Self Study Notes on EIS 2

Commerce Harbour’s

Svadhyaya Series
Edition 1 • Jan 2022

4-43 Automated Business Processes


1. Introduction.
2. Enterprise Business Processes
3. Automated Business Processes
4. Risks Management
5. Enterprise Risks Management
6. Controls
7. Diagrammatic representation of business processes.
8. Regulatory and compliance requirements

44-71 Financial and Accounting system


1. Introduction.
2. Integrated & Non- Integrated systems
3. Risks and controls in ERP environment
4. Audit of ERP systems
5. Business process module and its integration
6. Reporting system and Management Information System (MIS)
7. Data Analytics and Business Intelligence
8. Business Reporting and Fundamental of XBRL
9. Regulatory and compliance requirements.

72-125 Information systems and its components


1. Information systems.
2. Components of Information systems.
3. Information systems controls
4. Information systems Auditing
5. Auditing of Information systems controls
6. Data related concepts
7. Organizational structure and responsibilities.

CA AKHIL KUMAR MITTAL



126-167 E-Commerce, M-Commerce & Emerging Technology


1. Introduction to E-commerce.
2. Components of E-commerce.
3. Architecture of networked systems & Work flow diagram for E-commerce
4. Risks and controls
5. Guidelines and laws governing E-Commerce
6. Digital payments
7. Computing Technologies

168-196 Core Banking System


1. Overview of Banking.
2. Banking & Financial services.
3. Overview of core banking system (CBS)
4. Component and architecture of CBS
5. CBS risks, security policy and controls
6. Core business process flow and relevant risks and controls
7. Reporting system and MIS, data analytics and Business Intelligence.
8. Applicable regulatory and compliance requirements.


AUTOMATED BUSINESS PROCESSES

1. Introduction:
A company has several types of information systems built in and around diverse functions and
business processes that automatically exchange information. However, because of the size of the
business, it is rather difficult for any one person in the company to gather all of this information,
although it is imperative to know, for example, the availability of a product or its stock status.
An EIS (Enterprise Information System) solves this problem. It collects data from the various
verticals of the business, i.e. finance, production, manufacturing, sales and marketing, and stores
it in a single central data repository. EIS thus helps the smooth functioning of business processes
by integrating them.
EIS provides a platform for the organisation to integrate and coordinate its business processes on
a robust (strong) foundation. An EIS is a single system, central to the organisation, that ensures
information can be shared across all functional levels of the organisation.

2. Enterprise Business Processes:


A business process is an activity that will accomplish a specific business goal. Business process
management (BPM) is a systematic approach to improving all the business processes.


2.1 Categories of Business Processes:


A business process is an activity or a set of activities that will accomplish specific organizational
goals. Business Process Management is a systematic approach to improving the various business
activities.
Operational Processes : Deal with the core business and value chain. These processes deliver value to customers.
Supporting Processes : These processes back the core processes and functions within an organisation.
Management Processes : Measure, monitor and control activities related to business procedures and systems.

• Operational/Primary Processes
Deal with the core business and value chain. These processes deliver value to customers and
represent the essential business activities that accomplish business objectives, for instance
the order to cash cycle and the purchase to pay cycle.

Customer Order : Customer order received is documented.


Order Fulfillment : Order is fulfilled or service is scheduled.
Delivery Note : Order is shipped to customer or service is provided.
Invoicing : Invoice is created and sent to customer.
Collections : Customer sends payment/collection.
Accounting : Collection is accounted for in general ledger & applied.

• Supporting Processes
These processes back the core processes and functions within an organisation. One of the major
differences between operational and supporting processes is that supporting processes do not
provide value to the customer. Some of the support processes are HRM (Human Resource
Management), accounting and workplace safety.

• Management Processes
These processes monitor and control activities related to business procedures and systems.
Examples of management processes include internal communications, governance, strategic
planning, budgeting, infrastructure etc.


Example representing all categories of business process:

S.N. | Nature of Business Decision | Description of Decision
1 | Vision and Mission | One of Asia's largest dairy product companies decided in 2005 to increase
its turnover by 2X in the next ten years. The present turnover was 10,000/- Crores.
2 | Management Process | Top management listed the activities to achieve the said turnover:
(a) It was decided to have an all-India presence. At present the company's products were being
sold across 20 out of 25 states and all state capitals excluding the four metros, namely Delhi,
Mumbai, Chennai and Kolkata.
(b) Launch new products. In addition to dairy products, they are planning to sell Biscuits, Toast,
Atta and packaged drinking water in the near future.
(c) Acquire existing dairies in markets where the company had no presence.
3 | Support Process | For all activities to be done as envisioned by top management, a huge effort
was needed on the human resources front. This included:
(a) Defining and creating a new management structure
(b) Performing all human resource activities as listed above.
4 | Operational Process | Managers implement the decisions in actual working form. It is here
where the whole hard job is done.

3. Automated Business Processes:


In the days of manual accounting, all the activities related to the sale of a product or service were
done manually, right from raising invoices to accounting for the transactions. With the
introduction of technology, almost all business processes have now become automated, which
helps enterprises handle voluminous data.
Business Process Automation (BPA) is the technology-enabled automation of activities or services
that accomplish a specific function, and it can be implemented for different business functions. It
consists of integrating applications and using software applications throughout the organisation.

3.1 Factors affecting business process:


Success of any Business Process Automation shall only be achieved when the BPA ensures the
following:
Confidentiality : To ensure that data is available only to persons who have the right to access it.
Integrity : To ensure that no unauthorized amendment can be made to the data.
Availability : To ensure that data is available at the right time.
Timeliness : To ensure that data is made available at the right time.


3.2 Benefits of BPA:


Code to Remember - T.V. - Q. - G.I.R2
[ TV quality GIR (low)]
1. Time Saving:
Automation reduces the number of tasks employees would otherwise need to do manually.
2. Visibility:
Automated processes are controlled and consistently operate accurately within the timeline.
3. Quality & Consistency:
Ensures that every transaction is performed identically.
4. Governance & Reliability:
The consistency of an automated process means stakeholders can rely on business processes to
operate and to offer reliable processes to customers.
5. Improved Operational Efficiency:
Automation reduces the time it takes to achieve a task. With automation, errors are eliminated
and best practices are consistently leveraged.
6. Reduce Costs:
Manual tasks cost more; automation allows tasks to be accomplished faster.
7. Reduce Turnaround Times:
Eliminate unnecessary tasks and realign process steps to optimize the flow of information
throughout production, service, billing and collection.

3.3 Which business Processes should be automated:


Code to Remember - H.I.M.A.T.
[ It takes HIMAT (courage) to automate a complex process]
• High-volume of tasks or repetitive tasks:
Many business processes, such as making purchase orders, involve a high volume of repetitive
tasks. Automating these processes results in cost and work effort reductions.
• Impact of processes on other processes and systems:
Some processes are cross-functional and have a significant impact on other processes and
systems. In cross-functional processes, different departments within the same company work
hand in hand to achieve a common goal; for example, the marketing department may work with
the sales department. Automating these processes results in shared information resources and
improves the efficiency and effectiveness of business processes.
• Multiple people required to execute tasks:
A business process which requires multiple people to execute tasks often results in waiting
time that can lead to increased costs.
• Audit trail compliances:
With business process automation, every detail of a particular process is recorded. These
details can be used to demonstrate compliance during audits.
• Time-sensitive processes:
Business process automation results in streamlined processes and faster turnaround times.
The streamlined processes eliminate wasteful activities and focus on enhancing tasks that
add value. Time-sensitive processes such as online banking systems and railway/aircraft
operating and control systems are best suited to automation.


3.4 Challenges involved in Business process Automation:


Code to Remember - R2.I.D. [Get rid of these challenges]
• Automating Redundant Processes:
- A few organizations start off an automation project by automating processes they find
suitable for automation without considering whether those processes are necessary at all.
- In other cases, some business processes and tasks require a high amount of tacit
knowledge that cannot be documented and transferred from one person to another; they
therefore require employees to use their personal judgment and cannot be hard coded.
• Staff Resistance:
- Human factor issues are the main obstacle to the acceptance of automated processes.
- Because of automation, management has greater visibility of the process, and decisions
that used to be made by the staff are now taken by management.
- Moreover, the staff may perceive automated processes as a threat to their jobs.
• Implementation Cost:
- Implementation of automated processes may be an expensive proposition in terms of
acquisition/development cost, and special skills are also required to operate and maintain
these systems.
• Defining Complex Processes:
- BPA requires re-engineering of some business processes, which requires a significant
amount of time to be allocated and spent at this stage. This requires a detailed
understanding of the underlying business processes to develop an automated process.

3.5 Implementation of BPA:


Following are the steps involved in implementing business process automation. Before
proceeding further, it is to be noted that not all processes can be automated at one time. It
involves a series of thoughts that will ultimately lead to complete automation.

(a) Step 1 - Define why we plan to implement a BPA:


The purpose for which an enterprise implements automation may vary from one company to
another. Following are good reasons to go for BPA:
Code to Remember: L. - E. P. I. C.
o Lack of management understanding of business processes.
o Errors in manual processes leading to higher cost.
o Poor debtor management leading to high invoice ageing and poor cash inflows.
o Ineffective audit since documents are not easily traceable and available when needed.
o Poor Customer services.

(b) Step 2 - Understand the rules/regulations with which the enterprise needs to comply:
This is one of the most important steps to be kept in mind. It includes understanding and
following the rules and regulations and the document retention requirements. This governance
is formulated by a combination of internal corporate policies, external industry regulations and
local laws. In this case it is imperative to understand the requirements of the law in respect of
retention of records for a specified number of years.


(c) Step 3 - Document the process we wish to automate:


At this step, all documents that are currently being used need to be documented.
Aspects to consider:
1. What documents are to be captured?
2. Where do they come from?
3. What format are they in: pdf, excel, word etc.?
4. Who processes the documents?
5. Impact of regulations on processing of the documents.
6. Can there be a better way to do the job?

(d) Step 4 - Define the objectives/goals to be achieved by implementing BPA:


Once the above steps have been completed, the entity needs to determine the key objectives of
the process improvement activities. When determining goals, the goals need to be SMART.
o Specific : Clearly defined;
o Measurable : Easily Quantifiable in monetary terms;
o Attainable : Achievable through best efforts;
o Relevant : Entity must be in need of those;
o Timely : Achieved within a given time frame.


(e) Step 5 - Engage the business process consultant:


In order to ascertain whom to partner with, the following things are to be kept in mind:
o The consultant's objective in understanding the entity.
o Does the consultant have experience with the entity's business processes?
o Is the consultant experienced?
o Whether the consultant is capable of recommending and implementing a combination of
hardware, software and services.

(f) Step 6 - Calculate the ROI for the project:


The right stakeholders need to be engaged and involved to ensure that the benefits of
BPA are clearly communicated and the implementation is successful. However, it is a Herculean
effort to convince senior management about the implementation of BPA. Some of the
justification points to be kept in mind:

(g) Step 7 - Developing the BPA:


Once the requirements have been documented, the ROI computed and top management
approval to go ahead received, the consultant develops the requisite BPA.

(h) Step 8 - Testing the BPA:


Once developed, it is important to test the new process to determine how well it works. Testing
is an iterative process, the objective being to remove all problems and to provide room for
improvements prior to the final launch.
o It helps in increasing user acceptance and decreasing resistance to change.
o Documenting the final version of the process will help in training people and serve as a quick reference.

4. Risks Management:
Risk Management is the process of assessing risk, taking steps to reduce risk to an acceptable level and
maintaining that level of risk. Risk management involves identifying, measuring, and minimizing uncertain
events affecting resources.

4.1 Definitions:
ASSETS:
An asset can be defined as something of value to the organisation, for example information in
electronic form, software systems and employees. Following are the characteristics of assets:
1. Recognized to be of value to the organisation.
2. Assets cannot be replaced without cost, skill and time.
3. They form part of the organization's corporate identity.
4. They are capable of being distinguished by information level, i.e. confidential, proprietary etc.

VULNERABILITY:
(a) It is a weakness in the system safeguards that exposes the system to THREATS. E.g.:
1. Leaving a door unlocked makes the house vulnerable to theft.
2. Use of short passwords, which are prone to cracking or hacking.
We have studied vulnerability and its examples. But why do vulnerabilities arise...!!!


THREATS:
(a) Any entity or circumstance with the potential to harm the software system or component
through unauthorized access, destruction or modification.
(b) It is an action, event or condition where there is a compromise in quality and the ability to
harm the organisation.
(c) Threats exist where there is an asset. An asset is nothing but the data contained in the
information system.
CHARACTERISTICS OF A THREAT:
- It is an action/event/condition where there is a compromise in the system.
- Negative impact on the quality of the system.
- A threat has the capability to attack the system with the intent to harm it.

EXPOSURE:
(a) It is the extent of the loss to the organisation when a risk materializes (occurs).
(b) For instance, loss of business, loss of reputation, violation of privacy etc.

LIKELIHOOD: (probability)
It is the estimate of the probability that a threat will succeed in achieving an undesirable event.

ATTACK:
(a) It is a set of actions designed to compromise the confidentiality, integrity and availability of
an information system.
(b) It is an attempt to gain unauthorized access to system services. In software terms, an
attack is a malicious intentional fault that has the intent of exploiting vulnerabilities.

COUNTERMEASURE:
An action, device, procedure or technique that reduces the vulnerability of a system or
component is referred to as a countermeasure.

RISK:
Risk is any event that may result in a significant deviation from a planned objective, resulting in
an unwanted negative consequence. The planned objective could be any aspect of an
enterprise's strategic, financial, regulatory and operational processes, products or services. The
degree of risk associated with an event is determined by the likelihood (uncertainty,
probability) of the event occurring, the consequences (impact) if the event were to occur, and
its timing.


4.2 Sources of Risk:


The most important step in the risk management process is to identify the sources of risk, the
areas from where risks can occur. This gives information about the possible threats and
vulnerabilities, and accordingly an appropriate risk mitigation strategy can be adopted. Some of
the common sources of risk are:
- Commercial and Legal Relationships
- Economic Circumstances
- Human Behavior
- Natural Events
- Technology and Technical Issues
- Management Activities and Controls
Risk has the following characteristics:
- Potential loss that exists as the result of a threat/vulnerability process.
- Uncertainty of loss, expressed in terms of the probability of such loss.
- The probability/likelihood that a threat agent mounts a specific attack against a particular
system.

4.3 Types of Risk:

TYPES OF RISKS: Business Risks, Technology Risks, Data related Risks


• Business Risks
Business risk is a broad category which applies to any event or circumstance related to
business goals.
Code to remember: C.H.O.R - S.F.
(Since CHOR is not SaFe for homes, similarly risks are not safe for businesses)

• Compliance Risks:
- Includes risks that could expose the organization to fines and penalties from a regulatory agency.
- Arises from non-compliance with laws and regulations such as environmental, employee
health and safety, lack of due diligence, protection of personal data etc.
• Hazard Risks:
- Hazard risks include risks that are insurable, such as natural disasters, various insurable
liabilities, impairment of physical assets, terrorism etc.
• Operational Risks:
- Implementation of automated processes may be an expensive proposition in terms of
acquisition/development cost, and special skills are also required to operate and maintain
these systems.
• Residual Risks:
- This includes any risk remaining even after the countermeasures are analyzed and
implemented.
- An organization's management of risk should consider these two areas: acceptance of
residual risk and selection of safeguards. Risk can be minimized, but it can seldom be
eliminated even if proper safeguards are applied by the organisation.
• Strategic Risks:
- These are the risks that would prevent an organization from accomplishing its
objectives (meeting its goals).
- Examples: risks related to strategy, political and economic relationship issues with
suppliers and global market conditions, reputation risk, leadership risk etc.
• Financial Risks:
- Financial risks are those risks that could result in a negative financial impact on the
organization (waste or loss of assets).
- Examples: risks from volatility in foreign currencies, interest rates, liquidity risk etc.

• Technology Risk
The dependence on technology in BPA for most key business processes has led to various
challenges. As technology keeps taking new forms and transforming, the business processes and
standards adopted by enterprises should consider this new set of IT risks and challenges:

Code to Remember: V.G. - S.A.D.- C.O.M.E.T


V.G. Sir Is S.A.D. since C.O.M.E.T. will destroy their satellite classes view (Type of Technology Risk)

1. Vendor related concentration risk:


- There may not be one but multiple vendors providing different services.
- For example, hardware and system software services may be provided by different
vendors or by a single vendor.
- Both these situations result in higher risk due to heavy dependence on vendors.


2. Governance processes requirement:


- Controls in the system should be implemented from a macro (broad) and business
perspective.
- As technology has become a key enabler for the bank and is implemented across the
organization, senior management should be involved in directing how technology is deployed.
- This requires a governance process to implement security as required.

3. Segregation of Duties (SoD):


- Organizations may have a highly defined organization structure with clearly defined
roles, authority and responsibility.
- The SoD as per the organization structure should be clearly mapped. This is a high-risk
area, since any SoD conflict can be a potential vulnerability for fraudulent activities.
- For example, if a single employee can initiate, authorize and disburse a loan, the
possibility of misuse cannot be ignored.
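As an added example (not from these notes or any ICAI material) of how the SoD conflict just described can be checked, the Python below runs two checks over constructed data: a preventive check of each user's effective duties against a constructed list of toxic duty pairs, and a detective check of a constructed loan-processing log for one person performing more than one step on the same loan. All role names, user names and log lines are assumptions made up for the illustration.

```python
"""Two segregation-of-duties (SoD) checks for the loan example in the notes.

Added example; the roles, users, toxic pairs and log lines are constructed
for illustration and are not from the notes.
"""
import re
from collections import defaultdict

# Duty pairs that one person must never hold together (constructed rules).
# The three loan duties mirror the notes' example: initiate, authorize, disburse.
TOXIC_PAIRS = {
    frozenset({"LOAN_INITIATE", "LOAN_AUTHORIZE"}),
    frozenset({"LOAN_AUTHORIZE", "LOAN_DISBURSE"}),
    frozenset({"LOAN_INITIATE", "LOAN_DISBURSE"}),
    frozenset({"VENDOR_CREATE", "VENDOR_PAY"}),
}

# Role -> duties the role grants (constructed role matrix).
ROLE_DUTIES = {
    "loan_officer": {"LOAN_INITIATE"},
    "branch_manager": {"LOAN_AUTHORIZE"},
    "teller": {"LOAN_DISBURSE"},
    "ap_clerk": {"VENDOR_CREATE"},
    "treasury": {"VENDOR_PAY"},
}

# User -> roles (constructed). 'rani' has accumulated roles over time.
USER_ROLES = {
    "asha": ["loan_officer"],
    "meena": ["branch_manager"],
    "rani": ["loan_officer", "branch_manager", "teller"],
    "vik": ["ap_clerk", "treasury"],
}


def effective_duties(user, user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """Union of the duties granted by every role the user holds."""
    duties = set()
    for role in user_roles.get(user, []):
        duties |= role_duties.get(role, set())
    return duties


def static_conflicts(user_roles=USER_ROLES, role_duties=ROLE_DUTIES,
                     toxic_pairs=TOXIC_PAIRS):
    """Map each user to the sorted toxic pairs they hold in full.

    Users with no conflict are omitted, so an empty dict means the role
    matrix is clean. This is the preventive check: run it on every role
    change before the access is granted.
    """
    report = {}
    for user in user_roles:
        held = effective_duties(user, user_roles, role_duties)
        hits = sorted(tuple(sorted(p)) for p in toxic_pairs if p <= held)
        if hits:
            report[user] = hits
    return report


# Constructed loan workflow log: one line per step, fields are key=value.
LOAN_LOG = """\
2022-01-05T10:02:11 loan=L1001 step=INITIATE user=asha
2022-01-05T11:30:45 loan=L1001 step=AUTHORIZE user=meena
2022-01-06T09:15:02 loan=L1001 step=DISBURSE user=rani
2022-01-07T14:20:00 loan=L1002 step=INITIATE user=rani
2022-01-07T14:21:10 loan=L1002 step=AUTHORIZE user=rani
2022-01-07T14:25:33 loan=L1002 step=DISBURSE user=rani
"""

LINE_RE = re.compile(r"^\S+ loan=(\S+) step=(\S+) user=(\S+)$")


def log_breaches(log=LOAN_LOG):
    """Detective check: loans where one user performed more than one step.

    Returns {loan: {user: [steps...]}} for breaching loans only. It catches
    misuse the static check misses, e.g. an emergency role grant that was
    never revoked, or a shared login.
    """
    steps_by_loan = defaultdict(dict)  # loan -> {step: user}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the report
        loan, step, user = m.groups()
        steps_by_loan[loan][step] = user

    breaches = {}
    for loan, steps in steps_by_loan.items():
        by_user = defaultdict(list)
        for step, user in steps.items():
            by_user[user].append(step)
        multi = {u: sorted(s) for u, s in by_user.items() if len(s) > 1}
        if multi:
            breaches[loan] = multi
    return breaches


if __name__ == "__main__":
    print("Static SoD conflicts:", static_conflicts())
    print("Loans with SoD breach:", log_breaches())
```

Both checks are needed: the role matrix shows who could breach SoD, the log shows who actually did on a given loan.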

4. Alignment with business objectives:


- Organizations must ensure that the systems implemented cater to all the business
objectives and needs, in addition to the legal/regulatory requirements envisaged.

5. Dependence on vendors due to outsourcing of IT services:


- In a systems environment, the organization requires staff with specialized domain skills
to manage the IT deployed.
- Hence these services could be outsourced, which leads to dependency on vendors and
gives rise to vendor risks.

6. Complexity of systems:
- The technology architecture used for services could include multiple digital platforms
and is quite complex.
- This calls for personnel to have the requisite technology skills or knowledge of the
management of the technology.

7. Obsolescence or frequent changes of technology:


- Technology keeps evolving and changing constantly and becomes obsolete very
quickly.
- Because of this, investment in technology needs to be planned carefully.

8. Multiple types of controls:


- Deployment of technology gives rise to new types of risks.
- These risks need to be mitigated by relevant controls as applicable to the technology/
information systems deployed.

9. Employee Actions:
- Fraudsters use new social engineering techniques, such as socializing with employees, to
extract relevant information about the company to commit fraud.
- For example: extracting information about passwords from staff while posing as a genuine
customer and using it to commit frauds.


10. Threats leading to cyber frauds/crime:


- The system environment provides access to customers anytime, anywhere using the
internet. Consequently, the information system is now exposed, as it is open to being
accessed by anyone from anywhere.
- Making information available is a business imperative, but it is also fraught with the risk
of increased threats from hackers.

• Data related Risks


All data and applications are susceptible to disruption, damage and theft. Data related risks include
unauthorized implementation or modification of data and software and are discussed below:

1. Data Diddling:
- This involves changing data before or after it is entered into the system.
- Only limited technical knowledge is required to data diddle, and the worst part is that it
occurs before computer security can protect the data.

2. Bomb:
- A bomb is a piece of bad code deliberately planted by an insider or supplier of a program.
- A bomb is triggered by an event or is time based. The bomb explodes when the conditions
for explosion are fulfilled, causing damage immediately, but it cannot infect other programs.

3. Christmas Card:
- On typing the word 'Christmas', it draws a Christmas tree as expected, but in addition it
sends copies of similar output to all other users connected to the network.
- It was detected on the internal e-mail of an IBM system, and because of the above message
other users could not save their half-finished work.

4. Worm:
- A worm program copies itself to another machine on the network.
- Since worms are stand-alone programs, they can be detected more easily than Trojans and
computer viruses.
- Alarm clock worm: a worm that reaches out through the network to an outgoing terminal
(one equipped with a modem) and places wake-up calls to a list of users.

5. Rounding Down:
- This refers to rounding off small fractions of a denomination and transferring these
small fractions to an authorized account. As the amount is small, it rarely gets noticed.

6. Salami Technique:
- This involves slicing small amounts of money from a computerized transaction or
account.
- The salami technique is slightly different from the rounding technique in the sense that a
fixed amount is deducted. E.g., an amount of ₹ 21,446.39 is written as ₹ 21,446.30.
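An added example, not from these notes, of detection logic a reviewer could run over a batch of postings to tell the two techniques just described apart. The batches are constructed: each entry holds the account, the amount the system computed at full precision and the amount actually posted. The "fair rounding" rule (round half up to the cent) and the 50% repetition threshold are assumptions.

```python
"""Detection heuristics for the rounding-down and salami techniques.

Added example, not from the notes. Each posting is a constructed tuple of
(account, amount computed at full precision, amount actually posted).
"""
from collections import Counter
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

# Constructed batch: every fraction is truncated rather than rounded, so the
# customer is always short by up to one cent and never long.
ROUNDING_BATCH = [
    ("A001", "103.4567", "103.45"),
    ("A002", "58.1290", "58.12"),
    ("A003", "2210.9999", "2210.99"),
    ("A004", "75.0042", "75.00"),
]

# Constructed batch: a fixed 0.09 is shaved from most postings, mirroring the
# notes' example of 21,446.39 being written as 21,446.30.
SALAMI_BATCH = [
    ("B001", "21446.39", "21446.30"),
    ("B002", "500.50", "500.41"),
    ("B003", "12.09", "12.00"),
    ("B004", "99.99", "99.99"),
]


def expected_posting(computed):
    """Fair value of a posting: round half up to the cent (assumed house rule)."""
    return Decimal(computed).quantize(CENT, rounding=ROUND_HALF_UP)


def rounding_down_report(batch):
    """Compare each posted amount with its fairly rounded value.

    Returns (short_count, over_count, total_shortfall). Honest rounding gives
    zero shortfall everywhere; a batch where postings are only ever short,
    never over, is the signature of systematic rounding down.
    """
    short = over = 0
    total = Decimal("0")
    for _, computed, posted in batch:
        diff = expected_posting(computed) - Decimal(posted)
        if diff > 0:
            short += 1
        elif diff < 0:
            over += 1
        total += diff
    return short, over, total


def residual_sweep(batch):
    """Sum of the full-precision fractions dropped across the batch.

    The dropped fractions must be credited somewhere, so a suspense or
    employee account receiving exactly this amount in the same batch is the
    reconciliation item to look for.
    """
    return sum((Decimal(c) - Decimal(p) for _, c, p in batch), Decimal("0"))


def salami_report(batch, min_share=Decimal("0.5")):
    """Look for one identical non-zero deduction repeated across postings.

    Returns (deduction, count, flagged); flagged is True when that deduction
    appears on at least min_share of the postings in the batch.
    """
    diffs = Counter(Decimal(c) - Decimal(p) for _, c, p in batch)
    diffs.pop(Decimal("0"), None)  # untouched postings are not evidence
    if not diffs:
        return None, 0, False
    deduction, count = diffs.most_common(1)[0]
    flagged = Decimal(count) / Decimal(len(batch)) >= min_share
    return deduction, count, flagged


if __name__ == "__main__":
    print("rounding batch:", rounding_down_report(ROUNDING_BATCH),
          "swept:", residual_sweep(ROUNDING_BATCH))
    print("salami batch:", salami_report(SALAMI_BATCH))
```

Rounding down shows up as a one-sided shortfall whose sum reappears as a single credit elsewhere; the salami technique shows up as the same deduction repeated across unrelated accounts.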


7. Trap Doors:
- Trap doors allow the insertion of specific logic, such as program interrupts, that permits a
review of data. They also permit the insertion of unauthorized logic.

8. Spoofing:
- A spoofing attack involves forging one's source address. One machine is used to
impersonate another in the spoofing technique. Spoofing occurs only after a particular
machine has been identified as vulnerable.
- A penetrator makes the user think that s/he is interacting with the operating system.
Spoofing is a cyberattack that occurs when a scammer is disguised as a trusted source to
gain access to important data or information.

9. Asynchronous Attacks:
- They occur in many environments where data can be moved asynchronously across
telecommunication lines.
- Such an attack uses the timing difference between the input time of data and its
processing time. Data that is waiting to be transmitted is liable to unauthorized access,
called an Asynchronous Attack.
- Such attacks are very small (pin-like insertions) and hence hard to detect. Some of the
asynchronous attacks:
o Data Leakage: This involves leaking information out of the computer by means of
dumping files to paper or stealing computer reports and tapes.
o Subversive Attacks: These can provide intruders with important information
about messages being transmitted, and the intruder may attempt to violate the
integrity of some components in the sub-system.
o Wire-Tapping: This involves spying on information being transmitted over a
communication network.
o Piggybacking: This is the act of following an authorized person through a secured
door, or of electronically attaching to an authorized telecommunication link that
intercepts and alters transmissions. This involves intercepting communication
between the operating system and the user and modifying it or substituting
new messages. Piggybacking also refers to someone allowing another person to
follow right after them into a restricted area.

4.4 Risk Management Strategies:


Risk Analysis is defined as the process of identifying security risks and determining
their magnitude and impact on an organization. Effective risk management begins with a clear
understanding of the enterprise's risk appetite and identifying high-level risk exposures.
Risk Management is the process of assessing risk, taking steps to reduce risk to an
acceptable level and maintaining that level of risk. Risk management involves identifying,
measuring and minimizing uncertain events affecting resources. After defining the risk appetite
and identifying the risk exposures, strategies for managing risk can be set and responsibilities clarified.
Below are the strategies which can be followed by the company in respect of the risks identified:


- Tolerate/Accept the risk
- Terminate/Eliminate the risk
- Transfer/Share the risk
- Treat/Mitigate the risk

1. Accept the Risk:


(a) Some risks are so minor that their impact and probability of occurrence are low.
(b) In this case it is desirable to run the business as usual instead of establishing a costly
procedure to mitigate the (minor) risk.

2. Eliminate the Risk:


(a) It is possible to associate a risk with a particular technology or vendor.
(b) In such a case it is advisable to replace the technology and to seek more capable suppliers.

3. Share the Risk:


(a) One way to manage risk is to share the risk with a trading partner or the suppliers.
(b) Example: A supplier mitigates the risks associated with IT infrastructure management by
outsourcing it to a company having expertise in IT infrastructure management.

4. Mitigate the Risk:


(a) Where other options are not available, it is advisable to devise suitable controls.
(b) To prevent the risk from manifesting (revealing) itself and to minimize the impact.

5. Enterprise Risks Management:


The Sarbanes Oxley Act (SOX)
This act focuses on the implementation and review of internal controls related to financial
statements. In an IT environment it is important to understand whether the relevant IT controls
are implemented. The degree of control desired depends on the risk appetite of the business.

Enterprise Risk Management (ERM) may be defined as a process, effected by an entity's Board of
Directors, management and other personnel, applied in strategy setting and across the enterprise,
designed to identify potential events that may affect the entity and manage risk to be within its risk
appetite, to provide reasonable assurance regarding the achievement of entity objectives.

ERM in business includes the methods and processes used by organizations to manage risks and
seize opportunities related to the achievement of their objectives. ERM is a common framework
applied by business management and other personnel to identify potential events that may affect
the enterprise, manage the associated risks and opportunities, and provide reasonable assurance
that the enterprise's objectives will be achieved.


5.1 Benefits of Risk Management:


Code to Remember: R3 - M. - C. O. L. A.
a) Risk Response Decision:
ERM provides the rigor to identify & select among alternative risk responses – risk avoidance,
reduction, sharing & acceptance.

b) Rationalize capital:
More robust information on the entity’s risks allows management to assess capital requirements
more effectively and to improve capital allocation.

c) Response to multiple risks:
Business processes carry many inherent risks and ERM provides an integrated solution to
manage them.

d) Minimize operational surprises & Losses:


Entities have capabilities to identify potential threats, assess risk and put controls in place to mitigate
or eliminate them. Such proactive actions help in reducing the losses or costs that would arise if such
risks remained undetected.

e) Cross-Enterprise risk identification & management:


Management not only needs to manage individual risks but also understand interrelated
impacts.

f) Opportunities:
ERM’s integrated view of the inherent risks in business processes also helps to identify and seize
opportunities related to the achievement of the entity’s objectives.

g) Link growth, risk and return:
Entities accept risk as part of value creation and they expect a return commensurate (proportionate)
with the risk. ERM provides a framework that indicates to the organisation the acceptable levels of risk.

h) Align risk appetite & strategy:


Risk appetite is the degree of risk acceptable by an entity. Management considers the risk
appetite first in evaluating strategic alternatives, then setting objectives, aligned with selected
strategy.

5.2 Enterprise Risk management framework:


Code to Remember: E - M.I2.C.R2.O.

1. Event Identification:
Potential events that might have an impact on entity should be identified. This includes –
internal and external factors that influence how potential events may affect strategy
implementation and achievement of objectives.


2. Monitoring:
The entire ERM process should be monitored and modified wherever necessary. This ensures
that the system can react dynamically. Monitoring is accomplished through ongoing
management activities.

3. Internal Environment:
This encompasses tone of an organisation & sets the basis of how risk is viewed and
addressed by an entity’s people including risk management, risk appetite, integrity and
ethical values.

4. Information and communication:


Relevant information is identified, captured and communicated in a form and time frame
that enable people to carry out the responsibilities. Such information is required at all levels
of management.

5. Control Activities:
Policies and procedures established by the company ensure that the risk responses selected
by management are effectively carried out.

6. Risks Assessment:
Identified risks are analyzed to form the basis for determining how they should be
managed. Risks are assessed on both an inherent and a residual basis, and the assessment
considers both risk likelihood and impact.

7. Risks Response:
Management selects an approach to align assessed risk with the entity’s risk tolerance and risk
appetite. Personnel identify and evaluate possible responses to risks (avoidance, acceptance,
reduction & sharing).

8. Objective Setting:
ERM should ensure that management has a process in place to set objectives and that
chosen objectives support and align with overall objectives of the company.

6. Controls:
Controls are defined as policies, procedures, practices and organizational structure that are
designed to provide reasonable assurance that
 Business objectives are achieved and;
 Undesired events are prevented or detected and corrected.

The system of internal control extends beyond those matters which relate directly to the functions
of the accounting system. Below is the diagrammatic representation of purchase to pay controls.
There are 4 stages:


(a) Purchases: An employee of the company submits a purchase requisition to the manager for
approval. Upon approval, a Purchase Order (PO) is raised. The PO may be raised manually or by
the system.
(b) Good Receipt: The PO is sent to the vendor, who delivers the goods as per the terms of the PO.
When goods are received, staff check the delivery note and PO number and acknowledge receipt
of the material. A Goods Receipt Number (GRN) is raised.
(c) Invoice Processing: The vendor sends the invoice to the accounts payable department, who
punch it into the system. The invoice is checked against the PO for the rates and against the GRN
for the quantity.
(d) Payment: If there is no mismatch between invoice, PO and GRN, payment is released to the
vendor based on the credit period decided.

Based on how they are implemented, the above controls can be categorized as manual, semi-
automated or automated. The objective of these controls is to mitigate the risk associated with the
business. The 3 categories are explained below:
Manual: Manually verifying the goods received as per PO and checking with the vendor invoice.
Semi-Automated: Verification of goods receipt (E) with PO (D) could be automated, but the
vendor invoice could be checked manually in the reconciliation process.
Automated: Automation can be done by the computer system by comparing D, E and F.
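The automated category compares the purchase order (D), the goods receipt (E) and the vendor invoice (F). The following Python block is an added example for these notes, not part of the Institute material: it shows the three-way match as a program that clears an invoice for payment only when all three documents agree and writes every other case to an exception report. The record layouts, the sample documents and the rate tolerance parameter are assumptions; D, E and F are the labels used in the text above.

```python
from dataclasses import dataclass


@dataclass
class PurchaseOrder:          # D in the notes
    po_no: str
    item: str
    qty: int
    rate: float


@dataclass
class GoodsReceipt:           # E in the notes
    grn_no: str
    po_no: str
    item: str
    qty_received: int


@dataclass
class VendorInvoice:          # F in the notes
    inv_no: str
    po_no: str
    grn_no: str
    item: str
    qty_billed: int
    rate: float


def three_way_match(pos, grns, invoices, rate_tolerance=0.0):
    """Automated control: compare every invoice (F) with its PO (D) and GRN (E).

    Returns (cleared, exceptions). An invoice is cleared for payment only when
    its PO exists, its GRN exists and belongs to the same PO, the item agrees,
    the billed rate equals the PO rate (within tolerance) and the billed
    quantity does not exceed the quantity actually received. Anything else
    goes to the exception report for manual follow-up; nothing is paid silently.
    """
    po_idx = {p.po_no: p for p in pos}
    grn_idx = {g.grn_no: g for g in grns}
    cleared, exceptions = [], []
    for inv in invoices:
        po = po_idx.get(inv.po_no)
        grn = grn_idx.get(inv.grn_no)
        if po is None:
            exceptions.append((inv.inv_no, "NO_PO", f"PO {inv.po_no} not found"))
        elif grn is None or grn.po_no != inv.po_no:
            exceptions.append((inv.inv_no, "NO_GRN",
                               f"GRN {inv.grn_no} missing or not for PO {inv.po_no}"))
        elif not (inv.item == po.item == grn.item):
            exceptions.append((inv.inv_no, "ITEM_MISMATCH",
                               f"invoice {inv.item}, PO {po.item}, GRN {grn.item}"))
        elif abs(inv.rate - po.rate) > rate_tolerance:
            exceptions.append((inv.inv_no, "RATE_MISMATCH",
                               f"billed {inv.rate} vs PO {po.rate}"))
        elif inv.qty_billed > grn.qty_received:
            exceptions.append((inv.inv_no, "QTY_MISMATCH",
                               f"billed {inv.qty_billed} vs received {grn.qty_received}"))
        else:
            cleared.append(inv.inv_no)
    return cleared, exceptions


# Constructed sample documents (not real data)
SAMPLE_POS = [PurchaseOrder("PO-1001", "steel-sheet", 100, 50.0),
              PurchaseOrder("PO-1002", "bolts", 500, 2.0)]
SAMPLE_GRNS = [GoodsReceipt("GRN-7001", "PO-1001", "steel-sheet", 100),
               GoodsReceipt("GRN-7002", "PO-1002", "bolts", 480)]
SAMPLE_INVOICES = [
    VendorInvoice("INV-A", "PO-1001", "GRN-7001", "steel-sheet", 100, 50.0),  # agrees with D and E
    VendorInvoice("INV-B", "PO-1002", "GRN-7002", "bolts", 500, 2.0),         # bills more than received
    VendorInvoice("INV-C", "PO-1001", "GRN-7001", "steel-sheet", 100, 55.0),  # rate above PO rate
    VendorInvoice("INV-D", "PO-9999", "GRN-7001", "steel-sheet", 10, 50.0),   # PO does not exist
]

if __name__ == "__main__":
    cleared, exceptions = three_way_match(SAMPLE_POS, SAMPLE_GRNS, SAMPLE_INVOICES)
    print("cleared for payment:", cleared)
    for exc in exceptions:
        print("exception:", exc)
```

The semi-automated variant of the notes is the same function with the rate check removed and the invoice list reviewed by hand; the exception tuples are what an accounts payable reviewer would work from.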

6.1 Importance of IT controls:


An IT control objective is “a statement of the desired result or purpose to be achieved by
implementing control procedures within a particular IT activity”. Implementing the right type of
controls is the responsibility of management. Controls provide a clear policy and good practice for
directing and monitoring performance of IT to achieve enterprise objectives. The functions performed
by IT controls are:
- Objective Achievement
- Mitigating Risks


6.2 Applying IT controls:


There are different options for implementing controls as per the risk management strategy. The
foremost consideration while applying IT controls is the “nature of organisation structure”. The
example of a “public bank” and a “private bank” can be taken, where the latter has organized its
structure around customers and focused on relationship banking.
A very common classification of IT controls is General Controls and Application Controls.
General Controls are macro in nature and are applicable to all applications and data resources.
Application Controls are controls which are specific to the application software such as payroll,
accounts payable, billing, etc.

Now we will study the GENERAL CONTROLS (illustrative list as per Institute material)-
Code to Remember: S2I.M.B.A. - D.U.M. – V.C.C. (SIMBA में DUM है – Very Cool Cop)

1. Security Policy (Information):


 The security policy is a set of laws, rules, and practices that regulates how assets including
sensitive information are managed, protected, and distributed within user organization.
 The security policy is approved by the senior management and encompasses all areas of
operations and drives access to information across the enterprise.

2. Separation of key IT functions:

Secure deployment of IT requires the organization to have a separate IT organization structure
with key bifurcation of duties for different personnel within the IT department.

3. Incident response and management:

 There may be various incidents created due to failure of IT. These incidents need to be
appropriately responded to and managed as per pre-defined policies and procedures.

4. Management of Systems Acquisition and Implementation:


 Management should establish acquisition standards that address security, functionality,
and reliability issues related to systems acquisition.

5. Backup, Recovery and Business Continuity:


 Heavy dependence on IT & criticality makes it imperative that resilience (flexibility) of
organization operations should be ensured by having appropriate business continuity
including backup, recovery and off-site data center.
 Business continuity controls ensure that an organization can prevent interruptions
(violations) and processing can be resumed in an acceptable period of time.

6. Administration, Access, and Authentication:


 Access controls are measures taken to ensure that only the authorized persons have
access to the system and the actions they can take.
 Policies & procedures should clearly define the levels of access to information &
authentication.


7. Development and Implementation of Application Software:


 Application software drives business processes of the organizations and implementation
must be properly controlled by using standard software development process.
 Controls over software development and implementation ensure that the software is
developed according to the established policies and procedures of the organization.
These controls also ensure that the systems are developed within budgets.

8. User training and qualification of Operations personnel:

 The personnel deployed should have the required competencies and skill sets to operate and
monitor the IT environment. Moreover, training may be used as a tool to develop the
competencies and skill sets needed to work in the IT environment.

9. Monitoring of Applications and supporting Servers:


 Servers & applications running on them are monitored to ensure that servers, network
connections and application software along with the interfaces are working continuously.

10. Value Added areas of Service Level Agreements (SLA):


 SLA with vendors is regularly reviewed to ensure that the services are delivered as per
specified performance parameters.

11. Change Management:

 Deployed IT solutions and their various components must be changed in tune with changing
needs as per changes in the technology environment, business processes, regulatory and
compliance requirements, and the changing needs of users.
 A change management process should be implemented to ensure smooth transition to new
environments, covering all key changes including hardware, software and business
processes.
 All changes must be properly approved by management & tested before implementation.

12. Confidentiality, Integrity and Availability of Software and data files:


 Security is implemented to ensure Confidentiality, Integrity and Availability (CIA) of
information.
 Confidentiality refers to protection of critical information to ensure that information is
only available to persons who have right to see the same.
 Integrity refers to ensuring that no unauthorized amendments can be made in data in all
stages of processing.
 Availability refers to ensuring availability of information to users when required.


Now we will study the APPLICATION CONTROLS-


Application Controls are controls which are implemented in an application to prevent or detect
and correct errors. These controls are in-built in the application software to ensure accurate
and reliable processing. Some examples of Application controls are as follows:
 Data edits (editing of data is allowed only for permissible fields);
 Separation of business functions (e.g., transaction initiation versus authorization);
 Balancing of processing totals (debit and credit of all transactions are tallied);
 Transaction logging (all transactions are identified with unique id and logged);
 Error reporting (errors in processing are reported); and
 Exception Reporting (all exceptions are reported).
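As an added illustration (not from the notes or the Institute material), the following Python block applies the application controls listed above to a constructed batch of journal entries: data edits restricted to permissible fields and valid values, balancing of debit and credit processing totals, transaction logging with a unique id, an error report for rejected entries and an exception report for entries that post but need review. The field names, chart of accounts, exception threshold and sample batch are assumptions.

```python
PERMITTED_FIELDS = {"account", "debit", "credit", "narration"}
VALID_ACCOUNTS = {"1000", "2000", "4000", "5000"}   # assumed chart of accounts
EXCEPTION_THRESHOLD = 1_000_000                      # assumed: entries at/above this are flagged


def edit_checks(line):
    """Data edits: only permissible fields, a known account code and
    non-negative numeric amounts are accepted on a journal line."""
    errors = []
    extra = set(line) - PERMITTED_FIELDS
    if extra:
        errors.append(f"field(s) not permitted: {sorted(extra)}")
    if line.get("account") not in VALID_ACCOUNTS:
        errors.append(f"unknown account {line.get('account')!r}")
    for side in ("debit", "credit"):
        value = line.get(side, 0)
        if isinstance(value, bool) or not isinstance(value, (int, float)) or value < 0:
            errors.append(f"{side} must be a non-negative number, got {value!r}")
    return errors


def process_batch(batch, log, start_id=1):
    """Apply application controls to a batch of journal entries.

    Every entry gets a unique transaction id and a log record (transaction
    logging); entries failing data edits or the debit = credit balance are
    rejected and listed in the error report; balanced entries at or above the
    exception threshold are posted but listed in the exception report; the
    batch control totals are returned so the operator can tie them out.
    """
    posted, errors, exceptions = [], [], []
    batch_dr = batch_cr = 0.0
    for n, entry in enumerate(batch, start=start_id):
        txn_id = f"TXN-{n:06d}"
        line_errors = [f"{txn_id}: {e}" for ln in entry["lines"] for e in edit_checks(ln)]
        if line_errors:
            errors.extend(line_errors)
            log.append({"id": txn_id, "status": "REJECTED", "reason": "edit_check"})
            continue
        dr = sum(ln.get("debit", 0) for ln in entry["lines"])
        cr = sum(ln.get("credit", 0) for ln in entry["lines"])
        if abs(dr - cr) > 0.005:
            errors.append(f"{txn_id}: out of balance (Dr {dr} vs Cr {cr})")
            log.append({"id": txn_id, "status": "REJECTED", "reason": "out_of_balance"})
            continue
        if dr >= EXCEPTION_THRESHOLD:
            exceptions.append(f"{txn_id}: amount {dr} at/above threshold, review required")
        batch_dr += dr
        batch_cr += cr
        posted.append(txn_id)
        log.append({"id": txn_id, "status": "POSTED", "debit": dr, "credit": cr})
    return {"posted": posted, "errors": errors, "exceptions": exceptions,
            "control_totals": (batch_dr, batch_cr)}


# Constructed sample batch (not real data)
SAMPLE_BATCH = [
    {"lines": [{"account": "1000", "debit": 500.0, "narration": "cash sale"},
               {"account": "4000", "credit": 500.0}]},                      # clean
    {"lines": [{"account": "5000", "debit": 300.0},
               {"account": "2000", "credit": 200.0}]},                      # out of balance
    {"lines": [{"account": "1000", "debit": 100.0, "approver": "x"},
               {"account": "2000", "credit": 100.0}]},                      # non-permitted field
    {"lines": [{"account": "5000", "debit": 2_000_000.0},
               {"account": "2000", "credit": 2_000_000.0}]},                # balanced but large
]

if __name__ == "__main__":
    audit_log = []
    result = process_batch(SAMPLE_BATCH, audit_log)
    print(result)
    for record in audit_log:
        print(record)
```

Note that rejected entries are still logged with their id and reason: the log is the evidence an auditor uses to confirm that the control fired, so an entry that never reaches the log is itself a control failure.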

6.3 Key Indicators of effective IT controls (Criteria of effective IT controls)-


Code to Remember: C.A.R2.E2.S.
1. Clear communication to management of key indicators of effective controls.
2. Availability and reliability of information and IT services across the organization and for
customers, business partners, and other external interfaces.
3. Resource allocation made predictable by IT controls.
4. Recovery from new vulnerabilities and threats and to recover from any disruption of IT
services quickly and efficiently.
5. Execution of new work such as IT infrastructure upgrades required to support new products
and services.
6. Effective development of projects that are delivered on time and within budget, resulting in
cost-effective and better product and service offerings compared to competitors.
7. Security awareness on the part of the users and a security conscious culture.

6.4 Framework for internal control as per standard on auditing-


SA315 defines the system of Internal Control as “the process designed, implemented and maintained
by those charged with governance, management and other personnel to provide reasonable
assurance about the achievement of an entity’s objectives regarding reliability of financial
reporting, effectiveness and efficiency of operations, safeguarding of assets, and compliance with
applicable laws and regulations”.

As per SA315, 5 components of any internal control as they relate to a financial statement audit
are explained below.

All these components must be present to conclude that internal control is effective.


Monitoring:
♫ Monitoring of functioning of all the 5 components.
♫ Ongoing or separate evaluation or a combination of both may be required for monitoring.
♫ Findings are evaluated by management & shared.

Information & Communication:
♫ Information is necessary for every business.
♫ Mgmt. collects information from external & internal sources to support functioning of
internal controls.
♫ Such information is vital.

Control Activities:
♫ Actions established through policies that help to ensure that management directives
to mitigate risks are carried out.
General Controls:
♫ Control over Information technology management.
♫ Acquisition of the software, development, maintenance.
Application Controls:
♫ Ensures the completeness, accuracy and validity of data captured & processed.
♫ Supporting applications are available.
Segregation of Duties:
♫ Assigning responsibilities.
♫ This includes recording, custody of assets etc.
♫ Prevents control of complete process by 1 person.

Risk Assessment:
♫ Risk may be defined as the possibility that an event will occur and adversely affect the
organisation.
♫ Risk assessment involves a dynamic and iterative process for identifying & assessing risks.
♫ Such assessment forms the basis for determining how risks are managed.
♫ Risk assessment requires management to consider the impact of possible changes in external

Control Environment:
♫ Set of standards & processes that provides the basis for carrying out internal controls
across the business.
♫ Control environment comprises integrity & ethical values of the organisation.
♫ Helps top management in carrying out its governance responsibilities.

6.5 Limitations of internal control as per standard on auditing-

Code to Remember: C.R.A.M.P. (Bad thing, hence limitations)
1. Management’s consideration that Cost doesn’t exceed benefits.
2. Risk of undetected unusual transactions.
3. A person may Abuse the responsibilities for exercising an internal control.
4. Manipulations by Management with respect to transactions & judgments.
5. Possibility of circumvention of internal controls through collusion with employees or with
parties outside the entity.

6.6 Risk and controls for specific business processes-


Suitable controls should be implemented to meet the requirement of the control objectives. These
controls may be manual, automated or semi-automated. There is further categorization of controls
based on the scenario. These are preventive, detective or corrective.

In a computer system, controls should be checked at 3 levels, namely configuration, master and
transaction level.


Configuration:
• It refers to the way a software system is set up. It is a methodological process of defining the
options that are provided.
• When any software is updated, values for various parameters should be set up as per the
business process work flow and business process rules of the enterprise.
• Examples: Mapping of accounts to front end transactions; User activation & de-activation;
Password management.

Master:
• Refers to the way various parameters are set up for all the modules of software like purchase,
inventory, finance etc.
• The masters are first set up during installation & these are changed whenever business
parameters are changed.
• Examples: Vendor Master – Credit period; Customer Master – Credit limit; Material Master –
Measure unit.

Transaction:
• Implementation or review of a specific business process can be done from a risk or control
perspective. In case of the risk perspective, we need to consider each of the key sub-processes or
activities performed in a business process and look at existing and related control objectives,
existing controls and the residual risks after application of controls.
• Examples: Sales transactions; Purchase transactions; Stock transfer; Journal entries; Payment
transactions.

6.1.1 Procure to pay (P2P) – Risk and controls


It is the process of obtaining and managing the raw materials needed for manufacturing a
product or providing a service. Using automation, it should be possible to have a seamless
procure to pay process covering the complete life-cycle from point of order to payment.

MASTER – Risk / Control Objective
Risk: Unauthorized changes to supplier master file.
Control Objective: Valid changes are made to the supplier master file.
Risk: All valid changes to the supplier master file are not input & processed.
Control Objective: All valid changes to the supplier master file are input & processed.
Risk: Changes to the supplier master file are delayed and not processed in a timely manner.
Control Objective: Changes to the supplier master file are processed in a timely manner.
Risk: Supplier master file data is not up to date.
Control Objective: Supplier master file data remain up to date.

TRANSACTIONS – Risk / Control Objective
Risk: Unauthorized purchase requisitions are ordered.
Control Objective: Purchase orders are placed only for approved requisitions.
Risk: Purchase orders are not entered correctly in the system.
Control Objective: Purchase orders are accurately entered.
Risk: Purchase orders issued are not input and processed.
Control Objective: All purchase orders issued are input & processed.


6.1.2 Order to Cash (O2C) – Risk and controls


It is a set of business processes that involve receiving and fulfilling customer requests for
goods or services.

MASTER – Risk / Control Objective
Risk: The customer master file is not maintained properly and the information is not accurate.
Control Objective: The customer master file is maintained properly and the information is accurate.
Risk: Invalid changes are made to the customer master file.
Control Objective: Only valid changes are made to the customer master file.
Risk: All valid changes to the customer master file are not input and processed.
Control Objective: All valid changes to the customer master file are input and processed.
Risk: Changes to customer master file are not accurate.
Control Objective: Changes to customer master file are accurate.

TRANSACTIONS – Risk / Control Objective
Risk: Orders are processed exceeding customer credit limits without approvals.
Control Objective: Orders are processed only within approved customer credit limits.
Risk: Orders are not approved by management as to prices and terms of sale.
Control Objective: Orders are approved by management as to prices and terms of sale.
Risk: Orders and cancellations of orders are not input accurately.
Control Objective: Orders and cancellations of orders are input accurately.
Risk: Order entry data are not transferred completely & accurately to shipping and invoicing activities.
Control Objective: Order entry data are transferred completely & accurately to shipping and invoicing activities.

6.1.3 Inventory Cycle – Risk and controls


The Inventory Cycle is a process of accurately tracking the on-hand inventory levels for an
enterprise. An inventory system should maintain accurate record of all stock movements to
calculate the correct balance of inventory.

MASTER – Risk / Control Objective
Risk: Invalid changes are made to the inventory management master file.
Control Objective: Only valid changes are made to the inventory management master file.
Risk: Invalid changes to the inventory management master file are input and processed.
Control Objective: All valid changes to the inventory management master file are input and processed.
Risk: Changes to the inventory management master file are not accurate.
Control Objective: Changes to the inventory management master file are accurate.
Risk: Inventory management master file data is not up to date.
Control Objective: Inventory mgmt. master file data remain up to date.

TRANSACTIONS – Risk / Control Objective
Risk: Adjustments to inventory prices or quantities are not recorded accurately.
Control Objective: Adjustments to inventory prices or quantities are recorded accurately.
Risk: Raw materials are received and accepted without valid purchase orders.
Control Objective: Raw materials are received and accepted only if they have valid purchase orders.
Risk: Raw materials received are inaccurately recorded.
Control Objective: Raw materials received are recorded accurately.


6.1.4 Human Resources – Risk and controls


The Human Resources life cycle refers to human resources management and covers all the
stages of an employee’s time within a specific enterprise. Typical stages of the HR cycle are:
1. Recruiting and On-boarding: Recruiting is the process of hiring a new employee. The role of the
human resources department in this stage is to assist in hiring. This might include placing the job
ads, selecting candidates whose resumes look promising and conducting employment interviews.
2. Orientation and Career Planning: Orientation is the process by which the employee becomes
a member of the company’s work force through learning her new job duties, establishing
relationships with co-workers and supervisors and developing a niche. Career planning is the
stage at which the employee and her supervisors work out her long-term career goals with the
company.
3. Career Development: Career development opportunities are essential to keep an employee
engaged with the company over time, once the employee has established himself at the
company and determined his long-term career objectives.
4. Termination or Transition: Some employees will leave the company through retirement after a
long & successful career. The role of HR in this process is to manage the transition by ensuring
that all policies and procedures are followed, carrying out an exit interview if that is company
policy and removing the employee from the system.

CONFIGURATION – Risk / Control Objective
Risk: Employees who have left the company continue to have system access.
Control Objective: System access to be immediately removed when employees leave the company.
Risk: Employees have system access in excess of their job requirements.
Control Objective: Employees should be given system access on a “need to know” basis.

MASTERS – Risk / Control Objective
Risk: Additions to the payroll master files do not represent valid employees.
Control Objective: Additions to the payroll master files represent valid employees.
Risk: New employees are not added to the payroll master files.
Control Objective: All new employees are added to the payroll master files.
Risk: Invalid changes are made to payroll master files.
Control Objective: Only valid changes are made to payroll master files.
Risk: Payroll master file data is not up to date.
Control Objective: Payroll master file data remain up to date.
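A detective control for the two configuration risks above (leavers retaining access, and access beyond job requirements) is a periodic reconciliation of the application's user-access list against the HR master. The Python block below is an added example, not part of the notes or the Institute material: the role-to-entitlement baseline used as the “need to know” reference and the sample HR and access records are constructed for illustration.

```python
from datetime import date

# Assumed "need to know" baseline: the entitlements each job role requires and nothing more
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"ap.invoice.enter"},
    "ap_manager": {"ap.invoice.enter", "ap.payment.approve"},
    "it_admin": {"sys.user.admin"},
}


def reconcile_access(hr_master, access_list, as_of):
    """Compare the application's user-access list with the HR master.

    Findings returned:
      leaver_active - enabled accounts whose employee has left (exit_date on or
                      before as_of) or who has no HR record at all
      excess_access - enabled accounts holding entitlements beyond their role's baseline
    Disabled accounts are skipped because they are not live access.
    """
    hr = {emp["emp_id"]: emp for emp in hr_master}
    leaver_active, excess_access = [], []
    for acct in access_list:
        if not acct["enabled"]:
            continue
        emp = hr.get(acct["emp_id"])
        if emp is None:
            leaver_active.append((acct["user"], "no HR record"))
            continue
        if emp["exit_date"] is not None and emp["exit_date"] <= as_of:
            leaver_active.append((acct["user"], f"left on {emp['exit_date'].isoformat()}"))
        extra = set(acct["entitlements"]) - ROLE_ENTITLEMENTS.get(emp["role"], set())
        if extra:
            excess_access.append((acct["user"], sorted(extra)))
    return {"leaver_active": leaver_active, "excess_access": excess_access}


# Constructed sample data (not real employees or accounts)
SAMPLE_HR = [
    {"emp_id": "E1", "role": "ap_clerk", "exit_date": None},
    {"emp_id": "E2", "role": "ap_clerk", "exit_date": date(2022, 1, 10)},
    {"emp_id": "E3", "role": "ap_manager", "exit_date": None},
    {"emp_id": "E4", "role": "ap_clerk", "exit_date": date(2022, 2, 15)},   # leaves after the run date
]
SAMPLE_ACCESS = [
    {"user": "e1", "emp_id": "E1", "enabled": True, "entitlements": ["ap.invoice.enter", "ap.payment.approve"]},
    {"user": "e2", "emp_id": "E2", "enabled": True, "entitlements": ["ap.invoice.enter"]},
    {"user": "e3", "emp_id": "E3", "enabled": True, "entitlements": ["ap.invoice.enter", "ap.payment.approve"]},
    {"user": "e4", "emp_id": "E4", "enabled": True, "entitlements": ["ap.invoice.enter"]},
    {"user": "svc_legacy", "emp_id": "E9", "enabled": True, "entitlements": ["sys.user.admin"]},
    {"user": "old_admin", "emp_id": "E8", "enabled": False, "entitlements": ["sys.user.admin"]},
]


def run_sample():
    """Run the reconciliation on the constructed data as of 31 Jan 2022."""
    return reconcile_access(SAMPLE_HR, SAMPLE_ACCESS, date(2022, 1, 31))


if __name__ == "__main__":
    for finding, rows in run_sample().items():
        print(finding)
        for row in rows:
            print("  ", row)
```

Accounts with no matching HR record are reported alongside leavers on purpose: a service or orphaned account that nobody in HR owns is the same risk as a departed employee's login.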


6.1.5 Fixed assets– Risk and controls


The Fixed Assets process ensures that all the fixed assets of the enterprise are tracked for
the purposes of financial accounting, preventive maintenance, and theft deterrence. The fixed
assets process ensures that all fixed assets are tracked and the fixed asset record maintains
details of location, quantity, condition and maintenance. The fixed assets process includes:
Procuring an asset: An asset is most often entered into the accounting system when the invoice for
the asset is entered into the accounts payable or purchasing module of the system.
Registering or adding an asset: Most of the information needed to set up the asset for depreciation
is available at the time the invoice is entered. Information entered at this stage could include
acquisition date, placed-in-service date, description, asset type, cost basis, depreciable basis etc.
Adjusting the Assets: Adjustments to existing asset information often need to be made. Events may
occur that change the depreciable basis of an asset. Further, there may be improvements or
repairs made to assets.
Transferring the Assets: A fixed asset may be sold or transferred to another subsidiary, reporting
entity, or department within the company. These inter-company and intra-company transfers may
result in changes that impact the asset’s depreciable basis, depreciation, or other asset data. This
needs to be reflected accurately in the fixed assets management system.
Depreciating the Assets: The decline in an asset’s economic and physical value is called depreciation.
Depreciation is an expense which should be periodically accounted on a company’s books, and
allocated to the accounting periods, to match income and expenses. Sometimes, the revaluation of
an asset may also result in appreciation of its value.
Disposing the Assets: When a fixed asset is no longer in use, becomes obsolete or is beyond repair,
the asset is typically disposed. When an asset is taken out of service, depreciation cannot be charged
on it. There are multiple types of disposals, such as abandonments, sales, and trade-ins. Any
difference between the book value and the realized value is reported as a gain or loss.

MASTERS – Risk / Control Objective
Risk: Invalid changes are made to the fixed asset register and/or master file.
Control Objective: Only valid changes are made to the fixed asset register and/or master file.
Risk: Valid changes to the fixed asset register and/or master file are not input and processed.
Control Objective: All valid changes to the fixed asset register and/or master file are input and processed.
Risk: Changes to the fixed asset register and/or master file are not accurate.
Control Objective: Changes to the fixed asset register and/or master file are accurate.
Risk: System access to fixed asset master file / system configuration is not restricted to the authorized users.
Control Objective: System access to fixed asset master file / system configuration is restricted to the authorized users.

TRANSACTIONS – Risk / Control Objective
Risk: Fixed asset acquisitions are not accurately recorded.
Control Objective: Fixed assets are accurately recorded.
Risk: Fixed asset acquisitions are not recorded in the appropriate period.
Control Objective: Fixed asset acquisitions are recorded in the appropriate period.
Risk: Depreciation charges are not accurately calculated & recorded.
Control Objective: Depreciation charges are accurately calculated and recorded.


6.1.6 General Ledger– Risk and controls


General Ledger (GL) process refers to the process of recording the transactions in the system
through to generating the reports from the financial transactions entered in the system. The input
for the GL process flow is the financial transactions and the outputs are various types of
financial reports such as balance sheet, profit and loss a/c, funds flow statement, ratio
analysis, etc. Following are the steps in the general ledger process-
1. Entering financial transactions into the system
2. Reviewing Transactions
3. Approving Transactions
4. Posting of Transactions
5. Generating Financial Reports

CONFIGURATION – Risk / Control Objective
Risk: Unauthorized general ledger entries could be passed.
Control Objective: Access to general ledger entries is appropriate and authorized.
Risk: System functionality does not exist to segregate the posting and approval functions.
Control Objective: System functionality exists to segregate the posting and approval functions.
Risk: Non-standard journal entries are not tracked and are inappropriate.
Control Objective: All non-standard journal entries are tracked and are appropriate.
Risk: Out-of-balance entries are not prohibited.
Control Objective: Out-of-balance entries are prohibited.
Risk: System controls are not in place for approval of write-offs.
Control Objective: System controls are in place for appropriate approval of write-offs.
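The configuration-level control objectives above (authorized access to GL entries, segregation of posting from approval, tracking of non-standard journals, prohibition of out-of-balance entries and controlled approval of write-offs) can be enforced in code as a journal-entry workflow that follows the five GL process steps listed earlier in this section. The following Python block is an added example, not the notes' material nor any ERP vendor's code; its role names, permission sets, write-off account and sample users are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed roles and the GL actions each may perform: access to GL entries is restricted
ROLE_PERMISSIONS = {
    "gl_clerk": {"enter"},
    "gl_reviewer": {"review"},
    "gl_manager": {"approve", "post"},
    "controller": {"approve", "post", "approve_writeoff"},
}
WRITEOFF_ACCOUNTS = {"6900"}   # assumed write-off expense account


class ControlViolation(Exception):
    """Raised whenever an action would breach a configured control."""


@dataclass
class JournalEntry:
    je_id: str
    lines: list                  # [{"account": "...", "debit": x, "credit": y}, ...]
    source: str                  # "system" or "manual" (manual = non-standard journal)
    prepared_by: str
    state: Optional[str] = None  # ENTERED -> REVIEWED -> APPROVED -> POSTED
    history: List[Tuple[str, str, str]] = field(default_factory=list)  # (action, user, role)

    @property
    def is_write_off(self) -> bool:
        return any(ln["account"] in WRITEOFF_ACCOUNTS for ln in self.lines)


def _authorize(role, action):
    if action not in ROLE_PERMISSIONS.get(role, set()):
        raise ControlViolation(f"role {role!r} is not authorized to {action}")


def enter(je, user, role):
    """Step 1, entering: out-of-balance entries are prohibited at the point of entry."""
    _authorize(role, "enter")
    dr = sum(ln.get("debit", 0) for ln in je.lines)
    cr = sum(ln.get("credit", 0) for ln in je.lines)
    if abs(dr - cr) > 0.005:
        raise ControlViolation(f"{je.je_id}: out-of-balance entry prohibited (Dr {dr}, Cr {cr})")
    je.state = "ENTERED"
    je.history.append(("enter", user, role))
    return je


def _transition(je, action, user, role, expected, new):
    _authorize(role, action)
    if je.state != expected:
        raise ControlViolation(f"{je.je_id}: cannot {action} from state {je.state}")
    if user == je.prepared_by:
        raise ControlViolation(f"{je.je_id}: preparer {user} cannot {action} own entry (SoD)")
    je.state = new
    je.history.append((action, user, role))
    return je


def review(je, user, role):
    """Step 2, reviewing: by someone other than the preparer."""
    return _transition(je, "review", user, role, "ENTERED", "REVIEWED")


def approve(je, user, role):
    """Step 3, approving: write-offs additionally need the approve_writeoff permission."""
    if je.is_write_off:
        _authorize(role, "approve_writeoff")
    return _transition(je, "approve", user, role, "REVIEWED", "APPROVED")


def post(je, user, role):
    """Step 4, posting: segregated from approval, so the approver may not also post."""
    if any(act == "approve" and who == user for act, who, _ in je.history):
        raise ControlViolation(f"{je.je_id}: {user} approved this entry and cannot also post it (SoD)")
    return _transition(je, "post", user, role, "APPROVED", "POSTED")


def non_standard_journal_report(entries):
    """Step 5, reporting: every manual journal with its state and full audit trail."""
    return [(e.je_id, e.state, list(e.history)) for e in entries if e.source == "manual"]


def run_demo():
    """Constructed walk-through: one clean manual entry and three attempted control breaches."""
    out = {}
    je = JournalEntry("JE-1", [{"account": "5000", "debit": 250.0}, {"account": "2000", "credit": 250.0}],
                      "manual", prepared_by="alice")
    enter(je, "alice", "gl_clerk")
    review(je, "bob", "gl_reviewer")
    approve(je, "carol", "gl_manager")
    try:
        post(je, "carol", "gl_manager")           # approver tries to post as well
    except ControlViolation as exc:
        out["approver_posts"] = str(exc)
    post(je, "dave", "controller")
    out["final_state"] = je.state
    try:                                          # unbalanced entry rejected at entry
        enter(JournalEntry("JE-2", [{"account": "5000", "debit": 10.0}], "manual", "alice"), "alice", "gl_clerk")
    except ControlViolation as exc:
        out["unbalanced"] = str(exc)
    wo = JournalEntry("JE-3", [{"account": "6900", "debit": 900.0}, {"account": "1000", "credit": 900.0}],
                      "manual", prepared_by="alice")
    enter(wo, "alice", "gl_clerk")
    review(wo, "bob", "gl_reviewer")
    try:
        approve(wo, "carol", "gl_manager")        # gl_manager lacks write-off approval rights
    except ControlViolation as exc:
        out["writeoff_wrong_role"] = str(exc)
    out["non_standard"] = non_standard_journal_report([je, wo])
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

The history tuple on each entry is what makes the SoD checks and the non-standard journal report possible; without a per-action trail the system could enforce the state machine but could not prove afterwards who approved and who posted.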

MASTER – Risk / Control Objective
Risk: General ledger master file change reports are not generated by the system and are not reviewed
as necessary by an individual who does not input the changes.
Control Objective: General ledger master file change reports are generated by the system and reviewed
as necessary by an individual who does not input the changes.
Risk: Standard chart of accounts has not been approved by management and is not utilized within all
entities of the corporation.
Control Objective: Standard chart of accounts has been approved by management and is utilized within
all entities of the corporation.

TRANSACTIONS – Risk / Control Objective
Risk: Entries booked in the close process are not complete and accurate.
Control Objective: Entries booked in the close process are complete and accurate.
Risk: Account codes and transaction amounts are not accurate and not complete, and exceptions are
not reported.
Control Objective: Account codes and transaction amounts are accurate and complete, with exceptions
reported.


7. Diagrammatic representation of business processes:


7.1.1 FLOWCHARTS
Flowcharts are used to design and document simple processes or programs. There are
different types of flowcharts and each one has its own boxes. The 2 most common types
of boxes in a flowchart are as follows:
• A processing step; usually called ACTIVITY and denoted as a RECTANGULAR BOX.
• A decision; usually denoted as a DIAMOND.

Below are the steps for creating flowcharts for business purposes-

1. Identify the business processes that are to be documented with a flowchart and establish the
overall goals of the business processes.
2. Based on the inputs from the business process owner, obtain a complete understanding.
3. Prepare an initial rough diagram & discuss with the business process owner to confirm your
understanding of the process flow.
4. Obtain additional information from other stakeholders about the business processes. Any
deviation should be highlighted and corrective steps to be
5. Identify activities in each step and who is responsible for each activity.
6. Identify the starting point of the process. The starting point of a business process should be
what triggers the process to action.
7. Separate the different steps in the process. Analyze how one step is connected to the next step.
Generally, we have events, activities & decision gateways which are shown using connectors and
arrows.
8. In the traditional business process model, steps are represented by different shapes depending
on their functionalities i.e., events (Customer order), activity (process order), action & decision.


Advantages of Flowchart (Code to Remember: D.M.R.C. - C.A.D.R.E.)
(a) Documentation: It serves as good documentation which helps in reference & training new staff.
(b) Maintenance of program: Flowcharts help the programmer to concentrate attention on that part
of information which is to be modified.
(c) Responsibilities Identification: Business processes can be identified to functional departments,
thereby fixing responsibilities.
(d) Communication: Flowchart communicates facts of a business problem to solution seekers.
(e) Control Establishment: Business process conflicts & risks can be easily identified for
recommending solutions.
(f) Analysis: Flowchart becomes the blueprint of a system that is broken into parts for detailed study.
(g) Debugging of program: Flowcharts help in detecting, locating and removing mistakes.
(h) Relationship understanding: Flowchart helps in identification of relationships between
programs/processes.
(i) Effective Coding: Flowcharts act as a guide during the system analysis & program preparation
phase.

Disadvantages of Flowchart (Code to Remember: C.M. - L.S.R.)
(a) Complex Logics: Where problem logic is complex, flowchart usage becomes difficult.
(b) Modifications: If modifications to a flowchart are required, it may require complete re-drawing.
(c) Link B/w condition & Actions: It is sometimes difficult to establish conditions & the actions to
be taken for a condition.
(d) Standardization: Flowcharts, though easy to understand, are not a natural way of expressing
problems and obtaining solutions.
(e) Reproduction: Reproduction of flowcharts is a problem since symbols used in a flowchart cannot
be typed.

7.1.2 DATA FLOW DIAGRAM


A Data Flow Diagram (DFD) shows the flow of data from one place to another. DFDs describe the
processes, showing how these processes are linked through data stores and how processes relate to
the user and the outside world. Example: a book is borrowed from the library, which is returned
and a fine is collected due to delay.

• A library loans system identifies each book in its stock by a unique Book ID.
• The Book ID is encoded in a barcode attached to the book.
• When a borrower returns a book, it is scanned and any fine that is due is calculated by
extracting from the library database the date that the book was due back.


• DFD is mainly used by technical staff for graphically communicating between systems analysts and programmers. The main symbols used in a DFD are described below:

Process: Step-by-step instructions are followed that transform inputs into outputs (a computer or person or both doing the work).

Data flow: Data flowing from place to place, such as an input or output to a process.

External Agent: The source or destination of data outside the system. The people and organizations that send data to or receive data from the system are represented by this symbol, called an external agent.

Data Store: Data at rest, being stored for later use. Usually corresponds to a data entity on an entity-relationship diagram.

Real-time link: Communication back & forth between an external agent & a process as the process is executing.

• Below is an example of a DFD:

Customer Order Fulfilment
1. The process starts with the customer placing the order and the sales department creating a sales order.
2. The sales order goes through the credit and invoicing process to check whether it is OK.
3. If the customer's credit check is found to be NOT OK, the order moves to the next step, "credit problem addressed", followed by the decision "OK?". If "NO", the order will stop.
4. If the customer's credit check is found to be OK and stock is available, an invoice is prepared, goods are shipped & the invoice is sent to the customer. If stock is not available, the order is passed to "production" for manufacture & then the goods are shipped and the invoice is sent to the customer.

Order To Cash
(a) Sales and Marketing:
• Advertises and markets the company's products and books sales orders from the customer.
(b) Order Fulfilment:
• Receives the order from SM (Sales & Marketing).
• Checks the inventory level to confirm availability of the product. If available, transportation is arranged and the product is sent to the customer.
(c) Manufacturing:
• In case the product is not available, this information is sent to the manufacturing department so that the product is manufactured and subsequently sent to the customer.
(d) Receivables:
• An invoice is raised and sent to the customer. The amount is received and that invoice gets closed.


Procure to Pay
The illustration below indicates the different processes identified specifically to a department/entity through "swimlanes" so that responsibilities are clearly defined.

(a) User Department:
• A user in an enterprise may require some material/service. Based on the requirement, he/she raises a PR (Purchase Requisition) to the procurement department.
(b) Procurement Department (PD):
• PD receives the PR and accordingly prioritises the request based on the need of the user.
• It is the responsibility of PD to choose the best supplier for the material or services requested. PD calls for quotes from the potential vendors and negotiates thereafter.
• A PO (Purchase Order) will be released to the selected vendor.
(c) Vendor:
• The vendor receives the PO and carries out his own internal checks.
• Matches the PO with the quotation sent and, in case of discrepancy, seeks clarification.
• If there are no discrepancies, the vendor will raise a sales order & the material is shipped to the buyer.
• The vendor invoice is then sent to the accounts payable department, based on the address indicated in the PO.
(d) Stores:
• Receives the material.
• Checks the quantity of material received against the PO and the quality with the user.
• A Goods Received Note (GRN) is prepared based on the actual receipt of material & stores update the stock. Then the GRN is sent to the accounts department for payment.
(e) Accounts Payable:
• AP will do the necessary checking at their end. This will ensure that the material received matches the PO quantity.
• If there is a discrepancy, the same is sent for further clarification. In case of no discrepancy, the payment process starts.
• Finally, payment is made to the vendor.
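The Accounts Payable check in step (e) is, in practice, a three-way match: the PO, the GRN and the vendor invoice must agree before payment is released, and any disagreement is held for clarification rather than paid. The following is an added illustration written for these notes, not code from any ERP product; the document layouts, the price-tolerance parameter and the sample records are constructed assumptions.

```python
"""Three-way match (PO vs GRN vs vendor invoice) for the Accounts Payable step.

Added illustration: document layouts, the price tolerance and the sample
records are constructed assumptions, not an ERP product's actual API.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class PurchaseOrder:
    po_no: str
    vendor: str
    item: str
    qty: int
    unit_price: float


@dataclass
class GoodsReceiptNote:
    grn_no: str
    po_no: str
    item: str
    qty_received: int
    quality_ok: bool      # result of the quality check stores did with the user


@dataclass
class VendorInvoice:
    inv_no: str
    po_no: str
    vendor: str
    item: str
    qty: int
    unit_price: float


@dataclass
class MatchResult:
    po_no: str
    approved: bool
    payable_amount: float
    discrepancies: List[str] = field(default_factory=list)


def three_way_match(po: PurchaseOrder, grn: GoodsReceiptNote, inv: VendorInvoice,
                    price_tolerance: float = 0.0) -> MatchResult:
    """Compare the three documents; release payment only when nothing disagrees.

    Every failed check is recorded so AP can send the case back for
    clarification instead of silently paying. price_tolerance is the fraction
    by which the invoiced unit price may exceed the PO price (assumed policy).
    """
    issues: List[str] = []
    if grn.po_no != po.po_no:
        issues.append(f"GRN {grn.grn_no} does not reference PO {po.po_no}")
    if inv.po_no != po.po_no:
        issues.append(f"invoice {inv.inv_no} does not reference PO {po.po_no}")
    if inv.vendor != po.vendor:
        issues.append(f"invoice vendor {inv.vendor!r} differs from PO vendor {po.vendor!r}")
    if grn.item != po.item or inv.item != po.item:
        issues.append("item on GRN/invoice differs from item ordered")
    if grn.qty_received > po.qty:
        issues.append(f"received {grn.qty_received} but PO allows {po.qty}")
    if not grn.quality_ok:
        issues.append("stores rejected the quality of the material")
    if inv.qty > grn.qty_received:
        issues.append(f"invoice bills {inv.qty} but only {grn.qty_received} were received")
    if inv.unit_price > po.unit_price * (1 + price_tolerance):
        issues.append(f"invoice price {inv.unit_price} exceeds PO price {po.unit_price}")

    approved = not issues
    # Pay the invoiced quantity at the PO price; never pay on a mismatched document.
    payable = round(inv.qty * po.unit_price, 2) if approved else 0.0
    return MatchResult(po.po_no, approved, payable, issues)


# Constructed sample documents (not real transactions).
PO = PurchaseOrder("PO-1001", "Acme Supplies", "Steel bolts", 100, 50.0)
GRN_OK = GoodsReceiptNote("GRN-7", "PO-1001", "Steel bolts", 100, True)
INV_OK = VendorInvoice("INV-55", "PO-1001", "Acme Supplies", "Steel bolts", 100, 50.0)
# Vendor bills 120 units although only 100 were received, and at a higher price.
INV_BAD = VendorInvoice("INV-56", "PO-1001", "Acme Supplies", "Steel bolts", 120, 55.0)


def run_demo() -> tuple:
    """Return the match results for the clean case and the discrepant case."""
    return three_way_match(PO, GRN_OK, INV_OK), three_way_match(PO, GRN_OK, INV_BAD)


if __name__ == "__main__":
    for result in run_demo():
        status = "APPROVED" if result.approved else "HELD FOR CLARIFICATION"
        print(f"{result.po_no}: {status}, payable {result.payable_amount}, issues {result.discrepancies}")
```

The payable amount is computed at the PO price, not the invoiced price, so an over-priced invoice can never pay out more than was agreed even if a tolerance is configured; the list of discrepancies is what AP would attach when sending the case back to the vendor or stores.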

8. Regulatory and compliance requirements:


8.1.1 Companies Act 2013:
The efficiency of an enterprise depends on the quick flow of information across the complete supply chain, i.e., from the customer to manufacturers to the suppliers. With the globalization of the market place, coupled with competition and increasing customer expectations, enterprises should address certain fundamental areas like lowering costs in the supply chain, reducing throughput times, optimizing stock levels, improving product quality, improving service to the customer, efficiently handling cross-border data flow, etc.
An entity should have an efficient and effective financial information system to support decision-making and monitoring. The Companies Act, 2013 has two very important sections, Section 134 and Section 143, which have a direct impact on the audit and accounting profession:


Directors' Responsibility Statement (Section 134):
The Directors had taken proper and sufficient care for the maintenance of adequate accounting records in accordance with the provisions of this Act for safeguarding the assets of the company and for preventing and detecting fraud and other irregularities; the directors, in the case of a listed company, had laid down internal financial controls to be followed by the company and that such internal financial controls are adequate and were operating effectively.

Auditor's Report (Section 143(3)):
Section 143(3) requires the auditor's report to state "whether the company has adequate internal financial controls system in place and the operating effectiveness of such controls". When we talk in terms of "adequacy and effectiveness of controls", it refers to the adequacy of the control design and whether the control has been working effectively during the relevant financial year. The impact of this statement is that it involves continuous control monitoring during the year and not a review "as at" a particular date.

Management's responsibility:
♫ The 2013 Act has significantly expanded the scope of internal controls to be considered by the management of companies to cover all aspects of the operations of the company.
♫ Sec-134(5)(e) requires the directors' responsibility statement to state that the directors, in the case of a listed company, had laid down internal financial controls to be followed by the company and that such internal financial controls are adequate and were operating effectively.
♫ "Internal financial controls" are the policies & procedures adopted by the company for ensuring the orderly and efficient conduct of its business, including adherence to the company's policies, safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and completeness of the accounting records, and timely preparation of reliable financial information.

Auditors' responsibility:
♫ The auditor's objective in an audit of internal financial controls over financial reporting is to express an opinion on the effectiveness of the company's internal financial controls over financial reporting.
♫ The auditor should plan and perform the audit to obtain sufficient appropriate evidence to obtain reasonable assurance about whether a material weakness exists as of the date specified in management's assessment.
♫ A material weakness in internal financial controls may exist even when the financial statements are not materially misstated.

Corporate governance requirement:
Corporate Governance is the framework of rules & practices by which a board of directors ensures accountability, fairness, and transparency in a company's relationship with all its stakeholders. The corporate governance framework consists of:
1. Explicit and implicit contracts between the company and the stakeholders for distribution of responsibilities, rights, and rewards.
2. Procedures for reconciling conflicting interests of stakeholders in accordance.

Enterprise Risk Management (ERM) in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. Risk response strategy may include:
1. Reduction: Taking action to reduce the likelihood or impact related to the risk.
2. Alternative Actions: Deciding and considering other feasible steps to minimize risks.


8.1.2 Information Technology Act:


The Act also aims to provide for the legal framework so that legal sanctity is accorded to all
electronic records and other activities carried out by electronic means. The Act states that
unless otherwise agreed, an acceptance of contract may be expressed by electronic means of
communication and the same shall have legal validity and enforceability.

Cyber Crime
The only difference from a conventional crime is that in a Cyber Crime computer technology is involved, and thus it is a computer-related crime. It involves "hacking", e.g., Mr. A, a cyber-criminal, while sitting in his own house, through his computer hacks the computer of Mr. B and steals the data saved in Mr. B's computer without physically touching the computer or entering B's house.

Computer Related Offences


Code to Remember: V. - F.I.N.D. - P.A.T.H.
(In the movie Commando, Vicky Chaddha FINDs a PATH to hack the computers of dead people)

• Introducing Viruses, Worms, Backdoors, Rootkits, Trojans, Bugs:
These are malicious programs which are used to destroy or gain access to some electronic information.
• Credit Card Fraud:
Unsuspecting victims would use infected computers to make online transactions.
• Hiding illicit business:
Terrorists use virtual (drives, FTP sites) and physical storage media (USBs, hard drives) for hiding information and records of their illicit business.
• Negative Image, i.e., Harassment:
A fake profile of a person is created in social media to harm the image of that person.
• Web Defacement:
The homepage of a website is replaced with a defamatory (bad) page.
• Phishing and Email Scams:
Phishing involves fraudulently acquiring sensitive information through masquerading.
• Sale of illegal Articles:
Where the sale of narcotics, drugs, weapons and wildlife is facilitated by the Internet.
• Theft of Confidential Information:
Information stored in computers is targeted by rivals, criminals and disgruntled employees.
• Email Account Hacking:
The victim's email account is hacked and obscene emails are sent to people in the victim's address book.

Key provisions of IT Act


The IT Act, 2000 defines the terms "access" in Section 2(a), "computer" in Section 2(i), "computer network" in Section 2(j), "data" in Section 2(o) and "information" in Section 2(v). These are all the necessary ingredients that are useful to technically understand the concept of Cyber Crime:


"Access" means gaining entry into, instructing or communicating with the logical, arithmetical, or memory function resources of a computer, computer system or computer network.

"Computer" means any:
• electronic, magnetic, optical or other high-speed data processing device;
• or system which performs logical, arithmetic, and memory functions by manipulations of electronic, magnetic or optical impulses;
• and includes all input, output, processing, storage, computer software;
• or communication facilities which are connected or related to the computer in a computer system or computer network.

"Computer Network" means the interconnection of one or more computers or computer systems or communication devices through:
(i) the use of satellite, microwave, terrestrial line, wire, wireless or other communication media; and
(ii) terminals or a complex consisting of two or more interconnected computers or communication devices, whether or not the interconnection is continuously maintained.

"Information" includes data, message, text, images, sound, voice, codes, computer program, software and databases or micro film or computer-generated micro fiche.

"Data" means:
1. a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalized manner;
2. intended to be processed, is being processed or has been processed in a computer system or computer network and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.

Privacy:
The main principles on data protection and privacy enumerated under the IT Act, 2000 are:
• Defining ‘data’, ‘computer database’, ‘information’, ‘electronic form’, ‘originator’, ‘addressee’ etc.
• Creating civil liability if any person accesses or secures access to computer, computer system or
computer network
• Creating criminal liability if any person accesses or secures access to computer, computer system or
computer network.
• Declaring any computer, computer system or computer network as a protected system.
• Imposing penalty for breach of confidentiality and privacy.
• Setting up of hierarchy of regulatory authorities, namely adjudicating officers, the Cyber Regulations
Appellate Tribunal etc.

Sensitive Personal Data Information (SPDI):


Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules
2011 formed under section 43A of the Information Technology Act 2000 define a data protection
framework for the processing of digital data by Body Corporate.


Personal Information-
Personal information is defined as "information that relates to a natural person which either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person." The following are treated as falling under the definition of personal information:
♫ Passwords
♫ Financial information
♫ Physical/physiological/mental health condition
♫ Sexual orientation
♫ Medical records and history; and
♫ Biometric information
Rule 5(1) requires that a Body Corporate should, prior to collection, obtain consent in writing through letter or fax or email from the provider of the sensitive personal data regarding the use of that data.

Penalty under IT Act, 2000


Section 43: Penalties & Compensation for damage to computers, computer systems
If any person, without permission of the owner or of any other person who is in charge of a computer or computer resource:
• Accesses or secures access to such computer, computer resource or computer network.
• Destroys, deletes or alters any information in the computer resource, or uses it in such a manner that it diminishes/reduces the value of the information.
• Steals, conceals or destroys, or causes any person to steal, conceal or destroy, any computer source code with an intention to cause damage.
• Downloads, copies or extracts any data or database from such computer, computer resource or computer network.
• Introduces, or causes to be introduced, any computer virus or any computer contaminant into any computer system or computer network.
• Disrupts or causes disruption of any computer, computer system or computer network.

Sections 65 to 67B: Computer crimes and penalties for offences

Sec 65: Intentional concealment, destruction or alteration of any source code, computer program, computer system, network, resources, etc. Penalty: imprisonment up to 3 years or fine up to ₹ 2,00,000, or both.
Sec 66: Damage to the computer or computer resources by doing the acts defined in Sec-43. Penalty: imprisonment up to 3 years or fine up to ₹ 5,00,000, or both.
Sec 66B: Dishonestly receiving any stolen computer resource or communication device. Penalty: imprisonment up to 3 years or fine up to ₹ 1,00,000, or both.
Sec 66C: Identity theft, i.e., fraudulently making use of the electronic signature, password, etc. of another person. Penalty: imprisonment up to 3 years or fine up to ₹ 1,00,000, or both.


Sec 66D: Cheating by personation by using computer resources. Penalty: imprisonment up to 3 years or fine up to ₹ 1,00,000, or both.
Sec 66E: Violation of the privacy of any person. Penalty: imprisonment up to 3 years or fine up to ₹ 2,00,000, or both.
Sec 66F: Cyber terrorism, i.e., with intent to threaten the integrity of India, intentionally penetrating computer resources resulting in damage to property. Penalty: imprisonment for life.
Sec 67: Publishing or transmitting obscene material in electronic form. Penalty on first conviction: imprisonment up to 3 years and fine up to ₹ 5,00,000; on subsequent conviction: imprisonment up to 3 years and fine up to ₹ 10,00,000.
Sec 67A: Publishing or transmitting material containing a sexually explicit act, etc. in electronic form. Penalty on first conviction: imprisonment up to 5 years and fine up to ₹ 5,00,000; on subsequent conviction: imprisonment up to 7 years and fine up to ₹ 10,00,000.
Sec 67B: Publishing or transmitting material depicting children in a sexually explicit act, etc. in electronic form. Penalty on first conviction: imprisonment up to 5 years and fine up to ₹ 5,00,000; on subsequent conviction: imprisonment up to 7 years and fine up to ₹ 10,00,000.


TEST YOUR KNOWLEDGE

Ques 1-Draw a Flowchart for finding the sum of first 100 odd numbers

Solution 1
The flowchart is drawn as under and is explained step by step below. The step numbers are shown in the flowchart in circles; as such they are not a part of the flowchart but only a referencing device.

Our purpose is to find the sum of the series 1, 3, 5, 7, 9, ... (100 terms). The student can verify that the 100th term would be 199. We propose to set A = 1 and then go on incrementing it by 2 so that it holds the various terms of the series in turn. B is an accumulator in the sense that A is added to B whenever A is incremented. Thus, B will hold
1 + 3 = 4,
4 + 5 = 9,
9 + 7 = 16, etc. in turn.

Step 1 - All working locations are set at zero. This is necessary because if they are holding some data of the previous program, that data is liable to corrupt the result of the flowchart.
Step 2 - A is set at 1 so that subsequently, by incrementing it successively by 2, we get the wanted odd terms: 1, 3, 5, 7, etc.
Step 3 - A is poured into B, i.e., added to B. B being 0 at the moment & A being 1, B becomes 0 + 1 = 1.
Step 4 - Step 4 poses a question: "Has A become 199?" If not, go to step 5, where we increment A by 2. So, although at the moment A is 1, it will be made 3 in step 5, and so on. Then go back to Step 3, forming a loop.

We must stop at the 100th term, which is equal to 199. Until then, A is repeatedly incremented in step 5 and added to B in step 3. In other words, B holds the cumulative sum up to the latest term held in A.

Question 2
A bank has 500 employees. The salary paid to each employee is sum of his Basic Pay (BP),
Dearness Allowance (DA) and House Rent Allowance (HRA). For computing HRA, bank has
classified his employees into three classes A, B and C. The HRA for each class is computed at the
rate of 30%, 20% and 10% of the BP Pay respectively. The DA is computed at a flat rate of 60% of
the Basic Pay. Draw a flow chart to determine percentage of employee falling in the each of
following salary slabs.
• Above ₹ 30,000
• ₹ 15,001 to ₹ 30,000
• ₹ 8,001 to ₹ 15,000
• Less than or equal to ₹ 8,000


Solution 2
P1, P2, P3 and P4: Percentage of employees falling in salary slab (salary<=8,000); salary slab (8,001<= salary<=15,000); salary slab (15,001<= salary<=30,000) and salary slab (salary >=30,000) respectively.
C1, C2, C3 and C4: Number of employees falling in salary slab (salary<=8,000); salary slab (8,001<= salary<=15,000); salary slab (15,001<= salary<=30,000) and salary slab (salary >=30,000) respectively.
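The same procedure that the flowchart expresses (initialise the counters, compute each employee's salary from BP, DA and HRA, increment the counter of the matching slab, then convert counts to percentages) is written out below as an added illustration for these notes; it is not part of the question's official answer. The HRA and DA rates and the slab limits are taken from the question (using the question's slab boundaries, with 30,000 falling in the third slab); the employee records are constructed.

```python
"""Salary slab classification from Question 2, written out as code.

Added illustration, not part of the question's flowchart answer. The HRA and DA
rates and the slab limits come from the question; the employee records below
are constructed.
"""
from typing import Dict, Iterable, Tuple

HRA_RATE = {"A": 0.30, "B": 0.20, "C": 0.10}   # HRA as a fraction of Basic Pay, by class
DA_RATE = 0.60                                  # DA as a flat fraction of Basic Pay


def gross_salary(basic_pay: float, employee_class: str) -> float:
    """Salary = BP + DA + HRA, where HRA depends on the class A/B/C."""
    return basic_pay + DA_RATE * basic_pay + HRA_RATE[employee_class] * basic_pay


def slab_of(salary: float) -> str:
    """Map a salary to the counter C1..C4 used in the solution.

    Slab boundaries follow the question: <= 8,000; 8,001 to 15,000;
    15,001 to 30,000; above 30,000.
    """
    if salary <= 8000:
        return "C1"
    if salary <= 15000:
        return "C2"
    if salary <= 30000:
        return "C3"
    return "C4"


def slab_percentages(employees: Iterable[Tuple[float, str]]) -> Dict[str, float]:
    """Loop over all employees, count per slab, then convert counts to P1..P4."""
    counts = {"C1": 0, "C2": 0, "C3": 0, "C4": 0}   # working locations start at zero
    total = 0
    for basic_pay, employee_class in employees:
        counts[slab_of(gross_salary(basic_pay, employee_class))] += 1
        total += 1
    if total == 0:
        raise ValueError("no employees to classify")
    # P_n = 100 * C_n / total number of employees
    return {"P" + name[1]: 100.0 * n / total for name, n in counts.items()}


# Constructed sample of (Basic Pay, class). The bank in the question has 500
# employees; five records are enough to exercise every slab.
SAMPLE_EMPLOYEES = [
    (4000, "C"),    # 4000 * 1.7  = 6,800  -> C1
    (5000, "A"),    # 5000 * 1.9  = 9,500  -> C2
    (10000, "B"),   # 10000 * 1.8 = 18,000 -> C3
    (15000, "C"),   # 15000 * 1.7 = 25,500 -> C3
    (20000, "A"),   # 20000 * 1.9 = 38,000 -> C4
]

if __name__ == "__main__":
    for slab, pct in slab_percentages(SAMPLE_EMPLOYEES).items():
        print(f"{slab}: {pct:.1f}%")
```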

Question 3
ABC Ltd. is engaged in the business of producing consumer durable products. It is facing the
problem of poor customer service due to its broken, inefficient, and manual processes. The
customers of the company are becoming more demanding with respect to higher quality of
products and delivery time.
To remain competitive in market & to overcome issues faced by its customers, the company
decided to optimize & streamline its essential business processes using latest technology to
automate the functions involved in carrying out these essential processes. The management of
company is very optimistic that with automation of business processes, it will be able to extract
maximum benefit by using the available resources to their best advantage. Moreover, with
automation the company will be able to integrate various processes and serve its customers
better and faster. The management is aware that automation of business processes will lead to
new types of risks in the company’s business.


The failure or malfunction of any critical business process will cause significant operational
disruptions and materially impact its ability to provide timely services to its customers. The
management of ABC Ltd. adopted different Enterprise Risk Management (ERM) strategies to
operate more effectively in environment filled with risks. To reduce impact of these risks,
company also decided to implement necessary internal controls. Answer the following Questions-

1. The processes automated by ABC Ltd. are susceptible to many direct and indirect challenges. Which of the following factors cannot be considered valid in case the company fails to achieve the desired results?
(a) Business processes are not well thought out or executed to align with business objectives.
(b) The staff may perceive automated processes as a threat to their jobs.
(c) The documentation of all the automated business processes is not done properly.
(d) Implementation of automated processes in the company may be an expensive proposition.

2. The processes automated by ABC Ltd. are technology driven. The dependence on
technology in key business processes exposed the company to various internal as well as
external threats. According to you, external threats leading to cyber-crime in BPA is
because:
(a) Organizations may have a highly-defined organization structure with clearly defined
roles, authority and responsibility.
(b) There may not be one but multiple vendors providing different services.
(c) System environment provides access to customers anytime, anywhere using internet.
(d) The dependence on technology is insignificant.

3. Management of ABC Ltd. adopted a holistic & comprehensive approach of Enterprise Risk
Management (ERM) framework by implementing controls across the company. Identify
the false statement w.r.t. components of ERM framework.
(a) As a part of event identification, potential events that might have an impact on the
entity should be identified.
(b) As a part of risk assessment component, identified risks are analyzed to form a basis for
determining how they should be managed.
(c) As a part of monitoring, the entire ERM process should be monitored with no further
modifications in the system.
(d) As a part of control activities, policies and procedures are established and executed to
help ensure that the risk responses that management selected are effectively carried
out.

4. The management of ABC Ltd. implemented different Information Technology General Controls (ITGCs) across its IT environment with an objective to minimize the impact of risks associated with automated processes. Which of the following is not an example of an ITGC?
(a) Information Security Policy
(b) Processing Controls
(c) Backup, Recovery and Business Continuity
(d) Separation of key IT functions


Solution 3
Q1: (c) The documentation of all automated business processes is not done properly.
Q2: (c) System environment provides access to customers anytime, anywhere using internet.
Q3: (c) As a part of monitoring, the entire ERM process should be monitored with no further modifications in the system.
Q4: (b) Processing Controls.

Question 4
DXN Ltd. is engaged in manufacturing consumer products for women. The company released a new product recently which met with unexpected success, and was established as a market leader in that product. The growing volume of sales transactions started to put a strain on the company's internal processes. The company employed 300 more employees to ensure that the customers are served better and faster. But with the increase in the number of monthly transactions to 1.5 million, the manual processes which were being followed by the company at present were holding it back. The company was not able to meet consumer demands even after employing the additional 300 employees. The management consultant Mr. X of DXN Ltd. advised automating the key business processes of the company to handle the large volume of transactions, meet the expectations of its customers and maintain its competitive edge in the market.
Mr. X gathered extensive information about the different activities involved in the current
processes followed by DXN Ltd. like what the processes do, the flow of various processes, the
persons who are in-charge of different processes etc. The information so collected helped him in
understanding the existing processes such as flaws, bottlenecks, and other less obvious features
within the existing processes. Based on the information gathered about the current processes,
Mr. X prepared various flowcharts depicting how various processes should be performed after
automation and submitted his report to the management covering the following points:
♦ The major benefits of Business Process Automation.
♦ The processes that are best suited to automation.
♦ Challenges that DXN Ltd. may face while implementing automated processes
♦ Risks involved in Business Process Automation and how management should manage risks.

Answer the following Questions-


1. As the DXN Ltd. was implementing the automated processes for the first time, the consultant
suggested not to automate all the processes at a time and automate only critical processes
which would help the company to handle large volume of transactions. Which of the
following business processes are not best suited to automation?
(a) Processes involving repetitive tasks
(b) Processes requiring employees to use personal judgment
(c) Time sensitive processes
(d) Processes having significant impact on other processes and systems


2. While understanding the criticality of various business processes of DXN Ltd., the consultant Mr. X documented the current processes and identified the processes that needed automation. However, documentation of existing processes does not help in ______.
(a) providing clarity on the process
(b) determining the sources of inefficiency, bottlenecks, and problems
(c) controlling resistance of employees to the acceptance of automated processes
(d) designing the process to focus on the desired result with workflow automation

3. When DXN Ltd. decided to adopt automation to support its critical business processes, it exposed itself to a number of risks. The risk that the automated process could lead to a breakdown in internal processes, people and systems is a type of ______.
(a) Operational Risk
(b) Financial Risk
(c) Strategic Risk
(d) Compliance Risk

4. Mr. X of DXN Ltd. prepared various flowcharts depicting how various processes should be performed after automation and submitted his report to the management. The flowcharting symbol that he used to depict a processing step is ______.
(a) Rectangular Box
(b) Diamond
(c) Oval
(d) Line

Solution 4
Q1: (b) Processes requiring employees to use personal judgment.
Q2: (c) Controlling resistance of employees to the acceptance of automated processes.
Q3: (a) Operational Risk.
Q4: (a) Rectangular Box.


FINANCIAL AND ACCOUNTING SYSTEMS

1. Introduction:
Financial and Accounting Systems form an integral part of any business and act as its backbone. In the process of learning about Financial and Accounting Systems, there can be different views of the same thing. These different views may be:
• Accountant's View – The Balance Sheet and Profit & Loss Account must be prepared easily without putting in much time/effort.
• Auditor's View – The Balance Sheet and Profit & Loss Account must be correct at any point of time.
• Business Manager's / Owner's View – I need the right information at the right point of time for the right decision making.

2. Integrated (ERP) And Non-Integrated Systems:

2.1. ERP and non-integrated system:


Below are the dictionary meanings of "system":
• "A set of principles or procedures according to which something is done; an organized scheme or method"
OR
• "A set of things working together as parts of a mechanism or an interconnecting network; a complex whole"
OR
• "A set of detailed methods, procedures and routines created to carry out a specific activity, perform a duty, or solve a problem".

In systems there are various elements which are inter-related and inter-dependent and interact with each other to achieve the goals of the system. All systems generally:
• Have inputs, outputs and feedback mechanisms,
• Maintain an internal steady state despite a changing external environment,
• Have boundaries that are usually defined by the system observer.
A system includes defined methods and processes to perform an activity. So basically, processes are important components of any system.

2.2. What is a process:


A Process is defined as a sequence of events that uses inputs to produce outputs. From a
business perspective, a Process is a coordinated and standardized flow of activities performed
by people or machines, which can traverse functional or departmental boundaries to achieve a
business objective and creates value for internal or external customer.


2.3. Concepts in Computerized Accounting System:


2.3.1. Types of Data-
Every accounting system stores data in 2 ways:
∞ Master Data
∞ Non-Master Data

Master Data
 Master data is permanent data that is not expected to change again and again.
 It may change, but not again and again.
 Below are types of master data:

Master Data is of four types:
• Accounting Master Data
• Inventory Master Data
• Payroll Master Data
• Statutory Master Data

Accounting Master Data: This includes names of ledgers, groups, cost centers, accounting voucher types, etc. E.g., the Capital Ledger is created once and is not expected to change frequently. Similarly, all other ledgers like sales, purchase, expense and income ledgers are created once and are not expected to change again and again.

Inventory Master Data: This includes stock items, stock groups, godowns, inventory voucher types, etc. A stock item is something which is bought and sold for business purposes, i.e., trading goods.

Payroll Master Data: Payroll is a system for calculation of salary and recording of transactions relating to employees. Master data in the case of payroll can be names of employees, groups of employees, salary structure, pay heads, etc. These data are not expected to change frequently.

Statutory Master Data: This is master data relating to statute/law. It may be different for different types of taxes. E.g., Goods and Services Tax (GST), Nature of Payments for Tax Deducted at Source (TDS), etc.

Non-Master Data
 It is a data which is expected to change frequently and not a permanent data.
 Example: Amount covered under transactions differs each time. Date recorded in each
transaction is expected to change again and again and will not be constant in all the
transactions.


2.3.2. Voucher Type-


In accounting language, a Voucher is documentary evidence of a transaction. There may be
different documentary evidences for different types of transactions. Following are types of
transactions and documentary evidences of such transactions-
Receipt: Given to a customer after he/she makes a payment.
Sales invoice: Given to a customer for goods sold.
Journal voucher: Evidence of a non-cash/bank transaction.

Generally, the following types of vouchers are used in accounting systems (S.N., Voucher Type Name, Module, Use):
2. Payment (Accounting): For recording of all types of payments, whenever money is going out of the business by any mode (cash/bank).
3. Receipt (Accounting): For recording of all types of receipts, whenever money is being received into the business from outside by any mode (cash/bank).
4. Journal (Accounting): For recording of all non-cash/bank transactions. E.g., depreciation, provision, write-off, write-back, discount given/received, purchase/sale of fixed assets on credit, etc.
5. Sales (Accounting): For recording all types of trading sales by any mode (cash/bank/credit).
6. Purchase (Accounting): For recording all types of trading purchases by any mode (cash/bank/credit).
7. Credit/Debit Note (Accounting): For making changes/corrections in already recorded sales/purchase transactions.
8. Purchase Order (Inventory): For recording of a purchase order raised on a vendor.
9. Sales Order (Inventory): For recording of a sales order received from a customer.
10. Stock Journal (Inventory): For recording of physical movement of stock from one location to another.
11. Physical Stock (Inventory): For making corrections in stock after physical counting.
12. Delivery Note (Inventory): For recording of physical delivery of goods sold to a customer.
13. Receipt Note (Inventory): For recording of physical receipt of goods purchased from a vendor.
14. Memorandum (Accounting): For recording of a transaction which will be in the system but will not affect the trial balance.
15. Attendance (Payroll): For recording of attendance of employees.
16. Payroll (Payroll): For salary calculations.


2.3.3. Voucher Number -


A Voucher Number or a Document Number is the unique identity of any voucher/document.
A voucher may be identified or searched using its unique voucher number. Following may
be the key features of a voucher number-
 Voucher number must be unique.
 Every voucher type shall have a separate numbering series.
 A voucher number may have a prefix or suffix or both, e.g., MSIL/XXXX/18-19. Here,
“MSIL” is the prefix, “18-19” is the suffix and “XXXX” is the actual number of the
voucher.
 All vouchers must be numbered serially.
 All vouchers are recorded in chronological order and hence a voucher recorded earlier
must have an earlier number.
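The numbering rules above can be checked mechanically over a voucher export, which is how an auditor would detect gaps, duplicates or back-dated entries. The following Python script is an added example, not part of these notes; it assumes a PREFIX/NNNN/SUFFIX format and uses constructed voucher types, numbers and dates.

```python
"""Voucher-number checks: unique numbers, one series per voucher type,
prefix/number/suffix format, serial numbering and chronological order.
Added example; the company code MSIL and all vouchers are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Assumed format PREFIX/NNNN/SUFFIX, e.g. MSIL/0001/18-19 (constructed).
VOUCHER_RE = re.compile(r"^(?P<prefix>[A-Z]+)/(?P<number>\d{4})/(?P<suffix>\d{2}-\d{2})$")


@dataclass(frozen=True)
class Voucher:
    vtype: str    # voucher type, e.g. "Payment"
    number: str   # full voucher number including prefix and suffix
    vdate: date   # date recorded on the voucher


def parse_voucher_number(number):
    """Split 'MSIL/0007/18-19' into ('MSIL', 7, '18-19'); raise on a malformed number."""
    m = VOUCHER_RE.match(number)
    if not m:
        raise ValueError(f"malformed voucher number: {number!r}")
    return m["prefix"], int(m["number"]), m["suffix"]


def validate_vouchers(vouchers):
    """Return the list of rule violations found in a batch (empty list = clean)."""
    findings = []
    seen = {}                      # number -> first voucher carrying it
    prefix_owner = {}              # prefix -> voucher type that owns that series
    by_type = defaultdict(list)    # voucher type -> [(serial, voucher)]
    for v in vouchers:
        if v.number in seen:       # rule: numbers are unique
            findings.append(f"duplicate number {v.number} ({seen[v.number].vtype} and {v.vtype})")
            continue
        seen[v.number] = v
        try:
            prefix, serial, _suffix = parse_voucher_number(v.number)
        except ValueError as exc:
            findings.append(str(exc))
            continue
        owner = prefix_owner.setdefault(prefix, v.vtype)
        if owner != v.vtype:       # rule: each voucher type has its own series
            findings.append(f"prefix {prefix} shared by {owner} and {v.vtype}")
        by_type[v.vtype].append((serial, v))
    for vtype, entries in by_type.items():
        entries.sort(key=lambda e: e[0])
        expected = entries[0][0]
        prev_date = None
        for serial, v in entries:
            if serial != expected:  # rule: serial numbering, no gaps
                findings.append(f"{vtype}: gap in series, expected {expected:04d} got {serial:04d}")
                expected = serial
            if prev_date is not None and v.vdate < prev_date:  # rule: chronological order
                findings.append(f"{vtype}: {v.number} dated {v.vdate} is earlier than the previous number")
            prev_date = v.vdate
            expected += 1
    return findings


# Constructed batch with one violation of each rule.
SAMPLE_BATCH = [
    Voucher("Payment", "MSIL/0001/18-19", date(2018, 4, 2)),
    Voucher("Payment", "MSIL/0002/18-19", date(2018, 4, 5)),
    Voucher("Payment", "MSIL/0004/18-19", date(2018, 4, 3)),   # gap and out of date order
    Voucher("Receipt", "RCPT/0001/18-19", date(2018, 4, 2)),
    Voucher("Receipt", "RCPT/0001/18-19", date(2018, 4, 6)),   # duplicate number
    Voucher("Receipt", "RCPT-2", date(2018, 4, 7)),            # malformed number
    Voucher("Sales", "MSIL/0009/18-19", date(2018, 4, 8)),     # prefix belongs to Payment
]


def audit_sample():
    """Run the checks over the constructed batch."""
    return validate_vouchers(SAMPLE_BATCH)


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```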

2.3.4. Accounting Flow-


Please refer to the flowchart below, which summarizes the accounting flow and the extent of
human interference:

2.3.5. Type of Ledgers-


As far as financial and accounting systems are concerned, ledgers may be classified into 2 broad
types: ledgers having a debit balance and ledgers having a credit balance.


Important points to be noted:


• The basic objective of accounting software is to generate two primary accounting reports,
i.e., Profit & Loss Account and Balance Sheet. Income and Expense ledgers are considered
in the Profit & Loss Account and Asset and Liability ledgers are considered in the Balance Sheet.
Hence every ledger is classified in one of the four categories, i.e., Income, Expense, Asset or
Liability.
• The difference between Total Income and Total Expenses, i.e., Profit or Loss as the case may
be, is taken to the Balance Sheet.
• Any ledger can be categorized in one category only, i.e., Asset, Liability, Income or
Expense. It cannot be categorized in more than one category.

2.3.6. Grouping of Ledgers-


At the time of creation of any new ledger, it must be placed under a particular group. There are four
basic groups in accounting, i.e., Income, Expense, Asset and Liability. For example, the machinery
account is an asset and has to be classified or categorized under ASSETS in the balance sheet.

2.4. Technical Concept:


2.4.1. Working of a software:
Front End
It is the part of the overall software which actually interacts with the user who is using the software.
Back End
It is the part of the overall software which does not directly interact with the user, but interacts with
the Front End only.

Now we will study, with the help of an example, what front end and back end are:-

There is a table within your restaurant- a place where a controlled interaction happens between
customers and the restaurant staff. (Front End)

The waiter will receive the order and pass it on to the cook in the kitchen. The cook will process
the food as per requirement and hand it over to the waiter. (Back End)

2.4.2. Application Software-


Application software performs many functions such as receiving the inputs from the user,
interpreting the instructions and performing logical functions so that a desired output is achieved.
There are mainly 3 layers which together form an application, and as such it is called Three Tier
architecture. These 3 layers are-
• Application layer: Receives the inputs from the users and performs certain validations,
like whether the user is authorized to request the transaction.
• Operating system layer: Carries these instructions and processes them using the data
stored in the database and returns the results to the application layer.
• Database layer: Stores the data in a certain form.


Installed Application-
These are programs that are installed on the hard disc of the user’s computer.

Cloud-Based Application
Organizations are increasingly hosting their applications on the Internet and outsourcing the IT
functions. There are many methods through which this can be achieved, the most common
among them being SaaS – Software as a Service or IaaS – Infrastructure as a Service.

Point of Difference (POD): Installed Application vs. Web Application

Code to Remember: M.F. - P.A.I.D.S. (Mutual fund bought, hence installed)

Mobile Application
  Installed: Using the software through a mobile application is difficult in this case.
  Web: Mobile application becomes very easy as data is available 24x7.
Flexibility
  Installed: It shall have more flexibility and controls as compared to a web application. It is very
  easy to write desktop applications.
  Web: The success of cloud-based applications is that they allow flexibility against both Capital
  Expenditure (CAPEX) & Operating Expense (OPEX) to the user.
Performance
  Installed: A well written installed application shall always be faster than a web application, the
  reason being that data is picked from the local server.
  Web: Access is dependent on the speed of the internet. Slow internet slows access to information
  and may slow operations.
Accessibility
  Installed: As the software is installed on the hard disc of the user’s computer, the user needs to
  go to the computer in which the software is installed to use it. It cannot be used from any other
  computer.
  Web: As the software is available through online access, a browser and an internet connection are
  needed to use it.
Installation & Maintenance
  Installed: As the software is installed on the hard disc of the computer used by the user, it needs
  to be installed on every computer one by one. This may take a lot of time. Also, maintenance &
  updating of software may take a lot of time and effort.
  Web: Installation on the user’s computer is not required. Update and maintenance are the defined
  responsibility of the service provider.
Data Storage
  Installed: Data is physically stored in the premises of the user, i.e., on the hard disc of the user’s
  server computer. Hence the user will have full control over the data.
  Web: Data is not stored in the user’s server computer. It is stored on a web server. Ownership of
  data is defined in the Service Level Agreement (SLA). The SLA defines the responsibilities &
  authority of both the service provider & the service user.
Security of Data
  Installed: As the data is in the physical control of the user, the user shall have full physical control
  over the data and he/she can ensure that it is not accessed without proper authorization.
  Web: Data is not in the control of the user or owner of the data. As time evolves, SLAs provide for
  details of back-up and disaster recovery alternatives being used by the service provider.


2.5. Non-integrated System:


A Non-Integrated System is a system of maintaining data in a decentralized way. Each
department shall maintain its own data separately and not in an integrated way. This is the
major problem with non-integrated systems. All the departments are working independently
and using their own set of data. They need to communicate with each other, but still they use their
own data. This results in 2 major problems:
a. Communication Gaps
b. Mismatched Data

2.6. Enterprise Resource Planning (ERP)System:


Every organization uses a variety of resources in achieving its organizational goals. ERP is an
enterprise-wide information system designed to coordinate all the resources, information, and
activities needed to complete business processes.

Some of the ERP features in today’s era:

1. An ERP system is based on a common database and a modular software design.
2. The common database allows every department of a business to store & retrieve
information in real-time.
3. An ERP system may comprise a set of discrete applications, each maintaining a discrete
data store within one physical database.
4. Today’s ERP systems can cover a wide range of functions & integrate them into one
unified database.
5. Various functions such as Human Resources, Customer Relationship Management,
Financials, Manufacturing functions, etc. were all once stand-alone software applications,
and they can all fit under one name – the ERP system.

Following are the advantages of ERP system:


Code to Remember : C – T.O.U.R. – F.A.I.L.
(If no ERP, management office tour will fail, you C)

1. Customer satisfaction enhancement:


• Means meeting or exceeding customers’ requirements for a product or service. With the help
of web-enabled ERP systems, customers can place an order, track the status of the order and
make the payment while sitting at home.
• Since all the details of the product and the customer are available to the person at the
technical support department also, the company is able to support the customer better.


2. Technology usage:
• ERP packages are adapted to utilize the latest developments in Information Technology
such as open systems, client/server technology, Cloud Computing, Mobile computing etc.
• It is this adaptation of ERP to the latest changes in IT that makes adaptation to changes in
future development environments possible.

3. On-time Shipment:
• Since ERP encompasses integration and automation of all functions of the business, the
chances of errors are minimal and the production efficiency is high.
• Thus, by integrating the various business functions and automating the procedures and
tasks, the ERP system ensures on-time delivery of goods to the customers.

4. Utilization of resources efficiently:


• The efficient functioning of different modules in the ERP system like manufacturing,
material management, plant maintenance, sales and distribution ensures that the
inventory is kept to a minimum level, the machine down time is minimum etc.
• Thus, ERP systems help the organization in drastically improving the capacity and resource
utilization.

5. Reduction in cycle time:


• The Cycle time is the time between placement of the order and delivery of the product.
• In an ERP System all the data is updated to the minute and is available in centralized
database and all procedures are automated.

6. Flexibility:
• ERP Systems help companies to remain flexible by making company information available
across the departmental barriers and automating most of the processes and procedures,
thus enabling the company to react quickly to the changing market conditions

7. Better Analysis and planning capabilities:


• By enabling comprehensive and unified management of related business functions such as
production, finance, inventory management etc. and their data;
• It becomes possible to utilize fully various types of Decision Support Systems (DSS), what-if
analysis and so on. Hence, enabling decision-makers to make better and informed
decisions.

8. Information Integration:
• The reason ERP systems are called integrated is because they possess the ability to
automatically update data between related business functions and components.
• For example - one needs to only update the status of an order at one place in the order-
processing system and all the other components will automatically get updated;


9. Low Cost:
• An ERP System’s central database eliminates redundant specifications and ensures that a
single change to standard procedures takes effect immediately throughout the
organization.
• It also provides tools for implementing total quality management programs within an entity.

3. Risk and Controls in ERP Environment:


In case of an integrated system, the data can be accessed from any place. As such, the chance of loss of
data is a big challenge. These risks can be summarized in the below manner:
(a) All the persons in the organization access the same set of data on a day-to-day basis. This
again poses the risk of leakage of information.
(b) All users shall use the same data for recording of transactions. Hence there is one more
risk of incorrect data being put into the system by an unrelated user.
ERP system implementation is a huge task and requires a lot of time, money and above all
patience. The success or failure of any ERP, or saying it in terms of payback or ROI of an ERP, is
dependent on its successful implementation and, once implemented, proper usage. The following
provides an extensive discussion on the risks related to various aspects including People, Process,
Technological, Implementation and Post-implementation issues that arise during
implementation, and the related controls respectively. Below is the tabular presentation of the risks
associated and the controls required for each aspect:

PEOPLE ASPECT
Change Management
  Risk Associated: The way in which the entity functions will change; the planning, forecasting and
  decision-making capabilities will improve.
  Control Required: Project requirements are to be properly documented and signed by the users
  and senior management.
Training
  Risk Associated: Since the greater part of the training takes place towards the end of the ERP
  implementation cycle, management may curtail the training because of budget.
  Control Required: Training is a project-managed activity & shall be imparted to users in an
  entity by skilled consultants and representatives of hardware vendors.
Staff Turnover
  Risk Associated: Employee turnover, i.e., qualified and skilled personnel leaving the company
  during the implementation and transition phases, can affect the schedules and this results in
  delayed implementation and cost overrun.
  Control Required: This can be controlled and minimized by allocation of employees to tasks
  matching their skill-set and fixing of compensation package and other benefits accordingly.
Top Management Support
  Risk Associated: ERP implementation will fail if top management doesn’t support it and
  grant permission for the availability of the huge resources.
  Control Required: ERP implementation shall be started only after the top management is fully
  convinced & assured of providing full support.
Consultants
  Risk Associated: These are experts in implementation of the ERP package and might not be
  familiar with the internal workings and organizational culture.
  Control Required: The consultants should be assigned a liaison officer (a senior manager) who
  can familiarize them with the company and its working.


PROCESS ASPECT
Program Management
  Risk Associated: There could be a possibility of an information gap between day-to-day.
  Control Required: Requires bridging the information gap between traditional ERP-based
  functions & operational management functions.
Business Process Reengineering (BPR)
  Risk Associated: BPR means not just change but dramatic change and dramatic improvements.
  Control Required: Requires overhauling of organizational structure, management structure and
  systems, job descriptions etc.

TECHNOLOGICAL ASPECT
Software Functionality
  Risk Associated: Implementing all the functionality and features just for the sake of it can be
  dangerous for an organization.
  Control Required: Care should be taken to incorporate the features that are required by the
  organization and to support additional features and functionality that might be required at a
  future date.
Technological Obsolescence
  Risk Associated: With the launch of efficient technologies every day, the ERP system also
  becomes obsolete as time goes on.
  Control Required: Requires a critical choice of technology, architecture of product, easy
  enhancements and upgrading, and quality of vendor support.
Enhancement and Upgrades
  Risk Associated: ERP systems are not upgraded and kept up-to-date; patches & upgrades are not
  installed.
  Control Required: Care must be taken while selecting the vendor, and upgrade/support contracts
  should be signed to minimize the risks.
Application Portfolio Management
  Risk Associated: Processes focus on the selection of new business applications and the projects
  required in delivering them.
  Control Required: IT organizations can begin to reduce the duplication and complexity.

IMPLEMENTATION ASPECT
Lengthy implementation time
  Risk Associated: ERP projects are lengthy and take between 1 to 4 years depending upon the size
  of the entity.
  Control Required: Care must be taken to keep the momentum high and enthusiasm alive amongst
  the employees, so as to minimize the risk.
Insufficient Funding
  Risk Associated: Budget for ERP implementation is allocated without consulting the experts &
  then implementation is stopped due to lack of funds.
  Control Required: It is necessary to allocate the necessary funds for the ERP implementation
  project and then allocate some more for contingencies.
Speed of Operation
  Risk Associated: A centralized database leads to heavy size and thereby reduces the speed of
  operations.
  Control Required: This can be controlled by removing the redundant data, use of a warehouse etc.

POST IMPLEMENTATION ASPECT
Lifelong Commitment
  Risk Associated: There will always be new modules to install, new persons to be trained, new
  technologies to be embraced etc.
  Control Required: This requires a strong level of commitment and consistency by the
  management and users of the system.


3.1. Role Based Access Control (RBAC) in ERP system:


Role-based access control is an approach to restricting system access to authorized users. It is
used by most enterprises and can implement mandatory access control or discretionary
access control. Some of the features of RBAC:
(a) RBAC is a policy-neutral access control mechanism defined around roles and privileges.
(b) The components of RBAC such as role-permission, user-role and role-role relationships make it
simple to perform user assignments.
(c) RBAC can be used to facilitate administration of security in large organizations.
(d) Roles for staff are defined in the organization and access to the system can be given according to
the role assigned.

3.2. Role Based Access Control (RBAC) in ERP system:


While assigning access to different users, following options are possible.
♫ Create – Allows to create data
♫ Alter – Allows to alter data
♫ View – Allows only to view data
♫ Print – Allows to print data
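The authorization check that the application layer performs (2.4.1/2.4.2) and the role-permission, user-role and role-role relationships of 3.1, with the four rights listed here, can be put together in a small access-control model. The Python below is an added example, not part of these notes; its roles, users and voucher types are constructed, and it keeps an audit log of every decision so that refused attempts can be reviewed.

```python
"""Role-based access control for ERP vouchers: roles carry Create/Alter/View/
Print rights per voucher type, users get roles, roles may include other roles,
and every decision is denied by default and written to an audit log.
Added example; roles, users and voucher types are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field

ACTIONS = {"create", "alter", "view", "print"}   # the four rights listed in the notes


@dataclass
class Role:
    name: str
    permissions: dict[str, set[str]] = field(default_factory=dict)  # voucher type -> actions
    includes: set[str] = field(default_factory=set)                  # role-role relationship


class AccessControl:
    def __init__(self):
        self.roles = {}        # role name -> Role (role-permission relationship)
        self.user_roles = {}   # user -> set of role names (user-role relationship)
        self.audit_log = []    # (user, action, voucher type, allowed)

    def add_role(self, role):
        for actions in role.permissions.values():
            unknown = actions - ACTIONS
            if unknown:
                raise ValueError(f"role {role.name}: unknown actions {sorted(unknown)}")
        self.roles[role.name] = role

    def assign(self, user, role_name):
        if role_name not in self.roles:
            raise KeyError(f"role {role_name!r} is not defined")
        self.user_roles.setdefault(user, set()).add(role_name)

    def effective_permissions(self, role_name, _seen=None):
        """Flatten included roles (cycle-safe) into one voucher type -> actions map."""
        seen = set() if _seen is None else _seen
        if role_name in seen or role_name not in self.roles:
            return {}
        seen.add(role_name)
        role = self.roles[role_name]
        effective = {vt: set(acts) for vt, acts in role.permissions.items()}
        for included in role.includes:
            for vt, acts in self.effective_permissions(included, seen).items():
                effective.setdefault(vt, set()).update(acts)
        return effective

    def is_allowed(self, user, action, vtype):
        """Deny by default; allow only if one of the user's roles grants the action."""
        allowed = action in ACTIONS and any(
            action in self.effective_permissions(r).get(vtype, set())
            for r in self.user_roles.get(user, set()))
        self.audit_log.append((user, action, vtype, allowed))
        return allowed


def build_demo():
    """Constructed setup: a clerk creates and views, a manager additionally alters
    and prints (inheriting the clerk role), an auditor only views and prints."""
    ac = AccessControl()
    ac.add_role(Role("accounts_clerk",
                     {"Payment": {"create", "view"}, "Receipt": {"create", "view"}}))
    ac.add_role(Role("accounts_manager",
                     {"Payment": {"alter", "print"}, "Receipt": {"alter", "print"}},
                     includes={"accounts_clerk"}))
    ac.add_role(Role("auditor", {vt: {"view", "print"} for vt in ("Payment", "Receipt", "Journal")}))
    ac.assign("asha", "accounts_clerk")
    ac.assign("ravi", "accounts_manager")
    ac.assign("meera", "auditor")
    return ac


def denied_attempts(ac):
    """Audit-trail view: who asked for what and was refused."""
    return [(u, a, v) for u, a, v, ok in ac.audit_log if not ok]
```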

4. Audit of ERP system:


ERP systems should produce accurate, complete, and authorized information that is supportable and
timely. All these can be accomplished or achieved by combination of various controls in ERP system.
Controls are divided into General Controls and Application Controls. Below is the diagrammatic
representation of controls:

Controls
  General Controls
    Management controls: deal with organizations, policies, procedures, planning, and so on.
    Environmental controls: are operational controls administered through the computer
    centre/computer operations group and the built-in operating system controls.
  Application Controls

Some of the queries that may be made by the auditor during an ERP audit:
• Does the system process according to GAAP?
• Does it meet the needs for reporting?
• Are effective system operations and support functions provided?
• Does the system protect confidentiality & integrity of information assets?
• Are there adequate audit trails and monitoring of user activities?
• Is there an ERP system administrator with clearly defined responsibilities?
• Are users trained? Do they have complete and current documentation?
• Is there a problem-escalation process?


Auditing aspects in case of any ERP system can be summarized as under:

AUDIT OF DATA
  Physical Safety: Ensuring physical control over data.
  Access Control: Ensuring access to the system is given on a “need to know” and
  “need to do” basis.

AUDIT OF PROCESSES
  Functional Audit: This includes testing of different functions/features in the system and
  testing of the overall process or part of a process in the system and its comparison with the
  actual process.
  Input Validations: This stands for checking of rules for input of data into the system. Input
  validations shall change according to each data input form.

5. Business process modules and integration with financial and accounting system:

5.1. What is a business process:
A business process consists of a set of activities that are performed in an organizational and
technical environment. Each business process is enacted by a single organization, but it may
interact with business processes performed by other organizations. In order to understand and
manage a task, we
(a) should define the process first. This involves the process of defining the tasks in the process
and mapping the tasks to the roles involved in the process.
(b) Once the process is mapped and implemented, performance measures can be established.
(c) An organizational setup is needed that enables standardization of & adherence to the process
throughout the organization. Assigning enterprise process owners and aligning employees’
performance reviews and compensation to the value creation of the processes could
accomplish this.

5.2. Business process flow:


A Business Process is a prescribed sequence of work steps performed to produce a desired result
for the organization. Each of the business processes has either a direct or an indirect effect on the
financial status of the organization.
The accounting or bookkeeping cycle covers the business processes involved in recording and
processing accounting events of a company. It begins when a transaction or financial event
occurs and ends with its inclusion in the financial statements.


1. Source Document: A document that captures data from transactions and events.
2. Journal: Transactions are recorded into journals from the source document.
3. Ledger: Entries are posted to the ledger from the journal.
4. Trial Balance: Unadjusted trial balance containing totals from all account heads is prepared.
5. Adjustments: Appropriate adjustment entries are passed.
6. Adjusted Trial balance: The trial balance is finalized post adjustments.
7. Closing Entries: Appropriate entries are passed to transfer accounts to financial statements.
8. Financial statement: The accounts are organized into the financial statements.
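The eight steps above carried through in Python, together with the ledger grouping rules of 2.3.5 and 2.3.6 (every ledger in exactly one of the four groups, profit carried to the Balance Sheet). This is an added example and not from the notes; its chart of accounts and amounts are constructed for illustration, and the checks it returns (balanced transactions, agreeing trial balance, balancing Balance Sheet) are the integrity tests an auditor looks for.

```python
"""Accounting cycle as code: each ledger in exactly one group, balanced
journal entries, trial balance before and after adjustments, closing of
Income/Expense to profit, and a Balance Sheet that must balance.
Added example; the chart of accounts and the amounts are constructed."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal

# Ledger master (constructed): every ledger sits under exactly one of the four groups.
LEDGER_GROUP = {
    "Cash": "Asset", "Machinery": "Asset", "Debtors": "Asset",
    "Capital": "Liability", "Creditors": "Liability",
    "Sales": "Income", "Rent Expense": "Expense", "Depreciation": "Expense",
}


@dataclass(frozen=True)
class Entry:
    """One journal line: an amount on the debit or the credit side of a ledger."""
    ledger: str
    debit: Decimal = Decimal(0)
    credit: Decimal = Decimal(0)


def is_balanced_transaction(lines):
    """Double-entry rule: a transaction's debits must equal its credits."""
    dr = sum((e.debit for e in lines), Decimal(0))
    cr = sum((e.credit for e in lines), Decimal(0))
    return dr == cr


def journalize(transactions):
    """Step 2: record transactions in the journal, rejecting any unbalanced one."""
    journal = []
    for i, lines in enumerate(transactions, 1):
        if not is_balanced_transaction(lines):
            raise ValueError(f"transaction {i} is unbalanced")
        journal.extend(lines)
    return journal


def post_journal(journal):
    """Step 3: post to ledgers; a ledger balance is debits minus credits."""
    ledgers = defaultdict(Decimal)
    for e in journal:
        if e.ledger not in LEDGER_GROUP:
            raise KeyError(f"ledger {e.ledger!r} is not grouped in the master")
        ledgers[e.ledger] += e.debit - e.credit
    return dict(ledgers)


def trial_balance(ledgers):
    """Steps 4 and 6: total debit balances, total credit balances, and whether they agree."""
    dr = sum((b for b in ledgers.values() if b > 0), Decimal(0))
    cr = sum((-b for b in ledgers.values() if b < 0), Decimal(0))
    return dr, cr, dr == cr


def profit_and_loss(ledgers):
    """Step 7: close Income (credit balances) and Expense (debit balances) ledgers."""
    income = sum((-b for lg, b in ledgers.items() if LEDGER_GROUP[lg] == "Income"), Decimal(0))
    expense = sum((b for lg, b in ledgers.items() if LEDGER_GROUP[lg] == "Expense"), Decimal(0))
    return income, expense, income - expense


def balance_sheet(ledgers):
    """Step 8: Asset ledgers against Liability ledgers plus the profit carried from the P&L."""
    assets = sum((b for lg, b in ledgers.items() if LEDGER_GROUP[lg] == "Asset"), Decimal(0))
    liabilities = sum((-b for lg, b in ledgers.items() if LEDGER_GROUP[lg] == "Liability"), Decimal(0))
    profit = profit_and_loss(ledgers)[2]
    return assets, liabilities + profit, assets == liabilities + profit


# Step 1: source documents, reduced here to constructed transactions.
SOURCE_TRANSACTIONS = [
    [Entry("Cash", debit=Decimal(100000)), Entry("Capital", credit=Decimal(100000))],
    [Entry("Machinery", debit=Decimal(40000)), Entry("Creditors", credit=Decimal(40000))],
    [Entry("Debtors", debit=Decimal(25000)), Entry("Sales", credit=Decimal(25000))],
    [Entry("Rent Expense", debit=Decimal(5000)), Entry("Cash", credit=Decimal(5000))],
]
# Step 5: year-end adjustment, depreciation on machinery.
ADJUSTMENTS = [[Entry("Depreciation", debit=Decimal(4000)), Entry("Machinery", credit=Decimal(4000))]]


def run_cycle():
    """Run all eight steps and return the checks an auditor would look at."""
    journal = journalize(SOURCE_TRANSACTIONS)
    unadjusted_ok = trial_balance(post_journal(journal))[2]
    ledgers = post_journal(journal + journalize(ADJUSTMENTS))
    adjusted_ok = trial_balance(ledgers)[2]
    income, expense, profit = profit_and_loss(ledgers)
    assets, liabilities_and_profit, bs_ok = balance_sheet(ledgers)
    return {"unadjusted_tb_ok": unadjusted_ok, "adjusted_tb_ok": adjusted_ok,
            "income": income, "expense": expense, "profit": profit,
            "total_assets": assets, "balance_sheet_ok": bs_ok}
```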

5.3. ERP-Business Process Modules:


In today’s time, there are mainly 3 types of industries working. These are manufacturing,
trading and service industries. Each type of business has distinctive features.
• Trading Business – Trading simply means buying and selling goods without any
modifications, as is. Hence inventory accounting is a major aspect in this case. This industry
requires accounting as well as inventory modules.
• Manufacturing Business – This type of business includes all aspects of a trading business plus
the aspect of manufacturing also. Manufacturing is simply buying raw material, changing its
form and selling it as a part of trading. This type of industry requires accounting and
complete inventory along with a manufacturing module.
• Service Business – This type of business does not have any inventory. It is selling of skills/
knowledge/efforts/time. E.g., Doctors, Architects and Chartered Accountants are professionals
in the service business. This industry does not require an inventory module.
There may be different business units within a business. Hence different modules are
possible in an integrated system. The diagram on the next page denotes the types of modules in an
ERP system:
Financial Accounting Module:
This module is the most important module of the overall ERP System and it connects all the
modules to each other. Following are the features of this module:
o Tracking of flow of financial data across the organization in a controlled manner.
o General Ledger Accounting
o Tax Configuration
o Account Payables (Creation of Vendor Master data).
o Account Receivables (Creation of Customer Master data).
o Asset Accounting.
o Integration with Sales and Distribution and Materials Management.


Controlling Module:
This module facilitates coordinating, monitoring, & optimizing all processes in an organization.
It controls the business flow in an organization. Two kinds of elements are managed in
Controlling: Cost Elements and Revenue Elements. Following are the key features of this
module:
o Overview of the costs and revenues that occur in an organization.
o Cost Center Accounting;
o Activity-Based-Accounting
o Internal Orders;
o Product Cost Controlling

Sales and Distribution Module:


Sales and Distribution is used by organizations to support sales and distribution activities of
products and services, starting from enquiry to order and then ending with delivery. Key Features:
• Setting up Organization Structure;
• Assigning organizational units.
• Defining Pricing Components.
• Setting up sales document types, billing types & tax related.
• Setting up customer master data records and configuration.

Human Resource Module:


This module enhances the work process and data management within the HR department of
enterprises. The task of managing the details and task flow of the most important resource, i.e.,
human resource, is managed using this module. The most important task in HR is to maintain
the employee related information.
(a) Payroll & Personnel departments deal with the Human Resource of the organization.
(b) This department maintains the total employee database.
(c) Wage and attendance related information comes to this department.
(d) It handles Provident Fund and ESI related formalities.
(e) Concerning manpower, its requirement and utilization is one of the major chunks of
profit for an organization.

Production Planning Module:


PP Module is another important module that includes software designed specifically for
production planning and management. This module also consists of master data, system
configuration and transactions in order to accomplish plan procedure for production. PP
module collaborates with master data, sales and operations planning, distribution resource
planning, material requirements planning, product cost planning.

Conversion into Work in Process (WIP) may include more than one steps. Also, conversion
into Finished Goods may include packing process also.


Material Management Module:


MM Module manages materials required, processed and produced in enterprises. Some of the
popular sub-components in MM module are vendor master data, consumption-based planning,
purchasing, inventory management, invoice verification and so on. Material Management also
deals with movement of materials via other modules like logistics, Supply Chain Management,
sales and delivery, warehouse management, production and planning.

1. Purchase Requisition from Production Department:
The production department sends a request to the purchase department for purchase of raw material
required for production.
2. Evaluation of Requisition:
The purchase department evaluates the requisition received from the production department.
3. Asking for Quotation:
If the requisition is accepted, quotations shall be asked from approved vendors for purchase of material.
4. Evaluation of Quotations:
Quotations received shall be evaluated and compared.
5. Purchase Order:
This is a transaction for letting an approved vendor know what we want to purchase, how much we
want to purchase etc. A purchase order contains the following details:
6. Material Receipt:
This is a transaction of receipt of material against a purchase order. This is known as a Material Receipt
Note (MRN) or Goods Receipt Note (GRN). This transaction shall have a linking with the Purchase Order.
7. Issue of Material:
Material received by stores shall be issued to the production department as per requirement.
8. Purchase Invoice:
This is a financial transaction. This transaction shall have a linking with the Material Receipt and all the
details of material received shall be copied automatically into the purchase invoice.
9. Payment to vendor:
Payment shall be made to the vendor based on the purchase invoice recorded earlier. The payment transaction
shall have a linking with the purchase invoice.
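Steps 5 to 9 describe documents that each link to the one before them: GRN to Purchase Order, Purchase Invoice to GRN, Payment to Invoice. The Python below is an added example, not part of these notes; it enforces those links and the ceilings they imply (nothing invoiced beyond what was received, nothing paid beyond what was invoiced), using constructed document ids, vendor, item and prices, and shows which out-of-sequence entries are refused.

```python
"""Purchase-to-pay documents that must link to their predecessor: GRN to PO,
invoice to GRN, payment to invoice, with the quantity/amount ceilings those
links imply. Added example; document ids, vendor, item and prices are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from decimal import Decimal


class LinkError(Exception):
    """A document does not link correctly to the document it must follow."""


@dataclass
class PurchaseOrder:               # step 5
    po_id: str
    vendor: str
    item: str
    qty_ordered: int
    unit_price: Decimal
    qty_received: int = 0
    qty_invoiced: int = 0


@dataclass
class GoodsReceipt:                # step 6 (MRN/GRN), links to a PO
    grn_id: str
    po_id: str
    qty: int


@dataclass
class PurchaseInvoice:             # step 8, links to a GRN
    inv_id: str
    grn_id: str
    qty: int
    amount: Decimal
    paid: Decimal = Decimal(0)


class PurchaseToPay:
    def __init__(self):
        self.orders = {}
        self.receipts = {}
        self.invoices = {}

    def raise_po(self, po):
        self.orders[po.po_id] = po

    def receive_goods(self, grn):
        po = self.orders.get(grn.po_id)
        if po is None:
            raise LinkError(f"{grn.grn_id}: no purchase order {grn.po_id}")
        if po.qty_received + grn.qty > po.qty_ordered:
            raise LinkError(f"{grn.grn_id}: receipt exceeds quantity ordered on {po.po_id}")
        po.qty_received += grn.qty
        self.receipts[grn.grn_id] = grn

    def record_invoice(self, inv):
        grn = self.receipts.get(inv.grn_id)
        if grn is None:
            raise LinkError(f"{inv.inv_id}: no material receipt {inv.grn_id}")
        po = self.orders[grn.po_id]
        if po.qty_invoiced + inv.qty > po.qty_received:
            raise LinkError(f"{inv.inv_id}: invoiced quantity exceeds goods received on {po.po_id}")
        expected = po.unit_price * inv.qty     # details are copied from the linked documents
        if inv.amount != expected:
            raise LinkError(f"{inv.inv_id}: amount {inv.amount} is not PO price x quantity {expected}")
        po.qty_invoiced += inv.qty
        self.invoices[inv.inv_id] = inv

    def pay(self, inv_id, amount):             # step 9, links to an invoice
        inv = self.invoices.get(inv_id)
        if inv is None:
            raise LinkError(f"payment: no purchase invoice {inv_id}")
        if inv.paid + amount > inv.amount:
            raise LinkError(f"payment on {inv_id} exceeds the invoice amount")
        inv.paid += amount
        return inv.amount - inv.paid           # amount still outstanding


def demo():
    """Constructed flow: order 100, receive 60, invoice 60, part-pay, then try three
    entries that break a link and collect which were refused."""
    p2p = PurchaseToPay()
    p2p.raise_po(PurchaseOrder("PO-1001", "Vendor A", "steel sheet", 100, Decimal("250.00")))
    p2p.receive_goods(GoodsReceipt("GRN-501", "PO-1001", 60))
    p2p.record_invoice(PurchaseInvoice("INV-A-77", "GRN-501", 60, Decimal("15000.00")))
    outstanding = p2p.pay("INV-A-77", Decimal("10000.00"))
    attempts = {
        "invoice beyond receipt": lambda: p2p.record_invoice(
            PurchaseInvoice("INV-A-78", "GRN-501", 50, Decimal("12500.00"))),
        "invoice without GRN": lambda: p2p.record_invoice(
            PurchaseInvoice("INV-A-79", "GRN-999", 1, Decimal("250.00"))),
        "payment beyond invoice": lambda: p2p.pay("INV-A-77", Decimal("6000.00")),
    }
    refused = []
    for label, attempt in attempts.items():
        try:
            attempt()
        except LinkError:
            refused.append(label)
    return {"outstanding": outstanding, "refused": refused,
            "received": p2p.orders["PO-1001"].qty_received}
```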


Quality Management Module:


It helps in management of quality in production across processes in an organization. This quality
management module helps an organization to accelerate its business by adopting a structured and
functional way of managing quality in different processes.
• Master data & standards are set for quality management.
• Set quality targets to be met;
• A quality management plan is prepared;
• Take the actions needed to measure quality;
• Identify quality issues and the improvements and changes to be made;
• In case any change is needed in the product, change requests are sent;
• Report on the overall level of quality achieved; and
• Quality is checked at multiple points, e.g., inwards of goods at the warehouse, manufacturing,
returns.

Plant Maintenance Module:


This is a functional module which handles the maintenance of equipment and enables efficient
planning of production & generation schedules. The Plant Maintenance (PM) application
component provides a comprehensive software solution for all maintenance activities
that are performed within a company.

Project system Module:


This is an integrated project management tool used for planning and managing projects. It has
several tools that enable project management process such as cost and planning budget,
scheduling, requisitioning of materials and services.

Supply Chain Module:


This module provides extensive functionality for logistics, manufacturing, planning, and
analytics. Take advantage of a training curriculum that can help you drive maximum value from
your investment.
In a Supply Chain Management System, any product which is manufactured in a company
reaches directly from the manufacturer to distributors, where the manufacturer sells the product
to the distributor with some margin of profit. Distributors supply that product to retailers with
their profit and then finally customers receive that product from the retailer. This is called the
Supply Chain Management System, which implies that a product reaches from the manufacturer
to the customer through the supply chain.


Customer relationship Management (CRM):


Customer Relationship Management is a system which aims at improving the relationship with
existing customers, finding new prospective customers, and winning back former customers.
Following are the features/working of CRM module:
(a) CRM manages the enterprise’s relationship with its customers.
(b) CRM does not exchange transactions with other modules as CRM does not have
transactions.
(c) Implementing a CRM strategy is advantageous to both small-scale and large-scale business
ventures.

Following are the benefits of CRM module:


There are five points under this topic. We will understand the same as below:

External Points
Improved customer relations: By using this strategy, all dealings involving servicing, marketing,
and selling products to the customers can be carried out in an organized and systematic way.
Improved customer revenue: Using the data collected by the CRM strategy, marketing campaigns can
be popularized in a more effective way, thus increasing the customer base and ultimately increasing
revenue.
Maximise Up & Cross selling: A CRM system allows up-selling, which is the practice of giving
customers premium products that fall in the same category as their purchase. The strategy also
facilitates cross selling, which is the practice of offering complementary products to customers
based on their previous purchases.

Internal Points
Better Internal Communication: Following a CRM strategy helps in building up better
communication within the company. The sharing of customer data between different departments
will enable them to work as a team.
Optimise Marketing: CRM enables one to understand the customer needs and behaviour, thereby
allowing any enterprise to identify the correct time to market its product to the customers. CRM
will also give an idea about the most profitable customer groups.


5.4. Integration with other modules:


All the units in an ERP must work in harmony with the other units to generate the desired
result. In order to integrate a module with the other modules, the following things are to be
considered:
(a) Master data across all the modules must be the same and must be shared with other modules.
(b) Common transaction data must be shared with other modules whenever required.
(c) Separate voucher types are to be used for each module for easy identification.
(d) Figures & transactions may flow across all departments, e.g. stock values are taken to the
Trading Account as well as the Balance Sheet.
Material management integration with finance & controlling (FICO):
(a) Whenever any inventory posting is done, it updates the G/L accounts online in the
background.
(b) Logistics invoice verification will create a vendor liability in the vendor account
immediately on posting the document.
(c) Any advance given against the purchase order updates the Purchase Order history.

Material management integration with production planning:
(a) Material Requirement Planning is based on stocks, expected receipts and expected issues.
(b) It generates planned orders or purchase requisitions which can be converted to purchase
orders/contracts.
(c) Receipt of finished products in the warehouse is posted in Inventory Management.

Material management integration with sales & distribution:
(a) As soon as a sales order is created, it can initiate a dynamic availability check of
stocks on hand.
(b) When the delivery is created, the quantity to be delivered is marked as "Scheduled for
delivery".
(c) It is deducted from the total stock when the goods issue is posted.

Material management integration with quality management (QM):
(a) It is integrated with QM for quality inspection at Goods Receipt.
(b) In the case of a goods movement, the system determines whether the material is subject
to an inspection operation.
(c) Based on quality parameters, vendor evaluation is done.

Material management integration with plant maintenance:
(a) The material/service requirement is mentioned in the Maintenance order. This leads to
generation of a Purchase Requisition.
(b) This PR will be converted to a Purchase Order by MM.
(c) The goods for a PO will be inwarded to Maintenance by MM.

6. Reporting System and Management Information System (MIS):

6.1. Reporting System:
A reporting system is a system of regular reporting on pre-decided aspects. The basic purpose
of any Financial and Accounting system is to give the right information at the right point of
time to the right people for right decision making. Two basic reports, i.e. the Balance Sheet
and the Profit & Loss Account, are used for basic analysis of financial position and financial
performance. Key reports are analyzed by management to determine if appropriate financial
decisions are made at the right time.
Large listed corporations publish their annual reports to the public at large, providing many
insights as to their operations, their future plans and their social responsibilities too. The
MD&A (Management Discussion & Analysis) section in these annual reports discusses how
management has prepared the financial position, their interpretation of the company's
performance etc.


6.2. Management Information System:

An MIS report is a tool that managers use to evaluate business processes and operations. Hence,
an MIS system:
(a) Automatically collects data from various areas within a business.
(b) Can produce daily reports that can be sent to key members throughout the organization.
Many large businesses have specialized MIS departments which gather business information and
create MIS reports. There can be as many types of MIS reports as there are divisions within a
business. In all scenarios of MIS reporting, what is important? Yes, it is INFORMATION. MIS is
all about presenting information to management in a meaningful way. As such, to make the
information more meaningful, it should meet the following criteria (Features of Information):
Code to Remember: R.A.T.S.
1. Relevant:
(a) MIS reports need to be specific to the business area they address.
(b) This is important because a report that includes unnecessary information might be
ignored.
2. Accurate:
(a) It's important that numbers add up and that dates and times are correct.
(b) No manager would like to decide upon anything on the basis of wrong information.
3. Timely:
(a) Information is said to be useful when it is available on time.
(b) If any information is old, it will not serve any purpose.
4. Structured:
(a) Information in an MIS report can be complicated.
(b) Making information easy to follow helps management understand what the report is
saying.
(c) Try to break long passages of information into more readable blocks or chunks.

7. Data Analytics and Business Intelligence:

7.1. Meaning:
(a) Data Analytics is the process of examining data sets to draw conclusions about the
information they contain. Various software and techniques are used to draw meaningful
conclusions out of the information we have.
(b) Data analytics technologies and techniques are widely used in commercial industries to
enable organizations to make more informed business decisions.
(c) Data Analytics initiatives can help businesses increase revenues, improve operational
efficiency, and optimize marketing campaigns and customer service efforts.
(d) The data that is analyzed can consist of either historical records or new information that
has been processed for real-time analytics uses.


7.2. Types of Data Analytical applications:

1. Exploratory Data Analysis: Aims to find patterns and relationships in data.
2. Confirmatory Data Analysis: Applies statistical techniques to determine whether hypotheses
about a data set are True or False.
3. Quantitative Data Analysis: Involves analysis of numerical data with quantifiable variables
that can be compared or measured.
4. Qualitative Data Analysis: Focuses on understanding the content of non-numerical data like
text, images and audio.

Data analysis is done by different industries by different means. Below are the types of data
analysis done by these industries:
1. Advanced types of data analytics include data mining, which involves sorting through large
data sets to identify trends, patterns & relationships. Big data analytics applies data mining.
2. E-commerce companies and marketing services providers do clickstream analysis to identify
website visitors who are more likely to buy a product or service based on navigation and
page-viewing patterns.
3. Mobile network operators examine customer data to prevent defections to business rivals,
to boost customer relationship management efforts etc.
4. Healthcare organizations mine patient data to evaluate the effectiveness of treatments for
cancer and other diseases.

7.3. Data Analytical Process:


(a) The analytics process starts with data collection, in which data scientists identify the
information they need for analytics.
(b) Data from different source systems may need to be combined via data integration routines,
transformed into a common format and loaded into an analytics system.
(c) Once the data that’s needed is in place, the next step is to find and fix data quality problems
that could affect the accuracy of analytics applications.
(d) A data scientist builds an analytical model. The model is initially run against a partial data set
to test its accuracy until it functions as intended.
(e) Various analytics applications can be set to automatically trigger business actions.
(f) Last step in the data analytics process is communicating the results generated by analytical
models to business executives and other end users to aid in their decision-making.


7.4. Business Intelligence (BI):


7.4.1. Meaning:
 Business Intelligence (BI) is a technology-driven process for analyzing data and
presenting actionable information.
 BI encompasses a wide variety of tools, applications and methodologies that enable
organizations to collect data from internal systems and external sources.
7.4.2. Benefits of BI: Code to remember : A. – D.O.T.
 Helps in Accelerating and improving decision making.
 Driving new revenues & gaining competitive advantage.
 Optimization of internal business processes, increasing operational efficiency.
 BI systems can also help companies identify market Trends.
7.4.3. Examples of BI:
 BI uses data from different sources and helps to find solutions to various questions.
 Below is an example of business intelligence:

In an Online Transaction Processing (OLTP) system, the information that could be fed into the
product database could be:
• Add a product line
• Change a product price

Correspondingly, in a Business Intelligence system, the query that would be executed for the
product subject area could be: did the addition of the new product line or the change in
product price increase revenues? In the advertising database of an OLTP system, the query that
could be executed could be:
• Change in advertisement options
• Increase radio budget

In the BI system, the query that could be executed would be: how many new clients were added
due to the change in radio budget? In an OLTP system dealing with customer demographic
databases, the data that could be fed would be:
• Increase customer credit limit.
• Change in customer salary level.
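The OLTP-versus-BI contrast above, worked through in code as an added example (not from the notes): the OLTP side runs the "change a product price" transaction, and the BI side answers "did the price change increase revenues" by comparing revenue before and after the change. The schema, product and sales figures are constructed; the price_history table is an assumed design choice that gives the BI query the change date to compare around.

```python
"""OLTP transactions versus a BI query, on the notes' product example.

Added example, not part of the original notes. The schema, the product
and every sale below are constructed for illustration only.
"""
import sqlite3
from typing import Optional


def build_oltp_db() -> sqlite3.Connection:
    """Create a tiny in-memory OLTP database with constructed sample data."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE product (
            id INTEGER PRIMARY KEY, name TEXT NOT NULL, price REAL NOT NULL);
        CREATE TABLE price_history (
            product_id INTEGER, old_price REAL, new_price REAL, changed_on TEXT);
        CREATE TABLE sale (
            id INTEGER PRIMARY KEY, product_id INTEGER, qty INTEGER,
            unit_price REAL, sold_on TEXT);
    """)
    con.execute("INSERT INTO product VALUES (1, 'Notebook', 50.0)")
    # Constructed sales recorded before any price change (unit price 50)
    for sale_id, sold_on in enumerate(["2022-01-03", "2022-01-10", "2022-01-20"], 1):
        con.execute("INSERT INTO sale VALUES (?, 1, 10, 50.0, ?)", (sale_id, sold_on))
    con.commit()
    return con


def oltp_change_price(con: sqlite3.Connection, product_id: int,
                      new_price: float, changed_on: str) -> None:
    """OLTP transaction: 'change a product price'.

    The price_history row is what later lets the BI side ask whether the
    change paid off; the UPDATE alone would overwrite the old price.
    """
    (old_price,) = con.execute(
        "SELECT price FROM product WHERE id = ?", (product_id,)).fetchone()
    with con:  # both statements commit together or not at all
        con.execute("UPDATE product SET price = ? WHERE id = ?",
                    (new_price, product_id))
        con.execute("INSERT INTO price_history VALUES (?, ?, ?, ?)",
                    (product_id, old_price, new_price, changed_on))


def oltp_record_sale(con: sqlite3.Connection, sale_id: int, product_id: int,
                     qty: int, sold_on: str) -> None:
    """OLTP transaction: record a sale at the product's current price."""
    (price,) = con.execute(
        "SELECT price FROM product WHERE id = ?", (product_id,)).fetchone()
    with con:
        con.execute("INSERT INTO sale VALUES (?, ?, ?, ?, ?)",
                    (sale_id, product_id, qty, price, sold_on))


def bi_price_change_effect(con: sqlite3.Connection, product_id: int) -> Optional[dict]:
    """BI query: did the most recent price change increase revenue?

    Compares total revenue before and after the change date. Returns None
    when the product has no recorded price change to evaluate.
    """
    row = con.execute(
        """SELECT changed_on FROM price_history
           WHERE product_id = ? ORDER BY changed_on DESC LIMIT 1""",
        (product_id,)).fetchone()
    if row is None:
        return None
    changed_on = row[0]
    before, after = con.execute(
        """SELECT COALESCE(SUM(CASE WHEN sold_on <  ? THEN qty * unit_price END), 0),
                  COALESCE(SUM(CASE WHEN sold_on >= ? THEN qty * unit_price END), 0)
           FROM sale WHERE product_id = ?""",
        (changed_on, changed_on, product_id)).fetchone()
    return {"changed_on": changed_on, "revenue_before": before,
            "revenue_after": after, "increased": after > before}


def run_example() -> dict:
    """Raise the price of product 1, record later sales, ask the BI question."""
    con = build_oltp_db()
    oltp_change_price(con, 1, 55.0, "2022-02-01")
    # Constructed sales after the change: 28 units at the new price of 55
    for sale_id, (qty, sold_on) in enumerate(
            [(10, "2022-02-05"), (10, "2022-02-15"), (8, "2022-02-25")], 10):
        oltp_record_sale(con, sale_id, 1, qty, sold_on)
    return bi_price_change_effect(con, 1)


if __name__ == "__main__":
    print(run_example())
```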


8. Business reporting and fundamentals of XBRL:


8.1.1. Meaning:
1. Business Reporting or Enterprise Reporting is the public reporting of operating and
financial data by a business enterprise.
2. With the drastic expansion of information technology, there has been an increase in use of
computing power to produce single reports for different views of the enterprise.
3. This reporting process involves querying data sources with different logical models to
produce a readable report for the stakeholders.
4. Organizations conduct a wide range of reporting, including financial and regulatory
reporting; Environmental, Social, and Governance (ESG) reporting (or sustainability
reporting); and, increasingly, integrated reporting.
5. Organizations communicate with their stakeholders about:
 Mission, vision, objectives, and strategy;
 Governance arrangements and risk management;
 Trade-offs between the shorter and longer-term strategies; and
 Financial, social, and environmental performance.
8.1.2. Importance of Business Reporting/Why reporting is important:
1. Business reporting allows organizations to present a cohesive explanation of their
business.
2. Helps in engaging with internal and external stakeholders, including customers,
employees, shareholders, creditors, and regulators.
3. Information contained in business reporting is crucial for stakeholders to assess
organizational performance.
4. High-quality information is integral to the successful management of the business,
and is one of the major drivers of sustainable organizational success.

8.1.3. What is XBRL:


1. XBRL (eXtensible Business Reporting Language) is a freely available and global
standard for exchanging business information.
2. XBRL provides a language in which reporting terms can be authoritatively defined.
3. XBRL is the international standard for digital business reporting.
4. XBRL helps reporting information move between organizations rapidly, accurately
and digitally.
Working of XBRL:
1. XBRL is a standards-based way to communicate and exchange business information
between business systems.
2. These communications are defined by metadata set out in taxonomies;
3. The taxonomies capture the definition of individual reporting concepts as well as the
relationships between concepts.
4. The new digital format allows information to be clearly defined, platform-independent,
testable and also digital.


What does XBRL do?


XBRL makes reporting more accurate and more efficient. It allows unique tags to be
associated with reported facts. This tagging allows:
1. People publishing reports to do so with confidence, since the information contained in
them can be consumed and analyzed correctly.
2. People consuming reports to test them against a set of business and logical rules.
3. People using the information to do so in the way that best suits their needs.
4. People consuming the information to do so confident that the data is as per pre-
defined definitions/standards.

What is XBRL tagging?

1. XBRL Tagging is the process by which any financial data is tagged with the most
appropriate element in an accounting taxonomy.
2. Along with the concept, the tags carry information that facilitates
identification/classification (such as enterprise, reporting period, reporting currency,
unit of measurement etc.).
3. Comprehensive definitions & accurate data tags allow preparation, validation,
publication, exchange, consumption & analysis of business information of all kinds.
4. Information in reports prepared using the XBRL standard is interchangeable
between different information systems.

Users of XBRL information:

Regulators:
1. Securities regulators and stock exchanges that need to analyze the performance and
compliance of listed companies and securities.
2. Business registrars that need to receive and make publicly available a range of corporate
data including annual financial statements.
3. Tax authorities that need financial statements & other compliance information from
companies to process & review corporate tax.

Companies:
1. Enterprises that need to accurately move information around within a complex group.
2. Supply chains that need to exchange information to help manage risk.

Government:
1. Simplifying the process of businesses reporting to government and reducing red tape, by
either harmonizing data definitions or consolidating reporting obligations.
2. Standardization of the reporting process.

Data Providers:
1. Specialist data providers that use performance and risk information published into the
market place and create comparisons;
2. Ratings and other value-added information products for other market participants.

Analysts & Investors:
1. Analysts need to understand relative risk and performance.
2. Investors are required to read and understand the financial position & earning capacity of
a business before investing in that company.


Important features of XBRL:


• Clear Definitions:
XBRL allows the creation of reusable, authoritative definitions, called taxonomies, that
capture the meaning contained in all the reporting terms used in a business report.
• Testable Business Rules:
XBRL allows creation of business rules that constrain what can be reported. Business rules can
be logical or mathematical, or both.
• Multi-lingual Support:
(a) XBRL allows concept definitions to be prepared in as many languages as necessary.
(b) The XBRL community makes extensive use of this capability, as it can automatically open
up reports to different communities.
• Strong Software Support:
XBRL is supported by a very wide range of software from vendors large and small, allowing a
very wide range of stakeholders to work with the standard.
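An added example, not code from the notes or from XBRL International, showing what the "XBRL tagging" section and the "Testable Business Rules" feature mean in practice: each figure is tagged with a taxonomy concept, a context (enterprise and reporting period) and a unit (reporting currency), then read back and checked against logical and mathematical rules. The taxonomy namespace http://example.com/taxonomy, the concept names Assets/Liabilities/Equity, the entity identifier scheme and the figures are all constructed placeholders standing in for a real accounting taxonomy.

```python
"""Tagging financial facts XBRL-style and testing a business rule.

Added example, not code from the notes or from XBRL International.
The taxonomy namespace and concept names (Assets, Liabilities, Equity)
are constructed placeholders standing in for a real accounting taxonomy;
the entity identifier and the figures are constructed too.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

XBRLI = "http://www.xbrl.org/2003/instance"   # real XBRL instance namespace
TAX = "http://example.com/taxonomy"           # constructed placeholder taxonomy
ET.register_namespace("xbrli", XBRLI)
ET.register_namespace("ex", TAX)

# Constructed report: enterprise, reporting period and figures in INR
CONTEXT = {"id": "FY2021-22", "entity": "EXAMPLE-ENTITY-0000",
           "start": "2021-04-01", "end": "2022-03-31"}
FACTS = {"Assets": 5000000, "Liabilities": 3000000, "Equity": 2000000}

Fact = Tuple[int, str, str]  # (value, contextRef, unitRef)


def build_instance(context: dict, facts: Dict[str, int], currency: str = "INR") -> str:
    """Tag each fact with a taxonomy concept plus its context and unit."""
    root = ET.Element(f"{{{XBRLI}}}xbrl")
    root.set("xmlns:iso4217", "http://www.xbrl.org/2003/iso4217")
    ctx = ET.SubElement(root, f"{{{XBRLI}}}context", id=context["id"])
    entity = ET.SubElement(ctx, f"{{{XBRLI}}}entity")
    ident = ET.SubElement(entity, f"{{{XBRLI}}}identifier",
                          scheme="http://example.com/entity-scheme")  # placeholder
    ident.text = context["entity"]
    period = ET.SubElement(ctx, f"{{{XBRLI}}}period")
    ET.SubElement(period, f"{{{XBRLI}}}startDate").text = context["start"]
    ET.SubElement(period, f"{{{XBRLI}}}endDate").text = context["end"]
    unit = ET.SubElement(root, f"{{{XBRLI}}}unit", id=currency)
    ET.SubElement(unit, f"{{{XBRLI}}}measure").text = f"iso4217:{currency}"
    for concept, value in facts.items():
        fact = ET.SubElement(root, f"{{{TAX}}}{concept}",
                             contextRef=context["id"], unitRef=currency, decimals="0")
        fact.text = str(value)
    return ET.tostring(root, encoding="unicode")


def parse_facts(xml_text: str) -> Dict[str, Fact]:
    """Read tagged facts back: concept -> (value, contextRef, unitRef)."""
    root = ET.fromstring(xml_text)
    facts: Dict[str, Fact] = {}
    for el in root:
        if el.tag.startswith(f"{{{TAX}}}"):
            concept = el.tag[len(TAX) + 2:]          # strip "{namespace}"
            facts[concept] = (int(el.text), el.get("contextRef"), el.get("unitRef"))
    return facts


def check_business_rules(facts: Dict[str, Fact]) -> List[str]:
    """Testable business rules over tagged facts; empty list means the report passes.

    Logical rules: the three balance sheet concepts must be present and
    reported for the same context and unit. Mathematical rule: the
    accounting equation Assets = Liabilities + Equity must hold.
    """
    errors: List[str] = []
    required = ("Assets", "Liabilities", "Equity")
    missing = [c for c in required if c not in facts]
    if missing:
        return [f"missing concepts: {missing}"]
    if len({facts[c][1] for c in required}) != 1:
        errors.append("balance sheet facts refer to different contexts")
    if len({facts[c][2] for c in required}) != 1:
        errors.append("balance sheet facts are reported in different units")
    assets, liabilities, equity = (facts[c][0] for c in required)
    if assets != liabilities + equity:
        errors.append(f"Assets ({assets}) != Liabilities + Equity ({liabilities + equity})")
    return errors


if __name__ == "__main__":
    instance = build_instance(CONTEXT, FACTS)
    print(instance)
    print("violations:", check_business_rules(parse_facts(instance)))
```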

9. Applicable regulatory and compliance requirements:


9.1. What is regulatory compliance?
Compliance means conforming to a rule, such as a specification, policy, standard or law.
Regulatory Compliance describes the goal that organizations aspire to achieve in their efforts
to ensure that they are aware of and take steps to comply with relevant laws, policies, and
regulations. Regulatory compliance is an organization's adherence to laws, regulations,
guidelines and specifications relevant to its business. Violations of regulatory compliance
requirements may result in legal interest, penalty, prosecution etc. We can classify
compliance & regulatory requirements into:
a. General – Applicable to all, irrespective of the type of business.
b. Specific – Applicable to specific types of businesses only.

9.2. Regulatory compliance and accounting system:


Regulatory Compliance describes the goal that organizations aspire to achieve in their efforts to
ensure that they are aware of and take steps to comply with relevant laws, policies, and
regulations. Below are 2 types of software which have both negative and positive aspects.

Comparison of Accounting & Tax Compliance Software with Only Tax Compliance Software:

1. Ease of software operation
Accounting & Tax Compliance Software: Less - As this is an integrated system of accounting &
tax compliance, everything is connected with each other and making changes at one place may
affect other aspects also.
Only Tax Compliance Software: More - As this is used only for one single purpose, it is less
complicated and bound to be easy.

2. Features and facilities
Accounting & Tax Compliance Software: Less - Since this system is not an exclusive system for
tax compliance, it may have limited features for tax compliance.
Only Tax Compliance Software: More - Since this is an exclusively designed system for tax
compliance, more features & facilities shall exist here.

3. Time and efforts required
Accounting & Tax Compliance Software: Less - Since this is an integrated system, the time
required to transfer data to compliance software is zero.
Only Tax Compliance Software: More - Since this is separate software, data from the accounting
software needs to be put in. This may take extra time and effort.

4. Accuracy
Accounting & Tax Compliance Software: More - As this is an integrated system, accounting data
and tax compliance data shall always be the same, ensuring more accuracy in data.
Only Tax Compliance Software: Less - There are two separate systems; reconciliation with
accounting data is needed, and the possibility of mismatch of data is always there.

5. Cost
Accounting & Tax Compliance Software: More - If the tax compliance feature is not available in
the accounting system, getting it customized may require a good amount of money.
Only Tax Compliance Software: Less - Since this is specific purpose software, there shall be
fewer complications and the cost also shall be less.


TEST YOUR KNOWLEDGE

Ques 1-
XYZ, a leading publication house of Delhi, was facing many issues like delay in completing the
orders of its customers, manual processing of data, increased lead time, inefficient business
processes etc. Hence, the top management of XYZ decided to get SAP, an ERP system,
implemented in the publication house.
Using the proper method of vendor selection, Digisolution Pvt. Ltd. was selected to implement
SAP software in XYZ publication house. To implement the software, the IT team of Digisolution
Pvt. Ltd. visited XYZ's office a number of times and met its various officials to gather and
understand their requirements. With due diligence, the SAP software was customized and well
implemented in the publishing house. After the SAP implementation, the overall system
became integrated and well connected with other departments. This raised a concern in the
minds of a few employees of XYZ, who worried about their job security, leading to some quitting
their jobs. The top management of XYZ showed its concern on this issue and wanted to retain a
few of its employees. Answer the following questions-

1. Imagine that you are a core team member of Digisolution Pvt. Ltd. While customizing the Sales
and Distribution Module of SAP software, you need to know the correct sequence of all the
activities involved in the module. Identify the correct option that reflects the correct
sequence of the activities:
i. Material Delivery
ii. Billing
iii. Pre-Sales Activities
iv. Sales Order
v. Payments
vi. Inventory Sourcing
Choose the correct sequence from the following-
a) (i) - (iii) – (ii) – (iv) – (v)- (vi)
b) (ii) – (iv)- (vi) – (iii) – (i) – (v)
c) (iii)- (iv) – (vi)- (i) –(ii) – (v)
d) (iv)- (i) – (iii), (v), (ii), (vi)

2. In purview of above situation, which of the following control can be helpful to management of
XYZ publishing house to retain its employees and stopping them to leave the company?
a) Training can be imparted to employees by skilled consultant.
b) Allocation of employees to task matching their skill set, fixing of compensation package.
c) Management should stop the implementation of ERP.
d) Backup arrangement is required.


3. The SAP software was successfully implemented by XYZ publication house after overcoming
many challenges. The risk associated with “Patches and upgrades not installed and the tools
being underutilized” belongs to __________ risk?
a) Technological.
b) Implementation.
c) People.
d) Process.

Solution 1-
Q. 1: Answer C - (iii)- (iv) – (vi)- (i) –(ii) – (v)
Q. 2: Answer B - Allocation of employees to task matching their skill set, fixing of compensation
package.
Q. 3: Answer A - Technological

Ques 2-
Unique Services, a well-established firm of Chartered Accountants with nine branches at
different locations in Delhi, deals in accounting, auditing and taxation assignments like return
filing, corporate taxation and planning, company formation and registration of foreign
companies etc. The firm has its own ERP software. The firm decided to take up Real Estate
Regulatory Authority (RERA) registration work, which requires upgradation of its software. Hence,
the principal partner of the firm asked its associate partner to prepare a list of various
clients dealing in construction and development of flats, commercial properties etc.
The firm's management took care to select the vendor to upgrade their ERP software,
which will act as an online assistant to its clients, providing them complete details about
registration and filing of various forms and resolving their frequently asked questions. The
firm also wanted a safe and secure working environment for its employees to file various forms
under the RERA Act on behalf of clients using digital signatures. The management also instructed
its employees to mandatorily use the Digital Signature of clients for fair practices, and any
dishonesty found in this regard may lead to penal provisions under various acts including the
IT Act, 2000. Answer the following questions-

1. In purview of case scenario, Unique Services requires to make changes in its software for its
users for RERA related matters. Identify the part of the overall software which actually
interacts with the users using the software?
a) Back End.
b) Front End.
c) Middle Layer.
d) Reports.


2. The firm decided to have an online assistant for its clients to provide complete details
regarding taxation, registration and filing of various forms and to solve their queries. This is
an example of _________ application?
a) Installed application
b) Web Application
c) Cloud Based Application
d) Direct Application

3. While filing the tax for its client ABC, the firm Unique Services enters the details of its TDS
and GST in the requisite forms. Identify from the following which type of master data this
belongs to:
a) Accounting Master Data
b) Inventory Master Data
c) Statutory Master Data
d) Payroll master Data

Solution 2-
Q. 1: Answer B - Front End
Q. 2: Answer C - Cloud Based Application.
Q. 3: Answer C - Statutory Master Data


INFORMATION SYSTEMS AND ITS COMPONENTS

1. Information System:
Data is a raw fact and can take the form of a number or statement such as a date or a
measurement. It is necessary for businesses to put in place procedures to ensure data has been
processed so that it is meaningful. So, in other words, processed data is called information.
"A group of mutually related, cooperating elements with a defined boundary, working on
reaching a common goal by taking inputs and producing outputs in an organized transformation
process" is called a system.

Role of information system in a business:

Systems may have a single goal to achieve. This is accomplished by achieving sub-goals set by
sub-systems under a common system. This is similar to the working of different departments of
an organization to achieve overall corporate objectives. For a system, data of any form is an
input, which in turn creates information as an output. To monitor the performance of the
system, some kind of feedback mechanism is required. In addition, control must be exerted to
correct any problems that occur & ensure that the system is fulfilling its purpose. As such,
there are 5 components of a system:

Input, Process, Output, Feedback and Control


The term "information system" means the interaction between processes and technologies. Now
we will study information systems in detail:

Working of IS:
• Information System: An Information System (IS) is a combination of people, hardware,
software, communication devices, network and data resources that processes data and
information for a specific purpose.
• Working of IS: The system needs inputs from the user, which will then be processed to
produce output.
• Sharing of Information: The output will be sent to another user or other system via a
network, with a feedback method that controls the operation.

The main aim and purpose of each Information System is to convert the data into information
which is useful and meaningful. An Information System depends on -
1. Resources of people (end users and IS specialists),
2. Hardware (machines and media),
3. Software (programs and procedures),
4. Data (data and knowledge bases), and
5. Networks (communications media and network support)


to perform input, processing, output, storage, and control activities that transform data
resources into information products. This information system model highlights the relationships
among the components and activities of information systems. An information system model
comprises the following steps:
 Input: Data is collected from an organization or from external environments & converted
into the suitable format required for processing.
 Process: A process is a series of steps undertaken to achieve a desired outcome or goal.
Businesses looking to effectively utilize Information Systems do more: using
technology to manage and improve processes, both within a company and
externally with suppliers and customers, is the goal.
 Output: Information is stored for future use or communicated to the user after
application of the respective procedure on it.
 Storage: The storage of data shall be done at the most detailed level possible. Regular
backups should be stored in geographically different locations to avoid impact
on both the original data storage and the backup data storage due to any major
disaster such as flooding or fire.
 Feedback: Apart from these activities, an information system also needs feedback that is
returned to appropriate members of the enterprise to help them evaluate
at the input stage.

2. Components of Information Systems:

With the help of information systems, businesses & individuals can use computers to collect,
store, process, analyze, and distribute information. There are different types of information
system: manual information system, informal information system, formal information system
and computer-based information system. This chapter concentrates on computer-based
information systems. An Information System comprises:

People : People here means IT professionals, i.e. those who can use hardware and software for
retrieving the desired information.
Hardware : Means the physical components of the computers, i.e. servers.
Software : Means the system software and application software.
Data : Data is the raw fact, which may be in the form of a database.
Network : Means communication media, i.e. internet, intranet, extranet etc.


2.1 People resources:

• People are the most important element in most Computer-based Information Systems.
• The people involved include users of the system and information systems personnel, including
all the people who manage, run, program, and maintain the system.
• More firms are realizing the importance of innovation to gain competitive advantage.

2.2 Computer system – Hardware and software:

• As per the chart, a computer comprises hardware and software.

• Hardware: That part of Information Systems that you can touch, i.e. the physical
components of technology such as keyboard, mouse etc. It basically consists of devices that
perform the functions of input, processing, data storage and output activities of the
computer. Some of these devices:
a. Input devices: Devices through which we interact with the systems; these include
devices like keyboard, mouse and other pointing devices.
b. Processing Devices: Include computer chips that contain the Central Processing Unit
and main memory. The Central Processing Unit (CPU or microprocessor) is the actual
hardware that interprets and executes the program (software) instructions. The
processor or CPU is like the brain of the computer. Following are the 3 functional
units of the CPU:
Control Unit (CU): The CU controls the flow of data and instructions to and from memory,
interprets the instructions and controls which tasks to execute and when.
Arithmetic and Logical Unit (ALU): Performs arithmetic operations such as addition,
subtraction, multiplication, and logical comparison of numbers: equal to, greater
than, less than, etc.
Processor Registers: These are high speed memory units within the CPU for storing small
amounts of data (mostly 32 or 64 bits). Registers could be:
 Accumulators: They can keep running totals of arithmetic values.
 Address Registers: They can store memory addresses which tell the CPU where
in the memory an instruction is located.
 Storage Registers: They can temporarily store data that is being sent to or coming
from the system memory.


c. Data storage Devices: Refers to memory where data and programs are stored.
Various types of storage techniques/devices are:

1. Primary Memory: This includes the following:

 Random Access Memory (RAM):
1. This memory is volatile in nature: if the power goes off, the data is gone.
2. Its main purpose is to hold programs and data while they are in use.
Information can be read as well as modified.
 Read Only Memory (ROM):
1. This memory is non-volatile in nature: contents remain intact even when the power is off.
2. Used to store small amounts of information for quick reference by the CPU.
3. Information can be read but not modified.

Code to remember: C.D. - B.A.S.I.C.S.

Comparison of RAM and ROM:
Cost
RAM: Volatile memory is costly per unit size.
ROM: Non-volatile memory is cheap per unit size.
Data Retention
RAM: Volatile in nature, meaning information is lost as soon as power is turned off.
ROM: Non-volatile in nature (contents remain intact even in the absence of power).
Basic Working
RAM: The purpose is to hold programs and data while they are in use.
ROM: Used to store small amounts of information that are rarely changed.
Access to Information
RAM: Information can be read as well as modified.
ROM: Information can be read only and not modified.
Storage
RAM: Responsible for storing instructions & data that the computer is using at that present
moment; that is why it is a temporary memory.
ROM: Used by manufacturers to store data and programs like translators that are used
repeatedly; that is why it is a permanent memory.
Impact
RAM: RAM has a high impact on the system's performance.
ROM: ROM has no impact on the system's performance.
Capacity
RAM: RAM memory is large and of high capacity.
ROM: ROM is generally small and of low capacity.
Speed
RAM: RAM speed is quite high.
ROM: ROM speed is slower than RAM.

Cache Memory:
There exists a difference in speed between primary memory & registers. In order to bridge the
gap, we have cache memory, which stores copies of data from frequently used main memory
locations.


2. Secondary Memory:
Secondary memory devices are non-volatile, have greater capacity (they are available in large sizes), greater economy (their cost is lower compared to registers and RAM) and lower speed (slower compared to registers or primary storage).

Code to remember: M.E.S.S. - B.A.D. - V.F.
(MESS is BAD and Very Far)
Aspects: Primary/Main Memory vs Secondary Memory
Memory: Primary memory is an internal memory. Secondary memory is an external memory.
Expense: Primary memory is costlier than secondary memory. Secondary memory is cheaper than primary memory.
Speed to Access Data: Accessing data from primary memory is faster. Accessing data from secondary memory is slower.
Size: The computer has a small primary memory. The computer has a larger secondary memory.
Basic: Primary memory is directly accessible by the processor/CPU. Secondary memory is not directly accessible by the CPU.
Access: Primary memory is accessed by the data bus. Secondary memory is accessed by input-output channels.
Data: Data to be currently executed is copied to main memory. Data to be permanently stored is kept in secondary memory.
Volatility: Primary memory is usually volatile. Secondary memory is non-volatile.
Formation: Primary memories are made of semiconductors. Secondary memories are made of magnetic and optical material.

d. Output Devices: Computer systems provide output to decision makers at all levels of the enterprise to solve business problems. These outputs may be in visual, audio or digital form. Below are some types of output:
• Textual output comprises characters that are used to create words, sentences and paragraphs.
• Graphical output is a digital representation of non-text information such as drawings, charts, photographs and animation.
• Tactile output, such as raised-line drawings, may be useful for some individuals who are blind.
• Audio output is any music, speech or other sound.
• Video output consists of images played back at a speed that provides the appearance of full motion.

• Software- Software is defined as a set of instructions that tell the hardware what to do.
Software is created through the process of programming. Software can be broadly divided
into two categories: Operating Systems Software and Application Software.


An Operating System (OS) is a set of computer programs that manages computer hardware resources and acts as an interface with computer application programs.

Application software includes all software that causes a computer to perform useful tasks beyond the running of the computer itself. It is a collection of programs that helps in solving the user's problems.

VARIETIES OF ACTIVITIES ARE EXECUTED BY OPERATING SYSTEMS:

 Performing hardware functions: Application programs, to perform their tasks, must obtain input from keyboards, retrieve data from disk and display output on monitors. The operating system performs these hardware functions on their behalf.
 User Interfaces: An important function of any operating system is to provide a user interface.
 Hardware Independence: Every computer could have different specifications and configurations of hardware. The operating system provides Application Program Interfaces (APIs), which application developers use to create application software without depending on the details of the underlying hardware.
 Memory Management: The memory management features of an operating system control how memory is accessed and maximize the available memory and storage.
 Task Management: The task management feature of an operating system allocates resources among tasks to make optimum utilization of those resources.

2.3 Data Resources:


Data plays an important role for the business in formulating its strategies. Seeing the present scenario and future prospects, we must understand some of the terminology:
Data:
Data are the raw bits and pieces of information with no context. Data can be quantitative or qualitative. Quantitative data is numeric and qualitative data is descriptive. Once we have put our data into context, aggregated and analysed it, we can use it to make decisions for the entity.
Database:
The main aim of an information system is to transform data into meaningful and presentable information. To do this, the system must be able to take data, put the data into context, and provide tools for aggregation and analysis. A database is designed for this purpose. Separate databases should be created to manage unrelated information. For this we need a digital database.


Database Management System:

A database is just an electronic filing cabinet, i.e., a collection of computerized data files. The following operations are performed through a DBMS:
• Adding new files to the database,
• Deleting existing files from the database,
• Inserting data in existing files,
• Modifying data in existing files,
• Deleting data in existing files, and
• Retrieving or querying data from existing files.

Below are the advantages of a DBMS:

Code to Remember: D.R.A.C.U.L.A.S.

 Permitting Data Sharing:
One of the advantages of a DBMS is that the same information can be made available to different users.
 Minimizing Data Redundancy:
One of the major advantages of a DBMS is the minimization of data redundancy. Minimizing redundancy significantly reduces the cost of storing information on hard drives and other storage devices.
 Faster Application Development:
The data is already there in the database, so developers need only write the logic to retrieve it. Application development therefore becomes faster where a DBMS is deployed.
 Consistency of Program and File:
File formats and programs are standardized in a DBMS. This makes the data files easier to maintain because the same rules and guidelines apply across all types of data.
 User Friendly:
A DBMS makes data access and manipulation easier for the user and reduces the dependency of users on computer experts to meet their data needs.
 Latest Data and its Integrity:
Data integrity is maintained by possessing accurate, consistent and up-to-date data. In a DBMS, updates and changes to the data need be made in only one place, which ensures integrity.
 Achieving Program/Data Independence:
In a DBMS, data does not reside in the applications but in the database, so programs and data are independent of each other.
 Security Improvement:
• A DBMS allows multiple users to access the same data resources, which could pose a risk to an enterprise.
• To minimize this risk, rules can be built into the DBMS to control who may access sensitive data.
• Using passwords and access rights, a DBMS can restrict data access to only those who should see it.


2.4 Network and Communication System:

Effective and efficient communication is a valuable resource that helps in good management. To enable this communication, we need communication networks. Telecommunications enable an organization to move information rapidly between distant locations. Telecommunication helps employees, customers and suppliers to collaborate with anyone from anywhere. Such communications help the business to restructure its processes.

Computer Network:
A computer network is a collection of computers and other hardware interconnected by communication channels that allow the sharing of resources and information.

Network and communication system:
This consists of physical devices and software. Computers and communications equipment can be connected in networks for sharing voice, data, images, sound and video. A network links two or more computers to share data or resources such as a printer. In order to manage its information, the entity must do the following:
• Know its information needs;
• Acquire that information;
• Organize that information in a meaningful way;
• Assure information quality; and
• Provide software tools so users in the enterprise can access the information they require.

Types of Networks:
There are two types of networks:
• Connection Oriented Networks: Here a connection is first established and data is exchanged thereafter.
• Connectionless Networks: No prior connection is made before data exchange. The data to be exchanged carries the complete contact information of the recipient, and at each intermediate destination it is decided how to proceed further.

These two models have shaped the design of computer networks. Each of these networks is modelled to address the following basic issues:
 Routing: the process of deciding how to communicate the data from source to destination in a network.
 Bandwidth: the amount of data that can be sent across a network in a given time.
 Resilience: the ability of a network to recover from any kind of error, such as connection failure or loss of data.
 Contention: the situation that arises when there is a conflict for some common resource in a network. For example, network contention could arise when two or more computer systems try to communicate at the same time.


Important benefits of a computer network:

Code to Remember: S.C. - R.U.N.
(Supreme Court runs on a computer network)
1. Sharing of resources:
• Data can be stored at a central location and shared across different systems.
• Resource sharing also covers peripherals such as printers, which are normally shared by many systems.
2. Computational Power:
• If the processing is distributed among computer systems, the computational power available to the application increases.
3. Reliability:
• Because data and processing can be replicated across several systems, the network can continue to operate and recover from errors such as connection failure or loss of data.
4. User Communication:
• The network allows users to communicate using email, newsgroups, video conferencing, etc.
5. Nature of Information:
• There are situations where information must be distributed geographically.
• For example, the accounting information of various customers may be distributed across various branches, but a Consolidated Balance Sheet must be prepared at the year end. Networking is needed to access the information from all branches.

3. Information Systems Control:

With the increased use of technology in business, it is imperative to implement appropriate information systems controls in the organisation. IT should cover all key aspects of the business processes of an enterprise and should have an impact on its strategic and competitive advantage for its success.

3.1 Need for information systems:

The need for information systems in an enterprise can be summarized in the points below:
(a) IT has increased the ability to capture, store, analyse and process tremendous amounts of data and information.
(b) The IT department may store all financial records centrally.
(c) Today's dynamic global enterprises need information integrity, reliability and validity for the timely flow of accurate information throughout the organization.

3.2 Controls lacking in a computerized environment:

Code to Remember: A. - S.L.I.C.K.
{How to remember: very slick (cunning), so this is not good for a company in the long run}

1. Absence of controls:
• Absence of, or an inadequate, IS control framework, and also weak or missing general controls and IS controls.


2. Inadequate Security functionalities:
• Inappropriate technology implementations or inadequate security functionality in the technologies implemented.
3. Lack of management understanding:
• Lack of management understanding of IS risks and related controls.
4. Implementation complexities:
• Complexities of implementing controls in distributed computing environments and extended enterprises.
5. Lack of control features:
• Lack of control features, or of their implementation, in a highly technology-driven environment.
6. Lack of knowledge of IS risks:
• Lack of awareness and knowledge of IS risks and controls among business users and IT staff.

3.3 Classification of information systems controls:

Classification
• Objectives of Controls: Preventive Control || Detective Control || Corrective Control
• Nature of IS Resources: Environmental Control || Physical Access Control || Logical Access Control
• IS Function: Management Control Framework || Application Control Framework

OBJECTIVES OF CONTROLS: Classified according to the time at which they act, controls are Preventive Controls, Detective Controls and Corrective Controls. Now we will study each in detail.

• Preventive Controls:
 These controls prevent errors, omissions or security incidents from occurring.
 Examples: security checks such as a password rule that forbids the user's own name in the password, or input validation that rejects alphabetic characters entered in a numeric field.
 Any control can be implemented in both manual and computerized environments.
 One can give numerous examples of preventive controls in manual and computerized environments.
 Examples: Segregation of duties; Access control; Vaccination against diseases; Documentation, etc.


Purpose: Manual Control vs Computerized Control
Restrict unauthorized entry into the premises: Manual control: build a gate and post a security guard. Computerized control: use access control software, smart cards, biometrics, etc.
Restrict unauthorized entry into the software applications: Manual control: keep the computer in a secured location and allow only authorized persons to use the applications. Computerized control: use access control, viz. user ID, password, smart card, etc.

• Detective Controls:
 These controls are designed to detect errors, omissions or malicious acts that have occurred and to report the occurrence.
 Detective controls include monitoring and analysis to uncover activities or events that exceed authorized limits or violate known patterns in data.
 A scenario: a detective control may identify the account numbers of inactive accounts, or accounts that have been flagged for monitoring of suspicious activities.
 Examples: Cash counts; Bank reconciliation; Review of payroll reports; Comparing transactions on reports to source documents; Hash totals; Past-due accounts report, etc.
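A worked illustration of the hash-total detective control named above, added here as an example (it is not code from the notes). A batch of payments is totalled when it is captured, processed, and then re-totalled; the record count alone would miss a swapped account number or an altered amount, but the hash total of the account numbers and the amount total catch both. The payment records, account numbers and amounts are constructed sample data.

```python
"""Batch control totals as a detective control (added example).

At data capture, a batch is totalled three ways: record count, amount total
and a 'hash total' of the account numbers (a sum with no business meaning
whose only job is to change when an account number changes). After processing
the totals are recomputed and compared; every difference is reported.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import List


@dataclass(frozen=True)
class Payment:
    ref: str
    account: str        # digits only in this constructed format
    amount: Decimal


@dataclass(frozen=True)
class ControlTotals:
    count: int
    amount_total: Decimal
    hash_total: int     # sum of the account numbers treated as integers


def control_totals(batch: List[Payment]) -> ControlTotals:
    return ControlTotals(
        count=len(batch),
        amount_total=sum((p.amount for p in batch), Decimal("0")),
        hash_total=sum(int(p.account) for p in batch),
    )


def reconcile(expected: ControlTotals, batch: List[Payment]) -> List[str]:
    """Return discrepancy descriptions; an empty list means the batch agrees."""
    actual = control_totals(batch)
    findings = []
    if actual.count != expected.count:
        findings.append(f"record count {actual.count} != {expected.count}")
    if actual.amount_total != expected.amount_total:
        findings.append(f"amount total {actual.amount_total} != {expected.amount_total}")
    if actual.hash_total != expected.hash_total:
        findings.append(f"hash total {actual.hash_total} != {expected.hash_total}")
    return findings


# Constructed source batch, as keyed by the data-entry clerk.
SOURCE_BATCH = [
    Payment("P001", "10023", Decimal("1500.00")),
    Payment("P002", "10087", Decimal("240.50")),
    Payment("P003", "10051", Decimal("980.00")),
]
SOURCE_TOTALS = control_totals(SOURCE_BATCH)


def processed_batch_tampered() -> List[Payment]:
    """The same batch after processing: P002 was redirected to another account
    and the amount of P003 was changed. The record count is unchanged, so a
    count check alone would pass."""
    return [
        Payment("P001", "10023", Decimal("1500.00")),
        Payment("P002", "10099", Decimal("240.50")),   # account swapped
        Payment("P003", "10051", Decimal("890.00")),   # amount altered
    ]


if __name__ == "__main__":
    print("clean batch:", reconcile(SOURCE_TOTALS, SOURCE_BATCH))
    print("tampered batch:", reconcile(SOURCE_TOTALS, processed_batch_tampered()))
```

The hash total is computed on a field that is never added up for business purposes (account numbers), which is exactly why it is useful: an error or fraud that keeps the amounts balanced still changes it.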

• Corrective Controls:
 It is desirable to correct errors, omissions or incidents once they have been detected.
 This ranges from the correction of data-entry errors, to identifying and removing unauthorized users or software from systems or networks, to recovery from incidents, etc.
 These corrective processes should themselves be subject to preventive and detective controls, because they represent another opportunity for errors, omissions or falsification.
 Examples: a Business Continuity Plan (BCP); contingency planning; backup procedures; rerun procedures, etc.

NATURE OF IS RESOURCES: The controls can be classified as Environmental Controls || Physical Access Controls || Logical Access Controls.

• Environmental Controls:
 These controls are aimed at controlling the IT environment: power, air-conditioning, Uninterruptible Power Supply (UPS), smoke detection, fire extinguishers, etc.
 The controls for each environmental exposure are explained below.


Exposure: Control for environmental exposure

Fire Damage:
• Smoke Detectors: smoke detectors should be positioned at places above and below the ceiling tiles.
• Norms to reduce electrical fires: to reduce the risk of electrical fires, the location of the computer room should be strategically planned.
• Fire Extinguishers: manual fire extinguishers can be placed at strategic locations. Fire alarms, extinguishers, sprinklers, fire brigade numbers, smoke detectors and carbon-dioxide-based fire extinguishers should be well placed and maintained.
• Fire Alarm: both automatic and manual fire alarms may be placed at strategic locations and a control panel may be installed.
• Regular Inspection and Raising Awareness: regular inspection by the fire department should be conducted. The procedures to be followed during an emergency should be properly documented.

Electrical Exposures:
• Electrical Surge Protectors: the risk of damage due to power spikes can be reduced using electrical surge protectors, which are typically built into the Uninterruptible Power System (UPS).
• Uninterruptible Power System/Generator: in case of a power failure, the UPS provides backup by supplying electrical power for a certain span of time. Depending on the sophistication of the UPS, the electrical power supply can continue to flow for the required time period.
• Voltage Regulators and Circuit Breakers: these protect the hardware from temporary increases or decreases of power.
• Emergency Power-Off Switch: when the need arises for an immediate power shutdown, an emergency power-off switch installed at a strategic location can be used.

Water Damage:
• Water Detectors: these should be placed under the raised floor, near drain holes and near any unattended equipment storage facilities.
• Strategically locating the computer room: to reduce the risk of flooding, the computer room should not be located in the basement or on the ground floor of a multi-storey building.

Pollution & Other Damage:
• Prohibitions against eating, drinking and smoking within the Information Processing Facility.
• Redundant power links should feed into the facility so that interruption of one power supply does not adversely affect the electrical supply.

• Physical Access Controls:
 These are the controls relating to the physical security of tangible IS resources and of intangible resources stored on tangible media.
 Examples of physical access controls: security guards, door alarms, restricted entry to secure areas, logged visitor access, CCTV monitoring, etc.


Physical access control: Description

Locks on Doors:
 Cipher locks (Combination Door Locks): cipher locks are used in low-security situations or when many entrances and exits must be usable all the time. To enter, a person presses a 4-digit number, and the door unlocks for a predetermined period.
 Bolting Door Locks: a special metal key is used to gain entry when the lock is a bolting door lock. To avoid illegal entry, the keys should not be duplicated.
 Electronic Door Locks: a magnetic or embedded-chip-based plastic card key or token is entered into a reader to gain access in these systems.

Physical Identification Medium:
 Personal Identification Numbers (PIN): a secret number is assigned to the individual and serves to verify the authenticity of the individual. The visitor is asked to log on by inserting a card in some device and then entering their PIN via a PIN keypad for authentication. The entry is matched with the PIN available in the security database.
 Plastic Cards: these cards are used for identification purposes. Card holders should safeguard their card.
 Identification Badges: identification badges can be issued to personnel and visitors. For easy identification, the colour of the badge can differ by category.

Logging into Facilities:
 Manual Logging: all visitors should be prompted to sign a visitor's log indicating their name, the company represented, the purpose of their visit and the person to see.
 Electronic Logging: this is a combination of electronic and biometric security systems. User logins can be monitored and unsuccessful attempts highlighted.

Video Cameras / Security Guards:
 Cameras should be placed at specific locations and monitored by security guards.
 The video recordings must be retained for possible future playback.
 Extra security can be provided by appointing guards aided by CCTV feeds.

Dead Man Doors:
 The first entry door must close and lock before the second door will operate, with only one person permitted in the holding area.

Computer Terminal Locks:
 These locks ensure that the device attached to the desk is not turned on or disengaged by unauthorized persons.

Alarm System:
 Illegal entry can be avoided by linking the alarm system to inactive entry points.
 Security personnel should be able to hear the alarm when activated.

• Logical Access Controls:
 These are the controls relating to logical access to information resources, such as operating system controls, application software boundary controls, etc.
 Logical access controls are implemented to ensure that access to systems, data and programs is restricted to authorized users.
 Logical access controls are the system-based mechanisms used to define who may access what.


Technical Exposures: Controls for Technical Exposures

User Responsibilities:
 Password use: mandatory use of strong passwords.
 Unattended user equipment: users should ensure that none of their equipment is left unprotected. They should also secure their PCs with a password and not leave them accessible to others.

User Access Management:
 User registration: information about every user is documented. The de-registration process is equally important.
 Privilege management: access privileges are to be aligned with job requirements and responsibilities. For instance, an order-processing operator should have access only to the order-processing activity.
 User password management: allocation, storage, revocation and reissue of passwords are password management functions. Educating users about password management is important.
 Review of user access rights: a user's need to access information changes with time, so access rights need to be reviewed at periodic intervals.

Network Access Control (Code to remember: N. - C.U.R.E.S. - F.E., "NAC CURES Faults & Errors"):
An Internet connection exposes an organization to the harmful elements of the outside world. Protection can be achieved through the following.
 Network Segregation: where a network handles sensitive information, such networks can be isolated from Internet service usage.
 Call Back Devices: based on the principle of keeping intruders off the intranet altogether rather than relying only on security measures applied after a connection is accepted. The call-back device requires the user to enter a password and then breaks the connection. If the caller is authorized, the call-back device dials the caller's registered number to establish a new connection.
 Policy on Network Use: a business should formulate a policy for Internet services that aligns with the business objectives. Selection of appropriate services and approval to access them should be part of this policy.
 Routing & Network Connection Controls: the traffic between networks should be restricted, based on identification of the source access point.
 Enforced Path: it is necessary to specify the exact path or route connecting the networks to minimize any possible risk.
 Security of Network Services: authentication and authorization policies and techniques should be implemented across the organization's network.


 Firewall: a system that enforces access control between two networks. All traffic between the external network and the organization's intranet must pass through the firewall, which allows only authorized traffic between the organization and the outside to pass through it.
 Encryption: the conversion of data into a secret code for storage in databases and for transmission. The sender uses an encryption algorithm with a key to convert the original message, called the clear text, into cipher text. The receiver decrypts the cipher text back into clear text with the corresponding key.
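The firewall point above ("only authorized traffic passes") comes down to a rule list evaluated in order with a default of deny. The following is an added example, not code from the notes, showing a first-match packet filter: the networks, hosts and rules are constructed, and a deliberately mis-ordered copy of the policy shows that a broad "allow" placed first silently overrides every rule after it.

```python
"""First-match packet filter with a default-deny policy (added example).

Rules are checked in order; the first rule that matches decides, and a packet
that matches no rule is dropped. Addresses and rules are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port; None means any port


def matches(rule: Rule, src: str, dst: str, proto: str, dport: int) -> bool:
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and rule.dport in (None, dport))


def decide(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> str:
    """Return the action of the first matching rule, or 'deny' if none matches."""
    for rule in rules:
        if matches(rule, src, dst, proto, dport):
            return rule.action
    return "deny"   # default deny: traffic not explicitly authorised never passes


# Constructed policy for a firewall between the Internet, a DMZ and the intranet:
#  - anyone may reach the DMZ web server on TCP 443;
#  - only the intranet jump host may reach DMZ hosts on TCP 22;
#  - nothing from outside may reach the intranet directly.
INTRANET = "10.0.0.0/8"
DMZ = "192.0.2.0/24"
WEB_SERVER = "192.0.2.10/32"
JUMP_HOST = "10.0.5.5/32"

POLICY = [
    Rule("allow", "0.0.0.0/0", WEB_SERVER, "tcp", 443),
    Rule("allow", JUMP_HOST, DMZ, "tcp", 22),
    Rule("deny", "0.0.0.0/0", INTRANET, "any", None),
]

# The same rules with a broad "allow" inserted at the top. Sequence, not just
# content, decides the outcome, so a rule review must check order as well.
MISORDERED_POLICY = [Rule("allow", "0.0.0.0/0", DMZ, "any", None)] + POLICY


if __name__ == "__main__":
    print("internet -> web:443 ", decide(POLICY, "203.0.113.9", "192.0.2.10", "tcp", 443))
    print("internet -> web:22  ", decide(POLICY, "203.0.113.9", "192.0.2.10", "tcp", 22))
    print("jump host -> web:22 ", decide(POLICY, "10.0.5.5", "192.0.2.10", "tcp", 22))
    print("misordered, web:22  ", decide(MISORDERED_POLICY, "203.0.113.9", "192.0.2.10", "tcp", 22))
```

The explicit final deny for the intranet is redundant with the default, but auditors usually want the intention written into the rule base rather than implied by what is absent from it.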

Operating System Access Control:
The operating system is the computer's control program. It allows users and their applications to share and access common computer resources. The operating-system control policy determines who can access the operating system, which resources they can access, etc. The OS can be protected by the following means.

Code to remember: P.U.T. - D.A. - T.A.L.C.

• Password management system:
 Password-protected files should not be accessible to all users.
• User identification and authentication:
 Users must be identified and authenticated by means such as biometric authentication, digital certificates, etc.
• Automatic terminal identification:
 This helps ensure that a specified session can only be initiated from a certain location or computer terminal.
• Duress alarm to safeguard users:
 This alarm activates and informs the concerned authority when a person accesses the operating system under threat.
• Access Token:
 After a successful login, the system creates a unique access token containing details of the person who logged in and their privileges.
 This token is used to approve the different types of tasks the user performs on the OS.
• Terminal time-out:
 If a terminal is inactive for a defined period, the system automatically times out the session. E.g., on the income-tax site one session lasts 15 minutes; after it expires, re-login is required.
• Access Control:
 The system administrator keeps a log of all access and maintains control over it.
 Resource owners are granted discretionary access control, which allows them to grant access privileges to other users.
• Log-in procedures:
 The login procedure is the first step in controlling unauthorized access to systems.
 When a user logs in by entering a user-id and password, the system compares them against a database of valid users and accordingly authorizes the login.
• Access Control List:
 This list contains information that defines the access privileges for all valid users.
 When a user attempts to access a resource, the system compares the user-id and rights contained in the access token with those contained in the access control list. If they match, access is granted.
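The log-in procedure, access token, access control list and terminal time-out above fit together as one mechanism. The following toy model, added here as an example and not code from the notes, shows that flow end to end: credentials are checked against a database of valid users holding salted PBKDF2 hashes, a token carrying the user's privileges is issued, each resource request is checked against the ACL through that token, an idle session times out, and every unsuccessful login is written to an event log. The user-ids, passwords, resources and privilege names are constructed for the example.

```python
"""Toy model of operating-system log-in, access token and ACL checks (added example)."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

PBKDF2_ROUNDS = 100_000
SESSION_TIMEOUT = 15 * 60          # seconds; the notes cite a 15-minute session


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


# Database of valid users: user-id -> (salt, password hash, privileges).
USERS: Dict[str, Tuple[bytes, bytes, FrozenSet[str]]] = {}


def register(user_id: str, password: str, privileges) -> None:
    salt = os.urandom(16)
    USERS[user_id] = (salt, hash_password(password, salt), frozenset(privileges))


# Access control list: resource -> privilege required to use it.
ACL: Dict[str, str] = {"/orders": "order_processing", "/users": "user_admin"}

# Event log of unsuccessful log-ins as (user-id, timestamp). Password guessing
# shows up here even though no access was granted.
FAILED_LOGINS: List[Tuple[str, float]] = []

# Dummy entry hashed for unknown user-ids so that response time does not
# reveal which user-ids exist.
_DUMMY = (b"\0" * 16, b"\0" * 32, frozenset())


@dataclass
class AccessToken:
    user_id: str
    privileges: FrozenSet[str]
    issued_at: float
    last_active: float


def login(user_id: str, password: str, now: Optional[float] = None) -> Optional[AccessToken]:
    """Log-in procedure: compare the supplied credentials with the user database
    and, on success, create the access token that later requests will carry."""
    now = time.time() if now is None else now
    salt, stored_hash, privileges = USERS.get(user_id, _DUMMY)
    candidate = hash_password(password, salt)
    if user_id not in USERS or not hmac.compare_digest(candidate, stored_hash):
        FAILED_LOGINS.append((user_id, now))
        return None
    return AccessToken(user_id, privileges, now, now)


def authorise(token: Optional[AccessToken], resource: str, now: Optional[float] = None) -> bool:
    """Access control: the session must still be live (terminal time-out) and the
    privilege named in the ACL entry must be present in the token."""
    now = time.time() if now is None else now
    if token is None or now - token.last_active > SESSION_TIMEOUT:
        return False            # timed out: re-login is required
    token.last_active = now
    required = ACL.get(resource)
    return required is not None and required in token.privileges


# Constructed users: an order-processing operator and an administrator.
register("operator1", "0rder-Pr0c3ss!ng-2022", {"order_processing"})
register("admin1", "c0rrect-h0rse-battery", {"order_processing", "user_admin"})


if __name__ == "__main__":
    tok = login("operator1", "0rder-Pr0c3ss!ng-2022")
    print("operator -> /orders:", authorise(tok, "/orders"))   # True
    print("operator -> /users:", authorise(tok, "/users"))     # False
    print("bad password:", login("operator1", "guess"))        # None, and logged
    print("failed log-ins:", FAILED_LOGINS)
```

Two details matter beyond the happy path: the comparison uses hmac.compare_digest so that a wrong password is not distinguishable by timing, and an unknown user-id is still run through the hash function so that the log-in procedure does not confirm which user-ids exist.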


Application and Monitoring System Access Control:

Code to Remember: M. - M.I.C.E.S.

• Mobile computing:
 Ease of access on the move provides efficiency and places additional responsibility on management to maintain information security.
 The possibility of theft of data carried on portable drives is a high risk factor.
 Both physical and logical access to these systems is critical.
• Monitor System Users:
 Constant monitoring of certain critical systems is essential.
 The types of access, operations, events and alerts are monitored.
 The log files are to be reviewed periodically and action taken if needed.
• Information access restriction:
 A user can access only those items he or she is authorized to access. This means the menu interface is restricted to what a person is authorized to do.
 Controls are implemented on the access rights of users, for example read, write, delete and execute.
• Clock Synchronization:
 Event logs maintained across an enterprise network play a significant role in relating one event to another.
 Hence, synchronizing clock time across the network is mandatory.
• Event Logging:
 In a computer system it is easy to maintain a log of all types of events.
 It is imperative to review and archive the logs for proper monitoring.
 With event logging, one can easily keep a record of the unsuccessful logins made by an intruder.
• Sensitive system isolation:
 This calls for isolating important systems from the main server so as to avoid any unauthorized access.
 Monitoring system access and use is a detective control, used to check whether the preventive controls discussed so far are working.
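The clock-synchronization and event-logging points above are easiest to see on a concrete log review. The following is an added example, not code from the notes: two hosts stamp their events with different UTC offsets, so the lines are first normalised to UTC (otherwise the ordering is wrong and a burst of failures split across hosts is missed), then unsuccessful logins per user-id are counted in a sliding window and any user over a threshold is flagged. The log format, host names, user-ids and addresses are constructed.

```python
"""Event-log review for unsuccessful log-ins with clock normalisation (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Dict, List, Tuple

LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) user=(?P<user>\S+)"
    r"(?: src=(?P<src>\S+))?$"
)

# Constructed sample: app01 stamps in +05:30, app02 in UTC. The same attacker
# hits both hosts; read naively, app01's lines look five and a half hours later.
SAMPLE_LOG = """\
2022-01-10T09:00:05+05:30 host=app01 event=login_failed user=rkumar src=10.1.4.7
2022-01-10T03:30:20+00:00 host=app02 event=login_failed user=rkumar src=10.1.4.7
2022-01-10T09:00:40+05:30 host=app01 event=login_failed user=rkumar src=10.1.4.7
2022-01-10T09:01:00+05:30 host=app01 event=login_ok user=rkumar src=10.1.4.7
2022-01-10T03:31:10+00:00 host=app02 event=login_failed user=rkumar src=10.1.4.7
2022-01-10T03:45:00+00:00 host=app02 event=login_failed user=smehta src=10.1.9.2
2022-01-10T11:00:00+05:30 host=app01 event=login_failed user=smehta src=10.1.9.2
"""

Event = Tuple[datetime, str, str, str]   # (utc timestamp, host, event, user)


def parse(lines: str) -> List[Event]:
    """Parse log lines, convert every timestamp to UTC and return them oldest first."""
    events: List[Event] = []
    for line in lines.splitlines():
        m = LINE.match(line)
        if not m:
            continue        # malformed lines are skipped, never guessed at
        ts = datetime.fromisoformat(m["ts"]).astimezone(timezone.utc)
        events.append((ts, m["host"], m["event"], m["user"]))
    events.sort(key=lambda e: e[0])   # only meaningful once everything is in UTC
    return events


def flag_failed_logins(lines: str, threshold: int = 4, window_seconds: int = 300) -> Dict[str, int]:
    """Return {user: peak failures} for users reaching `threshold` failed log-ins
    within any `window_seconds` span, across all hosts."""
    recent: Dict[str, deque] = defaultdict(deque)
    flagged: Dict[str, int] = {}
    for ts, _host, event, user in parse(lines):
        if event != "login_failed":
            continue
        window = recent[user]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged[user] = max(flagged.get(user, 0), len(window))
    return flagged


if __name__ == "__main__":
    for ts, host, event, user in parse(SAMPLE_LOG):
        print(ts.isoformat(), host, event, user)
    print("flagged:", flag_failed_logins(SAMPLE_LOG))   # {'rkumar': 4}
```

Without the UTC conversion the four failures for rkumar would appear as two separate pairs hours apart and neither would reach the threshold; this is the practical reason the notes call clock synchronization mandatory when logs from several systems are correlated.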

NATURE OF IS FUNCTION: The controls can be classified as Management Control Framework || Application Control Framework.


Management Control Framework:
• Top Management and Information Systems Management Controls: Planning; Organising; Leading; Controlling.
• Systems Development Management Controls: Problem definition and feasibility assessment; Analysis of existing system; Information processing system design; Hardware/Software acquisition; Acceptance testing and conversion; Operation and maintenance.
• Programming Management Controls: Planning; Control; Design; Coding; Testing; Operation & Maintenance.
• Data Resource Management Controls: Definition controls; Existence/Backup controls; Access controls; Update controls; Concurrency controls; Quality controls.
• Operations Management Controls: Computer operations; Network operations; Data preparation and entry; Production control; File library; Operation & maintenance.
• Security Management Controls: Threat identification; Control; Business Continuity Plan.
• Quality Assurance Management Controls: Concern of quality; Reason for emergence; Goals of quality control.


• Top Management and Information Systems Management Controls

Planning || Organising || Leading || Controlling

These controls ensure that the information systems function correctly and meet the strategic business objectives. It is management's responsibility to determine whether the controls the enterprise has put in place are sufficient to ensure that IT activities are adequately controlled. Although the controls flow from the top of an organization downwards, the responsibility still lies with senior management. Top management is responsible for preparing a master plan for the information systems function.
Planning:
This includes determining the goals of the information systems function and the means of achieving these goals. A steering committee comprising representatives from all areas of the business and IT personnel is responsible for the overall direction of IT.
Organizing:
There should be a prescribed IT organizational structure with documented roles and responsibilities and agreed job descriptions. This includes gathering, allocating and coordinating the resources needed to achieve organizational objectives.
Leading:
This includes activities such as motivating, guiding and communicating with personnel. The purpose of leading is to achieve harmony of objectives, i.e., a person's or group's objectives must not conflict with the organization's objectives. The process of leading requires managers to motivate subordinates, direct them and communicate with them.
Controlling:
This includes comparing actual performance with planned performance and determining when the actual activities of the information systems function deviate from the planned activities. The following activities are undertaken under the controlling head:

• Systems Development Management Controls:

Problem definition & feasibility assessment -> Analysis of existing system -> Information processing system design -> Hardware/Software acquisition & procedures development -> Acceptance testing and conversion -> Operation and maintenance

Problem definition & feasibility assessment:

 Information systems can be developed to help resolve problems or to take advantage of opportunities.
 All stakeholders must reach agreement on the problem and should understand the possible threats associated with the candidate solutions/systems in relation to asset safeguarding, data integrity, system effectiveness and system efficiency.
 The feasibility assessment is done to obtain a commitment to change and to evaluate whether cost-effective solutions are available to address the problem or opportunity that has been identified. All solutions must be properly and formally authorized to ensure their economic justification and feasibility.


Analysis of Existing system:


 Studying the existing organizational history, structure, and culture to gain an understanding of
social & task systems in place.
 Studying the existing product and information flows as proposed system will be based primarily
on current product and information flows.
 The designers need to understand the strengths and weaknesses of existing product to
determine the new system requirements and the extent of change required.

Information Processing system design:


Following activities are undertaken in this phase-
 Elicitation (bringing to light) of detailed requirements: Either ask the stakeholders or discover
the exact requirement through analysis and experimentation in case stakeholders are uncertain
about their needs.
 Design of data/information flow: The designers shall determine the flow of data/information
and transformation points, the frequency and timing of the data and information flows and the
extent to which data and information flows will be formalized. Tools such as DFD can be used for
this purpose.
 Design of Database and user interface: Design of database involves determining its scope and
structure, whereas the design of user interface determines the ways in which users interact with
a system.
 Physical design: This involves breaking up the logical design into units which in turn can be
decomposed further into implementation units such as programs and modules.
 Design of the hardware/software platform: In case the hardware and software platforms are
not available in organization, the new platforms are required to be designed to support the
proposed system.

Hardware/software acquisition and procedures development:


 To purchase a new application system or hardware, a request for proposal must be prepared,
vendor proposals are sought, and the final decision is made based on evaluation.
 During procedures development, designers specify the activities that users must undertake to
support the ongoing operation of the system and to obtain useful output.

Acceptance testing and conversion:


 Acceptance Testing is carried out to identify errors or deficiencies in the system prior to its final
release.
 The conversion phase comprises the activities undertaken to place the new system in operation.

Operation and Maintenance:


 In this phase, the new system is run and periodically modified to better meet its objectives.
 A formal process is required to identify and record the need for changes to a system and to
authorize and control the implementation of needed changes.
 The maintenance activities associated with these systems need to be approved and monitored
carefully.


• Programming management controls:


Below are the key points of this control
 Primary objective of the phase is to produce or acquire & to implement high-quality programs.
 There are 6 major phases in the program development life cycle, with the controls exercised in each:

Phase: Planning
Controls: Charts can be used to monitor progress against plan.

Phase: Control
Controls: The Control phase has two major purposes:
• Task progress in various software life-cycle phases should be monitored against plan and
corrective action should be taken in case of any deviations.
• Control over software development, acquisition, & implementation tasks should be exercised
to ensure that development is authentic, accurate, & complete.

Phase: Design
Controls: A systematic approach to program design, such as any of the structured design
approaches or object-oriented design, is adopted.

Phase: Coding
Controls:
• Programmers must choose a module implementation and integration strategy (like Top-down,
Bottom-up and Threads approach).
• A coding strategy (that follows the precepts of structured programming) and a documentation
strategy (to ensure program code is easily readable & understandable).

Phase: Testing
Controls: Three types of testing can be undertaken:
• Unit Testing – which focuses on individual program modules;
• Integration Testing – which focuses on groups of program modules; and
• Whole-of-Program Testing – which focuses on the whole program.
These tests are to ensure that a developed or acquired program achieves its specified requirements.

Phase: Operation and Maintenance
Controls: Management establishes formal mechanisms to monitor the status of operational programs
so maintenance needs can be identified on a timely basis. Three types of maintenance can be used:
• Repair Maintenance – in which program errors are corrected;
• Adaptive Maintenance – in which the program is modified to meet changing user requirements; and
• Perfective Maintenance – in which the program is tuned to decrease resource consumption.

• Data resource management controls:


Below are the key points of this control
 The primary objective of this phase is to manage and protect the data. For data to be
managed better, users must be able to share data, and data must be available to users.
 If a data repository system is used properly, it can enhance data & application system
reliability.
 Controls should be exercised over the roles by appointing trustworthy persons, separating
duties, and maintaining and monitoring logs of the data and database activities.
 Following control activities must be put in place to maintain the integrity of the
database:


Code to Remember : Q. - A. - D. U. C. E.
(Q- D.U.C.E. court and Ad court in Tennis)
1. Quality Controls:
 These controls ensure accuracy, completeness, & consistency of data in the database.
 Controls may include putting up validation check of input data and batch control over data
in transit.

2. Access Controls:
 Designed to prevent unauthorized individuals from viewing, retrieving, computing or
destroying the entity’s data.
• User Access Controls through passwords, tokens and biometric Controls; and
• Data Encryption: Keeping the data in the database in encrypted form.

3. Definition Controls:
 These controls are placed to ensure that the database always corresponds to and complies
with its definition standards.

4. Update Controls:
 These controls restrict updating of the database to authorized users, in the
following manner:
o By permitting only addition of data to the database; and
o By allowing users to change or delete existing data.

5. Concurrency Controls:
 These controls provide solutions, agreed-upon schedules and strategies to overcome the
data integrity problems;
 That may arise when two update processes access the same data at the same time.

6. Existence/Backup Controls:
 These controls ensure that proper backup and recovery plans are in place in case of
disaster.
 Backup refers to making copies of the data so that these additional copies may be used to
restore the original data.
 Backup controls ensure the availability of system in the event of data loss because of
unauthorized access, software and hardware failure.
 Various backup strategies like dual recording of data; periodic dumping of data; logging
input transactions and changes to the data are used.
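To make the three backup strategies concrete, here is an added example (it is not part of the notes): a periodic dump of a toy account database, a transaction log written to two independent copies (dual recording), and a recovery routine that restores the last dump and replays the logged changes in sequence. The account numbers, amounts and function names are all constructed for illustration.

```python
"""Periodic dump + logged transactions + dual recording, with roll-forward recovery."""
import copy
import json

# Constructed sample: a tiny key-value "database" of account balances.
INITIAL_DB = {"ACC-001": 500, "ACC-002": 250}

# Constructed transaction log captured after the last periodic dump.
# Each entry records the input transaction (and so the change it made).
TRANSACTION_LOG = [
    {"seq": 1, "op": "credit", "account": "ACC-001", "amount": 100},
    {"seq": 2, "op": "debit",  "account": "ACC-002", "amount": 50},
    {"seq": 3, "op": "credit", "account": "ACC-003", "amount": 75},
]


def apply_transaction(db, txn):
    """Apply one logged transaction to the database in place."""
    balance = db.get(txn["account"], 0)
    if txn["op"] == "credit":
        db[txn["account"]] = balance + txn["amount"]
    elif txn["op"] == "debit":
        db[txn["account"]] = balance - txn["amount"]
    else:
        raise ValueError(f"unknown op {txn['op']!r}")


def periodic_dump(db):
    """Periodic dumping: take a full copy of the database, serialised so it can be kept off-site."""
    return json.dumps(db, sort_keys=True)


def dual_record(db, txn, primary_log, mirror_log):
    """Dual recording: write the transaction to two independent logs before applying it,
    so the loss of one log (or the live database) still leaves a complete record."""
    primary_log.append(copy.deepcopy(txn))
    mirror_log.append(copy.deepcopy(txn))
    apply_transaction(db, txn)


def recover(dump, log, last_applied_seq=None):
    """Restore the dump, then roll forward by replaying the log in sequence order.
    last_applied_seq lets recovery stop at a known-good point (e.g. before a bad batch)."""
    db = json.loads(dump)
    for txn in sorted(log, key=lambda t: t["seq"]):
        if last_applied_seq is not None and txn["seq"] > last_applied_seq:
            break
        apply_transaction(db, txn)
    return db


def run_scenario():
    """Dump, then process transactions, then lose the live database and the primary log,
    then recover from the dump plus the mirror log. Returns (recovered == expected, recovered)."""
    live = dict(INITIAL_DB)
    dump = periodic_dump(live)
    primary, mirror = [], []
    for txn in TRANSACTION_LOG:
        dual_record(live, txn, primary, mirror)
    expected = dict(live)
    live.clear()       # simulated loss of the live database
    primary.clear()    # simulated loss of the primary log as well
    recovered = recover(dump, mirror)
    return recovered == expected, recovered
```

The point of the scenario is that no single copy is enough: the dump alone loses every transaction since it was taken, and the log alone has no starting state, but dump plus any one surviving log copy reconstructs the database exactly.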

• Security management controls:


Below are the key points of this control
 Information security administrators are entrusted with the task of ensuring that information
systems are secure.
 Assets are secure when the expected losses that will occur over some time are at an
acceptable level.
 The controls are classified based on the “Nature of Information System Resources” into
Environmental Controls, Physical Controls and Logical Access Controls.


 Threat Identification: A threat is some action/event that can lead to a loss. During threat-
identification phase, security administrators attempt to weed out all material threats that
can result in information systems assets being exposed for unauthorized purposes.
 However, despite controls, there is a possibility that a control might fail. When
disaster strikes, it still must be possible to recover operations and mitigate losses.
 There are 2 ways - a Disaster Recovery Plan (DRP) and Insurance.
 Disaster Recovery Plan (DRP)  A comprehensive DRP comprise four parts – an
Emergency Plan, a Backup Plan, a Recovery Plan and a Test Plan. The plan lays down the
policies, guidelines, and procedures for all Information System personnel.
Insurance Adequate insurance must be able to replace Information Systems assets and
to cover the extra costs associated with restoring normal operations.

• Operational management controls:


Below are the key points of this control
 Operational management is responsible for the daily running of hardware & software facilities.
 Operation management control performs controls over the following operations/functions:

Operation: Computer Operations
Controls: Controls over computer operations govern activities that directly support day-to-day
operations. The following 3 types of activities fall under this category:
 Operation Controls: These controls prescribe the functions that either human operators or
automated operations facilities must perform.
 Scheduling Controls: These controls prescribe how jobs are to be scheduled on a
hardware/software platform.
 Maintenance Controls: These controls prescribe how hardware is to be maintained in good
operating order.

Operation: Network Operations
Controls: This includes the proper functioning of network operations and monitoring the
performance of network communication channels, network devices, and network programs and
files. There are 3 components in network operations:
 Communication Lines: Cable, fiber optics, microwave and satellite etc.
 Hardware: Ports, modems, multiplexers, switches and concentrators.
 Software: Packet switching software, polling software etc.

Operation: Data Preparation and Entry
Controls: For data entered either through customers or by keyboard, facilities should be designed
to promote speed & accuracy & to maintain the wellbeing of operators.

Operation: Production Control
Controls: This includes functions like-
• Receipt and dispatch of input and output & Job scheduling;
• Management of service-level agreements with users;
• Transfer pricing/charge-out control.

Operation: File Library
Controls: This includes the management of an organization’s machine-readable storage media like
magnetic tapes, cartridges, and optical disks.

Operation: Documentation and Program Library
Controls: This involves that:
• Librarians ensure that documentation is stored securely;
• Only authorized persons are given access to these documents;
• Documentation is kept up-to-date & adequate backup exists.

Operation: Help Desk/Technical support
Controls: This assists end-users to:
(a) Employ end-user hardware and software such as micro-computers, spreadsheet packages,
database management packages etc.
(b) Obtain technical support for production systems through assistance with problem resolution.

Operation: Capacity Planning and Performance Monitoring
Controls: Regular performance monitoring facilitates capacity planning, wherein resource
deficiencies must be identified well in time so that they can be made available when they are
needed.

Operation: Mgmt. of Outsourced Operations
Controls: This has the responsibility for carrying out day-to-day monitoring of the outsourcing
contract.

• Quality assurance management controls:


Below are the key points of this control
 Quality Assurance management is concerned with ensuring that the:
o Information systems produced by the information systems function achieve certain quality
goals; and
o Development, implementation, operation and maintenance of Information systems comply
with a set of quality standards.
 Below are the reasons for the existence of quality control in a business:
Code to Remember : Q. – C.P.Ts.
(Why do CPT students maintain quality? To become a CA)
1. Quality of Software:
 Users are more demanding on the quality of the software they use when it comes to
the use of such software in their workings.

2. Cost factor:
 Poor quality control over the production, implementation, operation, and
maintenance of software can be costly.
 This indeed will lead to dissatisfied users and customers, lower morale among IS staff,
higher maintenance and strategic projects etc.

3. Project driven:
 Organizations are undertaking more ambitious projects when they build software.

4. Trend of improvement:
 Improving the quality of Information Systems is a part of a worldwide trend.
 The same is destined to improve the quality of the goods and services they sell.

5. Safety critical system:


 Organizations are increasingly producing safety-critical systems and;
 users are becoming more demanding in terms of the quality of the software they
employ to undertake their work.


THE APPLICATION CONTROL FRAMEWORK


The objective of application controls is to ensure that data remains complete, accurate and valid
during its input, update and storage. The specific controls could include form design, source
document controls, input, processing and output controls, etc. Any function or activity that
works to ensure the processing accuracy of the application can be considered an application
control.
“Application System Controls involve ensuring that individual application systems safeguard
assets (reducing expected losses), maintain data integrity (ensuring complete, accurate and authorized
data) and achieve objectives effectively and efficiently from the perspective of users of the system from
within and outside the organization.”
An Audit Trail should record all the material events that occur within the boundary subsystem to
analyze and search for error or irregularities. Audit Trail Controls attempt to ensure that a
chronological record of all events that have occurred in a system is maintained. 2 types of audit
trail exist in the system-
An Accounting Audit Trail to maintain a record of events within the subsystem.
An Operations Audit Trail to maintain a record of attempted or actual resource consumption associated
with each event in the subsystem.
Below is the diagrammatic presentation of controls mentioned in application control framework-

Application control framework
• Boundary Controls: Cryptographic Controls, Access Controls, PIN, Digital Signatures,
Plastic Cards, Audit Trail Controls
• Input Controls: Data Code Controls, Batch Controls, Validation of Input, Audit Trail Controls
• Communication Controls: Physical Component Controls, Line Error Controls, Flow Controls,
Link Controls, Topological Controls, Channel Access Controls, Controls over Subversive
threats, Audit Trail Controls
• Processing Controls: Processor Controls, Real Memory Controls, Virtual Memory Controls,
Application Software Controls, Audit Trail Controls
• Database Controls: Access Controls, Integrity Controls, Application Software Controls,
Concurrency Controls, Cryptographic Controls, File Handling Controls, Audit Trail Controls
• Output Controls: Inference Controls, Batch Output Controls, Batch Report Design Controls,
Online Output Controls, Audit Trail Controls


(a) Boundary Control:


The major controls of the boundary subsystem are access control mechanisms that link authentic
users to the authorized resources they are permitted to access. The boundary subsystem
establishes the interface between the user and the computer itself.

Cryptography:
 It deals with programs for transforming data into cipher text.
 A cryptographic technique encrypts data (clear text) into cryptograms (cipher text). 3
techniques of cryptography are transposition, substitution & product cipher.

Access Controls:
 Controls restrict use of computer system resources to authorized users.
 This access control mechanism involves 3 broad steps: Identification, Authentication and
Authorization.
• User’s identification is done by the user itself by providing his/her unique user id or
account number allotted to him/her.
• Authentication mechanism is used for proving the identity with the help of a password, which
may involve personal characteristics like name, birth date, employee code, biometric
identification including thumb or finger impression, eye retina etc.; information stored in
identification cards can also be used in an authentication process.
• Authorization refers to the set of actions allowed to a user once authentication is done
successfully.

Personal Identification Numbers:
 A PIN is similar to a password assigned to a user by the system.
 Below is the life cycle of PINs-
• Generation of PIN
• Issuance and delivery of PIN to users
• Validation of the PIN upon entry at the terminal device
• Transmission of the PIN across communication lines
• Processing and storage of PIN
• Replacement of the PIN or cancellation of PIN.

Identification Cards:
 Identification cards are used to store information required in an authentication process.
 These cards are to be controlled through the application for a card, issue and use, and card
return or card termination phases.

Digital Signatures:
 A Digital Signature serves as the analog of a handwritten signature for e-documents. Digital
Signatures are not constant like handwritten (analog) signatures – they vary across messages
and cannot be forged.
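The three cipher techniques named above, worked through as an added example (this code is not from the notes): a shift substitution, a columnar transposition, and their product. Substitution changes the letters but keeps their positions; transposition keeps the letters but changes their positions; the product applies one after the other. Keys, messages and function names are constructed, and these are teaching ciphers for showing how the techniques differ, not a way to protect real data.

```python
"""Substitution, transposition and product cipher (teaching example)."""
import string

ALPHABET = string.ascii_uppercase


def substitution_encrypt(clear, shift):
    """Substitution: replace each letter by the one `shift` places along the alphabet.
    Non-letters (spaces, digits) are left as they are."""
    out = []
    for ch in clear.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def substitution_decrypt(cipher, shift):
    return substitution_encrypt(cipher, -shift)


def transposition_encrypt(clear, columns):
    """Columnar transposition: write the text in rows of `columns` characters and read it
    out column by column. Short final rows are padded with 'X' so every column is full."""
    padded = clear + "X" * (-len(clear) % columns)
    rows = [padded[i:i + columns] for i in range(0, len(padded), columns)]
    return "".join(row[c] for c in range(columns) for row in rows)


def transposition_decrypt(cipher, columns):
    """Reverse the read-out: the cipher holds each column as a run of `rows_n` characters."""
    rows_n = len(cipher) // columns
    cols = [cipher[i:i + rows_n] for i in range(0, len(cipher), rows_n)]
    return "".join(cols[c][r] for r in range(rows_n) for c in range(columns))


def product_encrypt(clear, shift, columns):
    """Product cipher: transposition followed by substitution, so the padding is also hidden."""
    return substitution_encrypt(transposition_encrypt(clear, columns), shift)


def product_decrypt(cipher, shift, columns):
    """Undo the two stages in reverse order; the caller strips the 'X' padding (toy convention)."""
    return transposition_decrypt(substitution_decrypt(cipher, shift), columns)
```

Comparing `substitution_encrypt("ATTACK", 3)` with `transposition_encrypt("ATTACK", 3)` shows the difference directly: the first still has six letters in the same positions but every one changed, the second has exactly the original letters in a new order.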

Accounting Audit Trail of boundary control:
• All application-oriented events occurring within the boundary subsystem should be recorded.
• Data related to the identity of the user of the system; authentication information supplied;
resources requested or provided or denied; and
• Terminal Identifier & Start/Finish Time; number of sign-on attempts; & privileges allowed/denied.
Operations Audit Trail of boundary control:
• This includes details like resource usage from log-on to log-out time and a log of resource
consumption.
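The identification, authentication and authorization steps, together with the two boundary audit trails just listed, as an added example (not the notes’ own code): a user store holding salted password hashes, a log-on that records every sign-on attempt with its terminal and time, a role-based authorization check that records each resource request as granted or denied, and a log-off that writes the operations trail entry for the session. User ids, roles, resources and terminal identifiers are constructed for illustration.

```python
"""Identification, authentication, authorization and the boundary audit trails."""
import hashlib
import hmac
import os
from datetime import datetime, timezone

USERS = {}              # constructed user store: salted password hashes, never clear text
ROLE_PERMISSIONS = {    # constructed authorization table: role -> resources it may use
    "clerk": {"sales_entry"},
    "manager": {"sales_entry", "sales_report"},
}
ACCOUNTING_TRAIL = []   # identity, auth method, terminal, time, resources requested/granted/denied
OPERATIONS_TRAIL = []   # resource usage between log-on and log-out


def _now():
    return datetime.now(timezone.utc).isoformat()


def _hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; the store never holds the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(user_id, password, role):
    salt = os.urandom(16)
    USERS[user_id] = {"salt": salt, "hash": _hash_password(password, salt),
                      "role": role, "failed_attempts": 0}


def log_on(user_id, password, terminal_id):
    """Identification (user_id) and authentication (password). Returns a session or None."""
    record = USERS.get(user_id)
    # Hash against dummy values for unknown ids so timing does not reveal which ids exist.
    salt = record["salt"] if record else b"\x00" * 16
    stored = record["hash"] if record else b"\x00" * 32
    ok = record is not None and hmac.compare_digest(_hash_password(password, salt), stored)
    ACCOUNTING_TRAIL.append({"event": "sign_on", "user": user_id, "terminal": terminal_id,
                             "time": _now(), "auth_method": "password",
                             "result": "ok" if ok else "denied"})
    if not ok:
        if record:
            record["failed_attempts"] += 1
        return None
    record["failed_attempts"] = 0
    return {"user": user_id, "role": record["role"], "terminal": terminal_id,
            "start": _now(), "resources_used": []}


def request_resource(session, resource):
    """Authorization: grant only what the session's role permits; log either outcome."""
    allowed = resource in ROLE_PERMISSIONS.get(session["role"], set())
    ACCOUNTING_TRAIL.append({"event": "resource_request", "user": session["user"],
                             "resource": resource, "time": _now(),
                             "result": "granted" if allowed else "denied"})
    if allowed:
        session["resources_used"].append(resource)
    return allowed


def log_off(session):
    """Close the session; the operations trail records usage from log-on to log-out."""
    OPERATIONS_TRAIL.append({"user": session["user"], "terminal": session["terminal"],
                             "start": session["start"], "finish": _now(),
                             "resources_used": list(session["resources_used"])})


def sign_on_attempts(user_id):
    """Number of sign-on attempts for a user, as the accounting trail records them."""
    return sum(1 for e in ACCOUNTING_TRAIL
               if e["event"] == "sign_on" and e["user"] == user_id)


def run_demo():
    """One constructed session: a wrong password, then the right one, then one permitted
    and one denied resource request. Returns the observable outcomes as a tuple."""
    ACCOUNTING_TRAIL.clear()
    OPERATIONS_TRAIL.clear()
    register("clerk01", "correct horse battery", "clerk")
    first = log_on("clerk01", "wrong password", "T-07")
    session = log_on("clerk01", "correct horse battery", "T-07")
    entry_ok = request_resource(session, "sales_entry")
    report_ok = request_resource(session, "sales_report")
    log_off(session)
    return (first is None, session is not None, entry_ok, report_ok,
            sign_on_attempts("clerk01"), OPERATIONS_TRAIL[-1]["resources_used"])
```

Note what the accounting trail does and does not contain: the authentication method and the result, but never the password itself, which is exactly the "authentication information supplied" an auditor can review without the log becoming a second copy of the secrets.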


(b) Input Control:


These controls are responsible for ensuring the accuracy and completeness of data and
instructions input into an application system. Controls relating to data input are critical. It
might be necessary to reprocess input data in the event that master files are lost, corrupted, or
destroyed. Controls relating to instructions are often in the form of changes to data, which
are recorded in the audit trail.

Data Coding Control:
2 types of errors can corrupt a data code & cause processing errors. Either of these errors can
cause serious problems in data processing if they go undetected. Below are transcription and
transposition errors-
• Transcription Errors: Data entry errors that are commonly made by human operators or by
Optical Character Recognition (OCR) programs. These can be Addition errors (when an extra digit
is added to the code); Truncation Errors (when a digit is removed from the code) and
Substitution Errors (replacement of a digit in a code with another).
• Transposition Errors: A simple error of data entry that occurs when 2 digits that are either
individual or part of a larger sequence of numbers are reversed (transposed) when posting a
transaction. E.g., a sales order for customer 987654 written as 897654 posts to the wrong
customer’s account.

Batch Controls:
Batching is the process of grouping together transactions that have some type of relationship to
each other. Various controls can be exercised over a batch to prevent or detect errors. The
batch control totals used are as follows:
 Financial Totals
 Hash Totals
 Document/Record Counts

Validation Controls:
Input validation controls are intended to detect errors in the transaction data before the data
are processed. Some of these controls include the following:
(a) Field check- It involves programmed procedures that examine the characters of the data in
the field, e.g. picture check, record check etc.
(b) Record check- This includes a reasonableness check of whether the value specified in a
field is reasonable for that particular field.
(c) Batch Check- This includes checks like transaction type, i.e. whether all input records in
a batch are of a particular type.
(d) File Check- This includes the file’s version usage; internal and external labeling; data
file security; file updating and maintenance authorization etc.
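The data coding, batch and validation controls above, worked through as an added example (not code from the notes). A weighted modulus-11 check digit is appended to the customer code, which is the usual way a data code is made self-checking: it catches the 987654/897654 transposition from the text as well as substitutions. Batch control totals (record count, financial total, hash total) are recomputed from the records and reconciled against the totals submitted with the batch, and field, record and batch checks are run over each transaction. The customer codes, amounts, reasonableness limit and function names are constructed for illustration.

```python
"""Input controls: check digits, batch control totals and validation checks."""


def mod11_check_digit(code):
    """Weighted modulus-11 check digit: weights n+1..2 from the left (7..2 for six digits).
    Because adjacent weights differ, every single-digit substitution and every adjacent
    transposition changes the result and is therefore detected."""
    weights = range(len(code) + 1, 1, -1)
    total = sum(int(d) * w for d, w in zip(code, weights))
    remainder = (11 - total % 11) % 11
    return "X" if remainder == 10 else str(remainder)


def with_check_digit(code):
    return code + mod11_check_digit(code)


# Constructed batch of sales transactions; the 7-character customer code carries a check digit.
SAMPLE_BATCH = [
    {"type": "SALE", "customer": with_check_digit("987654"), "amount": 1200.00},
    {"type": "SALE", "customer": with_check_digit("123456"), "amount": 350.50},
    {"type": "SALE", "customer": with_check_digit("555555"), "amount": 80.00},
]


def compute_batch_totals(batch):
    """The three batch control totals: record count, financial total, hash total."""
    return {
        "record_count": len(batch),
        "financial_total": round(sum(t["amount"] for t in batch), 2),
        # Hash total: a sum with no business meaning (here of the customer numbers), kept
        # only to detect a changed, dropped or duplicated record.
        "hash_total": sum(int(t["customer"][:-1]) for t in batch),
    }


def reconcile_batch(batch, submitted_totals):
    """Compare totals computed from the records with those submitted on the batch header.
    Returns the names of the totals that disagree (an empty list means the batch balances)."""
    computed = compute_batch_totals(batch)
    return [name for name, value in submitted_totals.items() if computed.get(name) != value]


def validate_transaction(txn):
    """Field checks (format of each field, check digit) and a record check (reasonableness)."""
    errors = []
    cust = txn["customer"]
    if not (len(cust) == 7 and cust[:-1].isdigit()):
        errors.append("customer: field check failed")          # wrong length / characters
    elif mod11_check_digit(cust[:-1]) != cust[-1]:
        errors.append("customer: check digit failed")          # e.g. 987654 keyed as 897654
    amount = txn["amount"]
    if not isinstance(amount, (int, float)) or amount <= 0:
        errors.append("amount: field check failed")
    elif amount > 100_000:                                     # constructed reasonableness limit
        errors.append("amount: reasonableness check failed")
    return errors


def validate_batch(batch, expected_type):
    """Batch check (all records of one transaction type) plus per-record validation.
    Returns findings keyed by 'batch' or by record index; an empty dict means clean."""
    findings = {}
    wrong_type = [i for i, t in enumerate(batch) if t["type"] != expected_type]
    if wrong_type:
        findings["batch"] = [f"record {i}: wrong transaction type" for i in wrong_type]
    for i, t in enumerate(batch):
        record_errors = validate_transaction(t)
        if record_errors:
            findings[i] = record_errors
    return findings
```

The check digit and the batch totals catch different things: the check digit flags a mis-keyed code inside one record, while a hash total or record count that does not reconcile flags a record that was lost, duplicated or altered somewhere between the source documents and the file.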

Accounting Audit Trail of Input control:
• This must record the origin, contents, & timing of transactions entered into the application
system, including the identity of the person (organization) who was the source of the data
& who entered the data into the system.
• Time and date when the data was captured; the identifier of the physical device used to enter
the data into the system; the account or record to be updated by the transaction;
• Details of the transaction; and the number of the physical or logical batch to which the
transaction belongs.
Operations Audit Trail of Input control:
• Some of the data that might be collected include time to key in a source document or an
instrument at a terminal;
• E.g. number of keying errors identified during verification; frequency with which an
instruction in a command language is used; and time taken to invoke an instruction using
different input devices like light pen or mouse.


(c) Communication Control:


Communication Controls aim to eliminate exposures in the communication subsystem: controls
over physical components, communication line errors, flows, & links, topological controls,
channel access controls, controls over subversive attacks, etc. Some communication controls
are as follows:

(a) Physical Component Controls:


In the communications subsystem, the physical components shall have characteristics
that make them reliable and incorporate features and controls that mitigate the possible
effects of exposures. Major physical components that affect reliability of communication
subsystem are Transmission media, communication lines, concentrators etc.

(b) Line Error Controls:


Whenever data is transmitted over a communication line it may be possible that it is not
received by the receiver due to distortion, or noise that occurs on the line. These errors
must be detected and corrected.

(c) Flow Controls:


Whenever data is transmitted, nodes in a network can differ in terms of the rate at which
they can send, receive, and process data; flow controls keep a fast sender from overwhelming
a slower receiver.

(d) Link Controls:


In Wide Area Network (WAN), line error control and flow control are important functions
in the component that manages the link between two nodes in a network.

(e) Topological Controls:


A communication network topology specifies the location of nodes within a network, the
ways in which these nodes will be linked, and the data transmission capabilities of the
links between the nodes. Following are 2 types of network topologies:
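The line error controls of (b) above, as an added example (not code from the notes): a sender attaches both a parity bit and a CRC-16 to each frame, the receiver recomputes them over what it actually received, and a stop-and-wait retransmission loop corrects errors by asking for the frame again. The example also shows why a CRC is preferred over simple parity: a two-bit error leaves the parity unchanged but is caught by the CRC. The payloads and the noise patterns are constructed; the CRC parameters are those of the standard CRC-16/CCITT-FALSE.

```python
"""Line error controls: parity vs. CRC detection, and correction by retransmission."""


def parity_bit(data):
    """Even parity over the whole frame: 1 if the number of 1-bits is odd, else 0."""
    return sum(bin(b).count("1") for b in data) % 2


def crc16_ccitt(data):
    """CRC-16/CCITT-FALSE (polynomial 0x1021, initial value 0xFFFF), bit-serial form."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def send_frame(payload):
    """Sender appends both checks so the receiver can compare them."""
    return {"payload": payload, "parity": parity_bit(payload), "crc": crc16_ccitt(payload)}


def flip_bits(data, positions):
    """Simulated line noise: invert the given bit positions (bit 0 is the LSB of byte 0)."""
    out = bytearray(data)
    for pos in positions:
        out[pos // 8] ^= 1 << (pos % 8)
    return bytes(out)


def check_frame(frame):
    """Receiver recomputes each check over the payload it actually received."""
    return {"parity_ok": parity_bit(frame["payload"]) == frame["parity"],
            "crc_ok": crc16_ccitt(frame["payload"]) == frame["crc"]}


def transmit_with_retransmission(payload, noise_per_attempt, max_attempts=3):
    """Stop-and-wait correction: the receiver rejects any frame whose CRC fails and the
    sender retransmits. noise_per_attempt[i] lists the bits the line corrupts on attempt i.
    Returns (delivered_ok, attempts_used)."""
    for attempt in range(1, max_attempts + 1):
        positions = noise_per_attempt[attempt - 1] if attempt - 1 < len(noise_per_attempt) else []
        frame = send_frame(payload)
        frame["payload"] = flip_bits(frame["payload"], positions)
        if check_frame(frame)["crc_ok"]:
            return True, attempt
    return False, max_attempts
```

The operations audit trail for this subsystem would be fed from exactly the counters this loop has in hand: errors per link and retransmissions per link, which is why those two figures appear in the table that follows.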

Accounting Audit Trail of communication control:
• This includes collection of data like the unique identifier of the source and destination;
• Each node that the message traverses (crosses); unique identifier of the person or process
authorizing dispatch of the message; time and date at which the message was dispatched and
received by the sink node.
• Time & date at which each node in the network was traversed by the message; message sequence
number; & image of the message received at each node traversed in the network.
Operations Audit Trail of Communication control:
• This includes details like the number of messages that have traversed each link and each
node; queue lengths at each node;
• Number of errors occurring on each link or at each node; number of retransmissions that have
occurred across each link; log of errors to identify locations and patterns of errors; log of
system restarts; and message transit times between nodes and at nodes.


(d) Processing control:


Processing Controls are responsible for computing, sorting, classifying and summarizing data.
Processing is done by the computer system with the help of the following components.
a) Processor Control-

Control: Error Detection and Correction
Explanation:
 Occasionally, processors might malfunction because of design errors, manufacturing defects,
damage, fatigue etc.
 Failure might be transient OR intermittent. For transient & intermittent errors, re-tries &
re-execution might be successful, whereas for permanent errors, the processor must halt & report
the error.
 Transient Error- Disappears after a short period.
Intermittent Error- Reoccurs periodically.

Control: Multiple Execution States
Explanation:
 It is important to determine the number and nature of the execution states enforced by the
processor.
 This helps auditors to determine which user processes will be able to carry out unauthorized
activities.

Control: Timing Controls
Explanation: An operating system might get stuck in an infinite loop. In the absence of any
control, the program will retain use of the processor and prevent other programs from undertaking
their work.

Control: Component Replication
Explanation:
1. In some cases, processor failure can result in significant losses.
2. Redundant processors allow errors to be detected and corrected.
3. If processor failure is permanent, the system might reconfigure itself to isolate the failed
processor.

b) Real Memory Control-


 This comprises the fixed amount of primary storage in which programs or data must
reside for them to be executed or referenced by the central processor.
 Real memory controls seek to detect and correct errors that occur in memory cells and
to protect areas of memory assigned to a program from illegal access by another
program.

c) Virtual Memory Control-


 Virtual Memory exists when the addressable storage space is larger than the available
real memory space.
 To achieve this outcome, a control mechanism must be in place that maps virtual
memory addresses into real memory addresses. When an executing program references
virtual memory addresses, the mechanism then translates these addresses into real
memory addresses.

d) Application Software Controls -


 These perform validation checks to identify errors during processing of data. These are
required to ensure both the completeness and the accuracy of data being processed.
 Processing controls are enforced through database management system that stores the
data. However, adequate controls should be enforced through the front-end application
system also to have consistency in the control process.


Accounting Audit Trail of processing control:
• This includes data items to trace and replicate the processing performed on a data item that
enters the processing subsystem; to follow triggered transactions from end to end by monitoring
input data entry, intermediate results and output data values; to check for the existence of
any data flow diagrams or flowcharts that describe data flow in the transaction; and
• Whether the diagrams or flowcharts correctly identify the flow of data, & to check whether
audit log entries recorded the changes made to the data items at any time.
Operations Audit Trail of processing control:
• This includes a comprehensive log on hardware consumption – CPU time used, secondary storage
space used, and communication facilities used;
• & a comprehensive log on software consumption – compilers, subroutine libraries, file
management facilities and communication software used.

(e) Database control:


These controls are used within an application software to maintain the integrity of data, to
prevent integrity violations when multiple programs have concurrent access to data, and the
ways in which data privacy can be preserved within the database subsystem.

1. Access Controls: These controls in database subsystem seek to prevent unauthorized


access to & use of the data. A security policy has to be specified followed by choosing
an access control mechanism that will enforce the policy chosen. If database is
replicated, the same access control rules must be enforced by access control mechanism
at each site.

2. Integrity Controls: These are required to ensure that the accuracy, completeness, and
uniqueness of instances used within the data or conceptual modeling are maintained.

3. Application Software Controls: When application software acts as an interface to


interact between the user and the database, the DBMS depends on application software
to pass across a correct sequence of commands.

4. Concurrency Controls: These are required to address the situation that arises either due
to simultaneous access to the same database or due to deadlock.

5. Cryptographic Controls: These controls can be well used for protecting the integrity of
data stored in the database using block encryption.

6. File Handling Controls: These controls are used to prevent accidental destruction of
data contained on a storage medium. These are exercised by hardware, software, and
the operators or users who load/unload storage media.
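Concurrency Controls (item 4 above, and the same control under data resource management earlier) are easiest to understand from the failure they prevent. The following added example (not the notes’ own code) first reproduces the lost-update problem, where two update processes read the same balance and the second write silently discards the first deposit; then applies an optimistic control (a version number checked at write time) that rejects the stale write and makes the process retry; and finally shows the usual defence against deadlock, acquiring locks on two rows in one fixed global order so that opposite transfers running at the same time cannot block each other. Balances, deposit amounts and class or function names are constructed for illustration.

```python
"""Concurrency controls: lost update, optimistic locking, and deadlock-free two-row updates."""
import threading


class Row:
    """One database row carrying a version number for optimistic concurrency control."""

    def __init__(self, value):
        self.value = value
        self.version = 0
        self.lock = threading.RLock()

    def read(self):
        with self.lock:
            return self.value, self.version

    def write_unchecked(self, new_value):
        """Blind write: what an update process does when no concurrency control exists."""
        with self.lock:
            self.value = new_value
            self.version += 1

    def write_if_unchanged(self, new_value, expected_version):
        """Compare-and-set: commit only if no other process wrote since our read."""
        with self.lock:
            if self.version != expected_version:
                return False
            self.value = new_value
            self.version += 1
            return True


def lost_update(initial, deposit_a, deposit_b):
    """Two update processes interleave read-modify-write with no control: B's stale read
    overwrites A's deposit, so one deposit silently vanishes."""
    row = Row(initial)
    a_val, _ = row.read()          # process A reads
    b_val, _ = row.read()          # process B reads the same, soon-to-be-stale value
    row.write_unchecked(a_val + deposit_a)
    row.write_unchecked(b_val + deposit_b)   # overwrites A's update
    return row.value


def controlled_update(initial, deposit_a, deposit_b):
    """Same interleaving under optimistic control: B's write is rejected because the
    version moved, so B re-reads and re-applies. Returns (final value, B's retries)."""
    row = Row(initial)
    a_val, a_ver = row.read()
    b_val, b_ver = row.read()
    row.write_if_unchanged(a_val + deposit_a, a_ver)              # A commits first
    committed = row.write_if_unchanged(b_val + deposit_b, b_ver)  # stale: rejected
    retries = 0
    while not committed:
        retries += 1
        b_val, b_ver = row.read()
        committed = row.write_if_unchanged(b_val + deposit_b, b_ver)
    return row.value, retries


def transfer(src, dst, amount):
    """Lock both rows in one global order (here by object id) so two opposite transfers can
    never each hold one lock while waiting for the other: that wait-for cycle is deadlock."""
    first, second = sorted((src, dst), key=id)
    with first.lock, second.lock:
        if src.value < amount:
            return False
        src.write_unchecked(src.value - amount)
        dst.write_unchecked(dst.value + amount)
        return True


def opposite_transfers(rounds=200):
    """Two threads transfer in opposite directions at the same time; money is conserved and
    the run completes (it would hang if the locks were taken in per-thread order)."""
    x, y = Row(1000), Row(1000)

    def worker(a, b):
        for _ in range(rounds):
            transfer(a, b, 1)

    threads = [threading.Thread(target=worker, args=(x, y)),
               threading.Thread(target=worker, args=(y, x))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return x.value + y.value, x.value, y.value
```

In a real DBMS the same two ideas appear as optimistic concurrency (a version or timestamp column compared on UPDATE) and as lock ordering or deadlock detection inside the lock manager; the example only makes the mechanism visible.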


Accounting Audit Trail of database control:
• This includes data items to confirm whether an application properly accepts, processes, and
stores information; to attach a unique time stamp to all transactions; to attach before-images
and after-images of the data item on which a transaction is applied to the audit trail;
• Modifications to audit trail transactions accommodating changes that occur within an
application system.
Operations Audit Trail of database control:
• This maintains a chronology of resource consumption events that affect the database
definition or the database.

(f) Output control:


These controls ensure that the data delivered to users will be presented, formatted, and
delivered in a consistent & secured manner. Output can be in any form, it can either be a
printed data report or a database file in a removable media. Various Output Controls are as
follows:
Code to Remember: R.I.O.2
 Batch Report Design Controls:
• Batch report design features should comply with the control procedures laid down for them
during the output process.
• A well-designed batch report shall facilitate its flow through the output process and the
execution of controls.
 Inference control:
• These are used to prevent compromise of statistical databases from which users can obtain
only aggregate statistics.
• These are restriction controls which limit the set of responses provided to users to try to
protect the confidentiality of data about persons in the database.
 Batch Output Production and Distribution Controls:
• Batch output in the form of tables, graphs or images etc. is produced at some operations
facility and distributed to users of the output; controls must ensure that only authorized
users are permitted to execute batch report programs and that these events are logged and
monitored.
• Some of the output controls are-
Spooling file Controls - Users can continue working while documents wait in a queue to be
printed.
Printing Controls - Ensure that output is made on the correct printer, & unauthorized disclosure of
printed information does not take place.
Report collection controls – Ensure that report is collected immediately & secured to avoid
unauthorized disclosure and data leakage.
User/Client service Review Controls- Ensure user should obtain higher quality output and detection
of errors or irregularities in output.
Report distribution Controls- Ensuring that the time gap between generation & distribution of
reports is reduced.
User Output Controls- Ensure that users review output on a timely basis.
Storage Controls - Ensure proper preservation of output in an ideal environment, secured storage of
output and appropriate inventory controls.


 Online output production and Distribution Controls


• It deals with the controls to be considered at various phases like establishing the output at
the source, distributing, communicating, receiving, viewing, retaining and destroying the
output.
Source controls-Ensure that output which can be generated or accessed online is authorized
and complete.
Distribution Controls- Prevents unauthorized copying of online output when it was
distributed to a terminal.
Communication Controls- Reduce exposures from attacks during transmission; Receipt
Controls to evaluate whether the output should be accepted or rejected.
Review Controls- Ensure timely action of intended recipients on the output.
Disposition Controls- Educate employees the actions that can be taken on the online output
they receive.
Retention Controls to evaluate for how long the output is to be retained and Deletion
Controls to delete the output once expired.
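The inference control listed under output controls above, as an added example (not the notes’ own code). A small statistical database releases only salary totals, yet with no restriction two harmless-looking aggregates differ by exactly one person’s salary. A query-set-size restriction refuses any statistic computed over fewer than k records, and also over fewer than k non-matching records, since a total for "everyone except one person" discloses that person just as surely. The employee records and the threshold k are constructed for illustration.

```python
"""Inference control for a statistical database: query-set-size restriction."""

# Constructed records: one row per employee. Users may obtain only aggregate statistics.
EMPLOYEES = [
    {"name": "A", "dept": "Audit", "grade": "Manager", "salary": 90000},
    {"name": "B", "dept": "Audit", "grade": "Senior", "salary": 60000},
    {"name": "C", "dept": "Audit", "grade": "Senior", "salary": 62000},
    {"name": "D", "dept": "Tax", "grade": "Manager", "salary": 95000},
    {"name": "E", "dept": "Tax", "grade": "Senior", "salary": 58000},
    {"name": "F", "dept": "Tax", "grade": "Junior", "salary": 40000},
]
MIN_QUERY_SET = 3   # k: no statistic is released over fewer than k records


def query_set(**conditions):
    """Records matching every attribute=value condition given."""
    return [r for r in EMPLOYEES if all(r.get(k) == v for k, v in conditions.items())]


def unrestricted_sum(**conditions):
    """An unprotected interface: releases a total however few records it covers."""
    return sum(r["salary"] for r in query_set(**conditions))


def restricted_sum(**conditions):
    """Restriction control: release the total only if at least k records match AND at
    least k do not. Returns None when the statistic is refused."""
    matched = query_set(**conditions)
    n = len(matched)
    if n < MIN_QUERY_SET or len(EMPLOYEES) - n < MIN_QUERY_SET:
        return None
    return sum(r["salary"] for r in matched)


def salary_disclosed_by_difference():
    """Why the control exists: on the unrestricted interface, the department total minus the
    total for its seniors is exactly the one manager's salary."""
    return unrestricted_sum(dept="Audit") - unrestricted_sum(dept="Audit", grade="Senior")


def restricted_difference():
    """The same two queries under restriction: the two-record set is refused, so there is
    nothing to subtract and the individual value stays confidential."""
    a = restricted_sum(dept="Audit")
    b = restricted_sum(dept="Audit", grade="Senior")
    return None if a is None or b is None else a - b
```

Query-set-size restriction is the simplest inference control and is a minimum rather than a complete answer: a determined user can sometimes combine several large, permitted query sets to isolate one record, which is why practical statistical databases add further controls (limits on overlapping queries, rounding or perturbation of released values).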

Accounting Audit Trail of output control:
• This includes what output was used for the presentation to the users; what output was then
presented to the users; who received the output; when the output was received; and what
actions were subsequently taken with the output.
Operations Audit Trail of output control:
• This maintains the record of resources consumed by components in the output subsystem to
produce, distribute, use, store and dispose of various types of output like graphs, images etc.;
• To record data that enables print times, response times and display rates for output to be
determined & to manage information that enables the organization to improve the timeliness of
output production.

4. Information Systems Auditing:


Computers are used extensively to process data and to provide information for decision-making.
Since computers play a large part in helping us process data and make decisions, it is
important that they are used in a controlled manner.

4.1 Need for audit of information system:


Factors influencing an organization toward controls and audit of computers and the impact of
the information systems audit function on organizations are depicted below:

Cost related factors:
• Cost of incorrect decision making
• Cost of data loss
• Costs of computer abuse
• High costs of computer error
Other factors:
• Maintenance of privacy
• Controlled evolution of computer use


Code to Remember: A. - P.R.I.D.E.


 Computer Abuse cost:
• Unauthorized access to critical information may prove disastrous for any business organisation.
• Such access to computer systems, malware, physical access to computer facilities &
unauthorized copies of sensitive data can lead to destruction of hardware, software etc.

 Privacy Maintenance cost:


• Data collected in a business process contains private information about individuals too.
• Even though such data were collected in the past too, the use of computer systems has led to
a condition of no privacy of individual information.

 Reliability of computer system:


• The reliability of complex computer systems and of the technology used cannot be guaranteed, and
• The consequences of using unreliable systems can be destructive.

 Incorrect decision-making cost:


• Management and operational controls taken by managers involve detection, investigation and
correction of the processes.
• These high-level decisions require accurate data to form quality decision rules.

 Data Loss cost:


• Data is a critical resource of an organisation for its present and future process and its ability to
adapt and survive in a changing environment.

 High cost of computer Error:


• In a computerized enterprise environment where many critical business processes are
performed, a data error during entry or process would cause great damage.

4.2 Information Systems Auditing meaning:


It is defined as the process of attesting objectives that focus on asset safeguarding and data
integrity, and management objectives (those of an internal auditor) that include both
effectiveness and efficiency. Below is a summary of the objectives of ISA-
Category A: Attesting Objectives (concerned with parties outside the organisation)
1. Asset Safeguarding Objectives: The information system assets (hardware, software, data,
information etc.) are to be protected from unauthorized access by a system of internal controls.
2. Data Integrity Objectives:
(a) Maintaining the integrity of an organization's data is required at all times.
(b) It is important from the business point of view for decision makers, the market environment
and competition.
Category B: Management Objectives (concerned with parties within the organisation)
1. System Effectiveness Objectives: The effectiveness of a system is evaluated by auditing the
characteristics and objectives of the system to meet business & user requirements.
2. System Efficiency Objectives: To optimize the use of various information system resources
along with the impact on its computing environment.


4.3 Tools of IS Audit:


In today’s time, almost all data collection and processing is real-time. Hence, there is a need for
real-time continuous auditing to provide continuous assurance about the quality of the data.
Continuous auditing enables auditors to significantly reduce, and even eliminate, the time between
the occurrence of the client’s events and the auditor’s assurance services thereon. Types of audit tools:
Different types of continuous audit techniques may be used. Some modules for obtaining
data, audit trails and evidence may be built into the programs. Audit software is available
which can be used for selecting and testing data. Some of the audit tools are detailed below-

1. Integrated test facility:


(a) It involves the creation of dummy entries in the application system files.
(b) The dummy records entered by the auditor do not affect the actual records in the system.
(c) After entering the dummy records, the auditor compares the processing & output of these
transactions with the expected processing & output, and thereby verifies whether the system and
its controls are operating correctly or not.
(d) Here the auditor has to decide the method to be used to enter the data and the methodology
for removing the effects of the ITF transactions.

2. System control audit review files (SCARF):


(a) It involves embedding an audit software module within a HOST application system.
(b) The data are recorded in the SCARF files. The auditor then examines the information contained
in this file and sees if some aspect of the application system needs follow-up.

3. Snap shot technique:


(a) The snapshot is built into the system at those points where material processing occurs; it
takes an image of the flow of a transaction as it moves through the application.
(b) These images are then used to assess the accuracy, authenticity and completeness of the
processing carried out on the transactions.
(c) All snapshot data related to a transaction can be collected at one place, facilitating audit work.

4. Continuous and Intermittent Simulation (CIS):


(a) This is a variation of the SCARF continuous audit technique.
(b) It is used to trap exceptions wherever the application system uses a database management
system. CIS executes in the following way:
 The DBMS reads an application system transaction. It is passed to CIS.
 CIS then determines whether it wants to examine the transaction further.
 CIS replicates the application system processing.
 Updates to the database that arise from processing of the selected transactions are
checked by CIS to determine any difference between the results of CIS & the application system.
 Exceptions identified by CIS are written to EXCEPTION LOG FILES.

5. AUDIT HOOKS:
(a) These are audit routines that flag suspicious transactions.
(b) For instance, the policyholder system of an insurance company is vulnerable to fraud every time a
policyholder changes name or address.
(c) In this case, the auditor must devise a system of audit hooks to tag records with a name/address
change.
(d) When audit hooks are employed, auditors can be informed of suspicious transactions.
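To make the audit hook and CIS descriptions concrete, here is an added Python example (not from these notes or from any particular audit tool) that runs a hook and a CIS-style replica alongside a constructed policyholder application. The minimum-premium rule, the field names, user ids and transactions are all assumed for the demonstration; the application deliberately omits the rule so that the replica's exception log shows a mismatch.

```python
# Added example (not from the notes): an audit hook plus a CIS-style parallel
# simulation over constructed policyholder transactions. The insurance rule,
# field names, user ids and transactions are hypothetical.
from dataclasses import dataclass
from typing import Dict, List, Optional

MIN_PREMIUM = 500                        # constructed business rule the application must enforce
SENSITIVE_FIELDS = {"name", "address"}   # changes the auditor wants tagged (the insurance example)


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    policy_no: str
    field_changed: str       # e.g. "address" or "premium"
    new_value: str
    user: str


def audit_hook(txn: Transaction) -> Optional[str]:
    """Audit hook: an embedded routine that flags suspicious transactions.
    Returns the reason for tagging, or None if the transaction is not of interest."""
    if txn.field_changed in SENSITIVE_FIELDS:
        return f"{txn.field_changed} changed by {txn.user}"
    return None


def application_process(policy: Dict[str, str], txn: Transaction) -> Dict[str, str]:
    """Constructed application logic under audit. It stores the new value as entered
    and (deliberately, for this demonstration) omits the minimum-premium rule."""
    updated = dict(policy)
    updated[txn.field_changed] = txn.new_value
    return updated


def cis_replicate(policy: Dict[str, str], txn: Transaction) -> Dict[str, str]:
    """CIS replica: the auditor's independent implementation of the intended processing."""
    expected = dict(policy)
    if txn.field_changed == "premium":
        expected["premium"] = str(max(int(txn.new_value), MIN_PREMIUM))
    else:
        expected[txn.field_changed] = txn.new_value
    return expected


def cis_selects(txn: Transaction) -> bool:
    """CIS selection step: decide whether a transaction is examined further."""
    return txn.field_changed in SENSITIVE_FIELDS or txn.field_changed == "premium"


def run_continuous_audit(policies: Dict[str, Dict[str, str]],
                         txns: List[Transaction]) -> List[dict]:
    """Process each transaction through the application, run the hook and the
    CIS replica alongside it, and return the exception log."""
    state = {k: dict(v) for k, v in policies.items()}   # work on a copy of the master file
    exception_log: List[dict] = []
    for txn in txns:
        before = state[txn.policy_no]
        reason = audit_hook(txn)
        if reason:
            exception_log.append({"txn": txn.txn_id, "type": "audit_hook", "detail": reason})
        after = application_process(before, txn)
        if cis_selects(txn):
            expected = cis_replicate(before, txn)
            if after != expected:
                exception_log.append({
                    "txn": txn.txn_id, "type": "cis_mismatch",
                    "detail": f"application={after[txn.field_changed]} "
                              f"expected={expected[txn.field_changed]}"})
        state[txn.policy_no] = after
    return exception_log


# Constructed sample master data and transactions
SAMPLE_POLICIES = {
    "P-100": {"name": "A. Sharma", "address": "12 MG Road", "premium": "1000"},
    "P-200": {"name": "B. Rao", "address": "7 Park St", "premium": "800"},
}
SAMPLE_TXNS = [
    Transaction("T1", "P-100", "address", "99 New Lane", "clerk01"),   # tagged by the hook
    Transaction("T2", "P-200", "premium", "1200", "clerk02"),          # clean
    Transaction("T3", "P-100", "premium", "300", "clerk01"),           # below minimum: CIS mismatch
]

if __name__ == "__main__":
    for entry in run_continuous_audit(SAMPLE_POLICIES, SAMPLE_TXNS):
        print(entry)
```

Running it prints two exception-log entries: the hook tags T1 for the address change, and the replica reports T3 because the application stored a premium of 300 where the intended rule yields 500. T2 passes both checks.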


4.4 Audit Trail:


Audit trails are logs that can be designed to record activity at the system, application & user
levels. Audit trails provide an important detective control to accomplish security policy
objectives. The accounting audit trail shows the source & nature of data & processes that
update the database. Audit trail controls attempt to ensure that a chronological record of
all events that have occurred in a system is maintained. Audit trail objectives and their
implementation are discussed below:
4.4.1. Audit Trail Objectives:
(a) Detecting unauthorized access:
 Involves real-time detection.
 The objective is to protect the system from an outsider who is attempting to breach
security controls.
 Real-time auditing is used to report on changes in system performance that in
certain cases may indicate some sort of virus infection.
(b) Reconstruction of events:
 Audit analysis can be used to reconstruct the steps that led to system failures,
security violations etc.
(c) Personal accountability:
 Audit trails can be used to monitor user activity at the lowest level of detail.
 This is rather a preventive control that can be used to influence behavior.
4.4.2. Implementing Audit trails:
• The information contained in the audit log is useful to accountants in
measuring the potential damage and financial loss associated with application
errors, authority abuse and unauthorized access.
• These logs provide valuable evidence and help in assessing the adequacy of the
controls and;
• In implementing further controls if needed. As such, audit logs must be carefully
designed so as to ensure correct functioning of the system.
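As an added illustration (not part of the notes), the following Python code implements an audit trail whose entries are chained by hashes, so that an altered, deleted or re-ordered entry is detected when the chain is verified. It also adds the two lookups the objectives above call for: events by user (personal accountability) and events on a resource (reconstruction of events). The event records are constructed sample data.

```python
# Added example (not from the notes): a tamper-evident audit trail built as a
# hash chain, with helpers for the audit trail objectives. Events are constructed.
import copy
import hashlib
import json
from typing import List, Optional

GENESIS = "0" * 64   # previous-hash value used for the first entry


def _entry_hash(body: dict) -> str:
    """Hash of an entry's fields (including the previous hash) in canonical JSON form."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditTrail:
    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, ts: str, user: str, action: str, target: str, outcome: str) -> str:
        """Append one chronological event; each entry commits to the one before it."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "ts": ts, "user": user,
                "action": action, "target": target, "outcome": outcome, "prev": prev}
        entry = dict(body, hash=_entry_hash(body))
        self.entries.append(entry)
        return entry["hash"]


def verify_chain(entries: List[dict]) -> Optional[int]:
    """Return the index of the first entry that breaks the chain, or None if intact.
    Catches edited fields, deleted entries and re-ordered entries."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["seq"] != i or entry["prev"] != prev or _entry_hash(body) != entry["hash"]:
            return i
        prev = entry["hash"]
    return None


def events_for_user(entries: List[dict], user: str) -> List[dict]:
    """Personal accountability: everything a given user did, in order."""
    return [e for e in entries if e["user"] == user]


def reconstruct(entries: List[dict], target: str) -> List[dict]:
    """Reconstruction of events: the steps that touched one resource."""
    return [e for e in entries if e["target"] == target]


def build_sample_trail() -> AuditTrail:
    """Constructed events (hypothetical users and resources)."""
    trail = AuditTrail()
    trail.append("2022-01-10T09:00:00Z", "alice", "login", "app-server", "success")
    trail.append("2022-01-10T09:05:00Z", "bob", "login", "app-server", "failure")
    trail.append("2022-01-10T09:06:00Z", "bob", "login", "app-server", "success")
    trail.append("2022-01-10T09:20:00Z", "bob", "update", "payroll.rates", "success")
    return trail


def tampered_copy(entries: List[dict], index: int, field: str, value: str) -> List[dict]:
    """Simulate an after-the-fact edit of one field, to show it is detected."""
    altered = copy.deepcopy(entries)
    altered[index][field] = value
    return altered


def without_entry(entries: List[dict], index: int) -> List[dict]:
    """Simulate deletion of one entry from the log."""
    altered = copy.deepcopy(entries)
    del altered[index]
    return altered


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact chain:", verify_chain(trail.entries))
    print("edited entry breaks at:", verify_chain(tampered_copy(trail.entries, 1, "outcome", "success")))
    print("deleted entry breaks at:", verify_chain(without_entry(trail.entries, 2)))
```

The chain only proves that the log has not been changed since each entry was written; it does not stop someone with write access from appending false entries, which is why the notes' later point about writing logs to unalterable media still applies.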

5. Auditing of Information Systems controls:


5.1 Auditing Environmental controls:
The IS auditor should satisfy himself or herself not only about the effectiveness of various technical
controls but also about the overall controls safeguarding the business against environmental risks.

Code to Remember: P.W.C. - F.A.B. (Wherever there is an audit, PWC is FAB)


 Power conditioning:
 The IS auditor should determine how frequently power conditioning equipment, such
as UPS, line conditioners, motor generators etc. are used, inspected and maintained.

 Backup power:
 The IS auditor should determine if backup power is available via electric generators
or UPS and how frequently they are tested.
 The IS auditor should also examine maintenance records of these components.

 Heating, Ventilation, and Air Conditioning (HVAC):


 The IS auditor should determine if HVAC systems are providing adequate
temperature and humidity.


• Water detection:
 The IS auditor should determine if any water detectors are used in rooms where
computers are kept.
 He or she should determine how frequently these are tested and if they are
monitored.

• Fire detection and suppression:


 The IS auditor should determine if fire detection equipment is adequate.
 It should be evaluated whether staff members understand their function & if they
are tested. He/she should determine how frequently fire suppression systems are
tested.

• Cleanliness:
 The IS auditor should examine data centers to see how clean they are.
 IT equipment air filters and the inside of some IT components should be examined
to see if there is an accumulation of dust and dirt.

5.2 Auditing physical security controls:


Auditing physical access requires the auditor to review the physical access risks and
controls to form an opinion on the effectiveness of the physical access controls-
(i) Siting and Marking: Auditing building siting and marking requires attention to
several key factors and features, including:
o Proximity to hazards: The IS auditor should estimate the building’s distance from
natural and man-made hazards, such as dams; rivers, lakes and canals; natural
gas and petroleum pipelines; water mains and pipelines; earthquake faults;
areas prone to landslides; volcanoes; etc. The IS auditor should determine if
any risk assessment has been done & if any compensating controls have been carried
out.
o Marking: The IS auditor should inspect the building and surrounding area to see
if the building(s) containing information processing equipment identify the
organization. Marking may be visible on the building itself, but also on signs or
parking stickers on vehicles.
(ii) Physical barriers: These include fencing, walls, razor wire etc. The IS auditor needs
to understand how these are used to control access to the facility.
(iii) Surveillance: The IS auditor needs to understand how video and human
surveillance are used to control and monitor access. The auditor needs to understand
how video is recorded and reviewed, and whether it is effective in preventing or detecting
incidents.
(iv) Guards and dogs: The IS auditor needs to understand the use and effectiveness of security
guards and guard dogs. Processes, policies, procedures, & records should be
examined to understand the required activities and how they are carried out.
(v) Key-card systems: The IS auditor needs to understand how key-card systems are used
to control access to the facility.


Role of IS Auditor in auditing Physical Access Controls: Auditing physical access requires
the auditor to review the physical access risk and controls to form an opinion on the
effectiveness of the physical access controls. This involves the following activities:
• Risk Assessment: The auditor must satisfy him/herself that the risk assessment
procedure adequately covers periodic and timely assessment of all assets, physical
access threats, vulnerabilities of safeguards and exposures therefrom.
• Controls Assessment: Auditor should evaluate whether the physical access controls
are in place and adequate to protect the IS assets against the risks.
• Review of Documents: It requires examination of relevant documentation such as
the security policy and procedures, premises plans, building plans etc.

5.3 Auditing logical access controls:


Auditing logical access requires the auditor to review the logical access risks and
controls to form an opinion on the effectiveness of the logical access controls. The audit
of logical access controls covers the following areas:
• User Access Controls:
 Auditing User Access Controls
 Auditing Password Management
 Auditing User Access Provisioning
 Auditing Employee Terminations
• User Access Log
• Investigative Procedures
• Internet Points of Presence
Each of these is studied in detail in the table below:


Particulars: User Access Controls
User access controls are often the only barrier between unauthorized parties and sensitive or
valuable information.
 Auditing User Access Controls (Code to remember: D.S. with S.A.U.D.A.)
• Dormant accounts: The IS auditor should determine if any automated or manual process exists
to identify and close dormant accounts. Dormant accounts are user (or system) accounts that
exist but are unused.
• Shared accounts: The IS auditor should determine if there are any shared user accounts (used
by more than one person).
• System accounts: The IS auditor should identify all system-level accounts on networks, systems,
and applications. The purpose of each system account should be identified.
• Authentication: The auditor should examine network & system resources to determine if they
require authentication, or whether resources can be accessed without first authenticating.
• User account lockout: The auditor should determine if systems and networks can automatically
lock user accounts that are the target of attacks.
• Detection and prevention of intrusion: The auditor should examine these systems to see
whether they have up-to-date configurations and signatures, whether they generate alerts, and
whether the recipients of alerts act upon them.
• Access violations: The auditor should determine if systems, networks, and authentication
mechanisms can log access violations. These usually exist in the form of system logs showing
invalid login attempts.
 Auditing Password Management
1. The IS auditor needs to examine the password configuration on information systems to
determine how it is controlled.
2. Some check points - how many characters must a password have & whether there is a
maximum length; how frequently must passwords be changed; whether former passwords may
be used again; whether the password is displayed when logging in or when creating a new
password; etc.
 Auditing User Access Provisioning (Code to remember: P.A.R.D.A.)
• Provisioning of new employees: The IS auditor should examine how a new employee’s user
accounts are initially set up. The auditor should determine if new employees’ managers are
aware of access requests.
• Access approvals: The IS auditor needs to determine how requests are approved & the
authority by which they are approved.
• Reviews of access: The IS auditor should determine if there are any periodic access reviews
and what aspects of user accounts are reviewed.
• Duties segregation (SOD): The IS auditor should determine if there are SOD matrices in the
organization & if they are actively used to make user access request decisions.
• Access request processes: The IS auditor should identify all user access request processes and
determine if these processes are used consistently throughout the organization.


 Auditing Employee Terminations (Code to remember: C.A.T.)
• Contractor access and terminations: The IS auditor needs to determine how contractor access
and termination is managed and if such management is effective.
• Access Review: The IS auditor should determine if any internal reviews of terminated accounts
are performed, which would indicate a pattern of concern for effectiveness in this important
activity. If such reviews are performed, the auditor should determine if any missed
terminations are identified.
• Termination Process: The IS auditor should examine the employee termination process and
determine its effectiveness. This includes understanding how terminations are performed and
how user account management personnel are notified of terminations.
Particulars: User Access Log*
(*LOG means full information. So, here: prepare the LOG, protect it, review it timely and retain it.)
• Centralized access logs: The IS auditor should determine if the organization’s access logs are
aggregated or if they are stored on individual systems. (Prepare)
• Access log protection: The auditor needs to determine if access logs can be altered, destroyed,
or attacked to cause the system to stop logging events. The IS auditor needs to determine if
logs should be written to digital media that is unalterable. (Protect)
• Access log review: The IS auditor needs to determine if there are policies, processes or
procedures regarding access log review. The auditor should determine if access log reviews
take place, who performs them etc. (Timely review)
• Access log retention: The IS auditor should determine how long access logs are retained by
the organization and if they are backed up. (Retain the LOGS)
Particulars: Investigative Procedures
Auditing investigative procedures requires attention to several key activities, including:
• Investigation policies and procedures: The IS auditor should determine if there are any
policies or procedures regarding security investigations. This would include who is
responsible for performing investigations, where information about investigations is stored,
and to whom the results of investigations are reported. (Access + Responsibility + Reporting)
• Computer crime investigations: The IS auditor should determine if there are policies,
processes, procedures, and records regarding computer crime investigations.
• Computer forensics: The IS auditor should determine if there is any procedure established
for conducting computer forensics. The auditor should also identify the tools and techniques
that are available to the organization for the acquisition and custody of forensic data.


Particulars: Internet Points of Presence
The IS auditor needs to perform a “points of presence” audit to discover what technical
information is available about the organization’s Internet presence. Some of the aspects of
this intelligence gathering include:
 Search engines: Google, Yahoo! & other search engines should be consulted to see what
information about the organization is available. Searches should include the names of
company officers & management.
 Social networking sites: Social networking sites (Facebook, LinkedIn, Twitter) should be
searched to see what employees, former employees and others are saying about the organization.
 Online sales sites: Sites such as eBay should be searched to see if anything related to the
organization is being sold online.
 Domain names: The IS auditor should verify contact information for known domain names, as
well as related domain names.
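The account-level checks in the table above (dormant, shared and terminated accounts; account lockout; access violations visible as invalid login attempts in logs) can be scripted for a review. The Python below is an added example written for these notes, not an ICAI or vendor tool; the account register, the syslog-style log format, and the 90-day dormancy and 5-attempt lockout thresholds are assumed.

```python
# Added example (not from the notes): a user-access review over a constructed
# account register and constructed authentication log lines. Thresholds,
# account names and the log format are hypothetical.
import re
from collections import Counter
from datetime import date
from typing import Dict, List, Tuple

DORMANT_DAYS = 90          # assumed policy: unused for more than 90 days = dormant
LOCKOUT_THRESHOLD = 5      # assumed policy: accounts should lock after 5 failed attempts

# Constructed account register, as exported from an identity system
ACCOUNTS = [
    {"user": "asharma",    "last_login": "2022-01-05", "enabled": True,  "employee_active": True,  "shared": False},
    {"user": "rverma",     "last_login": "2021-08-01", "enabled": True,  "employee_active": True,  "shared": False},
    {"user": "jdoe",       "last_login": "2021-12-20", "enabled": True,  "employee_active": False, "shared": False},
    {"user": "svc_backup", "last_login": None,         "enabled": True,  "employee_active": True,  "shared": False},
    {"user": "shared_ops", "last_login": "2022-01-09", "enabled": True,  "employee_active": True,  "shared": True},
    {"user": "mkhan",      "last_login": "2021-05-01", "enabled": False, "employee_active": False, "shared": False},
]

# Constructed authentication log (one event per line); one line is malformed on purpose
ACCESS_LOG = """\
2022-01-10T09:00:01 host1 auth: user=asharma result=success src=10.0.0.5
2022-01-10T09:01:10 host1 auth: user=jdoe result=failure src=203.0.113.7
2022-01-10T09:01:15 host1 auth: user=jdoe result=failure src=203.0.113.7
2022-01-10T09:01:20 host1 auth: user=jdoe result=failure src=203.0.113.7
2022-01-10T09:02:00 host1 sshd: connection reset by peer
2022-01-10T09:01:25 host1 auth: user=jdoe result=failure src=203.0.113.7
2022-01-10T09:01:30 host1 auth: user=jdoe result=failure src=203.0.113.7
2022-01-10T09:01:35 host1 auth: user=jdoe result=failure src=203.0.113.7
2022-01-10T09:10:00 host1 auth: user=rverma result=failure src=10.0.0.9
2022-01-10T09:11:00 host1 auth: user=shared_ops result=success src=10.0.0.12
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) "
                    r"result=(?P<result>success|failure) src=(?P<src>\S+)$")


def parse_access_log(text: str) -> Tuple[List[dict], int]:
    """Return parsed auth events and the number of non-empty lines that did not match."""
    events, unparsed = [], 0
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
        elif line.strip():
            unparsed += 1
    return events, unparsed


def dormant_accounts(accounts: List[dict], as_of: date, days: int = DORMANT_DAYS) -> List[str]:
    """Enabled accounts that were never used or not used for more than `days`."""
    found = []
    for a in accounts:
        if not a["enabled"]:
            continue
        last = a["last_login"]
        if last is None or (as_of - date.fromisoformat(last)).days > days:
            found.append(a["user"])
    return found


def terminated_but_enabled(accounts: List[dict]) -> List[str]:
    """Missed terminations: the person has left but the account still works."""
    return [a["user"] for a in accounts if a["enabled"] and not a["employee_active"]]


def shared_accounts(accounts: List[dict]) -> List[str]:
    return [a["user"] for a in accounts if a["shared"]]


def failed_logins(events: List[dict]) -> Dict[str, int]:
    """Access violations: invalid login attempts per user."""
    return dict(Counter(e["user"] for e in events if e["result"] == "failure"))


def lockout_candidates(events: List[dict], threshold: int = LOCKOUT_THRESHOLD) -> List[str]:
    """Users whose failures reached the threshold; if they were not locked, lockout is ineffective."""
    return sorted(u for u, n in failed_logins(events).items() if n >= threshold)


def access_review(accounts: List[dict], log_text: str, as_of: str) -> dict:
    """Run every check and return the findings; `as_of` is an ISO date string."""
    review_date = date.fromisoformat(as_of)
    events, unparsed = parse_access_log(log_text)
    return {
        "dormant": dormant_accounts(accounts, review_date),
        "terminated_but_enabled": terminated_but_enabled(accounts),
        "shared": shared_accounts(accounts),
        "failed_logins": failed_logins(events),
        "lockout_candidates": lockout_candidates(events),
        "unparsed_log_lines": unparsed,
    }


if __name__ == "__main__":
    for finding, value in access_review(ACCOUNTS, ACCESS_LOG, "2022-01-10").items():
        print(f"{finding}: {value}")
```

The unparsed-line count is reported on purpose: a review that silently drops lines it cannot read would miss exactly the events an attacker or a logging failure is most likely to produce, so the auditor should follow up on any non-zero value.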

5.4 Auditing the management control framework-


The auditors play a vital role in evaluating the performance of various controls under
managerial controls. Some of the key areas that auditors should pay attention to while
evaluating Managerial controls and its types are provided below-

(A) Top Management and Information Systems Management Controls:


Since we are talking about top management, we will read and try to understand the
below activities undertaken by the management:
 Planning:
• Auditors need to evaluate whether top management has formulated a high-quality
information systems plan that is appropriate to the needs of the organization or not.
• A poor-quality information system is ineffective and inefficient, leading to loss of
competitive position.
 Organizing:
• Auditors should be concerned about how well top management acquires and
manages staff resources, for three reasons:
o Information systems staff need to remain up to date and motivated in their jobs.
o Intense competition has made acquiring & retaining good systems staff a complex activity.
o Research indicates that employees of an organization are the persons most likely to
perform irregularities.
 Leading:
• Auditors examine variables that often indicate when motivation problems exist or
suggest poor leadership, i.e., staff turnover statistics, frequent budget failures etc.
• Auditors may use both formal and informal sources of evidence to evaluate how well
top managers communicate with their staff.
 Controlling:
• Auditors should focus on the subset of control activities that should be performed by top
management – namely, those aimed at ensuring that the information systems
function accomplishes its objectives at a global level.
• Auditors must evaluate whether top management’s choice of the means of control
over the users of IS services is likely to be effective or not.


(B) Auditing System Development Management Controls:


Below are different types of audits undertaken during the system development process:
Concurrent Audit: Auditors are members of the system development team. They assist the team
in improving the quality of systems development for the specific system they are building and
implementing.
Post-implementation Audit: Auditors seek to help an organization learn from its experiences in
the development of a specific application system. In addition, they might be evaluating whether
the system needs to be scrapped, continued, or modified in some way.
General Audit: Auditors evaluate systems development controls overall. They seek to determine
whether they can reduce the extent of substantive testing needed to form an audit opinion about
management’s assertions relating to the financial statements or to systems effectiveness and
efficiency.

(C) Auditing Programming Management Controls:


Some of the major concerns that an auditor should check and address are the various activities
undertaken under programming management control, phase by phase:
Planning:
 Auditors should evaluate whether the nature & extent of planning are appropriate to the
different types of software developed or acquired.
 They must evaluate how well the planning work is being undertaken.
Control:
 Evaluate whether the nature & extent of control activities undertaken are appropriate for
the different types of software.
 Gather evidence on whether control procedures are operating reliably.
Design:
 Auditors should find out whether the programmers use some type of systematic approach
to design. Auditors can obtain evidence of design practices used by undertaking interviews,
observations, & reviews.
Coding:
 Auditors should seek evidence of –
 The level of care exercised by programming management in choosing a module
implementation and integration strategy.
 Whether programming management ensures that programmers follow structured
programming conventions.
 Whether programmers employ automated facilities to assist them.
Testing:
 Auditors can use interviews, observations, and examination of documentation to evaluate
how well unit testing is conducted.
 The auditors’ primary concern is to see that whole-of-program tests have been undertaken
for all material programs and that these tests have been well-designed and executed.
Operation & Maintenance:
 Auditors need to ensure that effective & timely reporting of maintenance needs occurs &
that maintenance is carried out in a well-controlled manner.
 Auditors should ensure that management has implemented a review system & assigned
responsibility for monitoring the status of operational.


(D) Auditing Data Resource Management Controls:


 Auditors should determine what controls are exercised to maintain data integrity. They
might also interview database users to determine their level of awareness of controls.
 Auditors might employ test data to evaluate whether access controls and update
controls are working.
 Auditors might interview the Data Administrator (DA) and Database Administrator (DBA)
to determine the procedures used by them to monitor the database environment.

(E) Auditing Security Management Controls:


 Auditors should check whether security administrators are conducting reviews frequently.
 Auditors should check whether the organisation audited has an appropriate, high-quality
disaster recovery plan in place.
 Auditors need to evaluate the performance of BCP controls.
 These controls are related to having an operational and tested IT continuity plan, making
sure IT services are available as required & ensuring a minimum impact on
business in the event of a major disruption.
 Auditors should check whether the organisation has opted for an insurance plan or not.

(F) Auditing Operational Management Controls:


 Auditors should pay attention to whether the documentation is maintained securely
and whether it is issued only to authorized personnel.
 Auditors can use interviews, observations and review of documentation to evaluate:
 the activities of documentation librarians;
 how well operations management undertakes the capacity planning and performance
monitoring function;
 the reliability of outsourcing vendor controls;
 whether operations management is monitoring compliance with the outsourcing contract.

(G) Auditing Quality Assurance Management Controls:


 Auditors might use interviews, observations and reviews of documentation to evaluate
how well Quality Assurance (QA) personnel perform their monitoring role.
 Auditors might evaluate how well QA personnel make recommendations for improved
standards.
 Auditors can evaluate how well QA personnel undertake the reporting function and
training.

5.5 Auditing the application control framework-


Based on the evaluation of management controls over the IS functions in an organization,
auditors might decide to evaluate application system further. In case the external auditors have
evaluated the reliability of management controls, the next step is to determine the adequacy of
application controls. Below are the key areas that auditor should pay attention, while
evaluating application controls at each level in an organization:


Auditing Database Controls
• Auditors should check for a mechanism by which a damaged or destroyed database can be
restored in an authentic, accurate, complete, and timely way.
• Auditors should check backup and recovery strategies for the restoration of a damaged or
destroyed database in the event of failure.
• Auditors shall evaluate whether the privacy of data is protected during all backup & recovery
activities.
• Auditors should address their concerns regarding maintenance of data integrity.
Auditing Output Controls
• Auditors should determine what report programs are sensitive and important, and who all are
authorized to access them.
• Auditors should review whether the action privileges that are assigned to authorized users
are appropriate to their job requirements or not.
• Auditors should determine whether the report collection, distribution and printing controls are
executed in the organization or not.
Auditing Communication Controls
• Auditors shall adopt a structured approach to examine and evaluate various controls in the
communication subsystem.
• Auditors should ensure that transmission of data between two nodes in a wide area network is
accurate and complete.
• Auditors must assess the implementation of encryption controls to ensure protection of the
privacy of sensitive data.
• Auditors must assess topological controls to review the logical arrangement of various nodes
and their connectivity using various internetworking devices in a network.
Auditing Processing Controls
• Auditors should determine whether user processes are able to control unauthorized activities,
e.g., access to sensitive data.
• Auditors should assess the performance of validation controls to check for any data processing
errors.
• Auditors need to check for checkpoint and restart controls that enable the system to recover
itself from the point of failure. The restart facilities need to be implemented well so that the
restart of the program is from the point where processing was accurate & complete rather than
from scratch.
Auditing Boundary Controls
• Auditors need to determine how well the safeguards protect assets & preserve data integrity.
• Auditors need to determine whether the access control mechanism implemented in that system
is sufficient or not.
• Auditors need to know which approach is used to implement access control in order to
ascertain potential issues.
• Auditors need to ensure that careful control is exercised over maintenance activities, in case
of hardware failure.
Auditing Input Controls
• Auditors must understand the fundamentals of good source document design so as to analyze
what data will be captured and how.
• Auditors must be able to examine the data-entry screens used in an application system & come
to a judgement on the frequency with which input errors are likely to be made.
• Auditors must evaluate the quality of the coding systems used in the application system.


6. Data related concept:


6.1 Database models
A Database Model is a type of data model that determines the logical structure of a
database and fundamentally determines in which manner data can be stored, organized
& manipulated. Below are the model hierarchy-
• Database: This is a collection of Files/Tables.
• File or Table: This is a collection of Records, also referred as Entity.
• Record: This is a collection of Fields.
• Field: This is a collection of Characters, defining a relevant attribute of Table instance.
• Characters: These are a collection of Bits.

Database models are of four types: Hierarchical Database Model, Relational Database Model,
Network Database Model and Object Oriented Database Model.

1. Hierarchical Database Model:


 A hierarchically structured database is arranged logically in an inverted tree pattern. Here is
the example of the hierarchical database model.
 This database model organizes data into a tree-like structure, with a single root, to which all
the other data is linked. The hierarchy starts from the root data & expands like a tree, adding
child nodes to the parent nodes. In this model, a child node will only have a single parent node.

2. Relational Database Model:

A Relational Database organizes data and its structures, storage and retrieval operations
in tabular format. Three key terms are used extensively in relational database models:
Relations, Attributes, and Domains.
All relations adhere to some basic rules: first, the ordering of columns is immaterial in
a table; second, there cannot be identical records in a table; and third, each record will
contain a single value for each of its attributes. A relation is a table with columns and
rows. The named columns of the relation are called attributes, and the domain is the set
of values the attributes can take.
 A relational database contains multiple tables; a field shared by two tables implies a
relationship between their records.
 In a relational database, all the tables are related by one or more fields so that all
tables in the database can be connected.
 For each table, one of the fields is identified as a Primary Key (which is the unique
identifier) for each record in the table. Keys are commonly used to join or combine
data from two or more tables.
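As an added illustration of these rules (example code written for these notes, not part of the original material or of any product named here), the following Python script uses the standard-library sqlite3 module. The vendor and invoice tables, their rows, and the names RV-1 and RV-2 are constructed sample data; the primary key rejects an identical record, the relationship between the tables rejects an invoice that points at no vendor, and the shared key is what the join uses.

```python
import sqlite3


def build_relational_demo():
    """Create two related tables with constructed sample data (not from the notes).
    vendor.vendor_id is the Primary Key; invoice.vendor_id is the field that
    relates an invoice record to its vendor record."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # enforce the relationship between the tables
    conn.execute("""CREATE TABLE vendor (
        vendor_id INTEGER PRIMARY KEY,        -- unique identifier for each record
        name      TEXT NOT NULL)""")
    conn.execute("""CREATE TABLE invoice (
        invoice_id INTEGER PRIMARY KEY,
        vendor_id  INTEGER NOT NULL REFERENCES vendor(vendor_id),
        amount     REAL NOT NULL)""")
    conn.executemany("INSERT INTO vendor VALUES (?, ?)", [(1, "RV-1"), (2, "RV-2")])
    conn.executemany("INSERT INTO invoice VALUES (?, ?, ?)",
                     [(1, 1, 100.0), (2, 2, 250.0), (3, 2, 75.5)])
    conn.commit()
    return conn


def duplicate_record_rejected(conn):
    """Rule 2 (no identical records): the primary key makes the DBMS refuse a
    second vendor record with id 1. Returns True when the insert is rejected."""
    try:
        conn.execute("INSERT INTO vendor VALUES (1, 'RV-1')")
    except sqlite3.IntegrityError:
        return True
    return False


def orphan_invoice_rejected(conn):
    """An invoice must reference an existing vendor record; vendor 42 does not exist."""
    try:
        conn.execute("INSERT INTO invoice VALUES (99, 42, 10.0)")
    except sqlite3.IntegrityError:
        return True
    return False


def invoices_per_vendor(conn):
    """Join the two tables on the shared key (columns are selected by name, so
    their order in the table is immaterial, rule 1) and summarise per vendor."""
    return conn.execute("""
        SELECT v.name, COUNT(i.invoice_id), SUM(i.amount)
        FROM vendor v JOIN invoice i ON i.vendor_id = v.vendor_id
        GROUP BY v.vendor_id ORDER BY v.vendor_id""").fetchall()


if __name__ == "__main__":
    db = build_relational_demo()
    print("duplicate rejected:", duplicate_record_rejected(db))
    print("orphan rejected:", orphan_invoice_rejected(db))
    print(invoices_per_vendor(db))
```

The `PRAGMA foreign_keys = ON` line matters: SQLite does not enforce the declared relationship unless it is switched on per connection, so without it the orphan invoice would be accepted silently.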


3. Network Database Model:

 A network database structure views all records in sets wherein each set is composed of
an owner record and one or more member records.
 The network model implements one-to-one, one-to-many, many-to-one and
many-to-many relationship types.
 The network model can represent redundancy in data more efficiently than the
hierarchical model. Below is the example:
 RV = Repair Vendor || RI = Repair Invoice || ER = Equipment Record.

• One-to-One relationship: The RV-1 record is the owner of the RI-1 record.
• One-to-Many relationship: The RV-2 record is the owner of the RI-2 and RI-3 records.
• Many-to-Many relationship: Many ER can be owned by many RI records. The RV-3 record
is the owner of the RI-4 and RI-5 records, and ER-7 is owned by both the RI-5 and RI-6
records because it was fixed twice by different vendors.
• Many-to-One relationship: Equipment records 7 and 8 are owned by RI-6 because the
repairs to both machines were listed on the same invoice by RV-4.

4. Object Oriented Database Model:

 An Object-Oriented Database Management System (OODBMS) helps programmers manage
objects created in a programming language.
 It combines different aspects of an object-oriented programming language into a DBMS,
such as complex data types.
 This model helps programmers make objects which are independently functioning
applications or programs, each assigned a specific task or role to perform.


6.2 Big Data-


The term refers to data sets so massively large that conventional database tools do not
have the processing power to analyze them. Storing and analyzing that much data is
beyond the power of traditional database-management tools. Hence tools need to be
developed that are able to collect, store and analyse such data. Benefits of big data
processing:

1. The ability to process Big Data brings in multiple benefits, such as:
• Businesses can utilize outside intelligence while taking decisions.
• Access to social data from search engines and sites like Facebook and Twitter is
enabling organizations to fine-tune their business strategies.
• Early identification of risk to the products/services, if any.
2. Improved customer service:
• Traditional customer feedback systems are getting replaced by new systems
designed with Big Data technologies.
• In these new systems, Big Data and natural language processing technologies are
being used to read and evaluate consumer responses.
3. Better operational efficiency:
• Integration of Big Data technologies and the data warehouse helps an organization to
offload infrequently accessed data, thus leading to better operational efficiency.

6.3 Data Warehouse-


Organisations need to fully understand the data they are collecting. Further, organizations
also want to analyze data in a historical sense: how does the data we have today compare
with the same set of data this time last month, or last year? A data warehouse is a concept
that starts with extracting data from one or more of the organization's databases and
loading it into the data warehouse (which is itself another database) for storage and
analysis. Below is the process flow:
 First stage: Data is Extracted from one or more of the organization's databases. This
stage involves extracting the data from various sources such as the ERP systems used,
databases etc.
 Second stage: The data so extracted is placed in a temporary area called the Staging Area
where it is transformed (sorting, filtering etc. of the data) as per the information
requirements.
 Final stage: This involves the Loading of the transformed data into a data warehouse,
which itself is another database for storage and analysis.
 Approaches while designing a data warehouse / 2 different schools of thought:
Bottom-Up Approach: Starts by creating small data warehouses, called data marts, to solve
specific business problems. As these data marts are created, they can be combined into a
larger data warehouse.
Top-Down Approach: Suggests that we should start by creating an enterprise-wide data
warehouse; then, as specific business needs are identified, smaller data marts are created
from the data warehouse.


 Advantages of data warehouse: U.C. - D.A.T. (You see that)


U - Understanding the data: The process of developing a data warehouse requires a
business to better understand the data that is collected.
C - Consistency of data: Once all data is identified as consistent, an organization can
easily report consistent statistics about itself.
D - Data centralization: A data warehouse provides a centralized view of all data which is
collected across the business.
A - Analysis of information: A data warehouse provides a centralized view of all data which
is collected across the business.
T - Trend analysis: Having a data warehouse, snapshots of data can be taken over time.
This creates a historical record of data, which allows for an analysis of trends.
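The three-stage flow (extract, transform in a staging area, load) and the snapshot-based trend analysis described above, carried through in code as an added example for these notes (not code from the original material or from any warehouse product). It uses the standard-library sqlite3 module; the ERP-style orders table, the CRM-style customers table, their rows, and the snapshot dates are constructed sample data.

```python
import sqlite3


def make_sources(extra_orders=()):
    """Constructed source systems (not from the notes): an ERP-style orders table
    and a CRM-style customers table, each living in its own database."""
    erp = sqlite3.connect(":memory:")
    erp.execute("CREATE TABLE orders (order_id INTEGER, customer TEXT, amount REAL, status TEXT)")
    erp.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", [
        (1, " Acme ", 120.0, "PAID"),       # untrimmed name: needs normalising
        (2, "Beta", 80.0, "CANCELLED"),     # filtered out in the staging area
        (3, "ACME", 200.0, "PAID"),
        (4, "Gamma", 50.0, "paid"),         # inconsistent case in the status
        *extra_orders,
    ])
    crm = sqlite3.connect(":memory:")
    crm.execute("CREATE TABLE customers (name TEXT, region TEXT)")
    crm.executemany("INSERT INTO customers VALUES (?, ?)",
                    [("acme", "North"), ("beta", "South"), ("gamma", "North")])
    return erp, crm


def extract(erp, crm):
    """Stage 1: pull raw rows out of each source database."""
    orders = erp.execute("SELECT order_id, customer, amount, status FROM orders").fetchall()
    customers = crm.execute("SELECT name, region FROM customers").fetchall()
    return orders, customers


def transform(orders, customers):
    """Stage 2 (staging area): filter to paid orders, normalise the customer key
    so ERP and CRM rows match, enrich with the region, and sort by order id."""
    region_of = {name.strip().lower(): region for name, region in customers}
    staged = []
    for order_id, customer, amount, status in orders:
        if status.upper() != "PAID":
            continue
        key = customer.strip().lower()
        staged.append((order_id, key, region_of.get(key, "UNKNOWN"), amount))
    return sorted(staged)


def load(dw, staged, snapshot):
    """Stage 3: write the transformed rows into the warehouse, tagged with the
    snapshot date so each load adds to the history instead of overwriting it."""
    dw.execute("CREATE TABLE IF NOT EXISTS fact_sales "
               "(snapshot TEXT, order_id INTEGER, customer TEXT, region TEXT, amount REAL)")
    dw.executemany("INSERT INTO fact_sales VALUES (?, ?, ?, ?, ?)",
                   [(snapshot, *row) for row in staged])
    dw.commit()


def run_etl(dw, snapshot, extra_orders=()):
    """One full Extract -> Transform -> Load run for a given snapshot date."""
    erp, crm = make_sources(extra_orders)
    load(dw, transform(*extract(erp, crm)), snapshot)


def sales_by_region(dw, snapshot):
    """Reporting query against the warehouse for one snapshot."""
    rows = dw.execute("SELECT region, SUM(amount) FROM fact_sales WHERE snapshot = ? "
                      "GROUP BY region", (snapshot,)).fetchall()
    return dict(rows)


def trend(dw, earlier, later):
    """Trend analysis: compare two snapshots region by region."""
    a, b = sales_by_region(dw, earlier), sales_by_region(dw, later)
    return {r: round(b.get(r, 0.0) - a.get(r, 0.0), 2) for r in sorted(set(a) | set(b))}


def build_warehouse():
    """Two monthly loads; the second month has one extra paid order (constructed)."""
    dw = sqlite3.connect(":memory:")
    run_etl(dw, "2022-01-01")
    run_etl(dw, "2022-02-01", extra_orders=[(5, "beta", 90.0, "PAID")])
    return dw


if __name__ == "__main__":
    dw = build_warehouse()
    print(sales_by_region(dw, "2022-02-01"))
    print(trend(dw, "2022-01-01", "2022-02-01"))
```

The staging step is where the consistency advantage is earned: " Acme " and "ACME" become one customer key only because the transform normalises it before the load, so the warehouse reports one figure for the customer where the source systems would report two.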

 Data Mining-
• Data Mining is the process of analyzing data to find out unknown trends, patterns,
and associations in order to make decisions. It is accomplished through automated means
against extremely large data sets.
• Example of data mining: analysis of a month's sales by a supermarket store to find the
product which is sold most.
• Below are the steps involved in data mining:

a. Data Integration: Firstly, the data are collected and integrated from all the different
sources which could be relational database, data warehouse or web etc.
b. Data Selection: So, in this step we select only those data which we think is useful for
data mining.
c. Data Cleaning: The data that is collected are not clean and may contain errors,
missing values, noisy or inconsistent data. Thus, we need to apply different
techniques to get rid of such anomalies.
d. Data Transformation: The data even after cleaning are not ready for mining as it
needs to be transformed into an appropriate form by using different techniques like -
smoothing, aggregation, normalization etc.
e. Data Mining: Data mining techniques are applied on data to discover the interesting
patterns. Techniques like clustering and association analysis are some examples.
f. Pattern Evaluation and Knowledge Presentation: This step involves visualization,
transformation, removing redundant patterns etc. from the patterns we generated.


g. Decisions / Use of Discovered Knowledge: This step helps user to make use of the
knowledge acquired to take better informed decisions.
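The seven steps above run end to end on a small constructed data set, as an added example for these notes (not code from the original material). The point-of-sale and web-store records, the item names and the support/confidence thresholds are all constructed; the mining step is a plain association analysis over item pairs, where support is the fraction of baskets containing both items and confidence of A -> B is the fraction of baskets with A that also contain B.

```python
from collections import Counter
from itertools import combinations

# Constructed sample inputs (not from the notes): raw sales records exported from
# two sources. They deliberately contain an empty basket, a missing transaction
# id, inconsistent item spelling and fields that are irrelevant to mining.
POS_RECORDS = [
    {"txn": "T1", "items": "bread,milk", "cashier": "c01"},
    {"txn": "T2", "items": "bread,butter", "cashier": "c02"},
    {"txn": "T3", "items": "bread,milk,butter", "cashier": "c01"},
    {"txn": "T4", "items": "", "cashier": "c03"},
]
WEB_RECORDS = [
    {"txn": "W1", "items": "milk,butter", "browser": "x"},
    {"txn": "W2", "items": "Bread, Milk", "browser": "y"},
    {"txn": None, "items": "bread", "browser": "z"},
    {"txn": "W4", "items": "bread,milk,eggs", "browser": "x"},
]


def integrate(*sources):
    """a. Data Integration: pull records from every (name, rows) source into one list."""
    return [dict(row, source=name) for name, rows in sources for row in rows]


def select_fields(records):
    """b. Data Selection: keep only the fields useful for mining."""
    return [{"txn": r.get("txn"), "items": r.get("items")} for r in records]


def clean(records):
    """c. Data Cleaning: drop records with a missing id or an empty basket."""
    return [r for r in records if r["txn"] and r["items"] and r["items"].strip()]


def transform(records):
    """d. Data Transformation: normalise item names and represent each basket as a set."""
    baskets = []
    for r in records:
        items = {i.strip().lower() for i in r["items"].split(",") if i.strip()}
        if items:
            baskets.append(items)
    return baskets


def mine_associations(baskets, min_support, min_confidence):
    """e. Data Mining: association analysis on item pairs.
    Returns (antecedent, consequent, support, confidence) rules above both thresholds."""
    n = len(baskets)
    item_count, pair_count = Counter(), Counter()
    for basket in baskets:
        item_count.update(basket)
        pair_count.update(combinations(sorted(basket), 2))
    rules = []
    for (a, b), both in pair_count.items():
        support = both / n
        if support < min_support:
            continue
        for ante, cons in ((a, b), (b, a)):
            confidence = both / item_count[ante]
            if confidence >= min_confidence:
                rules.append((ante, cons, round(support, 3), round(confidence, 3)))
    return rules


def evaluate(rules, top_n=3):
    """f. Pattern Evaluation: rank by confidence then support and keep the strongest."""
    return sorted(rules, key=lambda r: (-r[3], -r[2], r[0], r[1]))[:top_n]


def run_pipeline(min_support=0.3, min_confidence=0.6, top_n=3):
    """Steps a-f chained; step g (acting on the rules) is left to the business user."""
    records = clean(select_fields(integrate(("pos", POS_RECORDS), ("web", WEB_RECORDS))))
    return evaluate(mine_associations(transform(records), min_support, min_confidence), top_n)


if __name__ == "__main__":
    for ante, cons, support, confidence in run_pipeline():
        print(f"{ante} -> {cons}: support={support}, confidence={confidence}")
```

Two of the eight records never reach the mining step (the empty basket and the record without an id); with six baskets left, bread -> milk holds in four of them, which is why it comes out on top.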
Database vs. Data Warehouse vs. Data Mining:
 Database: This stores real-time information. A telecom company's database stores
information related to monthly billing details, call records, etc. Its function is to
record. Example - MySQL, MS Access etc.
 Data Warehouse: This stores both historic and transactional data. In a telecom company,
information in a data warehouse will be used for product promotions, decisions relating
to sales, cash etc. Its function is to report and analyse. Example - Teradata, Informatica
etc.
 Data Mining: This analyses data to find previously unknown trends. For example, in the
same telecommunication sector, information will be analyzed by data mining techniques
to find out call duration with respect to a particular age group from the entire data
available. Its function is to extract useful data. Example - R-Language, data mining and
Oracle etc.

7. Organisation structure and responsibilities:


Organizations require structure to distribute responsibility to groups of people with
specific skills and knowledge. The structure of an organization is called an organization
chart.

It has been noticed that people are being shuffled from one business vertical to another.
These organizational changes are usually performed to help an organization meet new
objectives that require new partnerships and teamwork that were less important before.
Below are some illustrative reasons for changes in the organizational structure:
 Market conditions:
1. Changes in market positions can cause an organization to realign its internal
structure in order to strengthen itself.
2. For example, if a competitor lowers its prices based on a new sourcing strategy, an
organization may need to respond by changing its organizational structure to put
experienced executives in-charge of specific activities.
 Regulation:
1. New regulations may induce an organization to change its organizational
structure.
2. For instance, an organization that becomes highly regulated may elect to move its
security and compliance group away from IT and place it under the legal
department, since compliance has much more to do with legal compliance than
industry standards.


 Available talent:
1. When someone leaves the organization or moves to another position within the
organization, a space opens in the org chart that often cannot be filled right away.
2. Senior management will temporarily change the structure of the organization by
moving the leaderless department under the control of someone else.
3. For example, if the director of IT program management leaves the organization,
the existing department could temporarily be placed under the IT operations
department, in this case because the director of IT operations used to run IT
program management.

ROLES AND RESPONSIBILITIES:


 Owner: An owner is an individual who is the designated owner-steward of an asset.
Depending upon the organization’s security policy, an owner may be responsible for the
maintenance and integrity of the asset, as well as for deciding who is permitted to access
the asset.
 Executive management: The most senior managers and executives in an organization are
responsible for developing the organization’s mission, objectives, and goals, as well as
policy. Executives are responsible for enacting security policy, which defines (among
other things) the protection of assets.
 Manager: A manager is responsible for obtaining policies and procedures and making
them available to their staff members.
 User: Users are individuals (at any level of the organization) who use assets in the
performance of their job duties. Users are responsible for performing their duties
lawfully and for conforming to organization policies.

JOB TITLES AND JOB DESCRIPTION:


A Job Title is a label that is assigned to a job description. It denotes a position in the
organization that has a given set of responsibilities, and which requires a certain level and
focus of education and prior experience.
Executive Management:
• CIO (Chief Information Officer): This is the title of the top-most leader.
• CTO (Chief Technical Officer): Usually responsible for an entity's overall technology
strategy.
• CSO (Chief Security Officer): Responsible for all aspects of security.
• CISO (Chief Information Security Officer): Responsible for all aspects of data-related
security.
• CPO (Chief Privacy Officer): Responsible for the protection and use of personal
information.


Software Development:
• Systems Architect: This position is usually responsible for the overall information
systems architecture in the organization.
• Systems Analyst: A systems analyst is involved with the design of applications,
including changes in an application's original design.
• Software Developer, Programmer: This position develops application software. In
organizations that utilize purchased application software, developers
• Software Tester: This position tests changes in programs made by software developers.

Data Management:
• Database Architect: Develops logical and physical designs of data models for
applications and databases.
• Database Administrator (DBA): Builds and maintains databases designed by the database
architect.
• Database Analyst: Performs tasks carrying out routine data maintenance and monitoring
tasks.

Network Management:
• Network Architect: This position designs data and (increasingly) voice networks and
designs changes and upgrades to the network.
• Network Engineer: This position builds and maintains network devices such as routers,
switches, firewalls, and gateways.
• Network Administrator: Performs routine tasks in the network such as making minor
configuration changes.
• Telecom Engineer: Positions in this role work with telecommunications technologies such
as data circuits and phone systems.


General Operations:
• Operations Manager: This position is responsible for overall operations that are carried
out by others.
• Operations Analyst: This position may be responsible for development of operational
procedures.
• Controls Analyst: Responsible for monitoring batch jobs, data entry work, and other
tasks.
• Systems Operator: Responsible for monitoring systems and networks, performing backup
tasks, running batch jobs.
• Data Entry Operator: This position is responsible for keying batches of data from hard
copy sources.
• Media Librarian: Maintaining and tracking use and whereabouts of backup tapes and other
media.

Systems Management:
• Systems Architect: Responsible for the overall architecture of systems and design of
services such as authentication systems.
• Systems Engineer: Responsible for designing, building, and maintaining servers and
server operating systems.
• Storage Engineer: Responsible for designing, building, and maintaining servers and
server operating systems.
• Systems Administrator: Responsible for performing maintenance operations on systems.

Security Operations:
• Security Architect: S/he is responsible for the design of security controls and systems.
• Security Engineer: S/he is responsible for designing, building and maintaining security
services and systems that are designed by the security architect.
• Security Analyst: S/he is responsible for examining logs from firewalls and intrusion
detection systems.
• User Account Manager: S/he is responsible for accepting approved requests for user
access management changes and performing the necessary changes.
• Security Auditor: S/he is responsible for performing internal audits of IT controls to
ensure that they are being operated properly.

7.1 Segregation of Duties:


Information systems often process large volumes of information that is sometimes highly
valuable or sensitive. Measures need to be taken in IT organizations to ensure that individuals
do not possess sufficient privileges to carry out potentially harmful actions on their own. Below
are some examples of segregation of duties controls:


 Transaction Authorization:
1. Information systems can be programmed or configured to require two (or more) persons to
approve certain transactions.
2. In IT applications, transactions meeting certain criteria (for example, exceeding normally
accepted limits or conditions) may require a manager’s approval to be able to proceed.

 Split custody of high-value assets:


1. Assets of high importance or value can be protected using various means of split custody.
2. For example, a password can be split into two halves, one half assigned to two persons and the
other half assigned to two other persons, so that no single individual knows the entire password.
This is very much in use.

 Workflow:
1. Applications that are workflow-enabled can use a second (or third) level of approval before certain
high-value or high-sensitivity activities can take place.
2. For example, a workflow application that is used to provision user accounts can include extra
management approval steps in requests for administrative privileges.

 Periodic review:
1. IT or internal audit personnel can periodically review user access rights to identify whether any
segregation of duties issues exist.
2. The access privileges for each worker can be compared against a segregation of duties control
matrix.
When SOD issues are encountered during a segregation of duties review, management will
need to decide how to mitigate the matter. The choices for mitigating a SOD issue:
 Reduce access privileges:
1. Management can reduce individual user privileges so that the conflict no longer exists.
 Introduce a new mitigating control:
1. If management has determined that the person(s) need to retain privileges that are viewed as a
conflict, then new preventive or detective controls need to be introduced.
2. Examples of mitigating controls include increased logging to record the actions of personnel,
improved exception reporting to identify possible issues, reconciliations of data sets, and
external reviews of high-risk controls.
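The periodic review against a segregation of duties control matrix, the two-person transaction authorization rule, and the two mitigation choices above, worked through as an added example for these notes (not code from the original material or from any IAM product). The SOD matrix, the user names and their privilege sets are constructed sample data; a real review would pull the access-rights extract from the organisation's identity system.

```python
# Constructed segregation of duties control matrix (not from the notes): each pair
# lists two privileges that one person must not hold together.
SOD_MATRIX = [
    ("create_vendor", "approve_payment"),
    ("create_user", "approve_user_request"),
    ("develop_code", "deploy_to_production"),
    ("post_journal", "reconcile_ledger"),
]

# Constructed access-rights extract, as an auditor would pull from the IAM system.
USER_ACCESS = {
    "alice": {"create_vendor", "approve_payment", "view_reports"},
    "bob": {"develop_code", "run_tests"},
    "carol": {"create_user", "approve_user_request", "deploy_to_production", "develop_code"},
    "dave": {"view_reports"},
}


def find_sod_conflicts(user_access, matrix):
    """Periodic review: compare each worker's privileges against the SOD matrix.
    Returns {user: [(priv_a, priv_b), ...]} for every user holding a conflicting pair."""
    conflicts = {}
    for user, privs in sorted(user_access.items()):
        hits = [pair for pair in matrix if pair[0] in privs and pair[1] in privs]
        if hits:
            conflicts[user] = hits
    return conflicts


def authorized(requester, approvers, required=2):
    """Transaction authorization: the request proceeds only when at least `required`
    distinct approvers have signed off, and the requester cannot approve their own request."""
    distinct = set(approvers) - {requester}
    return len(distinct) >= required


def reduce_privileges(user_access, user, privilege):
    """Mitigation option 1: remove one privilege so the conflict no longer exists.
    Returns a new mapping; the input extract is left untouched for the audit trail."""
    updated = {u: set(p) for u, p in user_access.items()}
    updated[user].discard(privilege)
    return updated


def mitigating_controls_for(conflicts):
    """Mitigation option 2: where the privileges must be retained, record the
    detective control (logging plus exception review) to apply for each conflict."""
    return {
        user: [f"log and review every use of {a} and {b} by {user}" for a, b in pairs]
        for user, pairs in conflicts.items()
    }


if __name__ == "__main__":
    found = find_sod_conflicts(USER_ACCESS, SOD_MATRIX)
    for user, pairs in found.items():
        print(user, "holds conflicting privileges:", pairs)
    print("alice after reduction:",
          find_sod_conflicts(reduce_privileges(USER_ACCESS, "alice", "approve_payment"),
                             SOD_MATRIX).get("alice", []))
    print(mitigating_controls_for(found))
```

Running the review shows bob is clean (he can develop code but not deploy it) while carol carries two conflicts; removing one privilege clears alice, and the remaining conflicts get a named detective control rather than being silently accepted.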


TEST YOUR KNOWLEDGE

Ques 1-
In 2017, XYZ Systems shifted to the SQL Server Relational Database Management System
from the previously used IBM Information Management System, which used a hierarchical
database model, to create a well-organized database to store organizational data.
On acquiring a good number of global clients, and keeping in view the increased number and
complexity of the overseas transactions and the management's need for periodic performance
analysis, XYZ Systems planned to leverage the benefit of a data warehouse, whereas the research
team suggested the implementation of big data. However, XYZ Systems did not implement
suitable security controls and hence recently faced a data security breach which led to the
unauthorized manipulation of certain confidential data. This resulted in XYZ Systems paying a
substantial amount as compensation and the loss of a major client.
Consequently, XYZ Systems has now implemented varied controls, starting from strict
password management to high-level access controls and monitoring mechanisms, ensuring that
there are no further data security issues. Answer the following questions:

1. The XYZ Systems initially used IBM Information Management system which used a hierarchical
database model. Which type of relationship is not supported by such database model:
(a) One-to-One
(b) Many-to-One
(c) One-to-Many
(d) None of the above

2. The XYZ Systems recently shifted to the SQL Server DBMS from the IBM Information
Management system that it previously used. Under which aspect, the SQL Server differs from
IBM Information Management System?
i. One-to-one relationship.
ii. One-to-many relationship.
iii. Relational database structure.
iv. None of the above.

3. Which among the following is not an advantage of the SQL Server DBMS?
i. Data sharing
ii. Data Redundancy.
iii. Program and file consistency.
iv. None of the above.

4. To ensure that the communication between their private network and the public network is
secured, one of the steps taken by XYZ Systems is to install a firewall. The installation of a
firewall is __________ type of control?
i. Preventive
ii. Corrective.
iii. Detective.
iv. None of the above.


5. XYZ Systems made its access privileges more stringent so as to prevent unauthorized users
gaining entry into secured area and also minimum entry granted to users based on their job
requirements. Which of the following Logical Access control covers this aspect?
i. Operating System Access Control
ii. Network Access Controls
iii. User Access Management
iv. Application and Monitoring System control

6. Based on the risk assessment by the audit team, the management of XYZ Systems decided to
specify the exact path of the internet access by routing the internet access by the employees
through a firewall and proxy. This is referred to as?
i. Encryption
ii. Enforced Path
iii. Call Back Devices
iv. None of these

Solution 1-
Q. Answer Answer Description
1 (ii) Many-to-One
2 (iii) Relational database structure
3 (ii) Data Redundancy
4 (i) Preventive
5 (iii) User Access Management
6 (ii) Enforced Path

Ques 2-
Bianc Computing Ltd. has implemented a set of controls including those with respect to
security, quality assurance and boundary controls to ensure that the development,
implementation, operation and maintenance of information systems takes place in a planned
and controlled manner. It has also ensured that logs are designed to record activity at the
system, application, and user level. Along with the implementation of controls and maintenance
of logs, it has approached a leading firm of IS auditors to conduct a comprehensive audit of its
controls. Within the organization also, it has opened new job roles and has hired people with the
required skill sets for the same. Answer the following questions-

1. The team of network engineers of Bianc Computing Ltd. recommended certain controls to be
implemented in the organization to bridge the rate of data reception and transmission
between two nodes. Which types of controls are being referred to here?
i. Link controls
ii. Flow controls
iii. Channel access controls
iv. Line error controls


2. Which control is used to ensure that the user can continue working, while the print
operation is getting completed? This is known as________?
i. Printing Controls
ii. Spooling File Control
iii. Spoofing File Control
iv. Print-Run-to Run Control Totals

3. Bianc Computing Ltd. has also opened up new job roles and has hired persons with the
required skill sets for the same as given below-

Identify the right match to the job roles assigned and the responsible persons for the job role.
i. 1(c), 2(d), 3(a), 4(b), 5(f), 6(g), 7(e)
ii. 1(d), 2(b), 3(c), 4(g), 5(f), 6(a), 7(e)
iii. 1(e), 2(b), 3(c), 4(g), 5(a), 6(f), 7(d)
iv. 1(g), 2(f), 3(e), 4(d), 5(c), 6(b), 7(a)

Solution 2-
Q. Answer Answer Description
1 (ii) Flow Controls
2 (ii) Spooling File control
3 (i) 1(c), 2(d), 3(a), 4(b), 5(f), 6(g), 7(e)


E-COMMERCE, M-COMMERCE AND EMERGING TECHNOLOGIES

1. Introduction to E-commerce:
E-Commerce means the "sale / purchase of goods / services through electronic mode". This could
include the use of technology in the form of computers, desktops, mobile applications, etc.
With the passage of time, e-commerce has gathered the attention of nearly all companies.
These companies are realizing that business via the Internet is an inevitability that they
will not be able to ignore. The lure of reaching additional customers, expanding market
share, providing value-added services, advancing technological presence, and increasing
corporate profits is just too valuable to disregard, and will eventually attract companies to
electronic commerce.
E-Commerce is the process of doing business electronically. It refers to the
use of technology to enhance the processing of commercial transactions between a company, its
customers and its business partners. It involves the automation of a variety of Business-To-
Business (B2B) and Business-To-Consumer (B2C) transactions through reliable and secure
connections. Now we will study the various aspects of E-commerce:

1.1 Traditional commerce and E-commerce:


Now we will study both ways of doing business.
[Figure: Traditional way vs. E-commerce. E-commerce order flow: Order placed by user ->
Shopping cart -> Credit card is charged -> Order is completed -> Sent to warehouse for
fulfilment -> Email is sent to customer & merchant -> Shipment sent to shipping carrier ->
Carrier picks up.]


Code to remember: RT NDL SPAM (R.T. pcr test S2.P2.A.M. mail at New DeLhi station)
Difference: Traditional Commerce / E-Commerce
 Resource focus: Supply side. / Demand side.
 Transaction processing: Manual. / Automated.
 Scope: Limited to a particular area. / Worldwide reach.
 Size: The type of items, size of items and the number of customers influence the size of
the store. / Online stores expecting heavy traffic need enough bandwidth, processing power,
and data storage capacity.
 Payment: Cash, cheque, credit card, etc. / Credit card, fund transfer, cash on delivery,
wallets, UPI applications etc.
 Profit impact: Costs incurred like middlemen, rent, overhead expenses etc. lower the profit
margin. / Less costly than owning a physical store; hence, a higher profit margin.
 Availability: For a limited time. / 24 x 7 x 365.
 Marketing: Stores have a physical presence and are known to potential customers. They do
not have to spend much to acquire new customers as compared to online companies. This is
called one-way marketing. / They have to invest more money, time and effort to acquire a new
customer, and have to advertise their presence more aggressively on the internet. This is
also called one-to-one marketing.
 Nature of purchase: Goods can be inspected physically before purchase. / Goods cannot be
inspected physically before purchase.
 Definition: Traditional commerce includes all those activities which are manual and
non-electronic. / E-Commerce means carrying out commercial transactions or exchange of
information electronically on the internet.
 Location: Requires a market place. / Requires a market space.

1.2 Example/steps in E-commerce:


Step 1:
Go to website (like flipkart or amazon) and create your user ids (identifications). Those who
have social media ids, can directly link through those ids.
Step 2:
Select the type of product you wish to buy. Each such e-commerce vendor has huge display of
product inventory. User needs to make sure that s/he selects the right product type.
Step 3:
User needs to select the correct product s/he needs to buy.
Step 4:
User makes the final choice and goes for making payment online.
Step 5:
At the time of making payment, e-commerce vendor shows all details including the product
being bought & final price for review of the customer and confirmation before final payment.
Step 6:
Once the user selects the payment option, he is directed to the payment gateway. Based on
the delivery terms, the product is delivered to the customer in the specified time.


1.3 Benefits of E-Business:


E-business benefits individuals, businesses, government and society at large. The major
benefits from e-business are as follows:

Code To Remember: D. - C.A.R.T.

BENEFITS TO CONSUMER
 Deals & Coupons: There are discount coupons and reward points available for customers to
encourage online transactions.
 Convenience: Every product is at the individual's fingertips on the internet.
 Anytime Access: Access to the e-commerce platforms is available at any time, which brings
in customer convenience.
 Reviews: There are often reviews about a particular site/product from previous customers,
which provide valuable feedback.
 Time saving: The number of operations that can be performed, both by potential buyers and
sellers, increases.

Code To Remember: Q.C. - D.I.C.E.

BENEFITS TO BUSINESS / SELLER
 Better Quality of goods: Competition has increased and has also improved the quality of
goods through expanded markets.
 Cost reduction: Low advertising cost and large-scale economies lead to low cost.
 Dynamic Market: Since there are several players, there is a dynamic market which enhances
quality and business.
 Instant Transaction: The transactions of e-commerce are based on real-time processes. This
has made it possible to crack a number of deals.
 Customer Base increased: The number of people getting online is increasing, which not only
creates new customers but also retains the old ones.
 Efficiency improvement:
- Due to reduced transaction time.
- Reduction in errors and time for information processing.
- Reduction in inventories and in the risk of obsolete inventories.

BENEFITS TO GOVERNMENT
 Instrument to fight corruption: E-commerce provides a pivotal hand to fight corruption. The
Information Technology Act, 2000 provides a legal framework for electronic governance by
giving recognition to electronic records and digital signatures.
 Reduction in use of ecologically damaging materials: There has been a reduction in the use
of ecologically damaging materials through electronic coordination of activities and the
movement of information rather than physical objects.


1.4 Disadvantages of E-Business:


Code To Remember: C.L.I.F.F.S. (चट्टान - Danger - Disadvantage)

 COSTS:
The costs involved with e-commerce are due to the following factors:
• Connection: Connection costs to the Internet (i.e., direct link or connection provider).
• Hardware/software: This includes the cost of sophisticated computers, modems, routers, etc.
• Set up: Employee work hours involved in the process of setting up the systems.
• Maintenance: Costs involved in training of employees and maintenance of webpages.

 LEGAL ISSUES:
• Legal issues are a significant impediment to conducting business on the Internet.
• It is almost impossible to ascertain in advance the legal issues that will start to pop up
as business on the Internet progresses.
• Legal issues may also arise if customer-sensitive data falls into the hands of strangers. The
legal environment in which e-commerce is conducted is full of unclear and conflicting
laws.

 INTERNET CONNECTION:
• Internet connectivity is a pre-requisite to perform online transactions.
• Internet connectivity may not be available in rural or remote areas. Many people may not
have Internet connectivity due to which they may not be able to do online transactions.

 FOOD AND INSPECT RELATED ITEMS:


• Items such as perishable foods & high-cost items such as jewelry & antiques may be
impossible to adequately inspect from a remote location, regardless of technologies used.

 FRAUD FEAR:
• Some customers are still fearful of sending their credit card details over Internet.
Moreover, many customers are simply resistant to change and are uncomfortable viewing
merchandise on a computer screen rather than in person.

 SECURITY CONCERNS:
• Technical obstacles including issues related to security and reliability of network and
Internet are major concerns in online transactions.
• There is always fear of safety and security to the personal information due to the
increased spywares and malwares being rampant on the internet.

1.5 E-Marketing:
E-Marketing is the process of marketing a product or service using the Internet. The internet
changes the relationship between buyers and sellers because market information is available
to all parties involved in the transaction.

Some relevant terms related to e-marketing-


Portal:
• A portal is a website that serves as a gateway or a main entry point on the internet to a
specific field of interest or an industry.
• A portal consists of web pages that act as a starting point for using the web or
web-based services.
• Example - Yahoo! Stores is a shopping cart software app that offers small business
operators and owners a variety of tools and features.
E-Shop:
• An e-shop is a virtual store front that sells products and services online, where
customers can shop anytime.
• It is a convenient way of effecting direct sales to customers, allowing manufacturers to
bypass intermediate operators and thereby reducing costs and delivery times.
E-mall (one or more e-shops):
• An e-mall consists of a collection of e-shops, usually grouped under a single Internet
address. It is a website that displays an electronic catalog from several suppliers.
E-auctions:
• These provide a channel of communication through which the bidding process for products
and services can take place between competing buyers.
• At e-auctions, people buy and sell through an auction website. In e-auctions, information
is available about products, prices, current demand, and supply. For example,
www.salasarauction.com is an online auction platform.
Buyer Aggregator:
• In this, a firm collects information about goods/service providers, makes the providers
its partners and sells their services under its own brand. For example - www.zomato.com.
Virtual community:
• A Virtual Community is a platform for a community of customers who share a common
interest and use the internet to communicate with each other.
• Virtual communities may be of different types: communities of interest in a common goal,
communities of learning, and communities of practice, based on the characteristics of
their bonds and intentions etc. E.g. - www.facebook.com.
E-distribution:
• E-distribution is a concept wherein a company supplies products and services directly to
individual businesses.
• This model helps distributors to achieve efficiency savings by managing large volumes of
customers, automating orders, communicating with partners etc. Wipro uses the internet to
provide fully integrated e-business enabled solutions that help to unify all information.
E-Procurement:
• E-procurement is the management of all procurement activities via electronic means. Many
companies now prefer to procure the required goods and services through a website devoted
to procurement.
• Business models based on e-procurement seek efficiency in accessing information on
suppliers, availability and price.
• E-procurement infomediaries specialize in providing up-to-date and real-time information
on all aspects of the supply of materials to businesses.


1.6 E-commerce business models:


A Business Model can be defined as the mechanism by which a business intends to generate
revenue and profits and includes products, services and information flows, the sources of
revenues, and benefits for suppliers and customers.

Business to consumer (B2C)
• Description: Refers to online retailers who sell products and services to consumers through the internet.
• E-business market: e-shops, e-malls, e-auctions etc.
• Examples: Cisco, www.amazon.com, www.byjus.com etc.

Business to business (B2B)
• Description: This supports the supply chain of organizations that involves commerce between a company and its suppliers or other partners.
• E-business market: E-auction, E-procurement & E-distribution etc.
• Examples: www.indiamart.com – connects prospective buyers and sellers.

Consumer to consumer (C2C)
• Description: Consumers sell directly to other consumers via online ads and auctions, or by selling personal services & expertise.
• E-business market: E-auction
• Examples: www.olx.com

Consumer to Business (C2B)
• Description: Consumers create value & businesses consume that value. In this model, a reverse auction allows consumers to set and demand their own price.
• E-business market: E-distribution
• Examples: TimesJobs.com, www.paisabazaar.com

Consumer to government (C2G)
• Description: This covers all the e-commerce transactions between consumers & government.
• E-business market: Portal
• Examples: www.incometaxindia.gov.in

Government to consumer (G2C)
• Description: This allows consumers to provide feedback or ask for information about a government authority from the public sector.
• E-business market: Portal
• Examples: E-Seva (Andhra Pradesh)

2. Components of E-commerce:
Below are the components of e-commerce:

[Figure: Components of E-commerce – Users, Vendors, Technology Infrastructure]

1. USER:
• This may be an individual / organization or anybody using the e-commerce platforms.
• As e-commerce has made procurement easy and simple, just on a click of a button, e-commerce vendors need to ensure that their products are not delivered to wrong users.


2. E-Commerce Vendors:
• This is the organization / entity providing the user the goods / services asked for.
• In order to ensure the quality of goods and services, e-commerce vendors further need to ensure the following for better, effective and efficient transactions.

Showroom and offline purchase
• Few e-commerce vendors have realized that their products can be sold fast if customers are able to feel / touch / see those products.
• These vendors have opened outlets for customer experience of their products.

Different Ordering Methods
• These are the ways a customer can place his/her order; say, Cash on Delivery is today the most preferred method.

Guarantees
• The product / service guarantee associated with the product / service being sold.
• Money back guarantees help generate a sense of security in the customer's mind that in case of any problems, their money shall be safely returned.

Security
• Represents the security policy adopted by the e-commerce vendor. The vendor website needs to state that online data used to transact is safe.
• Privacy Policy and Security are also gaining importance under the Information Technology Act, 2000 (as amended 2008).

Warehouse operations
• When a product is bought, it is delivered from the warehouse of the e-commerce vendor. This is the place where online retailers pick products from the shelf, pack them and prepare those products to be delivered.

Shipping & Returns
• Shipping is supplementary and complementary to the whole warehouse operation.
• Fast returns have become a Unique Selling Proposition (USP) for many e-commerce vendors, so these vendors need very effective and efficient return processing.

E-Commerce catalogue & product
• Proper display of all products being sold by the vendor, including product details and technical specifications, makes for a better sales conversion ratio.
• A good catalogue makes a lot of difference to the whole customer experience.

Marketing and loyalty programs
• Loyalty programs establish a long-term relationship with the customer.
• In the airline industry, customers can get good discounts / free tickets based on loyalty points accumulated.

3. Technological Infrastructure:
• E-commerce is technology driven. Various types of e-commerce applications and technologies are being used by organizations to increase the scope of business.
• Below are the characteristics of technology used in e-commerce:
  - Easy to use and convenient: The technology selected should enable the customers to find what they want as well as enable the merchant to promote its products.
  - Scalable: With minimal effort, able to handle peak traffic and to accommodate the needs of the business's online growth.
  - Responsive Design: The technology to make a website accessible and usable on every device is important for the success of an e-commerce site.
• The computers, servers, database, mobile apps, digital libraries and data interchange are the components of Technology Infrastructure that enable e-commerce transactions. These components are discussed below:


Computers, Servers, and Database:
• These are the backbone for the success of the venture.
• A big e-commerce entity invests a huge amount of money / time in creating these systems. They store the data or programs used to run the whole operation of an organization.

Mobile Apps:
• Mobile devices such as tablet computers and smart phones also have operating systems and application software.
• Most of the mobile devices run on one of 2 operating systems: Android or iOS.
• There are other mobile operating systems like BlackBerry OS, Windows Mobile, Tizen and Firefox OS.

Digital Library:
• A Digital Library is a special library with a focused collection of digital objects that can include text, visual material, audio and video material;
• Stored as electronic media formats along with means for organizing, storing, and retrieving the files and media contained in the library collection. It may vary in size.

Data Interchange:
• Data Interchange is an electronic communication of data.
• For ensuring correctness of the data interchange between multiple players in e-commerce, business specific protocols are being used to reduce the cost, delays, and errors.
• There are standards to ensure seamless / exact communication in e-

4. Internet/Network:
• This is the critical enabler for e-commerce. Internet connectivity is important for any
e-commerce transactions to go through.
• The faster net connectivity leads to better e-commerce. The success of e-commerce
trade depends upon the internet capability of organization.

5. Web Portal:
• This provides the interface through which an individual / organization shall perform e-commerce transactions.
• A Web Portal is the application through which the user interacts. It is the front end through which the user interacts for an e-commerce transaction, and can be accessed through desktops / laptops / PDAs / hand-held computing devices / mobiles, and now through smart TVs also.

6. Payment Gateway:
• In an e-commerce transaction, the major proportion of online payments is being
performed based on payment gateway technology.
• A payment gateway is a server that is dedicated to linking websites and banks so that
online transactions can be completed in real-time.


3. Architecture of networked systems:


Architecture in e-commerce denotes the way network architectures are built. E-commerce
runs through network-connected systems. Networked systems have 2 types of
architecture:

• Two Tier Client Server


In a Two-tier network, the client (user) sends a request to the Server and the Server responds to the request by fetching the data from it. The Two-tier architecture is divided into two tiers: Presentation Tier and Database Tier.

Presentation Tier (Client Application / Client Tier): This is the interface that allows the user to interact with the e-commerce vendor. The user can log in to an e-commerce vendor through this tier. This application also displays the various products / prices to customers.

Database Tier (Data Tier): The product data / price data / customer data and other related data are kept here. The user has no access to data / information at this level.

Advantages of 2 Tier system:
• System performance is good due to business logic & database being physically close.
• Since processing is shared between client & server, more users could interact with the system.
• By having a simple structure, it is easy to set up and maintain the entire system smoothly.

Disadvantages of 2 Tier system:
• Performance deteriorates if the number of users increases.
• There is restricted flexibility and choice of DBMS, since the data language used in the server differs with different vendors.

• Three Tier Client Server


Three - Tier architecture is a software design pattern and well-established software
architecture. Its three tiers are the Presentation Tier, Application Tier and Data Tier. The
three-tier architecture is as follows:


Presentation Tier: (Presentation to top management, hence presentation = Top)
Occupies the top level and displays information related to services available on a website. This tier communicates with other tiers by sending results to the browser and other tiers in the network.

Application Tier: (Application layer, hence middle tier)
Also called the Middle Tier, Logic Tier or Business Logic Tier; this tier is pulled from the presentation tier. It controls application functionality by performing detailed processing.

Database Tier:
1. This tier houses the database servers where information is stored and retrieved. Data in this tier is kept independent of application servers or business logic.
2. The data access layer should provide an Application Programming Interface (API) to the application tier that exposes methods of managing the stored data without exposing or creating dependencies on the data storage mechanisms.

Advantages of 3 Tier system (Code to remember: C.B.C.):
• Clear separation of application & user interface: The system performance is higher because business logic and database are physically close.
• Balancing: If bottlenecks in terms of performance occur, the server process can be moved to other servers at runtime.
• Change Management: It is easy and faster to exchange a component on the server.

Disadvantages of 3 Tier system (Code to remember: M.I.C.):
• Increased need of Traffic Management: It creates an increased need for network traffic management, server load balancing, and fault tolerance.
• Complex: Tools are relatively immature and are more complex.
• Maintenance Tools inadequacy: Maintenance tools are currently inadequate for maintaining server libraries. This is a potential obstacle for simplifying maintenance.
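As an added illustration of the three-tier separation described above (this is example code, not code from the notes; the in-memory sqlite3 store, the ProductRepository API and the session table are assumptions), the data tier below exposes only methods and keeps the SQL and the connection to itself, the application tier holds the login check, input validation and the business rule, and the presentation tier only formats the result and never holds a database handle:

```python
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Product:
    sku: str
    name: str
    price_paise: int
    stock: int


# ---- Data tier: the only code that knows the storage mechanism (sqlite here) ----
class ProductRepository:
    """Data access layer: exposes methods, hides the SQL and the connection."""

    def __init__(self):
        self._db = sqlite3.connect(":memory:")
        self._db.execute(
            "CREATE TABLE product (sku TEXT PRIMARY KEY, name TEXT, price_paise INTEGER, stock INTEGER)")
        # Constructed sample catalogue.
        self._db.executemany("INSERT INTO product VALUES (?, ?, ?, ?)", [
            ("M-100", "Mobile phone", 1299900, 5),
            ("C-200", "Charger", 79900, 0),
        ])
        self._db.commit()

    def get(self, sku):
        # Parameterised query: the SKU is bound, never pasted into the SQL text.
        row = self._db.execute(
            "SELECT sku, name, price_paise, stock FROM product WHERE sku = ?", (sku,)).fetchone()
        return None if row is None else Product(*row)

    def reserve(self, sku, qty):
        """Atomically take qty units off the shelf; False if not enough stock."""
        cur = self._db.execute(
            "UPDATE product SET stock = stock - ? WHERE sku = ? AND stock >= ?", (qty, sku, qty))
        self._db.commit()
        return cur.rowcount == 1


# ---- Application tier: authorisation, validation and business rules ----
class OrderService:
    def __init__(self, repo, sessions):
        self._repo = repo
        self._sessions = sessions  # constructed: session token -> user id

    def place_order(self, token, sku, qty):
        user = self._sessions.get(token)
        if user is None:
            return {"ok": False, "error": "not logged in"}
        if not isinstance(qty, int) or qty <= 0:
            return {"ok": False, "error": "invalid quantity"}
        product = self._repo.get(sku)
        if product is None:
            return {"ok": False, "error": "unknown product"}
        if not self._repo.reserve(sku, qty):
            return {"ok": False, "error": "out of stock"}
        return {"ok": True, "user": user, "total_paise": product.price_paise * qty}


# ---- Presentation tier: formats the response; holds no database handle ----
def render(result):
    if result["ok"]:
        return f"Order confirmed for {result['user']}: Rs {result['total_paise'] / 100:.2f}"
    return f"Order failed: {result['error']}"


def demo():
    service = OrderService(ProductRepository(), {"tok-abc": "alice"})
    return [render(service.place_order("tok-abc", "M-100", 2)),
            render(service.place_order("tok-abc", "C-200", 1)),
            render(service.place_order("bad-token", "M-100", 1))]


if __name__ == "__main__":
    print("\n".join(demo()))
```

Because the presentation tier can only reach data through OrderService, and OrderService only through the repository's methods, swapping sqlite3 for another store changes one class, and the user-facing code cannot reach the database tier directly, which is the point made in the Database Tier description.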

• E-commerce architecture vide Internet:


Below diagram depicts the E-commerce architecture vide Internet.


1. Client / User Interface
   Includes: Web Server, Web Browser & Internet. Where a user buys a mobile phone from an e-commerce merchant, it includes the user & web browser.
   Purpose: This layer helps the e-commerce customer connect to the e-commerce merchant.

2. Application Layer
   Includes: Application Server and Back End Server. In the same example, it includes the E-merchant, Reseller and Logistics partner.
   Purpose: This layer allows the customer to check the products available on the merchant's website.

3. Database Layer
   Includes: The information store house, where all data relating to products, price etc. is kept.
   Purpose: This layer is accessible to the user through the application layer.

• E-commerce architecture vide Mobile App:

M-commerce (mobile commerce) is the buying and selling of goods and services through wireless handheld devices such as cellular telephones and Personal Digital Assistants (PDAs). M-commerce enables users to access the Internet without needing to find a place to plug in. The layers are as follows:

1. Client / User Interface
   Includes: Mobile Web Browser and Internet; Mobile App (Application); User.
   Purpose: This layer helps the e-commerce customer connect to the e-commerce merchant.

2. Application Layer
   Includes: Application Server and back-end server. In the same example, it includes the E-merchant, Reseller, Logistics partner and Payment Gateway.
   Purpose: This layer allows the customer to check the products available on the merchant's website.

3. Database Layer
   Includes: The information store house, where all data relating to products, price etc. is kept.
   Purpose: This layer is accessible to the user through the application layer.

3. Work flow diagram for e-commerce:


Below is the description of the e-commerce work flow:

1. Customer's login: Few e-commerce merchants may allow the same transactions to be done through phone, but the basic information flow is in e-mode.
2. Product / Service Selection: The customer selects products / services from the available options.
3. Customer Places Order: An order is placed for the selected product / service by the customer. This step leads to the next important activity, PAYMENT GATEWAY.
4. Payment Gateway: Here the customer makes a selection of the payment method. In case the payment method is other than cash on delivery (COD), the merchant gets an update from the payment gateway about payment realization from the customer. In case of COD, the e-commerce vendor may do an additional check to validate the customer.
5. Dispatch & Shipping Process: This process may be executed at two different ends. First, if the product / service inventory is managed by the e-commerce vendor, then dispatch shall be initiated at the merchant's warehouse. For example, FLIPKART states that it has more than 1 lac registered third party vendors on its website.
6. Delivery Tracking: Another key element denoting the success of an e-commerce business is timely delivery. Merchants keep track of this. Merchants have provided their delivery staff with hand-held devices, through which the product / service delivery to customers is immediately updated.
7. COD tracking: In case products are sold on COD payment mode, merchants need to have an additional check on matching deliveries with payments.
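An added example (not part of the notes) of the checks a merchant's own application can apply at steps 4 and 7 above: the payment gateway's "payment realised" update is accepted only when its signature, order, amount and status all check out and the payment id has not been processed before, and COD deliveries are reconciled against the cash actually collected. The shared secret, the field names and the HMAC-SHA256-over-canonical-JSON signing scheme are assumptions for the illustration; a real gateway documents its own callback format.

```python
import hashlib
import hmac
import json

# Constructed shared secret; a real gateway issues its own and documents its scheme.
GATEWAY_SECRET = b"constructed-shared-secret"


def sign_update(payload, secret=GATEWAY_SECRET):
    """HMAC-SHA256 over canonical JSON (assumed signing scheme for the example)."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def apply_gateway_update(orders, payload, signature, seen_payment_ids):
    """Step 4: mark an order PAID only when the gateway update is authentic,
    refers to a known order, is not a replay, and reports the full amount."""
    if not hmac.compare_digest(sign_update(payload), signature):
        return "rejected: bad signature"
    order = orders.get(payload.get("order_id"))
    if order is None:
        return "rejected: unknown order"
    if payload.get("payment_id") in seen_payment_ids:
        return "ignored: duplicate update"
    if payload.get("status") != "SUCCESS" or payload.get("amount_paise") != order["amount_paise"]:
        return "rejected: status/amount mismatch"
    seen_payment_ids.add(payload["payment_id"])
    order["state"] = "PAID"
    return "accepted"


def reconcile_cod(orders, cash_collected):
    """Step 7: every delivered COD order must have matching cash, and every cash
    receipt must belong to a delivered COD order. Returns the exceptions."""
    findings = {"unpaid_deliveries": [], "amount_mismatch": [], "cash_without_delivery": []}
    for oid, o in orders.items():
        if o["method"] == "COD" and o["state"] == "DELIVERED":
            if oid not in cash_collected:
                findings["unpaid_deliveries"].append(oid)
            elif cash_collected[oid] != o["amount_paise"]:
                findings["amount_mismatch"].append(oid)
    for oid in cash_collected:
        o = orders.get(oid)
        if o is None or o["method"] != "COD" or o["state"] != "DELIVERED":
            findings["cash_without_delivery"].append(oid)
    return findings


def sample_orders():
    # Constructed order book (amounts in paise).
    return {
        "O1": {"method": "CARD", "amount_paise": 129990, "state": "ORDERED"},
        "O2": {"method": "COD", "amount_paise": 49900, "state": "DELIVERED"},
        "O3": {"method": "COD", "amount_paise": 99900, "state": "DELIVERED"},
        "O4": {"method": "COD", "amount_paise": 19900, "state": "SHIPPED"},
    }


if __name__ == "__main__":
    orders, seen = sample_orders(), set()
    update = {"order_id": "O1", "payment_id": "P1", "status": "SUCCESS", "amount_paise": 129990}
    print(apply_gateway_update(orders, update, sign_update(update), seen))
    print(reconcile_cod(orders, {"O2": 49900, "O3": 90000, "O4": 19900}))
```

The order of the checks matters: the signature is verified before any field is trusted, the amount is compared against the merchant's own record of the order rather than the value in the update, and the set of processed payment ids stops a repeated or replayed update from marking anything twice. The reconciliation reports exceptions in three directions, since a delivery without cash, a short collection and cash against an undelivered order each point to a different failure.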

4. Risks and controls:


4.1. Risk in an e-business environment:
Risk is the possibility of loss. The same may be the result of intentional or unintentional action by individuals. Risks associated with e-commerce transactions are high compared to general internet activities. Below are the risks associated with e-commerce transactions:

Code to Remember: I. H.A.D. – C.L.A.P.
(Knowing all risks, I was happy and I HAD a CLAP)

1. Infrastructure:
• There is a greater need of not only digital infrastructure but also network expansion of roads and railways. This is a challenge for a developing country.

2. Hidden Cost:
• When goods are ordered from another country, there are hidden costs enforced by companies.

3. Absence of Audit trail:
• Audit trails in an e-Commerce system may be lacking, and the logs may be incomplete, too voluminous or easily tampered with.
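One way a merchant can make its own audit trail harder to alter silently, shown here as an added example rather than code from the notes: each record stores the hash of the record before it, so editing or removing an earlier line breaks every later link and verification reports where the chain first fails. The event fields and the order of events are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value used for the first record


def _digest(prev_hash, entry):
    # Canonical JSON so the same event always hashes the same way.
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + body).encode()).hexdigest()


def append_entry(log, entry):
    """Append entry, chaining it to the hash of the record before it."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"entry": entry, "prev": prev, "hash": _digest(prev, entry)})


def verify_chain(log):
    """Recompute every link. Returns (True, None) if intact, otherwise
    (False, index of the first record whose link does not hold)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev or rec["hash"] != _digest(prev, rec["entry"]):
            return False, i
        prev = rec["hash"]
    return True, None


def build_sample_log():
    # Constructed events from one order flow.
    log = []
    for event in [
        {"t": "2022-01-10T10:00:00", "user": "alice", "action": "login"},
        {"t": "2022-01-10T10:02:11", "user": "alice", "action": "order", "order_id": "O1", "amount": 1299.90},
        {"t": "2022-01-10T10:03:40", "user": "alice", "action": "payment", "order_id": "O1", "result": "ok"},
    ]:
        append_entry(log, event)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log))
    log[1]["entry"]["amount"] = 1.00  # a silent edit of the order amount
    print("after edit:", verify_chain(log))
```

The chain detects edits and deletions in the middle of the log; it cannot by itself detect that the newest records were cut off the end, because nothing after them links back to them. For that, the latest hash has to be recorded somewhere the log writer cannot change, such as a separate system or a signed timestamp, and compared during review.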


4. Denial of service:
• Service to customers may be denied due to non-availability of the system, as it may be affected by viruses, e-mail bombs and floods.

5. Contract Repudiation:
• There is a possibility that the electronic transaction in the form of a contract, sale order or purchase by the trading partner or customer may be denied.
• It means that an item ordered by a customer may not be delivered by the trader, or the customer cancels the order.

6. Loss or theft of data:
• The data transmitted over the Internet may be lost, duplicated, tampered with or replayed.

7. Attack from hackers:
• Web servers used for e-Commerce may be vulnerable to hackers.

8. Privacy and security:
• These issues come up at the point of hacking. There are often issues of security and privacy due to lack of personalized digital access and knowledge.

4.2. Controls in an e-business environment:

Internal control, as defined in accounting and auditing, is a process for assuring achievement of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies. In the e-commerce era, we need to implement controls on each and every person involved in the chain. These are:
• Users - It is important to ensure that the genuine user is using the e-commerce & m-commerce platform. There is a risk if user accounts are hacked & hackers buy products.
• Sellers / Buyers / Merchants - These people need a proper framework in place to ensure the success of the business, and need to put controls on price, catalogue, discount schemes etc.
• Government - Governments across the world and in India have a few critical concerns vis-à-vis electronic transactions, namely (1) tax accounting of all products / services sold, and (2) that all products / services sold are legal.
• Network Service Providers - They need to ensure availability and security of the network. Any downtime of the network can be disastrous for business.
• Technology Service Providers - Includes cloud computing back-ends, application back-ends and the like. They are also prone to risks of availability and security.
• Logistics Service Providers - Logistics service providers are the ones who are finally responsible for timely product deliveries.
• Payment Gateways - E-commerce vendors' business shall run only when their payment gateways are efficient, effective and foolproof.


The aforesaid controls are useless unless the participants are trained and made aware of the risks and the ways to control them. So, the following steps are to be taken in order to minimize the risk of failure of controls:

(a) Educating the participants about the nature of risks:
Every participant needs to be educated / sensitized towards the risks associated with such transactions. Organizations need to put in place infrastructure / policy guidelines for the same. These policies may include the following:
• Frequency and nature of education programs.
• The participants for such programs.

(b) Communication of organizational policies to its customers:
To avoid customer dissatisfaction and disputes, it is necessary to make the following information clear throughout your website:
• Privacy Policies: These should be available through links on any website.
• Information security: Create a page that educates customers about any security practices and controls.
• Shipping and billing policies: These should be clear, comprehensive and available through a link on the home page during online purchase.
• Refund policies: Establish and display a clear, concise statement of the customer's refund and credit policy.

(c) Ensure Compliance with Industry Body Standards:
All e-Commerce businesses are required to comply with and adhere to rules outlined by the law of the land. In India, RBI has been releasing these standards from time to time.

(d) Protect your e-Commerce business from intrusion: Below are the types of intrusion and the related controls:
1. Viruses: Check your website daily for viruses, the presence of which can result in the loss of valuable data.
2. Hackers: Use software packages to carry out regular assessments of how vulnerable your website is to hackers.
3. Passwords: Ensure employees change these regularly and that passwords set by former employees of your organization are defunct.
4. Regular software updates: The site should always be up to date with the newest versions of security software. If you fail to do this, you leave your website vulnerable to attack.
5. Sensitive data: Consider encrypting financial information and other confidential data. Hackers or third parties will not be able to access encrypted data.

4.3. Cyber security risk considerations in an e-business environment:

Nowadays, almost all businesses have made their products / services available on online platforms. But carrying on an e-commerce business calls for consideration of Cyber Security Risks in the audit procedures. One of the most important aspects to be kept in mind during the risk assessment process is giving due consideration to the changing risks in the entity.


SA 315 recognizes that IT poses specific risks to an entity's internal control in the form of the following:
• Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both.
• Unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or non-existent transactions, or inaccurate recording of transactions. Particular risks may arise where multiple users access a common database.
• The possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties, thereby breaking down segregation of duties.
• Unauthorized changes to data in master files.
• Unauthorized changes to systems or programs.
• Failure to make necessary changes to systems or programs.
• Inappropriate manual intervention.
• Potential loss of data or inability to access data as required.

Below are the levels through which a breach can occur:
1. Network diagram detailing databases, hubs, servers, routers, internal & external network, etc.
2. Any incidents of cyber security breach which occurred, and the actions taken and controls built in to avoid them from occurring again.
3. Are the IT managers responsible for the safeguarding of the assets from cyber-attack?
4. Periodical review of access rights to all IT resources to ensure that the access given to users is commensurate with their functional roles and responsibilities.
5. Timely employee awareness campaigns focusing on methods of intrusion which can be stopped based on individual actions.
6. Use of firewalls by the Company to allow internet activity in accordance with the rules defined.
7. Any vulnerability scans or penetration testing performed by the Company, and any findings noted.
8. Are the backups scheduled properly and timely checked by restoration of data?
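The periodic access review in point 4, together with the SA 315 concern about personnel holding privileges beyond their duties and the control in section 4.2(d) that former employees' credentials must be defunct, as an added example (not code from the notes): the review compares each account's granted rights with a role entitlement matrix, flags segregation-of-duties conflicts, and reports enabled accounts that belong to staff HR shows as left or that have not been used for a long time. The role matrix, the conflict pairs, the 90-day dormancy threshold and the account and HR records are all constructed for the illustration.

```python
from datetime import date

# Constructed role entitlement matrix: what each role is allowed to hold.
ROLE_ENTITLEMENTS = {
    "sales": {"catalogue.read", "order.read"},
    "warehouse": {"order.read", "dispatch.update"},
    "finance": {"order.read", "payment.read", "refund.approve"},
    "it_admin": {"server.admin", "db.admin"},
}
# Constructed segregation-of-duties rules: pairs one person must not hold together.
SOD_CONFLICTS = [("refund.approve", "order.create"), ("db.admin", "payment.read")]
DORMANT_DAYS = 90  # assumed threshold for an unused account


def review_access(accounts, hr_records, today):
    """accounts: list of {user, role, rights, enabled, last_login};
    hr_records: {user: {"status": "active" | "left"}}.
    Returns a list of (user, finding, details) tuples for follow-up."""
    findings = []
    for a in accounts:
        rights = set(a["rights"])
        # 1. Rights beyond what the account's role entitles it to.
        excess = rights - ROLE_ENTITLEMENTS.get(a["role"], set())
        if excess:
            findings.append((a["user"], "excess_rights", sorted(excess)))
        # 2. Segregation-of-duties conflicts within one account.
        for r1, r2 in SOD_CONFLICTS:
            if r1 in rights and r2 in rights:
                findings.append((a["user"], "sod_conflict", [r1, r2]))
        if not a["enabled"]:
            continue  # a disabled account cannot be used; nothing further to flag
        # 3. Enabled account with no active HR record (former employee).
        hr = hr_records.get(a["user"])
        if hr is None or hr["status"] != "active":
            findings.append((a["user"], "former_employee_enabled", []))
        # 4. Enabled account nobody has used for longer than the threshold.
        if a["last_login"] is not None and (today - a["last_login"]).days > DORMANT_DAYS:
            findings.append((a["user"], "dormant_account", [a["last_login"].isoformat()]))
    return findings


def sample_review():
    # Constructed account export and HR extract for a review dated 31 Jan 2022.
    accounts = [
        {"user": "alice", "role": "sales", "rights": ["catalogue.read", "order.read"],
         "enabled": True, "last_login": date(2022, 1, 28)},
        {"user": "bob", "role": "warehouse",
         "rights": ["order.read", "dispatch.update", "refund.approve", "order.create"],
         "enabled": True, "last_login": date(2022, 1, 20)},
        {"user": "carol", "role": "finance",
         "rights": ["order.read", "payment.read", "refund.approve"],
         "enabled": True, "last_login": date(2021, 9, 1)},
        {"user": "dave", "role": "it_admin",
         "rights": ["server.admin", "db.admin", "payment.read"],
         "enabled": True, "last_login": date(2022, 1, 30)},
        {"user": "erin", "role": "sales", "rights": ["catalogue.read"],
         "enabled": False, "last_login": date(2021, 6, 1)},
    ]
    hr = {"alice": {"status": "active"}, "bob": {"status": "active"},
          "carol": {"status": "left"}, "dave": {"status": "active"},
          "erin": {"status": "left"}}
    return review_access(accounts, hr, date(2022, 1, 31))


if __name__ == "__main__":
    for user, finding, details in sample_review():
        print(f"{user:6} {finding:24} {details}")
```

The review joins two sources the business already holds, the access export and the HR record, which is what lets it catch the case the notes single out: an account of someone who has left but is still enabled. The role matrix and the conflict pairs are the policy; keeping them as data rather than hard-coding the checks means the same script serves the next review after the roles change.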

5. Guidelines and law governing e-commerce:

5.1. Guidelines for e-commerce / m-commerce business:
All entities going for e-commerce / m-commerce business need to create clear policy guidelines for the following matters:


Billing
Guidelines related to billing are:
1. Format of bill.
2. Details to be shared in bills.
3. Applicable GST.

Product guarantee / warranty
Proper display of product guarantee / warranty online as well as in documents sent along with the products.

Shipping
Below are the things to be put in the policy documents:
1. The shipping time.
2. Frequency of shipping.
3. The packing at the time of shipping.
This will ensure products are properly packed and timely shipped.

Delivery
Policy needs to be defined for:
1. Which mode of delivery is to be chosen – own, third party.
2. When deliveries are to be made – day time or fixed time.
3. Where deliveries are to be made – buyer's office, home, shop etc.

Return
Policy for return of goods needs to be put in place, defining:
1. Which products can be returned?
2. The number of days within which returns can be accepted.
3. The time within which the buyer shall be paid his/her amount back for goods returned.

Payment
Policy guidelines need to be created for the following payment related issues:
1. Mode of payment.
2. For which products a specific payment mode shall be there. Organisations restrict COD for a few consumable products.

5.2. Commercial law governing e-commerce:

All these transactions are covered under multiple laws, including commercial laws. The following commercial laws are applicable to e-commerce and m-commerce transactions.

Income Tax Act
1. The Income Tax Act has detailed provisions regarding taxation of income in India.
2. For e-commerce transactions, the issue of deciding the place of origin of a transaction for tax purposes is critical.

Companies Act 2013
1. The law defines all regulatory aspects for companies in India.
2. Most of the merchants in e-commerce / m-commerce business are companies, both private and public.

Foreign Trade Act, 1992
1. An Act to provide for the development & regulation of foreign trade.
2. The same is done by facilitating imports into, and augmenting exports from, India, & for matters connected therewith or incidental thereto.

The Factories Act, 1948
1. An Act to regulate the working conditions of workers.
2. The Act extends to places of storage as well as transportation. Most of the merchants in e-commerce / m-commerce business need to comply with the provisions of the Act.

The Customs Act, 1962
1. The Act defines import / export of goods / services from India and provides for the levy of appropriate customs duty.
2. E.g.: An Indian company downloads hardware being sold by a foreign company; whether the same shall be chargeable to duty of import.


The Goods and Services Tax Act, 2017 (GST)
1. This Act requires each applicable business, including e-commerce / m-commerce, to upload each sale & purchase invoice on one central IT infrastructure.
2. This mandates reconciliation of transactions between businesses, triggering of tax credits on payment of GST & facilitating filing of e-returns, etc.

Foreign Exchange Management Act (FEMA 1999)
1. This regulates foreign direct investment and the flow of foreign exchange in India.
2. E-commerce activities have been opened in a calibrated manner & an entity is permitted to undertake retail trading through e-commerce in the following circumstances:
• A manufacturer is permitted to sell its products manufactured in India through e-commerce retail.
• An Indian manufacturer is permitted to sell its own single brand products through e-commerce retail.

Consumer Protection Act, 1986
1. This law protects consumer rights.

5.3. Special law governing E-commerce:

E-commerce transactions are covered under a few other laws, as these transactions are done electronically. These are:

Information Technology Act, 2000 (As amended 2008)
1. This law governs all internet activities in India. The law is applicable to all online transactions in India, and provides for penalties and prosecution for non-compliance. Below are the objectives of the IT Act 2000:
• To grant legal recognition to transactions by electronic means.
• To give legal recognition to digital signatures for authentication of any information.
• To facilitate electronic filing of documents with Government departments.
• To facilitate electronic storage of data.
• To provide legal recognition for keeping books of account in electronic format by bankers.
• To manage cyber-crimes at national & international levels by enforcing laws.
• To amend the Indian Penal Code, Indian Evidence Act, 1972, Bankers Book Evidence Act, 1891 and RBI Act, 1934.

Reserve Bank of India, 1932
1. The law defines all regulatory aspects for companies in India.
2. Most of the merchants in e-commerce / m-commerce business are companies, both private and public.

5.4. Forces behind the E-commerce revolution:


E-commerce business is expected to grow at a rapid pace. Those businesses which have the vision to anticipate change and catch the trend before the competitors do would definitely be more successful. This is because competition in e-commerce is growing at a rapid pace and customers have an abundance of options to choose from.
It is time to gain a better understanding of the forces underpinning its emergence. Broadly speaking, they can be categorized as follows (forces behind e-commerce):


Proliferation (rapid increase) of Mobile Devices
1. The user is moving from desktop to mobile computing.
2. 55% of traffic is from mobile. The creation of mobile applications for e-commerce websites is the latest trend to drive many online shoppers who use mobile apps for online shopping.

Convergence of Mobile Telecom Network & Internet
1. Mobile internet is characterized by goal-oriented activities.
2. The transition from 3G to 5G and faster data rates, along with many new applications and services, makes the success of e-commerce possible.

Social Network
1. Social media allows consumers to buy products without even leaving the social media platform.
2. The social media tool box will help e-marketers to become familiar with their clients & at the same time will also enable customers to develop deep relationships with the merchants they buy from.

Biometrics
1. Biometric verification is a recent e-commerce technology trend that measures the physical characteristics of users such as fingerprints, palm, face, or voice.
2. With the use of biometrics, there will be no more stolen or forgotten password problems.

Artificial Intelligence (AI)
1. Artificial intelligence in e-commerce offers personalized and interactive buying experiences.
2. Chatbots, messenger bots etc. are perfect examples of AI.
3. A chatbot can offer guided, interactive browsing to consumers and provide personalized answers to customers' questions at all times.

Predictive Analysis
1. Use of predictive analysis tools is increasing to predict online customers' behaviour, buying habits, their tastes & preferences, both quantitative and qualitative.
2. The analytical approach would lead to an increase in the number of new customers.
3. Based on this information, the marketer can create unique, personalized promotions for each customer.

6. Digital Payment:
6.1. Introduction to digital payment:
Digital Payment is a way of payment which is made through digital modes. In digital payments, payer and payee both use digital modes to send and receive money. It is also called electronic payment. All the transactions in digital payments are completed online. It is an instant and convenient way to make payments. Since the evolution of online payment has been tremendous, new banking services and ways should be adapted to use various digital channels to interact with and provide services to customers. To reach out to customers at their convenience, banks are aggressively going digital. A high level of adaptability is a must for the banking sector in this highly digital and tech-savvy age, where banking transactions can happen even on a mobile or tablet with a few clicks.


Below are the traditional types of digital payment:

E-Wallet:
• An E-wallet or mobile wallet is the digital version of a physical wallet with more functionality.
• Users can keep money in an E-wallet and use it when needed.
• Some of the most used E-wallets are State Bank Buddy, ICICI Pockets, Freecharge, Paytm etc.
Credit Cards:
• A small plastic card issued by a bank or other issuer, allowing the holder to purchase goods or services on credit.
• In this mode of payment, the buyer's cash flow is not immediately impacted.
Debit Cards:
• A small plastic card issued by a bank.
• In this mode of payment, the buyer's cash flow is immediately affected.
• As soon as the payment is authorized, the buyer's account is debited.
Smart Cards:
• A smart card is a prepaid card similar to a credit card and debit card in appearance.
• It has the capacity to store the customer's personal information such as financial facts, private encryption keys, credit card information etc.
Internet Banking:
• In this mode, the customer logs in to his/her bank account and makes payments.

Below are the new methods of digital payment:

Unified Payment Interface (UPI):
• UPI is a system that powers multiple bank accounts, banking service features and merchant payments in a single mobile app.
• UPI is a payment mode which is used to make fund transfers through a mobile application.
Immediate Payment Service (IMPS):
• It is an instant interbank electronic fund transfer service through mobile phones.
Mobile Apps: BHIM (Bharat Interface for Money):
• It is a mobile app developed by the National Payments Corporation of India (NPCI) based on UPI (Unified Payment Interface).
• It facilitates e-payments directly through banks and supports all Indian banks which use that platform.
• It is built on the Immediate Payment Service infrastructure.
Mobile Wallets:
• A mobile wallet or e-wallet is one in which a person can add money to purchase various goods and services. A mobile wallet is a type of virtual wallet service that can be used by downloading an app on a smartphone and registering for the service.
• The digital or mobile wallet stores bank account or debit/credit card information in an encoded format to allow secure payments.
Aadhar Enabled Payment Service (AEPS):
• Planned for launch in the near future by the Government of India.
• AEPS is an Aadhar-based payment mode. Payment can be made using Aadhar.
• Through this, the payer can directly pay the payee through a bank account.
Mobile Banking:
• It is a service provided by a bank or other financial institution that allows its customers to conduct different types of financial transactions remotely using mobile devices.
Cryptocurrency:
• It is another electronic payment method that is growing in popularity.
• A cryptocurrency is a medium of exchange wherein records of individual coin ownership are stored in a computerized database using strong cryptography.
E-Rupi:
• The Government of India has launched a new mode of cashless and contactless digital payment.
• It is an e-voucher, which will be delivered to beneficiaries in the form of a QR code and SMS-string-based voucher through which funds will be directly transferred to their bank account.

Advantages of digital payment (Code to remember – D.R. – L.E.T.)
1. Discount for Taxes:
• The Govt. announced many discounts to encourage digital payments.
• E.g., 0.75% cash back in the account when payment is made for filling fuel.
2. Record:
• These are automatically recorded in the passbook or inside the E-Wallet app.
• This helps to maintain records, track spending and plan budgets.
3. Less Risk:
• Digital payments have less risk if used wisely.
• No one can use anyone else's money without the MPIN, PIN or fingerprint (in case of AADHAR).
4. Easy and convenient:
• Digital payments are easy and convenient.
• Persons do not need to carry loads of cash with themselves.
5. Transaction ease:
• With digital payment modes, one can pay from anywhere, anytime.

Disadvantages of digital payment (Code to remember – I. - D.O.T.)
6. Difficult for a Non-technical person:
• Payment through internet mode is somewhat difficult for non-technical persons such as farmers, workers etc.
7. Over-spending:
• With digital payment mode, one has access to all his/her money, which can result in overspending. This is not the case with cash.
8. Theft risk:
• There is a big risk of data theft associated with digital payment.
• Hackers can hack the servers of the bank or the E-Wallet a customer is using and easily get his/her personal information.
9. Increased business costs:
• This system comes with an increased need to protect sensitive information stored in the business's systems from unauthorized access.
• Costs are incurred in procuring and maintaining sophisticated payment-security technologies.


7. Computing Technologies:
Computing technology is expected to revolutionize the value-additions to the huge information component, which is growing exponentially. Now we will study various aspects of computing technology:
7.1. Virtualization:
MEANING/CONCEPT
Virtualization means creating a virtual version of a device or resource such as a server, storage device, network or even an operating system, where the framework divides the resource into one or more execution environments.

APPLICATION AREAS OF VIRTUALIZATION Code to Remember: T. – P.A.D.S.

 Testing and Training:
1. Virtualization can give root access to a virtual machine.
2. This provides a testing environment if there is an issue in the system. If the virtual system crashes, it will not affect the actual system, and within a few minutes a new virtual environment can be created.

 Portable Workplaces:
1. Portable applications are needed when running an application from a removable drive, without installing it.
2. Virtualization can be used to encapsulate (summarize) the application so that it stores temporary files, Windows registry entries and other state information in the application's installation directory and not within the system's permanent file system.
3. These devices include iPods and USB memory sticks.

 Applications:
1. Virtualization can give root access to a virtual machine.
2. This can be very useful, such as in operating system courses.

 Disaster recovery:
1. Virtual machines can be used as a "hot standby".
2. This works by providing backup images that can "boot" into live virtual machines, capable of taking over the workload of a production server experiencing an outage.

 Server consolidation:
1. Virtual machines are used to consolidate many physical servers into fewer servers.
2. Each physical server is reflected as a virtual machine "guest" residing on a virtual machine host system.
3. This is also known as "Physical-to-Virtual" or 'P2V' transformation.


COMMON TYPES OF VIRTUALIZATIONS


(A) Hardware/Platform Virtualization:
1. Refers to the creation of a virtual machine that acts like a real computer with an operating system.
2. Hardware virtualization is a method whereby one or more "virtual machines" are created to share the hardware resources of one physical computer.
3. The basic idea of hardware virtualization is to consolidate many small physical servers into one large physical server.
4. The software that creates a virtual machine on the host hardware is called a hypervisor or Virtual Machine Manager.

(B) Network Virtualization:
1. It is a method of combining the available resources in a network by splitting up the available bandwidth into channels.
2. Each channel is independent from the others, and each can be assigned (or reassigned) to a particular server or device in real time.
3. This allows a large physical network to be divided into multiple smaller logical networks and, conversely, allows multiple physical LANs to be combined into a larger logical network.
4. This consolidating and dividing of network resources allows administrators to improve network traffic control, enterprise and security.

(C) Storage Virtualization:
1. It is the pooling of data from multiple storage devices.
2. It helps the storage administrator perform the tasks of backup, archiving, and recovery.
3. Administrators can implement virtualization with software applications or by using hardware and software hybrid appliances.
4. It is sometimes described as "abstracting the logical storage from the physical storage".

7.2. Grid Computing:


Grid Computing is a computer network in which each computer's resources are shared with every other computer in the system. In the ideal grid computing system, every resource is shared, turning a computer network into a powerful supercomputer.

Benefits of Grid Computing (Code to Remember: U.R. - V.R. - C.A.M.)
Virtual resources:
1. Users of grid computing can be organized into a number of virtual entities.
2. These virtual entities can share their resources such as data, specialized devices, software, services, licenses and so on, collectively as a larger grid.
3. The grid can help in enforcing security rules among them and implementing policies.
Reliability:
1. Conventional computer systems use expensive hardware to increase reliability.
2. Such systems use duplicate processors, ensuring replacement of any computer without turning off the others.
3. The systems are operated on special power sources that can start generators if utility power is interrupted.
CPU Capacity:
1. The potential for usage of massive parallel CPU capacity is one of the most common visions and attractive features of a grid.
2. A CPU-intensive grid application can be thought of as many smaller sub-jobs, each executing on a different machine in the grid.
3. Due to the availability of multiple processors, applications are computed in very little time.
Access to resources:
1. A grid can provide access to other resources as well.
2. E.g., if a user needs higher Internet bandwidth, then instead of shelling out money, the user can divide the work among grid machines having independent Internet connections.
Resource Balancing:
1. A grid can offer a resource balancing effect by scheduling grid jobs on machines with low utilization and of least priority.
2. This feature of grid computing handles occasional peak loads of activity in parts of a larger organization. In case of peak loads, activities can be diverted to idle machines.
Management:
1. The grid offers management of priorities among different projects and aggregation of utilization data over a larger set of projects.
2. When maintenance is required, grid work can be rerouted to other machines without crippling (harming) the projects involved.
Underutilized Resources:
1. Grid computing provides a framework for exploiting underutilized resources and thus has the possibility of substantially increasing the efficiency of resource usage.
2. Grid computing can be used to aggregate this unused storage into a much larger virtual data store to achieve improved performance and reliability.

Resources of Grid Computing


A grid is a collection of machines, sometimes referred to as nodes, resources, members, donors, clients, hosts and many other such terms. Some resources may be used by all users of the grid. Some of them are as follows:
Computation:
1. Computing cycles provided by the processors of machines on the grid, where processors can vary in speed, architecture and other factors.
2. These factors include memory, storage, connectivity etc. There are three ways of exploiting the computation resources of a grid:
 To run an existing application on an available machine on the grid rather than locally.
 To use an application designed to split its work in a way that multiple applications run in parallel.
Storage:
1. The second most common resource used in a grid is data storage.
2. A grid providing an integrated view of data storage is sometimes called a Data Grid. Each machine on the grid usually provides some quantity of storage for grid use.
3. Storage can be memory attached to a processor or it can be secondary storage, using hard disk drives or other storage media.
Communications:
1. Communications within the grid are important for sending jobs and their required data to points within the grid.
2. The bandwidth available for such communications is a critical resource that can limit utilization of the grid.
3. In some cases, higher speed networks must be provided to meet the demands of jobs transferring larger amounts of data.
Software and Licenses:
1. The grid may have software installed that may be too expensive to install on every grid machine.
2. Some software licensing arrangements permit the software to be installed on all of the machines of a grid but may limit the number of installations that can be simultaneously used at any given point of time. (Remember it is grid computing)
3. License management software keeps track of how many concurrent copies of the software are being used and prevents more than that number from executing at any given time.
Special equipment, capacities, architectures and policies:
1. Platforms on the grid may have different architectures, operating systems, devices, capacities and equipment.
2. Each of these items represents a different kind of resource that the grid can use as criteria for assigning jobs to machines. E.g., some machines may be designated to only be used for medical research.
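As an added illustration (not from these notes), the Python sketch below shows how a grid scheduler could apply the resources and benefits just listed: it filters nodes on architecture and policy (the "medical research only" case), places each job on the least-utilised eligible node (resource balancing), and refuses to start more copies of licensed software than the licence permits (license management). The node names, the placeholder product "solver-pro" and the load figures are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Machine:
    """One grid node. All attribute values used below are constructed for the example."""
    name: str
    arch: str                      # processor architecture, e.g. "x86_64"
    cores: int
    policy: str = "any"            # "any", or the one purpose the node is reserved for
    load: float = 0.0              # fraction of the node's cores already in use


@dataclass
class Job:
    name: str
    arch: str                      # architecture the job's binary was built for
    purpose: str = "general"       # must match a reserved node's policy to use it
    licence: Optional[str] = None  # licensed product the job needs, if any


class LicenceManager:
    """Counts concurrent copies per product and refuses the copy beyond the limit."""
    def __init__(self, limits: Dict[str, int]) -> None:
        self.limits = dict(limits)
        self.in_use = {product: 0 for product in limits}

    def acquire(self, product: Optional[str]) -> bool:
        if product is None:
            return True                          # job needs no licensed software
        if product not in self.limits:
            raise KeyError(f"unknown product {product!r}")
        if self.in_use[product] >= self.limits[product]:
            return False                         # every concurrent seat is taken
        self.in_use[product] += 1
        return True

    def release(self, product: Optional[str]) -> None:
        if product is not None and self.in_use[product] > 0:
            self.in_use[product] -= 1


class GridScheduler:
    def __init__(self, machines: List[Machine], licences: LicenceManager) -> None:
        self.machines = {m.name: m for m in machines}
        self.licences = licences
        self.assignments: Dict[str, str] = {}    # job name -> node name

    def eligible(self, job: Job) -> List[Machine]:
        """Apply the assignment criteria: architecture, policy and spare capacity."""
        return [m for m in self.machines.values()
                if m.arch == job.arch
                and m.policy in ("any", job.purpose)
                and m.load < 1.0]

    def schedule(self, job: Job) -> Optional[str]:
        """Place the job; return the node name, or None if the job has to wait."""
        if not self.licences.acquire(job.licence):
            return None                          # licence cap reached: job queues
        candidates = self.eligible(job)
        if not candidates:
            self.licences.release(job.licence)   # never hold a seat for an unplaceable job
            return None
        # Resource balancing: least-utilised node first; a bigger node breaks ties.
        best = min(candidates, key=lambda m: (m.load, -m.cores))
        best.load = min(1.0, best.load + 1.0 / best.cores)
        self.assignments[job.name] = best.name
        return best.name

    def complete(self, job: Job) -> None:
        """Job finished: give back its share of the node and its licence seat."""
        node = self.machines[self.assignments.pop(job.name)]
        node.load = max(0.0, node.load - 1.0 / node.cores)
        self.licences.release(job.licence)


def demo() -> Dict[str, Optional[str]]:
    """Run four constructed jobs through a four-node grid; returns job -> node."""
    grid = GridScheduler(
        [Machine("node-a", "x86_64", cores=8, load=0.5),
         Machine("node-b", "x86_64", cores=4),
         Machine("med-1", "x86_64", cores=16, policy="medical"),
         Machine("arm-1", "arm64", cores=4)],
        LicenceManager({"solver-pro": 1}),       # one concurrent seat; placeholder product
    )
    j1 = Job("render-1", "x86_64", licence="solver-pro")
    j2 = Job("render-2", "x86_64", licence="solver-pro")
    j3 = Job("scan-analysis", "x86_64", purpose="medical")
    j4 = Job("telemetry", "arm64")
    placed = {}
    placed[j1.name] = grid.schedule(j1)          # node-b: idle, and med-1 is reserved
    placed[j2.name] = grid.schedule(j2)          # None: the only licence seat is taken
    placed[j3.name] = grid.schedule(j3)          # med-1: its policy matches the purpose
    placed[j4.name] = grid.schedule(j4)          # arm-1: the only arm64 node
    grid.complete(j1)                            # frees the seat ...
    placed["render-2-retry"] = grid.schedule(j2)  # ... so the queued job lands on node-b
    return placed
```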

Grid computing security

To develop a security architecture, the following constraints are taken from the characteristics of the grid environment and application:
Code to Remember: D.S. - S.P.I.C.E.S. (DS group spices)
Data Management:
1. Users' data-intensive, high-performance computing applications in grid computing require the efficient management and transfer of huge data.
Standardization:
1. Grid computing, as a highly integrated system, involves multi-purpose protocols and interfaces to resolve the issues.
2. Standardizing these protocols and interfaces is a big issue in grid computing.
Single Sign-on:
1. A user should authenticate once and then be able to acquire resources, use them and release them.
2. The same is to be communicated internally without any further authentication.
Policy for securing group communication:
1. In a communication, there are various processes which coordinate their activities. This coordination must be secured.
Interoperability with local security solution:
1. Access to local resources should have a local security policy at the local level.
2. There is an inter-domain security server for providing security to local resources.
Credential protection:
1. User passwords, private keys, etc. should be protected.
Exportability:
1. Code should be exportable, i.e., it cannot use a large number of encryptions at a time, and there should be a minimum of communication at a time.
Support for multiple implementations:
1. There should be a security policy which provides security to multiple sources based on public and private key cryptography.

7.3. Cloud Computing:


“The Cloud” refers to applications, services, and data storage on the Internet. Cloud computing is the use of these services by individuals and organizations. The best example of cloud computing is Google Apps, which can be opened in any web browser and whose applications can be installed. Now we will study cloud computing in detail:
Cloud computing is a combination of software- and hardware-based computing resources delivered as a networked service. This model of IT-enabled services enables anytime access to a shared pool of applications and resources. These applications and resources can be accessed using a simple front-end interface such as a Web browser, thus enabling users to access the resources from any client device including notebooks, desktops and mobile devices.

Characteristic of cloud computing 


Code to Remember: M.P. – M.O.R.E.
1. Movement of workload:
(a) Cloud-computing providers can distribute workloads across servers both inside the data center and across data centers.
(b) This results in cost reduction and also an increase in efficiency.
2. Pay per use:
(a) We pay for cloud services only when we use them,
(b) whether for the short term or for the long term.
3. Multi-tenancy:
(a) Public cloud service providers often can host the cloud services for multiple users within the same infrastructure.
(b) Server and storage isolation may be physical or virtual depending upon the specific user requirements.
4. On-Demand:
(a) With cloud services there is no need to have dedicated resources waiting to be used, as is the case with internal services.
5. Resiliency (i.e., flexibility):
(a) The resiliency of a cloud service offering can completely isolate the failure of server and storage resources from cloud users.
(b) Work is migrated to a different physical resource in the cloud with or without user awareness and intervention.
6. Elasticity and scalability:
(a) Cloud computing gives us the ability to expand and reduce resources according to the specific requirement.
(b) For example, we can use the resources of cloud computing for a specific task and then release them once the task is over.

Advantages of cloud computing


Code to Remember: G. – F.R.A.M.E.S.
(Importance of cloud computing is great, get it frames)
1. Globalize the workforce:
(a) People worldwide can access the cloud with an Internet connection.
2. Flexibility improvement:
(a) It is possible to make fast changes in our work environment without creating any issues.
3. Reduce spending on technology infrastructure:
(a) Data and information can be accessed with minimal spending.
(b) Such spending can be done in a pay-as-you-go approach, which is based on demand.
4. Accessibility:
(a) Data and applications can be accessed anytime, anywhere, using any smart computing device, making our life so much easier.
5. Monitoring of projects:
(a) It is feasible to confine within budgetary allocations. It means that it is easy to monitor whether any project is exceeding the allocated budget amount.
6. Economies of scale:
(a) Volume output or productivity can be increased even with fewer systems, and thus
(b) the cost per unit of a project or product is reduced.
7. Streamline business processes:
(a) Getting more work done in less time with fewer resources is possible.


Drawback of cloud computing 


Code to Remember: D.R.I.N.K.
(Drinking is bad, hence the drawback)
1. Difficulty in Interoperability:
(a) Interoperability is an issue wherein all the applications may not reside with a single cloud vendor, and two vendors may have applications that do not cooperate with each other.
(b) Here "Interoperability" means the ability of two or more applications that are required to support a business need to work together.
2. Restriction on availability:
(a) Customers may have to face restrictions on the availability of applications, operating systems and infrastructure options.
(b) This is because various vendors offer different services.
3. Internet Connection absence:
(a) If the Internet connection is lost, the link to the cloud and thereby to the data and applications is lost.
4. No control over resources:
(a) Although cloud computing supports scalability (i.e., quickly scaling up and down computing resources depending on the need),
(b) it does not permit control over these resources, as these are not owned by the user or customer.
5. Monitoring of projects:
(a) It is feasible to confine within budgetary allocations. It means that it is easy to monitor whether any project is exceeding the allocated budget amount.

Cloud computing environment


The cloud computing environment can consist of multiple types of clouds based on their deployment and usage. Below are the types of cloud computing.

Private Cloud
A private cloud is a proprietary network or a data center that supplies hosted services to a limited number of people. These are typically deployed within an organization's own internal ecosystem. This private cloud can be managed as:
• On-Premise Private Cloud: The cloud is private to the organization and managed by a single entity.
• Outsourced Private Cloud: The private cloud is managed by a third party.

Below are the characteristics of a private cloud:
(a) Secure:
• The private cloud is managed by the organization itself, hence there is less chance of data being stolen and leaked out.
(b) Central Control:
• The private cloud is managed by the organization itself, so there is no need to rely on an outside agency; this results in central control by the entity.


(c) Weak Service Level Agreement:
• SLAs are agreements between the user and the service provider. However, in the case of a private cloud the SLA is weak, since this type of networking is between the organization and users of the same organization.

ADVANTAGES OF PRIVATE CLOUD:
Let us assume that you are working in an organization where there is much emphasis on IT-related security. So, I am dividing the benefits into 2 parts:
(a) For the Organization:
• Improves the average server utilization; usage of low-cost servers and hardware.
• Small in size; controlled and maintained by the organization.
(b) For Users:
• Provides a high level of security and privacy to the users.

Public Cloud
A public cloud sells services to anyone on the Internet. (Currently, Amazon Web Services is the largest public cloud provider.) Public cloud services may be free or offered on a pay-per-usage model. This environment can be used by the general public. Below are the characteristics:
Code to Remember: S.A.L.S.A.
(a) Scalable:
• The resources and the users in the public cloud are large, and the service provider has to grant all the requests. Hence public clouds are considered to be scalable (able to be changed in size or scale).
(b) Affordable:
• In this case, the user pays only for what he or she is using, and this doesn't involve any cost related to the deployment.
(c) Less Secure:
• Since it is offered by a third party and they have full control over the cloud, it is less secure as compared to an on-premises private cloud.
(d) Stringent SLAs:
• Since there is a Service Level Agreement between the service provider and users, and the reputation of the service provider is dependent on that, they follow the SLA very strictly.
(e) Available:
• It is highly available since anyone can link to the public cloud with the proper permission.

ADVANTAGES OF PUBLIC CLOUD:
(a) It is widely used in the development, deployment and management of enterprise applications, at affordable costs.
(b) Easy and inexpensive set-up because hardware, application and bandwidth costs are covered by the provider.
(c) Scalability to meet needs.
(d) No wasted resources because you pay for what you use.
(e) Strict SLAs are followed.


Hybrid Cloud
A hybrid storage cloud uses a combination of public and private storage clouds. Hybrid storage clouds are often useful for archiving and backup functions, allowing local data to be replicated to a public cloud. E.g., a business may choose to run an ERP system from its private cloud and utilize a public cloud for offsite backup and disaster recovery purposes.

CHARACTERISTICS OF HYBRID CLOUD:
(a) Scalable:
• A hybrid cloud has the property of the public cloud, hence it is scalable.
(b) Partly Secure:
• The public cloud is more vulnerable and is subject to a high risk of security breach. As such the hybrid cloud is not fully secure, hence partly secure.
(c) Stringent SLAs:
• Since there is a Service Level Agreement between the service provider and users, and the reputation of the service provider is dependent on that, they follow the SLA very strictly.
(d) Complex Cloud Management:
• Since the hybrid model comprises more than one deployment model and the number of users is also very large, managing it is complex.

Community Cloud
Here the cloud is shared by persons of one community, hence the name. In this type of cloud, the infrastructure is provisioned for a specific community, e.g., one with shared mission or security requirements.

CHARACTERISTICS OF COMMUNITY CLOUD:
(a) Cost effective:
• Since the community cloud is shared by several organizations, it is cost effective too.
(b) Partly Secure:
• The community cloud is more vulnerable and is subject to a high risk of security breach since different organizations share the cloud.
(c) Collaborative and Distributive Maintenance:
• Since the cloud is shared among various organizations, the control is distributed, and hence better cooperation provides better results.

[Figure: a community cloud shared by two private organizations, each with User 1, User 2 and User 3]


ADVANTAGE OF COMMUNITY CLOUD:


(a) It allows establishing a low-cost private cloud.
(b) It allows collaborative work on the cloud.
(c) It allows sharing of responsibilities among the organizations.
(d) It has better security than the public cloud.

Cloud computing service model 


Cloud computing is a model that enables end users to access a shared pool of resources such as compute, network, storage, database and application as an on-demand service without the need to buy or own it. It means "no need to buy". The National Institute of Standards and Technology (NIST) defines three basic service models - Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).

1. Infrastructure as a Service (IaaS):
(a) Provides computing resources such as processing power, memory, storage, and networks for cloud users to run their applications on demand.
(b) This allows users to maximize utilization of computing capacities without having to own and manage their own resources.
(c) The end users use the infrastructure in the form of Virtual Machines (VMs).
(d) Examples of IaaS providers include Amazon Web Services (AWS), Google Compute Engine, OpenStack and Eucalyptus.

Following are the characteristics of IaaS:
Code to Remember: M. – W.I.S.E.
1. Management is centralized:
• Resources distributed across different places can be controlled from any management console, which ensures effective resource management.
2. Web access to the resources:
• IaaS enables the users to access the infrastructure resources over the internet.
3. Infrastructure sharing:
• In IaaS, different users share the same physical infrastructure, thus ensuring high resource utilization.
4. Metered Services:
• IaaS allows the user not to buy the computing resources but to rent them. The user is charged as per the usage.
5. Elasticity and dynamic Scaling:
• The IaaS service provider can increase or decrease the usage of resources depending on the load.

Different instances of IaaS:
(a) Network-as-a-Service (NaaS):
1. Provides the user with data communication capacity to accommodate bursts in data traffic.
2. It allows the user to access virtual network services provided by the service provider,
3. over the internet on a pay-per-use basis.
(b) Storage as a Service (STaaS):
1. Provides the storage infrastructure on a subscription basis to those who want a low-cost way to store data.
2. STaaS allows the user to access the files at any time from any place.
(c) Database as a Service (DBaaS):
1. Provides the user a mechanism to create, store and access databases at a host site.
2. Users pay on a pay-per-use basis and can access the database.
3. End users can access the database through a web user interface.
(d) Backend as a Service:
1. Provides mobile app and web developers a way to connect their application to backend cloud storage.
(e) Desktop as a Service (DTaaS):
1. Users can use desktop virtualization without spending on infrastructure.
2. Here the service provider manages the backend responsibilities of data storage, backup, security etc.
3. Users are responsible for securing and managing their own desktop images, applications etc.

2. Platform as a Service (PaaS):
(a) PaaS provides users the ability to develop and deploy an application on the development platform provided by the service provider.
(b) PaaS services can consist of preconfigured features that customers can subscribe to; they can choose to include features that meet their requirements while discarding those that do not.

3. Software as a Service (SaaS):
(a) Software-as-a-Service is a cloud service where consumers are able to access software applications over the internet.
(b) The programs developed by the software developers are accessed by the customers through the browser, and the customers pay fees for their usage.
(c) Users don't have to worry about the installation, setup and running of the application. The service provider does that.


Different instances of SaaS: (TEA is SaaS-breath for me)
(a) Testing as a Service (TaaS):
Provides users with software testing capabilities such as generation of test data, generation of test cases, execution of test cases and test result evaluation on a pay-per-use basis.
(b) Email as a Service (EaaS):
Provides users with an integrated system of emailing, office automation, records management, migration, and integration services with archiving, spam blocking, malware protection, and compliance features.
(c) API as a Service (APIaaS):
Allows users to explore the functionality of Web services such as Google Maps, payroll processing, and credit card processing services etc.

4. Other cloud service models:
Communication as a Service (CaaS):
1. It is an outsourced enterprise communication solution that can be leased from a single vendor.
2. The CaaS vendor is responsible for all hardware and software management.
3. As the name suggests, the business need not worry about the large capital investment required for video conferencing, voice over IP etc.
Data as a Service (DaaS):
1. Provides data on demand to multiple users.
2. Data may include images, sounds and videos.
3. DaaS users have access to high quality data in a centralized place and pay by volume or data type needed.
Security as a Service (SECaaS):
1. It is an ability given to the end user to access the security service provided by the service provider on a pay-per-use basis.
2. Under this service, cloud security is moved into the cloud itself, whereby cloud service users will be protected from within the cloud using a unified approach to threats.
Identity as a Service (IDaaS):
1. It is an ability given to the end users to access the authentication infrastructure that is built, hosted, managed and provided by a third-party service provider.
2. IDaaS includes directory services, authentication services, risk and event monitoring etc.

5. Pertinent Issues related to Cloud Computing:


Threshold policy
• The main objective of implementing a threshold policy is to inform cloud computing service consumers and providers what they should do.
• The only legal document between the customer and the service provider is the Service Level Agreement (SLA). This document contains all the agreements between the customer and the service provider.
• It contains what the service provider is doing and is willing to do. A carefully drafted threshold policy outlines what cloud computing service consumers and providers should do. It is important to consider how the cloud service provider will handle sudden increases or decreases in demand. How will unused resources be allocated?
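In practice a threshold policy is written down as numbers: a utilisation band, a floor and ceiling on the resources the consumer pays for, and a cooldown so the provider does not add and remove capacity every period. The Python below is an added illustration (not from these notes or any provider's API): the thresholds, instance bounds and utilisation samples are constructed, and the "at-ceiling" and "at-floor" outcomes mark exactly the two situations the notes say the policy must address, a sudden increase the agreed ceiling cannot absorb and unused resources that stay allocated (and billed).

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ThresholdPolicy:
    """Figures a consumer and provider would agree in the SLA. Values are constructed."""
    scale_out_above: float = 0.75   # utilisation above which capacity is added
    scale_in_below: float = 0.30    # utilisation below which capacity is released
    min_instances: int = 2          # floor: what the consumer always keeps running
    max_instances: int = 4          # ceiling: caps the consumer's bill
    cooldown: int = 1               # periods to wait after a change before the next one
    step: int = 1                   # instances added or removed per change


class Autoscaler:
    """Applies a ThresholdPolicy to one utilisation sample per period."""

    def __init__(self, policy: ThresholdPolicy, instances: int) -> None:
        if policy.scale_in_below >= policy.scale_out_above:
            raise ValueError("scale-in threshold must sit below the scale-out threshold")
        if not policy.min_instances <= instances <= policy.max_instances:
            raise ValueError("starting size is outside [min_instances, max_instances]")
        self.policy = policy
        self.instances = instances
        self.since_change = policy.cooldown      # no cooldown applies to the first sample

    def observe(self, utilisation: float) -> Tuple[int, str]:
        """Feed one period's average utilisation (0.0..1.0); return (instances, action)."""
        if not 0.0 <= utilisation <= 1.0:
            raise ValueError("utilisation must be a fraction between 0 and 1")
        p = self.policy
        self.since_change += 1
        if self.since_change <= p.cooldown:
            return self.instances, "cooldown"    # let the previous change take effect
        if utilisation > p.scale_out_above:
            if self.instances >= p.max_instances:
                return self.instances, "at-ceiling"  # demand exceeds what the SLA allows
            self.instances = min(p.max_instances, self.instances + p.step)
            self.since_change = 0
            return self.instances, "scale-out"
        if utilisation < p.scale_in_below:
            if self.instances <= p.min_instances:
                return self.instances, "at-floor"    # unused capacity stays, and is billed
            self.instances = max(p.min_instances, self.instances - p.step)
            self.since_change = 0
            return self.instances, "scale-in"
        return self.instances, "hold"            # inside the band: do nothing


def demo() -> List[Tuple[float, int, str]]:
    """Replay a constructed demand spike and drop; returns (utilisation, instances, action)."""
    samples = [0.40, 0.85, 0.90, 0.95, 0.95, 0.95, 0.20, 0.10, 0.10, 0.10, 0.10]
    scaler = Autoscaler(ThresholdPolicy(), instances=2)
    trace = []
    for utilisation in samples:
        instances, action = scaler.observe(utilisation)
        trace.append((utilisation, instances, action))
    return trace
```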


Hidden costs
• Such costs may include higher network charges for storage and database applications.

Interoperability issues
• If a company enters into a contract with one cloud computing vendor, it may find it
difficult to change to another computing vendor that has proprietary APIs (Application
Programming Interfaces) and different formats for importing and exporting data.
• Industry cloud computing standards do not exist for APIs or formats for importing and
exporting data. This creates problems of achieving interoperability of applications
between two cloud computing vendors.

Unexpected behavior
• An application may perform well at the company’s internal data center. It does not
necessarily imply that the application will perform the same way in the cloud.
• Therefore, it is essential to test its performance in the cloud for unexpected behavior.
Testing may include monitoring the application behavior on sudden increase in demand
for resources and how it allocates unused resources.

Security issues
• The important security issues with cloud computing are- the management of the data
might not be fully trustworthy; the risk of malicious insider attacks in the cloud; and
failing of cloud services.
• Maintaining confidentiality is one of the major issues faced in cloud systems because
information is stored at a remote location which can be accessed by the service
provider.
• Data confidentiality can be preserved by encrypting data. Sharing of resources over a
remote location may violate the confidentiality of users’ IT assets. It must be ensured that
there is a degree of isolation between these users.

Software development in cloud

• Developers may face complexity of building secure applications that may be hosted in
the cloud. The speed at which applications will change in the cloud will affect both the
System Development Life Cycle (SDLC) and security. Project managers must ensure that
their application development processes are flexible enough to keep up with changes.

Bugs in Large-Scale Distributed Systems

• One of the difficult challenges in Cloud Computing is removing errors in these very
large-scale distributed systems.

7.4. Mobile Computing:


A technology that allows transmission of data, via a computer, without having to be
connected to a fixed physical link. Mobile voice communication is widely established
throughout the world and has had a very rapid increase in the number of subscribers to
the various cellular networks over the last few years. An extension of this technology is
the ability to send and receive data across these cellular networks. This is the principle of
mobile computing. Mobile data communication has become a very important and rapidly
evolving technology as it allows users to transmit data from remote locations to other
remote or fixed locations. A scenario of mobile computing is provided as below:

Components Of Mobile Computing


(a) Mobile Communication:
1. Refers to the infrastructure that ensures a seamless & reliable connection.
2. It includes properties, protocols, data formats etc.
(b) Mobile Hardware:
1. The component that receives the service of mobility, e.g., Mobile Hardware includes
laptops, smart phones etc.
2. At the back end, various application and database servers allow the device to communicate
with the internet.
3. The characteristics of mobile computing hardware depend on size, form factor,
and primary or secondary storage.
(c) Mobile Software:
1. The program that runs on mobile hardware & deals with the requirements of the mobile
application.
2. It is the operating system of the device that makes the device operate.

Working Of Mobile Computing

 The user enters or accesses data using the application on a hand-held computing device.
 Using one of several connecting technologies, the data are then transmitted from the hand-
held device to the site’s information system, where files are updated and the new data are
accessible to other system users.
 Now both systems (hand-held and site’s computer) have the same information and are
in sync.
 The process works the same way starting from the other direction.

Benefits Of Mobile Computing


In a company there is a director, Mr. A. His subordinate Mr. B, regional director of the
Faridabad region, is in a meeting, and has a field worker Mr. C who does all the
marketing work. Now we will discuss the benefits of mobile computing:

1. Mobile computing enables access to work details like order status, contact
information, service contracts etc. (Mr. B is in a meeting and requires all data related
to the contract.)
2. It enables a mobile salesperson to update work order status in real time. (Mr. C, who is
doing field work, will update his work when finished.)
3. Mr. A (director) of the company can access the complete corporate information from
anywhere and at any time. (Mr. A can see, at any time, the information about the
contract.)
4. Provides remote access to the corporate knowledge base at the job location.
5. Improves management efficiency by enhancing quality information, excellent
information communication etc.

Limitations of Mobile Computing


Code to Remember: B.S.P. - H. – H.T.
(BSP Hawala in Hindustan Times)

(a) Bandwidth insufficient:

1. It is slower than direct cable connections.
2. These networks are usually available within the range of a phone tower. Higher
speed wireless LANs are inexpensive but have very limited range.

(b) Security standards:

1. When a mobile device connects, one is dependent on a public network, i.e., on the use of a
Virtual Private Network (VPN).
2. One can easily attack a VPN since a huge number of networks are interconnected over
the line.

(c) Power consumption:

1. When not connected to a power supply, a mobile device is dependent on the battery built into it.
2. As such, to keep the mobile working for a longer time, expensive batteries are used.
Mobile computing should also look into Greener IT in such a way that it saves
power or increases battery life.

(d) Human interface with the device:

1. Input devices on mobiles, such as the keyboard, are small in size and hence hard to use.
2. This results in problems in communicating.

(e) Health Hazards:

1. People often use the phone while driving, which is a major cause of accidents.
2. It is hazardous to health, as it is believed that cell phone signals may cause
problems.

(f) Transmission Interference:

1. Geographical conditions such as hilly areas, tunnels etc. may hinder good transmission.

7.5. Green Computing:

GREEN IT refers to the study and practice of establishing/using computers and IT resources
in a more efficient and environmentally friendly way. Computers consume a lot of natural
resources, such as power, and disposing of them creates problems. Below are the reasons for
going green in computing:
(a) Reducing the use of hazardous materials.
(b) Maximize energy efficiency during the product’s lifetime & promote recyclability.
(c) Implementation of energy-efficient CPUs, servers and peripherals.
(d) Reduce resource consumption and ensure proper disposal of electronic waste (e-waste).

Green computing best practices


Government regulation, however well-intentioned, is only part of an overall green
computing philosophy. The work habits of computer users and businesses can be modified
to minimize adverse impact on the global environment. Some of such steps for Green IT
include the following.

(a) Develop a sustainable green Computing plan:


1. Involve stakeholders to include checklist, recycling policies for disposal of used
components & equipment.
2. Involve power usage, reduction of consumption of papers, recycling old machines &
equipment.
3. Use cloud computing so that multiple organizations share same computing resources.
4. On-going communication about and campus commitment to green IT best practices
to produce notable results.
(b) Recycle:
1. Dispose e-waste as per regulations.
2. Discard unwanted equipment in environmentally responsible manner.
3. Manufacturers must provide option how to dispose equipment when become
unusable.
(c) Make environmentally sound purchase decisions:
1. Purchase of laptops, desktops based on environmental attributes.
2. Clear policy in respect of designing of the product.
3. Recognize manufacturer efforts to reduce the environmental impact of products by
reducing or eliminating environmentally sensitive materials.

(d) Reduced Paper Consumption:

1. More use of emails, resulting in saving of paper.
2. For marketing and advertising, on-line marketing is best and will reduce paper wastage.
3. Use both sides of the paper while printing any document.
(e) Conserve Energy:
1. Use notebook computers rather than desktop computers whenever possible.
2. Use Liquid Crystal Display (LCD) monitors rather than Cathode Ray Tube (CRT)
monitors.
3. Power-down the CPU and all peripherals during extended periods of inactivity.
4. Power-up and power-down energy-intensive peripherals such as laser printers
according to need.

7.6. Bring your own Devices:


BYOD is an abbreviation for BRING YOUR OWN DEVICE, and refers to the idea of people
bringing their personally-owned computing devices, such as laptops, tablets or smart
phones, for use at their place of work. It commonly refers to employees bringing along their
own devices to the office in order to access corporate networks and business data etc.
From the employee’s perspective: Use of personal devices may be more convenient and user-
friendly, thus enhancing employee morale and productivity, and making the company look
like a flexible, attractive employer.
From the employer’s perspective: It can be advantageous for businesses because it saves money
on the purchase of computing equipment and removes the need for extensive IT support,
therefore allowing companies to concentrate on broader issues. BYOD policy has rendered
workplaces flexible, empowering employees to be mobile and giving them the right to work
even beyond their working hours.

Advantages of BYOD: Code to Remember: H.I.R.E2


1. Employees use their own devices at work. It lowers their burden since they have to carry
only their own device, not an organizational device – (Happy Employees)

2. Since employees bring their own devices, this results in a decrease in the outlay of the
organization. (Organizations need not purchase devices for their employees) –
(Lower IT budgets)

3. Since the devices belong to the employees, there is cost saving as IT doesn’t have to provide
user support and maintenance activities – (Reduced IT support requirement)

4. On a self-owned device, the user is efficient in working on his own device. In case he works on
other devices, some learning phase is involved – (Increased Employee efficiency).

5. Employees are generally proactive in adoption of new technologies, which results in
enhanced productivity of employees leading to overall growth of business – (Early
adoption of new Technologies)

Emerging BYOD threats:


Code to Remember: I. - A.N.D. (I AND me are 2 dangerous words- Threats)

1. Implementation risks:
(a) It is exemplified and regarded as “Weak BYOD policy”.
(b) BYOD implementation must not cover only the technical aspects but also demands a
robust (strong) policy.
(c) A weak BYOD policy may result in the failure to communicate employee
expectations, thereby increasing the chances of device misuse.

2. Application risks:
(a) In general, employees’ phones or smart devices that are connected to the
corporate network are not protected by security software.
(b) Due to the increased use of mobile and similar devices, the vulnerabilities have increased
consequently.

3. Network risks:
(a) It is exemplified and regarded as “Lack of device visibility”.
(b) When employees use company assets, the IT department of the organization has full
control over such devices and complete visibility of the devices connected to the network;
with personally owned devices this visibility is lost.

4. Device risks:
(a) It is exemplified (illustrated) in “Loss of Device”.
(b) Lost or stolen computing devices or mobile phones can result in an adverse impact on the
company, as these devices contain vital information about the company. With easy
access to company mails, one can easily obtain the trade secrets of the organization.

7.7. WEB 3.0


Web 3.0 is also known as the semantic Web. In it, websites are such that computers
generate raw data on their own without direct user interaction. Web 3.0 uses semantic
web technology, drag-and-drop mashups, and consolidation of web content depending on the
interest of the individual user. It is based on the “DATA WEB” technology, in which
data records are publishable and reusable through query formats. These systems are capable of
thinking on their own and finding the most preferable answer to the query of the user.

Below are 2 components of Web 3.0:

1. Semantic Web:
• Provides the user a common platform where data can be used across various
organisation, applications and community boundaries. The data is readily available so
that machines are able to analyze the data on their own.
2. Web Services:
• It is software that supports computer-to-computer interaction over the internet.

7.8. INTERNET OF THINGS (IoT)


Definition
It is a system of interrelated computing devices, mechanical and digital machines, objects,
animals or people that are provided with unique identifiers and the ability to transfer data
over a network. For example, washing machines with Wi-Fi networking capabilities, Wi-Fi
enabled water purifiers etc.

Applications
(a) All home appliances to be connected and that shall create a virtual home. Home owners
can keep track of all activities in house through their hand-held devices. Home security
CCTV is also monitored through hand held devices.
(b) Office machines shall be connected through net.
(c) Governments can keep track of resource utilizations / extra support needed.
(d) Some Definitions:
Wearables:
 Wearables are an important potential IoT application, like the Apple smartwatch.
Smart City:
 Smart city is a big innovation.
 It spans a wide variety of use cases, from water distribution and traffic management
to waste management etc.
Smart Grids:
 Smart grids are another area of IoT technology.
 A smart grid promises to extract information on the behaviors of consumers and
electricity suppliers in an automated way to improve efficiency & reliability of
electricity distribution.
Industrial Internet of Things (IoT):
 Industrial IoT means connected machines and devices in industries such as power
generation, oil, gas, etc. for monitoring and improving control efficiency.
 With an IoT-enabled system, factory equipment that contains embedded sensors
communicates data about different parameters, such as pressure, temperature, etc.
 The IoT system can also process workflow and change equipment settings to
optimize performance.
Connected Car:
 Connected car technology is a vast and extensive network of multiple sensors,
antennas, embedded software, and technologies that assist in communication to navigate.
Connected Health:
 IoT has various applications in healthcare, ranging from remote monitoring
equipment to advanced and smart sensors on equipment.
Smart Retail:
 Retailers have started adopting IoT solutions. Using IoT embedded systems improves
store operations, increases purchases, enables better stock management and enhances
the consumer’s shopping experience.
Smart Supply Chain:
 Offering solutions to problems like tracking of goods while they are in transit.

Risks
Risk to the manufacturers – B.O.A. (it is a snake, hence bad)
Impact on Business: Manufacturers may be out of business in a few years if IoT becomes a
necessary product feature of the business.
Obsolescence of devices: Dismantling old products means disabling old operating software,
and the buyer doesn’t support old product data.
Analytics & Data storage: Manufacturers will have to ensure that the huge data generated
from IoT devices is kept secure. Any sort of hacking & loss of data may prove detrimental
to the business.
Risk to users of the products – SAP (Again a snake in Hindi)
Security: As home devices and office equipment are connected to the network, they shall be
hit by all network related risks, including hacking, virus attacks, stealing of confidential
data etc.
Autonomy, Privacy & control: Individuals may lose control over their personal life. The other
major concern is who has the ownership of this personal data.
Technological Risks
De-standardization: Lack of technical standards, in terms of both hardware variations and
differences in the software running on them, makes the task of developing applications tough.
Environment risk due to Technology
Impact on environmental resources: Here the impact on house air quality, due to the use of
heavy earth metals in devices, is being studied. The risk is being considered in terms of
resource depletion, harm to biodiversity, ecological balance disruption, nuclear and space
waste etc.

7.9. ARTIFICIAL INTELLIGENCE(AI):


Definition
“The ability to use memory, knowledge, experience, understanding, reasoning, imagination
and judgment to solve problems and adapt to new situations”. The ability described above
when exhibited by machines is called as Artificial intelligence (AI).

Application Code to Remember : G.O.T. - M.A.D


Artificial Intelligence is being used in the following applications:
 Games Playing.
 Online assistants
 Theorems of mathematics.
 Medical diagnosis, in cancer research. Predicting the chances of an individual getting ill
by a disease.
 Art
 Drones and self-driving cars

Risks
• AI relies heavily on the data it gets.
• AI (robots) carries a security threat.
• AI in the long term may kill the human skill of thinking the unthinkable. All the data shall be
processed in a structured manner. These machines shall not have the capability of thinking
out of the box.

Controls
• The set of controls in AI will be extremely complex because of the nature of processing of
information and must be dealt with based on the nature of the AI tool and the purpose
etc.

7.10. BLOCK CHAIN:


Blockchain is a shared, peer-to-peer & decentralized open ledger of transactions with
no trusted third parties in between. In this ledger database every entry is permanent, as it
is an append-only database which cannot be changed or altered. All transactions are fully
irreversible, with any change in a transaction being recorded as a new transaction.
A decentralized network refers to a network which is not controlled by any bank,
corporation, or government. A blockchain generally uses a chain of blocks, with each block
representing the digital information stored in a public database.

Step 1: A transaction, like sending money to someone, is initiated.
Step 2: The transaction is broadcast via the network.
Step 3: The network validates the transaction using cryptography.
Step 4: The transaction is represented online as a block.
Step 5: The block is added to the existing blockchain.
Step 6: (text not recoverable from the source figure)
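The append-only, hash-chained behaviour described above, as an added Python illustration that is not from the notes or from any real blockchain implementation: each block carries the SHA-256 hash of the previous block, a correction is recorded as a new transaction rather than an edit, and verify_chain() shows where the chain breaks when someone edits an old entry in place. The account names and amounts are constructed sample data.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List

GENESIS_HASH = "0" * 64   # back-link of the very first block


@dataclass
class Block:
    index: int
    previous_hash: str
    transaction: dict      # constructed sample: {"from": "A", "to": "B", "amount": 100}
    hash: str = ""

    def compute_hash(self) -> str:
        # Deterministic serialisation (sorted keys, fixed separators) so that the
        # same contents always yield the same SHA-256 digest.
        payload = json.dumps(
            {"index": self.index, "previous_hash": self.previous_hash,
             "transaction": self.transaction},
            sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode()).hexdigest()


class Ledger:
    """Append-only chain: entries are never edited in place, only new blocks are added."""

    def __init__(self) -> None:
        self.chain: List[Block] = []

    def add_transaction(self, tx: dict) -> Block:
        prev = self.chain[-1].hash if self.chain else GENESIS_HASH
        block = Block(index=len(self.chain), previous_hash=prev, transaction=dict(tx))
        block.hash = block.compute_hash()
        self.chain.append(block)
        return block

    def reverse(self, block_index: int, reason: str) -> Block:
        # A correction is itself a NEW transaction; the original block is left untouched.
        orig = self.chain[block_index].transaction
        return self.add_transaction({"from": orig["to"], "to": orig["from"],
                                     "amount": orig["amount"],
                                     "reverses": block_index, "reason": reason})

    def balances(self) -> Dict[str, int]:
        # Balances are derived by replaying the whole ledger, never by editing a stored total.
        totals: Dict[str, int] = {}
        for blk in self.chain:
            tx = blk.transaction
            totals[tx["from"]] = totals.get(tx["from"], 0) - tx["amount"]
            totals[tx["to"]] = totals.get(tx["to"], 0) + tx["amount"]
        return totals

    def verify_chain(self) -> List[int]:
        """Indices of blocks whose stored hash or back-link no longer matches."""
        bad = []
        for i, blk in enumerate(self.chain):
            expected_prev = self.chain[i - 1].hash if i else GENESIS_HASH
            if blk.hash != blk.compute_hash() or blk.previous_hash != expected_prev:
                bad.append(i)
        return bad


def demo() -> dict:
    """Build a small ledger, then show what an in-place edit looks like to an auditor."""
    ledger = Ledger()
    ledger.add_transaction({"from": "A", "to": "B", "amount": 100})   # block 0
    ledger.add_transaction({"from": "B", "to": "C", "amount": 40})    # block 1
    ledger.reverse(1, "duplicate payment")                             # block 2 (correction)
    balances = ledger.balances()
    clean = ledger.verify_chain()                 # [] : chain intact
    # Tamper 1: edit a past amount in place without touching any hash.
    ledger.chain[0].transaction["amount"] = 1
    naive = ledger.verify_chain()                 # [0] : block 0's own hash no longer matches
    # Tamper 2: also recompute block 0's hash to hide the edit. Block 1 still carries the
    # OLD hash as its back-link, so the break simply moves one block down the chain.
    ledger.chain[0].hash = ledger.chain[0].compute_hash()
    rehashed = ledger.verify_chain()              # [1]
    return {"balances": balances, "clean": clean, "naive": naive, "rehashed": rehashed}


if __name__ == "__main__":
    print(demo())
```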

Application
Below are the areas of application:
 Financial Services-
Blockchain can be used to provide an automated trade lifecycle in terms of transaction
log of any transaction of asset or property – both physical or digital.

 Healthcare-
Blockchain provides secure sharing of data in healthcare industry by increasing the
privacy, security, and interoperability of the data by eliminating the interference of third
party and avoiding the overhead costs.

 Government-
Blockchain improves the transparency and provides a better way to monitor and audit
the transactions in these systems where mostly all matters are decentralized.

 Travel Industry-
Blockchain can be applied in money transactions and in storing important documents
like passports, reservations & managing travel insurance, loyalty etc.

 Economic Forecast-
Blockchain makes possible the financial and economic forecasts based on decentralized
prediction markets, decentralized voting & stock trading, thus enabling organizations to
plan and shape their businesses.

Risks
• Different blockchains carry different risk magnitudes, which may further lead to conflict
when monitoring controls are designed for a blockchain.
• The reliability of financial transactions is dependent on the underlying technology, and any
tampering may result in compromise of the information stored.
• In the absence of any central authority monitoring, there could be a challenge in the
establishment of process control activities.
• As blockchain involves humongous data getting updated frequently, risk related to
information overload could potentially challenge the level of monitoring required.

Controls Code to remember: C. – D.A.M. (Bridges gap)


• Communication methods shall be developed to ensure that operational changes and
updates relating to the use of blockchain are communicated to appropriate personnel.
• Suitable Data analytics procedures shall be developed to identify and obtain relevant and
quality data from the blockchain so that it can then be processed into information.
• Both internal and external Auditors shall be engaged in discussions during development
or identification of a blockchain so as to make the management understand the typical
auditability issues associated with using blockchain.
• Monitoring techniques shall be used to perform ongoing evaluations, considering the large
volume of data processed.

CORE BANKING SYSTEM

1. Overview of Banking:
Information Technology (IT) is an integral aspect of functioning of enterprises and professionals
in this digital age. The dependence on IT is such that the banking business cannot be thought of
in isolation without IT. There has been massive use of technology across many areas of banking
business in India. Banking is the engine of economic growth specifically in a rapidly developing
country like India with its diverse background, practices, cultures & large geographic dispersion
of citizens. Banking has played a vital and significant role in the development of the economy.
The changes in the banking scenario due to moving over to Core Banking System
and IT-based operations have enabled banks to reach customers and facilitate seamless
transactions. Core banking system has enabled the following activities in all branches with less
physical infrastructure:
1. Loan processing & sanctioning
2. Safe keeping of security documents
3. Post sanction monitoring & supervision of borrower’s accounts
4. Accounting of day-to-day transactions, receipts and payments of cash and cheques and updating
passbooks/statements.

2. Banking and finance services:

Acceptance of Deposits
It involves deposits by customers in various schemes for pre-defined periods.
Deposits fuel the growth of banking operations; this is the most important
function of a commercial bank. Commercial banks accept deposits in various
forms such as term deposits, savings bank deposits, current account deposits,
recurring deposit, saving-cum-term deposit & various others innovative products.

Granting Of Advances
This constitutes a major source of lending by banks. Advances granted by banks
take various forms such as overdrafts, discounting of bills, term loans, etc. Banks
also provide facilities like housing loans, educational loans, etc. In rural areas,
banks have become a major channel for disbursement of loans under various
government initiatives like KCC (Kisan Credit Cards), Mudra Yojana, & many
social welfare schemes.

Remittances
Remittances involve transfer of funds from one place to another. Below
are the most common modes of remittance of funds:
1. Demand drafts: are issued by one branch of the bank and are payable
by another branch of the Bank.
2. Mail Transfers: No instrument is handed over to the applicant.
Transmission of instrument is responsibility of the branch. Generally,
the payee of MT is an account holder of the paying branch.
3. Electronic Fund Transfers: This includes instantaneous transfer of
funds between two centers electronically. Some of the methods are-
• Real Time Gross Settlement (RTGS) - is an electronic form of
funds transfer where transmission takes place on real-time basis.
• National Electronic Funds Transfer (NEFT) - individuals can
electronically transfer funds from any bank branch to any
individual having an account with any other bank branch.
• Immediate Payment Service (IMPS) - IMPS offers an inter-bank
electronic fund transfer service through mobile phones even on
holidays (Unlike RTGS or NEFT).

Collections
Collections involve collecting proceeds on behalf of the customer. Customers can
lodge various instruments such as cheques, drafts, pay orders, travelers’ cheques,
dividend and interest warrants, tax refund orders, etc. Banks also collect
instruments issued by post offices, like national savings certificates, postal orders
etc.

Clearing
• It involves collecting instruments on behalf
of customers of the bank. The instruments
payable locally are collected through the clearing
house mechanism.
• The instruments payable outside are
sent by the Bank with whom the instrument
has been lodged, for collection, to the
branches of the issuing Bank. The Clearing house
settles the inter-Bank transactions among
the local participating member banks.
• MICR: It is technology which allows machines to
read & process cheques, enabling thousands
of cheque transactions in a short time.
• ECS: It is generally used for bulk transfers
performed by institutions for making
payments like dividend, interest, salary,
pension, etc.

1.2 Letters Of Credit and Guarantees:


A Letter of Credit (LC) is an undertaking by a bank to payee (supplier of goods and
services) to pay to him on behalf of the applicant (the buyer) any amount up to the
limit specified in the LC.
The Guarantees are required by the customers of banks for submission to the buyers
of their goods/ services to guarantee the performance of contractual obligations
undertaken by them.

Debit Cards: Debit Cards are issued by the bank where the customer is having their
account. Debit Cards facilitate customers to pay at any authorized outlet
as well as to withdraw money from an ATM from their account.
Credit Cards: The processing of applications for issuance of credit cards is usually entrusted to
a separate division at the central office of a bank. The dues against credit
cards are collected by specified branches.

3. Overview of core banking system (CBS):


CBS refers to a common IT solution wherein a central shared database supports the entire banking
applications. Characteristics of CBS are:

Code to Remember: A.B.D.–I.C.C.


(A.B.D. (AB de Villiers) in I.C.C. list)
• Advanced Technology:
 CBS is supported by advanced technology infrastructure.

• Business Application:
 CBS is centralized banking application software that has several components which are
designed to cater the needs of the users.

• Delivery Channel:
 Branches function as delivery channels providing services to customers.

• Integration:
 CBS software enables integration of all third-party applications to facilitate simple and
complex business processes.

• Centralized Business Application:


 CBS is centralized business application software that has several components which
have been designed to meet the demands of the banking industry.

• Customer Benefit:
 CBS brings significant benefits such as a customer is a customer of bank and not only of
the branch.

3.1 Key modules of CBS:


All key modules of banking such as back office, branch, data warehouse, ATM Switch,
mobile banking, internet banking, phone banking and credit-card system are
connected, and related transactions are interfaced with the central server, and are
explained below:

Back Office:
 The Back Office is the portion of a company made up of administration
and support personnel, who are not client-facing. It includes settlements,
clearances, record maintenance, regulatory compliance, accounting etc.
Data Warehouse:
 Data warehouses take care of the difficult data management, digesting
large quantities of data and ensuring accuracy, and make it easier for
professionals to analyze data.
Credit Card System:
 The credit card system provides customer management, credit card
management, account management, customer information management
and general ledger functions.
 The system has a flexible parameter system and a complex organization support
mechanism.
Automated Teller Machines (ATM):
 An Automated Teller Machine (ATM) is an electronic banking outlet that
allows customers to complete basic transactions without the aid of a
branch representative or teller. ATMs are convenient, allowing
consumers to perform quick, self-serve transactions.
Central Server:
 Most banks use core banking applications to support their operations,
creating a Centralized Online Real-time Exchange (or Environment) (CORE).
 This means that all the bank’s branches access applications from
centralized data centers/servers.
Mobile Banking:
 A service provided by a bank or other financial institution that allows its customers to
conduct financial transactions remotely using a mobile device. It uses software,
usually called an app. Mobile banking is usually available on a 24-hour
basis.
Internet Banking:
 It is an electronic payment system that enables customers of a bank or
other financial institution to conduct a range of financial transactions.
 We can make and receive payments to our bank accounts, open Fixed
and Recurring Deposits, view account details, request a cheque book and
a lot more, when online.
Phone Banking:
 Customers execute many of the banking transactional services through
the Contact Centre of a bank over the phone.
 Registration of the mobile number in the account is one of the basic prerequisites
to avail Phone Banking.
Branch Banking:
 CBS enables a single view of customer data across all branches in a bank
and thus facilitates information across the delivery channels. Branch
functions include:
 Initiating Beginning-Of-Day & End-of-Day operations.
 Reviewing reports for control and error correction etc.

3.2 Core features of CBS:


Banking industry involves dealing with public money and hence requires proper
controls. A CBS is built with some inherent features that include minimization of
risk scenarios arising out of banking business. In addition to the basic banking services that a
bank provides through use of CBS, the technology enables the bank to add the following
features too:

Code to remember: P.AT.I. - C.U.R.E. (पैसे है प�त का इलाज) – CBS is source of money

Processing of standing instructions
Authorizations occur within the application
Transactions are posted immediately.
Interaction with customers
Centralized operations
Updation of databases simultaneously
Real-time processing.
Easy, anytime and every-time access to customers and vendors.

4. Component and architecture of CBS:


4.1 Technology component of CBS:
CBS is a technology environment based on Client-Server Architecture, having a remote
Server (called the Data Centre) and Clients (the branches, called Service Outlets, which are
connected through channel servers). The Server is a sophisticated computer that accepts service
requests from different machines called Clients.

4.2 CBS IT Environment:


1. APPLICATION SERVER:
 The Application server performs necessary operations and this updates the account
of the customer.
 For instance, customer “A” does transaction at 2 different branches of a bank. The
results are updated in the database server at the centralized data center.
 In bank, the accounting process being centralized at the centralized data center is
updated at the centralized database. The application software, CBS, which is in the
application server is always to be latest version as accepted after adequate testing.

2. DATABASE SERVER:
 The Database Server of the Bank contains the entire data of the Bank. This data
includes information about accounts of the customers and master data.
 It also includes base rates for advances, FD rates, the rate for loans, penalty to be
levied etc.
 Application software would access the database server.

3 AUTOMATED TELLER MACHINE (ATM) CHANNEL SERVER:


 This server contains the details of ATM accountholders. Soon after the facility of using
ATM is created by the Bank, details of such customers are loaded on to the ATM server.
 A file called “Positive Balance File (PBF)” is sent to the ATM switch; it contains the
account balance of the customer.
 While the central database is not accessible, ATM transactions are passed against the
balance available in the ATM server. Once the central database server becomes
accessible, all the transactions get updated in the central database.
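The PBF and store-and-forward behaviour just described, as an added example (not code from the notes or any CBS vendor): the ATM channel server authorises against the PBF while the central database is unreachable, queues the transactions, and replays them once it is reachable again. The PBF layout (`account|balance`), account numbers and amounts are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class CentralDatabase:
    """Stand-in for the central database server at the data centre."""
    balances: dict
    online: bool = True

    def post(self, account: str, amount: int) -> int:
        """Post a debit (negative) or credit (positive); return the new balance."""
        if not self.online:
            raise ConnectionError("central database not accessible")
        self.balances[account] += amount
        return self.balances[account]


@dataclass
class AtmChannelServer:
    """Holds the PBF and a store-and-forward queue of offline transactions."""
    central: CentralDatabase
    pbf: dict = field(default_factory=dict)      # account -> last known balance
    pending: list = field(default_factory=list)  # (account, amount) awaiting replay

    def load_pbf(self, pbf_lines):
        """Load a PBF sent by the CBS (constructed layout: 'account|balance')."""
        for line in pbf_lines:
            account, balance = line.strip().split("|")
            self.pbf[account] = int(balance)

    def withdraw(self, account: str, amount: int) -> str:
        """Authorise an ATM withdrawal online if possible, else against the PBF."""
        if account not in self.pbf:
            return "DECLINED: unknown card"
        if self.pbf[account] < amount:
            return "DECLINED: insufficient balance"
        try:
            new_balance = self.central.post(account, -amount)
            self.pbf[account] = new_balance  # refresh PBF from the authoritative balance
            return f"APPROVED online, balance {new_balance}"
        except ConnectionError:
            # Central DB unreachable: approve against the PBF and queue for replay.
            self.pbf[account] -= amount
            self.pending.append((account, -amount))
            return f"APPROVED offline, PBF balance {self.pbf[account]}"

    def replay_pending(self) -> int:
        """Post queued offline transactions to the central DB; return the count replayed."""
        replayed = 0
        while self.pending:
            account, amount = self.pending[0]
            self.central.post(account, amount)  # raises ConnectionError if still offline
            self.pending.pop(0)
            replayed += 1
        return replayed


def run_demo() -> dict:
    """Constructed scenario: 5000 balance, two withdrawals while offline, then replay."""
    central = CentralDatabase(balances={"ACC001": 5000})
    atm = AtmChannelServer(central)
    atm.load_pbf(["ACC001|5000"])
    central.online = False
    first = atm.withdraw("ACC001", 2000)
    second = atm.withdraw("ACC001", 4000)   # PBF shows only 3000 left
    central.online = True
    replayed = atm.replay_pending()
    return {"first": first, "second": second, "replayed": replayed,
            "central_balance": central.balances["ACC001"], "pending": len(atm.pending)}


if __name__ == "__main__":
    print(run_demo())
```

The PBF can be stale relative to branch transactions made after the file was sent, which is why the offline approval window and limits are a control point for the auditor.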


4 INTERNET BANKING CHANNEL SERVER(IBCS):


 Internet banking database server stores user name & passwords of all internet
banking customers.
 IBCS (Internet Banking Channel Server) software stores the name and password of
the entire internet banking customers.
 IBCS server also contains the details about the branch to which the customer
belongs. The Internet Banking customer would first have to log in to the bank’s
website with the username and password.

5 INTERNET BANKING APPLICATION SERVER (IBAS):


 The Internet Banking Software which is stored in the IBAS (Internet Banking
Application Server) authenticates the customer with the login details stored in the
IBCS.
 Authentication process is the method by which the details provided by the customer
are compared with the data already stored in the data server.

6 WEB SERVER:
 The Web Server is used to host all web services and internet related software.
 A Web server is a program that uses HTTP (Hypertext Transfer Protocol) to serve the
files that form Web pages to users, in response to their requests.
 Dedicated computers and appliances may be referred to as Web servers as well. All
computers that host Web sites must have Web server programs.

7 PROXY SERVER:
 A Proxy Server is a computer that offers a computer network service to allow clients
to make indirect network connections to other network services.
 A client connects to the proxy server, and then requests a connection, file, or other
resource available on a different server.

8 ANTI-VIRUS SOFTWARE SERVER:


 The Anti-Virus Server hosts the anti-virus software, which ensures that all software
deployed is first scanned so that appropriate virus/malware scans are performed.

4.3 Technology component of CBS:


An application server is located at the Central Data Centre. The CBS deployed by the Banks
as a part of the CBS Project includes a Data Centre (DC) and a Disaster Recovery Centre
(DRC). With the introduction of core banking systems, a customer has access not only to the
branch but to the bank as a whole. Key components of CBS are as follows-


Technology components of CBS:
• Database Environment
• Application Environment
• Cyber Security, covering:
  - Network Security and Secure Configuration
  - Application Security
  - Data Centre and Disaster Recovery Centre
  - Online Transaction monitoring for fraud risk

Database Environment:
This consists of the centrally located database servers that store the data for all the
branches of the bank, which includes customer master data, interest rates, account types
etc. Whenever a customer requests a particular service, the application server performs
the operation and updates the central database server. The databases are kept very
secure to prevent any unauthorized changes.

Application Environment:
The application environment consists of application servers that host the different core banking
systems like Flex Cube, bankMate etc. and is centrally used by different banks. Access to
these application servers will generally be routed through a firewall.

Cyber Security:
A comprehensive Cyber Security Framework is prescribed by RBI for banks to ensure effective
information security governance. Some key features of the Cyber Security Framework as
prescribed by RBI for banks are as under-

a) Network security and secure configurations:


1. Multi-layered defense system through properly configured proxy servers, firewalls and
intrusion detection systems to protect network from malicious attacks and to detect any
unauthorized network entries.
2. LAN segments for in-house/onsite ATM and CBS/branch network to confirm adequacy of
bandwidth to deal with volume of transactions so as to prevent slowing down.
3. To ensure secured network; proper usage of routers etc. should be envisaged.
4. Periodic security review of systems and terminals to assess the network’s vulnerability and
identify the weaknesses.
5. Identification of the risks to ensure that risks are within the bank’s risk appetite.

b) Application security:
1. Implementation of bank specific email domains with anti-phishing and anti-malware
software with controls enforced at the email solution.
2. Two step authentications to be added to log- in process, such as a code sent to user’s
phone or a fingerprint scan, that helps verify user’s identity and prevent cybercrimes.
3. Implementation of Password Management policy to provide guidance on creating and using
passwords in ways that maximize security of the password & minimize misuse of password.


4. Effective training of employees to educate them to avoid clicking any links received via
email.
5. Effective change management process to record/ monitor all the changes that are moved/
pushed into production environment.
6. Capturing of the audit logs pertaining to user actions and an alert mechanism to monitor
any change in the log settings.

c) Data Centre and Disaster Recovery Centre


1. The core banking systems consist of a Data Centre which includes various application servers,
database servers, web servers etc. and various other technological components.
2. The bank should adopt full-fledged documentation and prepare necessary manuals dealing
with the disaster recovery procedures.
3. Arrangements for alternate connectivity of banks with the data center should be established
whenever there is a disruption in the primary connectivity.
4. Proper awareness should be created among the employees through periodic trainings and
mock drills.

d) Online Transaction monitoring for fraud risk management


1. Risk evaluations are carried out and, considering the risk profile and other regulatory requirements
of the bank, effective monitoring should be done as a part of fraud risk management.
2. There are also methods that facilitate fraud reporting in the CBS environment. A proper alert system
should be enabled to identify any changes in the log settings, and the audit logs pertaining to
user actions are captured.
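Detection logic for the control in (b)6 and (d)2 above, as an added example (not from the notes or any CBS product): user actions are captured as audit log lines, and any event that changes the audit log settings themselves raises an alert. The log line format, action names and sample entries are constructed assumptions.

```python
import re

# Constructed log line format: ISO-8601 timestamp followed by key=value pairs.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")

# Actions that alter the audit trail itself; any of these triggers an alert.
HIGH_SEVERITY = {"AUDIT_LOG_DISABLE", "AUDIT_LOG_PURGE"}
MEDIUM_SEVERITY = {"AUDIT_LEVEL_CHANGE", "AUDIT_RETENTION_CHANGE"}
LOG_SETTING_ACTIONS = HIGH_SEVERITY | MEDIUM_SEVERITY

# Constructed sample of user-action audit log lines from a CBS environment.
SAMPLE_LOG = [
    "2022-01-10T09:15:02Z user=teller07 action=CASH_WITHDRAWAL account=ACC001 amount=5000",
    "2022-01-10T09:16:40Z user=sysadm02 action=AUDIT_RETENTION_CHANGE param=retention_days old=90 new=7",
    "2022-01-10T09:17:05Z user=teller07 action=LOGIN result=success",
    "2022-01-10T09:19:33Z user=sysadm02 action=AUDIT_LOG_DISABLE scope=user_actions",
    "2022-01-10T09:20:01Z user=officer11 action=LIMIT_OVERRIDE account=ACC002 approved_by=mgr03",
]


def parse_line(line: str) -> dict:
    """Split one log line into a dict of fields; 'ts' holds the timestamp."""
    match = LINE_RE.match(line.strip())
    if not match:
        raise ValueError(f"unparseable audit log line: {line!r}")
    event = {"ts": match.group("ts")}
    for pair in match.group("kv").split():
        key, sep, value = pair.partition("=")
        if sep:  # ignore stray tokens without '='
            event[key] = value
    return event


def alerts_for(lines) -> list:
    """Return one alert per change to the audit log settings found in the lines."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        action = event.get("action")
        if action not in LOG_SETTING_ACTIONS:
            continue
        detail = {k: v for k, v in event.items() if k not in ("ts", "user", "action")}
        alerts.append({
            "ts": event["ts"],
            "user": event.get("user", "<unknown>"),
            "action": action,
            "severity": "HIGH" if action in HIGH_SEVERITY else "MEDIUM",
            "detail": detail,
        })
    return alerts


if __name__ == "__main__":
    for alert in alerts_for(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['ts']} {alert['user']} {alert['action']} {alert['detail']}")
```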

Some key aspects in-built into architecture of a CBS are as follows:


• Information flow: This facilitates information flow within the bank and improves the speed
and accuracy of decision-making. It deploys systems that streamline integration and unite
corporate information to create a comprehensive analytical infrastructure. It ensures various
interfaces like payment channels, ATM, mobile/internet banking, Point of Sale (PoS) capability
are readily available.
• Customer centric: Through a holistic core banking architecture, this enables banks to target
customers with the right offers at the right time with the right channel to increase profitability.
• Regulatory compliance: CBS has built-in and regularly updated regulatory platform which will
ensure compliance by providing periodic regulatory and compliance reports required for the
day-to-day operations of the bank.
• Resource optimization: This optimizes utilization of information and resources of banks and
lowers costs through improved asset reusability, faster turnaround times, faster processing,
and increased accuracy.

4.4 Functional architecture of CBS:


• A Core Banking Solution is the enterprise resource planning software of a bank. It
covers all aspects of banking operations from a macro to micro perspective.
• A CBS is modular in nature and is generally implemented for all functions or for core
functions as decided by the bank.
• Following provides an architecture of CBS covering the complete range of banking
services-


4.5 Internet Banking process:


• To protect the web server from unauthorized use and abuse, the traffic must necessarily pass
through a firewall.
• An individual who accesses the website of the bank through the browser will be able to access the
web server, and the bank’s web page will be displayed on the screen of the client’s computer.
• The web page will also provide all information generally of interest to the public. The password will
not be displayed in plain text but will only be in an encrypted form.
• The web server forwards the customer details to the Internet Banking Application Server, which in
turn accesses the Internet Banking Database Server (IDBS). For each customer, it holds details about
the user ID and password. Information received from the web server is verified by the Internet
Banking Application Server (IBAS) with the data of the customer held in the internet banking database.
• In case of a mismatch between user name and password, the message ‘access denied’ would
appear, giving the reason ‘User ID/password incorrect’. After three attempts, the customer will be
logged out for security reasons.
• On authenticated login, the Internet Banking Application Server (IBAS) sends an acknowledgement
to the web server. The web server displays the message. Once the authentication process is
completed correctly, the customer is provided the internet banking facility, which would include:
• The Internet Banking Channel Server (IBCS) will retrieve the data from the central database
server after the customer chooses any of the above facilities.
• The internet banking database server then forwards the customer data to the IBAS, which
processes the transaction. E.g. a statement of account from the central database server is made
available to the Internet Banking Database Server (IDBS). The IBCS then sends the data to the
IBAS. The IBAS then sends the same to the web browser (Internet Explorer).
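The login flow above, as an added example (not code from the notes or any internet banking product): the web server hands the submitted credentials to the application server (IBAS), which checks them against the credential store (IBCS) and locks the customer out after three failed attempts. The record layout and sample users are constructed assumptions, and the store holds a salted PBKDF2 hash rather than the password itself (the notes only say the password is held "in an encrypted form").

```python
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 3  # "After three attempts, the customer will be logged out"


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the store never holds the plain-text password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class InternetBankingChannelServer:
    """IBCS stand-in: username, salted password hash, home branch and attempt counter."""

    def __init__(self):
        self.users = {}

    def add_user(self, username: str, password: str, branch: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "salt": salt,
            "hash": hash_password(password, salt),
            "branch": branch,
            "failed": 0,
            "locked": False,
        }

    def get(self, username: str):
        return self.users.get(username)


class InternetBankingApplicationServer:
    """IBAS stand-in: makes the authentication decision for the web server."""

    def __init__(self, ibcs: InternetBankingChannelServer):
        self.ibcs = ibcs

    def authenticate(self, username: str, password: str) -> str:
        record = self.ibcs.get(username)
        if record is None:
            # Dummy hash so timing is similar whether or not the user exists.
            hash_password(password, b"\x00" * 16)
            return "access denied: User ID/password incorrect"
        if record["locked"]:
            return "access denied: account locked after 3 attempts"
        candidate = hash_password(password, record["salt"])
        if hmac.compare_digest(record["hash"], candidate):
            record["failed"] = 0
            return f"authenticated: branch {record['branch']}"
        record["failed"] += 1
        if record["failed"] >= MAX_ATTEMPTS:
            record["locked"] = True
            return "access denied: account locked after 3 attempts"
        return "access denied: User ID/password incorrect"


if __name__ == "__main__":
    ibcs = InternetBankingChannelServer()
    ibcs.add_user("cust01", "S3cret!pass", "BR001")  # constructed sample customer
    ibas = InternetBankingApplicationServer(ibcs)
    for attempt in ("wrong1", "wrong2", "wrong3", "S3cret!pass"):
        print(ibas.authenticate("cust01", attempt))
```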


4.6 E-commerce Transaction processing:


Most of the e-Commerce transactions involve advance payment either through a credit or
debit card issued by a bank:

4.7 Implementation of CBS:


An automated information system such as CBS provides the platform for processing
information within the enterprise and extends to external service providers. CBS covers the entire
flow of information right from initiation and processing to storage and archiving of information.
The CBS also interfaces with various types of software that may be developed in-house or
procured from different vendors. Deployment and implementation of CBS should be controlled
at various stages to ensure that the bank's automation objectives are achieved. Stages are:
(In brief: plan, then take approval; do vendor selection and designing; do testing;
implementation and maintenance support so that the CBS can work fine.)
 Planning: Planning for implementing the CBS should be done as per strategic and
business objectives of bank.
 Approval: The decision to implement CBS requires high investment and recurring costs
and will impact how banking services are provided by the bank. Hence, the decision must
be approved by the board of directors.
 Selection: Although there are multiple vendors of CBS, each solution has key
differentiators. Hence, bank should select the right solution considering various
parameters as defined by the bank to meet their specific requirements and business
objectives.
 Design and Develop/Procure: CBS solutions used to be earlier developed in-house by the
bank. Currently, most of the CBS deployments are procured. There should be appropriate
controls covering the design or development or procurement of CBS for the bank.
 Testing: Extensive testing must be done before CBS is made live. Testing is done at
different phases: at the procurement stage to test suitability, at data migration to ensure all
existing data is correctly migrated, and to confirm that processing of various types of
transactions of all modules produces the correct results.


 Implementation: CBS must be implemented as per pre-defined and agreed plan with
specific project milestones to ensure successful implementation.
 Maintenance: CBS must be maintained as required. E.g., program bugs fixed, version
changes implemented, etc.
 Support: CBS must be supported to ensure that it is working effectively.
 Updation: CBS modules must be updated based on requirements of business processes,
technology updates and regulatory requirements.
 Audit: Audit of CBS must be done internally and externally as required to ensure that
controls are working as envisaged.

5. CBS risks, security policy and controls:


5.1 Risk associated with CBS:
Operational Risk:
It is defined as a risk arising from direct or indirect loss to the bank which could be associated
with inadequate or failed internal process, people and systems.
Transaction Processing Risk: Arises because of faulty reporting of important market developments to
the bank management.
Information Security Risk: Due to threats & vulnerabilities associated with operation & use of
information systems & environments in which those systems operate.
Legal Risk: Arises because of the treatment of clients, the sale of products, or business practices of a
bank.
Compliance Risk: When it fails to act in accordance with industry laws and regulations, internal
policies or prescribed best practices.
People Risk: Arises from lack of trained key personnel and unauthorized access to dealing rooms and
nexus between front and back-end offices.

Market Risk: Refers to the risk of losses in the bank’s trading book due to changes in equity prices,
interest rates etc. To manage market risk, banks deploy several mathematical and statistical techniques.
Credit Risk: It is the risk that an asset or a loan becomes irrecoverable in the case of outright default.
Since bank and borrower usually sign a loan contract, credit risk can be considered a form of
counterparty risk.
Strategic Risk: Can be defined as the risk that earnings decline due to a changing business
environment, for example new competitors or changing demand of customers.

Compliance Risk:
Compliance risk is exposure to legal penalties, financial penalty and material loss an organization faces
when it fails to act in accordance with industry laws and regulations, internal policies or prescribed best
practices.


5.2 IT Risk:
Once the complete business is captured by technology and processes are automated in CBS,
the bank's customers, management and staff are completely dependent on the Data Centre (DC).
Some of the common IT risks related to CBS are as follows:
 Ownership of Data/ process: Data resides at the Data Centre. Establish clear ownership.
 Authorization process: Anybody with access to the CBS, including the customer himself,
can enter data directly. What is the authorization process?
 Authentication procedures:
Usernames and Passwords, Personal Identification Number (PIN), One Time Password
(OTP) are some of the most commonly used authentication methods.
 Several software interfaces across diverse networks:
A data center must also contain adequate infrastructure, such as power distribution and
supplemental power subsystems, including electrical switching; uninterruptable power
supplies; backup and so on. Lapse in any of these may lead to real-time data loss.
 Maintaining response time:
Maintaining the interfacing software and ensuring optimum response time and up time
can be challenging.
 Access Controls:
Designing and monitoring access control is an extremely challenging task. Bank
environments are subject to all types of attacks. Access control, however, does vary
between branch networks and head office locations.
 Incident handling procedures:
These may not be adequate considering the need for real-time risk management.
 Change Management:
Change management is required at the application level and at the data level of the database:
master files, transaction files and reporting software.

5.3 Security Policy:


Information security is critical to mitigate the risks of information technology. Security refers
to ensuring the confidentiality, integrity and availability of information.
(a) Information Security Policies, Procedures, and practices:
 Refers to processes relating to approval and implementation of information security.
 These policies are the basis upon which detailed procedures and practices are developed
and implemented.
(b) User security administration:
 Refers to security for various users of information systems.
 These policies are the basis upon which detailed procedures and practices are developed
and implemented.
(c) Application Security:
 Refers to how security is implemented at various aspects of application
 This starts right from configuration, setting of parameters and security for transactions
through various application controls.
(d) Database Security:
 Refers to various aspects of implementing security for database software.
(e) Operating system Security:
 Refers to security for operating system software which is installed in the servers and
systems which are connected to the servers.


(f) Network Security:


 Refers to how security is provided at various layers of network and connectivity to the
servers.

5.4 Internal Control system in Banks:


The objective of internal control system is to ensure orderly and efficient conduct of
business, adherence to management policies, safeguarding assets through prevention
and detection of fraud and error, ensuring accuracy and completeness of the accounting
record and timely preparation of the reliable financial information and ensuring
compliance with the applicable laws and regulations.
Internal controls in banking ensure that transactions or decisions are within the policy
parameters laid down by the bank, do not violate instructions or policy prescriptions,
and are within delegated authority.
(a) Internal controls in banks environment:
Some examples of internal controls in bank branch are given here:
 Work of one staff member is supervised/ checked by another staff member.
 A system of job rotation among staff exists.
 Financial and administrative powers of each official/position are fixed.
 All books are to be balanced periodically.

(b) IT controls in bank:


Sample list of IT related controls are:
 System maintains a record of all log-ins and log-outs.
 System checks whether amount to be withdrawn is within the drawing power.
 Financial and administrative powers of each official/position are fixed.
 Exception situations such as limit excess, reactivating dormant accounts, etc. can
be handled only with a valid supervisory level password.

(c) Controls in Bank’s application software:


Any application software has 4 gateways through which an enterprise can control the
functioning, access and use of the various menus and functions of the software:
1. Configuration: Some examples of CBS software
 Defining access rules from various devices.
 Creation of user types
 Creation of customer type, deposit types etc.
2. Masters: Some examples of CBS software
 Customer Master: Customer types, details etc.
 Employee Master: Employee name, ID, designation etc.
 Income Tax Master: Tax rate applicable, TDS rate etc.
3. Transaction: Some examples of CBS software
 Deposit Transaction: Opening of A/c, deposit, withdrawal etc.
 Advance Transaction: Opening of A/c, transfer, closure etc.
 ECS Transaction: Entry, upload, approve etc.
 General Ledger: Expense accounting, interest computation etc.
4. Reports:
 Summary of transactions of day and Daily General Ledger (GL) of day
 Activity Logging and reviewing & MIS report for each product or service.
 Reports covering performance/compliance & exception.


6. Core business processes flow and relevant risks and controls:


6.1 Business process flow of Current & Savings Accounts (CASA) – Please read HINDI
version.
Process Flow of CASA facility
• Here the customer approaches the relationship manager to apply for a CASA facility, or applies
through internet banking. Charges/rates for the facility are provided by the relationship
manager or may be available online. (Go to the bank)
• Once the customer agrees to avail the facilities/products of the bank, the relationship
manager requests the relevant documents, i.e. KYC and other relevant documents of
the customer depending upon the facility/product. KYC (Know Your Customer) is a
process by which banks obtain information about the identity and address of the
customers. (Give the documents)
• The documents received from customers are handed over to the Credit team / Risk team
for sanctioning of the facilities/limits of the customer. (Hand over the documents to the concerned team)
• The Credit team verifies the documents, assesses the financial and creditworthiness of the
borrowers and updates facilities in the customer account. (Verification of the documents)
• A Current / Savings account along with the facilities requested is provided to the
customer for daily functioning. (Account is opened in the bank)
• Customers can avail facilities such as cheque deposits / withdrawal, cash deposit /
withdrawal, Real Time Gross Settlement (RTGS), National Electronic Funds Transfer
(NEFT), Electronic Clearing Service (ECS), Overdraft and Fund Transfer services
provided by the bank. (Services provided by the bank)

6.2 Risks and controls around CASA facility:


1. Risk: Credit setup is unauthorized and not in line with the bank's policy.
   Control: The credit committee checks that Financial Ratios, Net-worth, Risk factors and their
   corresponding mitigating factors, the Credit Line offered and the Credit amount etc. are in line
   with the Credit Risk Policy and that the Client can be given the Credit Line.
2. Risk: Credit Line set up in CBS is unauthorized and not in line with the bank's policy.
   Control: Access rights to authorize the credit limit in the account setup system should be
   restricted to authorized personnel.
3. Risk: Customer Master defined in CBS is not in accordance with the Pre-Disbursement Certificate.
   Control: Access rights to authorize the customer master in CBS should be restricted to
   authorized personnel.
4. Risk: Inaccurate interest / charge being calculated in CBS.
   Control: Interest on fund-based facilities is automatically calculated in the CBS as per the
   defined rules.
5. Risk: Unauthorized personnel approving the CASA transaction in CBS.
   Control: Segregation of Duties to be maintained between the initiator and authorizer of the
   transaction for processing the transaction in CBS.


6.3 Business process flow of Credit Card:


• Either the customer approaches the relationship manager to apply for a credit card facility or
customer will apply the same through internet banking, charges/rates for facility are
provided by relationship manager basis the credit application made by customer.

• Once the potential customer agrees to avail the facilities/products of the bank, the
relationship manager requests the relevant documents, i.e., KYC and other relevant
documents of the customer depending upon the facility/product.
• The documents received from the customers are handed over to the credit team for
sanctioning of the facilities/limits of the customers.
• The credit team verifies the documents, assesses the financial and credit worthiness of the
borrowers, issues a credit limit to the customer in CBS and allots a credit card.

6.4 Process flow of process-Authorization process of credit card facility:


• The customer swipes the credit card for the purchase made by him/her on the POS (Point of
Sale) machine at the merchant’s shop/establishment. (Card swiped by us at the shop)
• The POS will process the transaction only once the same is authenticated.
• The POS sends the authentication request to the merchant’s bank (also referred to as the
“acquiring bank”), which then sends the transaction authentication verification details to the
credit card network (such as VISA, MASTERCARD, AMEX, RUPAY), from which the data is
validated by the credit card issuing bank. Acquirer bank → Card network → Issuing bank
• Once the transaction is validated, the approval message is sent from the credit card issuing
bank to the credit card network, which then flows to the merchant’s bank and approves the
transaction in the POS machine. (After approval: issuing bank to POS merchant)
• The receipt of the transaction is generated and the sale is completed.


6.5 Process flow of clearing and settlement process of credit card facility:
• The transaction data from the merchant is transferred to the merchant’s bank.
Merchant’s bank clears settlement amount to Merchant after deducting Merchant fees.
Merchant’s bank, in turn now provides the list of settlement transactions to the credit
card network which then provides the list of transactions made by the customer to the
credit card issuing bank.
• The credit card issuing bank basis the transactions made, clears the amount to
Merchant’s bank but after deducting interchange transaction fees.
• At the end of billing cycle, card issuing company charges the customer’s credit card
account with those transactions in CBS.
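The authorization flow (6.4) and the clearing and settlement flow (6.5) above, modelled as message passing between POS, acquiring bank, card network and issuing bank, with end-of-day settlement net of merchant fee and interchange. This is an added example, not code from the notes or any card scheme; card numbers, BIN routing, fee rates and amounts are constructed assumptions.

```python
from dataclasses import dataclass, field
from decimal import Decimal, ROUND_HALF_UP

D = Decimal
CENT = D("0.01")


@dataclass
class IssuingBank:
    """Card issuing bank: available credit per card and the CBS card account ledger."""
    available_credit: dict                                  # card number -> Decimal
    card_account_postings: list = field(default_factory=list)
    paid_to_acquirers: Decimal = D("0.00")

    def authorize(self, card: str, amount: Decimal) -> str:
        if card not in self.available_credit:
            return "DECLINED: unknown card"
        if self.available_credit[card] < amount:
            return "DECLINED: over limit"
        self.available_credit[card] -= amount               # hold the amount
        return "APPROVED"

    def settle(self, txn: dict, interchange_rate: Decimal) -> Decimal:
        """Pay the acquirer net of interchange and post the charge to the card account."""
        interchange = (txn["amount"] * interchange_rate).quantize(CENT, ROUND_HALF_UP)
        net = txn["amount"] - interchange
        self.paid_to_acquirers += net
        self.card_account_postings.append((txn["card"], txn["amount"]))  # billing cycle charge
        return net


class CardNetwork:
    """Routes by the first six digits (BIN) to the issuing bank and sets interchange."""

    def __init__(self, issuers_by_bin: dict, interchange_rate: Decimal = D("0.015")):
        self.issuers_by_bin = issuers_by_bin
        self.interchange_rate = interchange_rate

    def authorize(self, card: str, amount: Decimal) -> str:
        issuer = self.issuers_by_bin.get(card[:6])
        if issuer is None:
            return "DECLINED: unknown issuer"
        return issuer.authorize(card, amount)

    def clear(self, txns: list) -> Decimal:
        """Forward the settlement list to each issuer; return the total net received."""
        total = D("0.00")
        for txn in txns:
            total += self.issuers_by_bin[txn["card"][:6]].settle(txn, self.interchange_rate)
        return total


@dataclass
class AcquiringBank:
    """Merchant's bank: forwards POS authorisations, captures, and pays the merchant."""
    network: CardNetwork
    merchant_fee_rate: Decimal = D("0.02")
    captured: list = field(default_factory=list)
    paid_to_merchant: Decimal = D("0.00")

    def pos_purchase(self, card: str, amount: Decimal) -> str:
        response = self.network.authorize(card, amount)
        if response == "APPROVED":
            self.captured.append({"card": card, "amount": amount})  # receipt, sale complete
        return response

    def end_of_day_settlement(self) -> dict:
        """Settle captured transactions: pay merchant net of fee, collect from issuers."""
        gross = sum((t["amount"] for t in self.captured), D("0.00"))
        merchant_fee = (gross * self.merchant_fee_rate).quantize(CENT, ROUND_HALF_UP)
        self.paid_to_merchant += gross - merchant_fee
        from_issuers = self.network.clear(self.captured)
        self.captured = []
        return {"gross": gross, "merchant_fee": merchant_fee,
                "paid_to_merchant": gross - merchant_fee,
                "received_from_issuers": from_issuers}


if __name__ == "__main__":
    issuer = IssuingBank(available_credit={"411111000011": D("10000.00")})
    acquirer = AcquiringBank(CardNetwork({"411111": issuer}))
    print(acquirer.pos_purchase("411111000011", D("2500.00")))
    print(acquirer.end_of_day_settlement())
```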

6.6 Business process flow of mortgages:


Meaning & type
A mortgage loan is a secured loan which is secured on the borrower’s property by
marking a lien on the property as collateral (additional security) for the loan. In case the
borrower doesn’t pay the borrowed money, the lender has the first charge on the property.
Now we will study different types of mortgage loan:


• This is a traditional mortgage where the customer has an option of selecting a fixed or variable
rate of interest and is provided for the purchase of property.
• Here the customer already has an existing loan and is applying for an additional amount either
for refurbishment or renovation of the house.
• In case of under construction properties, the loan is disbursed in tranches / parts as per the
construction plan.

Mortgage loan Process Description


• Loans are provided by the lender, which is a financial institution such as a bank or a
mortgage company. Such loans are provided at fixed and flexible rates of interest.
• The borrower/customer approaches the bank for a mortgage and the loan officer explains the
home loan to the customer. The customer fills in the loan application and provides KYC documents
(proof of identity, address, income and obligation details etc.) to the loan officer.
• The loan officer reviews the loan application and sends it to the Credit risk team, who will
determine the customer’s financial eligibility.
• This is done on the basis of the credit score as per Credit Information Bureau (India) Limited (CIBIL)
rating, income and expense details, and the rate of interest at which the loan is offered.
• The Underwriting team will verify the financial (applicant’s credit history) and employment
information of the customer. The underwriter will ensure that the loan provided is within the
lending guidelines.
• Details of the property selected by the customer are forwarded by the loan officer to the
legal and valuation team. Verification of the property is done to determine whether the
property is built as per the approved plan.
• The legal and valuation team will send their report to the operations team, which will
generate a letter of offer to the customer that contains all details of the loan such as loan amount,
rate of interest, tenor, instalment and other terms and conditions.
• The customer accepts the letter of offer by signing the loan agreement. The loan officer
notarizes all the loan documents, which are sent back to the lender's operations team.
• Once the signed offer letter is received, the operations team will release or disburse the funds.
Once the exchange is carried out successfully, the bank places a charge or lien on the property so
that in case of default the first charge is with the bank to recover the money.


Risk and controls around the mortgage process


1. Risk: Incorrect customer and loan details are captured, which will affect the overall
   down-stream process.
   Key Control: There is a secondary review performed by an independent team member who
   will verify the loan details captured in the core banking application with the offer letter.
2. Risk: Incorrect loan amount disbursed.
   Key Control: There is a secondary review performed by an independent team member who
   will verify the loan amount to be disbursed in the core banking application against the signed
   offer letter.
3. Risk: Interest amount is incorrectly calculated and charged.
   Key Control: Interest amount is auto calculated by the core banking application basis loan
   amount, ROI and tenure.
4. Risk: Unauthorized changes made to loan master data or customer data.
   Key Control: System enforced segregation of duties exist in the core banking application
   where the inputter of the transaction cannot approve its own transaction and the reviewer
   cannot edit any details submitted by the inputter.
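The system-enforced segregation of duties named in the CASA control table (item 5) and the mortgage control table (item 4) above, as an added example (not code from the notes or any core banking product): the inputter of a transaction cannot approve it, a checker cannot edit what the inputter submitted, and every action is recorded. Role names, user IDs and transaction fields are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional


class SegregationOfDutiesError(Exception):
    """Raised when a user attempts an action the maker-checker rules forbid."""


@dataclass
class Transaction:
    txn_id: str
    inputter: str
    fields: dict
    status: str = "PENDING"
    approver: Optional[str] = None
    history: list = field(default_factory=list)   # audit trail of (user, action)


class MakerCheckerLedger:
    """Enforces maker-checker: makers input and amend, checkers approve or reject."""

    def __init__(self, roles: dict):
        self.roles = roles        # user -> set of roles, e.g. {"MAKER"} or {"CHECKER"}
        self.txns: dict = {}

    def _require_role(self, user: str, role: str) -> None:
        if role not in self.roles.get(user, set()):
            raise SegregationOfDutiesError(f"{user} lacks role {role}")

    def submit(self, txn_id: str, user: str, fields: dict) -> Transaction:
        self._require_role(user, "MAKER")
        txn = Transaction(txn_id, inputter=user, fields=dict(fields))
        txn.history.append((user, "SUBMIT"))
        self.txns[txn_id] = txn
        return txn

    def amend(self, txn_id: str, user: str, fields: dict) -> Transaction:
        txn = self.txns[txn_id]
        if txn.status != "PENDING":
            raise SegregationOfDutiesError(f"{txn_id} is already {txn.status}")
        if user != txn.inputter:
            # A reviewer cannot edit details submitted by the inputter.
            raise SegregationOfDutiesError(f"{user} is not the inputter of {txn_id}")
        txn.fields.update(fields)
        txn.history.append((user, "AMEND"))
        return txn

    def _decide(self, txn_id: str, user: str, decision: str) -> Transaction:
        txn = self.txns[txn_id]
        self._require_role(user, "CHECKER")
        if user == txn.inputter:
            # The inputter cannot approve (or reject) their own transaction.
            raise SegregationOfDutiesError(f"{user} cannot decide own transaction {txn_id}")
        if txn.status != "PENDING":
            raise SegregationOfDutiesError(f"{txn_id} is already {txn.status}")
        txn.status, txn.approver = decision, user
        txn.history.append((user, decision))
        return txn

    def approve(self, txn_id: str, user: str) -> Transaction:
        return self._decide(txn_id, user, "APPROVED")

    def reject(self, txn_id: str, user: str) -> Transaction:
        return self._decide(txn_id, user, "REJECTED")


if __name__ == "__main__":
    ledger = MakerCheckerLedger({"maker01": {"MAKER"}, "checker01": {"CHECKER"}})
    ledger.submit("TXN1", "maker01", {"account": "ACC001", "amount": 2500})
    print(ledger.approve("TXN1", "checker01"))
```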

6.7 Treasury Process:


Meaning and Inclusion:
Investment category:
Government Securities, Shares, Commercial Papers, Certificate of Deposits, Security Receipts,
Pass through certificates, Units of Mutual Funds, Venture Capital Funds and Real Estate Funds
Debentures and Bonds.
Products in trading category:
Government Securities, Shares, Commercial Papers, Certificate of Deposits, Security Receipts,
Pass through certificates, Units of Mutual Funds, Venture Capital Funds and Real Estate Funds
Debentures and Bonds.

Core areas of treasury operation: Below are 3 major categories of treasury operations:

FRONT OFFICE
1. The Front Office operations consist of dealing room operations wherein the dealers
enter into deals with the various corporate and interbank counter-parties.
2. Deals are entered by dealers on various trading/communication platforms such as
Reuters’ system, telephonic conversation, brokers or any other private channel.
3. The dealers are primarily responsible to check for counter-party credit limits,
eligibility, and other requirements of the Bank before entering into the deal with the
customers.
4. Dealers must ensure that all risk/credit limits are available before entering into a deal.


MIDDLE OFFICE
1. The Middle Office includes risk management, responsibility for treasury accounting,
and documentation of various types.
2. Responsibilities also include producing the financial results, analysis and budget
forecasts for the treasury business unit, and input into regulatory reporting.
3. It is also responsible for monitoring of counter-party, country, dealer and market-
related limits that have been set and approved.

BACK OFFICE OPERATIONS
1. This includes verification by confirmation, settlement, checking existence of a valid and
enforceable agreement and reconciliation of NOSTRO accounts.
2. One of the developments in the back office has been the advent (arrival) of Straight-
Through Processing (STP), also called ‘hands-off’ or exception processing.
3. A critical operation is FOBO (Front Office/Back Office) reconciliation to ensure
completeness and accuracy of trades/deals done for the day.

Process flow for bank Treasury operations:

Risks and controls around the treasury process:


1. Risk: Unauthorized securities setup in systems such as Front office/Back office.
   Control: Appropriate segregation of duties and review controls around securities master
   setup and amendments.
2. Risk: Inaccurate trade is processed.
   Control: Appropriate segregation of duties and review controls to ensure the accuracy and
   authorization of trades.
3. Risk: Unauthorized confirmations are processed.
   Control: Complete and accurate confirmations to be obtained from the counter-party.
4. Risk: Insufficient securities available for settlement.
   Control: Effective controls on securities and margins.


6.8 Loans and trade finance operations:


Meaning and types-
Lending is the main business of banks. Taking everything into consideration, banks lend money and
carry some inherent risk; hence lending activity has to necessarily adhere to certain principles.
The business of lending is carried on by banks offering various credit facilities to their customers.
• Types of credit facilities:
1. Fund Based Credit Facilities: Fund based credit facilities involve an outflow of funds, meaning
thereby that the money of the banker is lent to the customer. They include Cash
Credits/Overdrafts, Demand Loans/Term Loans and Bill Discounting.
2. Non-Fund Based Credit Facilities: In this type of credit facility, the bank’s funds are not lent
to the customers; they include Bank Guarantees and Letters of Credit.

• Customer master creation process:
1. The relationship manager identifies potential customers and approaches them with the details of the products/facilities.
2. Once the potential customer agrees to avail the facilities/products of the bank, the relationship manager requests the relevant documents, i.e., KYC documents.
3. The documents received from the customer are handed over to the credit team of the bank for sanctioning of the facilities/limits of the customer. The credit team verifies the documents, assesses the financial and credit worthiness of the borrower and issues a sanction letter to the customer.
4. The sanction letter details the terms of the facilities and the credit limits the customer is eligible for, e.g., how much loan can be offered to the customer. Once the customer agrees with the terms of the sanction letter, the credit team prepares a Pre-Disbursement Certificate (PDC) containing the details of all the facilities and limits approved for the customer and sends it to the disbursement team, i.e., the team responsible for disbursing the loan amount to the customer.
5. The disbursement team verifies the PDC and creates the customer account and master in the Loan Disbursement System. The disbursement team member also assigns the limits for the various products as per the PDC.
6. Once the limits are assigned to the customer, the customer can avail any of the facilities/products up to the assigned credit limits.

• Loans disbursal/facility utilization & income accounting:
1. The customer may approach the bank for availing a product/facility as per the sanction letter.
2. In the case of a fund-based loan, the funds are disbursed to the customer’s bank account. Interest is generally accrued on a daily basis along with the principal.
3. In the case of bill discounting, the customer is credited the invoice amount excluding the interest amount as per the agreed rates. (Meaning of bill discounting: if the drawer of the bill does not want to wait till the due date of the bill and is in need of money, he may sell his bill to a bank at a certain rate of discount. The bill will be endorsed by the drawer with a signed and dated order to pay the bank.)
4. In the case of non-fund-based facilities, the facilities are granted to the customer up to the assigned limits in the loan disbursement system.




Risk and controls in loans and advances process


1. Risk: Credit line setup is unauthorized and not in line with the bank’s policy.
   Control: The credit committee checks that the financial ratios, the net worth, the risk factors and their corresponding mitigating factors, etc. are in line with the Credit Risk Policy.
2. Risk: Credit line setup is unauthorized and not in line with the bank’s policy.
   Control: Access rights to authorize the credit limit in the Loan Booking system/CBS should be restricted to authorized personnel.
3. Risk: Masters defined for the customer are not in accordance with the Pre-Disbursement Certificate.
   Controls:
   • Access rights to authorize the customer master in the Loan Booking system/CBS should be restricted to authorized personnel.
   • Segregation of duties exists in the Loan Disbursement system: the system restricts the maker from having checker rights to approve the loan.
4. Risk: The credit line setup can be breached in the Loan Disbursement system/CBS.
   Control: The Loan Disbursement system/CBS restricts booking of loans/facilities if the limit assigned to the customer is breached.
5. Risk: A lower rate of interest/commission may be charged to the customer.
   Control: The Loan Disbursement system/CBS restricts booking of loans/facilities if the rate charged to the customer is not as per the defined masters in the system.
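The controls in rows 2 to 5 above are all preventive checks that a loan booking system applies before a facility is created. The Python block below is an added example, not the notes' own code and not any particular CBS; the limit master, rate master, user rights and customer data are constructed placeholders. It enforces restricted authorisation rights, maker/checker segregation, the sanctioned limit and the rate master inside one booking function and returns the list of control violations, so an empty list means the booking passed every check and utilisation was updated.

```python
# Added example: preventive controls in a loan booking routine.
# Constructed masters and users; not the notes' code nor any real CBS.
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Sanctioned limits per customer and product, as keyed from the PDC (constructed).
CUSTOMER_LIMITS: Dict[str, Dict[str, float]] = {
    "CUST-001": {"TERM_LOAN": 5_000_000.0, "BANK_GUARANTEE": 2_000_000.0},
}
# Rate / commission master in percent, defined in the system (constructed).
RATE_MASTER: Dict[str, float] = {"TERM_LOAN": 9.50, "BANK_GUARANTEE": 1.25}
# Access rights: a user may act only in a capacity they hold (constructed users).
USER_RIGHTS: Dict[str, Set[str]] = {
    "rm_priya": {"MAKER"},
    "ops_arun": {"CHECKER"},
    "admin_raj": {"MAKER", "CHECKER"},
    "teller_neha": set(),
}

@dataclass(frozen=True)
class BookingRequest:
    customer_id: str
    product: str
    amount: float
    rate: float

@dataclass
class LedgerState:
    """Utilisation already booked against each customer's limits."""
    utilised: Dict[str, Dict[str, float]] = field(default_factory=dict)

def book_facility(req: BookingRequest, maker: str, checker: str,
                  state: LedgerState) -> List[str]:
    """Apply the control checks and book only when every check passes.
    Returns the list of violated controls (an empty list means booked)."""
    violations: List[str] = []
    # Access rights restricted to authorised personnel (table rows 2 and 3).
    if "MAKER" not in USER_RIGHTS.get(maker, set()):
        violations.append(f"{maker} lacks MAKER right")
    if "CHECKER" not in USER_RIGHTS.get(checker, set()):
        violations.append(f"{checker} lacks CHECKER right")
    # Segregation of duties: the maker may never approve their own entry (row 3).
    if maker == checker:
        violations.append("maker and checker must be different users")
    # Limit check against the sanctioned limit in the master (row 4).
    limit = CUSTOMER_LIMITS.get(req.customer_id, {}).get(req.product)
    used = state.utilised.get(req.customer_id, {}).get(req.product, 0.0)
    if limit is None:
        violations.append(f"no sanctioned limit for {req.product}")
    elif used + req.amount > limit:
        violations.append(f"limit breach: {used + req.amount:.2f} exceeds {limit:.2f}")
    # The rate charged must equal the defined master rate (row 5).
    master_rate = RATE_MASTER.get(req.product)
    if master_rate is None or abs(req.rate - master_rate) > 1e-9:
        violations.append(f"rate {req.rate} not as per master")
    # Only a fully compliant request changes the ledger.
    if not violations:
        state.utilised.setdefault(req.customer_id, {})[req.product] = used + req.amount
    return violations

if __name__ == "__main__":
    ledger = LedgerState()
    first = BookingRequest("CUST-001", "TERM_LOAN", 3_000_000.0, 9.50)
    print(book_facility(first, "rm_priya", "ops_arun", ledger))
    second = BookingRequest("CUST-001", "TERM_LOAN", 2_500_000.0, 9.50)
    print(book_facility(second, "rm_priya", "ops_arun", ledger))
```

The order of the checks does not matter for the outcome because every violated control is collected rather than the first one stopping the routine; that gives the checker a complete picture of why a booking was rejected, and the ledger is only touched when the list is empty.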

7. Reporting Systems and MIS, Data Analytics & Business Intelligence


Basel III is a comprehensive set of reform measures, developed by the Basel Committee on Banking Supervision, to strengthen the regulation, supervision and risk management of the banking sector. These measures aim to improve the banking sector’s ability to absorb shocks arising from financial and economic stress. Data from the CBS database is transferred to a Data Warehouse. The Data Warehouse stores data in multi-dimensional cubes (unlike the row-and-column structure of tables in a traditional CBS database). Data in the Data Warehouse is generally never purged, so a huge volume of data accumulates over the years.
The only comprehensive and accurate solution for this problem is the use of artificial neural network logic (Artificial Intelligence), wherein algorithms based on neural networks are executed on the data in the Data Warehouse to uncover hidden trends, which in turn helps in risk assessment. This improves the management and prediction of banking risks and, in turn, the assessment of capital adequacy under Basel III.

8. Applicable regulatory and compliance requirement:


8.1 Impact of technology in banking:

Described are the 4 components of banking business. Hence, it is important to understand how the 4 components of banking business are configured, maintained and updated using technology.




8.2 Money Laundering:


Meaning:
Money Laundering is the process by which the proceeds of crime and the true ownership of those proceeds are concealed or made opaque (unclear) so that the proceeds appear to come from a legitimate source.

Stages of Money Laundering:
1. Placement: The first stage involves the placement of proceeds derived from illegal activities, i.e., the movement of proceeds from the scene of the crime to a place, or into a form, that is less suspicious and more convenient for the criminal.
2. Layering: This involves the separation of the proceeds from their illegal source using complex transactions designed to obscure the audit trail and hide the proceeds. Layering involves sending the money through various financial transactions to change its form and make it difficult to follow.
3. Integration: Integration involves the conversion of illegal proceeds into apparently legitimate business earnings through normal financial or commercial operations. Integration creates the illusion of a legitimate source for criminally derived funds and involves techniques as numerous and creative as those used by legitimate businesses.

Anti-Money Laundering using technology:
• Negative publicity, damage to reputation and loss of goodwill, legal and regulatory sanctions and an adverse effect on the bottom line are all possible consequences of a bank’s failure to manage the risk of money laundering.
• Banks face the challenge of addressing the threat of money laundering on multiple fronts, as banks can be used as the primary means for transfer of money across geographies.
• With regulators adopting stricter regulations on banks and enhancing their enforcement efforts, banks are using special fraud and risk management software to prevent and detect fraud.

Financing of Terrorism:
• Money to fund terrorist activities moves through the global financial system via wire transfers in and out of personal and business accounts.
• The money can lie in the accounts of illegitimate charities and be laundered through buying and selling securities and other commodities or purchasing and cashing out insurance policies.
• The money frequently starts out clean, i.e., as a ‘charitable donation’, before moving to terrorist accounts. It is highly time sensitive, requiring a quick response.




8.3 Cyber Crimes:


Cybercrime, also known as computer crime, is a crime that involves the use of a computer and a network. The computer may have been used in committing the crime, or it may be the target. Cybercrime is defined as:
1. Offences committed against individuals or groups of individuals;
2. With a criminal motive to intentionally harm the reputation of the victim or cause physical or mental harm, or loss, to the victim directly or indirectly;
3. Using modern telecommunication networks (Internet and mobile phones).
4. The United Nations Manual on the Prevention and Control of Computer Related Crime classifies such crimes into the following categories.

8.4 Banking Regulation Act:


Meaning:
The Banking Regulation Act, 1949 is legislation in India that regulates all banking firms in India. The Act gives the Reserve Bank of India (RBI) the power:
1. To license banks;
2. To regulate the shareholding and voting rights of shareholders;
3. To supervise the appointment of boards and management;
4. To regulate the operations of banks and lay down instructions for audits;
5. To issue directives in the interests of the public good and on banking policy;
6. To impose penalties.

Some important points:
Negotiable Instruments Act
Under this Act, a cheque includes the electronic image of a truncated cheque and a cheque in the electronic form. A cheque in the electronic form has been defined as “a mirror image” of a paper cheque. The definition of a cheque in electronic form contemplates a digital signature, with or without biometric signature, and an asymmetric crypto system.

RBI Regulations
The basic functions of the Reserve Bank are: “to regulate the issue of Bank Notes and keeping of reserves with a view to securing monetary stability in India and generally to operate the currency and credit system of the country to its advantage.” Some of the key functions of RBI are: Monetary Authority; Regulator and supervisor of the financial system; Issuer of currency.

Prevention of Money Laundering Act (PMLA), 2002:
Section 12 of PMLA:
1. “Every banking company, financial institution and intermediary (hereinafter referred to as such entities) is required to maintain a record of transactions as may be prescribed by rules;
2. Furnish information to the Director within such time as may be prescribed”.

Rule 3 of PMLR:
1. Maintenance of a record of all cash transactions above ₹ 10 lakhs.
2. All series of cash transactions of value less than ₹ 10 lakhs that are integrally connected, if they have taken place within a month (aggregate value > ₹ 10 lakhs).
3. All cash transactions where forged or counterfeit notes have been used.
4. All suspicious transactions made in cash or otherwise.
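Rule 3 above reads as a record-keeping rule that a bank's transaction-monitoring job applies to its cash transactions. The following Python block is an added example, not from the study notes or from any bank's AML system; the transactions are constructed, and it assumes that "within a month" means within one calendar month on the same account, which is a simplifying assumption made for the illustration. It produces the four categories of records Rule 3 requires: single cash transactions above ₹ 10 lakhs, series of sub-threshold cash transactions on one account that aggregate to more than ₹ 10 lakhs within a month, transactions involving counterfeit notes, and transactions flagged as suspicious.

```python
# Added example: records a bank must maintain under Rule 3 of PMLR, as
# summarised in the notes. Constructed transactions; not any bank's AML code.
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

THRESHOLD = 1_000_000          # ₹ 10 lakhs, the Rule 3 threshold stated above

@dataclass(frozen=True)
class CashTxn:
    txn_id: str
    account: str
    when: date
    amount: int                # in rupees
    counterfeit: bool = False  # forged/counterfeit notes detected at the counter
    suspicious: bool = False   # flagged by staff or by a monitoring rule

def rule3_records(txns: List[CashTxn]) -> Dict[str, List[str]]:
    """Return transaction ids under the four Rule 3 record categories."""
    records: Dict[str, List[str]] = {
        "single_above_threshold": [],
        "series_above_threshold": [],
        "counterfeit": [],
        "suspicious": [],
    }
    # Sub-threshold transactions grouped by account and calendar month.
    # ASSUMPTION: "within a month" is read here as the same calendar month.
    sub_threshold: Dict[Tuple[str, int, int], List[CashTxn]] = defaultdict(list)
    for t in txns:
        if t.amount > THRESHOLD:
            records["single_above_threshold"].append(t.txn_id)
        else:
            sub_threshold[(t.account, t.when.year, t.when.month)].append(t)
        if t.counterfeit:
            records["counterfeit"].append(t.txn_id)
        if t.suspicious:
            records["suspicious"].append(t.txn_id)
    # A series of sub-threshold transactions that together exceed the threshold
    # is treated as integrally connected and recorded as a whole.
    for key in sorted(sub_threshold):
        group = sub_threshold[key]
        if sum(t.amount for t in group) > THRESHOLD:
            records["series_above_threshold"].extend(sorted(t.txn_id for t in group))
    return records

# Constructed sample: ACC-01 receives twelve deposits of ₹ 95,000 in January
# (₹ 11,40,000 in total); ACC-02 has three deposits of ₹ 2,00,000 in January
# (₹ 6,00,000) and one deposit of ₹ 12,00,000 in February; ACC-03 has one
# counterfeit-note deposit and one transaction flagged as suspicious.
SAMPLE_TXNS: List[CashTxn] = (
    [CashTxn(f"S-{i:02d}", "ACC-01", date(2022, 1, 1 + i), 95_000) for i in range(12)]
    + [CashTxn("B-01", "ACC-02", date(2022, 1, 5), 200_000),
       CashTxn("B-02", "ACC-02", date(2022, 1, 15), 200_000),
       CashTxn("B-03", "ACC-02", date(2022, 1, 25), 200_000),
       CashTxn("L-01", "ACC-02", date(2022, 2, 3), 1_200_000),
       CashTxn("C-01", "ACC-03", date(2022, 1, 9), 50_000, counterfeit=True),
       CashTxn("X-01", "ACC-03", date(2022, 1, 12), 40_000, suspicious=True)]
)

def sample_records() -> Dict[str, List[str]]:
    """Apply the Rule 3 categorisation to the constructed sample."""
    return rule3_records(SAMPLE_TXNS)

if __name__ == "__main__":
    for category, ids in sample_records().items():
        print(category, ids)
```

The twelve ₹ 95,000 deposits on ACC-01 are each below the threshold, yet the routine records the whole series because their monthly aggregate exceeds ₹ 10 lakhs; ACC-02's three January deposits stay unrecorded because they aggregate to only ₹ 6 lakhs. That is exactly the gap the rule closes: a bank that only records single large cash transactions would miss the series.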




Prevention of Money Laundering Act (PMLA), 2002 (continued):
Section 13 of PMLA:
1. The Director may, either of his own motion or on an application made by any authority, officer or person, make such inquiry or cause such inquiry to be made, as he thinks fit to be necessary, with regard to the obligations of the reporting entity, under this Chapter.
2. If at any stage of inquiry or any other proceedings before him, the Director is of the opinion that it is necessary to do so, he may direct the concerned reporting entity to get its records audited by an accountant from amongst a panel of accountants, maintained by the Central Government for this purpose.
3. The expenses of and incidental to, any audit shall be borne by the Central Government.
4. If the Director, in the course of any inquiry, finds that a reporting entity or its designated director on the Board or any of its employees has failed to comply with the obligations under this Chapter, he may-
(a) Issue a warning in writing; or
(b) Direct such reporting entity or its designated Director on the Board or any of its employees, to comply with specific instructions; or
(c) Direct such reporting entity or its designated Director on the Board or any of its employees, to send reports at such interval as may be prescribed on the measures it is taking; or
(d) By an order, impose a monetary penalty on such reporting entity or its designated Director on the Board or any of its employees, which shall not be less than ₹ 10,000 but may extend to ₹ 1,00,000 for each failure.

Section 63 of PMLR:
(1) Any person willfully and maliciously giving false information and so causing an arrest or a search to be made under this Act shall on conviction be liable for imprisonment for a term which may extend to 2 years, or a fine which may extend to ₹ 50,000, or both.
(2) If any person-
(a) Refuses to answer any question put to him by an authority in the exercise of its powers under this Act;
(b) Refuses to sign any statement made by him in the course of any proceedings under this Act, which an authority may legally require him to sign;
(c) To whom a summons is issued under section 50 either to attend to give evidence or produce books of account or other documents at a certain place and time, omits to attend or produce books of account or documents at the place or time;
he shall pay a penalty of not less than ₹ 500 which may extend to ₹ 10,000.

Section 70 of PMLR:
If the contravention is committed by such entities, the officers in charge of and responsible for the conduct of the business of such entity at the relevant time are also liable to be proceeded against and punished.




Information Technology Act, 2000:
The Information Technology Act (ITA):
1. The Act provides legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication.
2. It involves the use of alternatives to paper-based methods of communication and storage of information, to facilitate electronic filing of documents with the Government.
3. The Act provides the legal framework for electronic governance by giving recognition to electronic records and digital signatures.
4. It also deals with cybercrimes.

IT Act 2008 (Amended) and Bank’s liability:
1. Includes both civil and criminal liability.
2. Civil Liability – Pay damages by way of compensation up to ₹ 5 crores.
3. Criminal Liability – Imprisonment ranging from 3 years to life imprisonment.

Key provisions of IT Act (covered in Chapter 1):
• Section 43: Penalty and compensation for damage to computer, computer system, etc.
• Section 43A: Compensation for failure to protect data.
• Section 65: Tampering with Computer Source Documents.
• Section 66: Computer Related Offences.
• Section 66B: Punishment for dishonestly receiving stolen computer resource or communication device.
• Section 66C: Punishment for identity theft.
• Section 66D: Punishment for cheating by personation by using computer resource.
• Section 66E: Punishment for violation of privacy.

Sensitive Personal Data Information (SPDI):
The Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules, 2011, framed under section 43A of the Information Technology Act, 2000, define a data protection framework for the processing of digital data by a Body Corporate.
• Among the largest stakeholders in SPDI are banks, apart from insurance companies, financial institutions, hospitals, educational institutions, etc.
• Every bank should develop, communicate and host its privacy policy. The policy should include all key aspects of how the bank deals with the personal information it collects. To give a practical perspective of how compliance with the provisions of the IT Act, specifically those relating to privacy and protection of personal information, is achieved, the next section provides an overview of the requirements of a bank’s privacy policy.

The detail of this concept has been discussed in Chapter 1 of the study material.




TEST YOUR KNOWLEDGE

Ques 1-
Mr. Shoren has recently been associated with the procurement and sale of drugs and narcotic substances without a license, which is illegal as per the Narcotic Drugs and Psychotropic Substances Act, 1985. A major part of the sale proceeds, amounting to ₹ 65 lakhs, was collected and routed through various bank accounts held in SNFC Bank, which was subsequently advanced to various bogus companies, and a series of transactions was initiated to make the money appear to have been obtained from a legal, legitimate source. These activities were carried out with the assistance of one of the employees of SNFC Bank, Mr. Sushil, who intentionally altered a few computer source codes so that no records for the major transactions that took place could be found in the database. A series of transactions ranging from ₹ 10,000 to ₹ 1 lakh was initiated in a month for depositing the amount of ₹ 65 lakhs in SNFC Bank.
However, SNFC Bank had failed to keep proper records of information relating to a few of the transactions as they were not of a substantial amount. Furthermore, it was later found that one of the staff members of SNFC Bank, whose relative was an insurance agent, used to obtain the medical information of customers having accounts with the bank for obtaining personal benefits. Answer the following questions-

1. Which amongst the following activities carried out by Mr. Shoren could be considered as an
offence of Money Laundering:
(a) Expenses incurred for procurement of narcotic drugs
(b) Sale of narcotic drugs without a license
(c) Routing the illegal proceeds through bank & other transactions to appear as obtained
from legitimate source.
(d) Being a part of the cartel/association carrying out illegal sale of drugs.

2. An employee of SNFC Bank, Mr. Sushil, had assisted Mr. Shoren in routing the illegal money through the bank by altering the computer source code so that major transactions’ amounts were not traceable in the bank’s database. Under which Section of the IT Act, 2000 is this act of Mr. Sushil punishable?
(a) Section 66E
(b) Section 66B
(c) Section 65
(d) Section 66D

3. Mr. Shoren was involved in the collection and sale of illegal drugs and got the proceeds routed through various banking transactions and advances to bogus companies. Which stages of the Money Laundering process do these aforesaid activities correspond to?
(a) Placement and Integration
(b) Layering and Integration
(c) Placement and Layering
(d) Placement, Layering and Integration




4. SNFC Bank failed to maintain records of information relating to banking transactions carried out by Mr. Shoren as many of the transaction amounts were not substantial. Also, the privacy regarding the details of the medical history of its customers was breached. Which kind of risk would SNFC Bank be exposed to if it has to face legal penalties because it failed to act in accordance with the laws and requirements of the Prevention of Money Laundering Act (PMLA)?
(a) Legal and Compliance Risk
(b) Compliance and Information Security Risk.
(c) Information Security and People Risk
(d) Transaction processing and Legal risk

Solution 1-
1. (c) Routing the illegal proceeds through bank & other transactions to appear as obtained from legitimate source.
2. (c) Section 65
3. (c) Placement and Layering
4. (b) Compliance and Information Security Risk.

Ques 2-
GNI Bank is one of the age-old conventional banks which offers an array of banking services like EFTs, collections, clearing, letters of credit/guarantees, etc. to its customers. To provide the latest functionalities and to improve the overall efficiency of its banking services, it has recently implemented a core banking solution. It has also put in place the necessary controls to safeguard its business from being exposed to probable IT risks.
Mr. Doshi, a senior software developer having a savings bank account with GNI Bank, has requested internet banking facilities. He has also applied and produced all the necessary documents for availing a housing loan from the said bank. Though the procedures followed for sanctioning housing loans are quite stringent, GNI Bank offers a floating interest rate on its loans and also offers comparatively higher interest rates on its fixed deposits than the other banks in the state. Answer the following questions-

1. Given below are the features of the Core Banking Solution recently implemented by GNI Bank that prove advantageous to both the bank and its customers. Which among the following advantages would relate the most to Mr. Doshi, who has recently availed a housing loan, in terms of easy and effortless Internet banking?
(a) Reliance on transaction balancing
(b) Highly dependent system-based controls
(c) Daily, half yearly and annual closing
(d) Automatic processing of standing instructions

2. GNI Bank during this stage of the loan processing of Mr. Doshi, checks the borrower’s ability
to repay the loan based on an analysis of his credit history, and his earning capacity. This
process which forms a major aspect in loan approvals is referred to as _____
(a) Clearing
(b) Underwriting
(c) Collections
(d) Letter of Credit




3. GNI bank has also implemented necessary controls to ensure safeguards against the exposure
to IT risks. As a practice, whenever a connection is made to website in another network, it will
be routed through a particular server. Which among the servers would be utilized for making
connections with other network services?
(a) Web Server
(b) Application Server
(c) Proxy Server
(d) Database Server

4. GNI Bank has also implemented necessary controls to ensure safeguards against the exposure
to IT risks. Which among the following controls could be implemented when risk arises due to
lack or inadequate management direction and commitment to protect information assets?
(a) The identity of users is authenticated to the systems through passwords.
(b) Security policies are established and management monitors compliance with policies.
(c) Access to sensitive data is logged and the logs are regularly reviewed by management.
(d) Physical access restrictions are implemented and administered.

Solution 2-
1. (d) Automatic processing of standing instructions
2. (b) Underwriting
3. (c) Proxy server
4. (b) Security policies are established and management monitors compliance with policies.

