The purpose of this document is to provide you with a list of items that have been updated in the June
2022 Business textbook version (V4.1). All other text is unchanged from V4.0.
Becker students who have a version 4.0 Business textbook may purchase the new version 4.1 textbook
for a nominal cost. Please see the Becker website for more details.
Table of Contents
B6 | All modules | Same | The text of unit B-6 was updated and expanded to include more details and more graphics on the covered topics.
BEC Flash Cards | Various | Same | 23 BEC flash cards were updated for V4.1 in units B-1 (6), B-2 (7), and B-6 (10).
BEC 6
Process Management and Information Technology
Module
1 Process Management
2 IT Governance
1.1 Approaches
Business process management (BPM) is a management approach that seeks to coordinate the
functions of an organization toward an ultimate goal of continuous improvement in customer
satisfaction. Customers may be internal or external to an organization. Process management
seeks effectiveness and efficiency through promotion of innovation, flexibility, and integration
with technology.
Business process management attempts to improve processes continuously. By focusing
on processes, an organization becomes more nimble and responsive than hierarchical
organizations that are managed by function.
1.2 Activities
Business process management activities can be grouped into five categories: design, modeling,
execution, monitoring, and optimization.
Design: The design phase involves the identification of existing processes and
the conceptual design of how processes should function once they have been improved.
The original process is defined as a baseline for current processing.
Modeling: Modeling introduces variables to the conceptual design for what-if analysis.
Various simulations or models are used to determine the targeted or optimal improvement.
Execution: Design changes are implemented and key indicators of success are developed.
Indicators that will show a change to the process (e.g., reduced time, increased customer
contacts, etc.) are determined.
Monitoring: Information is gathered and tracked and compared with expected
performance. Dashboards and other measurement reports are used to monitor the
improvement in real time and apply the data to the model for improvement.
Optimization: Using the monitoring data and the original design, the process manager
continues to refine the process. Improvements are selected and implemented.
Illustration 1 PDCA
Brakes-Only Co. (BOC) manufactures car brakes for each of the big three U.S. automakers.
Over the past several years there has been an increase in the return of new brake systems
by these automakers due primarily to the failure to meet all required design specifications.
In order to reverse this negative trend, the head of production at BOC has implemented
the PDCA approach at the company. In the first quarter of the operating year, he designed
a plan to ensure that all brake specifications are carefully reviewed prior to the production
and shipment processes as well as to improve the communication among internal
departments through enhanced internal reporting.
During the second quarter, the production manager implemented the process (do) at
the company.
At the end of each of the next two operating quarters, the production manager monitored
(check) the effectiveness of the process by comparing year-to-date brake returns with the
prior year.
This process continued the following operating year with BOC achieving a 10 percent
reduction in brake system returns over an 18-month period. To further reduce the number
of brake system returns, the production manager hired a full-time quality control manager.
As part of his ongoing responsibilities, the quality control manager will continue to monitor
(act) the effectiveness of the process and recommend any technological improvements to
the production manager.
1.5 Benefits
The benefits of a studied and systematic approach to process management allow the company
to monitor the degree to which process improvements have been achieved. The benefits often
mentioned for process management are:
Efficiency: Fewer resources are used to accomplish organizational objectives.
Effectiveness: Objectives are accomplished with greater predictability.
Agility: Responses to change are faster and more reliable.
Illustration 2 BPMN
Online discount shoe retailer Nile Shoes is trying to improve its customer experience from
when a customer first orders a pair of shoes to when those shoes are finally delivered to
the customer.
The process starts with a customer placing an order on the website and entering payment
information. That info is sent in real time to the billing department for processing. If
the payment processes successfully then shipping is notified to ship the product and a
confirmation of the sale is sent to the customer, followed by the product. This process is
mapped as follows using BPMN diagramming.
Financial Group Inc. is a financial services company with three distinct lines of businesses
including accounting, tax, and consulting. Currently, each division operates as a separate
company with its own human resources, payroll, and legal departments. In order to more
effectively manage the organization and reduce costs, the new CEO implements a shared
services plan whereby all human resources, payroll, and legal department services will
be consolidated into one centralized function. The CEO thinks that this shared services
approach will eliminate redundant back-office functions and will reduce annual operating
costs by $750,000.
Consolidation of redundant services creates efficiency but might also result in the following issues:
Service Flow Disruption: The consolidation of work to a single location can create waste
in the transition, rework, and duplication as well as increases in the time it takes to deliver
a service.
Failure Demand: The demand for a shared service caused by a failure to do something
or to do something right for a customer is called failure demand. Failure demand results
when a task must be performed for a second time because it was incorrectly performed the
first time.
2.2 Outsourcing
Outsourcing is defined as the contracting of services to an external provider. Examples might
include a payroll service or even a call center to provide support or back-office services for a fee.
A contractual relationship exists between the business and its service provider.
Outsourcing can provide efficiencies, but there are also risks. Those risks include:
Quality Risk: An outsourced product or service might be defective. Suppliers might provide
substandard products or services.
Quality of Service: Poorly designed service agreements may impede the quality of service.
Productivity: Real productivity may be reduced even though service provider employees
are paid less.
Staff Turnover: Experienced and valued staff whose functions have been outsourced may
leave the organization.
Language Skills: Outsourced services may go offshore. Language barriers may reduce the
quality of service.
Security: Security of information with a third party might be compromised.
3.1.1 Irrational
Irrational methods are intuitive and emotional. They lack structure and systematic evaluation.
Irrational methods are based on fashion, fad, or trend. They may result from an immediate need
for cost reduction, and stem from a very short-term viewpoint.
3.1.2 Rational
Rational improvement initiatives are structured and systematic, and involve the following:
Strategic Gap Analysis: External (environmental) assessments and internal (organizational)
assessments performed to help determine the gap between an organization's objectives
and its status quo.
Review of Competitive Priorities: Review of price, quality, and other differentiators
required to have a competitive advantage.
Review of Production Objectives: Review of performance requirements needed to reach
production or service delivery objectives.
Selection of an Improvement Program: Decide how to proceed for improvement based
on the organization's objectives.
Business process reengineering (BPR) refers to techniques that organizations can implement that
radically reform business processes to achieve strategic objectives, such as improving customer
satisfaction and service, cutting operational costs, and enhancing competitiveness. Development of
sophisticated information technology systems and networks has driven many reengineering efforts.
Business process reengineering is not synonymous with business process management.
Business process management seeks incremental change, and business process reengineering
seeks atypical changes that result in revolutionary shifts in the way a company performs
a process.
5.1.2 Benefits
The benefits of JIT implementation include:
Synchronization of production scheduling with demand.
Arrival of supplies at regular intervals throughout the production day.
Improved coordination and team approach with suppliers.
More efficient flow of goods between warehouses and production.
Reduced setup time.
Greater efficiency in the use of employees with multiple skills.
The limitations of JIT may be illuminated in times of supply chain shocks. A shortage of even one
key component within a manufacturing process, for example, could put the entire production
schedule at risk and cause product outages. Because of this, some companies are moving away
from JIT-based systems.
Also, many companies realize that inventory does in fact have value. Excess inventory reduces
the negative effects of stockouts, which is the inability of a consumer to purchase a product
in store or online. Stockouts may lead customers to competitors or reduce the likelihood a
customer returns.
Illustration 5 TQM
5.6.1 Constraints
A constraint is anything that impedes the accomplishment of an objective. Constraints for
purposes of TOC are limited in total and, sometimes, organizations may face only one constraint.
Internal Constraints
Internal constraints are evident when the market demands more than the system can produce.
• Equipment may be inefficient or used inefficiently.
• People may lack the necessary skills or mind-set necessary to produce required efficiencies.
• Policies may prevent the efficient use of resources.
External Constraints
External constraints exist when the system produces more than the market requires.
5.6.3 Buffer
The concept of buffers is used throughout TOC. Managers add buffers before and after each
constraint to ensure that enough resources to accommodate the constraint exist. Buffers,
therefore, eliminate the effect of the constraint on work flow.
Advanced Printing Co. purchased several state-of-the-art printing presses in the fourth
quarter of last year. Despite this significant capital investment, the company's year-to-date
production output and costs have not changed. Company management attributes this
production trend to several internal constraints, including a lack of sufficient training
for employees operating the new presses and the fact that the machines were used
inefficiently during the production process.
In order to improve the new machines' productivity and generate a positive return on
capital investment, management will begin scheduling periodic training sessions for
operating them and will hire an outside consultant to determine the most effective way
to maximize productivity. Once the study is completed, each machine line supervisor
will meet with the outside consulting firm to go over the study's results, share ways to
further improve productivity, and provide an effective way to monitor employees' ongoing
production performance. Each Saturday after a weekly production run is completed, every
machine line supervisor will be required to submit a weekly production report to the
production manager, explaining any negative cost and production variances greater than
2 percent from the plan. Management believes that these buffers will eliminate the internal
constraints identified from the current year's operating results.
Question 1 MCQ-03895
IT Governance BEC 6
The role of information technology (IT) in organizations has evolved from a basic support
function and storage tool to a vital asset used in virtually all business processes. This evolution
has required organizations to develop new or modify existing IT governance policies to align IT
infrastructure with organizational strategies and goals.
A robust IT governance framework can help achieve this goal by providing a clear understanding of
all stakeholders and key functions involved, including people, processes, technology, performance
metrics, risk management, IT department operations, and the benefits that result from IT initiatives.
Availability: Systems and data must be available to users, have proper integrity, be in a
usable format, and be secure. While security may be a high priority, information must not be
secured in a way that creates unnecessary hurdles for those who need it.
Architecture: Job roles, IT applications, and the hardware supporting them should be
designed to enable the fulfillment of governance objectives.
Metadata: Data describing other data, known as metadata or data dictionaries, must be
robust in terms of the breadth and specificity. Vague or incomplete metadata may result in
the misuse of data or lead to improper business decisions.
Policy: IT governance policies should be in place to help companies translate management
and governance objectives into practice.
Quality: Data integrity and quality are crucial to ensure basic standards are met so there
are no anomalies, such as missing values, duplicate values, transposed values (phone
numbers in the address field), or mismatched records (e.g., Jane Doe's address is listed as
John Smith's address).
Regulatory Compliance and Privacy: Information collected, used, and stored by an
organization that is considered personally identifiable information (PII), personal health
information (PHI), or is otherwise subject to regulatory constraints, should be secured by
policies designed to ensure that the use of the data does not violate company policies or
privacy laws, such as the California Consumer Privacy Act (CCPA); General Data Protection
Regulation (GDPR); or the Health Information Portability and Accountability Act (HIPAA).
Security: IT governance strategy should include the secure preservation, storage, and
transmission of data by authorized system users in a way that safeguards an organization's
IT infrastructure.
Spinal Surgery Clinic (SSC) P.A., a large group of physicians focusing on spinal surgery,
recently had an outside firm perform an IT audit as recommended by SSC's board of
directors. The findings resulted in recommendations that followed the COSO Internal
Control—Integrated Framework principles 11, 13, and 14. As such, SSC invested in new
technology that required user identities to be verified by multiple points of validation
other than just a password in order to access patient accounts (in line with principle 11).
Additionally, SSC adopted a state-of-the-art data cleansing system in an effort to acquire
and use error‑free data to enhance patient outcomes, which aligned with principle 13.
Lastly, to address principle 14, SSC began performing regular reviews of key IT functions
and started issuing monthly reports of internal control to the board of directors.
2.1.2 ISACA's Control Objectives for Information and Related Technology (COBIT) Framework
The Information Systems Audit and Control Association (ISACA) is a not-for-profit organization
that was formed to help companies and technology professionals manage, optimize, and protect
information technology (IT) assets. To accomplish this, ISACA created the Control Objectives
for Information and Related Technology (COBIT) framework, which provides a road map that
organizations can use to implement best practices for IT governance and management.
Governance Stakeholders
• COBIT distinguishes between governance and management, recognizing them as
two unique disciplines that exist for different reasons and require different sets of
organizational resources. Organizational governance is typically the responsibility of a
company's board of directors, consisting of a chairperson and focused organizational
structures (e.g., audit committee, executive committee, marketing committee).
• Management is responsible for the daily planning and administration of company
operations, generally consisting of a chief executive officer (CEO), chief financial officer
(CFO), chief operations officer (COO), and other executive leaders. Management is
selected and guided by the board of directors.
• Governance and management each have their own objectives, which are grouped
into five domains. Governance objectives are all in a single domain that is centered
on evaluating, directing, and monitoring. Management objectives are grouped into
four domains that focus on supporting activities, integrating IT solutions into business
processes, delivering IT services in a secure fashion, and monitoring performance of IT
tasks with internal targets.
2.1.3 Information Technology Infrastructure Library (ITIL) Framework
The Information Technology Infrastructure Library (ITIL) is a framework originally created by the
British government that evolved into a joint venture between the government and the private
firm Axelos. It is now a globally recognized IT governance framework that is more focused on the
delivery of IT services across the following four domains:
Organizations and People: This domain focuses on developing excellence in labor
practices, morale, communication methods, and systems of authority.
Information and Technology: This domain covers the IT resources required to deliver
products and services, which include the data, hardware and software, and the relationship
between those components.
Partners and Suppliers: This dimension focuses on the role of third parties in IT service
delivery and their relationship with the organization. The scope includes continuous
improvement through supplier integration and partner strategy in designing, developing,
and deploying IT services.
Value Streams and Processes: This domain encompasses the way in which separate parts
of a business work together to deliver products and services, and create value for consumers.
IT governance practices that are aligned with an organization's strategic goals and objectives will
empower IT resources so that the company effectively achieves those targeted results. The goals
and objectives of an organization are manifested in its overall vision and strategy.
3.1 Vision
A company's vision represents its aspirations and goals, and its strategy is what helps
the company reach those goals. These goals are typically described in a vision statement.
Accordingly, a company's IT governance policies should be designed in a way that facilitates the
achievement of that vision.
Privacy Analytics Inc., a digital marketing firm, established the following vision statement:
Our organization strives to provide accurate and up-to-date customer insights using data
in a way that honors consumer privacy but delivers top-notch results to our clients.
The organization would then structure its IT governance practices so that this vision is
achieved. As an example, the company could structure its consumer collection algorithms
in a way that identifies personal or sensitive consumer information and filters it so that
it is never collected and stored from the original source data. Another option would be
to separate employees with access to sensitive consumer data from those designing
the marketing campaigns, so there is no bias or discrimination built into targeted
marketing efforts.
3.3 IT Strategy
IT architecture design can have a significant effect on how a company executes its corporate
strategy. As such, aligning IT strategy with corporate strategy objectives will optimize an
organization's efforts in achieving those objectives. Documentation of this strategy and
architecture will give management a strong understanding of the company's capabilities which,
in turn, will play a key role in defining the activities in which the organization should engage. The
following IT factors may impact a company's corporate strategy:
To execute and maintain effective IT governance practices over time, an organization requires
recurring input and participation from top leadership, middle managers, IT staff, end users, and
external stakeholders. Another part of a well-functioning IT governance structure is having the
right policies and procedures in place so that governance continues to remain relevant, provide
oversight, and align with organizational goals.
4.1 People
The people within an organization are the decision makers and drivers of the way IT governance
is structured. The involvement of leaders and members at all levels of an organization is
necessary for IT governance to be executed effectively.
The CEO of Lynn Financial Services, a large brokerage firm, sent a memo to management
and all employees concerning a new software application that will be implemented
for added security. The CEO noted that one of the key objectives of the firm is keeping
customers' information confidential and secure. As a result, the organization now
requires that all customer information be transmitted or stored using a
new encryption-based software application and that all employees be enrolled in a
training program to ensure the software rollout is effective.
4.1.5 Accountants
Accountants play an important role in IT governance because much of the data they handle is
confidential in nature, including banking and financial records, sensitive employee records, and
patient or customer files. This means that accounting activities are some of the most important
to which governance principles should be applied. Accountants may also play a role in designing
new IT systems and governance processes including the following:
Stewards of Accounting Information Systems (AIS): As the primary user of AIS software,
accountants understand their information needs the best and thus, provide input to system
developers so that IT governance best practices are implemented while also providing
maximum application versatility.
Members of Project Development Teams: Participating in a project development team or
an information systems steering committee strategically places accountants in a role that
allows them to be involved in ongoing system development as it is being programmed in
real time, as opposed to providing one‑time input.
Testers: As high IT-system utilizers, accountants may be appointed to periodically test
certain systems to verify that controls are implemented and functioning properly. This
feedback is then communicated to the project development team to incorporate into
revisions of software in production or unreleased prototypes.
The BIA will identify how quickly essential business units and/or processes can return to full
operation following a disaster. The BIA will also identify the resources required to resume
business operations. For example, a specific department may utilize custom hardware/software,
operate in locations with challenging geographic or weather conditions, or there may be a
dependence on third-party vendors.
The objectives of a BIA are as follows:
Estimate the quantitative or financial impact to the organization, assuming a worst‑case
scenario.
Estimate the qualitative impact to the organization and the effect it could have on
operations, assuming a worst-case scenario.
Identify the organization's business unit processes and the estimated recovery time frame.
5.2.1 Impact
Impact analysis helps determine the criteria for categorizing the list of information resources
as high, moderate, or low related to the effect on day-to-day operations. Criteria include
characteristics such as how critical the asset is to business operations, costs of a failure,
publicity, and any potential legal or ethical issues. Resources can be categorized as follows:
High Impact (H)
Under a high-impact category, the department:
• cannot operate without this resource;
• may experience a high recovery cost; or
• may fail to meet the organization's objectives or maintain its reputation.
Moderate Impact (M)
Under a medium-impact category, the department:
• could partially function temporarily for a period of days or a week;
• may experience some cost of recovery; or
• may fail to meet the organization's objectives or maintain its reputation.
Low Impact (L)
Under a low-impact category, the department:
• could operate for an extended period of time; or
• may notice an effect on achieving the organization's objectives or maintaining its reputation.
5.2.2 Likelihood
Within the business impact analysis, risks can also be categorized in terms of their likelihood of
occurrence. These probabilities can be categorized as follows:
High Likelihood (H)
The risk is highly probable, has occurred recently, can occur frequently, or controls to
prevent it are ineffective.
Medium Likelihood (M)
The risk could occur, but controls are in place that may impede successful exercise of the
vulnerability.
Low Likelihood (L)
The risk is improbable, or controls are in place to prevent or significantly impede successful
exercise of the vulnerability.
Modern Computing Inc., a large managed services firm, has decided to run a business
impact analysis as part of its IT governance process. Because it is an IT firm selling virtually
hosted solutions, two resources it has identified as being high impact are its core data
servers and backup data servers. Two threats that exist to these large assets are the
threat of overheating, which has been categorized as a high-likelihood event, and damage
from an earthquake because it is located on a fault line, which has been categorized as a
low‑likelihood event.
Because the impact for these resources is high and at least one threat has a high likelihood,
the risk action has been denoted as high action. One recommendation is to relocate its
backup servers to a small, unused office at its other location, which is not in a seismic
hazard zone. While the office is not big enough for both the core servers and backup
servers, this will mitigate risk through preventative measures. A new air-conditioning unit
for both locations is also appropriate to prevent overheating.
Neither transferring nor accepting the risk would be reasonable in this case because a
prolonged outage would leave all of its customers without networking capabilities. This
would likely result in high customer attrition rates, putting the business' ability to continue
to operate and generate revenue at risk.
Question 1 MCQ-06442
The Role of IT in Business BEC 6
2 IT Infrastructure
The supporting IT architecture within most modern companies has multiple, interconnected
technological components, with the core infrastructure involving a combination of on-premise
and outsourced hardware, software, and specialized personnel. These IT assets strategically
interlace, enabling a network to operate with optimum efficiency.
2.1 Hardware
Organizations designing their IT infrastructure must decide what hardware will be utilized to
conduct business. The physical components of computers and computer-related accessories are
referred to as computer hardware (or just hardware). Hardware includes a wide array of internal
computer components as well as external peripheral devices.
2.2.1 Modem
Modems connect an organization's network to the internet. Early modems were referred to as
modulators-demodulators because they utilized landline phones and converted analog signals
to digital signals. Modern modems have replaced traditional ones with digital broadband
technology like cable modems, digital subscriber lines (DSL), and integrated services digital
network (ISDN).
2.2.2 Routers
Routers manage network traffic by connecting devices to form a network. They read the source
and destination fields in information packets to determine the most efficient path through the
network for the packet to travel. They also act as a link between a modem and the organization's
switches. If there are no switches, then the router will connect directly to a user's device.
2.2.3 Switches
Switches are similar to routers in that they connect and divide devices within a computer
network. However, switches do not perform as many advanced functions as a router, such as
assigning IP addresses. The same way a traditional power strip converts one electrical outlet
into multiple outlets, a network switch can turn one network jack into several network jacks so
multiple devices can share one network connection.
2.2.4 Gateway
A gateway is a computer or device that acts as an intermediary between different networks. It
transforms data from one protocol into another so that information can flow between networks.
A protocol is a rule or set of rules that governs the way in which information is transmitted, with
one of the most common protocols being that which is used for the internet, known as TCP/IP
(transmission control protocol/internet protocol). A gateway interprets these differing protocols
and converts them into the appropriate format to facilitate network movement, usually between
a company's network and the internet.
2.2.5 Servers
Servers are physical or virtual machines that coordinate the computers, programs and data that
are part of the network. Most business networks use a client/server model in which the client
sends a request to the server and it provides a response or executes some action. There are
various types of servers, including Web servers, file servers, print servers, and database servers.
2.2.6 Firewall
Firewalls are software applications or hardware devices that protect a person's or a company's
network traffic by filtering it through security protocols with predefined rules. For companies,
these rules may be aligned with company policies and access guidelines. Firewalls are intended
to prevent unauthorized access into the organization, block malicious programs or code, and to
prevent employees from downloading malicious programs or accessing restricted sites.
Basic packet-filtering firewalls work by analyzing network traffic that is transmitted in packets
and determining whether the firewall is configured to accept the data. If not, the firewall
blocks the packet. Firewalls can be set to only allow trusted sources (IP addresses) to transmit
across the network. Types of firewalls include:
Circuit-Level Gateways: Control traffic solely based on the source of origin, the
intended destination, the port (such as HTTP or FTP), and potentially some other very basic
information about a given session. A session is when a user from behind a firewall attempts
to access something outside the firewall. This type of gateway does not filter based on the
actual content, so a disadvantage is that any type of data that is requested will be allowed
through the firewall unless it is combined with some other filter.
Application-Level Gateways: Also referred to as proxy firewalls, these firewalls typically
perform the same function as circuit-level gateways, but they also inspect and filter the
contents of the packet based on predefined rules. Application-level gateways can be
expensive and burdensome to an organization's network due to the amount of processing
required for these firewalls to function.
Stateful Multilayer Inspection Firewalls: Combine the features of circuit-level and
application-level gateways, but also ensure that packets are validated at multiple layers of
the communication process through which those packets pass.
Next-Generation Firewalls: Provide more advanced protection than stateful multilayer
inspection. In addition to observing packets at multiple layers of the communication
process, next-gen firewalls further protect a network by applying more scrutiny to those
packets using more sophisticated techniques such as intrusion detection, user identification,
virtual private networks, and "deep packet inspection." Next-gen firewalls can also assign
different rules to specific applications as well as users. In this way, a low-threat application
has more permissive rules assigned to it while a high-security application may have highly
restrictive rules assigned.
Network Address Translation (NAT) Firewalls: Converts a group of private IP addresses
into a single public IP address prior to communicating with other devices outside of a
company's network. Every device that connects to a private or public network, like the
internet, is assigned an IP address so it can communicate with other devices and networks
using those addresses. By masking the addresses inside a private network, it is more
difficult for threats to reach any machine directly, providing an extra layer of security.
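The contrast between these firewall types is easier to see when the same traffic is run through each one. The following Python sketch is an added example, not part of the textbook: it models a circuit-level gateway, an application-level gateway, and a simplified NAT table, and all addresses, ports, and blocked patterns in it are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    src_port: int
    dst: str
    dst_port: int
    payload: bytes = b""


# Constructed policy values (assumptions for this example only).
TRUSTED_SOURCES = [ip_network("10.20.0.0/16")]   # internal users
ALLOWED_DST_PORTS = {80, 443}                    # HTTP and HTTPS; FTP (21) is refused
BLOCKED_PATTERNS = [b"Host: restricted.example", b"CONSTRUCTED-MALWARE-MARKER"]
PUBLIC_IP = "203.0.113.10"                       # documentation address range


def circuit_level_allows(pkt: Packet) -> bool:
    """Decide from session facts only (source and port); content is never read."""
    src_ok = any(ip_address(pkt.src) in net for net in TRUSTED_SOURCES)
    return src_ok and pkt.dst_port in ALLOWED_DST_PORTS


def application_level_allows(pkt: Packet) -> bool:
    """Apply the same session check, then inspect the payload against rules."""
    if not circuit_level_allows(pkt):
        return False
    return not any(pattern in pkt.payload for pattern in BLOCKED_PATTERNS)


class Nat:
    """Map many private (ip, port) pairs onto one public IP.

    Simplified: a real NAT device also tracks the remote endpoint and
    expires idle mappings.
    """

    def __init__(self, public_ip: str, first_port: int = 50000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}    # (private ip, private port) -> public port
        self.back = {}   # public port -> (private ip, private port)

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src, pkt.src_port)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.out[key], pkt.dst, pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet):
        """Rewrite a reply to the private host, or return None if unsolicited."""
        key = self.back.get(pkt.dst_port) if pkt.dst == self.public_ip else None
        if key is None:
            return None
        return Packet(pkt.src, pkt.src_port, key[0], key[1], pkt.payload)


def evaluate_samples() -> dict:
    """Return (circuit-level verdict, application-level verdict) per sample."""
    samples = {
        "allowed_site": Packet("10.20.1.5", 40001, "198.51.100.7", 443,
                               b"GET / HTTP/1.1\r\nHost: app.example\r\n\r\n"),
        "restricted_site": Packet("10.20.1.6", 40002, "198.51.100.8", 80,
                                  b"GET / HTTP/1.1\r\nHost: restricted.example\r\n\r\n"),
        "ftp": Packet("10.20.1.5", 40003, "198.51.100.7", 21),
        "untrusted_source": Packet("192.0.2.44", 40004, "198.51.100.7", 443),
    }
    return {name: (circuit_level_allows(p), application_level_allows(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdicts in evaluate_samples().items():
        print(f"{name:17} circuit={verdicts[0]!s:5} application={verdicts[1]}")
    nat = Nat(PUBLIC_IP)
    print(nat.outbound(Packet("10.20.1.5", 40001, "198.51.100.7", 443)))
```

The restricted-site request passes the circuit-level check and is stopped only by content inspection, which is the disadvantage of circuit-level gateways noted above.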
The following diagram depicts the functionality and way in which different network devices
support an organization's IT infrastructure.
2.3 Software
Software consists of the applications, procedures, or programs that provide instructions for a
computer to execute. Software is controlled by a user interacting with the program, which in
turn gives instructions to the physical computer's operating system.
Software that is embedded in hardware that instructs the hardware how to operate is known
as firmware. It operates like software but exists locally on the machine directing the function of
physical components, such as the motherboard and microprocessor. Firmware is updated
infrequently, or not at all, which is very different from how often a typical software program is
updated.
2.4 Networks
A network is a group of computers and other machines that are interconnected electronically
using a series of networking devices (i.e., routers, switches) so that one group of users may
securely share resources.
Networks can be wired or wireless and use a variety of hardware to enable connectivity.
Common types of networks include:
Local Area Networks (LANs) provide network access to a limited geographic area such as
a home or office. This is controlled by software-defined networking (SDN) applications and
uses a private IT infrastructure so that data is transported over private lines.
Wide-Area Networks (WANs) provide network access to a larger geographic area such as
cities, regions, or countries. WANs connect other networks such as LANs together to provide
broad coverage by also using an SDN. The network hardware may be a combination of
public and private lines, with configuration being distributed across the various locations.
Software-Defined Wide-Area Networks (SD-WAN) are similar to a traditional WAN,
but they are managed and deployed on the cloud (the internet) using a centralized
software application. Maintaining networking equipment, the lines that connect it, and
other expensive infrastructure components is minimized with this technology. SD-WAN is
essentially a network running on another network.
Edge-enabled devices, such as edge routers and firewalls, support an organization at "the
edge" or perimeter of a system's network. Instead of a centralized data center performing
the heavy lifting, much of the computer processing power is happening on local devices
spread across geographical locations. Less reliance on a central source means a faster,
more consistent network. SD-WAN runs on edge-enabled devices.
Virtual private networks (VPNs) are encrypted private networks that run on a public
network, namely the internet. User activity and device IP addresses are hidden, assuming
the identity of the VPN servers. Third parties can no longer see individual user traffic, which
provides a layer of security for organizations.
Fast Corp. currently has a decades-old legacy network that is protected with only a basic
packet-filtering firewall, and Fast is looking to upgrade both the efficiency and security
of the network. Fast has 30 locations across the west and midwestern part of the United
States, and its employees use a combination of hosted applications and cloud-based
applications on the Web. Therefore, employees regularly interact with apps outside the
company's network.
The company needs a solution with a larger footprint than just a LAN due to the way
the company is spread geographically. A WAN could be an option, but rather than use a
combination of expensive network equipment and publicly available infrastructure, the
company opts for an SD-WAN architecture. Fast purchases 30 edge-enabled devices for
each of its locations that it will connect to the internet and be controlled by centralized SD-WAN
orchestration software. As such, the majority of computer processing will occur locally
on the edge devices instead of at a central hub, improving network efficiency and resiliency
if something happens to a single site.
Regarding potential security updates, the connection between these network edge devices
will all be securely encrypted. However, Fast wants to move well beyond encryption
and basic packet-filtering. It decides to implement a next-generation firewall with NAT
capabilities. This way, the company filters traffic using basic session-level information and
the content of the packets being transmitted across multiple layers of communication.
Also, all private IP addresses will be converted into a single public IP address prior to
communicating with applications outside the network.
Management information systems (MIS) enable companies to use data as part of their strategic
planning process as well as the tactical execution of that strategy. Management information
systems often have subsystems, such as accounting information systems (AIS), decision support
systems (DSS), and executive information systems (EIS).
A management information system provides users predefined reports that support effective
business decisions. MIS reports may provide feedback on daily operations and financial and
nonfinancial information to support both internal and external business decisions.
[Figure: accounting information system flow; labels: Source document (invoice, time card); Journal; Ledger; Trial balance; Financial statements reports; Store file; File original source document]
Examples of a DSS include systems that assist with production planning, revenue
forecasting, inventory control, bid preparation, revenue optimization, traffic planning, and
capital investment planning.
A college or university may utilize a DSS to help optimize the enrollment and tuition mix
by allowing the user employee to model different levels of enrollment and profitability
based on the number of scholarships offered, the amount awarded of those scholarships,
and expected student profiles (standardized test scores, GPAs, number and type of
extracurricular activities, etc.). The DSS uses historical data and past profitability levels to
help model different "what if" scenarios so the university can make the best choice. The
DSS software also has an AI bot that proposes suggestions to the user to consider different
variables during the decision-making process.
Pass Key
An AIS differs from a DSS and an EIS due to the high degree of precision and detail required
for accounting purposes (i.e., transaction processing). Data in an AIS is often processed
and aggregated to become inputs to a DSS and an EIS to enable management to make
data‑driven decisions.
Customer relationship management systems (CRMs) have become strategic drivers for
organizations. A CRM system is software that enables organizations to monitor and manage
interactions between the organization and its past, current, and potential customers.
Illustration 4 CRM
Online shopping has been greatly enhanced by CRMs. When a customer creates an account
with an organization, the organization tracks information about that customer and shopping
preferences. CRMs allow organizations to help in the shopping experience by making real-time
product recommendations based on the customer's past shopping experiences and
shopping experiences of similar customers. A CRM also offers live support in the form of
real-time online chat features with customer support representatives who have access to the
customer's account to better serve his or her needs and anticipate problems.
Illustration 5 ERP
A surgical hospital has consistently been unprofitable over the last few years but is
unable to determine the root cause. Labor accounts for most of the company's expense
but the cost of delivering treatment per patient is difficult to determine because its
accounting system, human resources system, and electronic health care records system
are all separate. The organization decided to subscribe to a cloud-based ERP system that
will link the data from all three systems into a single database and provide reporting.
This would allow the company to directly link all employees' job roles and costs to each
service that is delivered, helping to analyze profitability issues and make more informed
business decisions.
3.10 E-Commerce
Electronic commerce (commonly referred to as "e-commerce") platforms facilitate the sale of
goods and services using the internet.
The benefits of e-commerce are that it removes overhead costs, creates markets that might
not exist otherwise, promotes competitive pricing, allows for product comparison more quickly,
and provides parity in information among market participants. These benefits do come with the
drawback of lag times in shipping for physical products, system vulnerability, potential theft of
personal or financial information, and often there is less human customer support available.
The customer requests the transferring bank to move money to the receiving bank. The
transferring bank submits this request to a Federal Reserve bank that has a master database of
both banks' account balances. The Fed bank adjusts the balances in its database and notifies the
receiving bank, which then updates its records to successfully complete the funds transfer.
EFT services are also provided by third-party vendors, typically credit or debit card payment
processors, which act as an intermediary between a company and the banking system. When a
person makes a purchase at a store, that company initiates the transaction using a gateway that
routes the payment request to the company's bank, also referred to as the acquiring bank. The
acquiring bank submits the transaction to the third-party network, which acts as a clearinghouse
validating the transaction. The third-party network then sends net settlement amounts to the
issuing bank, which then settles directly with the acquiring bank or the Federal Reserve system
for the transfer of actual cash. The net settlement amount is the total amount that should be
transferred from the issuing bank to the acquiring bank.
The following shows how this process works:
The use of digital payments has continued to evolve and allow users to transfer funds directly to
each other without the use of a clearinghouse or bank. Several of these emerging technologies
gaining acceptance are based on blockchain technology. Blockchain networks use a distributed
ledger to account for transactions in digital currencies, rather than a traditional accounting
ledger where the ledger is located within a single company.
Decision Support System (DSS) | Interactive tools supporting decision making; may leverage AI or scenario modeling | Potentially all employees
Inventory Management Systems | Assists with the tracking, purchasing, and distribution of inventory from point-of-sale to delivery | Managers, employees handling goods for sale
Supply Chain Management (SCM) System | Unifies supply chain processes beginning with suppliers and ending with the customer | Vendors, shipping/purchasing personnel, customers
E-Commerce | Platforms that facilitate the sale of goods and services via the internet (B2B, B2C, C2B, C2C) | Businesses, consumers, government employees
Some organizations need IT resources beyond what their internal IT infrastructure can offer,
so they utilize third-party external service providers. This strategy is known as IT outsourcing
and may utilize a variety of IT solutions, including cloud computing, virtualization, and
application service providers. The range of services outsourced can include application
software, virtual hardware, data entry, data storage, data management, disaster recovery, and
network management. There are many advantages to IT outsourcing; however, there are also
disadvantages and risks.
4.5.1 SOC 1®
Governed by the Statement on Standards for Attestation Engagements (SSAE) 18, the objective
of SOC 1® reports is to provide assurance that the service organization's controls are designed
and operating effectively so that the financial statements are not negatively impacted. The use of
SOC 1® reports assists in mitigating the inherent risks in outsourcing IT functions.
Two types of SOC 1® reports are provided by service organizations (as provided by the AICPA):
The Type 1 report focuses on the fairness of the presentation of management's description
of the service organization's system and the suitability of the design of the controls to
achieve the related control objectives included in the description as of a specified date.
The Type 2 report focuses on the fairness of the presentation of management's description
of the service organization's system and the suitability of the design and operating
effectiveness of the controls to achieve the related control objectives included in the
description throughout a specified period. The key difference from Type 1 is the time
period over which the attestation is made.
Wyatt Co., a financial advising company, utilizes a third-party service provider named
Database Inc. to process its sales contracts and store information about its clients. Wyatt
Co.'s auditors want to ensure that the controls in place at Database Inc. are designed and
operating effectively because control deficiencies at Database Inc. would negatively affect
Wyatt Co. and its clients. Wyatt Co.'s auditors gain comfort by obtaining and reviewing
the attestation to fairness of the controls and their operations within the System and
Organization Controls (SOC 1®) Type 2 report because it gives them assurance that this has
been in place over the last six months.
4.5.2 SOC 2®
A SOC 2® report is also governed by SSAE 18 but is for users who need attestation concerning
controls as they relate to security, processing integrity, availability, and privacy. These reports
are important for vendor management, oversight of a company, risk management, corporate
governance, and regulatory oversight.
SOC 2® reports also have two types:
Type 1 is a report of management's explanation or description of a given service company's
system as well as the suitability of control design as of a single point in time.
Type 2 is also a report of management's explanation or description of a company's control
design and its operating effectiveness of internal controls over a period of time, with the key
difference being the time period of attestation, similar to SOC 1® Types 1 and 2.
4.5.3 SOC 3®
SOC 3® reports are also for users who need attestation concerning controls as they relate to
security, processing integrity, availability, and privacy. However, this report is for companies that
do not have the knowledge required to make an effective use of a SOC 2® report.
Question 1 MCQ-03682
Which of the following is usually a benefit of using electronic funds transfer for
international cash transactions?
a. Improvement of the audit trail for cash receipts and disbursements
b. Creation of self-monitoring access controls
c. Reduction of the frequency of data entry errors
d. Off-site storage of source documents for cash transactions
Question 2 MCQ-07012
Data Management
and Analytics BEC 6
Due to advances and rapid changes in technology, the type and volume of data being created
have increased at rates never before seen. These increases provide both challenges and
opportunities for individuals, governments, and companies alike. To leverage the power of
this data, companies must first identify a data point, then capture it, store it, protect it, and
eventually dispose of it, if appropriate.
Huber, a large manufacturing company, regularly collects multiple data points on all of its
wholesale clients as a part of its standard contracting and credit check process, including
estimated annual order size and budget, annual sales, and retail locations. Once under
contract, Huber establishes direct connectivity with most of its clients' point-of-sale system.
This allows Huber to align its production schedule with client orders to minimize inventory
and optimize production. In the process, Huber also passively collects other data points
about end-customer transactions in its clients' stores, including payment method used,
time of purchase, and location of purchase. There are two streams of data that have
untapped value for Huber.
The first stream is the client data captured in the contracting process. Whereas the volume
and velocity are low (only captured periodically as new clients are onboarded), the veracity
and value are high. Veracity is high because data is of good quality due to credit checks
performed to confirm accuracy. Value is high because the intelligence that could be
extracted from this data is significant.
The second stream is the passive data collected on end-customer transactions. Both the
volume and velocity are high because of the massive number of individual transactions
continuously occurring. The quality of data is good because it is in real time, making
veracity high. The variety would be minimal as the type of transaction would be fixed, so
the data format/type will be limited. The potential value is very high to Huber because it
can determine which products are purchased using a credit card versus cash or debit card.
The time of purchase could also help Huber with optimizing its delivery schedule, making
sure shipments arrive prior to peak purchase times.
Trademarks: words, symbols, phrases, designs, or a combination of these items that are
protected by U.S. laws. An example would be a company emblem, slogan, or image that is
unique enough to qualify for a trademark.
Trade Secrets: confidential information held by a limited group of individuals unique to an
organization that gives it a competitive advantage or commercial value in some way that other
companies do not know. Examples are client lists, formulas, business plans, or methods of
production. These are often protected by nondisclosure agreements, prohibiting a person
with whom a trade secret is shared from replicating the secret or divulging it to others.
A large financial services company wants to better understand its consumer base so it can
tailor promotional offers to specific consumers and increase overall sales. To do this, the
company decides to ask nonessential, self-identifying questions on all loan applications. The
questions seek to identify the following: stock brokerage provider, total value of all investment
accounts, political affiliations, amounts donated to political parties, ethnicity, and gender.
Customers filling out the loan application may feel uncomfortable responding but could
feel forced to comply in order to be approved for a loan. The intent of the organization
may be innocent, but because the information could be used in an unethical manner, the
organization should reconsider its approach.
2 Data Management
Data management is key for every organization. Ensuring that the data is maintained and stored
appropriately is vital to the decision-making process.
2.2.1 Tables
Tables are organizational structures within relational databases that establish columns and rows
to store specific types of data records. For example, a Customer table would be the table where
an entity would store all the organization's customer records.
2.2.4 Fields
A field is space created at the intersection of a column and row in a table in which data is
entered. The information placed inside the field is known as "data values."
2.2.7 Relationships
Relationships result from a link between a primary key in one table and a foreign key in another
table. This link relates the two tables, enabling users to simultaneously retrieve information from
both tables.
[Figure: related database tables; labels: Orders; Shipments; Address; ShipmentDate; DateofBirth; AddressShipping; CreditLine]
When performing data analytics, it is important to understand the extract, transform, and
load process (ETL). Essentially, this is the process in which data is captured from its source and
transferred to an organization's custody so that it can then be further analyzed.
An analyst opens a data file in a spreadsheet and observes that all data points are within
one column but span hundreds of thousands of rows. Each data point is delimited
(separated) by commas. As such, the analyst should transform the data into separate
columns every time a comma appears. Lastly, the analyst would need to review the data for
errors before any real analysis could begin.
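The transform and review steps in this illustration can be scripted. The following Python sketch is an added example, not part of the textbook; the column names and sample rows are constructed. It also shows why splitting "every time a comma appears" needs a real delimited-file parser: a quoted value that contains a comma would otherwise be split into two columns.

```python
import csv
import io
from datetime import datetime
from decimal import Decimal, InvalidOperation

EXPECTED_COLUMNS = ["customer_id", "name", "order_date", "amount"]

# Constructed sample: every record arrives as one comma-delimited string.
SAMPLE_LINES = [
    "customer_id,name,order_date,amount",
    '1001,"Example Supply, Inc.",2022-03-01,1250.00',   # quoted comma in the name
    "1002,Northwind,2022-03-02,980.50",
    "1002,Northwind,2022-03-02,980.50",                 # exact duplicate
    "1003,Acme,2022-13-40,410.00",                      # impossible date
    "1004,Globex,2022-03-05,",                          # missing amount
    "1005,Initech,2022-03-06,75.25,EXTRA",              # too many columns
]
RAW = "\n".join(SAMPLE_LINES) + "\n"


def naive_split(line: str) -> list:
    """Split on every comma, ignoring quoting (shown only for comparison)."""
    return line.split(",")


def transform(raw: str):
    """Split records into columns, convert types, and collect rows that fail review.

    Returns (clean_rows, errors) where errors is a list of (line_number, reason).
    """
    reader = csv.reader(io.StringIO(raw))
    header = next(reader)
    if header != EXPECTED_COLUMNS:
        raise ValueError(f"unexpected header: {header}")

    clean, errors, seen = [], [], set()
    for line_no, fields in enumerate(reader, start=2):
        if len(fields) != len(header):
            errors.append((line_no, f"expected {len(header)} columns, found {len(fields)}"))
            continue
        row = dict(zip(header, fields))
        try:
            row["order_date"] = datetime.strptime(row["order_date"], "%Y-%m-%d").date()
        except ValueError:
            errors.append((line_no, "invalid order_date"))
            continue
        try:
            row["amount"] = Decimal(row["amount"])
        except InvalidOperation:
            errors.append((line_no, "invalid amount"))
            continue
        key = tuple(fields)
        if key in seen:
            errors.append((line_no, "duplicate record"))
            continue
        seen.add(key)
        clean.append(row)
    return clean, errors


if __name__ == "__main__":
    print("naive split of line 2:", naive_split(SAMPLE_LINES[1]))
    rows, problems = transform(RAW)
    print(f"{len(rows)} clean rows")
    for line_no, reason in problems:
        print(f"line {line_no}: {reason}")
```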
Data Mart: A data mart is much like a data warehouse but is more focused on a specific
purpose such as marketing or logistics, and is often a subset of a data warehouse. Different
departments within a company may need tailored data marts to operate more effectively, so
they select highly relevant data points from a data warehouse to create their own data mart.
Data Lake: A data lake is a repository similar to a data warehouse, but it contains both
structured and unstructured data, with data mostly being in its natural or raw format. It
is unique from data warehouses because the structure of the data, also referred to as its
schema, is implemented when the data is first accessed by a user. This contrasts with a
data warehouse, which has a predefined schema that is in place to enable quick processing
and analysis.
[Figure: data repositories; labels: Data Source; Data Lake; Marketing Data Mart; End Users]
4 Data Analytics
Data analytics is the process of taking raw data, identifying trends, and then transforming that
knowledge into insights that can help solve complex business problems. The applications used
to perform analytics can range from simple statistics like sums and averages to more advanced
functions such as statistical modeling or machine learning (self-learning computer algorithms).
Once the ETL process has been performed, data analytics can be utilized for a variety of tasks,
including validation, planning, insights, risk mitigation, and decision support.
[Figure: data analytics; axis label: Value / Complexity]
Classification analysis utilizes already labeled data points and allocates them into similar
groups, which can then be used to make predictions about the future. Classification differs
from regression analysis because it works to predict a category (or class) using predefined
criteria that are based on past activities.
Decision trees are also useful tools in predictive analytics that rely on the probability of outcomes.
These models begin with a single decision node that can have two or more outcomes, then each
successive outcome can have two or more outcomes and when drawn out, it resembles a tree.
5 Data Visualizations
Interpreting insights from Big Data analysis can be challenging but communicating those insights
effectively can be even more difficult. This makes it important to select the right communication
technique. Summarized outputs in the form of tables or statistics are insightful; however,
turning complex data sets into easily read and understood visualizations makes the decision
process more accessible, efficient, and effective for decision makers.
[Figure: Line Chart]
Column Charts: Column charts are effective at showing comparisons. Attributes are
typically listed along the x-axis while values are listed on the y-axis with vertical columns
emanating from each attribute to the appropriate value. Column charts easily show which
attributes are highest and lowest.
Bar charts are exactly the same as column charts, with the x-axis and y-axis values being
switched, causing the vertical columns to become horizontal bars.
[Figure: Bar Chart; axes: Growth rate, Quarter]
Stacked Column Charts: Stacked column charts are similar to column charts; however,
each column is stratified to show additional details. These are very effective when you want
to have total comparisons as well as percentage breakdowns of the whole.
[Figure: Area/Stacked Chart; axes: Revenue (in thousands), Months]
Scatter Plots: Scatter plots demonstrate relationships between two variables, with a marker
(usually a filled circle) at the intersection of the x and y values provided. When using
quantitative data, data can be plotted onto a scatter plot and a simple trendline can be
added as a form of simple regression to provide information on correlation.
[Figure: Scatter Plot; axes: Dollars spent per visit, Dollars spent]
Boxplots: Boxplots are graphical displays that show lower and upper extremes, lower and
upper quartiles, as well as the median data point.
[Figure: Boxplot; axis: Scale]
Dot Plots: A dot plot is a two-dimensional mapping of observances onto a coordinate plane,
with one dimension representing the frequency of observations of the other dimension.
[Figure: Dot Plot; x-axis: Price ($0 to $500,000); y-axis: Frequency]
[Figure: Geographic Map]
Symbol Maps: Symbol maps demonstrate data on a geographic map through the use of
symbols (typically, filled circles) to help users compare and contrast values.
Pie Charts: Pie charts show respective proportions of a whole value and are presented as a
circle representing 100 percent of a value, which is then subdivided into slices representing
a proportional breakdown.
[Figure: Pie Chart; slices: 46%, 23%, 19%, 12%]
[Figure: Pyramid; labels: Knowledge; Information; Data; Facts; Measurement]
Flowcharts: Flowcharts map out a process that has beginning and ending steps and a series
of steps in between. These are commonly used in project management to show different
phases or milestones across a period of time.
[Figure: Flowchart]
Waterfall Chart: Waterfall charts show the cumulative effect of a series of data points that
make up a whole. The presentation is in a cascading form, with each incremental value
contributing to the total of all data points.
[Figure: Waterfall Chart; axes: Profit change %, Time]
Directional Charts: Highlighting key events or milestones over time can be depicted using
directional charts, with the earliest data and event beginning on the left and the ending
event on the right.
[Figure: Directional Charts]
Messages from data can be manipulated by reframing parameters. The tables below show
the exact same data; however, the y-axis in Figure 1 has a minimum value of 0 percent.
The y-axis in Figure 2 has a minimum value set at about 25 percent, emphasizing the
incremental difference between Company X and Company Y's growth in annual revenue.
Figure 2 distorts the difference, which may be misleading for users.
[Figure 1 and Figure 2: Annual revenue growth %]
If pictures are used to represent data, be careful to scale them appropriately. In the
following images, the vertical axis is faithful, and Oscar has eaten twice as much pizza
as Shelly. However, the image of the pizza has been scaled in two dimensions, making it
appear that Oscar has eaten four times as much.
[Figure: two charts of slices of pizza eaten (scale 0 to 5) by Shelly and Oscar]
Question 1 MCQ-14510
An organization has decided to analyze social media postings concerning the industry in
which it operates. The resulting data include text, numbers, images, and videos. Which
category of Big Data best describes these items?
a. Volume
b. Velocity
c. Veracity
d. Variety
Question 2 MCQ-14511
As information technology (IT) equipment reaches the end of its useful life and as technology
advances, organizations update their IT infrastructure over time to keep pace with these shifts
or to be early adopters. These updates may involve upgrading existing software and hardware,
acquiring and changing to new hardware and software, or even developing infrastructure
components in-house. All of these approaches can be effective; however, they come with
potential risks that must be managed and controlled.
The need for change could be driven by many factors including the following:
Existing systems are no longer supported by vendors who provide technical support.
Existing systems are no longer compatible with modern software or hardware.
Advances in technology have resulted in more effective systems being available.
Competitive advantages to be gained through improvements in processes.
Growth or expansion of the organization, requiring more scalable solutions.
Shifts in consumer demand or preferences that require changes in the way
technology performs.
A key component of change management is identifying the potential risks that could arise
as a result of the change. These risks are present in all steps of change from acquisition to
implementation and can affect existing systems, processes, and employees.
Reversion Access: Some changes may cause unexpected complications; therefore, it is important
to have the ability to revert to the prior system or process that existed before the change.
This can be accomplished through parallel implementation in which the organization
maintains two environments at the initial onset of the change, one with the change
implemented (development environment) and one without the change implemented
(production environment).
Pre-implementation Testing: Before moving the change into production, testing will help
determine if the change is functioning properly and there are no irregularities.
Post-implementation Testing: After the change is moved into production, reconciling
transactions processed in the new environment against the same transactions that
were processed in the previous environment will validate whether the change was
implemented properly.
Ongoing Monitoring: Continuous periodic reviews after implementation will promote
long-term success. This may commence at shorter intervals (weekly) but can move to
greater intervals (monthly/quarterly/annually) as the change proves successful over time.
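The post-implementation reconciliation described above can be automated. The following Python sketch is an added example, not part of the textbook; the field names (id, account, amount) and both transaction sets are constructed. It compares the same transactions as processed in the previous and new environments and reports missing, unexpected, altered, and duplicated records along with control totals.

```python
from collections import Counter
from decimal import Decimal

COMPARE_FIELDS = ("account", "amount")

# Constructed sample output from the two environments.
PREVIOUS_RUN = [
    {"id": "T1", "account": "A", "amount": Decimal("100.00")},
    {"id": "T2", "account": "B", "amount": Decimal("250.50")},
    {"id": "T3", "account": "C", "amount": Decimal("75.25")},
    {"id": "T4", "account": "A", "amount": Decimal("10.00")},
]
NEW_RUN = [
    {"id": "T1", "account": "A", "amount": Decimal("100.00")},
    {"id": "T2", "account": "B", "amount": Decimal("250.05")},   # digits transposed
    {"id": "T4", "account": "A", "amount": Decimal("10.00")},
    {"id": "T4", "account": "A", "amount": Decimal("10.00")},    # posted twice
    {"id": "T5", "account": "D", "amount": Decimal("20.00")},    # not in previous run
]


def _index(transactions):
    """Return ({id: first record}, [ids that occur more than once])."""
    counts = Counter(t["id"] for t in transactions)
    duplicates = sorted(tid for tid, n in counts.items() if n > 1)
    by_id = {}
    for t in transactions:
        by_id.setdefault(t["id"], t)
    return by_id, duplicates


def reconcile(previous, new):
    """Compare two runs of the same transactions and summarize every difference."""
    prev, prev_dupes = _index(previous)
    cur, new_dupes = _index(new)

    mismatched = {}
    for tid in sorted(prev.keys() & cur.keys()):
        diffs = {
            field: (prev[tid].get(field), cur[tid].get(field))
            for field in COMPARE_FIELDS
            if prev[tid].get(field) != cur[tid].get(field)
        }
        if diffs:
            mismatched[tid] = diffs

    report = {
        "missing_in_new": sorted(prev.keys() - cur.keys()),
        "unexpected_in_new": sorted(cur.keys() - prev.keys()),
        "mismatched": mismatched,
        "duplicates_in_previous": prev_dupes,
        "duplicates_in_new": new_dupes,
        # Control totals include every posted record, duplicates as well.
        "control_total_previous": sum((t["amount"] for t in previous), Decimal("0")),
        "control_total_new": sum((t["amount"] for t in new), Decimal("0")),
    }
    report["passed"] = (
        not report["missing_in_new"]
        and not report["unexpected_in_new"]
        and not mismatched
        and not prev_dupes
        and not new_dupes
        and report["control_total_previous"] == report["control_total_new"]
    )
    return report


if __name__ == "__main__":
    for key, value in reconcile(PREVIOUS_RUN, NEW_RUN).items():
        print(f"{key}: {value}")
```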
Organizations may acquire a new system or choose to develop a new system in-house. Both
processes have their own risks and concerns but still follow the general systems development
life cycle (SDLC).
The systems development life cycle is a framework that organizes tasks at each phase of
development and use of a business process. There are two strategies for managing the SDLC in
general use today. The first strategy is called the traditional method or the waterfall model. The
second method, called agile development, evolved from the waterfall model.
[Figure: SDLC phases; legible labels: Analyze; 4 Develop; 5 Test]
when the business requirements for the team have been met. The project then passes to the
next team. The following are some challenges associated with the waterfall model:
Requires a great deal of time to complete.
Benefits of the new system are not realized until complete.
There is no customer input and change can be difficult to manage.
Some employees may be idle before beginning or after completing their SDLC step.
5.1.1 Plan
During the planning phase, the organization evaluates the need for a new or improved
information system. Here the organization will establish and compile what business objectives
the information system should achieve as part of the broad overview of the project. Feasibility
analysis is also performed during this step to determine if it is economically, operationally, and
technically feasible to improve or replace the information system.
5.1.2 Analyze
During the analysis phase, information is gathered from all vital stakeholders to
comprehensively compile and analyze all the needs of the end users to establish specific and
detailed goals to be accomplished by the project. This will enable the project team to have a
clear understanding of the system requirements.
Pass Key
In some models, planning and analysis may be combined and called the requirements phase.
Less frequently, "development" is used for "plan and analyze" and "production" is used for
"develop." Regardless of the words used, planning what to build comes before building it.
5.1.3 Design
Using the information gathered during the planning and analysis phases, the project team will
then start designing the system to meet the agreed-upon user needs. The process will start with
high-level conceptual designs usually represented by diagrams to reconcile big-picture goals
and system requirements. Next, the creation of the technical implementation plan occurs as
business requirements are translated into technical design documents. Individual technologies
are evaluated and selected, including logical data organization, physical data storage architecture,
programming languages, integration with third-party services, and/or deployed hardware.
During the design phase, each business requirement is further developed and expanded. For
example, the requirement that "Customers must be able to pay for tickets using local currency
and reserve their selections while payment is verified" is expanded to specify credit cards
accepted for payment, fees charged, and the time line to complete the conceptual design.
Specification of data file formats for transmission to credit card vendors and data warehousing
systems are developed in the logical design phase. Physical design would include any
specialized hardware to comply with payment card industry standards, server hardware, cloud-
based hardware, and workstation software and hardware for developers and programmers.
5.1.4 Develop
The technical implementation plan created in prior phases is executed in the develop step.
Buildings and rooms are prepared, hardware is purchased and delivered, and programmers
create proprietary software to run the company's new product if applicable. The new system
is completely built or improved at this stage and most of the project budget is spent, having
committed dollars to employ experts and purchase assets. Changes to the plan become more
expensive in this stage because each step builds on the prior steps. For example, changes in the
develop stage may not be supported by the original architecture in the design stage or achieve
feasibility as outlined in the plan and analysis phases.
5.1.5 Test
The system is checked for adherence to the business requirements in this step. The new or improved
system must function as planned in the analysis and design stages. In addition to backward-looking
testing, which tests against the initial requirements, forward-looking testing is conducted to see how
well employees and customers can perform tasks (called user‑acceptance testing).
5.1.6 Deploy
After the system has been fully vetted and tested, the organization will choose and document an
implementation strategy to deliver the system to end users. There are several methods available
for deployment that depend on available time, cost, and the cost of failure to the business:
Plunge or Big Bang: The entire new system is immediately delivered to all users and
customers (lowest cost, highest risk).
Ramped (Rolling, Phased) Conversion: Portions of the new system replace corresponding
parts of the old system, one piece at a time (above-average cost, below-average risk).
A/B Testing (Pilot, Canary): A subset of users gets the new system while the old system is still
in use and assigned to current and new users or customers. After successful deployment to the
subset of users, the new system is deployed to the remaining users (average cost, average risk).
Blue/Green (or Other Pair of Colors), or Shadow: The new system is fully deployed in
parallel with the old system; a routing layer directs progressively more duplicated traffic
to the new system. Once the new system is handling all the traffic, the old system is
deactivated (highest cost, lowest risk).
5.1.7 Maintain
Ongoing adjustments and improvements occur during the maintenance stage, which begins as soon as
deployment is complete. Adaptations are made to the system to keep it operating at an optimal level.
Over a longer period of time, the new system grows older and eventually will need to be evaluated for
either modification or replacement. When it is time to replace the system, the SDLC repeats.
[Figure: Agile Software Development Cycle]
Although the items below left are valuable, Agile promotes the items on the right.
Outdated technology or systems already in service (sometimes the first system ever established)
within an organization are referred to as legacy systems. Maintaining legacy systems is still
common at many organizations due to a number of factors, such as comfort with existing systems
and unwillingness to pay for upgrades. However, the benefits of maintaining a legacy system
versus phasing it out and replacing it usually do not outweigh the risks of keeping the system.
Lack of Vendor Support: It costs money for a vendor to continue updating and providing
customer support for a product. Eventually, support will end, and new vulnerabilities may
not be discovered in a timely manner. Vendors concentrate more of their resources on
developing, updating, and promoting new products rather than maintaining old ones.
Compatibility Issues: Many legacy systems are incompatible with modern systems. This
can lead to a lack of innovation or it can cause a significant competitive disadvantage for an
organization because the legacy system may no longer meet customers' demands.
Lack of Efficiency and Effectiveness: Some legacy systems will not be able to compare
with the speed or reliability of a modern system and, as a result, will lead to user frustration
and potentially the inability for the organization to compete in its industry.
Shutters Computing has been operating for 30 years. It has maintained its original
operating system because management is comfortable with the interface and productivity.
The company that created the operating system is no longer in business and therefore
does not provide ongoing maintenance or support. This operating system is considered
a legacy system and is vulnerable to a variety of cyberattacks due to a lack of vendor
support, insufficient data security measures, and the likelihood of exposure to hackers with
knowledge of the system and its weaknesses.
Establishing an ongoing testing plan for information technology is necessary to discover any
problem or functional issues. Testing should involve the acquired software, any developed
software, and the change management process.
Step 1, Unit Testing: Testing the smallest level of code or software program
Step 2, Integration Testing: Testing the combination of two or more units of code or a program
Step 3, System Testing: Testing the system as a whole once all parts have been combined
Step 4, Acceptance Testing: Testing to see if the system works for users as intended and meets all requirements
The various types of tests are unit tests, integration tests, system tests, and acceptance tests.
These tests are defined as follows.
Exploratory Tests: Whereas functional tests are designed to test the core business
functions of an organization, exploratory tests are utilized for the less-common or
exception-based situations with no specified test cases.
Performance Testing: This type of testing is designed to test the run-time (speed)
performance of software when processing the required workload.
Recovery Testing: This form of testing checks the system's ability to recover from failures.
Security Testing: Security testing verifies that system protection mechanisms prevent improper
penetration or data alteration and validate that authorized access levels function properly.
Regression Tests: Regression tests rerun previous test cases within the entire application
after new features or functionalities have been incorporated. This is to determine whether
the new features caused any breaks or modifications to functionality.
Stress Testing: During this test, the program is checked to see how well it deals with
abnormal and/or extreme resource demands (i.e., quantity, frequency, or volume).
Sanity Testing: A sanity test exercises the logical reasoning and behavior of the software to
determine whether system logic is functioning as designed.
Question 1 MCQ-14512
Retailer Alex Co. recently purchased a new point-of-sale (POS) system to replace its legacy
system for transaction processing and is evaluating different approaches to integrate the
new software. Alex decided to take a parallel implementation approach as it wants to
be able to switch back to the legacy system if it encounters complications. Which of the
following change management controls does this reflect?
a. Reversion access
b. Post-implementation testing
c. Separation of duties
d. Standardized change requests
Question 2 MCQ-14513
Which type of system test would best validate the logical reasoning of the system?
a. Security test
b. Stress test
c. Regression test
d. Sanity test
1 Understanding IT Risks
A successful organization cannot operate without technology. As organizations integrate more
technology into their operations, new and greater risks materialize. Operations can be disrupted
by attackers thousands of miles away. The overall process for understanding how risks can be
identified and addressed is through the security life cycle.
2 Identifying IT Risks
Understanding, identifying, assessing, and ultimately mitigating IT risks are now a core
component of the overall strategy an organization must employ. Fundamental risks inherently
exist in technology and are described below.
The following chart provides examples of each type of risk. Note that new threats constantly
arise, so the list is not considered to be complete:
IT controls play an increasingly important role in ensuring security at organizations. There are
two broad categories of controls: general IT controls and application IT controls. The nature
of these controls can be manual, IT-dependent manual, or automated. They also can perform
different functions in preventing, detecting, or correcting issues and deficiencies.
When performing a quality assurance review, the reviewer evaluates the process and
related requirements in order to confirm that the entire process was executed correctly.
A reviewer receives a system-generated automated report each month that shows all of
the transactions that went against the administrative expense for the preceding month.
The reviewer takes the report and performs a manual reconciliation of the transactions to
supporting documentation.
It is essential that information within an organization is both reliable and secure. To ensure that
this goal is met, it is vital that system access controls and segregation of duties exist to mitigate
risks of fraud and error. The security and reliability of information will typically need to take a
defense-in-depth approach, in which multiple layers of security controls are implemented to
ensure that mitigating controls are in place if other controls fail.
In order to log in to the customer relationship management system, the user has to type
in a user name and password on a laptop, which then prompts a push notification to a cell
phone to verify that the user is the one trying to access the system.
Rex sends Alexis a list of employees with names and salaries for each of their positions so
Alexis can append additional information to those records. Rex encrypts the email using
symmetric encryption so that they have a shared key that only he and Alexis have. Anyone
with the public key can access this message.
Alexis appends Social Security numbers and bank account information to the file Rex sent
and sends back to Rex. Given the additional sensitive data, she decides to add another
layer of security by using asymmetric encryption. This way, the only person who can open
the message is Alexis because she has the private key.
[Figure: digital certificate issuance. Row labeled OWNER: Create DN, public key, digital signature; Request digital certificate; Receive certificate. Row labeled CUSTOMER: Verify DN and owner info; Create certificate; Return certificate.]
Digital certificates intended for e-business use are typically issued by commercial certificate
authorities, such as Sectigo Limited and Verisign, Inc. The certificate authority hashes (converts
plain text to another value) the information stored on a digital certificate and then encrypts that
hash with its private key. That digital signature is then appended to the digital certificate, which
provides the means for validating the authenticity of the certificate.
Critical, confidential, and private information all need to be safeguarded to ensure that the
organization, its employees, its customers, and other stakeholders are protected appropriately.
An understanding of each area below is important to understand how information should be
safeguarded:
Critical Information: Any information that is vital for the organization to perform its
essential functions and achieve its strategic objectives.
Confidentiality: The efforts to keep information within or about the organization from
being misused or accessed without authorization.
Privacy: The rights of employees and customers to keep their personal information safe
and to understand how their information will be collected, used, and disclosed to others.
6 Business Resiliency
Business Resiliency
Strategic ability to rebound
6.2.4 Redundancy
Organizations may choose to have redundant hardware, software, and storage as a normal part
of their operations. This allows them to easily switch from a failed unit, such as a malfunctioning
router or switch, to another unit already in operation.
Having redundant IT assets can also apply to data storage and backup. Redundant arrays of
independent drives (RAID) allow organizations to record data on multiple disk drives at one time
for the purpose of data redundancy in the event one disk drive fails.
In addition to determining the location of backing up data, organizations also must decide what
types of backups to perform in order to recover lost data.
A full backup is an exact copy of the entire database. Full backups are time consuming, so most
organizations only do full backups weekly and supplement them with daily partial backups.
Two types of partial backups are possible:
• An incremental backup involves copying only the data items that have changed since the
last backup. This produces a set of incremental backup files, each containing the results
of one day's transactions. Restoration involves first loading the last full backup and then
installing each subsequent incremental backup in the proper sequence.
• A differential backup copies all changes made since the last full backup. Thus, each new
differential backup file contains the cumulative effects of all activity since the last full
backup. Consequently, except for the first day following a full backup, daily differential
backups take longer than incremental backups. Restoration is simpler, however,
because the last full backup needs to be supplemented with only the most recent
differential backup, instead of a set of daily incremental backup files.
A final type of backup is known as an archive. An archive moves entire sets of data that are
no longer actively used from software outputs, databases, or master files to a location that
is separate from the main operations as a way to indefinitely store them.
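The restore sequences described above for incremental and differential backups can be traced in a short simulation. This is an added example, not part of the textbook: the file names, versions, and five-day schedule are constructed, and recording a deletion as a `None` marker is an assumption of this sketch.

```python
"""Incremental vs. differential backups: what each run copies and what a
restore needs. All data here is constructed for illustration."""
from dataclasses import dataclass

# Constructed end-of-day states of a small data store (day 0 = full backup day).
SNAPSHOTS = [
    {"ledger": "v0", "payroll": "v0", "vendors": "v0"},
    {"ledger": "v1", "payroll": "v0", "vendors": "v0"},
    {"ledger": "v1", "payroll": "v2", "vendors": "v0"},
    {"ledger": "v3", "payroll": "v2"},                      # vendors deleted
    {"ledger": "v3", "payroll": "v2", "invoices": "v4"},    # invoices created
]


@dataclass(frozen=True)
class Backup:
    day: int
    kind: str    # "full", "incremental", or "differential"
    items: dict  # key -> copied value; None marks a deletion (assumption)


def diff(old, new):
    """Items that differ between two states; deleted keys map to None."""
    changed = {k: v for k, v in new.items() if old.get(k) != v}
    changed.update({k: None for k in old if k not in new})
    return changed


def run_schedule(snapshots, partial_kind):
    """Full backup on day 0, then one partial backup per later day."""
    backups = [Backup(0, "full", dict(snapshots[0]))]
    for day in range(1, len(snapshots)):
        # Incremental: changes since the previous backup (yesterday).
        # Differential: all changes since the last full backup (day 0).
        base = snapshots[day - 1] if partial_kind == "incremental" else snapshots[0]
        backups.append(Backup(day, partial_kind, diff(base, snapshots[day])))
    return backups


def restore_chain(backups, target_day):
    """Backups that must be loaded, in order, to recover target_day's state."""
    full = backups[0]
    partials = [b for b in backups[1:] if b.day <= target_day]
    if not partials:
        return [full]
    if partials[0].kind == "incremental":
        return [full] + partials      # every daily file, in sequence
    return [full, partials[-1]]       # only the most recent differential


def restore(chain):
    """Apply a chain of backups in order and return the recovered state."""
    state = {}
    for backup in chain:
        for key, value in backup.items.items():
            if value is None:
                state.pop(key, None)
            else:
                state[key] = value
    return state


if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        backups = run_schedule(SNAPSHOTS, kind)
        chain = restore_chain(backups, 4)
        print(kind)
        print("  items copied per day:", [len(b.items) for b in backups[1:]])
        print("  files needed to restore day 4:", [b.day for b in chain])
        print("  restore matches day 4:", restore(chain) == SNAPSHOTS[4])
    # A lost incremental file silently corrupts every later restore.
    inc_chain = restore_chain(run_schedule(SNAPSHOTS, "incremental"), 4)
    broken = [b for b in inc_chain if b.day != 2]
    print("restore without day-2 incremental:", restore(broken))
```

The last step shows the operational trade-off behind the simpler differential restore: an incremental chain depends on every daily file being intact, while a differential restore depends only on the full backup and the latest differential.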
Warm Site | Off-site | Moderately expensive | Yes/No | Yes/No | 0–3 days
Question 1 MCQ-14514
Computing Corp. just hired Janice Thompson as its new security administrator. This role
will allow Janice to grant access to the system for the appropriate personnel. Janice is also a
talented computer programmer, and because Computing Corp. needs a new programmer, it
has agreed to pay Janice more to take on that role as well. This violates what type of control?
a. Vulnerability control
b. Authentication control
c. Segregation of duties
d. Access control lists
Question 2 MCQ-14515
BEC 1-59
© Becker Professional Education Corporation. All rights reserved.
Financial Risk Management: Part 1
BEC 1-60
Financial Risk Management: Part 1
BEC 1-61
Financial Risk Management: Part 1
BEC 1-62
Financial Risk Management: Part 1
BEC 1-63
Financial Risk Management: Part 2
BEC 1-70
Financial Risk Management: Part 2
BEC 1-71
Capital Structure: Part 1
BEC 2-8
Capital Structure: Part 1
BEC 2-9
Financial Valuation Methods: Part 1
BEC 2-32
Financial Valuation Methods: Part 1
BEC 2-33
Financial Valuation Methods: Part 1
BEC 2-34
Financial Valuation Methods: Part 1
BEC 2-35
Process Management
BEC 6-1
Process Management
Define outsourcing.
BEC 6-5
Process Management
BEC 6-7
The Role of IT in Business
• Hardware
• Networking devices
• Software
• Networks
• Mobile technology
BEC 6-18
Data Management and Analytics
BEC 6-36
System Development and Change Management
BEC 6-43
System Development and Change Management
BEC 6-44
System Development and Change Management
BEC 6-45
System Development and Change Management
BEC 6-47
IT Risks and Responses
BEC 6-52
Becker Professional Education
Business Course Updates—June 2022
BEC IV All topics Same The text of unit BEC IV was updated and expanded to include more details on the covered topics.
Topic A: Information Technology (IT) Governance
3.1 Vision
A company's vision represents its aspirations and goals and is typically
described in a vision statement. IT governance policies should be designed
to facilitate the achievement of that vision.
3.3 IT Strategy
IT strategy should align with corporate strategy to achieve its objectives.
The following IT factors may affect a company's corporate strategy:
Network design
Cybersecurity
Disaster recovery and business continuity
Available IT personnel
4.1 People
The board of directors is responsible for setting governance policies.
Executives ensure that an IT governance structure is in place and
executed effectively.
Middle management is responsible for carrying out governance policies.
IT support staff include network engineers, help desk, and
cybersecurity staff.
Accountants play an important role handling confidential information.
End users are responsible for following processes and procedures.
External stakeholders such as customers and vendors affect how
organizations utilize online commerce platforms.
Auditors and regulators may drive changes in IT governance to comply
with changing regulations.
Question 1 MCQ-14518
Question 2 MCQ-14519
Topic B: The Role of IT in Business
2 IT Infrastructure
The supporting IT architecture within most companies has multiple,
interconnected technological components, with the core infrastructure
involving a combination of on-site and outsourced hardware, software, and
specialized personnel.
2.1 Hardware
The physical components of computers and computer-related accessories
are referred to as computer hardware. Hardware includes computer
components as well as external peripheral devices.
Servers: Servers are physical or virtual machines that provide
functionality by executing commands requested by computer
applications within the same or separate hardware.
Firewall: Firewalls are software applications or hardware devices that
protect a computer network by filtering traffic through security protocols.
2.3 Software
Software consists of the applications, procedures, or programs that provide
instructions for a computer to execute. Software that is embedded in
hardware that instructs the hardware how to operate is known as firmware.
2.4 Networks
A network is a group of computers and other machines that are
interconnected electronically using a series of networking devices.
Common types of networks include local area networks (LANs) and wide
area networks (WANs).
An AIS has three main functions:
3.10 E-Commerce
Electronic commerce platforms facilitate the sale of goods and services
using the internet. There are five types of e-commerce:
3.11 Communication
Email is utilized by most companies. Other communication options used
are telephone networks, videoconferencing, instant messaging, texting,
and social media platforms.
SOC 2®: A SOC 2® report is for users who need attestation concerning
controls as they relate to security, processing integrity, availability, and
privacy. These reports are important for vendor management, oversight
of a company, risk management, corporate governance, and regulatory
oversight. SOC 2® reports also have two types:
• Type 1 is a report of management's explanation or description of a
given service company's system as well as the suitability of control
design, as of a single point in time.
• Type 2 is also a report of management's explanation or description of
a company's control design and its operating effectiveness of internal
controls over a period of time.
SOC 3®: SOC 3® reports are also for users who need attestation
concerning controls as they relate to security, processing integrity,
availability, and privacy. However, this report is for companies that
do not have the knowledge required to make an effective use of a
SOC 2® report.
Question 1 MCQ-14520
Question 2 MCQ-14521
Topic C: Data Management and Analytics
Big Data Ethics: Organizations should make sure authorized personnel
are granted the minimum level of access to the data necessary to perform
their job functions. This includes assigning rights that limit users' ability to
create, read, edit, and delete data based on role and job function.
Governance Responsibility: An organization’s governance program
should be led by a designated individual. Management of the program
should involve all aspects of an organization that captures, maintains,
stores, and uses data of any kind.
2 Data Management
Data management is key for every organization. Ensuring that the data is
maintained and stored appropriately is vital to the decision-making process.
4 Data Analytics
Data analytics is the process of taking raw data, identifying trends, and
then transforming that knowledge into insights that can help solve complex
business problems. There are four key applications in data analytics.
5 Data Visualizations
It is important to select the right communication technique when
interpreting insights from Big Data analysis. Turning complex data sets into
easily read and understood visualizations makes the decision process more
accessible, efficient, and effective for decision makers.
Line charts
Column charts
Stacked column charts
Scatter plots
Boxplots
Dot plots
Geographic maps
Symbol maps
Pie charts
Pyramid
Flowcharts
Waterfall charts
Directional charts
Transforming raw data into a form that can be fed into many visualizations
improves that data's communication potential.
Question 1 MCQ-14522
Question 2 MCQ-14523
Topic D: System Development and Change Management
Lack of Formal Selection and Acquisition Process: This is the risk
that an organization either does not have, or does not follow, a formal
selection and acquisition process. This could result in overspending,
inappropriate related party transactions or kickbacks, or software that
does not align with the IT governance strategy.
Software/Hardware Vulnerability and Incompatibility: There is the
risk that proper safeguards and security features do not exist or that
newly acquired hardware and software are incompatible with existing
resources.
Unexpected Costs: Not all costs are evident when implementing a
system. Systems that require substantial support can drive up costs.
Lack of Key Performance Indicators (KPIs): If there are no agreed-
upon KPIs or service delivery targets, operations could be derailed.
1. Satisfy the customer with early and continuous delivery of the highest-
priority features.
2. Welcome change: A change request is an opportunity to be closer to
the customer needs.
3. Deliver working software frequently: Working software is the primary
measure of progress.
4. Complete only the work requested by the customer.
5. Conduct short, frequent, and regular meetings to maintain focus and
make adjustments.
Project Management Risk: This is the risk that the project management
team does not have clearly defined leadership, team member roles,
responsibilities, and project goals.
User Resistance Risk: This is the risk that employees will not accept the
new system.
Unit Tests: Unit tests are used to validate the smallest components of
the system.
Integration Tests: Integration testing determines if the units function
together as designed.
Systems Tests: Systems tests evaluate the system as a whole and take
on many forms.
• Functional tests focus on testing the functions performed by the system.
• Black-box testing focuses on testing the system as an end user would
validate outcomes.
• White-box testing focuses on code and design improvement as
opposed to testing functionality.
• Gray-box testing combines both black-box and white-box testing
techniques with the tester evaluating from both a user and designer
perspective.
• Exploratory tests are utilized for the less-common or exception-based
situations.
• Performance testing is designed to test the run-time performance
of software.
• Recovery tests check the system's ability to recover from failures.
• Security testing verifies that authorized access levels function properly.
• Regression tests rerun test cases within the entire application.
• Stress testing checks the program to see how well it deals with
abnormal resource demands.
• Sanity testing exercises the logical reasoning and behavior of
the software.
Question 1 MCQ-14524
Question 2 MCQ-14525
Which type of test checks the system to see how well it deals with
abnormal resource demands?
1. Sanity test
2. Stress test
3. Regression test
4. Security test
Topic E: IT Risks and Responses
1 Understanding IT Risks
As organizations integrate more technology into their operations, new and
greater risks materialize. The security life cycle is the process for identifying
and addressing risks.
2 Identifying IT Risks
User Access Controls: These controls identify user access and track
user activity.
Authentication Controls: These controls verify the unique identity of
individuals accessing the system.
• Passwords: A combination of characters known only to the user.
• Personal Identification Numbers (PINs): Numeric or alphanumeric
code that acts as an identifier to authenticate a user.
• Biometrics: Physical characteristics such as an iris scan, fingerprint, or
voice recognition.
• Smartcards or Physical Tokens: A physical device that has an
embedded chip or bar code that can be scanned for authentication.
• Authentication Codes: A set of dynamic figures which change at set
intervals to serve as a form of secondary validation of a user's identity.
• CAPTCHA (Completely Automated Public Turing test to tell
Computers and Humans Apart): A challenge-response test used to
determine whether a user is a human or a machine.
• Multifactor Authentication: A technique that requires more than
one form of authentication.
Physical obstructions such as fencing and barricades.
Security systems connected to local law enforcement.
Monitoring safeguards such as security guards and cameras.
Illumination measures such as additional lighting or sensor-triggered
lighting.
6 Business Resiliency
Business resiliency is the integration of system availability controls, crisis
management, disaster recovery plans, and business continuity plans.
System availability controls are activities to prevent system disruptions
and loss of information.
Crisis management plans define roles, responsibilities, and procedures
to deal with crisis situations.
Disaster recovery plans are plans for restoring and continuing
the information technology function in the event of a disaster. An
organization has three main options for maintaining IT operations: cold
site, hot site, and warm site.
Business continuity plans focus on keeping the business operational
during a disaster.
Business resiliency services are offered by companies with specialized
knowledge and resources and include disaster recovery as a service,
backup as a service, and business continuity as a service.
Question 1 MCQ-14526
Question 2 MCQ-14527
Topic C: Process Management
There are many generic BPM methodologies, but the most recognized
methods group management activities into five categories: design,
modeling, execution, monitoring, and optimization.
Question 1 MCQ-09722
JIT assumes that maintaining inventory does not add value. However,
the limitations of JIT may become evident in times of global supply chain
shocks. Shortages of key components in the manufacturing process could
jeopardize production schedules and cause product outages.
Six Sigma uses two five-step processes, one for existing products and the
other for new products.
Question 2 MCQ-09721