
translates into actionable insights, so it is important to understand the question or business
problem that needs to be solved because it will shape the transformation and analytics process.
Facts such as customer cancellation dates can be turned into cancellation rates when observed
in the aggregate, or product mix by customer can be combined with demographic data to form
a profile, which can be used for targeted marketing and promotions.
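The cleansing step listed under Veracity, as an added example in Python that is not part of the textbook: a small validator over constructed customer records that flags exact duplicates, missing fields, invalid characters such as an asterisk in a name field, a wrong date format, and transposed state/ZIP fields, repairing only the transposition (which is unambiguous) and rejecting the rest with their issue list. The field names, format rules, and records are all constructed for this example.

```python
import re

# Format rules for the validated fields; these are assumptions for this example,
# not rules from the textbook.
STATE_RE = re.compile(r"^[A-Z]{2}$")                # two-letter state code
ZIP_RE = re.compile(r"^\d{5}$")                     # five-digit ZIP code
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")        # ISO yyyy-mm-dd
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z .'-]*$")    # letters, space, . ' - only
REQUIRED = ("id", "name", "email", "state", "zip", "signup")

# Constructed customer records with one deliberate defect each (not textbook data).
SAMPLE_RECORDS = [
    {"id": "1001", "name": "Ada Lovelace", "email": "ada@example.com",
     "state": "NY", "zip": "10001", "signup": "2022-03-01"},            # clean
    {"id": "1002", "name": "Grace*Hopper", "email": "grace@example.com",
     "state": "VA", "zip": "22201", "signup": "2022-03-02"},            # bad character
    {"id": "1003", "name": "", "email": "anon@example.com",
     "state": "CA", "zip": "94105", "signup": "2022-03-03"},            # missing field
    {"id": "1004", "name": "Linus T", "email": "linus@example.com",
     "state": "97201", "zip": "OR", "signup": "2022-03-04"},            # transposed fields
    {"id": "1001", "name": "Ada Lovelace", "email": "ada@example.com",
     "state": "NY", "zip": "10001", "signup": "2022-03-01"},            # exact duplicate
    {"id": "1005", "name": "Ken Thompson", "email": "ken@example.com",
     "state": "NJ", "zip": "07030", "signup": "03/05/2022"},            # wrong date format
]


def check_record(rec):
    """Return the veracity issues found in one record (empty list if clean)."""
    issues = []
    for field in REQUIRED:
        if not rec.get(field, "").strip():
            issues.append(f"missing:{field}")
    name = rec.get("name", "")
    if name and not NAME_RE.match(name):
        issues.append("bad_chars:name")
    state, zip_code = rec.get("state", ""), rec.get("zip", "")
    if ZIP_RE.match(state) and STATE_RE.match(zip_code):
        # Each value is valid for the other field: the two were swapped.
        issues.append("transposed:state/zip")
    else:
        if state and not STATE_RE.match(state):
            issues.append("bad_format:state")
        if zip_code and not ZIP_RE.match(zip_code):
            issues.append("bad_format:zip")
    if rec.get("signup") and not DATE_RE.match(rec["signup"]):
        issues.append("bad_format:signup")
    return issues


def cleanse(records):
    """Split records into (clean, rejected).

    Exact duplicates are dropped, transposed state/ZIP pairs are swapped back,
    and anything with a remaining issue is rejected together with its issue
    list so the source can be corrected rather than silently altered.
    """
    seen = set()
    clean, rejected = [], []
    for original in records:
        key = tuple(original.get(f, "") for f in REQUIRED)
        if key in seen:
            rejected.append((original, ["duplicate"]))
            continue
        seen.add(key)
        rec = dict(original)  # never mutate the caller's data
        issues = check_record(rec)
        if "transposed:state/zip" in issues:
            rec["state"], rec["zip"] = rec["zip"], rec["state"]
            issues.remove("transposed:state/zip")
        if issues:
            rejected.append((rec, issues))
        else:
            clean.append(rec)
    return clean, rejected


if __name__ == "__main__":
    good, bad = cleanse(SAMPLE_RECORDS)
    print(f"{len(good)} clean, {len(bad)} rejected")
    for rec, issues in bad:
        print(rec["id"], issues)
```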


Illustration 1 Incorporating the 5 Vs Into the Analytics Process

Huber, a large manufacturing company, regularly collects multiple data points on all of its
wholesale clients as a part of its standard contracting and credit check process, including
estimated annual order size and budget, annual sales, and retail locations. Once under
contract, Huber establishes direct connectivity with most of its clients' point-of-sale systems.
This allows Huber to align its production schedule with client orders to minimize inventory
and optimize production. In the process, Huber also passively collects other data points
about end-customer transactions in its clients' stores, including payment method used,
time of purchase, and location of purchase. There are two streams of data that have
untapped value for Huber.
The first stream is the client data captured in the contracting process. Whereas the volume
and velocity are low (only captured periodically as new clients are onboarded), the veracity
and value are high. Veracity is high because data is of good quality due to credit checks
performed to confirm accuracy. Value is high because the intelligence that could be
extracted from this data is significant.
The second stream is the passive data collected on end-customer transactions. Both the
volume and velocity are high because of the massive number of individual transactions
continuously occurring. The quality of data is good because it is in real time, making
veracity high. The variety would be minimal as the type of transaction would be fixed, so
the data format/type will be limited. The potential value is very high to Huber because it
can determine which products are purchased using a credit card versus cash or debit card.
The time of purchase could also help Huber with optimizing its delivery schedule, making
sure shipments arrive prior to peak purchase times.

1.4 Big Data Governance


Although Big Data provides the ability to gain insights in many areas, it still comes with
challenges, such as ethical and legal concerns pertaining to the organization itself, employees,
customers, and stakeholders. An organization's governance program and policies should
address these issues in some manner, providing guidance on how sensitive data should be
captured, maintained, and disposed of during its life cycle within the company's possession.

1.4.1 Big Data Confidentiality


An organization's confidential information must be safeguarded to protect it from unauthorized
access and exploitation. Those within an organization responsible for collecting and maintaining
confidential data have a responsibility to ensure appropriate access controls are in place.
Examples of confidential information include employee records, banking and financial data,
marketing strategies, and other intellectual property related to products or work that is created
during the regular course of business. The four most common types of business intellectual
property include the following:
  Copyrights: a form of original work of authorship that is protected by U.S. laws, such as
music, books, and movies. Companies must be granted the right to distribute such work by the
copyright holder or else be in violation of copyright laws.
  Patents: protection by U.S. laws for an invention that is unique in design or utility. An example
would be a newly invented prescription medication or a specific manufacturing process that is
improved by a proprietary method. These patents only offer protection for a certain number of
years in the United States, after which the invention can be replicated by others.

© Becker Professional Education Corporation. All rights reserved. Module 4 B6–53


4 Data Management and Analytics BEC 6

  Trademarks: words, symbols, phrases, designs, or a combination of these items that are
protected by U.S. laws. An example would be a company emblem, slogan, or image that is
unique enough to qualify for a trademark.
  Trade Secrets: confidential information held by a limited group of individuals unique to an
organization that gives it a competitive advantage or commercial value in some way that other
companies do not know. Examples are client lists, formulas, business plans, or methods of
production. These are often protected by nondisclosure agreements, prohibiting a person
with whom a trade secret is shared from replicating the secret or divulging it to others.

1.4.2 Big Data Privacy


Customer and patient data must also be safeguarded from unauthorized access to meet
consumer privacy expectations as well as regulatory requirements. Privacy rights can be traced
to the Fourth Amendment, which provides U.S. citizens and their property basic protection
against unreasonable searches and seizures. Since then, many regulations in the United
States and abroad have been issued providing further privacy protection, starting with the
Privacy Act of 1974 in the United States, followed by HIPAA (Health Insurance Portability and
Accountability Act) in 1996 in the United States and GDPR (General Data Protection Regulation)
in Europe in 2018. To maintain compliance, organizations must implement strong governance
practices surrounding what type of data can be collected, what disclosures to make as the data
is collected, and what controls must be in place to protect that data.
1.4.3 Big Data Ethics
When collecting, analyzing, and making decisions using Big Data, it is important to understand
the ethical implications at every step of the data life cycle (capture, maintenance, synthesis,
analytics, usage, publication, archival, and purging). Organizations should make sure authorized
personnel are granted the minimum level of access to the data necessary to perform their
job functions. This includes assigning rights that limit users' ability to create, read, edit, and
delete data based on their organizational role and job function. Organizations should attempt
to eliminate bias in the algorithms applied in decision support models. Although it might be
appropriate to market only to women for a women's athletic retailer, organizations without a
niche focus may want to avoid making general exclusions on the basis of gender.

1.4.4 Governance Responsibility


An organization's governance program should be led by a designated individual, such as a chief
privacy officer, a corporate compliance officer, or a job role that is equivalent. The design of that
program, however, should have input from leaders across the organization, and the program
should be periodically updated as necessary. Although one individual may take ownership of the
program's management, it should ultimately involve all aspects of an organization that captures,
maintains, stores, and uses data of any kind.

Illustration 2 Ethics in Data Collection

A large financial services company wants to better understand its consumer base so it can
tailor promotional offers to specific consumers and increase overall sales. To do this, the
company decides to ask nonessential, self-identifying questions on all loan applications. The
questions seek to identify the following: stock brokerage provider, total value of all investment
accounts, political affiliations, amounts donated to political parties, ethnicity, and gender.
Customers filling out the loan application may feel uncomfortable responding but could
feel forced to comply in order to be approved for a loan. The intent of the organization
may be innocent, but because the information could be used in an unethical manner, the
organization should reconsider its approach.


2 Data Management

Data management is key for every organization. Ensuring that the data is maintained and stored
appropriately is vital to the decision-making process.

2.1 Storing Data in Relational Databases


Within an organization, data can be stored in a variety of ways; however, one of the most
efficient and effective methods for many use cases is to store data in a relational database.
Relational databases allow data to be stored in different tables, and the tables are linked through
relationships using key fields. This differs from more traditional methods of storage such as "flat
files," which are files that contain plain text with no structural interrelationships within that file.

2.2 Relational Database Concepts


Relational databases have many key concepts as follows:

2.2.1 Tables
Tables are organizational structures within relational databases that establish columns and rows
to store specific types of data records. For example, a Customer table would be the table where
an entity would store all the organization's customer records.

2.2.2 Attributes (Columns)


Attributes are the column headers of a table that describe the characteristics or properties
desired to be known about each entity. For example, an attribute (column) in the Customer table
may be "Last Name."

2.2.3 Records (Rows)


Records are the rows within a table in a relational database. Each record contains information
about one entity within the table. For example, a record in the Customer table would provide
certain information about a single customer.

2.2.4 Fields
A field is space created at the intersection of a column and row in a table in which data is
entered. The information placed inside the field is known as "data values."

2.2.5 Data Types


Data types represent the category of data set or data point. Data may be numerical in form,
such as an integer; text such as a single character or a string of characters; or Boolean, which
provides for a simple yes/no or true/false.




2.2.6 Database Keys


Keys act as unique identifiers and create relationships within relational databases. The two main
types of keys are primary keys and foreign keys:
  Primary Key: Primary keys are unique identifiers for a specific row within a table and are
made up of one or more attributes. Each row in a table must have a unique primary key.
An example of a unique identifier would be social security numbers in the United States
because each one is unique to each citizen.
A primary key that is made up of two or more attributes is referred to as a composite, or
concatenated, key.
  Foreign Key: Foreign keys are attributes in one table that are also primary keys in another
table. For example, "Customer ID" may be the primary key in the Customer table; however,
it is a foreign key in the Sales table. The same Customer ID may appear multiple times in the
Sales table because a single customer can make more than one purchase. The link between
a primary key in one table and a foreign key in another table is what creates a "relationship"
between tables.
All other attributes that are not primary keys or foreign keys are considered "non-key" or
"descriptive" attributes.

2.2.7 Relationships
Relationships result from a link between a primary key in one table and a foreign key in another
table. This link relates the two tables, enabling users to simultaneously retrieve information from
both tables.

Figure: Relationships Between Tables (tables and attributes shown in the diagram)

Orders: OrderID (Primary Key), OrderDate, SKU (Foreign Key), PaymentForm, CityID,
WarehouseID (Foreign Key), AccountNumb (Foreign Key)

Products: SKU (Primary Key), ProductCategory, WarehouseID (Foreign Key), Sale

Shipments: WarehouseID (Primary Key), StateID, ShipmentDate, AddressShipping,
AccountNumb (Foreign Key)

Customer: AccountNumb (Primary Key), Address, DateofBirth, PhoneNumber, CreditLine

2.2.8 Data Dictionary


A data dictionary, also referred to as metadata, provides information about the data in a
database. A data dictionary typically lists each attribute and denotes the features and limitations
of that attribute. Features often include the data type (e.g., integer, date, text); description (e.g.,
Social Security number, date of hire, address); field size or length (e.g., variable, fixed); and
whether the data is a primary, foreign, or non-key attribute.


2.2.9 Database Views


Database views are ways in which a database, its contents, and/or structure can be depicted.
Views are broken into two broad types: logical and physical.
  Logical Database View: The logical view represents the type of data that is stored in a
database and is intended to explain the contents as well as logical structure of a database
to users.
  Physical Database View: The physical view represents how data is actually physically
stored, processed, and/or accessed within a database.

2.2.10 Data Queries and Reports


Extracting data is typically done via query tools, most commonly using programming languages
that are based on some form of structured query language (SQL). SQL was designed using
English sentence patterns so that the code would be relatively easy to write and interpret.
Common commands include SELECT, FROM, and WHERE. Once a query is designed and
executed, the results of the query can then be visually displayed in a database report. End users
utilize the reports to assist with data analysis and decision making.

Illustration 3 Example Query

A simple SQL statement would be written as follows:

SELECT Customer_First_Name FROM Customer_Table;

This statement would produce a list of all the customer first names that the company has
recorded in that table. Incidentally, if several customers have the first name of Betty, then
ordinarily "Betty" will be listed once for each Betty in the table (the optional DISTINCT
keyword changes this behavior). If the analyst did not want all of the customer names, but
only a subset, then the WHERE clause could be used to identify that subset as follows:

SELECT Customer_Last_Name FROM Customer_Table WHERE Customer_First_Name = 'Betty';

This statement would produce a list of all the last names of customers whose first name
is Betty.
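The two queries of Illustration 3 run against a small in-memory SQLite database, as an added example that is not from the textbook. The table and column names (Customer_Table, Sales_Table, Customer_ID, Amount) and the sample rows are constructed; the last query joins across the Customer ID relationship described in section 2.2.6, and the filter value is bound as a query parameter rather than pasted into the SQL text.

```python
import sqlite3

# Constructed sample data (not from the textbook). Customer_ID is the primary key
# of Customer_Table and a foreign key in Sales_Table, so one customer can have
# many sales rows.
CUSTOMERS = [
    (1, "Betty", "Lee"),
    (2, "Carlos", "Ruiz"),
    (3, "Betty", "Nguyen"),
]
SALES = [
    (101, 1, 25.00),
    (102, 1, 40.00),
    (103, 3, 15.50),
]


def build_db():
    """Create an in-memory database with the Customer/Sales relationship."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.execute(
        "CREATE TABLE Customer_Table ("
        " Customer_ID INTEGER PRIMARY KEY,"
        " Customer_First_Name TEXT NOT NULL,"
        " Customer_Last_Name TEXT NOT NULL)"
    )
    conn.execute(
        "CREATE TABLE Sales_Table ("
        " Sale_ID INTEGER PRIMARY KEY,"
        " Customer_ID INTEGER NOT NULL REFERENCES Customer_Table(Customer_ID),"
        " Amount REAL NOT NULL)"
    )
    conn.executemany("INSERT INTO Customer_Table VALUES (?, ?, ?)", CUSTOMERS)
    conn.executemany("INSERT INTO Sales_Table VALUES (?, ?, ?)", SALES)
    conn.commit()
    return conn


def first_names(conn):
    """Illustration 3's first query: one row per customer, so 'Betty' repeats."""
    sql = "SELECT Customer_First_Name FROM Customer_Table ORDER BY Customer_First_Name"
    return [row[0] for row in conn.execute(sql)]


def distinct_first_names(conn):
    """The same query with DISTINCT, which lists each name only once."""
    sql = ("SELECT DISTINCT Customer_First_Name FROM Customer_Table "
           "ORDER BY Customer_First_Name")
    return [row[0] for row in conn.execute(sql)]


def last_names_for_first_name(conn, first_name):
    """Illustration 3's second query. The filter value is passed as a bound
    parameter (the '?'), so the database always treats it as data, never as SQL."""
    sql = ("SELECT Customer_Last_Name FROM Customer_Table "
           "WHERE Customer_First_Name = ? ORDER BY Customer_Last_Name")
    return [row[0] for row in conn.execute(sql, (first_name,))]


def sales_by_customer(conn):
    """Retrieve from both tables at once by joining on the key relationship."""
    sql = (
        "SELECT c.Customer_First_Name, c.Customer_Last_Name, "
        "       COUNT(s.Sale_ID), SUM(s.Amount) "
        "FROM Customer_Table c "
        "JOIN Sales_Table s ON s.Customer_ID = c.Customer_ID "
        "GROUP BY c.Customer_ID ORDER BY c.Customer_ID"
    )
    return [tuple(row) for row in conn.execute(sql)]


def demo():
    """Run all four queries against a fresh database and return the results."""
    conn = build_db()
    return {
        "all": first_names(conn),
        "distinct": distinct_first_names(conn),
        "betty_last_names": last_names_for_first_name(conn, "Betty"),
        "sales": sales_by_customer(conn),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```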

3 Extract, Transform, and Load

When performing data analytics, it is important to understand the extract, transform, and
load process (ETL). Essentially, this is the process in which data is captured from its source and
transferred to an organization's custody so that it can then be further analyzed.

3.1 Data Extraction


Data extraction can take the form of an automated process, semiautomated process, or manual
extraction. No matter the form, the native source and the means of accessing the data must be
determined in the initial ETL setup phase. This will dictate the tools needed for designing the
overall process of extraction.




3.1.1 Data Identification


The first step in the extraction process is to understand the issue the business is trying to address to
ensure the data request has the proper scope to resolve it. This involves determining what attributes
to analyze, the time span to use when extracting those attributes, and what risks exist in the data.
Next, the storage destination of the extracted data needs to be determined. Storage may be in
data warehouses, data marts, data lakes, or flat files (e.g., spreadsheets).

3.1.2 Obtaining the Data


The source for obtaining data in an ETL process may be internal or external to an organization.
The process also may be automated, manual, or a combination of both.
  Requesting the Data
If submitting a request for the data, the recipient of the request must be provided with full
details on what is needed, including the data file type, format, time period, and required
attributes. It is also helpful to have a process to validate the output to verify no data was lost
during the transmission.
  Automated Extraction
Extraction that is automated will likely use an application programming interface (API) so
extraction is just a matter of a user application accessing the API to obtain the source data.
The API is the means by which two applications can communicate with each other and the
way a user can connect to the source application where data is housed. In some cases,
connecting to a data source's API is not necessary. The ETL engine may only need to scrape
data from a webpage to automatically pull that data into a repository.
  Manual Extraction
If manually extracting the data, a person may have to use specialized data mining software
or write customized queries to obtain the data. Tools used must ensure the data is coming
from the correct location and is complete and accurate.

3.2 Transforming Data


One of the most time-consuming steps in the ETL process can be in the transformation step
because this entails taking the often-unstructured raw data, cleaning it, manipulating it, and
validating it to ensure it is accurate and ready for analysis.

3.2.1 Cleaning Data


Cleaning the data after extracting it typically involves the following steps:
  Determine the desired output, which includes knowing what attributes are needed and the
formatting of those attributes.
  Deduplicate data points, remove inaccurate data, and account for outliers.
  Address missing fields. Determine whether a blank field should truly be blank or if the data
value is missing.
  Remove unnecessary attributes that will not provide value to your analysis.
  Ensure the data is accurate and complete after the cleaning process by performing spot-checks.
  Remove sensitive information if it is not needed for analysis.
  Split data for analysis, referred to as data parsing, such as splitting a full name attribute into
first name and last name attributes.
  Ensure data points are properly formatted. Use trimming tools to remove unneeded or
extra spaces, which can affect data mining or other downstream processes.


Illustration 4 Issues in Transforming Data

An analyst opens a data file in a spreadsheet and observes that all data points are within
one column but span hundreds of thousands of rows. Each data point is delimited
(separated) by commas. As such, the analyst should transform the data into separate
columns every time a comma appears. Lastly, the analyst would need to review the data for
errors before any real analysis could begin.

3.2.2 Validating Data


Validation is needed after transformation to ensure data is not lost or inappropriately modified
in the cleaning process. Data validation may be a visual review for simple data sets. However,
if the data set is large then basic statistical tests may be required, such as the calculation of
minimums, maximums, averages, and sums to ensure the data has maintained integrity.
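An added example, not from the textbook, that carries the cleaning steps of 3.2.1, the comma-delimited one-column file of Illustration 4, and the validation statistics of 3.2.2 through in Python. The column names, the five raw rows, and the choice of SSN as the sensitive attribute to drop are constructed for the example.

```python
import csv
import statistics

# Constructed raw extract (not from the textbook): each record arrived as one
# comma-delimited string in a single spreadsheet column, as in Illustration 4.
RAW_COLUMN = [
    "CustomerName,SSN,City,Amount",
    " Betty Lee ,123-45-6789,Chicago ,120.50",
    "Carlos Ruiz,987-65-4321,Denver,75",
    " Betty Lee ,123-45-6789,Chicago ,120.50",  # duplicate once trimmed
    "Ana  Park,,Austin,",                        # missing SSN and Amount
    "Bad Row,111-22-3333,Miami,abc",             # amount is not numeric
]

SENSITIVE_COLUMNS = ("SSN",)  # not needed for the analysis, so removed


def parse_rows(lines):
    """Split each one-column record into separate columns at every comma."""
    reader = csv.reader(lines)
    header = [h.strip() for h in next(reader)]
    return [dict(zip(header, row)) for row in reader]


def split_name(full_name):
    """Collapse repeated spaces, then parse 'First Last' into two attributes."""
    parts = " ".join(full_name.split()).split(" ", 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def clean(records):
    """Trim, deduplicate, parse names, drop sensitive columns, flag missing values."""
    cleaned, rejected, seen, duplicates = [], [], set(), 0
    for rec in records:
        rec = {k: v.strip() for k, v in rec.items()}      # trim extra spaces
        key = tuple(sorted(rec.items()))
        if key in seen:                                    # deduplicate
            duplicates += 1
            continue
        seen.add(key)
        try:                                               # blank = missing, not zero
            amount = float(rec["Amount"]) if rec["Amount"] else None
        except ValueError:                                 # inaccurate data point
            rejected.append(rec)                           # quarantine for review
            continue
        out = {k: v for k, v in rec.items()
               if k not in SENSITIVE_COLUMNS and k != "CustomerName"}
        out["FirstName"], out["LastName"] = split_name(rec["CustomerName"])
        out["Amount"] = amount
        cleaned.append(out)
    return cleaned, rejected, duplicates


def validate(cleaned, rejected, duplicates, raw_count):
    """Post-transformation checks: record counts reconcile, plus min/max/sum/mean."""
    amounts = [r["Amount"] for r in cleaned if r["Amount"] is not None]
    return {
        "raw_count": raw_count,
        "record_count": len(cleaned),
        "rejected": len(rejected),
        "duplicates_removed": duplicates,
        "reconciles": raw_count == len(cleaned) + len(rejected) + duplicates,
        "missing_amount": sum(1 for r in cleaned if r["Amount"] is None),
        "min": min(amounts),
        "max": max(amounts),
        "sum": round(sum(amounts), 2),
        "mean": round(statistics.mean(amounts), 2),
    }


def run_pipeline(lines=RAW_COLUMN):
    """Parse, clean and validate; returns the cleaned rows, rejects and statistics."""
    records = parse_rows(lines)
    cleaned, rejected, duplicates = clean(records)
    stats = validate(cleaned, rejected, duplicates, len(records))
    return {"cleaned": cleaned, "rejected": rejected, "stats": stats}


if __name__ == "__main__":
    result = run_pipeline()
    for row in result["cleaned"]:
        print(row)
    print(result["stats"])
```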

3.2.3 Manipulating Data


Once the data has been cleaned and validated, it can be supplemented, enhanced, or
otherwise manipulated in a way that adds value to the existing data points. Common
manipulations include:
  Appending demographic and socioeconomic data to create profiles or analyze relationships
with existing variables
  Creating new variables that are a function of existing variables (e.g., variable A times
variable C less variable B equals new variable D)
  Creating new variables that classify or categorize existing variables (e.g., grouping customers
in a given location into geographical categories, such as Midwest or Southeast)

3.3 Loading the Data


The final step of the ETL process is to load the data into a software program for analysis or into a
data storage location. When loading the data into a software program, the main concern is that
the data has been extracted and transformed into a format that is compatible with the software
program or storage destination.

3.3.1 Data Storage


Data may be stored in a variety of locations/repositories, including the following:
  Operational Data Store (ODS): An ODS is a repository of transactional data from multiple
sources and is often a source for data warehouses. Transactional data captured could be
related to operational activities such as customer orders, sales, or vendor payments. It
could also be system-related, measuring available storage, system latency, or the number of
records processed by a given system.
  Data Warehouse: Data warehouses are very large data repositories that are centralized and
utilized for reporting and analysis rather than for transaction purposes. A data warehouse
pulls data either directly from enterprise systems with transactional data or from an ODS.
This data is then combined into a single repository that can be used for reporting, to create
data marts, or for a variety of other purposes.




  Data Mart: A data mart is much like a data warehouse but is more focused on a specific
purpose such as marketing or logistics, and is often a subset of a data warehouse. Different
departments within a company may need tailored data marts to operate more effectively, so
they select highly relevant data points from a data warehouse to create their own data mart.
  Data Lake: A data lake is a repository similar to a data warehouse, but it contains both
structured and unstructured data, with data mostly being in its natural or raw format. It
is unique from data warehouses because the structure of the data, also referred to as its
schema, is implemented when the data is first accessed by a user. This contrasts with a
data warehouse, which has a predefined schema that is in place to enable quick processing
and analysis.

3.3.2 Data Storage Requirements


When data is stored, especially in relational databases, several considerations must be
addressed and constraints factored, including the following:
  Entity Integrity: Every table must have a primary key, and every row in that table must
carry a unique, non-null primary key value that identifies the record.
  Referential Integrity: Because databases are relational in nature, a change to a primary
key in one table must also cause a change to any related foreign key in a table that is linked.
This maintains the relational and referential integrity of the database and the data points
within it.
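An added example, not from the textbook, of a relational database enforcing the entity and referential integrity rules above. The Products and Orders tables follow the relationship diagram in section 2.2.7 (SKU is the primary key of Products and a foreign key in Orders); the sample SKUs and dates, and the ON UPDATE CASCADE / ON DELETE RESTRICT choices, are assumptions made for the example.

```python
import sqlite3

# Constructed schema (not from the textbook). ON UPDATE CASCADE makes a change to
# the primary key propagate to every foreign key that references it (referential
# integrity); ON DELETE RESTRICT refuses to delete a product while orders still
# reference it, so no order is left pointing at a non-existent product.
PRODUCTS = [("SKU-100", "Widgets"), ("SKU-200", "Gadgets")]
ORDERS = [(1, "2022-06-01", "SKU-100"), (2, "2022-06-02", "SKU-100")]


def build_db():
    conn = sqlite3.connect(":memory:")
    # SQLite enforces foreign keys only when this pragma is on (per connection).
    conn.execute("PRAGMA foreign_keys = ON")
    conn.execute(
        "CREATE TABLE Products ("
        " SKU TEXT PRIMARY KEY NOT NULL,"      # unique + non-null: entity integrity
        " ProductCategory TEXT NOT NULL)"
    )
    conn.execute(
        "CREATE TABLE Orders ("
        " OrderID INTEGER PRIMARY KEY,"
        " OrderDate TEXT NOT NULL,"
        " SKU TEXT NOT NULL REFERENCES Products(SKU)"
        "     ON UPDATE CASCADE ON DELETE RESTRICT)"
    )
    conn.executemany("INSERT INTO Products VALUES (?, ?)", PRODUCTS)
    conn.executemany("INSERT INTO Orders VALUES (?, ?, ?)", ORDERS)
    conn.commit()
    return conn


def attempt(conn, sql, params=()):
    """Run one statement; True if accepted, False if a constraint rejected it."""
    try:
        with conn:                      # commit on success, roll back on error
            conn.execute(sql, params)
        return True
    except sqlite3.IntegrityError:
        return False


def integrity_demo():
    """Exercise each rule against a fresh database and report what happened."""
    conn = build_db()
    results = {}
    # Entity integrity: a row with a duplicate or missing primary key is rejected.
    results["duplicate_pk_accepted"] = attempt(
        conn, "INSERT INTO Products VALUES (?, ?)", ("SKU-100", "Duplicate"))
    results["null_pk_accepted"] = attempt(
        conn, "INSERT INTO Products VALUES (?, ?)", (None, "No key"))
    # Referential integrity: a foreign key must point at an existing primary key.
    results["orphan_fk_accepted"] = attempt(
        conn, "INSERT INTO Orders VALUES (?, ?, ?)", (3, "2022-06-03", "SKU-999"))
    results["delete_referenced_accepted"] = attempt(
        conn, "DELETE FROM Products WHERE SKU = ?", ("SKU-100",))
    # Changing a primary key cascades to the related foreign keys.
    results["rename_pk_accepted"] = attempt(
        conn, "UPDATE Products SET SKU = ? WHERE SKU = ?", ("SKU-101", "SKU-100"))
    results["orders_on_new_sku"] = conn.execute(
        "SELECT COUNT(*) FROM Orders WHERE SKU = ?", ("SKU-101",)).fetchone()[0]
    results["orders_on_old_sku"] = conn.execute(
        "SELECT COUNT(*) FROM Orders WHERE SKU = ?", ("SKU-100",)).fetchone()[0]
    # Verification step: the database lists any dangling foreign keys (none here).
    results["fk_violations"] = conn.execute("PRAGMA foreign_key_check").fetchall()
    return results


if __name__ == "__main__":
    for rule, outcome in integrity_demo().items():
        print(f"{rule}: {outcome}")
```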

Figure: ETL flow. Extract Data (Data Source) → Transform and Load Data (Cleansing and
Normalization; ODS; Warehouse; Data Lake) → Analyze Data (Marketing Data Mart, Purchasing
Data Mart, Sales Data Mart; End Users)


3.3.3 Data Storage Attributes


The following are key data storage attributes:
  Relevance: Data repositories are created for specific purposes, so defining the purpose
helps users understand a repository's relevance. If the repository is a database, then part
of establishing relevance involves directly describing the attribute (or combination of
attributes) that has been labeled as the primary key.
  Elements to Be Included and Excluded: Denoting which attributes are included outlines
the universe of data points housed within a repository. For more narrowly focused
repositories such as a data mart, the list of attributes will be more limited, potentially
allowing users easier access to a large amount of data without having to sift through
unneeded records. For larger data sets, more attributes are often needed because they feed
operational data stores, data warehouses, data marts, or data lakes.
  Relationship Between Elements Include Validity, Completeness, and Accuracy: Validity
pertains to data being entered in the correct manner, for example, the units for a measure
of length are all entered in inches. Completeness simply means no required data is missing
from the data set. Accuracy means the data entered is true and free from errors.

3.4 Types of Loading


There are different types of loading that may occur when loading data into a repository:
  Initial (Full) Loading: Initial loading occurs when the entire data set is loaded into a
repository. This is referred to as an initial load if the data being loaded does not have any
prior iterations in the repository.
  Incremental Loading: Only the differences between existing data and new data are added
to the data repository. This would be done after an initial load has already been executed
and may be done in either real time (streaming) or in batches.
  Full Refresh Loading: An entire data set is loaded into the repository, replacing the
previous load.

3.4.1 Load Verification


Once data is loaded into the data repository, it is vital to validate it to ensure no data was
lost in the process. This will mirror the validation exercises performed in the extraction and
transformation processes. The load should be visually inspected for discrepancies, the record
count reviewed to ensure it matches appropriately with what was expected, descriptive statistics
run on numerical values, and sample audits should be performed where appropriate to verify
accuracy and completeness.

4 Data Analytics

Data analytics is the process of taking raw data, identifying trends, and then transforming that
knowledge into insights that can help solve complex business problems. The applications used
to perform analytics can range from simple statistics like sums and averages to more advanced
functions such as statistical modeling or machine learning (self-learning computer algorithms).
Once the ETL process has been performed, data analytics can be utilized for a variety of tasks,
including validation, planning, insights, risk mitigation, and decision support.




4.1 Types of Data Analytics


There are four key applications in data analytics.

Figure: Value and complexity increase from descriptive through prescriptive analytics.

Descriptive analytics: describing or explaining what has occurred (backward-looking)
Diagnostic analytics: diagnosing or explaining why it occurred (backward-looking)
Predictive analytics: predicting what will occur (forward-looking)
Prescriptive analytics: prescribing what could or should occur (forward-looking)

4.1.1 Descriptive Analytics


Descriptive analytics indicate what happened. This form of analytics summarizes the activity that
has occurred within a given attribute or attributes. For instance, the number of click-throughs on
a link in a direct marketing email would be a form of descriptive analytics. Common descriptive
analytic techniques include the following:
  Observing summary statistics such as a data set's minimum, maximum, mean, median,
mode, record count, and sum
  Sorting the data to reveal ranges or patterns
  Analyzing the data based on age, location, time, income, or other distinguishing characteristics

4.1.2 Diagnostic Analytics


Diagnostic analytics reveal why an event happened. It goes a step beyond descriptive analytics and
attempts to uncover correlations, patterns, and relationships within a data set to explain why an event
or result occurred. There may be a specific question that diagnostic analytics can solve, such as "Why
did a particular group of consumers have a higher response rate to an advertisement than others?"
Common diagnostic analytic techniques include the following:
  Performing a "drill-down" analysis, which involves mining underlying data to answer
questions or better understand descriptive analytics
  Performing a cluster or profile analysis to determine if any similar groupings of variables
reveal insights or unknown answers to questions
  Performing a correlation analysis between two or more variables in a data set to determine
whether changes in one data point were related to changes in another variable
  Performing sequence checks to see if there are any gaps or duplication issues in the event
of unexpected results

4.1.3 Predictive Analytics


Predictive analytics help forecast future data points by transforming insight into foresight,
projecting what will happen based on historical data. Common predictive analytic techniques
include the following:
  Regression analysis utilizes a mathematical model to determine the relationship between
a dependent variable and one or more independent variables. Simple linear regression
only uses one independent variable whereas a model using two or more is referred to as
multiple regression. The resulting regression equation can be used to forecast future values.


  Classification analysis utilizes already labeled data points and allocates them into similar
groups, which can then be used to make predictions about the future. Classification differs
from regression analysis because it works to predict a category (or class) using predefined
criteria that are based on past activities.
  Decision trees are also useful tools in predictive analytics; they rely on the probability of
outcomes. These models begin with a single decision node that can have two or more outcomes,
and each successive outcome can in turn have two or more outcomes. Drawn out, the model
resembles a tree.

4.1.4 Prescriptive Analytics


Prescriptive analytics reveal how to achieve a desired event by "prescribing" what the next
course of action should be in order to reach that outcome. Prescriptive analytics take the
probability learned from predictive analytics and turn that into recommendations and optimal
paths to take with a high likelihood of favorable outcomes.
Common prescriptive analytic techniques use decision support systems to assist in strategic
decision making as follows:
  Artificial intelligence and machine learning, which is a form of self-learning adaptive computer
model not reliant on continuous human input, can improve the way employees make decisions
by supplying them with the most likely outcome given any combination of circumstances.
  Scenario modeling, or "what-if" analysis, is a form of decision support system that allows
users to make decisions with the knowledge that a range of outcomes will occur with a
probability assigned to each of those outcomes.

Illustration 5 Application of Analytics in Accounting

Below are examples of each type of data analytics:


— Descriptive: An accountant working for a large manufacturer is tasked with determining
how much the organization needs to budget in its allowance for doubtful accounts for
the coming fiscal year. The first step should be to perform descriptive analytics on its
allowance over the past year, researching basic aging statistics such as the outstanding
accounts by period (30 days, 60 days, etc.), the average percentage or dollar amount of
outstanding receivables, and other relevant descriptive data points.
— Diagnostic: Management wants to understand which suppliers are causing accounts
payable to spike and why. Because vendors must submit financial statements
periodically in order to transact on credit, management decides to perform a correlation
analysis to determine whether any financial statement line item is correlated with
delinquent payments. The results indicate that vendors repeatedly making late payments
also have a high balance of short-term debt and decreasing trends in operating cash
flows, potentially indicating cash flow problems as being the common root cause.
— Predictive: An electric power company wants to project its outages over the winter
months. The company has performed a regression analysis using the last 20 years of
historical data and discovered a strong relationship between fall temperatures and
winter outages. Therefore, it uses predictive analytics and applies the current year's fall
temperatures to the model at the beginning of the winter season to forecast outages.
— Prescriptive: A large corporation wants to expand internationally into multiple countries.
It wants to see which combination of locations would result in the highest profits with the
lowest tax implications. Tax policies are constantly changing, and the rate of change varies
by foreign nation. The company decides to employ a "what-if" scenario model in which it
projects a series of tax outcomes based on probability from historical tax policy shifts.




4.2 Uses of Data Analytics


Data analytics can be used in many aspects of business to optimize the decision-making process.

4.2.1 Customer and Marketing Analytics


Obtaining customer data to build consumer profiles and analyze spending preferences allows
organizations to optimize their marketing strategies. This, in turn, can lead to an increase in
sales and improved customer experience through timely offerings, promotions, and discounts.

4.2.2 Managerial and Operational Analytics


Managerial and operational analytics are usually run in real time to maximize efficiencies
and production within an organization. This can be done to monitor material and labor costs
and make decisions in real time. Organizations often incorporate analytics into their key
performance indicators.

4.2.3 Risk and Compliance Analytics


Organizations can monitor their transactions through continuous auditing, continuous
monitoring, and continuous reporting to ensure all transactions and activities meet all
compliance objectives, such as adherence to controls, covenants, and applicable regulations.

4.2.4 Financial Analytics


Financial analytics allow organizations and analysts to monitor financial performance through
data mining and ratio analysis on a continuous basis.

4.2.5 Audit Analytics


Analytics are key to an audit. Auditing typically involves four types of analytics: (a) assessing risk,
(b) providing assurance around certain operations, (c) establishing thresholds and expectations,
and (d) improving the quality of the audit by testing full populations.

4.2.6 Tax Analytics


Government entities, organizations, tax accountants, and analysts use tax analytics to organize
tax information and guidelines, improve tax planning, and monitor tax performance indicators.

5 Data Visualizations

Interpreting insights from Big Data analysis can be challenging but communicating those insights
effectively can be even more difficult. This makes it important to select the right communication
technique. Summarized outputs in the form of tables or statistics are insightful; however,
turning complex data sets into easily read and understood visualizations makes the decision
process more accessible, efficient, and effective for decision makers.

5.1 Types of Data


The type of data being presented can impact the choice of data visualization utilized. There are
two broad categories of data.

5.1.1 Qualitative Data


Qualitative data is nonnumerical and considered to be categorical in nature. Qualitative data is
either nominal or ordinal. Nominal data is the simplest form of data that cannot be ordered or
ranked. Ordinal data is categorical and not quantitative, but it can be ranked in a meaningful
way, such as from cold, to cool, to warm, to hot.


5.1.2 Quantitative Data


Quantitative data is numerical in nature. Quantitative data may be discrete or continuous.
Discrete values are whole numbers and can only have certain values. Continuous data can take
on any value (including decimal values) within a given (finite or infinite) interval.

5.2 Types of Data Visualizations


There are several different visualization types and techniques, which are dictated by the purpose
of the visualization. Common visualization types and rationales include the following:
  Line Charts: Line charts are best used when showing quantitative trends over time and can
help users discover hidden trends. Typically, line charts will show dates across the x-axis
and numeric values on the y-axis, with a line representing a certain attribute's values at
each date.

Line Chart

  Column Charts: Column charts are effective at showing comparisons. Attributes are
typically listed along the x-axis while values are listed on the y-axis with vertical columns
emanating from each attribute to the appropriate value. Column charts easily show which
attributes are highest and lowest.
Bar charts are exactly the same as column charts, with the x-axis and y-axis values being
switched, causing the vertical columns to become horizontal bars.

Bar Chart (y-axis: Growth rate; x-axis: Quarter)


  Stacked Column Charts: Stacked column charts are similar to column charts; however,
each column is stratified to show additional details. These are very effective when you want
to have total comparisons as well as percentage breakdowns of the whole.

Area/Stacked Chart (y-axis: Revenue, in thousands; x-axis: Months, Jan through Nov)

  Scatter Plots: Scatter plots demonstrate relationships between two variables, with a marker
(usually a filled circle) placed at the intersection of each observation's x and y values. When
using quantitative data, the points can be plotted onto a scatter plot and a simple trendline can
be added as a form of simple regression to provide information on correlation.

Scatter Plot (Dollars spent per visit; axis: Dollars spent)


  Boxplots: Boxplots are graphical displays that show lower and upper extremes, lower and
upper quartiles, as well as the median data point.

Boxplot (labeled elements: Scale; Outlier/single data point; Lower extreme; Lower quartile;
Median; Upper quartile; Upper extreme; Whisker)

  Dot Plots: A dot plot is a two-dimensional mapping of observations onto a coordinate plane,
with one dimension representing the frequency of observations of the other dimension.

Dot Plot (y-axis: Frequency, 0 to 3.5; x-axis: Price, $0 to $500,000)


  Geographic Maps: Geographic, or filled, maps demonstrate values on a geographic map
and are typically colored or shaded in a manner to signify numeric values.

Geographic Map

  Symbol Maps: Symbol maps demonstrate data on a geographic map through the use of
symbols (typically, filled circles) to help users compare and contrast values.
  Pie Charts: Pie charts show respective proportions of a whole value and are presented as a
circle representing 100 percent of a value, which is then subdivided into slices representing
a proportional breakdown.

Pie Chart (Percentage of Annual Revenue; slices: 46%, 23%, 19%, 12%)


  Pyramid: Understanding underlying foundations or building blocks can be effectively
portrayed using a pyramid chart. This is most helpful when the bottom layer represents an
action or a target that must first be achieved before the next layer up can take place.

Pyramid (layers from top to bottom: Knowledge, Information, Data Facts, Measurement)

  Flowcharts: Flowcharts map out a process that has beginning and ending steps and a series
of steps in between. These are commonly used in project management to show different
phases or milestones across a period of time.

Flowchart


  Waterfall Chart: Waterfall charts show the cumulative effect of a series of data points that
make up a whole. The presentation is in a cascading form, with each incremental value
contributing to the total of all data points.

Waterfall Chart (y-axis: Profit change %; x-axis: Time)

  Directional Charts: Highlighting key events or milestones over time can be depicted using
directional charts, with the earliest data and event beginning on the left and the ending
event on the right.

Directional Charts
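Two of the chart types above are built on statistics the text names but does not compute: the boxplot (lower and upper extremes, quartiles, median, and the single points plotted as outliers) and the scatter plot's simple regression trendline with its correlation. The following is an added example, not code from the Becker text; the invoice totals and the spend-versus-visits pairs are constructed, and the 1.5 x IQR whisker rule is an assumption (Tukey's convention), since the text does not say where a whisker stops.

```python
"""Statistics behind two chart types: the five-number summary and outlier
fences that a boxplot draws, and the least-squares trendline and correlation
a scatter plot overlays.

Added example, not from the Becker text. The sample data are constructed.
"""
import math


def _percentile(sorted_values, p):
    """Linear-interpolation percentile (the method NumPy calls 'linear')."""
    if not sorted_values:
        raise ValueError("empty data")
    k = (len(sorted_values) - 1) * p
    lo, hi = math.floor(k), math.ceil(k)
    if lo == hi:
        return sorted_values[int(k)]
    return sorted_values[lo] + (sorted_values[hi] - sorted_values[lo]) * (k - lo)


def boxplot_summary(values, whisker=1.5):
    """Return the numbers a boxplot shows: quartiles, median, whisker ends, outliers.

    Assumption (Tukey): whiskers extend to the most extreme data point within
    whisker * IQR of the box; anything beyond is drawn as a single point.
    """
    data = sorted(values)
    q1, med, q3 = (_percentile(data, p) for p in (0.25, 0.5, 0.75))
    iqr = q3 - q1
    low_fence, high_fence = q1 - whisker * iqr, q3 + whisker * iqr
    inliers = [v for v in data if low_fence <= v <= high_fence]
    return {
        "lower_extreme": inliers[0],
        "lower_quartile": q1,
        "median": med,
        "upper_quartile": q3,
        "upper_extreme": inliers[-1],
        "outliers": [v for v in data if v < low_fence or v > high_fence],
    }


def trendline(xs, ys):
    """Ordinary least-squares line y = slope * x + intercept, plus Pearson's r."""
    n = len(xs)
    if n != len(ys) or n < 2:
        raise ValueError("need at least two paired observations")
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0:
        raise ValueError("x values are constant; no trendline is defined")
    slope = sxy / sxx
    intercept = my - slope * mx
    r = sxy / math.sqrt(sxx * syy) if syy else 0.0
    return {"slope": slope, "intercept": intercept, "r": r}


# Constructed sample: daily invoice totals with one clearly anomalous day.
INVOICE_TOTALS = [410, 455, 470, 480, 495, 500, 515, 530, 545, 560, 1900]
# Constructed sample: dollars spent per visit (x) against visits per month (y).
SPEND = [10, 20, 30, 40, 50]
VISITS = [3, 5, 7, 9, 11]

if __name__ == "__main__":
    print(boxplot_summary(INVOICE_TOTALS))
    print(trendline(SPEND, VISITS))
```

On the constructed invoice totals the box runs from 475 to 537.5 with the median at 500, the whiskers stop at 410 and 560, and 1,900 is the lone outlier point; a reviewer would see that single dot before reading any table. The trendline on the spend data has slope 0.2, intercept 1 and r = 1.0, which is what a perfectly linear constructed sample should give.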

5.3 Visualization Tool Capabilities


The most important capabilities needed in visualization tools to support modeling and analysis
are those that promote versatility in using the data and allow multiple types of visualizations to
be created using one data set. In many cases, data is formatted in a way that is conducive only
to one type of visual. By transforming it into a form that can be fed into many visualizations, its
communication potential grows. For example, an income statement is presented with labels for
rows and tabs, and it also has totals, sums, and calculations. Although the data is presented in
this way to adhere to GAAP, there are actually more ways to report this data so that it can be
manipulated into other types of visuals.


5.4 Considerations for Design


The following is a list of best practices for data visualization when communicating key findings
from a data set:
  Scale Appropriately: The scaling of the x-axis and y-axis should not be misleading.
Typically, numeric value scaling should start at 0.
  Use Legends Appropriately: If there are more than four to five colors, then avoid using a
legend because it could be difficult to follow.
  Avoid Bias: Do not present information in such a way that would direct the reader toward a
specific conclusion.
  Use Consistent Time Periods: Do not compare results from a longer period with those
from a shorter period.
  Use Colors That Can Be Easily Seen and Follow Cultural Norms: For example, showing an
upward trend in a line graph with the color red may be misinterpreted in the United States,
because red is typically associated with negative connotations.
  Use Clear and Easy-to-Read Titles and Labels: Labels should be used sparingly—only
when accuracy is necessary.

Illustration 6 Visual Distortion

Messages from data can be manipulated by reframing parameters. The charts below show
the exact same data; however, the y-axis in Figure 1 has a minimum value of 0 percent.
The y-axis in Figure 2 has a minimum value set at about 25 percent, emphasizing the
incremental difference between Company X and Company Y's growth in annual revenue.
Figure 2 distorts the difference, which may be misleading for users.

Figure 1 and Figure 2 (y-axis: Annual revenue growth %; bars for Company X and Company Y)


Illustration 7 Importance of Scale

If pictures are used to represent data, be careful to scale them appropriately. In the
following images, the vertical axis is faithful, and Oscar has eaten twice as much pizza
as Shelly. However, the image of the pizza has been scaled in two dimensions, making it
appear that Oscar has eaten four times as much.

Slices of Pizza Eaten (two panels; y-axis: Slices of pizza eaten, 0 to 5; bars for Shelly and Oscar)

Question 1 MCQ-14510

An organization has decided to analyze social media postings concerning the industry in
which it operates. The resulting data include text, numbers, images, and videos. Which
category of Big Data best describes these items?
a. Volume
b. Velocity
c. Veracity
d. Variety

Question 2 MCQ-14511

If an organization decides to analyze sales by looking at the average sales by region, it
would be implementing which type of data analytic process?
a. Predictive analytics
b. Diagnostic analytics
c. Prescriptive analytics
d. Descriptive analytics

5
MODULE

System Development and Change Management BEC 6

1 Evolving the IT Infrastructure

As information technology (IT) equipment reaches the end of its useful life and as technology
advances, organizations update their IT infrastructure over time to keep pace with these shifts
or to be early adopters. These updates may involve upgrading existing software and hardware,
acquiring and changing to new hardware and software, or even developing infrastructure
components in-house. All of these approaches can be effective; however, they come with
potential risks that must be managed and controlled.
The need for change could be driven by many factors including the following:
  Existing systems are no longer supported by vendors who provide technical support.
  Existing systems are no longer compatible with modern software or hardware.
  Advances in technology have resulted in more effective systems being available.
  Competitive advantages to be gained through improvements in processes.
  Growth or expansion of the organization, requiring more scalable solutions.
  Shifts in consumer demand or preferences that require changes in the way
technology performs.

2 Change Management Overview

2.1 Defining Change Management


Change management is a term used to describe the policies, procedures, and resources
employed to govern change in an organization. These changes may be initiated from within the
organization or imposed from sources outside the organization, but they will usually have an
impact on IT infrastructure and governance no matter the source.
The scope of change to be managed can range from something as routine as implementing
a new marketing technique to an initiative as complex and infrequent as overhauling an
organization's IT infrastructure. Regardless of the scope or size of a change management
project, potential risks need to be mitigated to minimize disruption to core business functions
and operations.


2.2 The Change Management Process


A robust change management process is a key component for successfully ensuring that an
organization can keep up with changing needs without losing the ability to operate or achieve
its strategic objectives. The following steps can help a company chart its path from change
inception to implementation:
  Identify and define the need for change.
  Design a high-level plan including goals to be achieved as a result of the change.
  Obtain approval from management for the change.
  Develop an appropriate budget and time line.
  Assign personnel responsible for managing the change.
  Identify and address potential risks that could occur during the change or post implementation.
  Provide an implementation road map.
  Procure necessary resources, including IT, and train the appropriate personnel.
  Test the change.
  Execute the implementation plan.
  Review and monitor change implementation and test as needed to verify effective
implementation.

3 Change Management Risks

A key component of change management is identifying the potential risks that could arise
as a result of the change. These risks are present in all steps of change from acquisition to
implementation and can affect existing systems, processes, and employees.

3.1 Selection and Acquisition Risks


Selecting and acquiring new IT resources is a fundamental area in which risks exist in the change
management process. Examples include:
  Lack of Expertise: When selecting and acquiring software, there is a risk that the
purchasing agent does not have the expertise or organizational perspective to purchase
software that meets the needs of an organization. There is also a risk that the personnel
who will be using the software do not have the expertise or ability to operate it.
  Lack of Formal Selection and Acquisition Process: There is a risk that an organization
either does not have, or does not follow, a formal selection and acquisition process as
it pertains to software. This could result in overspending, inappropriate related party
transactions or kickbacks, or software that does not align with the IT governance strategy.
  Software/Hardware Vulnerability and Incompatibility: When selecting and acquiring
software and hardware packages, there is the risk that proper safeguards and security
features that are needed to adequately protect an organization from unauthorized use do
not exist. There is also the risk that newly acquired hardware and software are incompatible
with each other or with existing resources that will remain in production.


3.2 Integration Risks


Once the software has been selected and acquired, it must be integrated into existing systems
and processes. This may prove to be one of the most difficult risks to manage, because there
are many nuances that are further complicated by employee perceptions and attitude toward
accepting change. Examples of integration risks include:
  User Resistance: When change occurs (especially technology-related changes), there is
often resistance to adoption of the change by employees. As a result, there is a risk that
employees do not adapt to the change, ignore training, and ultimately do not follow through
with change appropriately.
  Lack of Management Support: If management does not provide both resources and
adequate support, this could magnify existing employee resistance.
  Lack of Stakeholder Support: The stakeholders involved in the change may range from
employees to suppliers to customers, any of which may have an adverse reaction or
disposition toward change.
  Resource Concerns: Frequently, change can be resource-intensive from both financial and
labor perspectives. As a result, appropriate resources may not be made available for the
change, which may lead to ineffective implementation.
  Business Disruption: When making major changes to IT infrastructure, there is the
potential for brief or even prolonged information system failures. This could cause
significant disruptions to core functions and could have long-term negative consequences
on the organization.
  Lack of System Integration: Due to the ever-changing technological landscape,
organizations may operate many different systems, some of which may be legacy systems
(original or older software programs) that do not effectively adapt or integrate with more
modern systems.
  Compliance Risk: To integrate multiple systems, organizations must adequately configure the
way applications interact, transmit data, and allow/deny access to users. Changes in the way
data flows through a system may put the integrated systems at risk for being noncompliant
with privacy regulations, internal standards, or other applicable standard‑setting entities.

3.3 Outsourcing Risks


When planning a significant IT change or system upgrade, some organizations choose to
outsource the change management process. This may be pursued as a cost-saving approach or
to leverage the expertise of an external agency. Along with the benefits of outsourcing change
management come risks. These risks include:
  Lack of Organizational Knowledge: Outsourcing the change management process
could leave the organization vulnerable, because it must rely on the third party to fully
comprehend the organization's business model and needs so the third party integrates that
change into the organization without causing disruption.
  Uncertainty of the Third Party's Knowledge and Management: When outsourcing
change management or any IT function, there is a risk that the external party has ineffective
or weak management, inexperienced or underqualified staff, and a lack of technology
expertise. These risks can cause the outsourcing of IT to fail.
  Failure of the Third Party Delivering: If a key system within a process is outsourced, the
dependency of an entire function could be at risk. This makes it important to identify critical
components within an IT or business process so that risk can be mitigated.


  Lack of Security: Outsourcing IT functions can lead to transmission of sensitive and
confidential data. As a result, there is a risk that an external organization does not
have sufficient or effective safeguards to make sure that client, customer, employee, or
operational information is kept secure.
  Lack of Quality: Outsourced IT products and services do not always meet expected quality
standards. Likewise, outsourced products may function as expected but the ongoing
support for updates or maintenance of those products may be subpar.
  Unexpected Costs: Not all costs are evident when implementing a system, or at least the
frequency of known costs may be unclear up front. Support fees could seem reasonable as
infrequent lump sums, but systems that require substantial support can drive up costs quickly.
  Lack of Key Performance Indicators (KPI): If the organization and outsourcing agency
do not have a firm agreement on target KPIs or service delivery, the change management
process could get derailed.

4 Change Management Controls

4.1 Change Management and New Systems Controls


Once all risks in the change management process have been identified, controls are designed
to minimize the possibility that the inherent risks will cause business disruptions or negatively
impact IT systems. Change management controls that should be considered when implementing
new systems include the following:
  Policies and Procedures: Clear change management guidelines are needed to outline
how the change management process should be executed, from selection to integration
and maintenance.
  Emergency Change Policies: Separate contingency policies and procedures provide
direction for emergency change situations that allow for an expedited process that still
maintains an audit trail and appropriate controls. Emergency changes arise when a crisis
or time-sensitive threat requires a quick response, such as an operating system patch that
exposes a company to severe security threats.
  Standardized Change Requests: Standardizing change requests by using consistent forms
and request protocols helps complete all required changes in a timely fashion.
  Impact Assessments: Documentation noting the effect a change will have on the
organization's business activities as well as any potential disruptions will help prepare an
organization for successful change implementation.
  Authorization: Requiring designated levels of authorization for changes, including material
modifications to the initial change plan, is necessary to protect against unauthorized
modification to a project's scope.
  Separation of Duties: Properly separating job roles will help protect against assets or
information being utilized improperly. This would include, for example, distinguishing
team members who develop and design specific components from employees who are
responsible for placing those components into production.
  Conversion Controls: When migrating from an existing system or process to the new ones,
conversion controls help minimize data conversion errors related to the affected IT assets
and resources.


  Reversion Access: Some changes may cause unexpected complications; therefore, it is important
to have the ability to revert to the prior system or process that existed before the change.
    - This can be accomplished through parallel implementation in which the organization
maintains two environments at the initial onset of the change, one with the change
implemented (development environment) and one without the change implemented
(production environment).
  Pre-implementation Testing: Before moving the change into production, testing will help
determine if the change is functioning properly and there are no irregularities.
  Post-implementation Testing: After the change is moved into production, reconciling
transactions processed in the new environment against the same transactions that
were processed in the previous environment will validate whether the change was
implemented properly.
  Ongoing Monitoring: Continuous periodic reviews after implementation will promote
long-term success. This may commence at shorter intervals (weekly) but can move to
greater intervals (monthly/quarterly/annually) as the change proves successful over time.
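Several of the controls in this list (standardized requests, impact assessments, tiered authorization, separation of duties between whoever develops a change and whoever places it into production, an emergency path that keeps its audit trail, and a recorded way to revert) can be enforced by the change-tracking system itself rather than left to policy. The following is an added example, not code from the Becker text; the role names, the three approval tiers, and the request fields are assumptions constructed for this illustration.

```python
"""A minimal change-control workflow enforcing standardized requests, tiered
authorization, separation of duties, an emergency path with an audit trail,
and a mandatory rollback plan.

Added example, not from the Becker text. Role names, approval tiers and the
request fields are assumptions for this illustration.
"""
from dataclasses import dataclass, field

# Assumed authorization tiers: which roles may approve a change of a given impact.
APPROVERS_BY_IMPACT = {
    "low": {"team_lead", "change_manager", "cio"},
    "medium": {"change_manager", "cio"},
    "high": {"cio"},
}


@dataclass
class ChangeRequest:
    """Standardized request form: every change carries the same fields."""
    ident: str
    requester: str
    developer: str
    impact: str                      # "low" | "medium" | "high"
    impact_assessment: str           # what is affected and how
    rollback_plan: str               # how to revert (reversion access)
    emergency: bool = False
    approvals: list = field(default_factory=list)   # (person, role)
    audit_trail: list = field(default_factory=list)
    state: str = "submitted"

    def _log(self, event):
        self.audit_trail.append(event)

    def approve(self, person, role):
        """Authorization: only a role designated for this impact level may approve,
        and never the requester or developer of the change itself."""
        if role not in APPROVERS_BY_IMPACT[self.impact]:
            self._log(f"REJECTED approval by {person} ({role}) for impact={self.impact}")
            raise PermissionError(f"{role} cannot approve a {self.impact}-impact change")
        if person in (self.requester, self.developer):
            self._log(f"REJECTED self-approval by {person}")
            raise PermissionError("requester/developer cannot approve their own change")
        self.approvals.append((person, role))
        self._log(f"approved by {person} ({role})")
        self.state = "approved"

    def deploy(self, deployer, tested: bool):
        """Separation of duties: whoever moves the change to production is not its developer."""
        if deployer == self.developer:
            self._log(f"REJECTED deployment by developer {deployer}")
            raise PermissionError("developer may not deploy their own change")
        if not self.approvals:
            raise PermissionError("no authorization on record")
        if not self.rollback_plan.strip():
            raise ValueError("rollback plan is required before deployment")
        if not tested and not self.emergency:
            # Normal path: pre-implementation testing is mandatory.
            raise ValueError("pre-implementation testing not recorded")
        if not tested and self.emergency:
            # Emergency path: expedited, but the skipped step is written down
            # so post-implementation testing can follow.
            self._log("EMERGENCY: deployed without pre-implementation test; post-test required")
        self._log(f"deployed by {deployer}")
        self.state = "deployed"
        return self.state


if __name__ == "__main__":
    cr = ChangeRequest("CR-1", "alice", "alice", "medium",
                       "payroll batch delayed one hour", "redeploy previous build")
    cr.approve("bob", "change_manager")
    print(cr.deploy("carol", tested=True), cr.audit_trail)
```

The emergency flag changes only what may be skipped, never what is recorded: the audit trail keeps the approval, the deployer, and an explicit note that testing was deferred, which is what lets the post-implementation review in the next item pick the change up.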

5 Managing Risks of Systems Development

Organizations may acquire a new system or choose to develop a new system in-house. Both
processes have their own risks and concerns but still follow the general systems development
life cycle (SDLC).
The systems development life cycle is a framework that organizes tasks at each phase of
development and use of a business process. There are two strategies for managing the SDLC in
general use today. The first strategy is called the traditional method or the waterfall model. The
second method, called agile development, evolved from the waterfall model.

5.1 The Waterfall Model


The systems development life cycle provides a model for organizations to create, modify, or
acquire information systems to meet the needs of organizations and their users. The SDLC guides
an organization through seven key steps: 1) plan, 2) analyze, 3) design, 4) develop, 5) test,
6) deploy, and 7) maintain.

Waterfall Model (figure: a cycle of the seven steps, 1 Plan, 2 Analyze, 3 Design, 4 Develop,
5 Test, 6 Deploy, 7 Maintain)

The waterfall model is characterized by different teams of employees performing separate tasks
in sequence, with each team beginning work from the prewritten authoritative agreement of the
preceding team and then ending work when the business requirements for the team have been
met. The project then passes to the next team. The following are some challenges associated
with the waterfall model:
  Requires a great deal of time to complete.
  Benefits of the new system are not realized until complete.
  There is no customer input and change can be difficult to manage.
  Some employees may be idle before beginning or after completing their SDLC step.


5.1.1 Plan
During the planning phase, the organization evaluates the need for a new or improved
information system. Here the organization will establish and compile what business objectives
the information system should achieve as part of the broad overview of the project. Feasibility
analysis is also performed during this step to determine if it is economically, operationally, and
technically feasible to improve or replace the information system.

5.1.2 Analyze
During the analysis phase, information is gathered from all vital stakeholders to
comprehensively compile and analyze all the needs of the end users to establish specific and
detailed goals to be accomplished by the project. This will enable the project team to have a
clear understanding of the system requirements.

Pass Key

In some models, planning and analysis may be combined and called the requirements phase.
Less frequently, "development" is used for "plan and analyze" and "production" is used for
"develop." Regardless of the words used, planning what to build comes before building it.

Illustration 1 Planning and Analysis

A company is considering developing an app to sell tickets to the upcoming Olympic
Games. During the planning phase, management assesses the company's potential profit
from the app. If deemed profitable, management will submit the bid to the host country.
Submission of the bid ends the planning stage.
During the analysis phase, a business requirements document (BRD) is developed and
becomes the foundation for the development of the project. The BRD contains the
following specifications:
— "Customers must be able to access the marketplace from their computer or mobile
device to see a real-time view of available offers and prices."
— "Customers must be able to pay for tickets using local currency and reserve their
selections while payment is verified."
— "The host country wants customers to be able to alter the price of unsold tickets daily
between the go-live date and two weeks prior to the ticketed event. Customers must also
be able to alter the price of unsold tickets hourly within two weeks of the event."

5.1.3 Design
Using the information gathered during the planning and analysis phases, the project team will
then start designing the system to meet the agreed-upon user needs. The process will start with
high-level conceptual designs usually represented by diagrams to reconcile big-picture goals
and system requirements. Next, the creation of the technical implementation plan occurs as
business requirements are translated into technical design documents. Individual technologies
are evaluated and selected, including logical data organization, physical data storage architecture,
programming languages, integration with third-party services, and/or deployed hardware.


The design phase can be subdivided into three parts:
  Conceptual Design: broad translation of business requirements into technical requirements
  Logical Design: hardware and software specifications
  Physical Design: more granular platform and product specifications

Illustration 2 Design Stage

During the design phase, each business requirement is further developed and expanded. For
example, the requirement that "Customers must be able to pay for tickets using local currency
and reserve their selections while payment is verified" is expanded to specify credit cards
accepted for payment, fees charged, and the time line to complete the conceptual design.
Specification of data file formats for transmission to credit card vendors and data warehousing
systems are developed in the logical design phase. Physical design would include any
specialized hardware to comply with payment card industry standards, server hardware, cloud-
based hardware, and workstation software and hardware for developers and programmers.

5.1.4 Develop
The technical implementation plan created in prior phases is executed in the develop step.
Buildings and rooms are prepared, hardware is purchased and delivered, and programmers
create proprietary software to run the company's new product if applicable. The new system
is completely built or improved at this stage and most of the project budget is spent, having
committed dollars to employ experts and purchase assets. Changes to the plan become more
expensive in this stage because each step builds on the prior steps. For example, changes in the
develop stage may not be supported by the original architecture in the design stage or achieve
feasibility as outlined in the plan and analysis phases.

5.1.5 Test
The system is checked for adherence to the business requirements in this step. The new or improved
system must function as planned in the analysis and design stages. In addition to backward-looking
testing, which tests against the initial requirements, forward-looking testing is conducted to see how
well employees and customers can perform tasks (called user‑acceptance testing).

5.1.6 Deploy
After the system has been fully vetted and tested, the organization will choose and document an
implementation strategy to deliver the system to end users. There are several methods available
for deployment that depend on available time, cost, and the cost of failure to the business:
  Plunge or Big Bang: The entire new system is immediately delivered to all users and
customers (lowest cost, highest risk).
  Ramped (Rolling, Phased) Conversion: Portions of the new system replace corresponding
parts of the old system, one piece at a time (above-average cost, below-average risk).
  A/B Testing (Pilot, Canary): A subset of users gets the new system while the old system is still
in use and assigned to current and new users or customers. After successful deployment to the
subset of users, the new system is deployed to the remaining users (average cost, average risk).
  Blue/Green (or Other Pair of Colors), or Shadow: The new system is fully deployed in
parallel with the old system; a routing layer directs progressively more duplicated traffic
to the new system. Once the new system is handling all the traffic, the old system is
deactivated (highest cost, lowest risk).
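The pilot/canary and blue/green strategies both depend on a routing layer that sends a controlled share of traffic to the new system, keeps each user on the same side so the pilot subset is stable, and can send everything back to the old system when the new one misbehaves. The following is an added example, not code from the Becker text; the hashing scheme, the error-rate threshold, and the minimum sample size are assumptions constructed for this illustration.

```python
"""Routing layer for canary and blue/green deployments: each request goes to
the old ("blue") or new ("green") system according to a traffic percentage,
the same user always lands on the same side, and a failing green system
triggers automatic reversion to blue.

Added example, not from the Becker text. The error-rate threshold and the
hashing scheme are assumptions for this illustration.
"""
import hashlib

ROLLBACK_ERROR_RATE = 0.05  # assumed: revert if more than 5 % of green requests fail
MIN_SAMPLE = 20              # assumed: do not judge the error rate on fewer requests


def bucket(user_id: str) -> int:
    """Stable 0..99 bucket for a user, independent of process restarts."""
    digest = hashlib.sha256(user_id.encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big") % 100


class Router:
    def __init__(self, green_percent: int = 0):
        self.green_percent = green_percent
        self.green_ok = 0
        self.green_failed = 0
        self.rolled_back = False

    def route(self, user_id: str) -> str:
        """Return 'green' (new system) or 'blue' (old system) for this user."""
        if self.rolled_back:
            return "blue"
        return "green" if bucket(user_id) < self.green_percent else "blue"

    def ramp(self, green_percent: int):
        """Progressively shift traffic, for example 1 -> 10 -> 50 -> 100 percent."""
        if not 0 <= green_percent <= 100:
            raise ValueError("percent out of range")
        self.green_percent = green_percent

    def record(self, target: str, success: bool):
        """Feed back request outcomes; a failing green system triggers reversion to blue."""
        if target != "green":
            return
        if success:
            self.green_ok += 1
        else:
            self.green_failed += 1
        total = self.green_ok + self.green_failed
        if total >= MIN_SAMPLE and self.green_failed / total > ROLLBACK_ERROR_RATE:
            self.rolled_back = True
            self.green_percent = 0


def share_on_green(router, user_ids):
    """Fraction of the given users who are routed to the new system."""
    return sum(router.route(u) == "green" for u in user_ids) / len(user_ids)


if __name__ == "__main__":
    users = [f"user{i}" for i in range(1000)]  # constructed user ids
    r = Router()
    for pct in (1, 10, 50, 100):
        r.ramp(pct)
        print(f"{pct:3d}% requested -> {share_on_green(r, users):.3f} observed")
```

Hashing the user id, rather than picking users at random per request, is what makes the pilot a fixed subset: a user who saw the new system on one request keeps seeing it, so problems reported by the pilot group can be attributed to the new system. The rollback path is the "reversion access" control from the change management list applied at the traffic layer.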


5.1.7 Maintain
Ongoing adjustments and improvements occur during the maintenance stage, which begins as soon as
deployment is complete. Adaptations are made to the system to keep it operating at an optimal level.
Over a longer period of time, the new system grows older and eventually will need to be evaluated for
either modification or replacement. When it is time to replace the system, the SDLC repeats.

5.2 The Agile Method


The Agile framework was created to address issues with the waterfall model. Agile is
characterized by cross-functional teams, each dedicated to particular functions or improvements
of a system drawn from a prioritized list of the customer's remaining needs for the system.
Frequent, short meetings are required, and features are kept small enough to be accomplished
by teams during each sprint (usually two weeks) before the team moves on to the next feature.
Communication between teams, within teams, and with customers is crucial in an Agile
environment as the priority list and project backlog constantly change.
The Agile process can be characterized using the following steps:

Agile Software Development Cycle (figure; labeled stages: Concept and design, Requirements,
Planning, Estimation, Scheduling, Prioritization, Backlog, Documentation, Development,
Implementation, Continued testing, Bug fixing, Demonstration, Review and approval,
Customer release, Feedback, Adjustments, Incorporate changes)

Although the items on the left are valuable, Agile promotes the items on the right.

Processes and tools            are less valuable than   Individuals and interactions
Comprehensive documentation    are less valuable than   Working software
Contract negotiation           are less valuable than   Customer collaboration
Following a plan               are less valuable than   Responding to change


The Agile principles are as follows:


1. Satisfy the customer with early and continuous delivery of the highest-priority features.
2. Welcome change: A change request is an opportunity to be closer to the customer needs.
3. Deliver working software frequently; working software is the primary measure of progress.
4. Complete only the work requested by the customer.
5. Conduct short, frequent, and regular meetings to maintain focus and make adjustments.

5.3 Systems Development and New Systems Risks


When going through the systems development life cycle, an organization faces many risks.
These risks can be critical to the project because they can cause delays, inefficiencies, and
wasted resources. The principal risks are outlined below.

5.3.1 Resource Risk


System development is both expensive and time-consuming. There is a risk that allocation of
resources related to finance, labor, or time, is insufficient. This could cause projects to fail due
to incompletion, or it could be an incentive to take shortcuts that might be detrimental to the
development process. Insufficient resources could be caused by a downturn in the economy, the
developing organization's own subpar performance, underestimating of costs in the planning
phase, or even an expanded scope modified during the development process.

5.3.2 Scheduling Risk


The system development life cycle comes with uncertainty pertaining to the time line and
schedule. The project management team will typically establish a completion date and work
backward to establish milestones in the time line. If schedules are not met, if they do not factor
in uncertainties, or if a scope expansion happens along the way, the entire project will be
delayed. A delay at any point in the project will have a ripple effect on all downstream due dates.

5.3.3 Technical Risk


Technical risks are often a major factor when developing a new system. Systems development
is driven by the need for new or updated technology that requires technical knowledge, which
is something internal development teams often do not possess. This means companies may not
be adequately staffed to handle problems that require strong technical knowledge, leading to
system downtime or latency problems. Another technical risk is related to the project design. If
the technical design and functionality do not align with user needs and organizational strategies,
this misalignment may require significant rework, which would cause more delays and
additional, unplanned expense.

5.3.4 Project Management Risk


Systems development requires strong guidelines, leadership, and support throughout the
project. There is a risk that the project management team does not have clearly defined
leadership, team member roles, responsibilities, and project goals. These projects often come
with high stress and may cause employee turnover, dissension, or issues within the team that
can delay the project. Excessive turnover leads to a loss in productivity, as knowledge and
labor are lost in team-member transitions.




5.3.5 User Resistance Risk


When developing a new system, there is always a risk that employees will not accept the
system. Establishing effective communication of the system development process and including
employees as stakeholders in the design can reduce user resistance. Having a system champion
at the management level to promote and support the new system can help alleviate fears and
defiance. The project steering committee, which is made up of senior management, should be
kept informed of project progress and there should be occasional meetings to openly discuss
issues that arise, confirm that schedules are achievable, and address issues in a timely manner.

6 Managing Risks of Legacy Systems

Outdated technology or systems already in service (sometimes the first system ever established)
within an organization are referred to as legacy systems. Maintaining legacy systems is still
common at many organizations due to a number of factors, such as comfort with existing systems
and unwillingness to pay for upgrades. However, the benefits of maintaining a legacy system
versus phasing it out and replacing it usually do not outweigh the risks of keeping the system.

6.1 Reasons for Persistence of Legacy Systems


Many entities choose to continue to use legacy systems due to:
• Costs: The cost to purchase or develop a new system can be extremely high. In addition,
organizations may view the sunk cost of money they have already invested in the current
system as a rationale to continue using it.
• Time: Implementing a new system means allocation of employee time to assist with the
implementation and for system training.
• User Resistance: Users within the organization may be comfortable with the existing
system and resistant to change.
• Features and Customization: Existing systems may be customized to meet the
organizational needs or provide built-in features that may be difficult to replicate.
• Risk of Information Loss: Moving from a legacy system to a new system includes the risks
of having existing data and information corrupted or lost in the transition.

6.2 Risks of Legacy Systems


Using legacy systems exposes an entity to the following risks:
• Security Vulnerability: Some legacy systems may be extremely vulnerable regarding
security. The vulnerability to modern cyberattacks is driven by many factors, including:
  - Hackers and other cybercriminals have become more advanced and educated as they
share flaws and openings that are discovered in systems. This is especially detrimental
to legacy systems, as the vulnerabilities are more widely known because the system has
been in production for a longer period.
  - Legacy systems may have less sophisticated security measures and may have been
designed prior to the development of new types of cyberattacks.
  - Organizations may be slow to install patches, or new patches may not be available for
legacy systems, which creates more vulnerability to attacks.
  - Legacy systems are sometimes paired with new systems or other legacy systems that
leave openings for attack at integration points.

• Lack of Vendor Support: It costs money for a vendor to continue updating and providing
customer support for a product. Eventually, support will end, and newly discovered
vulnerabilities will no longer be patched. Vendors concentrate more of their resources on
developing, updating, and promoting new products rather than maintaining old ones.
• Compatibility Issues: Many legacy systems are incompatible with modern systems. This
can lead to a lack of innovation or it can cause a significant competitive disadvantage for an
organization because the legacy system may no longer meet customers' demands.
• Lack of Efficiency and Effectiveness: Some legacy systems will not be able to compare
with the speed or reliability of a modern system and, as a result, will lead to user frustration
and potentially the inability for the organization to compete in its industry.

Illustration 3 Legacy System Risks

Shutters Computing has been operating for 30 years. It has maintained its original
operating system because management is comfortable with the interface and productivity.
The company that created the operating system is no longer in business and therefore
does not provide ongoing maintenance or support. This operating system is considered
a legacy system and is vulnerable to a variety of cyberattacks due to a lack of vendor
support, insufficient data security measures, and the likelihood of exposure to hackers with
knowledge of the system and its weaknesses.

6.3 Mitigating Risks of Legacy Systems


An entity can mitigate the risks related to its legacy systems by:
• Isolating the System: Isolating a risky legacy system from other systems in a separate
physical or virtual environment can help limit potential damage in the event someone gains
unauthorized access. Although it may be possible to remove any direct connections of the
legacy system to other IT systems in a company's network, this type of siloed setup may
create problems with access or compatibility.
• Hardening: This involves turning off any unnecessary features, services, and accounts of the
legacy system to reduce its attack surface.
• Virtual Patches: If no security patches are available to apply directly to the legacy software
or device, a virtual patch can be applied at the network level (for example, a firewall, intrusion
prevention, or web application firewall rule) that blocks traffic exploiting the known flaw
before it reaches the legacy system.
• Monitoring: Frequent review and monitoring of legacy system logs and changes help to
detect any unusual system activity.
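As an added example that is not part of the textbook, the following Python script shows the last three of these mitigations working together: a network-level virtual patch that screens requests bound for a legacy web application whose vendor no longer ships fixes, a hardened default (only GET and POST reach the host), and a monitoring summary built from the filter's decisions. The application paths, source addresses, and rule set are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample requests bound for a hypothetical legacy web application.
# The application paths, source addresses and rules are assumptions for this
# example, not details from the textbook.
SAMPLE_REQUESTS = [
    {"src": "10.0.5.21",   "method": "GET",   "path": "/legacy/report.cgi", "query": "id=42"},
    {"src": "203.0.113.9", "method": "GET",   "path": "/legacy/report.cgi", "query": "id=../../etc/passwd"},
    {"src": "203.0.113.9", "method": "POST",  "path": "/legacy/admin.cgi",  "query": ""},
    {"src": "10.0.5.21",   "method": "TRACE", "path": "/legacy/report.cgi", "query": ""},
    {"src": "10.0.5.33",   "method": "GET",   "path": "/legacy/report.cgi", "query": "id=42;cat+/etc/passwd"},
]

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate address range

# Each rule is (name, predicate). The predicates stand in for the signatures a
# network device (WAF/IPS) applies in front of software that cannot be patched.
# Order matters: the first matching rule is the one reported.
VIRTUAL_PATCH_RULES = [
    ("block_path_traversal",
     lambda r: "../" in r["path"] or "../" in r["query"]),
    ("block_shell_metacharacters",
     lambda r: re.search(r"[;|`$]", r["query"]) is not None),
    ("block_unsupported_method",                       # hardening: only what the app needs
     lambda r: r["method"] not in {"GET", "POST"}),
    ("admin_interface_internal_only",                  # isolation of the admin interface
     lambda r: r["path"].startswith("/legacy/admin")
               and ipaddress.ip_address(r["src"]) not in INTERNAL_NET),
]


def virtual_patch(request, rules=VIRTUAL_PATCH_RULES):
    """Return (allowed, rule_name); blocked traffic never reaches the legacy host."""
    for name, matches in rules:
        if matches(request):
            return False, name
    return True, None


def filter_requests(requests):
    """Apply the virtual patch to each request and keep a decision record for monitoring."""
    decisions = []
    for req in requests:
        allowed, rule = virtual_patch(req)
        decisions.append({
            "src": req["src"],
            "target": f'{req["method"]} {req["path"]}',
            "allowed": allowed,
            "rule": rule,
        })
    return decisions


def blocked_per_source(decisions):
    """Monitoring view: blocked requests by source address, so repeat offenders stand out."""
    counts = {}
    for d in decisions:
        if not d["allowed"]:
            counts[d["src"]] = counts.get(d["src"], 0) + 1
    return counts


if __name__ == "__main__":
    report = filter_requests(SAMPLE_REQUESTS)
    for d in report:
        print(d)
    print("blocked per source:", blocked_per_source(report))
```

The rule list is deliberately narrow: a virtual patch buys time for a system that cannot be fixed, it does not replace the fix, so each rule should map to a specific known weakness and its hit counts should be reviewed as part of the monitoring step.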




7 Information System and Change Management Testing Strategies

Establishing an ongoing testing plan for information technology is necessary to discover any
problem or functional issues. Testing should involve the acquired software, any developed
software, and the change management process.

7.1 Purpose of Testing


Testing software that was developed in-house accomplishes the following:
1. Determines whether the software is operating as expected.
2. Discovers errors, defects, missing components, and gaps in the software.
3. Verifies that the end product meets the business and user requirements.

7.2 Software Testing Process


The software testing process for change management generally follows these steps:
1. Establish a testing plan including roles, responsibilities, and a time line.
2. Identify and prioritize the key areas of the software to test.
3. Determine which type of test to run and specify the test objectives.
4. Execute the tests.
5. Log the results and identify defects.
6. Report the findings and fix the defects in a timely manner.

7.3 Guidelines for Successful Testing


The following steps represent best practices for testing:
• Develop a test plan that emphasizes rapid cycle testing, which identifies major bugs early in
the development process.
• Build robust software that allows for automated testing.
• Conduct formal technical reviews to assess the test strategy and test cases.
• Develop a continuous testing approach that allows development and operations to
work together through the entire life cycle of the software and identify defects earlier in
the process.


7.4 Types of Tests


Due to the complex nature of systems development, a need exists for a variety of types of
systems testing. An effective testing strategy includes automated, manual, and exploratory
tests to efficiently reduce risk and optimize the release of a system at different stages of its
development. The testing process works from the smallest units of the system to eventual full
system testing by end users. This sequence is typically as follows:

Step 1: Unit Testing Testing the smallest level of code or software program
Step 2: Integration Testing Testing the combination of two or more units of code or a program
Step 3: System Testing Testing the system as a whole once all parts have been combined
Step 4: Acceptance Testing Testing to see if the system works for users as intended and
meets all requirements

The various types of tests are unit tests, integration tests, system tests, and acceptance tests.
These tests are defined as follows.

7.4.1 Unit Tests


Unit tests are used to validate the smallest components (units) of the system. The goal of unit
testing is to isolate each part of the program and show that individual parts are functioning
properly and as designed.

7.4.2 Integration Tests


Integration testing determines if the units, once they are combined, function as designed
together. The goal is to discover if the components integrate effectively and do not create
defects after they are combined.

7.4.3 System Tests


System tests evaluate the system as a whole. Once all components are integrated, the
application as a whole is tested rigorously to determine whether it meets the functional and
technical specifications in addition to any specified quality standards. The application is tested
in an environment that is very close to the production environment in which the application will
be deployed. System testing enables quality assurance (QA) processes and personnel to test,
verify, and validate the business requirements as well as the application architecture. This type
of testing takes on many forms, including:
• Functional Tests: These tests focus on testing the functions performed by the system.
Realistic business scenarios are run through the system to validate that they are working
effectively and efficiently.
• Black-Box Testing: This is a type of functional test in which the tester has little information about
how the product is designed. Instead of focusing on design, testers focus on the end user's
perspective by evaluating interfaces and features in the same manner as an end user.
• White-Box Testing: In contrast to black-box testing, white-box testing involves evaluating
a system from a design perspective, with a focus on code and its design improvement as
opposed to testing functionality.
• Gray-Box Testing: This approach combines both the black-box and white-box testing
techniques. A tester evaluates a system from both a user perspective and a design
perspective. While evaluating user interfaces, the tester has access to source code but does
not analyze it. When the tester evaluates the design of the system, that person focuses on
the logical structure of the program instead of functionality.



• Exploratory Tests: Whereas functional tests are designed to test the core business
functions of an organization, exploratory tests are used for the less-common or
exception-based situations with no specified test cases.
• Performance Testing: This type of testing is designed to test the run-time (speed)
performance of software when processing the required workload.
• Recovery Testing: This form of testing checks the system's ability to recover from failures.
• Security Testing: Security testing verifies that system protection mechanisms prevent improper
penetration or data alteration and validates that authorized access levels function properly.
• Regression Tests: Regression tests rerun previous test cases within the entire application
after new features or functionalities have been incorporated. This is to determine whether
the new features caused any breaks or modifications to functionality.
• Stress Testing: During this test, the program is checked to see how well it deals with
abnormal and/or extreme resource demands (i.e., quantity, frequency, or volume).
• Sanity Testing: A sanity test exercises the logical reasoning and behavior of the software to
determine whether system logic is functioning as designed.
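The following Python example, added here and not taken from the textbook, shows what security tests and a regression run look like in practice for an authorization check. Most of the cases are negative (what the system must refuse), which is what distinguishes a security test from an ordinary functional test, and the same cases are rerun against a later revision of the function to show a regression being caught. The roles, permissions, and session layout are assumptions made for the example.

```python
# Constructed example of security tests around an authorization check.
# Role names, permissions and the session layout are assumptions for this
# example, not details from the textbook.

ROLE_PERMISSIONS = {
    "clerk":   {"invoice:read", "invoice:create"},
    "manager": {"invoice:read", "invoice:create", "invoice:approve"},
    "auditor": {"invoice:read", "audit_log:read"},
}


def authorize(session, action):
    """Deny by default: the session must be authenticated and its role must explicitly grant the action."""
    if not session.get("authenticated"):
        return False
    return action in ROLE_PERMISSIONS.get(session.get("role"), set())


def authorize_after_change(session, action):
    """A later revision, constructed for this example, in which sessions with a
    missing or unknown role silently fall back to clerk rights. This is the kind
    of change a regression run of the security cases is meant to catch."""
    if not session.get("authenticated"):
        return False
    role = session.get("role", "clerk")
    return action in ROLE_PERMISSIONS.get(role, ROLE_PERMISSIONS["clerk"])


# (case name, session, action, expected decision). Negative cases come first:
# security tests exercise what must be refused, not only what must work.
SECURITY_CASES = [
    ("unauthenticated session is denied",
     {"authenticated": False, "role": "manager"}, "invoice:read", False),
    ("clerk cannot approve invoices",
     {"authenticated": True, "role": "clerk"}, "invoice:approve", False),
    ("unknown role is granted nothing",
     {"authenticated": True, "role": "root"}, "invoice:read", False),
    ("session without a role is denied",
     {"authenticated": True}, "invoice:read", False),
    ("auditor cannot create invoices",
     {"authenticated": True, "role": "auditor"}, "invoice:create", False),
    ("manager can approve invoices",
     {"authenticated": True, "role": "manager"}, "invoice:approve", True),
    ("auditor can read the audit log",
     {"authenticated": True, "role": "auditor"}, "audit_log:read", True),
]


def run_security_cases(check=authorize, cases=SECURITY_CASES):
    """Run every case against the given check function; return {case name: passed}."""
    return {name: check(session, action) == expected
            for name, session, action, expected in cases}


def failures(results):
    """Names of the cases that did not pass."""
    return [name for name, passed in results.items() if not passed]


if __name__ == "__main__":
    print("current build fails:", failures(run_security_cases(authorize)))
    print("after change fails: ", failures(run_security_cases(authorize_after_change)))
```

Rerunning the identical case list against the revised function is the regression test the text describes; the two failures it reports are exactly the two negative cases that a purely functional test suite (which checks only that managers can approve and auditors can read) would never have noticed.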

7.4.4 Acceptance Tests


An acceptance test determines whether the software works correctly for the intended user
in the normal work environment. This is arguably the most important type of testing, as it is
conducted by a QA team that gauges whether the application meets the intended specifications
and satisfies the client's requirements. The QA team has a set of prewritten scenarios and test
cases that are used to test the application.
• Alpha Test: This initial version of the completed software is tested by the customer under
the supervision of the developer at the developer's site.
• Beta Test: This later version of the complete software is tested by the customer at his or her
own site without the developer being present.

7.5 Change Management Testing


Testing of the change management process and controls generally occurs both within the
organization (compliance, management review, and internal audit) and outside the organization
(regulators and external auditors). These testing activities include:
• Inspecting the change management policies and procedures to evaluate effectiveness.
• Reviewing the change management controls and testing to determine whether they are
designed and operating effectively. This step may include:
  - Testing change-request documents and forms to discover whether there is appropriate
documentation and authorization.
  - Reviewing the roles and responsibilities of the employees responsible for change
management and verifying an appropriate level of separation of duties.
  - Evaluating the conversion controls by reconciling inputs and outputs impacted by
the change to verify accuracy.
  - Reviewing the policies and procedures that were affected by the change and
determining whether they have been updated to reflect the change.
  - Reviewing the documentation from the pre- and post-implementation testing.
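As an added example that is not from the textbook, the following Python script performs several of the change-management control tests listed above over a constructed sample of change-request records: it flags a change with no documented approver, a requester who approved their own change, a requester who deployed their own change (separation of duties), deployment before approval, and missing pre- and post-implementation test evidence, and it computes the exception rate an auditor would compare with a tolerable rate. Ticket numbers, names, and timestamps are constructed for the example.

```python
from datetime import datetime

# Constructed sample of change-request records as exported from a hypothetical
# ticketing system. Ticket numbers, names and timestamps are assumptions for this
# example, not details from the textbook.
CHANGE_RECORDS = [
    {"id": "CHG-1001", "requester": "alice", "approver": "bob",  "deployer": "carol",
     "approved_at": "2022-05-02T09:00", "deployed_at": "2022-05-03T18:00", "test_evidence": True},
    {"id": "CHG-1002", "requester": "dave",  "approver": "dave", "deployer": "carol",
     "approved_at": "2022-05-04T10:00", "deployed_at": "2022-05-05T18:00", "test_evidence": True},
    {"id": "CHG-1003", "requester": "erin",  "approver": None,   "deployer": "carol",
     "approved_at": None,               "deployed_at": "2022-05-06T18:00", "test_evidence": True},
    {"id": "CHG-1004", "requester": "frank", "approver": "bob",  "deployer": "carol",
     "approved_at": "2022-05-10T12:00", "deployed_at": "2022-05-09T08:00", "test_evidence": True},
    {"id": "CHG-1005", "requester": "gina",  "approver": "bob",  "deployer": "carol",
     "approved_at": "2022-05-11T12:00", "deployed_at": "2022-05-12T18:00", "test_evidence": False},
    {"id": "CHG-1006", "requester": "alice", "approver": "bob",  "deployer": "alice",
     "approved_at": "2022-05-13T12:00", "deployed_at": "2022-05-14T18:00", "test_evidence": True},
]


def _ts(value):
    """Parse an ISO-style timestamp; None stays None."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M") if value else None


def review_change(change):
    """Return the list of control exceptions for one change record (empty list = clean)."""
    findings = []
    # Authorization: every change needs a documented approver who is not the requester.
    if not change.get("approver"):
        findings.append("no documented approval")
    elif change["approver"] == change["requester"]:
        findings.append("requester approved own change")
    # Separation of duties: the requester should not also move the change to production.
    if change.get("deployer") == change.get("requester"):
        findings.append("requester deployed own change")
    # Sequence: approval must precede deployment.
    approved, deployed = _ts(change.get("approved_at")), _ts(change.get("deployed_at"))
    if approved and deployed and deployed < approved:
        findings.append("deployed before approval")
    # Evidence: pre- and post-implementation test results must be on file.
    if not change.get("test_evidence"):
        findings.append("no pre/post-implementation test evidence")
    return findings


def review_changes(changes):
    """Run the review over a sample; returns {change id: [findings]}."""
    return {c["id"]: review_change(c) for c in changes}


def exception_rate(report):
    """Share of sampled changes with at least one exception, for comparison with the tolerable rate."""
    flagged = sum(1 for findings in report.values() if findings)
    return flagged / len(report) if report else 0.0


if __name__ == "__main__":
    report = review_changes(CHANGE_RECORDS)
    for change_id, findings in report.items():
        print(change_id, findings or "clean")
    print(f"exception rate: {exception_rate(report):.0%}")
```

Run over a real export, the same checks give the auditor a population-level view (how often the control failed) rather than a handful of inspected tickets, and each finding maps back to one of the bullets above so the workpaper states which control was tested.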


7.5.1 Testing the Change


In addition to testing the change management process, organizations may test the actual
change. This could include:
• Performing controls testing and reviewing the results, with follow-up.
• Walking through the updated process.
• Running a system test to determine whether it operates as intended and meets all specified criteria.
• Reviewing inputs and outputs to verify successful integration.
• Incorporating a third-party review.

7.5.2 Testing Outsourced Changes


If the change management process was outsourced, then the same testing that would be
performed for an internally performed change should be executed. If IT functions were
outsourced, then the organization can perform and review established outsourcing controls as
well as test sample outputs provided by the outsourced functions.

Question 1 MCQ-14512

Retailer Alex Co. recently purchased a new point-of-sale (POS) system to replace its legacy
system for transaction processing and is evaluating different approaches to integrate the
new software. Alex decided to take a parallel implementation approach as it wants to
be able to switch back to the legacy system if it encounters complications. Which of the
following change management controls does this reflect?
a. Reversion access
b. Post-implementation testing
c. Separation of duties
d. Standardized change requests

Question 2 MCQ-14513

Which type of system test would best validate the logical reasoning of the system?
a. Security test
b. Stress test
c. Regression test
d. Sanity test




MODULE 6

IT Risks and Responses

1 Understanding IT Risks
A successful organization cannot operate without technology. As organizations integrate more
technology into their operations, new and greater risks materialize. Operations can be disrupted
by attackers thousands of miles away. The overall process for understanding how risks can be
identified and addressed is through the security life cycle.

1.1 Security Life Cycle


Organizations must identify the risks, assess the impact of those risks, develop a protection
strategy, and monitor the risks and mitigation efforts.
1. Identify: Determine what assets exist and identify and document the risks associated with
those assets.
2. Assess: Determine the likelihood of the risk materializing and the level of the impact of that
threat to the organization.
3. Protect: Mitigation strategies must be put in place. This includes developing and
communicating security policies and procedures and developing and implementing controls.
4. Monitor: The organization must continually monitor activities and acquisitions for new risks
and ensure that current risk mitigation efforts are still effective.

2 Identifying IT Risks

Understanding, identifying, assessing, and ultimately mitigating IT risks are now a core
component of the overall strategy an organization must employ. Fundamental risks inherently
exist in technology and are described below.

2.1 Technology Risk


The risk of disruption to business as a result of any information technology activity is known
as technology risk. This risk can be pervasive and can affect an organization's reputation,
operations, financial position, and overall strategy. The following are types of risks that are
associated with information technology.

2.1.1 Security Risk


Security risk comprises the risks associated with unauthorized access or use of an organization's
information technology. This includes external threats, such as hackers, and internal misuse
or breach by employees or management. Security risks can result in loss of operations,
information, assets, and reputation with stakeholders.




2.1.2 Availability Risk


The risk that an organization will not be able to access and utilize its information technology as
needed is known as availability risk. This risk includes the inability to utilize hardware, software,
and networks, and access or recover data in a timely manner as a result of some type of system
failure or external event. This also includes access to customer support for software and
hardware. If an IT asset malfunctions and that product is no longer supported, the user cannot
call customer support for resolution, which increases availability risk.

2.1.3 Operational Risk


Operational risk is the risk that an organization is unable to operate effectively or efficiently
due to issues concerning information technology. This includes, but is not limited to, utilizing
software that does not meet the needs of the organization or having the correct software but
utilizing it ineffectively.

2.1.4 Financial Risk


The risk of losing financial resources as a result of them being misused, lost, wasted, or stolen
is known as financial risk. From a technology aspect, this could include employees using a
company printer for personal use, or the company purchasing and implementing a software
application that is never used by employees.

2.1.5 Compliance Risk


Compliance risk is focused on the issues related to information technology not sufficiently
meeting the requirements of regulatory bodies. Regulations vary by industry; however, typical
information technology compliance risks focus on securing and protecting information as well as
financial and performance reporting.

2.1.6 Strategic Risk


Alignment of strategic goals and information technology is a core fundamental of IT governance.
Strategic risk is the risk of misalignment of business and IT strategies. It is imperative that
business and IT goals and strategies are properly aligned for an organization to be successful.

2.2 Types of IT Threats


Generally, four types of threats face information technology at an organization:
1. Natural and Political Disasters: Natural disasters, such as fires and floods, as well as political
disasters, such as terrorist attacks, can damage or completely destroy information systems.
2. Errors in Software and Equipment Malfunctions: Hardware and/or software disruptions,
including power outages, can delay or interfere with the work of information systems.
3. Accidental Actions: Unintentional acts, such as accidental human errors or omissions, can
cause issues with information systems or inaccuracies in data input.
4. Intentional Actions: This includes fraud, sabotage, or other computer crime where
information systems are harmed or destroyed with malice and purposeful intent.


The following chart provides examples of each type of risk. Note that new threats constantly
arise, so the list is not considered to be complete:

Sample of Potential Threats to IT

Natural and Political Disasters:
• Earthquakes, volcanoes, fires, storms, and floods
• Transportation accidents
• Events related to hazardous materials
• Terrorist attacks
• Political uprisings or war

Errors in Software and Equipment Malfunctions:
• Software crashes or viruses
• Hardware failure
• Power outages

Accidental Actions:
• Human error
• Negligence
• Omitted data
• Data lost, modified, or destroyed in transmission or storage
• Ineffective software or training

Intentional Actions:
• Fraud
• Sabotage
• Corruption
• Computer crimes such as viruses, phishing, malware, social engineering, and computer hijacking
• Financial statement fraud
• Misappropriation of assets (theft)

2.3 Risk Management


After IT risks have been identified and assessed, they must be managed. There are many
approaches to IT risk management, but a common approach is utilizing the Risk IT Framework,
as defined by the Information Systems Audit and Control Association (ISACA). To successfully
manage risks, organizations must meet the following three objectives:
1. Integrate the management of IT risk into the overall risk management of the enterprise.
2. Make well-informed decisions about the nature and extent of the risk, the risk appetite, and
the risk tolerance of the enterprise.
3. Develop a response to the risk.

2.3.1 IT Risks Defined


As defined in the Risk IT Framework, IT risk is the business risk associated with the use,
ownership, operation, involvement, influence, and adoption of IT within an enterprise. It consists
of IT-related events that could potentially affect the business. Examples are:
• Late project delivery
• Not achieving enough value from IT
• Compliance
• Obsolete or inflexible IT architecture
• IT service delivery problems
• Security issues




2.4 IT Risk Mitigation Strategies and Roles


A common misconception is that IT risks can be mitigated through software and hardware-based
controls alone. Mitigation of IT risks starts with the people within the organization; specifically, risk
mitigation is a management concern. Management must determine what the overall risk appetite
is for the organization and in turn develop a security strategy that includes policies and procedures
to align that risk appetite with information systems and information technology.

2.4.1 Confidentiality, Integrity, and Availability Triangle


When designing controls to fully safeguard a system, an organization must include threat
identification controls designed to safeguard confidentiality, integrity, and availability of data.
These will include access and authorization controls, segregation of duties, data processing
controls, and business resiliency. An organization must consider all of these factors when
building an IT risk mitigation strategy.

2.4.2 Management's Risk Philosophy


An organization must determine its risk appetite in order to build its information security policies
and procedures. Management's risk philosophy shapes how its IT infrastructure is used and
accessed; behaviors that raise risk include pressuring employees to drive performance, setting
unrealistic goals, treating customer data unethically, and taking undue business risks to drive profits.

2.4.3 Establishing a Security Policy


An organization's security policy is a document that defines how the company plans to protect
its IT infrastructure and resources, including its tangible and intangible information assets.
This includes the policies related to controls for IT infrastructure hardware and software,
as well as procedures for addressing necessary actions that must be taken by management
and employees.

2.4.4 Security Policy Goals


The goal of a good security policy is to require individuals to protect the IT infrastructure
and information, which in turn protects the organization, its employees, and its customers.
Security policies often address the issues of confidentiality, privacy, information integrity, and
system availability.

2.4.5 Security Communication


It is vital that the security policy is communicated to everyone within an organization. Receipt and
understanding of the security policy typically require either an assessment or acknowledgement of
responsibility and recognition. Ongoing periodic training and acknowledgement is vital to ensure
that any updates to the policy are addressed and should be part of new employee onboarding.

3 The Role and Categorization of IT Controls

IT controls play an increasingly important role in ensuring security at organizations. There are
two broad categories of controls: general IT controls and application IT controls. The nature
of these controls can be manual, IT-dependent manual, or automated. They also can perform
different functions in preventing, detecting, or correcting issues and deficiencies.

3.1 Categories of IT Controls


There are two categories of IT controls: general controls and application controls. General IT
controls focus on the broader IT infrastructure and environment, and application-based controls
focus on specific applications and transaction processing.


3.1.1 General IT Controls (GITCs)


General controls are designed to ensure that an organization's control environment (people,
processes, and IT) is stable and well-managed. The controls apply to the overall IT environment
and infrastructure, and govern computer program architecture, security, and use, as well as data
security. Common components and controls of general IT controls include:
• Systems development life-cycle standards and controls
• Physical and logical controls over infrastructure
• Business resiliency management
• Change management procedures
• Software acquisition, development, operations, and maintenance controls

3.1.2 Application Controls


Application controls are software-specific mechanisms within a computer program that manage
user access, permissions, and functionality. They implement preventive, detective, and corrective
controls around transactions to address errors, deficiencies, and fraud in applications. This
enables application controls to ensure that transactions and data processed through computer
applications are:
• accurate;
• complete;
• valid; and
• authorized.

3.2 Nature of IT Controls


Controls can be implemented and executed in many forms. The nature of IT controls can be
either manual, automated, or IT-dependent manual.

3.2.1 Manual Controls


A manual control is a control performed by a person without making direct use of automated
systems. This means that an individual does not rely on or utilize IT-generated reports or functions.

Illustration 1 Manual Control

When performing a quality assurance review, the reviewer evaluates the process and
related requirements in order to confirm that the entire process was executed correctly.

3.2.2 Automated Controls


An automated control is an action or process that the system initiates on its own, without a
person triggering it, in order to maintain system integrity. These controls are
embedded within the IT infrastructure as an application or device that provides continuous
control based on established rules within the system. Because automated controls run the same
way every time and do not depend on a person remembering to perform them, they support
system integrity by enhancing:
• Accuracy
• Timeliness
• Efficiency
• Security




Illustration 2 Automated Control

In a point-of-sale credit-limit check at a retail store:


Step 1: Customer swipes a credit card at the register.
Step 2: The retail point-of-sale (POS) terminal communicates with the credit card issuer to
verify credit limit and amount of available credit.
Step 3: If the transaction is within the credit limit, the system approves the transaction. If
the transaction is above the credit limit, the system declines the transaction.

3.2.3 IT-Dependent Manual Controls


An IT-dependent manual control relies on an individual performing a control function with some
use of an IT component, such as an IT-generated report. IT-dependent manual controls have
components of both manual and automated controls.

Illustration 3 IT-Dependent Manual Control

A reviewer receives a system-generated automated report each month that shows all of
the transactions that went against the administrative expense for the preceding month.
The reviewer takes the report and performs a manual reconciliation of the transactions to
supporting documentation.

3.3 Effectiveness of IT Controls


The effectiveness of IT controls should be evaluated regularly, and all organizations should have
the following as a part of their IT control environment:
  Clearly defined roles and responsibilities
  Control metrics, when appropriate
  Documentation of prior testing of controls
  Disciplinary actions and corporate compliance investigations
  Training for new hires and recurring training for employees
  Updated written policies and procedures, reviewed periodically

3.4 Function of IT Controls


When selecting and implementing controls, it is important to understand the function the control
is intended to serve. A control can serve one of three functions: preventive, detective, or corrective.


3.4.1 Preventive Controls


The function of preventive controls is to take precautions to prevent problems in the future.
Such controls employ preventive actions such as:
  Hiring qualified and competent personnel
  Security awareness training
  Segregation of duties
  Physical access controls such as locks and guards
  Technical controls such as:
y Firewalls and antivirus software to stop attacks from penetrating the network
y Security configuration management
y Automated patch management and updating antivirus software

3.4.2 Detective Controls


The function of detective controls is to find and reveal issues or deficiencies not averted by
preventive controls. As a result, detective controls are viewed as a second line of defense. They
employ detective actions such as:
  Bank or account reconciliations
  Physical security such as surveillance cameras
  Intrusion detection systems
  Antivirus protection to identify viruses that made it onto the system or network
  Change controls
  System monitoring and log management
  Incident alerts to help track how and when system intrusions are attempted

3.4.3 Corrective Controls


Corrective controls have the ability to identify, repair, restore, and recover from issues that
cause damage to a system or process. They employ corrective actions such as:
  Applying operating system upgrades
  Maintaining data and system backups
  Fixing data entry or transaction errors

4 System Access and Segregation of Duties

It is essential that information within an organization is both reliable and secure. To ensure that
this goal is met, it is vital that system access controls and segregation of duties exist to mitigate
risks of fraud and error. The security and reliability of information will typically need to take a
defense-in-depth approach, in which multiple layers of security controls are implemented to
ensure that mitigating controls are in place if other controls fail.

4.1 Logical Access Controls


Logical access controls utilize software and protocols to monitor and control access to
information and an organization's IT infrastructure. Logical access controls are typically built into
software packages and operating systems to enforce security measures for access rights from
local as well as remote locations for internal or external users.


4.1.1 User Access Controls


Controls must be put in place to identify which users access the system and to track their activity
while using it. As a result, each system user needs a unique identity so that if an error or fraud
occurs within a system, it can be traced to the perpetrator.

4.1.2 Authentication Controls


A robust user verification process must be in place when users access a system so that their
identity can be authenticated and specific access level or clearance granted based on their job
role. Authentication controls can take many forms, including:
  Passwords: A combination of characters known only to the user.
  Personal Identification Numbers (PIN): Numeric, or occasionally alphanumeric, code that
acts as an identifier.
  Biometrics: A technique that utilizes either a behavioral or physical characteristic of a
human (the user), such as an iris scan, fingerprint, or voice recognition.
  Smartcards or Physical Tokens: A physical device the user possesses that has either an
embedded chip or visual bar code that can be scanned for authentication. Alternatively, the
card or token will generate a code that changes in short intervals, which can be input for
authentication.
  CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans
Apart): A challenge-response test used to determine whether a user is human or machine.
  Push Notifications: Verification on a separate device owned by the user, such as a cell phone.
  Multifactor Authentication: A technique that requires more than one form of
authentication and is a combination of the above methodologies (password, PIN, biometric,
and/or physical token).

Illustration 4 Multifactor Authentication

In order to log in to the customer relationship management system, the user has to type
in a user name and password on a laptop, which then prompts a push notification to a cell
phone to verify that the user is the one trying to access the system.

4.1.3 Managing Passwords


Passwords are designed to protect access to secure systems, applications, and information. A
strong password management policy must address the following password characteristics:
  Password Requirement: Every account must have a password.
  Password Length: Longer passwords are more effective. Many organizations require a
minimum length of eight characters.
  Password Complexity: Complex passwords are more secure and generally feature a
combination of uppercase characters, lowercase characters, numeric characters, and special
characters (e.g., !, @, #, $, %, ^, &, *, or ?), and do not include words found in a dictionary.
  Password Age: Passwords should be changed frequently to be effective; every 90 days is
considered a good policy. Administrative passwords should be changed more frequently.
  Password Reuse: Passwords should not be reused until a significant amount of time has passed.
The goal is to prevent users from alternating between their favorite two or three passwords.
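The policy characteristics above expressed as a checker, as an added example that is not part of the Becker text. The 30-day administrator limit, the 10-password reuse window, the tiny dictionary, and the sample passwords, dates and history are constructed assumptions.

```python
"""Password policy checker (added example; not Becker course material).

Checks the five characteristics listed above: requirement, length (minimum
eight), complexity (upper, lower, numeric, special, no dictionary word), age
(90 days; administrators sooner) and reuse.  Constructed assumptions: the
administrator limit of 30 days, the reuse window of 10 prior passwords, the
tiny dictionary, and the sample dates and history.
"""
from datetime import date
import hashlib

MIN_LENGTH = 8
MAX_AGE_DAYS = 90            # from the text: every 90 days
MAX_AGE_DAYS_ADMIN = 30      # assumed stricter limit for administrative passwords
REUSE_WINDOW = 10            # assumed number of prior passwords that may not be reused
SPECIAL = set("!@#$%^&*?")   # special characters named in the text
DICTIONARY = {"password", "welcome", "summer", "letmein", "becker"}  # constructed


def digest(password: str) -> str:
    """History is stored as hashes, never cleartext.  SHA-256 keeps the
    example short; a real store uses a salted, slow password hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def complexity_problems(password: str) -> list:
    """Return the list of complexity rules the password fails (empty = ok)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase character")
    if not any(c.islower() for c in password):
        problems.append("no lowercase character")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    if not any(c in SPECIAL for c in password):
        problems.append("no special character")
    if any(word in password.lower() for word in DICTIONARY):
        problems.append("contains a dictionary word")
    return problems


def is_expired(last_changed: str, today: str, is_admin: bool = False) -> bool:
    """Age rule on ISO dates: administrators get the shorter limit."""
    limit = MAX_AGE_DAYS_ADMIN if is_admin else MAX_AGE_DAYS
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age.days > limit


def is_reused(password: str, history: list) -> bool:
    """Reuse rule: compare against the most recent REUSE_WINDOW digests."""
    return digest(password) in history[-REUSE_WINDOW:]


def evaluate(password, history, last_changed, today, is_admin=False):
    """Apply every rule; returns (compliant, problems)."""
    if not password:                       # requirement rule
        return False, ["no password set"]
    problems = complexity_problems(password)
    if is_expired(last_changed, today, is_admin):
        problems.append("password older than policy allows")
    if is_reused(password, history):
        problems.append("password reused from recent history")
    return not problems, problems


if __name__ == "__main__":
    history = [digest("Summer2021!")]      # constructed prior password
    print(evaluate("Tr0ub4dor&Xy", history, "2022-05-01", "2022-06-01"))
    print(evaluate("Summer2021!", history, "2022-05-01", "2022-06-01"))
```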


4.1.4 Access Control Lists


Access control lists are a form of authorization control. Although authentication verifies identity,
authorization restricts access and actions of authenticated users based on granted permissions.
Access control lists (sometimes built as matrices) list users, information (files or storage), and
applications, and provide the types of access and rights granted. Typical rights include the ability
to do the following to an application or file:
  Create (or Write) Access: Users can add content.
  Read Only: Users can only read information.
  Update Access: Users can only update existing information.
  Delete: Users can remove information.

4.1.5 Personnel Changes


When an individual is onboarded, changes position, is promoted, or is discharged from an
organization, it is important that his or her access, authentication, and authorization are modified
as appropriate. This typically involves coordination between human resources (HR) and IT.
  This effort should be documented in procedures.
  HR should generate the request for a user account and system access rights, and issue
any authentication requirements. Depending on the level of access being granted, the
information security officer also may need to approve the account.
  There must be a mechanism to disable accounts when an employee leaves an organization.
The ideal scenario is for HR to alert IT prior to termination, or as soon as possible.

4.1.6 Network Security


An organization must have security in place to protect its private network from unauthorized
access. A firewall is a security measure, which may be composed of both software and hardware,
that prevents unauthorized access to an organization's private network.
Organizations may also employ intrusion detection systems (IDSs) to work in conjunction with
their firewalls. IDSs are devices or software programs that monitor network or system activities
for malicious activities or policy violations and alert management of perceived threats, in addition
to producing reports for management.

4.1.7 Vulnerability Controls


Organizations use operating systems and software applications that need to be reviewed when
installed and on an ongoing basis to ensure proper authorization and usage. The controls include:
  Hardening: When applications or systems are first installed, they should be hardened,
meaning that their vulnerability surface is reduced by turning off features or functions that
are not needed during operations.
  Patch Management: As vulnerabilities are discovered in operating systems or applications,
they should be addressed by patches (fixes) before they are exploited.
  Anti-malware Program: Malware consists of malicious programs such as worms
and viruses that have the ability to self-propagate and spread, allowing pathways for
unauthorized access to occur. Malware can enter networks and specific host computers
through websites, programs, and data files. An organization should protect itself from
malware by implementing robust procedures around the uses of external devices, accessing
certain websites, and executing suspicious programs, in addition to installing malware
controls to monitor and identify threats.


4.1.8 Data Encryption


Encryption is an essential foundation for electronic commerce. Encryption involves using a
password or a digital key to scramble a readable (plaintext) message into an unreadable
(ciphertext) message. The intended recipient of the message then uses another digital key to
decrypt or decipher the ciphertext message back into plaintext.
With encryption keys, the longer the length of the key, the less likely it is that the message or
transaction will be decrypted by the wrong party and that the key will be broken by a brute-force
attack. In a brute-force attack, the attacker simply tries every possible key until the right one is found.
The two types of encryption are symmetric and asymmetric:
  Symmetric Encryption: The sender and the recipient use the same shared key.
  Asymmetric Encryption: Two keys are used; one is public and the other private.

Illustration 5 Symmetric vs. Asymmetric Encryption

Rex sends Alexis a list of employees with names and salaries for each of their positions so
Alexis can append additional information to those records. Rex encrypts the email using
symmetric encryption so that they have a shared key that only he and Alexis have. Anyone
with the public key can access this message.

Alexis appends Social Security numbers and bank account information to the file Rex sent
and sends it back to Rex. Given the additional sensitive data, she decides to add another
layer of security by using asymmetric encryption. This way, the only person who can open
the message is Alexis because she has the private key.


4.1.9 Digital Certificates


Digital certificates, another form of data security, are electronic documents that are created
and digitally signed by a trusted party and that certify the identity of the owners of a particular
public key.
Digital certificates operate on what is known as a public key infrastructure (PKI), which is the
system and processes used to issue and manage asymmetric keys and digital certificates.
The organization that issues public and private keys and records the public key in a digital
certificate is called a certificate authority (CA). The requestor of a digital certificate would send
a CA the distinguished name (DN) of the owner, the owner's public key, and digital signature. In
return, the sender receives a digital certificate with the DN, dates of issue and expiration, public
key, the name of the issuing CA, and that CA's digital signature. The process works as follows:

Create DN,
Request digital
public key, digital Receive certificate OWNER
certificate
signature

Verify DN and
Create certificate Return certificate CUSTOMER
owner info

DN, dates, public


DIGITAL
key, CA, CA digital
CERTIFICATE CONTENT
signature

Digital certificates intended for e-business use are typically issued by commercial certificate
authorities, such as Sectigo Limited and Verisign, Inc. The certificate authority hashes (converts
plain text to another value) the information stored on a digital certificate and then encrypts that
hash with its private key. That digital signature is then appended to the digital certificate, which
provides the means for validating the authenticity of the certificate.
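The issuance and validation flow described above, as an added example that is not part of the Becker text: the CA hashes the certificate fields and signs the hash with its private key, and anyone holding the CA's public key can verify the signature and the validity dates. The CA key is textbook RSA with tiny primes (p = 61, q = 53) so the arithmetic is visible, which is a constructed assumption, as are the sample DN, owner key and dates; real CAs use 2048-bit or larger keys.

```python
"""Toy digital certificate issuance and verification (added example; not
Becker course material).  It follows the flow described above: the owner
submits DN and public key, the CA builds the certificate fields, hashes
them, and signs the hash with its private key; a relying party recomputes
the hash, recovers the signed hash with the CA's public key, and compares.

Constructed assumptions: textbook RSA with tiny primes p=61, q=53 for the
CA key so the arithmetic is visible (real CAs use 2048-bit or larger keys),
plus the sample DN, owner key and dates.  Not secure; for illustration only.
"""
import hashlib
import json
from datetime import date

# Toy CA key pair: n = 61 * 53 = 3233, e = 17, d = 2753 (constructed).
CA_NAME = "Toy CA"
CA_PUBLIC = (17, 3233)
CA_PRIVATE = (2753, 3233)


def content_hash(content: dict, modulus: int) -> int:
    """Hash the certificate fields in a canonical form and reduce into the
    RSA group (the tiny modulus forces this; real schemes pad the digest)."""
    canonical = json.dumps(content, sort_keys=True).encode()
    return int(hashlib.sha256(canonical).hexdigest(), 16) % modulus


def issue_certificate(request: dict, issued: str, expires: str) -> dict:
    """CA side: check the request carries a DN and public key, assemble the
    fields the text lists (DN, dates, public key, issuing CA), then sign."""
    if not request.get("dn") or not request.get("public_key"):
        raise ValueError("request must include DN and public key")
    content = {
        "dn": request["dn"],
        "public_key": request["public_key"],
        "issued": issued,
        "expires": expires,
        "issuer": CA_NAME,
    }
    d, n = CA_PRIVATE
    signature = pow(content_hash(content, n), d, n)  # hash "encrypted" with CA private key
    return {"content": content, "signature": signature}


def verify_certificate(cert: dict, ca_public: tuple, today: str) -> tuple:
    """Relying-party side: anyone with the CA public key can check the
    signature; then confirm today falls within the validity dates."""
    e, n = ca_public
    recovered = pow(cert["signature"], e, n)
    if recovered != content_hash(cert["content"], n):
        return False, "signature does not match certificate content"
    c = cert["content"]
    if not (date.fromisoformat(c["issued"]) <= date.fromisoformat(today)
            <= date.fromisoformat(c["expires"])):
        return False, "outside validity period"
    return True, "ok"


if __name__ == "__main__":
    request = {"dn": "CN=Rex,O=Example Corp", "public_key": {"e": 7, "n": 187}}
    cert = issue_certificate(request, "2022-06-01", "2023-06-01")
    print(verify_certificate(cert, CA_PUBLIC, "2022-09-01"))
    forged = {"content": cert["content"], "signature": (cert["signature"] + 1) % 3233}
    print(verify_certificate(forged, CA_PUBLIC, "2022-09-01"))
```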

4.1.10 Digital Signatures vs. E-Signatures


Digital signatures use asymmetric encryption to create legally binding electronic documents.
Web-based e-signatures are an alternative and are provided by vendors as a software product.
The e-signature is a cursive-style imprint of an individual's name that is applied to an electronic
document. E-signatures are legally binding, just as if the user had really "signed" a paper copy of
the document.


4.2 Physical Controls


Physical controls are used to deter unauthorized access, monitor facilities, and control the
workplace environment. These controls are established to protect the entire facility; however,
they can be applied to specific areas or rooms within the facility as well. These controls include:
  Locked doors requiring keys, access cards, pass codes, or biometric scanners
  Secure pass-throughs called mantraps
  Physical obstructions such as fencing and barricades
  Security systems connected to local law enforcement
  Monitoring safeguards such as security guards and cameras
  Illumination measures like additional lighting or sensor-triggered lighting
Physical access controls can also be applied to specific assets that may be at risk if a building
breach occurs. These controls include using locking cables for laptops and other mobile
computing devices and locking away financial or easily liquidated assets.

4.3 Segregation of Duties


Segregation of duties is one of the most important controls in accounting and is particularly
important within the IT infrastructure. Segregation of duties reduces opportunities for anyone
to be in a position to both perpetrate and conceal errors or fraud in the normal course of
one's duties.
Many transactions and functions in an IT environment are actually performed by the application
software. Therefore, segregation of duties normally revolves around granting and/or restricting
access to production programs, production data, and execution activities.
The following areas within the IT infrastructure need to have a proper segregation of duties:
system programming; end user transaction/data entry; data custody and storage; and
authorization responsibility and monitoring.
The key is to avoid control failures, security breaches, infections from malware, and conflicts
of interest. In a well-structured IT department, no user should be allowed to authorize
a transaction, then record the transaction and receive physical custody of the assets.
Authorization, recording, and custody are duties that must always be segregated.

4.3.1 System Analysts vs. Computer Programmers


System analysts design an information system to meet user needs, whereas computer
programmers use that design to create an information system by writing computer programs.
Analysts often are in charge of hardware and programmers are in charge of application
software. Theoretically, if the same person is in charge of hardware and software, that
person could easily bypass security systems without anyone knowing and steal organizational
information or assets (e.g., embezzling of funds).

4.3.2 Security Administrators vs. Computer Operators and Computer Programmers


Security administrators are responsible for restricting access to systems, applications, or
databases to the appropriate personnel. If the security administrator were also a programmer
for that system, that individual could gain access to unauthorized areas as well as give access
to another person. This security bypass also would allow that person to steal organizational
information or assets.
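The access control list (4.1.4), personnel-change deprovisioning (4.1.5) and segregation-of-duties rules (4.3) above, combined in one added example that is not part of the Becker text. The users, resources, rights and duty assignments are constructed sample data; the conflicting duty pairs are those the text names.

```python
"""Access control list and segregation-of-duties checks (added example;
not Becker course material).  Rights use the create/read/update/delete
vocabulary from the access control list section; the duty pairs that may
not be combined come from the segregation-of-duties discussion
(authorization, recording, custody; analyst vs programmer; security
administrator vs programmer or operator).  Users, resources and duty
assignments are constructed sample data.
"""

RIGHTS = {"create", "read", "update", "delete"}

# Constructed ACL matrix: user -> resource -> rights granted.
ACL = {
    "rex":    {"payroll_app": {"create", "read"}, "gl_data": {"read"}},
    "alexis": {"payroll_app": {"read", "update"}, "gl_data": {"read", "update", "delete"}},
    "pat":    {"gl_data": {"read"}},
}

# Constructed duty assignments: user -> duties held.
DUTIES = {
    "rex":    {"authorization"},
    "alexis": {"recording", "custody"},
    "pat":    {"security_administration", "programming"},
}

# Duty pairs the text says must be held by different people.
CONFLICTING_PAIRS = [
    ("authorization", "recording"),
    ("authorization", "custody"),
    ("recording", "custody"),
    ("system_analysis", "programming"),
    ("security_administration", "programming"),
    ("security_administration", "computer_operations"),
]


def is_permitted(acl: dict, user: str, resource: str, right: str) -> bool:
    """Authorization check: default deny for unknown users or resources."""
    if right not in RIGHTS:
        raise ValueError(f"unknown right: {right}")
    return right in acl.get(user, {}).get(resource, set())


def sod_violations(duties: dict) -> list:
    """Return (user, duty_a, duty_b) for every conflicting pair a user holds."""
    found = []
    for user in sorted(duties):
        held = duties[user]
        for a, b in CONFLICTING_PAIRS:
            if a in held and b in held:
                found.append((user, a, b))
    return found


def deprovision(acl: dict, duties: dict, user: str) -> tuple:
    """Personnel change (departure): remove the user's access and duties,
    returning new structures so the originals stay unchanged."""
    new_acl = {u: r for u, r in acl.items() if u != user}
    new_duties = {u: d for u, d in duties.items() if u != user}
    return new_acl, new_duties


if __name__ == "__main__":
    print("rex may create in payroll_app:", is_permitted(ACL, "rex", "payroll_app", "create"))
    print("segregation-of-duties violations:", sod_violations(DUTIES))
    acl_after, duties_after = deprovision(ACL, DUTIES, "pat")
    print("violations after pat leaves:", sod_violations(duties_after))
```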


5 Risks and Controls of Critical, Confidential, and Private Information

Critical, confidential, and private information all need to be safeguarded to ensure that the
organization, its employees, its customers, and other stakeholders are protected appropriately.
Understanding each of the areas below is important to determining how information should be
safeguarded:
  Critical Information: Any information that is vital for the organization to perform its
essential functions and achieve its strategic objectives.
  Confidentiality: The efforts to keep information within or about the organization from
being misused or accessed without authorization.
  Privacy: The rights of employees and customers to keep their personal information safe
and to understand how their information will be collected, used, and disclosed to others.

5.1 Identifying and Classifying Information


Organizations must first identify what data and information is stored in all their data
repositories. Once the information is identified, the organization must categorize the data as
confidential, private, and/or critical, and determine what risks exist and how those risks will be
mitigated and controlled.

5.2 Critical Information


Critical information is any and all information that is vital for the operation of an organization,
and this information must be properly safeguarded. The collection, storage, and analysis of
information has been growing at an exponential pace. As a result, organizations are becoming
reliant on this information for their core operations. There is an inherent risk that the loss of
an organization's critical information could lead to financial losses, operational inefficiencies,
and contractual and other legal issues. The controls used for both confidential and private
information can be used for critical information.

5.3 Confidentiality Risks


Confidential information poses many risks, as data loss may cause reputational, operational,
and/or financial harm to an organization. Risks to consider when performing threat
identification concerning confidentiality include the following.

5.3.1 Inappropriate and/or Unauthorized Access


Confidential information could be accessed by unauthorized individuals through:
  Accidental disclosure caused by negligence or deviation from defined processes.
  Theft and exposure by existing or prior employees who have system access.
  Theft from outside parties, such as hackers.

5.3.2 Misuse or Theft of Confidential Information


Any use of confidential information for purposes outside of explicitly permitted practices is data
misuse. This could include insider trading, sharing of trade secrets with competitors, or utilizing
data for malicious purposes. Theft of confidential information, such as intellectual property, can
lead an organization to lose competitive advantages and industry market share.


5.3.3 Legal and Regulatory Concerns


Organizations may be required to keep certain information confidential by law or regulatory
standards and any exposure could lead to penalties and fines.

5.4 Privacy Risks


Privacy risks directly impact the data of an organization's employees, customers, and users.
Private data is protected by many regulatory standards. Major risks associated with private data
include the following.

5.4.1 Insufficient Disclosure of Collection, or Collection Without Consent


There is a risk that information is being collected about customers of which they are unaware,
and this could be a violation of personal privacy and law. Organizations must disclose what
information they collect about their customers, have those customers consent to that collection,
and avoid collecting more than was agreed on.

5.4.2 Inappropriate Use or Disclosure of Private Information


Organizations must clearly and explicitly disclose what they will do with their customers' private
information. There is a risk that the information is not securely protected, could be stolen, or is
used for inappropriate purposes, such as discriminatory practices, unfair marketing schemes, or
selling without permission.

5.4.3 Risks of Not Fully Adhering to Regulations and Laws


Specific U.S. laws enforce the privacy rights of citizens. Some are general in nature, like anti-SPAM
regulations, which restrict unsolicited marketing to consumers and businesses. Others are
industry-specific laws, such as the Health Insurance Portability and Accountability Act (HIPAA) for
health care and the Family Educational Rights and Privacy Act (FERPA) for educational settings.
Failure to adhere to these laws and regulations can result in significant penalties and fines.

5.4.4 Reputational Risks


When customers' private data is leaked or disclosed, there can often be irreparable harm
to the reputation of the organization. Users may move their business elsewhere for fear of
future leaks.

5.5 Safeguarding Information


The controls that address confidentiality and privacy risks are often similar, if not identical. Privacy
issues may go beyond confidentiality issues as they address specific guidelines on use and disclosure.
Some common ways confidential and private information are protected include the following.

5.5.1 Policy Management and Training


Policies must be put in place that require users within an organization to adhere to strict guidelines
concerning safeguarding confidential and private information. Organizations must have a robust
training program covering these policies for all users who have access to confidential or private data.

5.5.2 Document Physical Security Controls


A major issue in protecting confidential and private information is that those who work at an
organization may not properly protect physical documents. Leaving private and confidential
information in paper form or in visible digital output at a workspace during the evening or
anytime the employee is away from the workspace can result in unauthorized access. This also
applies to leaving mobile technology unlocked or leaving authorization credentials, such as
written passwords, PIN numbers, or security badges, in an unguarded location.


5.5.3 Document Access Controls


Access controls should be put in place to ensure that only authorized users have access to
confidential and private information and the capability to read, use, and modify it. Access
controls also include:
  Encryption, which allows only users with the correct decryption keys to read information
found in encrypted documents. This applies to both storage and transmission.
  Watermarking documents both physically and digitally, to ensure that they can be traced to
the original creators.
  Information rights management software, which allows granting specific users both access
and rights to specific documents and files.
  Data loss prevention (DLP) software, which monitors and precludes documents containing
specific content or content types from leaving an organization's private network.

5.5.4 Third-Party Controls


Any third-party relationships that involve the collection, sharing, storage, or use of confidential
and private data must have controls in place that meet the policy set forth by the organization.
If utilizing a service company, an organization may request a System and Organization Controls
(SOC 1®) report to verify that the appropriate controls are in place and operating effectively.

6 Business Resiliency

6.1 Business Resiliency


Business resiliency is the integration of system availability controls, crisis management, disaster
recovery plans, and business continuity plans into a central set of procedures to ensure that a
business can continue to operate or quickly return to operations without irreparable harm to its
people, information, or assets. The following graphic depicts the integration of these components:

Business Resiliency: Strategic ability to rebound
Top row of the graphic:
  Business Continuity: Ability to continue delivering products and services; operations focused
  System Availability Controls: Ability to prevent systems disruptions
  Crisis Management: Overall response to a dire situation; broader than DR
  Disaster Recovery: Strategic recovery after a disaster
Bottom row of the graphic:
  Physical and IT Infrastructure Controls: Physical and virtual controls in place so all systems
continue to be available for normal business operations
  Uninterrupted Power Supply: Backup power supply in the event of a power outage to sustain
IT operations
  Redundancy and Backup: Ability to restore IT operations from replicated environments and
backup
  Incident Response Plan: Specific recovery after an event; part of a DR or CM plan


6.2 System Availability Controls


System availability controls include activities to prevent system disruptions and loss of
information as well as procedures to continue operations or provide quick recovery from
an incident. Crisis management, disaster recovery, and business continuity plans are all
components of system availability controls. In addition to these plans, system availability
controls include the following.

6.2.1 Physical Controls


A major threat to system availability is damage caused to physical hardware components. As a
result, controls must be put in place to deter damage to the IT infrastructure, including:
  Physical access controls (e.g., door locks, security guards, cameras)
  Fire alarms and sprinklers
  Facility design to protect against flooding and overheating, such as raised floors and air-
conditioning systems

6.2.2 IT Infrastructure Controls


Controls around the IT infrastructure including hardware, software, and network components
can provide mitigation of malicious attacks and other actions that can compromise systems.
These controls include:
  Continuously using anti-malware software and patch management to fix vulnerabilities
  Periodic reviews of IT infrastructure components to ensure that they are not outdated
  Network security controls
  Access and authorization logical controls

6.2.3 Uninterrupted Power Supply


An uninterrupted power supply (UPS) is a device that maintains a continuous supply of electrical
power to connected equipment. A UPS, also called battery backup, is used to prevent a system
from shutting down inappropriately during an outage. A UPS can prevent data loss and can
protect the integrity of a backup while it is being performed. When a power failure occurs, the
UPS switches to its own power source instantaneously so that there is no interruption in power
to the system. A UPS is not a backup standby generator; the battery will run out sooner or later.

6.2.4 Redundancy


Organizations may choose to have redundant hardware, software, and storage as a normal part
of their operations. This allows them to easily switch from a failed unit, such as a malfunctioning
router or switch, to another unit already in operation.
Having redundant IT assets can also apply to data storage and backup. Redundant arrays of
independent drives (RAID) allow organizations to record data on multiple disk drives at one time
for the purpose of data redundancy in the event one disk drive fails.

6.2.5 Backup Files


Data backups are necessary both for recovery in a disaster scenario and for recovery from
processing problems. Encrypted copies of important master files and records should be stored
in safe places located off-site, such as a remote data center or a cloud provider. Copies of
files kept on-site should be stored in fireproof containers or rooms.


In addition to determining the location of backed-up data, organizations also must decide what
types of backups to perform in order to recover lost data.
  A full backup is an exact copy of the entire database. Full backups are time consuming, so most
organizations only do full backups weekly and supplement them with daily partial backups.
  Two types of partial backups are possible:
y An incremental backup involves copying only the data items that have changed since the
last backup. This produces a set of incremental backup files, each containing the results
of one day's transactions. Restoration involves first loading the last full backup and then
installing each subsequent incremental backup in the proper sequence.
y A differential backup copies all changes made since the last full backup. Thus, each new
differential backup file contains the cumulative effects of all activity since the last full
backup. Consequently, except for the first day following a full backup, daily differential
backups take longer than incremental backups. Restoration is simpler, however,
because the last full backup needs to be supplemented with only the most recent
differential backup, instead of a set of daily incremental backup files.
  A final type of backup is known as an archive. An archive moves entire sets of data that are
no longer actively used from software outputs, databases, or master files to a location that
is separate from the main operations as a way to indefinitely store them.
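The full, incremental and differential schemes above simulated over a few days of activity, as an added example that is not part of the Becker text: it shows how much each partial backup copies per day and that the incremental restore path only matches the live data when the files are applied in sequence. The records and daily changes are constructed; deletions are not modelled.

```python
"""Full, incremental and differential backup simulation (added example;
not Becker course material).  A database is modelled as a dict of record
id -> value and each day's transactions as the records they change.  The
run shows how much each partial-backup type copies per day and that the
two restoration paths described above reach the same state only when
incrementals are applied in sequence.  Sample records and daily changes are
constructed.  Deletions are not modelled (they need tombstone records).
"""
import copy


def full_backup(db: dict) -> dict:
    """Exact copy of the entire database."""
    return copy.deepcopy(db)


def incremental_backup(db: dict, changed_since_last_backup: set) -> dict:
    """Only the items changed since the last backup of any kind."""
    return {k: db[k] for k in changed_since_last_backup}


def differential_backup(db: dict, changed_since_full: set) -> dict:
    """All changes since the last full backup (cumulative)."""
    return {k: db[k] for k in changed_since_full}


def restore_from_incrementals(full: dict, incrementals: list) -> dict:
    """Load the full backup, then apply every incremental in order."""
    db = copy.deepcopy(full)
    for inc in incrementals:
        db.update(inc)
    return db


def restore_from_differential(full: dict, latest_diff: dict) -> dict:
    """Load the full backup, then apply only the most recent differential."""
    db = copy.deepcopy(full)
    db.update(latest_diff)
    return db


def simulate_week(initial: dict, daily_changes: list) -> dict:
    """Weekly full backup followed by one partial backup of each type per day."""
    db = copy.deepcopy(initial)
    full = full_backup(db)
    incrementals, inc_sizes, diff_sizes = [], [], []
    changed_since_full, latest_diff = set(), {}
    for changes in daily_changes:
        db.update(changes)                      # the day's transactions
        changed_today = set(changes)
        changed_since_full |= changed_today
        inc = incremental_backup(db, changed_today)
        latest_diff = differential_backup(db, changed_since_full)
        incrementals.append(inc)
        inc_sizes.append(len(inc))
        diff_sizes.append(len(latest_diff))
    return {
        "incremental_sizes": inc_sizes,
        "differential_sizes": diff_sizes,
        "full": full,
        "incrementals": incrementals,
        "latest_differential": latest_diff,
        "live": db,
    }


# Constructed sample: three records, three days of activity after the full backup.
INITIAL = {"r1": "a", "r2": "b", "r3": "c"}
DAILY_CHANGES = [{"r1": "a2"}, {"r2": "b2"}, {"r1": "a3", "r3": "c2"}]


if __name__ == "__main__":
    result = simulate_week(INITIAL, DAILY_CHANGES)
    print("incremental copies per day:", result["incremental_sizes"])
    print("differential copies per day:", result["differential_sizes"])
    print("restore paths agree:",
          restore_from_incrementals(result["full"], result["incrementals"])
          == restore_from_differential(result["full"], result["latest_differential"]))
```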

6.3 Crisis Management Plans


In terms of business operations, a crisis is an unexpected, large-scale incident that can cause
major negative effects on an organization and its stakeholders. Crisis management policies are
vital, as a crisis presents stressful situations that involve important decisions that must be made
quickly. These decisions can be difficult if an organization does not have clearly defined roles,
responsibilities, and procedures. The goals of a crisis management plan should be to lessen the
impact of the crisis, protect people and the organization's reputation, and return to normal
operations as soon as possible.
Crisis management policies should address the following:
  Risk assessment of what potential crises the organization could face and how to properly respond.
  Procedures for implementation include the steps management and employees must
perform to put the plan into operation.
  The crisis response command center is where the directives come from during a crisis. This
may be a physical or virtual location.
  Crisis management roles and responsibilities must be set so the organization understands
who is in charge of all final decisions and the roles and responsibilities of each individual.
  Internal and external communication lines must be established so parties can communicate
during a crisis.
  Employees must be properly trained on the crisis management policies and procedures, so
they understand all necessary courses of action during a crisis.


6.4 Disaster Recovery Plans


A major component of a business resiliency program is disaster recovery. Disaster recovery
consists of an entity's plans for restoring and continuing its information technology function in
the event of the destruction of not only program and data files, but also computer processing
capability. Short-term problems or outages do not normally constitute disasters. If processing
cannot be quickly reestablished at the original processing site (possibly because the original
processing site no longer exists), then disaster recovery is necessary.

6.4.1 Steps in Disaster Recovery


The steps in a disaster recovery plan are to:
1. Assess the risks.
2. Identify mission-critical applications and data.
3. Develop a plan for handling the mission-critical applications.
4. Determine the responsibilities of the personnel involved in disaster recovery.
5. Test the disaster recovery plan.

6.4.2 Use of Alternative Processing Facilities


In the event of a disaster, an organization has three main options for how to maintain IT operations:
1. Cold Site: A cold site is an off-site location that has all the electrical connections and other
physical requirements for data processing, but it does not have the actual equipment. Cold
sites usually require one to three days to be made operational because equipment has to be
acquired. Organizations that utilize a cold-site approach normally utilize generic hardware
that can be readily (and quickly) obtained from hardware vendors. Cold sites are the
cheapest form of off-site location.
2. Warm Site: A warm site is a compromise between a cold site and a hot site. It is a
facility that already has power, connectivity, and some hardware installed, but its
computer and office equipment are not fully operational, so its processing capability
falls short of that of a hot site or of the business during normal operations. Additional
equipment, software, and data must be brought in before processing can resume.
3. Hot Site: A hot site is an off-site location that is ready to take over the company's data
processing: it is not only pre-wired for use but also contains the hardware and office
equipment needed to perform the organization's functions. Backup copies of essential
data files and programs may also be maintained at the location or at a nearby data
storage facility. Hot sites are the most expensive option; cold sites are the cheapest.
The following matrix depicts key characteristics of each of these sites:

Site        Location   Connections  Equipment   Days to Be     Cost
                       in Place?    in Place?   Operational

Cold Site   Off-site   Yes          No          1–3 days       Cheapest
Warm Site   Off-site   Yes          Partial     0–3 days       Moderately expensive
Hot Site    Off-site   Yes          Yes         Immediately    Most expensive


6.5 Incident Response


Any unauthorized access to, or theft or misuse of, critical, confidential, or private data is
typically referred to as an incident. Organizations must therefore have an incident response
program in place to address the incident and its implications.
The team that is alerted to and handles an incident is often referred to as the Cyber Incident
Response Team (CIRT). It is responsible for discovering the issue, stopping the spread of the
impact, carrying out the recovery steps, and tracking the outcomes.
When an incident occurs that causes confidential or private data to be exposed, it is important to
do the following:
  Determine the source of the breach and ensure that mitigation measures are put in place
immediately to stop the breach and avoid additional breaches.
  Try to secure the information lost by removing it from public postings if applicable.
  Assess the magnitude of the breach to determine what processes, organizations, or people
are impacted by the breach.
  Privacy breaches could result in the need to notify specific entities, such as the state or
federal government and those who are impacted. This will be based on existing state and
federal laws that apply to the organization's industry.
  Revisit the cause of the breach and ensure that long-term, effective controls are put in place
to avoid future breaches.

6.6 Business Continuity Plans


Disaster recovery plans are focused on restoring the IT infrastructure during a disaster while
business continuity plans are focused on keeping the business operational. Business continuity
plans are more comprehensive than disaster recovery plans and contain contingency and
mitigation procedures around all business processes, including relocating facilities, human
resource tasks, and managing relationships with customers and suppliers. The overall goal
of the business continuity plan will be how to continue operations or restore operations in
the most efficient and effective manner possible with consideration given to all aspects of
the organization.
Business continuity plans must consider the following:
  Identify the organization's key business processes.
  Identify the risks that exist in key business processes.
  Determine the acceptable downtime for key business processes.
  Implement mitigation and contingency plans to address risks and downtimes.

6.7 Business Resiliency Services


Organizations are relying more heavily on cloud computing and software as a service (SaaS) to
operate their core business processes. In line with this, service providers offer multiple business
resiliency services such as disaster recovery as a service, backup as a service, and business
continuity as a service. These options allow organizations to utilize companies with specialized
knowledge and resources to take on their resiliency efforts. The disadvantages, however, can
include over-reliance on the provider, loss of control, higher cost, and uncertainty about
whether the provider's service will actually be effective when it is needed.


Question 1 MCQ-14514

Computing Corp. just hired Janice Thompson as its new security administrator. This role
will allow Janice to grant access to the system for the appropriate personnel. Janice is also a
talented computer programmer, and because Computing Corp. needs a new programmer, it
has agreed to pay Janice more to take on that role as well. This violates what type of control?
a. Vulnerability control
b. Authentication control
c. Segregation of duties
d. Access control lists

Question 2 MCQ-14515

An organization houses its network servers at a facility within a known floodplain. It
decided to raise the floors in the room where the network servers reside to avoid flood
damage. This is an example of what type of control?
a. Logical access control
b. System availability control
c. Physical access control
d. Data encryption control

Financial Risk Management: Part 1

Define interest rate risk.

FC-01991 BEC 1-59

Interest rate risk is the potential for investment losses due to changes
in interest rates.
Financial Risk Management: Part 1

Define market risk.

FC-01971 BEC 1-60

Market risk refers to the risk that an investment may face due to
fluctuations in the market; this risk is nondiversifiable.
Financial Risk Management: Part 1

Define credit risk.

FC-01972 BEC 1-61

Credit risk is the risk that an entity will be unable to secure financing
on favorable terms due to the firm's poor credit history/ratings.
Financial Risk Management: Part 1

Define default risk.

FC-01973 BEC 1-62

Default risk is the risk that the debtor will not pay interest or principal
on a timely basis.
Financial Risk Management: Part 1

Define liquidity risk.

FC-01974 BEC 1-63

Liquidity risk is the risk that a security cannot be sold on a timely basis
or that a sale will require material price concessions.
Financial Risk Management: Part 2

Name the trade-related factors influencing exchange rates.

FC-01992 BEC 1-70

Trade-related factors influencing exchange rates:
1. Relative inflation rates
2. Relative income levels
3. Government controls
Financial Risk Management: Part 2

Name the financial factors influencing exchange rates.

FC-01975 BEC 1-71

Financial factors influencing exchange rates:
1. Relative interest rates
2. Capital flows
Capital Structure: Part 1

How does a lessee account for an operating lease?

FC-01977 BEC 2-8

With an operating lease, the lessee will record a right-of-use
(ROU) asset and a lease liability on the balance sheet. The
ROU asset will be amortized as the lease liability is paid down
over the life of the lease. On the income statement, lease
expense will be recognized each period over the lease term.
Capital Structure: Part 1

How does a lessee account for a finance lease?

FC-01978 BEC 2-9

With a finance lease, the lessee will record both an ROU asset
and a lease liability on its balance sheet. Each lease payment
will consist of interest and principal pay down. Interest expense
will be shown on the income statement and the reduction of the
liability will be reflected on the balance sheet.
Financial Valuation Methods: Part 1

Explain how price multiples are used in valuation.

FC-01979 BEC 2-32

A price multiple represents a ratio of a stock's market price to
another measure of fundamental value on a per-share basis.
Investors use price multiples to determine the intrinsic (true)
value of stock and ultimately to decide whether the stock is
undervalued, fairly valued, or overvalued.
Financial Valuation Methods: Part 1

List four price multiple ratios used for stock valuation.

FC-01980 BEC 2-33

Four commonly used price multiples include:
1. Price-to-earnings (P/E) ratio
2. Price-to-sales ratio
3. Price-to-cash-flow ratio
4. Price-to-book ratio
Financial Valuation Methods: Part 1

Explain how discounted cash flow analysis is used in valuation.

FC-01981 BEC 2-34

Discounted cash flow analysis attempts to determine the
intrinsic (true) value of a stock by determining the present
value of its expected future cash flows. Once the DCF stock
price is determined, it is compared with the stock's market
value to determine whether it is undervalued, fairly valued, or
overvalued.
Financial Valuation Methods: Part 1

List common discounted cash flow absolute models used for valuation.

FC-01982 BEC 2-35

Absolute DCF models used for valuation include:
• Dividend discount model (DDM)
• Free cash flow to the firm (FCFF)
• Free cash flow to equity (FCFE)
• Residual income (RI)
Process Management

Define and describe the purpose of business process management.

FC-01321 BEC 6-1

Business process management (BPM) seeks to coordinate the
functions of a business to achieve customer satisfaction as
efficiently as possible.
Process Management

Define outsourcing.

FC-00495 BEC 6-5

Outsourcing is defined as the contracting of services to
external providers.
Process Management

Define JIT and the underlying concept of JIT.

FC-00496 BEC 6-7

Just-in-time (JIT) management anticipates achievement of
efficiency by scheduling the deployment of resources just in
time to meet customer or production requirements.
The Role of IT in Business

What are the basic technological components of IT infrastructure?

FC-01759 BEC 6-18

IT infrastructure components include:
• Hardware
• Networking devices
• Software
• Networks
• Mobile technology
Data Management and Analytics

Define diagnostic data analytics.

FC-01777 BEC 6-36

Diagnostic analytics explain why something happened. This form of
analytics examines the activity that has occurred within a given
attribute or attributes to identify the causes behind the outcome.
System Development and Change Management

Name types of integration risk.

FC-01784 BEC 6-43

Integration risks include user resistance, lack of management
support, lack of stakeholder support, resource concerns,
business disruptions, lack of system integration, and
compliance risk.
System Development and Change Management

Name types of outsourcing risk.

FC-01785 BEC 6-44

Outsourcing risks include lack of organizational knowledge,
uncertainty about the third party's knowledge and management,
failure of the third party to deliver, lack of security, lack of
quality, unexpected costs, and lack of key performance
indicators (KPIs).
System Development and Change Management

Name common change management controls.

FC-01786 BEC 6-45

Change management controls include policies and procedures,
emergency change policies, standardized change requests,
impact assessments, authorizations, separation of duties,
conversion controls, reversion access, pre-implementation
testing, post-implementation testing, and ongoing monitoring.
System Development and Change Management

Why do legacy IT systems persist?

FC-01788 BEC 6-47

Legacy IT systems persist for reasons of cost, time, user
resistance, customization, and fear of information loss.
IT Risks and Responses

Name common types of technology risk.

FC-01793 BEC 6-52

Technology risks include security risk, availability risk, operational
risk, financial risk, compliance risk, and strategic risk.
Final Review Replacement Textbook Pages

Details on the replacement textbook pages are provided below.

V4.1 Location       V4.0 Location   Description of Update

BEC IV, all topics  Same            The text of unit BEC IV was updated and expanded to
                                    include more details on the covered topics.

BEC V, Topic C      Same            The text of unit BEC V Module C (Process Management)
                                    was updated to include more details.
IV Information Technology

A Information Technology (IT) Governance

B The Role of IT in Business

C Data Management and Analytics

D System Development and Change Management

E IT Risks and Responses


Topic A: Information Technology (IT) Governance

1 The Importance of IT Governance


Information technology (IT) governance is a management discipline that
serves as a formal structure for how organizations should align IT practices
and business strategies. This is accomplished through the synchronization
of resources, such as people, controls, policies, and processes that are
necessary to achieve an organization's data governance goals.

2 Understanding and Defining IT Governance

IT governance frameworks outline how leadership accomplishes the
delivery of mission-critical business capabilities using IT strategies, goals,
and objectives. IT governance is the duty of the board of directors and
executive management, who create applicable policies and procedures to
deploy resources to sustain those capabilities.

2.1 Key Principles for Governing IT


Strong data governance models should adapt to rapidly changing
technology, and will have the following components:
„ Availability: Systems and data must be available to users, have proper
integrity, be in a usable format, and be secure.
„ Architecture: Hardware, software, applications, and how people use
them should be structured in a way that meets governance objectives.
„ Metadata: Data describing other data must be robust in terms of
breadth and specificity.
„ Policy: IT governance practices and policies should be documented,
followed, and updated regularly by management as governance
objectives change over time.
„ Quality: Information quality and integrity standards should be in place
so that data has no anomalies, such as missing values, duplicate values,
transposed values, or mismatched records.
„ Regulatory Compliance and Privacy: Information collection, storage,
and use practices should comply with regulatory requirements for
personally identifiable information (PII), personal health information (PHI),
and other information subject to privacy laws or regulatory standards.
„ Security: Systems should only be accessed by authorized users in a way
that safeguards an organization's IT infrastructure.

Three common frameworks are COSO's Internal Control—Integrated
Framework, ISACA's Control Objectives for Information and Related
Technology (COBIT) framework, and Axelos' Information Technology
Infrastructure Library (ITIL) framework.


3 Aligning IT Governance With Organizational Objectives

IT governance practices allow an organization to achieve its goals and
objectives as described in its overall vision and strategy.

3.1 Vision
A company's vision represents its aspirations and goals and is typically
described in a vision statement. IT governance policies should be designed
to facilitate the achievement of that vision.

3.2 Corporate Strategy


A corporate strategy shapes an organization's operations and business
model. Corporate strategy must be supported by an appropriate IT
strategy and IT governance.

3.3 IT Strategy
IT strategy should align with corporate strategy to achieve its objectives.
The following IT factors may affect a company's corporate strategy:

„ Network design
„ Cybersecurity
„ Disaster recovery and business continuity
„ Available IT personnel

4 Structuring and Executing IT Governance

Effective IT governance requires participation from all levels of an
organization. In addition, a well-functioning IT governance structure has
the right policies and procedures in place to remain relevant, provide
oversight, and align with organizational goals.

4.1 People
„ The board of directors is responsible for setting governance policies.
„ Executives ensure that an IT governance structure is in place and
executed effectively.
„ Middle management is responsible for carrying out governance policies.
„ IT support staff include network engineers, help desk, and
cybersecurity staff.
„ Accountants play an important role handling confidential information.

„ End users are responsible for following processes and procedures.
„ External stakeholders such as customers and vendors affect how
organizations utilize online commerce platforms.
„ Auditors and regulators may drive changes in IT governance to comply
with changing regulations.

4.2 Processes for Governance Execution


Governance teams must be well-positioned to assess and evaluate an
organization's needs, direct management to address those needs, and
effectively monitor the outcomes on a continuous basis.

„ Project development teams monitor projects, manage the human
element (resistance to change), communicate with users, and manage
risk and escalating issues that cannot be resolved within the team.
„ Steering committees develop and communicate strategic goals; review
the IT budget and the allocation of IT costs; provide ongoing guidance;
ensure management engagement and participation; and monitor the
project development team's progress.

5 Assessing IT Governance Risks


Risk assessment is an extremely important component of the IT governance
process. Identifying and assessing risks can be done by performing a
business impact analysis (BIA). The objectives of a BIA are to:

„ Identify IT Resources: Identify business units, departments, and
processes essential to sustain minimum operations.
„ Evaluate Impact and Likelihood of Risks: Categorize the identified
resources by the impact of loss, then by likelihood of that loss occurring.
„ Evaluate Outcomes: Determine the appropriate response based on
potential outcomes, categorizing responses into the following risk
actions: immediate action, delayed action, or no action.
„ Provide Quantitative Risk Analysis: Apply quantitative measures to
estimate the financial impact of a given risk. This is done by calculating a
risk's annualized loss expectancy (ALE).
„ Implement the Response: Identify and evaluate mitigation
recommendations. Perform a cost-benefit analysis and decide whether
to accept the risk, transfer it, or mitigate the risk.
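The quantitative step and the final accept/transfer/mitigate decision can be worked through numerically. The script below is an added example, not part of the textbook: it uses the standard formula ALE = SLE × ARO (single loss expectancy, the cost of one occurrence, times annualized rate of occurrence, the expected number of occurrences per year), compares each candidate control's cost with the ALE it avoids, and then applies a simple decision rule. The risk, control costs, and insurance premium are constructed assumptions, not figures from the page.

```python
"""Annualized loss expectancy (ALE) and the accept / transfer / mitigate decision.

ALE = SLE x ARO. A control is worth buying only if the ALE it removes exceeds
its own annual cost; if no control pays for itself, transferring the risk (for
example by insurance) is rational when the premium is below the ALE; otherwise
the risk is accepted. All figures below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Risk:
    name: str
    sle: float  # single loss expectancy: dollars lost per occurrence
    aro: float  # annualized rate of occurrence: 0.1 = once every ten years

    @property
    def ale(self) -> float:
        return self.sle * self.aro


@dataclass
class Control:
    name: str
    annual_cost: float                 # yearly cost of operating the control
    aro_after: float                   # expected ARO once the control is in place
    sle_after: Optional[float] = None  # reduced SLE, if the control also limits impact


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains after the control is applied."""
    sle = risk.sle if control.sle_after is None else control.sle_after
    return sle * control.aro_after


def annual_benefit(risk: Risk, control: Control) -> float:
    """Net annual benefit of a control: ALE avoided minus the control's cost.

    A negative value means the control costs more than the loss it prevents.
    """
    return (risk.ale - residual_ale(risk, control)) - control.annual_cost


def decide(risk: Risk, controls: List[Control],
           transfer_premium: Optional[float] = None) -> Tuple[str, object]:
    """Cost-benefit decision for one risk, returned as (action, detail).

    - 'mitigate' with the control that has the highest positive net benefit;
    - otherwise 'transfer' when an insurance premium is below the ALE;
    - otherwise 'accept', reporting the ALE the organization keeps carrying.
    """
    best = max(controls, key=lambda c: annual_benefit(risk, c), default=None)
    if best is not None and annual_benefit(risk, best) > 0:
        return "mitigate", best.name
    if transfer_premium is not None and transfer_premium < risk.ale:
        return "transfer", transfer_premium
    return "accept", risk.ale


# Constructed sample inputs (assumptions, not figures from the page).
FLOOD = Risk("server room flood", sle=400_000, aro=0.1)  # ALE = 40,000 per year
RAISED_FLOOR = Control("raised floor", annual_cost=5_000, aro_after=0.01)
RELOCATE = Control("relocate out of floodplain", annual_cost=50_000, aro_after=0.0)

if __name__ == "__main__":
    print(f"{FLOOD.name}: ALE = {FLOOD.ale:,.0f}/yr")
    for control in (RAISED_FLOOR, RELOCATE):
        print(f"  {control.name}: net benefit {annual_benefit(FLOOD, control):,.0f}/yr")
    print("decision:", decide(FLOOD, [RAISED_FLOOR, RELOCATE], transfer_premium=30_000))
```

With these inputs the raised floor removes 36,000 of the 40,000 ALE for 5,000 a year and is chosen; relocation eliminates the risk entirely but costs more than the loss it prevents, so on its own it would lose to a 30,000 insurance premium, and with a premium above the ALE the risk would simply be accepted.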


Question 1 MCQ-14518

Which of the following is responsible for carrying out IT governance
policies?
1. Board of directors
2. Executives
3. Middle management
4. End users

Question 2 MCQ-14519

Which of the following represents a company's aspirations and goals?
2. Corporate strategy
3. IT strategy
4. Steering committee

Topic B: The Role of IT in Business

1 The Role of IT in Business


The application of information technology (IT) in an organization is the
systematic implementation of hardware and software so that data can be
transmitted, modified, accessed, and stored.

2 IT Infrastructure
The supporting IT architecture within most companies has multiple,
interconnected technological components, with the core infrastructure
involving a combination of on-site and outsourced hardware, software, and
specialized personnel.

2.1 Hardware
The physical components of computers and computer-related accessories
are referred to as computer hardware. Hardware includes computer
components as well as external peripheral devices.

„ Computer Hardware: This includes microprocessors, graphics and
sound cards, hard drives, random access memory, the power supply, and
the motherboard.
„ External Hardware Devices: These include computer mice, keyboards,
speakers, microphones, disk drives, memory devices, network cards,
monitors, printers, scanners, and networking equipment.
„ Infrastructure Housing: This includes advanced security systems to
monitor and control access as well as ventilation and climate control.

2.2 Networking Devices


Networking hardware enables connectivity and communication between
devices on a computer network.

„ Modems: Modems connect an organization's network to the internet
service provider's line.
„ Routers: Routers forward traffic between networks and manage the
paths that traffic takes, connecting an organization's devices into a network.
„ Switches: Switches connect devices within a single network and forward
traffic only to the port of the intended device, which segments traffic
within the network.
„ Gateway: A gateway is a computer or device that acts as an
intermediary between different networks.

„ Servers: Servers are physical or virtual machines that provide
functionality by executing commands requested by computer
applications within the same or separate hardware.
„ Firewall: Firewalls are software applications or hardware devices that
protect a computer network by filtering traffic according to a set of
security rules.

2.3 Software
Software consists of the applications, procedures, or programs that provide
instructions for a computer to execute. Software that is embedded in
hardware that instructs the hardware how to operate is known as firmware.

2.4 Networks
A network is a group of computers and other machines that are
interconnected electronically using a series of networking devices.
Common types of networks include local area networks (LANs) and wide
area networks (WANs).

2.5 Mobile Technology


Mobile technology is technology that travels with the user and can allow
organizational activities to occur in real time. Mobile technology combines
hardware, such as laptops, tablets, hot spots, and mobile phones, with
mobile applications and operating systems that allow connectivity to
networks.

3 The Role of Management Information Systems

Management information systems (MIS) enable companies to use data as
part of their strategic planning process as well as the tactical execution
of that strategy. MIS reports provide feedback on daily operations and
financial and nonfinancial information to support both internal and external
business decisions.

3.1 Accounting Information System (AIS)


The system that accountants and financial managers interact with the most
is the AIS. An AIS typically has three subsystems.

„ Transaction Processing System (TPS): A TPS converts economic events
into financial transactions. A TPS typically covers three main transaction
cycles: sales cycle, conversion cycle, and expenditure cycle.
„ Financial Reporting System (FRS) or General Ledger System (GLS):
The FRS/GLS aggregates daily financial information from the TPS to
enable timely reporting.
„ Management Reporting System (MRS): An MRS provides internal
financial information to solve day-to-day business problems.

An AIS has three main functions:

1. Collect, record, and store data and transactions
2. Transform data into information through compilation and reporting
3. Safeguard and maintain data integrity

3.2 Decision Support System (DSS)


A DSS is an extension of an MIS that provides interactive tools to support
day-to-day decision making. A DSS may provide information, facilitate the
preparation of forecasts, or allow modeling of various aspects of a decision
to create "what if" scenarios.

3.3 Executive Information System (EIS)


Executive information systems provide senior executives with immediate
and easy access to internal and external information to assist in strategic
big-picture decision making. An EIS usually is in the form of a dashboard
that consolidates information so that senior executives can quickly evaluate
key statistics with visualizations in a format and level of detail appropriate
for senior executives, but also with the ability to drill down when necessary.

3.4 Customer Relationship Management System (CRM)

Customer relationship management systems are designed to focus on
customer needs by capturing information about customers to create
profiles that can be used to tailor marketing efforts and promotions.
Companies can then use business intelligence functionality in CRM
software to automate recommendations and identify cross-selling
opportunities, which can be executed using direct offers or loyalty reward
programs.

3.5 Inventory Management


Inventory management systems track item quantities and trigger
reordering when quantities fall below a predetermined level.

3.6 Knowledge Management System (KMS)


A KMS refers to any IT system that acts as a resource repository or
disseminates knowledge in a way that supports the organization through
supplemental information about products or service delivery.

3.7 Supply Chain Management (SCM)


An integrated supply chain management system unifies several supply
chain functions, such as purchasing, materials handling, production
planning and control, logistics and warehousing, inventory control, and
product distribution and delivery.


3.8 Enterprise Resource Planning (ERP)


An ERP system is utilized to support different business functions and
integrates information across departments.

3.9 Enterprise Performance Management (EPM)


EPM systems are software programs designed to help executives make
strategic decisions. An EPM enables leaders to plan, budget, and forecast
business performance and to consolidate financial results.

EPM systems differ from ERP systems. EPM is more management-process


focused, whereas ERP is more focused on operational processes and
information technology integration.

3.10 E-Commerce
Electronic commerce platforms facilitate the sale of goods and services
using the internet. There are five types of e-commerce:

„ Business-to-Business (B2B): B2B e-commerce involves the buying and
selling of goods and services between business entities.
„ Business-to-Consumer (B2C): B2C e-commerce involves businesses
selling goods to customers.
„ Consumer-to-Business (C2B): In this type of e-commerce model,
consumers sell goods or services to businesses.
„ Consumer-to-Consumer (C2C): C2C e-commerce functions as an online
marketplace in which individual consumers buy and sell goods with
each other.
„ Government E-Commerce: Government e-commerce is the electronic
exchange of goods and services between a government and its
constituents (a consumer or a business).

3.11 Communication
Email is utilized by most companies. Other communication options used
are telephone networks, videoconferencing, instant messaging, texting,
and social media platforms.

4 IT Outsourcing and Cloud Computing
Some organizations expand beyond their internal IT infrastructure and
utilize third-party external service providers. This strategy is known as
IT outsourcing and utilizes a variety of IT solutions, including cloud
computing, virtualization, and application service providers. Outsourced
services include application software, data entry, data storage, data
management, disaster recovery, and network management.


4.1 Cloud Computing

Cloud computing is renting storage space, processing power, proprietary
software, or a combination of the three, on remote servers of another
company rather than buying or building those components. For the customers
of cloud computing, the service offers infrastructure elasticity, renting only as
much as needed. Customers also benefit because the cloud service provider
performs all maintenance and tech support on this hardware.

4.2 IT Outsourcing Advantages

IT outsourcing advantages include lower costs, easy access to IT experts,
access to specialized resources, and enhanced focus on the core business.

4.3 IT Outsourcing Disadvantages

The disadvantages of IT outsourcing include less control over IT
operations, potential quality control issues, and delayed access to IT
personnel.

4.4 IT Outsourcing Risks

IT outsourcing risks include concerns about security and privacy, the
possibility that data will become inaccessible or inadvertently deleted, and
vulnerability to attacks.

4.5 System and Organization Controls (SOC)

The System and Organization Controls (SOC) reports are a collection
of reports developed by the American Institute of Certified Public
Accountants (AICPA) to be issued in connection with the evaluation of
"system-level controls" or "entity-level controls" for service-based firms.
There are three reports that these types of engagement can produce: a
SOC 1® report, a SOC 2® report, and a SOC 3® report.

■ SOC 1®: The objective of SOC 1® reports is to provide assurance
that the service organization's controls are designed and operating
effectively so that the financial statements are not negatively impacted.
The use of SOC 1® reports assists in mitigating the inherent risks in
outsourcing IT functions. Two types of SOC 1® reports can be provided
by service organizations:
• The Type 1 report focuses on the fairness of the presentation of
management's description of the service organization's system and
the suitability of the design of the controls to achieve the related
control objectives included in the description as of a specified date.
• The Type 2 report focuses on the fairness of the presentation of
management's description of the service organization's system
and the suitability of the design and operating effectiveness of the
controls to achieve the related control objectives included in the
description through a specified period. The key difference from
Type 1 is the time period over which the attestation is being made.

■ SOC 2®: A SOC 2® report is for users who need attestation concerning
controls as they relate to security, processing integrity, availability, and
privacy. These reports are important for vendor management, oversight
of a company, risk management, corporate governance, and regulatory
oversight. SOC 2® reports also have two types:
• Type 1 is a report of management's explanation or description of a
given service company's system as well as the suitability of control
design, as of a single point in time.
• Type 2 is also a report of management's explanation or description of
a company's system and control design, together with the operating
effectiveness of those controls over a period of time.

■ SOC 3®: SOC 3® reports are also for users who need attestation
concerning controls as they relate to security, processing integrity,
availability, and privacy. However, this report is for companies that
do not have the knowledge required to make effective use of a
SOC 2® report.

Question 1 MCQ-14520

Which of the following is a disadvantage of outsourcing?

1. Access to specialized resources
2. Enhanced focus on the core business
3. Less control
4. Reduced costs

Question 2 MCQ-14521

A large retail company employs an e-commerce system through which
customers can buy directly from the company via the company's
website. What business model is the company using?

1. Business-to-business (B2B)
2. Business-to-consumer (B2C)
3. Consumer-to-business (C2B)
4. Consumer-to-consumer (C2C)

Topic C
Data Management and Analytics

1 The Evolving Role of Big Data in the Decision-Making Process
Due to rapid advancements in technology, the type and volume of data
being created are continually increasing at unprecedented rates. To
leverage the power of this data, companies must first identify a data
point, then capture it, store it, protect it, and eventually dispose of it,
if appropriate.

1.1 Defining Data

Data can be defined as a fact, occurrence, instance, or other measurable
observation. Data can be in a variety of forms, such as numerical digits,
alphanumeric text, images, video, or audio recordings.

1.2 Defining Big Data

Big Data refers to the corporate accumulation of massive amounts of data
that can be used for analysis (data analytics).

1.3 Dimensions of Big Data

There are five dimensions of Big Data, often referred to as the Five Vs of
Big Data:

■ Volume: Volume represents the quantity or amount of data points.
■ Velocity: Velocity refers to the speed of data accumulation or data
processing.
■ Variety: Variety refers to the range of data types being processed
or analyzed. Three general categories of data are structured data,
unstructured data, or semi-structured data.
■ Veracity: Veracity represents the reliability, quality, or integrity of the data.
■ Value: Value refers to the insights Big Data can yield.

1.4 Big Data Governance

Big Data comes with challenges, such as ethical and legal concerns
pertaining to the organization itself, employees, customers, and
stakeholders. An IT governance program should provide guidance on how
sensitive data should be captured, maintained, and disposed of during its
life cycle.

■ Big Data Confidentiality: Confidential information must be
safeguarded to protect it from unauthorized access and exploitation.
■ Big Data Privacy: Customer and patient information must also be
safeguarded from unauthorized access to meet consumer privacy
expectations as well as regulatory requirements.

■ Big Data Ethics: Organizations should make sure authorized personnel
are granted the minimum level of access to the data necessary to perform
their job functions. This includes assigning rights that limit users' ability to
create, read, edit, and delete data based on role and job function.
■ Governance Responsibility: An organization's governance program
should be led by a designated individual. Management of the program
should involve all aspects of an organization that captures, maintains,
stores, and uses data of any kind.

2 Data Management
Data management is key for every organization. Ensuring that the data is
maintained and stored appropriately is vital to the decision-making process.

2.1 Storing Data in Relational Databases

■ One of the most efficient and effective methods for data storage and
retrieval is a relational database. Relational databases allow data stored
in different tables to be linked through relationships using key fields.
■ Relational database key concepts include tables, attributes (columns),
records (rows), fields, data types, and database keys.
■ Primary keys are unique identifiers for a specific row in a table made up
of one or more attributes. Foreign keys are attributes in one table that
are primary keys in another.
■ A data dictionary, also referred to as metadata, provides information
about the data in a database. A data dictionary typically lists each
attribute as well as features and limitations of that attribute. Features
include the data type, field size or length, and whether the data is a
primary, foreign, or non-key attribute.
■ Database views are of two broad types: logical and physical.
• Logical Database View: The logical view is how the data appears to
a user. It is what the user sees.
• Physical Database View: The physical view pertains to how the data
is actually stored within the database.
■ Extracting data can be done with query tools. Once a query is designed
and executed, the results of the query can be visually displayed in a
database report. End users utilize the reports to assist with data analysis
and decision making.

3 Extract, Transform, and Load

It is important to understand the extract, transform, and load process
(ETL). This is the process in which data is captured from its source and
manipulated in a way that allows it to be transferred to a format readable
by another system so that it can be used or further analyzed.


3.1 Data Extraction

Data extraction can be an automated process, semiautomated process,
or manual extraction. The source and means of accessing the data must
be determined in the initial ETL setup phase. This will dictate the tools
needed for designing the extraction process.

3.2 Transforming the Data

One of the most time-consuming steps in the ETL process is the
transformation step because it requires that unstructured data be cleaned,
formatted, enhanced, and validated so that it is accurate and ready for
analysis.

3.3 Loading the Data

The final step of the ETL process is to load the data into a destination
application or database for analysis or storage.

■ Storing Data: Data can be stored in a variety of locations/repositories,
including an operational data store, a data warehouse, a data mart, or a
data lake.
■ Data Storage Requirements: Special considerations and constraints
apply to relational databases. Primary keys must be utilized for a
database to establish and maintain entity integrity. In a relational
database, a change to a primary key in one table must also cause a
change to any related foreign key in a linked table. This maintains the
referential integrity of the database.
■ Data Storage Attributes: The purpose of a data repository must be
defined to help users understand a repository's relevance. Defining
which attributes are included will outline the universe of data points
housed within a repository. The relationships among data must be
maintained to ensure validity, completeness, and accuracy.
■ Types of Loading: Data loading can take several forms, including initial
(full) loading, incremental loading, and full refresh loading.
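The ETL steps in 3.1 through 3.3 and the relational-database concepts in 2.1 (primary and foreign keys, entity and referential integrity, the data dictionary, logical views, and query reports) are shown together below in an added example that is not taken from the Becker text. It uses Python's standard sqlite3 module as the destination database; the CSV rows, table and column names, and region list are constructed assumptions. It goes slightly beyond the text by exercising all three loading types named above (initial, incremental, full refresh) against the same data.

```python
# Added example, not from the Becker text: ETL into a small relational
# database (SQLite). Sample rows, table names and regions are constructed.
import csv
import sqlite3
from datetime import date

# Extract-stage input, deliberately dirty: inconsistent casing and
# whitespace, a currency sign, unparseable amount, and a non-ISO date.
RAW_SALES_CSV = """order_id,region,amount,order_date
1001, east ,250.00,2022-03-01
1002,West,$1200.50,2022-03-02
1003,EAST,abc,2022-03-03
1004,North,75.25,03/04/2022
1006,East,300.00,2022-03-06
"""
KNOWN_REGIONS = ("East", "North", "South", "West")  # assumed reference list

SCHEMA = """
CREATE TABLE region (region_id TEXT PRIMARY KEY);           -- entity integrity
CREATE TABLE sales (
    order_id   INTEGER PRIMARY KEY,
    region_id  TEXT NOT NULL REFERENCES region(region_id) ON UPDATE CASCADE,
    amount     REAL NOT NULL CHECK (amount > 0),
    order_date TEXT NOT NULL);                              -- region_id keeps referential integrity
CREATE VIEW sales_by_region AS                              -- logical view seen by report users
    SELECT region_id, COUNT(*) AS orders, ROUND(AVG(amount), 2) AS avg_amount
    FROM sales GROUP BY region_id;
"""

def extract(csv_text):
    """Extract: read the source rows exactly as they are."""
    return list(csv.DictReader(csv_text.splitlines()))

def transform(rows):
    """Transform: clean, format and validate. Returns (clean_rows, rejected)."""
    clean, rejected = [], []
    for row in rows:
        region = row["region"].strip().title()
        amount_text = row["amount"].strip().replace("$", "").replace(",", "")
        try:
            amount = float(amount_text)
            order_date = date.fromisoformat(row["order_date"].strip())
        except ValueError:
            rejected.append((row["order_id"], "unparseable amount or date"))
            continue
        if region not in KNOWN_REGIONS or amount <= 0:
            rejected.append((row["order_id"], "unknown region or non-positive amount"))
            continue
        clean.append({"order_id": int(row["order_id"]), "region": region,
                      "amount": round(amount, 2), "order_date": order_date.isoformat()})
    return clean, rejected

def connect():
    """Destination database; SQLite enforces foreign keys only with the PRAGMA on."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO region VALUES (?)", [(r,) for r in KNOWN_REGIONS])
    conn.commit()
    return conn

def load(conn, rows, mode="incremental"):
    """Load: 'initial' fills an empty table, 'incremental' adds only unseen
    order_ids, 'full_refresh' replaces everything. Returns rows added."""
    if mode == "full_refresh":
        conn.execute("DELETE FROM sales")
    verb = "INSERT OR IGNORE" if mode == "incremental" else "INSERT"
    before = conn.execute("SELECT COUNT(*) FROM sales").fetchone()[0]
    conn.executemany(verb + " INTO sales VALUES (?, ?, ?, ?)",
                     [(r["order_id"], r["region"], r["amount"], r["order_date"]) for r in rows])
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM sales").fetchone()[0] - before

def data_dictionary(conn, table):
    """Metadata per attribute: name, data type, NOT NULL flag, primary-key flag."""
    return [(name, dtype, bool(notnull), bool(pk))
            for _, name, dtype, notnull, _, pk in conn.execute(f"PRAGMA table_info({table})")]

def rename_region(conn, old, new):
    """A primary-key change cascades to the related foreign keys; returns rows now linked."""
    conn.execute("UPDATE region SET region_id = ? WHERE region_id = ?", (new, old))
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM sales WHERE region_id = ?", (new,)).fetchone()[0]

def orphan_rejected(conn):
    """A sales row that points at a region that does not exist is refused."""
    try:
        conn.execute("INSERT INTO sales VALUES (9999, 'Mars', 1.0, '2022-01-01')")
        return False
    except sqlite3.IntegrityError:
        conn.rollback()
        return True

def report(conn):
    """Database report built on the logical view."""
    return conn.execute("SELECT * FROM sales_by_region ORDER BY region_id").fetchall()

def run_pipeline():
    conn = connect()
    clean, rejected = transform(extract(RAW_SALES_CSV))
    added = load(conn, clean, mode="initial")
    re_added = load(conn, clean, mode="incremental")  # rerun finds nothing new
    return conn, clean, rejected, added, re_added
```

Running `run_pipeline()` rejects the two rows that fail validation and loads the other three; the second, incremental run adds nothing because the primary key already holds every order_id. `rename_region` shows the cascade required by the Data Storage Requirements bullet, and `orphan_rejected` shows the database refusing a row that would break referential integrity. The same query behind `sales_by_region` (average sales by region) is the kind of descriptive summary discussed in Section 4.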

4 Data Analytics
Data analytics is the process of taking raw data, identifying trends, and
then transforming that knowledge into insights that can help solve complex
business problems. There are four key applications in data analytics.

4.1 Descriptive Analytics

Descriptive analytics indicate what happened. This form of analytics
summarizes the activity that has occurred within a given data set by
observing measures such as the minimum, maximum, mean, or by sorting
data to reveal patterns.


4.2 Diagnostic Analytics

Diagnostic analytics reveal why an event happened. This goes a step
beyond descriptive analytics and attempts to uncover correlations,
patterns, and relationships within a data set to explain why an event or
result occurred.

4.3 Predictive Analytics

Predictive analytics help forecast future data points by transforming
insight into foresight, and project what will happen based on historical
data. Common predictive analytic techniques include regression analysis,
classification analysis, and decision trees.

4.4 Prescriptive Analytics

Prescriptive analytics reveal how to achieve a desired event by
"prescribing" what the next course of action should be in order to reach
that outcome. Prescriptive analytics take the probability learned from
predictive analytics and turn that into recommendations and optimal paths
with a high likelihood of favorable outcomes. Common prescriptive analytic
techniques include artificial intelligence and scenario modeling.

Data analytics can be used in many aspects of the decision-making
process: customer and marketing analytics, managerial and operational
analytics, risk and compliance analytics, financial analytics, audit analytics,
and tax analytics.

5 Data Visualizations
It is important to select the right communication technique when
interpreting insights from Big Data analysis. Turning complex data sets into
easily read and understood visualizations makes the decision process more
accessible, efficient, and effective for decision makers.

5.1 Types of Data

The type of data being presented can determine the choice of data
visualization utilized. There are two broad categories of data.

■ Qualitative Data: Qualitative data is nonnumerical and categorical
in nature. Nominal qualitative data is the simplest form and cannot
be ordered or ranked. Ordinal qualitative data can be ranked in a
meaningful way, such as from cold to hot.
■ Quantitative Data: Quantitative data is numerical in nature and may
be discrete or continuous. Discrete values represent a finite number of
figures within a given range, whereas continuous values can have an
infinite number of values within a range.


5.2 Types of Data Visualizations

There are many different visualization types and techniques.

■ Line charts
■ Column charts
■ Stacked column charts
■ Scatter plots
■ Boxplots
■ Dot plots
■ Geographic maps
■ Symbol maps
■ Pie charts
■ Pyramid
■ Flowcharts
■ Waterfall charts
■ Directional charts

5.3 Visualization Tool Capabilities

Among the most important capabilities needed in visualization tools to
support modeling and analysis are those that promote versatility in using
the data and allow multiple types of visualizations to be created using one
data set.

Transforming raw data into a form that can be fed into many visualizations
improves that data's communication potential.

5.4 Design Considerations for Data Visualizations

■ Scale Appropriately: The scaling of the axes should not be misleading.
Typically, numeric value scaling should start at zero.
■ Use Legends Appropriately: If there are more than four or five colors,
avoid using a legend.
■ Avoid Bias: Do not present data in such a way that would direct the
reader toward a specific conclusion.
■ Use Consistent Time Periods: Do not compare results from a longer
period with those from a shorter period.
■ Use of Color: Use colors that can be easily seen and follow
cultural norms.
■ Use Clear and Easy-to-Read Titles and Labels: Labels should be used
sparingly or only when accuracy is necessary.


Question 1 MCQ-14522

An organization has decided to analyze social media postings
concerning the industry in which it operates. The resulting data
includes text, numbers, images, and videos. Which Big Data dimension
best describes this data?

1. Volume
2. Velocity
3. Veracity
4. Variety

Question 2 MCQ-14523

If an organization is analyzing sales by looking at the average sales by
region, which type of data analytics process is it implementing?

1. Predictive analytics
2. Diagnostic analytics
3. Prescriptive analytics
4. Descriptive analytics

Topic D
System Development and Change Management

1 Evolving the IT Infrastructure

As information technology (IT) equipment reaches the end of its useful life
and as technology advances, organizations update their IT infrastructure
over time to keep pace with these shifts or to be early adopters.
Organizations can update existing software and hardware, acquire new
hardware and software, or develop infrastructure in-house. All of these
approaches can be effective and come with potential risks that must be
managed.

2 Change Management Overview

Change management is used to describe policies, procedures, and
resources employed to govern change in an organization. With any
change, potential risks need to be mitigated to minimize disruption to core
business functions and operations.

A robust change management process should involve steps that identify
and define the need for change, create design goals, obtain proper
approval, develop a budget and time line, assign resources, identify risk,
test the change, implement the change, and review and monitor post-
implementation.

3 Change Management Risks

A key component of change management is identifying potential risks that
could occur as a result of the change. These risks are present in all steps of
change from acquisition to implementation and can affect existing systems,
processes, and employees.

3.1 Selection and Acquisition Risks

■ Lack of Expertise: This is the risk that those acquiring or implementing
software or hardware do not understand organizational needs. There is
also the risk that personnel using the software do not have the expertise
or ability to operate it.

■ Lack of Formal Selection and Acquisition Process: This is the risk
that an organization either does not have, or does not follow, a formal
selection and acquisition process. This could result in overspending,
inappropriate related party transactions or kickbacks, or software that
does not align with the IT governance strategy.
■ Software/Hardware Vulnerability and Incompatibility: There is the
risk that proper safeguards and security features do not exist or that
newly acquired hardware and software are incompatible with existing
resources.

3.2 Integration Risks

■ User Resistance: There is a risk that employees do not adapt to
change, ignore training, and ultimately do not follow through with
change appropriately.
■ Lack of Management Support: If management does not provide both
resources and adequate support, employee resistance is magnified.
■ Lack of Stakeholder Support: Stakeholders, including employees,
suppliers, and customers, may have an adverse reaction or disposition
toward change.
■ Resource Concerns: Appropriate resources may not be made available
for the change, which may lead to ineffective implementation.
■ Business Disruptions: Change could cause significant disruptions to
core functions and could have long-term negative consequences on
the organization.
■ Lack of System Integration: Organizations operate many different
systems, some of which may not effectively adapt or integrate with more
modern systems.
■ Compliance Risk: Organizations must adequately configure the way
applications manage data so that information flows through a system in
a way that is compliant with regulations.

3.3 Outsourcing Risks

Outsourcing change management saves costs but comes with risks.

■ Lack of Organizational Knowledge: Disruptions could occur if a third
party does not comprehend the organization's business model.
■ Uncertainty of the Third Party's Knowledge and Management: There
is a risk that the external party has ineffective or weak management,
inexperienced or underqualified staff, or a lack of technology expertise.
■ Failure of the Third Party Delivering: If a key system within a process
is outsourced, the dependency of an entire function could be at risk.
Critical process components should be identified to mitigate this risk.
■ Lack of Security: There is a risk that an external organization does not
have sufficient or effective safeguards to make sure that client, customer,
employee, or operational information is kept secure.
■ Lack of Quality: Outsourced IT products and services do not always
meet expected quality standards.

■ Unexpected Costs: Not all costs are evident when implementing a
system. Systems that require substantial support can drive up costs.
■ Lack of Key Performance Indicators (KPIs): If there are no agreed-
upon KPIs or service delivery targets, operations could be derailed.

4 Change Management Controls

4.1 Change Management and New Systems Controls

Once all risks in the change management process have been identified,
controls are designed to minimize the possibility that risks will cause
business disruptions or negatively impact IT systems. Change management
controls include the following:

■ Policies and procedures
■ Emergency change policies
■ Standardized change requests
■ Impact assessments
■ Authorization controls
■ Separation of duties
■ Conversion controls
■ Reversion access
■ Pre-implementation testing
■ Post-implementation testing
■ Ongoing monitoring

5 Managing Risks of Systems Development

Organizations may acquire a new system or choose to develop a new
system in-house. Both processes have their own risks and concerns but still
follow the general systems development life cycle.

The system development life cycle (SDLC) is a framework that organizes
tasks at each phase of development and use of a business process. There
are two strategies for managing the SDLC in general use today. The first
strategy is called the traditional method or the waterfall model. The second
method, called agile development, evolved from the waterfall model.


5.1 The Waterfall Model

The waterfall method has the following seven steps:

1. Plan: Evaluate the need for a new or improved information system.
2. Analyze: Gather information from all vital stakeholders.
3. Design: Start designing the system to meet agreed-upon user needs.
4. Develop: Execute the technical implementation plan created in
prior phases.
5. Test: Check the system for adherence to the business requirements.
6. Deploy: Document an implementation strategy to deliver the system to
end users.
7. Maintain: Make ongoing adjustments and improvements to keep the
system operating at an optimal level.

5.2 The Agile Method

Agile is characterized by cross-functional teams, each dedicated to
particular functions or improvements of a system drawn from a prioritized
list of the customer's remaining needs for the system. The Agile principles
are as follows:

1. Satisfy the customer with early and continuous delivery of the highest-
priority features.
2. Welcome change: A change request is an opportunity to be closer to
the customer needs.
3. Deliver working software frequently: Working software is the primary
measure of progress.
4. Complete only the work requested by the customer.
5. Conduct short, frequent, and regular meetings to maintain focus and
make adjustments.

5.3 Systems Development and New Systems Risks

An organization faces many risks in the systems development life cycle.
These risks can cause delays, inefficiencies, and wasted resources.

■ Resource Risk: This is the risk that allocation of resources related to
finance, labor, or time is insufficient.
■ Scheduling Risk: If schedules are not met, if they do not factor in
uncertainties, or if a scope expansion happens, the entire project will be
delayed.
■ Technical Risk: This is the risk that the development team does not
have the required technical knowledge or that the technical design and
functionality do not align with user needs.

■ Project Management Risk: This is the risk that the project management
team does not have clearly defined leadership, team member roles,
responsibilities, and project goals.
■ User Resistance Risk: This is the risk that employees will not accept the
new system.

6 Managing Risks of Legacy Systems

Maintaining legacy systems is common at many organizations due to many
factors, such as comfort with existing systems and unwillingness to pay
for upgrades.

6.1 Reasons for Persistence of Legacy Systems

■ Costs: The cost to purchase or develop a new system can be
extremely high.
■ Time: Implementing a new system means allocation of employee time.
■ User Resistance: Users may be comfortable with the old system and
resistant to change.
■ Features and Customization: Existing systems may have features that
are difficult to replicate.
■ Risk of Information Loss: Transferring data to a new system risks having
data and information corrupted or lost.

6.2 Risks of Legacy Systems

■ Security Vulnerability: Legacy systems may be vulnerable regarding
security, including hacking and cyberattacks.
■ Lack of Vendor Support: Eventually support for legacy systems will end.
■ Compatibility Issues: Legacy systems may be incompatible with
modern systems.
■ Lack of Efficiency and Effectiveness: Legacy systems may not be able
to compare with the speed or reliability of a modern system.

6.3 Mitigating Risks of Legacy Systems

■ Isolate the System: Isolating a high-risk legacy system from other
systems in a separate physical or virtual environment can help limit the
potential damage if someone gains unauthorized access.
■ Hardening: This involves turning off any unnecessary features of the
legacy system to reduce potential exposure.
■ Virtual Patches: If no security patches are available for legacy software
or hardware, a virtual patch could be applied at the network level before
it reaches the legacy system.
■ Monitoring: Frequent review and monitoring of legacy system logs and
changes help to detect any unusual system activity.
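The monitoring item above, combined with the isolation and hardening items, can be turned into a concrete log review. The following is an added example, not from the Becker text: it reads constructed log lines from a legacy host and flags activity that contradicts the controls that are supposed to be in place. The log format, the allowed source subnet, the list of disabled services, and the maintenance window are all assumptions made for the example.

```python
# Added example, not from the Becker text: reviewing legacy-system logs
# against the isolation, hardening and monitoring controls. The log format,
# subnet, disabled services and maintenance window are assumptions.
import ipaddress
import re
from datetime import datetime

ALLOWED_SOURCE_NET = ipaddress.ip_network("10.20.30.0/24")  # only this segment may reach the host
DISABLED_SERVICES = {"telnet", "ftp"}                        # switched off during hardening
MAINTENANCE_WINDOW = (22, 6)                                 # admin work expected 22:00 to 06:00 only

# Constructed sample lines: "<timestamp> <source ip> <service> <user> <event>"
SAMPLE_LOG = """\
2022-06-01T23:05:10 10.20.30.7 ssh admin login_ok
2022-06-01T23:40:02 10.20.30.7 ssh admin config_change
2022-06-02T09:15:44 10.20.30.12 ssh operator login_ok
2022-06-02T10:02:31 192.168.77.5 ssh operator login_ok
2022-06-02T10:03:09 10.20.30.12 telnet operator login_ok
2022-06-02T14:30:00 10.20.30.7 ssh admin login_ok
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def in_maintenance_window(ts):
    start, end = MAINTENANCE_WINDOW
    return ts.hour >= start or ts.hour < end  # the window wraps past midnight


def review(log_text):
    """Return (category, detail) findings, one per line that contradicts a
    control: isolation (unexpected source), hardening (disabled service still
    answering) or monitoring (admin activity outside the maintenance window)."""
    findings = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            findings.append(("unparseable", line))  # never silently drop a line
            continue
        ts_text, src, service, user, event = match.groups()
        ts = datetime.fromisoformat(ts_text)
        if ipaddress.ip_address(src) not in ALLOWED_SOURCE_NET:
            findings.append(("isolation", f"{src} reached the host from outside {ALLOWED_SOURCE_NET}"))
        if service in DISABLED_SERVICES:
            findings.append(("hardening", f"{service} answered {user}; it should be disabled"))
        if user == "admin" and not in_maintenance_window(ts):
            findings.append(("monitoring", f"admin {event} at {ts_text} outside the maintenance window"))
    return findings


def summary(findings):
    """Counts per category, the figure a reviewer would track over time."""
    counts = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts
```

On the sample lines the two night-time admin entries are expected and produce nothing; the review reports one finding in each category: the connection from outside the isolated segment, the telnet session that hardening should have made impossible, and the afternoon admin login. Each finding points back to the control that failed, which is what makes the review actionable rather than just a list of events.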


7 Information System and Change Management Testing Strategies

An ongoing testing plan for information technology is necessary to detect
problems or functional issues.

7.1 Purpose of Testing

Testing software that was developed in-house determines whether the
software is operating as expected; discovers errors, defects, and gaps in
the software; and verifies that the end product meets the business and
user requirements.

7.2 Software Testing Process

The software testing process generally follows these six steps:

1. Establish a testing plan including roles, responsibilities, and a time line.
2. Identify and prioritize the key areas of the software to test.
3. Determine which type of test to run and specify the test objectives.
4. Execute the tests.
5. Log the results and identify defects.
6. Report the findings and fix the defects in a timely manner.

7.3 Guidelines for Successful Testing

The following steps represent best practices for testing:

■ Develop a test plan that identifies major bugs early in the
development process.
■ Build robust software that allows for automated testing.
■ Conduct formal technical reviews to assess the test strategy and
test cases.
■ Develop a continuous test approach over the life cycle of the software.

7.4 Type of Tests

The complex nature of systems development requires a variety of
systems testing.

■ Unit Tests: Unit tests are used to validate the smallest components of
the system.
■ Integration Tests: Integration testing determines if the units function
together as designed.
■ Systems Tests: Systems tests evaluate the system as a whole and take
on many forms.
• Functional tests focus on testing the functions performed by the system.
• Black-box testing focuses on testing the system as an end user would
validate outcomes.

• White-box testing focuses on code and design improvement as
opposed to testing functionality.
• Gray-box testing combines both black-box and white-box testing
techniques with the tester evaluating from both a user and designer
perspective.
• Exploratory tests are utilized for the less-common or exception-based
situations.
• Performance testing is designed to test the run-time performance
of software.
• Recovery tests check the system's ability to recover from failures.
• Security testing verifies that authorized access levels function properly.
• Regression tests rerun test cases within the entire application.
• Stress testing checks the program to see how well it deals with
abnormal resource demands.
• Sanity testing exercises the logical reasoning and behavior of
the software.

■ Acceptance Tests: An acceptance test determines whether the software
works correctly.
• Alpha Test: The initial version of the completed software is tested
by the customer under the supervision of the developer at the
developer's site.
• Beta Test: A later version of the complete software is tested at the
customer's own site without the developer being present.
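The test types in 7.4 (unit, integration, security, stress, and regression) are easiest to tell apart when they are written against one small piece of code. The block below is an added example, not from the Becker text: the code under test is a role-based rights table of the kind described under Big Data Ethics in Topic C (rights limiting create, read, edit, and delete by role), and the roles, verbs, and record store are assumptions made for the example. Each test category is a function returning a list of pass/fail booleans so the categories can be reported separately or combined into a regression run.

```python
# Added example, not from the Becker text: test types applied to a small
# role-based access module. Roles, rights, verbs and the store are assumptions.

# Code under test: rights that limit create/read/edit/delete by role.
RIGHTS = {
    "analyst": {"read"},
    "editor": {"create", "read", "edit"},
    "admin": {"create", "read", "edit", "delete"},
}
ALIASES = {"get": "read", "view": "read", "post": "create",
           "put": "edit", "patch": "edit", "del": "delete"}


def parse_action(verb):
    """Smallest component: map a request verb onto one of the four rights."""
    verb = verb.strip().lower()
    return ALIASES.get(verb, verb)


def is_allowed(role, verb):
    """Unknown roles get no rights rather than an error (fail closed)."""
    return parse_action(verb) in RIGHTS.get(role, set())


def handle_request(role, verb, store, record_id, payload=None):
    """Authorisation is checked before the record store is touched."""
    if not is_allowed(role, verb):
        return "denied"
    action = parse_action(verb)
    if action == "read":
        return store.get(record_id, "missing")
    if action == "create":
        store[record_id] = payload
        return "created"
    if action == "edit":
        if record_id not in store:
            return "missing"
        store[record_id] = payload
        return "edited"
    store.pop(record_id, None)  # only "delete" reaches this point
    return "deleted"


# Tests grouped by the types named in the text; each returns pass/fail booleans.
def unit_tests():
    """Smallest components checked in isolation."""
    return [parse_action(" GET ") == "read",
            parse_action("patch") == "edit",
            is_allowed("editor", "delete") is False]


def integration_tests():
    """Units working together: verb parsing, authorisation and the store."""
    store = {}
    return [handle_request("editor", "post", store, 1, "v1") == "created",
            handle_request("editor", "put", store, 1, "v2") == "edited" and store[1] == "v2",
            handle_request("analyst", "get", store, 1) == "v2"]


def security_tests():
    """Authorized access levels function properly: no role acts beyond its rights."""
    store = {1: "v1"}
    return [handle_request("analyst", "delete", store, 1) == "denied" and 1 in store,
            handle_request("guest", "read", store, 1) == "denied",
            handle_request("admin", "del", store, 1) == "deleted" and 1 not in store]


def stress_tests(n=20000):
    """Abnormal demand: many requests against one store, then check the invariant."""
    store = {}
    for i in range(n):
        handle_request("admin", "post", store, i, i)
    for i in range(0, n, 2):
        handle_request("admin", "delete", store, i)
    return [len(store) == n // 2]


def regression_tests():
    """Rerun the whole set after any change to the module."""
    return unit_tests() + integration_tests() + security_tests() + stress_tests()


def run_suite():
    """Pass/fail per category, the shape a test log (step 5 in 7.2) would record."""
    return {name: all(fn()) for name, fn in
            [("unit", unit_tests), ("integration", integration_tests),
             ("security", security_tests), ("stress", stress_tests),
             ("regression", regression_tests)]}
```

The security tests are the ones worth noticing: they do not check that the module works, they check that it refuses to work for the wrong role and that an unknown role is denied rather than given defaults. A change that made `is_allowed` return `True` for unknown roles would still pass every unit and integration test and be caught only here, which is why the regression run includes them.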

7.5 Change Management Testing

Testing of the change management process and controls generally occurs
both within the organization (compliance, management review, and internal
audit) and outside the organization (regulators and external auditors).
This includes testing for changes that involve functions performed by
outsourced companies.

Question 1 MCQ-14524

In which step of the systems development process does an organization
evaluate the need for a new or improved information system?

1. Analyze
2. Design
3. Develop
4. Plan


Question 2 MCQ-14525

Which type of test checks the system to see how well it deals with
abnormal resource demands?
1. Sanity test
2. Stress test
3. Regression test
4. Security test

Topic E
IT Risks and Responses

1 Understanding IT Risks
As organizations integrate more technology into their operations, new and
greater risks materialize. The security life cycle is the process for identifying
and addressing risks.

1. Identify: Identify and document risks associated with technology assets.
2. Assess: Determine the likelihood of the risk and the level of impact.
3. Protect: Develop security policies and mitigation strategies.
4. Monitor: Continually monitor activities and acquisitions for new risks.

2 Identifying IT Risks

2.1 Technology Risk


Technology risk is the risk of disruption to business due to information
technology activity.

„ Security Risk: The risk associated with unauthorized access or use of an
organization's information technology.
„ Availability Risk: The risk that an organization is not able to access and
utilize its information technology.
„ Operational Risk: The risk that an organization is unable to operate
effectively or efficiently due to IT issues.
„ Financial Risk: The risk of losing financial resources as a result of misuse.
„ Compliance Risk: The risk of not meeting the requirements of
regulatory bodies.
„ Strategic Risk: The risk of misalignment of business and IT strategies.

2.2 Types of IT Threats


„ Natural and political disasters
„ Errors in software and equipment malfunctions
„ Accidental actions
„ Intentional actions


2.3 Risk Management


To successfully manage risk, organizations must meet the following
three objectives:

1. Integrate the management of IT risk into the overall risk management of


the enterprise.
2. Make well-informed decisions about the nature and extent of the risk,
the risk appetite, and the risk tolerance of the enterprise.
3. Develop a response to the risk.

2.4 IT Risk Mitigation Strategies and Roles


IT risks cannot be mitigated through software and hardware-based controls
alone. Management must determine what the overall risk appetite is for
the organization and develop a security strategy that includes policies
and procedures to align that risk appetite with information systems and
information technology.

„ Confidentiality, Integrity, and Availability (CIA) Triangle: Threats to
these three properties of information are addressed with access and
authorization controls, segregation of duties, and data processing controls.
„ Management's Risk Philosophy: Risk appetite must be determined to
build appropriate information security policies and procedures.
„ Establishing a Security Policy: A security policy defines how an
organization plans to protect its IT infrastructure and resources.
„ Security Policy Goals: The goal of a good security policy is to protect
the IT infrastructure and information.
„ Security Communication: The security policy should be communicated
to everyone within an organization.

3 The Role and Categorization of IT Controls
IT controls fall into two broad categories: general IT controls and
application IT controls. Their functions are to prevent, detect, or correct
issues and deficiencies.

3.1 Categories of IT Controls


„ General IT Controls (GITCs): General controls apply across the IT
environment (for example, access security, change management, and
computer operations) and are designed to ensure that an organization's
control environment is stable and well managed.
„ Application Controls: Application controls are software-specific
mechanisms, typically within a computer program, that manage user access,
permissions, and functionality and check the completeness and accuracy of
the data the program processes.
„ Software/Hardware Vulnerability and Incompatibility: Both categories of
control must address the risk that proper safeguards and security features
that are needed do not exist, and the risk that newly acquired hardware and
software are incompatible with existing resources that will remain in
production.


3.2 Nature of IT Controls


„ Manual Controls: A control performed by a person without making
direct use of automated systems.
„ Automated Controls: A control executed by a system without the need
for a person to initiate the control action or process.
„ IT-Dependent Manual Controls: A manual control that relies on
information produced by a system (for example, a manager reviewing a
system-generated exception report before approving the postings it lists).

3.3 Effectiveness of IT Controls


The effectiveness of IT controls should be evaluated regularly. The
evaluation considers whether roles and responsibilities are clearly
defined, control metrics exist, prior control testing is documented,
disciplinary actions and compliance investigations are recorded, employees
are trained, and policies and procedures are updated and reviewed
periodically.

3.4 Function of IT Controls


„ Preventive Controls: The function of preventive controls is to take
precautions to prevent problems in the future.
„ Detective Controls: The function of detective controls is to find issues
or deficiencies not averted by preventive controls.
„ Corrective Controls: Corrective controls are designed to identify,
repair, restore, and recover from issues that cause damage to a system
or process.

4 System Access and Segregation of Duties

4.1 Logical Access Controls


Logical access controls utilize software and protocols to monitor and
control access to information and an organization's IT infrastructure.

„ User Access Controls: These controls identify who is accessing the
system and track user activity.
„ Authentication Controls: These controls verify the unique identity of
individuals accessing the system.
• Passwords: A combination of characters known only to the user.
• Personal Identification Numbers (PINs): Numeric or alphanumeric
code that acts as an identifier to authenticate a user.
• Biometrics: Physical characteristics such as an iris scan, fingerprint, or
voice recognition.
• Smartcards or Physical Tokens: A physical device that has an
embedded chip or bar code that can be scanned for authentication.
• Authentication Codes: One-time codes, generated by a hardware token or
an authenticator app, that change at set intervals and serve as a
secondary validation of a user's identity.

• CAPTCHA (Completely Automated Public Turing test to tell
Computers and Humans Apart): A challenge-response test used to
determine whether a user is a human or a machine.
• Multifactor Authentication: A technique that requires more than
one form of authentication.

„ Managing Passwords: Passwords protect access to secure systems. A
password policy may include the following characteristics:
• Password Requirement: Every account must have a password.
• Password Length: Longer passwords are more effective; length adds more
strength than character-class rules do.
• Password Complexity: Strong passwords mix uppercase, lowercase,
numeric, and special (non-alphanumeric) characters and are not dictionary
words or passwords known from prior breaches.
• Password Age: A maximum password age limits how long a compromised
password remains usable; it does not make the password itself stronger.
Current guidance (NIST SP 800-63B) favors changing a password when
compromise is suspected rather than on a fixed schedule.
• Password Reuse: Previously used passwords should not be reused.

„ Access Control Lists: A list of users and applications and the rights
granted to each on a resource (create or write access, read-only access,
update access, and delete permission).
„ Personnel Changes: Controls implemented when individuals are
onboarded, promoted, or discharged.
„ Network Security: A firewall filters traffic entering and leaving an
organization's network according to a rule set, blocking connections that
policy does not permit.
„ Vulnerability Controls: Controls that reduce the attack surface and
remove known weaknesses before they can be exploited.
• Hardening: Turning off features, services, and accounts that are not
needed during operations.
• Patch Management: Applying vendor fixes (patches) to known
vulnerabilities, on a tracked schedule, before they are exploited.
• Anti-Malware Programs: Software that monitors systems for, identifies,
and blocks malicious code.

„ Data Encryption: Use of a key to transform a readable message
(plaintext) into an unreadable one (ciphertext). With symmetric encryption
the recipient decrypts with the same shared key; with asymmetric
(public-key) encryption the sender encrypts with the recipient's public
key and only the matching private key can decrypt the ciphered message.
„ Digital Certificates: Electronic documents that bind a public key to the
identity of its owner and are digitally signed by a trusted certificate
authority, so that a recipient can trust the key before relying on it.
„ Digital Signatures vs. E-Signatures: A digital signature is computed
over a hash of the document with the signer's private key and verified
with the signer's public key; it proves who signed and that the content
has not changed since signing, and so supports legally binding electronic
documents. An e-signature is an electronic mark of intent to sign, such as
a cursive-style imprint of an individual's name applied to an electronic
document, and by itself carries no cryptographic proof of origin or
integrity.

4.2 Physical Controls


Physical controls deter unauthorized access, monitor facilities, and control
the workplace environment that houses IT assets. They include:

„ Locked doors requiring keys, access cards, pass codes, or biometric
scanners.
„ Secure pass-throughs called mantraps.

„ Physical obstructions such as fencing and barricades.
„ Security systems connected to local law enforcement.
„ Monitoring safeguards such as security guards and cameras.
„ Illumination measures such as additional lighting or sensor-triggered
lighting.

4.3 Segregation of Duties


Segregation of duties reduces opportunities for anyone to both perpetrate
and conceal errors or fraud. The following are examples of roles that
should be performed by different employees.

„ System Analysts vs. Computer Programmers: System analysts design an
information system to meet user needs, whereas computer programmers use
that design to create the system by writing computer programs. If one
person both designs the system and writes its code, no independent party
checks the implementation against the design, and that person could build
in unauthorized functions that bypass security controls and divert
organizational information or assets.
„ Security Administrators vs. Computer Operators and Computer
Programmers: Security administrators are responsible for assigning
and restricting access to systems, applications, or databases to
the appropriate personnel. If the security administrator were also
a programmer or operator for that system, that individual could grant
himself or herself access to unauthorized areas, or give such access to
another person, without any independent approval.
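The access control list and the segregation-of-duties rules above are the kind of thing a periodic access review actually checks. The following is an added example, not part of the Becker text: it evaluates an ACL deny-by-default, lists who holds a sensitive right on each resource, and flags every user holding one of the role combinations the text says must be split. The users, resources, and role assignments are constructed for illustration.

```python
"""Access review: ACL evaluation plus segregation-of-duties (SoD) conflict detection.

Added example, not part of the Becker text. All principals, resources, rights,
and role assignments below are constructed sample data.
"""
from itertools import combinations

# Rights an ACL entry can grant, as named in the text.
RIGHTS = frozenset({"create", "read", "update", "delete"})

# Constructed ACL: resource -> principal -> rights granted.
ACL = {
    "payroll_db": {
        "jsmith":      {"read"},
        "payroll_app": {"create", "read", "update"},
        "dbops":       {"create", "read", "update", "delete"},
    },
    "gl_ledger": {
        "jsmith":  {"read", "update"},
        "auditor": {"read"},
    },
}

# Constructed IT role assignments: user -> roles held.
ROLES = {
    "jsmith": {"systems_analyst"},
    "mchen":  {"programmer", "security_admin"},
    "dbops":  {"computer_operator"},
    "rlee":   {"systems_analyst", "programmer"},
}

# Role pairs the text says must be held by different people.
SOD_CONFLICTS = frozenset({
    frozenset({"systems_analyst", "programmer"}),
    frozenset({"security_admin", "programmer"}),
    frozenset({"security_admin", "computer_operator"}),
})


def is_permitted(acl, resource, principal, right):
    """Deny by default: a right is allowed only if the ACL grants it explicitly."""
    if right not in RIGHTS:
        raise ValueError(f"unknown right: {right!r}")
    return right in acl.get(resource, {}).get(principal, frozenset())


def who_can(acl, resource, right):
    """Sorted principals holding `right` on `resource` (answers 'who can delete this?')."""
    return sorted(p for p, rights in acl.get(resource, {}).items() if right in rights)


def sod_violations(roles, conflicts):
    """Map each user holding a toxic role combination to the conflicting pairs."""
    found = {}
    for user, held in roles.items():
        pairs = [tuple(sorted(pair))
                 for pair in combinations(sorted(held), 2)
                 if frozenset(pair) in conflicts]
        if pairs:
            found[user] = sorted(pairs)
    return found


def access_review_report(acl, roles, conflicts):
    """Lines a reviewer works through: powerful rights per resource, then SoD exceptions."""
    lines = []
    for resource in sorted(acl):
        lines.append(f"{resource}: delete={who_can(acl, resource, 'delete')} "
                     f"update={who_can(acl, resource, 'update')}")
    for user, pairs in sorted(sod_violations(roles, conflicts).items()):
        lines.append(f"SoD conflict: {user} holds {pairs}")
    return lines


if __name__ == "__main__":
    for line in access_review_report(ACL, ROLES, SOD_CONFLICTS):
        print(line)
```

Two design points carry over to real deployments: the permission check never infers a right that is not written down (an absent entry is a denial, not an error), and the conflict table is data rather than code, so the control owner can extend it when the organization adds roles.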

5 Risks and Controls of Critical, Confidential, and Private Information
Critical, confidential, and private information all need to be safeguarded
to ensure that the organization, its employees, its customers, and other
stakeholders are protected appropriately.

„ Critical information is any information that is vital for the organization to
perform its essential functions and achieve its strategic objectives.
„ Confidentiality refers to the efforts to keep information within or about
the organization from being misused or accessed without authorization.
„ Privacy involves the rights of employees and customers to keep their
personal information safe.
„ Organizations must ensure that they have an incident program in
place to address unauthorized access or the theft or misuse of critical,
confidential, or private data.


6 Business Resiliency
„ Business resiliency is the integration of system availability controls, crisis
management, disaster recovery plans, and business continuity plans.
„ System availability controls are activities to prevent system disruptions
and loss of information.
„ Crisis management plans define roles, responsibilities, and procedures
to deal with crisis situations.
„ Disaster recovery plans are plans for restoring and continuing
the information technology function in the event of a disaster. An
organization has three main options for an alternate processing site: a
hot site (fully equipped, with current data, ready to operate within
hours), a warm site (hardware and connectivity in place, but data must be
restored before operations resume), and a cold site (space, power, and
connectivity only, with equipment installed after the disaster).
„ Business continuity plans focus on keeping the business operational
during a disaster.
„ Business resiliency services are offered by companies with specialized
knowledge and resources and include disaster recovery as a service,
backup as a service, and business continuity as a service.

Question 1 MCQ-14526

Which of the following is an example of a physical control?
1. Authentication controls
2. Data encryption
3. Digital certificates
4. Security systems connected to local law enforcement

Question 2 MCQ-14527

What IT risk is defined as the risk of not meeting the requirements of
regulatory bodies?
1. Availability risk
2. Compliance risk
3. Financial risk
4. Strategic risk

Topic C: Process Management

1 Business Process Management


„ Business process management (BPM) promotes continuous
improvement in business processes.

„ There are many generic BPM methodologies, but the most recognized
methods group management activities into five categories: design,
modeling, execution, monitoring, and optimization.

„ Another common BPM methodology is the Deming Cycle, which has


four stages: Plan, Do, Check, Act (PDCA).

„ Performance measures, commonly referred to as key performance
indicators (KPIs), can be financial or nonfinancial, quantitative or
qualitative, and should correlate directly to the managed process to
determine progress toward expectations.

„ Four common categories of KPIs include financial metrics, customer
metrics, internal process metrics, and organizational metrics.

„ Benefits of process management include improved efficiency,
effectiveness, and agility for the organization.

„ Business Process Modeling Notation (BPMN) is a standardized system of
diagrams, symbols, and visuals used to depict business processes. Some
of the most common categories are flow objects (events, activities,
gateways); connecting objects (sequence flows, message flows); and
swim lanes (pools, lanes).

2 Shared Services, Outsourcing, and Offshore Operations
„ The concept of shared services refers to the consolidation of redundant
functions or operations in an organization (or group of affiliates) to
optimize those functions so they can be efficiently shared across the
organization. Although consolidation of redundant services leads to
efficiency, it may result in service flow disruption or failure demand.

„ Outsourcing services involves contracting with a third party to provide
a service. Risks of outsourcing include inferior product or service
quality, lack of control over productivity, language barriers, security of
information, and staff turnover due to labor insecurity.

„ Offshore operations refers to outsourcing services to providers outside
of the country. All outsourcing risks plus lack of control caused by
proximity issues are potential risks.


3 Selecting and Implementing Improvement Initiatives
„ Rational and irrational methods may be used when launching initiatives
to improve company processes.

„ Rational assessments are structured and systematic; irrational methods
are intuitive and emotional.

„ Rational improvement initiatives involve a strategic gap analysis, a
review of competitive priorities, a review of production objectives, and
the selection of an improvement program.

4 Business Process Reengineering


„ Business process reengineering (BPR) seeks radical change by entirely
changing the design and operation of business processes.
„ BPR is different from business process management (BPM). BPM seeks
incremental rather than radical changes.
„ The basic idea behind BPR is to create a fresh start by effectively
“wiping the slate clean” and reassessing the process from the ground
up without referencing existing processes.

Question 1 MCQ-09722

Failure demand is:
1. The concept that some modest amount of failure is allowed in
a manufacturing process because the cost of zero-error-rate is
too high.
2. Demand for a company’s product due to the inferior quality
and subsequent failure of a competitor’s product.
3. Demand for services in a shared-service environment due to
failure to provide quality service to the customer the first time.
4. Demand for parts and supplies inventory to support the
provision of warranty repairs.


5 Management Philosophies and Techniques for Performance Improvement

5.1 Just-in-Time (JIT)


Just-in-time (JIT) management is an ideology of supply chain management
that seeks to deploy resources (inventories) only as they are needed for
production requirements. An item is produced only when it is requested
further downstream in the production cycle. JIT systems serve to make
organizations more efficient and better managed.

JIT assumes that maintaining inventory does not add value. However,
the limitations of JIT may become evident in times of global supply chain
shocks. Shortages of key components in the manufacturing process could
jeopardize production schedules and cause product outages.

5.2 Total Quality Management


Total quality management (TQM) represents an organizational commitment
to customer-focused performance that emphasizes both quality and
continuous improvement.

TQM identifies the following seven critical factors: customer focus
(external and internal), continuous improvement, workforce involvement,
top management support, objective measures, timely recognition, and
ongoing training.

5.2.1 Conformance Costs


Conformance costs are incurred to ensure quality standards are being met
and are classified as either prevention costs or appraisal costs.

„ Appraisal costs are costs incurred to discover and remove defective
parts before shipment. Examples include statistical quality checks,
testing, and inspection.
„ Prevention costs are costs incurred to prevent the production of
defective units. Examples include employee training, redesigning products
and processes, and searching for higher-quality suppliers.

5.2.2 Nonconformance Costs


Nonconformance costs are the costs associated with not conforming to
quality standards and are classified as internal failure costs or external
failure costs.

„ Internal failure costs are necessary to cure a defect discovered before
the product is sent to the customer. Examples include rework labor
costs, scrap, tooling changes, disposal costs, cost of a lost unit, and
downtime.
„ External failure costs are necessary to cure a defect discovered after
the product is sent to the customer. Examples include warranty costs,
costs for returning the good, liability claims, lost customers, and
reengineering.


5.3 Quality Audits and Gap Analysis


„ Quality audits are a technique used to help management assess quality
practices in an organization. This helps identify organizational strengths
and weaknesses and identifies improvement steps that will produce the
greatest long-term and short-term return.
„ A gap analysis determines the difference between industry benchmarks
or best practices and current practices. The main goal of a gap analysis
is to target areas for quality improvement.

5.4 Lean Manufacturing


Lean manufacturing uses only those resources that are necessary to meet
customer requirements or that add value to the production process.

„ The focus is also on waste reduction and efficiency.


„ Kaizen is a pillar of lean manufacturing which refers to continuous
improvement efforts that improve the efficiency and effectiveness of
organizations through greater operational control. Kaizen occurs at the
manufacturing stage, where the ongoing search for cost reductions takes
the form of analysis of production processes to ensure that resource
utilization stays within target costs.

„ An organization may implement process improvements by using activity-
based costing (ABC) and activity-based management (ABM), which are
both compatible with TQM and assist with identifying the costs of value-
added activities as well as the costs of quality.

5.5 Demand Flow Systems


Demand flow systems, or demand flow technology (DFT), reduce waste
by bringing resources into production as they are demanded rather than
as they are scheduled for production. This means production is driven by
customers, not a company’s forecast.

Demand flow blends the efficiencies of JIT with the effectiveness
(customer-focused, value-added) goals of lean manufacturing.

One-piece flow manufacturing moves inventory in a continuous workflow
without stopping at different phases as it does in traditional batch
manufacturing. This eliminates waste and lowers resource downtime.


5.6 Theory of Constraints


The theory of constraints (TOC) states that organizations are impeded
from achieving objectives by the existence of one or more bottlenecks.
Constraints can be internal or external, and require an organization to
consistently work around or leverage the constraint. There are five steps to
applying the TOC:

1. Identification of the constraint

2. Exploitation of the constraint

3. Subordinate everything else to the above decisions

4. Elevate the constraint

5. Return to the first step

5.7 Six Sigma


Six Sigma is a continuous quality-improvement program that strives to
reduce product or service defects to near-zero levels, specifically 3.4
defects per million opportunities (DPMO). In Six Sigma terminology this
defect frequency corresponds to a process whose specification limits sit
six standard deviations (6σ) from the mean.
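Where the 3.4 figure comes from, as an added derivation that is not part of the Becker text: Six Sigma practice assumes the process mean may drift 1.5σ from target over time, so the nearer specification limit is effectively only 4.5σ away. With \(\Phi\) the standard normal distribution function,

\[
\text{DPMO} = 10^{6}\,\bigl(1 - \Phi(4.5)\bigr) \approx 10^{6} \times 3.4 \times 10^{-6} = 3.4 .
\]

Without that shift, a one-sided limit at a true 6σ would give \(10^{6}\,(1 - \Phi(6)) \approx 0.001\) DPMO, which is why a "six sigma" process is quoted at 3.4 rather than 0.001 defects per million.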

Six Sigma uses two five-step processes, one for existing products and the
other for new products.

„ Existing product and business process improvements (DMAIC)
• Define the problem
• Measure key aspects of the current process
• Analyze data
• Improve or optimize current processes
• Control

„ New product or business process development (DMADV)
• Define design goals
• Measure CTQ (critical to quality issues)
• Analyze design alternatives
• Design optimization
• Verify the design


Question 2 MCQ-09721

Jordan Inc. has adopted a new manufacturing management philosophy
that requires that an item is produced only when it is requested
downstream in the production cycle. Jordan has adopted which of
the following?
1. Business process outsourcing
2. Shared services
3. Just-in-time inventory systems
4. DMAIC

